@clef-sh/core 0.1.11-beta.68 → 0.1.11-beta.74

package/dist/index.js

@@ -608,7 +608,7 @@ var require_age_encryption = __commonJS({
       };
     }
     // @__NO_SIDE_EFFECTS__
-    function join18(separator = "") {
+    function join21(separator = "") {
       astr("join", separator);
       return {
         encode: (from) => {
@@ -738,9 +738,9 @@ var require_age_encryption = __commonJS({
       decode(s) {
         return decodeBase64Builtin(s, false);
       }
-    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join18(""));
-    var base64nopad = /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join18(""));
-    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join18(""));
+    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join21(""));
+    var base64nopad = /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join21(""));
+    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join21(""));
     var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
     function bech32Polymod(pre) {
       const b = pre >> 25;
@@ -6921,7 +6921,9 @@ __export(index_exports, {
   CLEF_SUPPORTED_EXTENSIONS: () => CLEF_SUPPORTED_EXTENSIONS,
   ClefError: () => ClefError,
   CloudApiError: () => CloudApiError,
+  CloudArtifactClient: () => CloudArtifactClient,
   CloudClient: () => CloudClient,
+  CloudPackClient: () => CloudPackClient,
   ConsumptionClient: () => ConsumptionClient,
   DiffEngine: () => DiffEngine,
   DriftDetector: () => DriftDetector,
@@ -6965,6 +6967,7 @@ __export(index_exports, {
   generateRandomValue: () => generateRandomValue,
   generateSigningKeyPair: () => generateSigningKeyPair,
   getPendingKeys: () => getPendingKeys,
+  initiateDeviceFlow: () => initiateDeviceFlow,
   isHighEntropy: () => isHighEntropy,
   isKmsEnvelope: () => isKmsEnvelope,
   isPending: () => isPending,
@@ -6982,13 +6985,17 @@ __export(index_exports, {
   parseIgnoreContent: () => parseIgnoreContent,
   parseJson: () => parseJson,
   parseYaml: () => parseYaml,
+  pollDeviceFlow: () => pollDeviceFlow,
+  readCloudCredentials: () => readCloudCredentials,
   readManifestYaml: () => readManifestYaml,
   redactValue: () => redactValue,
   removeAccessRequest: () => removeRequest,
   requestsFilePath: () => requestsFilePath,
+  resetKeyserviceResolution: () => resetKeyserviceResolution,
   resetSopsResolution: () => resetSopsResolution,
   resolveBackendConfig: () => resolveBackendConfig,
   resolveIdentitySecrets: () => resolveIdentitySecrets,
+  resolveKeyservicePath: () => resolveKeyservicePath,
   resolveRecipientsForEnvironment: () => resolveRecipientsForEnvironment,
   resolveSopsPath: () => resolveSopsPath,
   saveMetadata: () => saveMetadata,
@@ -6998,9 +7005,11 @@ __export(index_exports, {
   shouldIgnoreMatch: () => shouldIgnoreMatch,
   signEd25519: () => signEd25519,
   signKms: () => signKms,
+  spawnKeyservice: () => spawnKeyservice,
   upsertRequest: () => upsertRequest,
   validateAgePublicKey: () => validateAgePublicKey,
   verifySignature: () => verifySignature,
+  writeCloudCredentials: () => writeCloudCredentials,
   writeManifestYaml: () => writeManifestYaml
 });
 module.exports = __toCommonJS(index_exports);
@@ -7155,7 +7164,7 @@ function keyPreview(key) {
 
 // src/manifest/parser.ts
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
-var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp"];
+var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp", "cloud"];
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
@@ -7680,7 +7689,26 @@ var ManifestParser = class {
           "cloud"
         );
       }
-      cloud = { integrationId: cloudObj.integrationId };
+      if (typeof cloudObj.keyId !== "string" || cloudObj.keyId.length === 0) {
+        throw new ManifestValidationError(
+          "Field 'cloud.keyId' is required and must be a non-empty string.",
+          "cloud"
+        );
+      }
+      if (!/^clef:[a-z0-9_]+\/[a-z0-9_-]+$/.test(cloudObj.keyId)) {
+        throw new ManifestValidationError(
+          `Field 'cloud.keyId' has invalid format '${cloudObj.keyId}'. Must match: clef:<integrationId>/<keyAlias>`,
+          "cloud"
+        );
+      }
+      cloud = { integrationId: cloudObj.integrationId, keyId: cloudObj.keyId };
+    }
+    const usesCloudBackend = sopsConfig.default_backend === "cloud" || environments.some((e) => e.sops?.backend === "cloud");
+    if (usesCloudBackend && !cloud) {
+      throw new ManifestValidationError(
+        "One or more environments use the 'cloud' backend but the manifest is missing the top-level 'cloud' block with 'integrationId' and 'keyId'.",
+        "cloud"
+      );
     }
     return {
       version: 1,
@@ -9088,14 +9116,18 @@ var SopsClient = class {
    *   to the subprocess environment.
