@clef-sh/core 0.1.11-beta.62 → 0.1.11-beta.68
- package/dist/artifact/packer.d.ts.map +1 -1
- package/dist/artifact/signer.d.ts +2 -2
- package/dist/artifact/signer.d.ts.map +1 -1
- package/dist/artifact/types.d.ts +0 -2
- package/dist/artifact/types.d.ts.map +1 -1
- package/dist/index.js +36 -19
- package/dist/index.js.map +3 -3
- package/dist/index.mjs +36 -19
- package/dist/index.mjs.map +3 -3
- package/dist/manifest/parser.d.ts.map +1 -1
- package/dist/migration/backend.d.ts +1 -3
- package/dist/migration/backend.d.ts.map +1 -1
- package/dist/sops/client.d.ts.map +1 -1
- package/dist/types/index.d.ts +6 -0
- package/dist/types/index.d.ts.map +1 -1
- package/package.json +1 -1
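--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -462,8 +462,26 @@ var ManifestParser = class {
 "sops.default_backend"
 );
 }
+const ageObj = sopsObj.age;
+const ageRecipients = ageObj && Array.isArray(ageObj.recipients) ? ageObj.recipients : void 0;
+const parsedAge = ageRecipients ? {
+age: {
+recipients: ageRecipients.map((r) => {
+if (typeof r === "string") return r;
+if (typeof r === "object" && r !== null) {
+const obj2 = r;
+return {
+key: String(obj2.key ?? ""),
+...typeof obj2.label === "string" ? { label: obj2.label } : {}
+};
+}
+return String(r);
+})
+}
+} : {};
 const sopsConfig = {
 default_backend: sopsObj.default_backend,
+...parsedAge,
 ...typeof sopsObj.aws_kms_arn === "string" ? { aws_kms_arn: sopsObj.aws_kms_arn } : {},
 ...typeof sopsObj.gcp_kms_resource_id === "string" ? { gcp_kms_resource_id: sopsObj.gcp_kms_resource_id } : {},
 ...typeof sopsObj.azure_kv_url === "string" ? { azure_kv_url: sopsObj.azure_kv_url } : {},
@@ -829,8 +847,8 @@ function matchesGlob(filePath, pattern) {
 var ALWAYS_SKIP_EXTENSIONS = [".enc.yaml", ".enc.json"];
 var ALWAYS_SKIP_NAMES = [
 ".clef-meta.yaml",
-".
-// contains
+"clef.yaml"
+// manifest — contains public keys and config, not secrets
 ];
 var ALWAYS_SKIP_DIRS = ["node_modules", ".git"];
 var MAX_FILE_SIZE = 1024 * 1024;
@@ -2162,9 +2180,12 @@ var SopsClient = class {
 }
 let result;
 try {
+const configPath = process.platform === "win32" ? "NUL" : "/dev/null";
 result = await this.runner.run(
 this.sopsCommand,
 [
+"--config",
+configPath,
 "encrypt",
 ...args,
 "--input-type",
@@ -2401,8 +2422,15 @@ var SopsClient = class {
 pgp_fingerprint: manifest.sops.pgp_fingerprint
 };
 switch (config.backend) {
-case "age":
+case "age": {
+const envRecipients = environment ? resolveRecipientsForEnvironment(manifest, environment) : void 0;
+const recipients = envRecipients ?? manifest.sops.age?.recipients ?? [];
+const keys = recipients.map((r) => typeof r === "string" ? r : r.key);
+if (keys.length > 0) {
+args.push("--age", keys.join(","));
+}
 break;
+}
 case "awskms":
 if (config.aws_kms_arn) {
 args.push("--kms", config.aws_kms_arn);
@@ -4437,14 +4465,13 @@ import * as crypto3 from "crypto";
 import * as crypto2 from "crypto";
 function buildSigningPayload(artifact) {
 const fields = [
-"clef-sig-
+"clef-sig-v3",
 String(artifact.version),
 artifact.identity,
 artifact.environment,
 artifact.revision,
 artifact.packedAt,
 artifact.ciphertextHash,
-[...artifact.keys].sort().join(","),
 artifact.expiresAt ?? "",
 artifact.envelope?.provider ?? "",
 artifact.envelope?.keyId ?? "",
@@ -4567,7 +4594,6 @@ var ArtifactPacker = class {
 revision,
 ciphertextHash,
 ciphertext,
-keys: Object.keys(resolved.values),
 envelope: {
 provider: kmsConfig.provider,
 keyId: kmsConfig.keyId,
@@ -4601,8 +4627,7 @@ var ArtifactPacker = class {
 packedAt: (/* @__PURE__ */ new Date()).toISOString(),
 revision,
 ciphertextHash,
-ciphertext
-keys: Object.keys(resolved.values)
+ciphertext
 };
 }
 const outputDir = path19.dirname(config.outputPath);
@@ -4665,7 +4690,7 @@ var BackendMigrator = class {
 this.encryption = encryption;
 this.matrixManager = matrixManager;
 }
-async migrate(manifest, repoRoot, options,
+async migrate(manifest, repoRoot, options, onProgress) {
 const { target, environment, dryRun, skipVerify } = options;
 if (environment) {
 const env = manifest.environments.find((e) => e.name === environment);
@@ -4735,14 +4760,11 @@ var BackendMigrator = class {
 }
 const manifestPath = path20.join(repoRoot, CLEF_MANIFEST_FILENAME);
 const manifestBackup = fs17.readFileSync(manifestPath, "utf-8");
-const sopsYamlPath = path20.join(repoRoot, ".sops.yaml");
-const sopsYamlBackup = fs17.existsSync(sopsYamlPath) ? fs17.readFileSync(sopsYamlPath, "utf-8") : void 0;
 const fileBackups = /* @__PURE__ */ new Map();
 const doc = readManifestYaml(repoRoot);
 this.updateManifestDoc(doc, target, environment);
 writeManifestYaml(repoRoot, doc);
 const updatedManifest = YAML11.parse(YAML11.stringify(doc));
-callbacks.regenerateSopsConfig();
 const migratedFiles = [];
 for (const cell of toMigrate) {
 try {
@@ -4761,7 +4783,7 @@ var BackendMigrator = class {
 );
 migratedFiles.push(cell.filePath);
 } catch (err) {
-this.rollback(manifestPath, manifestBackup,
+this.rollback(manifestPath, manifestBackup, fileBackups);
 const errorMsg = err instanceof Error ? err.message : String(err);
 onProgress?.({
 type: "warn",
@@ -4825,15 +4847,10 @@ var BackendMigrator = class {
 }
 }
 }
-rollback(manifestPath, manifestBackup,
+rollback(manifestPath, manifestBackup, fileBackups) {
 for (const [filePath, backup] of fileBackups) {
 fs17.writeFileSync(filePath, backup, "utf-8");
 }
-if (sopsYamlBackup !== void 0) {
-fs17.writeFileSync(sopsYamlPath, sopsYamlBackup, "utf-8");
-} else if (fs17.existsSync(sopsYamlPath)) {
-fs17.unlinkSync(sopsYamlPath);
-}
 fs17.writeFileSync(manifestPath, manifestBackup, "utf-8");
 }
 checkAgeRecipientsWarning(manifest, target, environment, warnings) {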
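Review bot: In the `case "age"` hunk (new lines 2425–2433) an empty recipient list silently skips `--age`, and because the encrypt call now passes `--config` pointing at the null device, nothing from the manifest tells sops who may decrypt; depending on sops' behaviour it either fails with a generic error or, presumably, takes recipients from its own environment (e.g. `SOPS_AGE_RECIPIENTS`). Failing closed would be safer there: `if (keys.length === 0) throw new Error("no age recipients configured");`. The parser hunk at new lines 465–481 feeds this list and coerces instead of validating — `String(obj2.key ?? "")` yields an empty key and `String(r)` turns `null` or a number into text — so rejecting entries that are not non-empty strings at parse time would keep malformed recipients out of `keys.join(",")`. The enclosing method and its `switch` start and end outside the hunk, so whether a caller already checks for empty recipients is not visible here.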