npm - @clef-sh/core - Versions diffs - 0.1.11-beta.62 → 0.1.11-beta.68 - Mend

@clef-sh/core 0.1.11-beta.62 → 0.1.11-beta.68

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/artifact/packer.d.ts.map +1 -1
package/dist/artifact/signer.d.ts +2 -2
package/dist/artifact/signer.d.ts.map +1 -1
package/dist/artifact/types.d.ts +0 -2
package/dist/artifact/types.d.ts.map +1 -1
package/dist/index.js +36 -19
package/dist/index.js.map +3 -3
package/dist/index.mjs +36 -19
package/dist/index.mjs.map +3 -3
package/dist/manifest/parser.d.ts.map +1 -1
package/dist/migration/backend.d.ts +1 -3
package/dist/migration/backend.d.ts.map +1 -1
package/dist/sops/client.d.ts.map +1 -1
package/dist/types/index.d.ts +6 -0
package/dist/types/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/artifact/packer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAIjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;~~CAqI9F~~"}
1	+ {"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAIjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAmI9F"}

package/dist/artifact/signer.d.ts CHANGED Viewed

@@ -11,8 +11,8 @@ import type { KmsProvider } from "../kms";
  * `ciphertextHash` transitively covers the ciphertext content, so the
  * (potentially large) ciphertext itself is not included.
  *
- * Keys are sorted to ensure deterministic ordering regardless of
- * insertion order in the source object.
+ * Key names are intentionally excluded from the signing payload — they are
+ * not present in the envelope and are derived from decrypted values at runtime.
  */
 export declare function buildSigningPayload(artifact: PackedArtifact): Buffer;
 /**

package/dist/artifact/signer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/artifact/signer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAE1C;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,cAAc,GAAG,MAAM,~~CAmBpE~~;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAUlF;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAQ7E;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,WAAW,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,GACtB,OAAO,CAgBT;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,kBAAkB,CAU3E"}
1	+ {"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/artifact/signer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAE1C;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,cAAc,GAAG,MAAM,CAkBpE;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAUlF;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAQ7E;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,WAAW,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,GACtB,OAAO,CAgBT;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,kBAAkB,CAU3E"}

package/dist/artifact/types.d.ts CHANGED Viewed

@@ -30,8 +30,6 @@ export interface PackedArtifact {
     ciphertextHash: string;
     /** Base64-encoded ciphertext. Age format for age-only artifacts; AES-256-GCM for KMS envelope artifacts. */
     ciphertext: string;
-    /** Secret key names for introspection (not the values). */
-    keys: string[];
     /** KMS envelope metadata. Present when the identity uses KMS envelope encryption. */
     envelope?: ArtifactEnvelope;
     /** ISO-8601 expiry timestamp. Artifact is rejected after this time. */

package/dist/artifact/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,4GAA4G;IAC5G,UAAU,EAAE,MAAM,CAAC;IACnB,~~2DAA2D;IAC3D,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,~~qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,4GAA4G;IAC5G,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/index.js CHANGED Viewed