    * @param sopsPath - Optional explicit path to the sops binary. When omitted,
    *   resolved automatically via {@link resolveSopsPath}.
+   * @param keyserviceAddr - Optional keyservice address (e.g. `tcp://127.0.0.1:12345`).
+   *   When set, all SOPS invocations include `--enable-local-keyservice=false --keyservice <addr>`.
    */
-  constructor(runner, ageKeyFile, ageKey, sopsPath) {
+  constructor(runner, ageKeyFile, ageKey, sopsPath, keyserviceAddr) {
     this.runner = runner;
     this.ageKeyFile = ageKeyFile;
     this.ageKey = ageKey;
     this.sopsCommand = sopsPath ?? resolveSopsPath().path;
+    this.keyserviceArgs = keyserviceAddr ? ["--enable-local-keyservice=false", "--keyservice", keyserviceAddr] : [];
   }
   sopsCommand;
+  keyserviceArgs;
   buildSopsEnv() {
     const env = {};
     if (this.ageKey) {
@@ -9120,7 +9152,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      ["decrypt", "--output-type", fmt, filePath],
+      [...this.keyserviceArgs, "decrypt", "--output-type", fmt, filePath],
       {
         ...env ? { env } : {}
       }
@@ -9186,6 +9218,7 @@ var SopsClient = class {
         [
           "--config",
           configPath,
+          ...this.keyserviceArgs,
           "encrypt",
           ...args,
           "--input-type",
@@ -9240,7 +9273,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      ["rotate", "-i", "--add-age", key, filePath],
+      [...this.keyserviceArgs, "rotate", "-i", "--add-age", key, filePath],
       {
         ...env ? { env } : {}
       }
@@ -9264,7 +9297,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      ["rotate", "-i", "--rm-age", key, filePath],
+      [...this.keyserviceArgs, "rotate", "-i", "--rm-age", key, filePath],
       {
         ...env ? { env } : {}
       }
@@ -9376,7 +9409,13 @@ var SopsClient = class {
   }
   detectBackend(sops) {
     if (sops.age && Array.isArray(sops.age) && sops.age.length > 0) return "age";
-    if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) return "awskms";
+    if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) {
+      const firstArn = sops.kms[0]?.arn;
+      if (typeof firstArn === "string" && firstArn.startsWith("clef:")) {
+        return "cloud";
+      }
+      return "awskms";
+    }
     if (sops.gcp_kms && Array.isArray(sops.gcp_kms) && sops.gcp_kms.length > 0)
       return "gcpkms";
     if (sops.azure_kv && Array.isArray(sops.azure_kv) && sops.azure_kv.length > 0)
@@ -9390,6 +9429,7 @@ var SopsClient = class {
         const entries = sops.age;
         return entries?.map((e) => String(e.recipient ?? "")) ?? [];
       }
+      case "cloud":
       case "awskms": {
         const entries = sops.kms;
         return entries?.map((e) => String(e.arn ?? "")) ?? [];
@@ -9451,6 +9491,13 @@ var SopsClient = class {
           args.push("--pgp", config.pgp_fingerprint);
         }
         break;
+      case "cloud": {
+        const cloudKeyId = manifest.cloud?.keyId;
+        if (cloudKeyId) {
+          args.push("--kms", cloudKeyId);
+        }
+        break;
+      }
     }
     return args;
   }
@@ -11675,7 +11722,8 @@ var BACKEND_KEY_FIELDS = {
   awskms: "aws_kms_arn",
   gcpkms: "gcp_kms_resource_id",
   azurekv: "azure_kv_url",
-  pgp: "pgp_fingerprint"
+  pgp: "pgp_fingerprint",
+  cloud: void 0
 };
 var ALL_KEY_FIELDS = Object.values(BACKEND_KEY_FIELDS).filter(
   (v) => v !== void 0
@@ -11863,6 +11911,276 @@ var BackendMigrator = class {
     }
   }
 };
+
+// src/cloud/keyservice.ts
+var import_child_process = require("child_process");
+var readline = __toESM(require("readline"));
+var PORT_REGEX = /^PORT=(\d+)$/;
+var STARTUP_TIMEOUT_MS = 5e3;
+var SHUTDOWN_TIMEOUT_MS = 3e3;
+async function spawnKeyservice(options) {
+  const args = ["--addr", "127.0.0.1:0"];
+  if (options.endpoint) {
+    args.push("--endpoint", options.endpoint);
+  }
+  const child = (0, import_child_process.spawn)(options.binaryPath, args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    env: { ...process.env, CLEF_CLOUD_TOKEN: options.token }
+  });
+  const port = await readPort(child);
+  const addr = `tcp://127.0.0.1:${port}`;
+  return {
+    addr,
+    kill: () => killGracefully(child)
+  };
+}
+function readPort(child) {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const rl = readline.createInterface({ input: child.stdout });
+    function settle() {
+      clearTimeout(timer);
+      rl.close();
+    }
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        settle();
+        child.kill("SIGKILL");
+        reject(new Error("Keyservice did not start within 5 seconds."));
+      }
+    }, STARTUP_TIMEOUT_MS);
+    rl.on("line", (line) => {
+      const match = PORT_REGEX.exec(line);
+      if (match && !settled) {
+        settled = true;
+        settle();
+        resolve(parseInt(match[1], 10));
+      }
+    });
+    child.on("error", (err) => {
+      if (!settled) {
+        settled = true;
+        settle();
+        reject(new Error(`Failed to start keyservice: ${err.message}`));
+      }
+    });
+    child.on("exit", (code) => {
+      if (!settled) {
+        settled = true;
+        settle();
+        reject(new Error(`Keyservice exited unexpectedly with code ${code}.`));
+      }
+    });
+  });
+}
+function killGracefully(child) {
+  return new Promise((resolve) => {
+    if (child.exitCode !== null) {
+      resolve();
+      return;
+    }
+    const timer = setTimeout(() => {
+      child.kill("SIGKILL");
+    }, SHUTDOWN_TIMEOUT_MS);
+    child.on("exit", () => {
+      clearTimeout(timer);
+      resolve();
+    });
+    child.kill("SIGTERM");
+  });
+}
+
+// src/cloud/resolver.ts
+var fs19 = __toESM(require("fs"));
+var path22 = __toESM(require("path"));
+
+// src/cloud/bundled.ts
+var fs18 = __toESM(require("fs"));
+var path21 = __toESM(require("path"));
+function tryBundledKeyservice() {
+  const platform = process.platform;
+  const arch = process.arch;
+  const archName = arch === "x64" ? "x64" : arch === "arm64" ? "arm64" : null;
+  if (!archName) return null;
+  const platformName = platform === "darwin" ? "darwin" : platform === "linux" ? "linux" : platform === "win32" ? "win32" : null;
+  if (!platformName) return null;
+  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;
+  const binName = platform === "win32" ? "clef-keyservice.exe" : "clef-keyservice";
+  try {
+    const packageMain = require.resolve(`${packageName}/package.json`);
+    const packageDir = path21.dirname(packageMain);
+    const binPath = path21.join(packageDir, "bin", binName);
+    return fs18.existsSync(binPath) ? binPath : null;
+  } catch {
+    return null;
+  }
+}
+
+// src/cloud/resolver.ts
+function validateKeyservicePath(candidate) {
+  if (!path22.isAbsolute(candidate)) {
+    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
+  }
+  const segments = candidate.split(/[/\\]/);
+  if (segments.includes("..")) {
+    throw new Error(
+      `CLEF_KEYSERVICE_PATH contains '..' path segments ('${candidate}'). Use an absolute path without directory traversal.`
+    );
+  }
+}
+var cached2;
+function resolveKeyservicePath() {
+  if (cached2) return cached2;
+  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
+  if (envPath) {
+    validateKeyservicePath(envPath);
+    if (!fs19.existsSync(envPath)) {
+      throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
+    }
+    cached2 = { path: envPath, source: "env" };
+    return cached2;
+  }
+  const bundledPath = tryBundledKeyservice();
+  if (bundledPath) {
+    cached2 = { path: bundledPath, source: "bundled" };
+    return cached2;
+  }
+  cached2 = { path: "clef-keyservice", source: "system" };
+  return cached2;
+}
+function resetKeyserviceResolution() {
+  cached2 = void 0;
+}
+
+// src/cloud/credentials.ts
+var fs20 = __toESM(require("fs"));
+var path23 = __toESM(require("path"));
+var os2 = __toESM(require("os"));
+var YAML12 = __toESM(require("yaml"));
+
+// src/cloud/constants.ts
+var CLOUD_DEFAULT_ENDPOINT = "https://api.clef.sh";
+
+// src/cloud/credentials.ts
+var CREDENTIALS_FILENAME = "credentials.yaml";
+function readCloudCredentials() {
+  const credPath = path23.join(os2.homedir(), ".clef", CREDENTIALS_FILENAME);
+  let raw;
+  try {
+    raw = YAML12.parse(fs20.readFileSync(credPath, "utf-8"));
+  } catch {
+    return null;
+  }
+  if (!raw || typeof raw !== "object") return null;
+  const obj = raw;
+  if (typeof obj.token !== "string" || obj.token.length === 0) return null;
+  return {
+    token: obj.token,
+    endpoint: typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT
+  };
+}
+function writeCloudCredentials(credentials) {
+  const clefDir = path23.join(os2.homedir(), ".clef");
+  fs20.mkdirSync(clefDir, { recursive: true, mode: 448 });