@@ -7462,8 +7462,26 @@ var ManifestParser = class {
         "sops.default_backend"
       );
     }
+    const ageObj = sopsObj.age;
+    const ageRecipients = ageObj && Array.isArray(ageObj.recipients) ? ageObj.recipients : void 0;
+    const parsedAge = ageRecipients ? {
+      age: {
+        recipients: ageRecipients.map((r) => {
+          if (typeof r === "string") return r;
+          if (typeof r === "object" && r !== null) {
+            const obj2 = r;
+            return {
+              key: String(obj2.key ?? ""),
+              ...typeof obj2.label === "string" ? { label: obj2.label } : {}
+            };
+          }
+          return String(r);
+        })
+      }
+    } : {};
     const sopsConfig = {
       default_backend: sopsObj.default_backend,
+      ...parsedAge,
       ...typeof sopsObj.aws_kms_arn === "string" ? { aws_kms_arn: sopsObj.aws_kms_arn } : {},
       ...typeof sopsObj.gcp_kms_resource_id === "string" ? { gcp_kms_resource_id: sopsObj.gcp_kms_resource_id } : {},
       ...typeof sopsObj.azure_kv_url === "string" ? { azure_kv_url: sopsObj.azure_kv_url } : {},
@@ -7829,8 +7847,8 @@ function matchesGlob(filePath, pattern) {
 var ALWAYS_SKIP_EXTENSIONS = [".enc.yaml", ".enc.json"];
 var ALWAYS_SKIP_NAMES = [
   ".clef-meta.yaml",
-  ".sops.yaml"
-  // contains age public keys and KMS ARNs — configuration, not secrets
+  "clef.yaml"
+  // manifest — contains public keys and config, not secrets
 ];
 var ALWAYS_SKIP_DIRS = ["node_modules", ".git"];
 var MAX_FILE_SIZE = 1024 * 1024;
@@ -9162,9 +9180,12 @@ var SopsClient = class {
     }
     let result;
     try {
+      const configPath = process.platform === "win32" ? "NUL" : "/dev/null";
       result = await this.runner.run(
         this.sopsCommand,
         [
+          "--config",
+          configPath,
           "encrypt",
           ...args,
           "--input-type",
@@ -9401,8 +9422,15 @@ var SopsClient = class {
       pgp_fingerprint: manifest.sops.pgp_fingerprint
     };
     switch (config.backend) {
-      case "age":
+      case "age": {
+        const envRecipients = environment ? resolveRecipientsForEnvironment(manifest, environment) : void 0;
+        const recipients = envRecipients ?? manifest.sops.age?.recipients ?? [];
+        const keys = recipients.map((r) => typeof r === "string" ? r : r.key);
+        if (keys.length > 0) {
+          args.push("--age", keys.join(","));
+        }
         break;
+      }
       case "awskms":
         if (config.aws_kms_arn) {
           args.push("--kms", config.aws_kms_arn);
@@ -11437,14 +11465,13 @@ var crypto4 = __toESM(require("crypto"));
 var crypto3 = __toESM(require("crypto"));
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v2",
+    "clef-sig-v3",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
     artifact.revision,
     artifact.packedAt,
     artifact.ciphertextHash,
-    [...artifact.keys].sort().join(","),
     artifact.expiresAt ?? "",
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
@@ -11567,7 +11594,6 @@ var ArtifactPacker = class {
           revision,
           ciphertextHash,
           ciphertext,
-          keys: Object.keys(resolved.values),
           envelope: {
             provider: kmsConfig.provider,
             keyId: kmsConfig.keyId,
@@ -11601,8 +11627,7 @@ var ArtifactPacker = class {
         packedAt: (/* @__PURE__ */ new Date()).toISOString(),
         revision,
         ciphertextHash,
-        ciphertext,
-        keys: Object.keys(resolved.values)
+        ciphertext
       };
     }
     const outputDir = path19.dirname(config.outputPath);
@@ -11665,7 +11690,7 @@ var BackendMigrator = class {
     this.encryption = encryption;
     this.matrixManager = matrixManager;
   }
-  async migrate(manifest, repoRoot, options, callbacks, onProgress) {
+  async migrate(manifest, repoRoot, options, onProgress) {
     const { target, environment, dryRun, skipVerify } = options;
     if (environment) {
       const env = manifest.environments.find((e) => e.name === environment);
@@ -11735,14 +11760,11 @@ var BackendMigrator = class {
     }
     const manifestPath = path20.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const manifestBackup = fs17.readFileSync(manifestPath, "utf-8");
-    const sopsYamlPath = path20.join(repoRoot, ".sops.yaml");
-    const sopsYamlBackup = fs17.existsSync(sopsYamlPath) ? fs17.readFileSync(sopsYamlPath, "utf-8") : void 0;
     const fileBackups = /* @__PURE__ */ new Map();
     const doc = readManifestYaml(repoRoot);
     this.updateManifestDoc(doc, target, environment);
     writeManifestYaml(repoRoot, doc);
     const updatedManifest = YAML11.parse(YAML11.stringify(doc));
-    callbacks.regenerateSopsConfig();
     const migratedFiles = [];
     for (const cell of toMigrate) {
       try {
@@ -11761,7 +11783,7 @@ var BackendMigrator = class {
         );
         migratedFiles.push(cell.filePath);
       } catch (err) {
-        this.rollback(manifestPath, manifestBackup, sopsYamlPath, sopsYamlBackup, fileBackups);
+        this.rollback(manifestPath, manifestBackup, fileBackups);
         const errorMsg = err instanceof Error ? err.message : String(err);
         onProgress?.({
           type: "warn",
@@ -11825,15 +11847,10 @@ var BackendMigrator = class {
       }
     }
   }
-  rollback(manifestPath, manifestBackup, sopsYamlPath, sopsYamlBackup, fileBackups) {
+  rollback(manifestPath, manifestBackup, fileBackups) {
     for (const [filePath, backup] of fileBackups) {
       fs17.writeFileSync(filePath, backup, "utf-8");
     }
-    if (sopsYamlBackup !== void 0) {
-      fs17.writeFileSync(sopsYamlPath, sopsYamlBackup, "utf-8");
-    } else if (fs17.existsSync(sopsYamlPath)) {
-      fs17.unlinkSync(sopsYamlPath);
-    }
     fs17.writeFileSync(manifestPath, manifestBackup, "utf-8");
   }
   checkAgeRecipientsWarning(manifest, target, environment, warnings) {