+  const credPath = path23.join(clefDir, CREDENTIALS_FILENAME);
+  const content = { token: credentials.token };
+  if (credentials.endpoint) {
+    content.endpoint = credentials.endpoint;
+  }
+  fs20.writeFileSync(credPath, YAML12.stringify(content), { mode: 384 });
+}
+
+// src/cloud/device-flow.ts
+async function initiateDeviceFlow(endpoint, options) {
+  const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  const res = await fetch(`${base}/api/v1/device/init`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      clientType: "cli",
+      clientVersion: options.clientVersion,
+      repoName: options.repoName,
+      environment: options.environment
+    })
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Device flow init failed (${res.status}): ${body}`);
+  }
+  return await res.json();
+}
+async function pollDeviceFlow(pollUrl) {
+  const res = await fetch(pollUrl);
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Device flow poll failed (${res.status}): ${body}`);
+  }
+  return await res.json();
+}
+
+// src/cloud/pack-client.ts
+var fs21 = __toESM(require("fs"));
+var path24 = __toESM(require("path"));
+var CloudPackClient = class {
+  endpoint;
+  constructor(endpoint) {
+    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  }
+  async pack(token, config) {
+    const matrixManager = new MatrixManager();
+    const cells = matrixManager.resolveMatrix(config.manifest, config.repoRoot).filter((c) => c.environment === config.environment && c.exists);
+    const formData = new FormData();
+    const configJson = JSON.stringify({
+      identity: config.identity,
+      environment: config.environment,
+      ...config.ttl ? { ttl: config.ttl } : {}
+    });
+    formData.append("config", new Blob([configJson], { type: "application/json" }));
+    const manifestPath = path24.join(config.repoRoot, "clef.yaml");
+    const manifestContent = fs21.readFileSync(manifestPath, "utf-8");
+    formData.append("manifest", new Blob([manifestContent], { type: "text/yaml" }));
+    for (const cell of cells) {
+      const relPath = path24.relative(config.repoRoot, cell.filePath);
+      const content = fs21.readFileSync(cell.filePath, "utf-8");
+      formData.append(`files`, new Blob([content], { type: "text/yaml" }), relPath);
+    }
+    const res = await fetch(`${this.endpoint}/api/v1/cloud/pack`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}` },
+      body: formData
+    });
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(`Cloud pack failed (${res.status}): ${body}`);
+    }
+    return await res.json();
+  }
+};
+var CloudArtifactClient = class {
+  endpoint;
+  constructor(endpoint) {
+    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  }
+  async upload(token, config) {
+    const content = fs21.readFileSync(config.artifactPath, "utf-8");
+    const res = await fetch(
+      `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,
+      {
+        method: "PUT",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: content
+      }
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(`Artifact upload failed (${res.status}): ${body}`);
+    }
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ArtifactPacker,
@@ -11873,7 +12191,9 @@ var BackendMigrator = class {
   CLEF_SUPPORTED_EXTENSIONS,
   ClefError,
   CloudApiError,
+  CloudArtifactClient,
   CloudClient,
+  CloudPackClient,
   ConsumptionClient,
   DiffEngine,
   DriftDetector,
@@ -11917,6 +12237,7 @@ var BackendMigrator = class {
   generateRandomValue,
   generateSigningKeyPair,
   getPendingKeys,
+  initiateDeviceFlow,
   isHighEntropy,
   isKmsEnvelope,
   isPending,
@@ -11934,13 +12255,17 @@ var BackendMigrator = class {
   parseIgnoreContent,
   parseJson,
   parseYaml,
+  pollDeviceFlow,
+  readCloudCredentials,
   readManifestYaml,
   redactValue,
   removeAccessRequest,
   requestsFilePath,
+  resetKeyserviceResolution,
   resetSopsResolution,
   resolveBackendConfig,
   resolveIdentitySecrets,
+  resolveKeyservicePath,
   resolveRecipientsForEnvironment,
   resolveSopsPath,
   saveMetadata,
@@ -11950,9 +12275,11 @@ var BackendMigrator = class {
   shouldIgnoreMatch,
   signEd25519,
   signKms,
+  spawnKeyservice,
   upsertRequest,
   validateAgePublicKey,
   verifySignature,
+  writeCloudCredentials,
   writeManifestYaml
 });
 /*! Bundled license information: