@clef-sh/core 0.1.11-beta.74 → 0.1.12-beta.85

@@ -0,0 +1,18 @@
1
+ import type { PackOutput, PackedArtifact } from "./types";
2
+ /** Writes the packed artifact to a local file (atomic rename). */
3
+ export declare class FilePackOutput implements PackOutput {
4
+ private readonly outputPath;
5
+ constructor(outputPath: string);
6
+ write(_artifact: PackedArtifact, json: string): Promise<void>;
7
+ }
8
+ /** Keeps the packed artifact in memory. Used by `clef serve` to avoid disk I/O. */
9
+ export declare class MemoryPackOutput implements PackOutput {
10
+ private _artifact;
11
+ private _json;
12
+ write(artifact: PackedArtifact, json: string): Promise<void>;
13
+ /** The packed artifact, or null if `write` hasn't been called. */
14
+ get artifact(): PackedArtifact | null;
15
+ /** The serialized JSON, or null if `write` hasn't been called. */
16
+ get json(): string | null;
17
+ }
18
+ //# sourceMappingURL=output.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"output.d.ts","sourceRoot":"","sources":["../../src/artifact/output.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1D,kEAAkE;AAClE,qBAAa,cAAe,YAAW,UAAU;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,MAAM;IAEzC,KAAK,CAAC,SAAS,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CASpE;AAED,mFAAmF;AACnF,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,SAAS,CAA+B;IAChD,OAAO,CAAC,KAAK,CAAuB;IAE9B,KAAK,CAAC,QAAQ,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKlE,kEAAkE;IAClE,IAAI,QAAQ,IAAI,cAAc,GAAG,IAAI,CAEpC;IAED,kEAAkE;IAClE,IAAI,IAAI,IAAI,MAAM,GAAG,IAAI,CAExB;CACF"}
@@ -1 +1 @@
1
- {"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAIjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAmI9F"}
1
+ {"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAKjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA+H9F"}
@@ -39,14 +39,20 @@ export interface PackedArtifact {
39
39
  /** Algorithm used to produce the signature. */
40
40
  signatureAlgorithm?: SignatureAlgorithm;
41
41
  }
42
+ /** Output backend for packed artifacts. */
43
+ export interface PackOutput {
44
+ write(artifact: PackedArtifact, json: string): Promise<void>;
45
+ }
42
46
  /** Configuration for the `pack` command. */
43
47
  export interface PackConfig {
44
48
  /** Service identity name from the manifest. */
45
49
  identity: string;
46
50
  /** Target environment name. */
47
51
  environment: string;
48
- /** Local file path to write the artifact JSON to. */
49
- outputPath: string;
52
+ /** Local file path to write the artifact JSON to. Used when `output` is not provided. */
53
+ outputPath?: string;
54
+ /** Output backend. When provided, `outputPath` is ignored and the backend handles storage. */
55
+ output?: PackOutput;
50
56
  /** TTL in seconds — embeds an `expiresAt` timestamp in the artifact envelope. */
51
57
  ttl?: number;
52
58
  /** Ed25519 private key for artifact signing (base64-encoded DER PKCS8). */
@@ -56,7 +62,7 @@ export interface PackConfig {
56
62
  }
57
63
  /** Result of a pack operation. */
58
64
  export interface PackResult {
59
- /** Path where the artifact was written. */
65
+ /** Path where the artifact was written (empty string for non-file outputs). */
60
66
  outputPath: string;
61
67
  /** Number of namespaces included. */
62
68
  namespaceCount: number;
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,4GAA4G;IAC5G,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,4GAA4G;IAC5G,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,2CAA2C;AAC3C,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,QAAQ,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8FAA8F;IAC9F,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}
@@ -1 +1 @@
1
- {"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/cloud/credentials.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAKrD;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,oBAAoB,GAAG,IAAI,CAkBlE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,oBAAoB,GAAG,IAAI,CAS7E"}
1
+ {"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/cloud/credentials.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAKrD;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,oBAAoB,GAAG,IAAI,CAqBlE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,oBAAoB,GAAG,IAAI,CAS7E"}
@@ -5,14 +5,23 @@ export interface DeviceSession {
5
5
  /** Session lifetime in seconds. */
6
6
  expiresIn: number;
7
7
  }
8
+ export type DeviceFlowType = "login" | "setup";
8
9
  export interface DevicePollResult {
9
10
  status: "pending" | "awaiting_payment" | "complete" | "cancelled" | "expired";
10
- /** Present when status is "complete". */
11
+ /** Cognito refresh token. Present when status is "complete". */
11
12
  token?: string;
13
+ /** Cognito access token. Present when status is "complete". */
14
+ accessToken?: string;
15
+ /** Access token lifetime in seconds. Present alongside accessToken. */
16
+ accessTokenExpiresIn?: number;
12
17
  /** Present when status is "complete". */
13
18
  integrationId?: string;
14
19
  /** Present when status is "complete". */
15
20
  keyId?: string;
21
+ /** Cognito OAuth2 domain URL for token refresh. Present when status is "complete". */
22
+ cognitoDomain?: string;
23
+ /** CLI Cognito app client ID. Present when status is "complete". */
24
+ clientId?: string;
16
25
  }
17
26
  /**
18
27
  * Initiate a device flow session with the Cloud API.
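Review bot: `DevicePollResult` now carries a Cognito refresh token in `token` and an access token in `accessToken`, but nothing on the type marks them as secrets, so a caller that logs or serializes a poll result for debugging will write both credentials out. I would say so on the fields, for example `/** Cognito refresh token (secret: never log or echo). Present when status is "complete". */`, with the same wording on `accessToken`. The doc comments state these fields are present only when `status` is "complete"; a discriminated union on `status` would let the compiler enforce that instead of leaving six optional fields for callers to guess at. The comment block at the end of this hunk continues outside it.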
@@ -23,8 +32,9 @@ export interface DevicePollResult {
23
32
  */
24
33
  export declare function initiateDeviceFlow(endpoint: string | undefined, options: {
25
34
  repoName: string;
26
- environment: string;
35
+ environment?: string;
27
36
  clientVersion: string;
37
+ flow: DeviceFlowType;
28
38
  }): Promise<DeviceSession>;
29
39
  /**
30
40
  * Poll a device flow session for completion.
@@ -1 +1 @@
1
- {"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/cloud/device-flow.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,SAAS,GAAG,kBAAkB,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,CAAC;IAC9E,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,OAAO,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GACxE,OAAO,CAAC,aAAa,CAAC,CAmBxB;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAS/E"}
1
+ {"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/cloud/device-flow.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,OAAO,CAAC;AAE/C,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,SAAS,GAAG,kBAAkB,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,CAAC;IAC9E,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uEAAuE;IACvE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,yCAAyC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sFAAsF;IACtF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,OAAO,EAAE;IACP,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,cAAc,CAAC;CACtB,GACA,OAAO,CAAC,aAAa,CAAC,CAgCxB;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAU/E"}
@@ -4,7 +4,7 @@ export { resolveKeyservicePath, resetKeyserviceResolution } from "./resolver";
4
4
  export type { KeyserviceResolution, KeyserviceSource } from "./resolver";
5
5
  export { readCloudCredentials, writeCloudCredentials } from "./credentials";
6
6
  export { initiateDeviceFlow, pollDeviceFlow } from "./device-flow";
7
- export type { DeviceSession, DevicePollResult } from "./device-flow";
7
+ export type { DeviceSession, DevicePollResult, DeviceFlowType } from "./device-flow";
8
8
  export { CloudPackClient, CloudArtifactClient } from "./pack-client";
9
9
  export type { RemotePackConfig, RemotePackResult } from "./pack-client";
10
10
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cloud/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,YAAY,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAC9E,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC5E,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACnE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACrE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cloud/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,YAAY,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAC9E,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC5E,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACnE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AACrF,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACrE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC"}
@@ -28,7 +28,7 @@ export declare class CloudArtifactClient {
28
28
  upload(token: string, config: {
29
29
  identity: string;
30
30
  environment: string;
31
- artifactPath: string;
31
+ artifactJson: string;
32
32
  }): Promise<void>;
33
33
  }
34
34
  //# sourceMappingURL=pack-client.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"pack-client.d.ts","sourceRoot":"","sources":["../../src/cloud/pack-client.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAc,MAAM,UAAU,CAAC;AAIzD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,QAAQ,CAAC,EAAE,MAAM;IAIvB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;CAsC/E;AAED;;;;GAIG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,QAAQ,CAAC,EAAE,MAAM;IAIvB,MAAM,CACV,KAAK,EAAE,MAAM,EACb,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GACtE,OAAO,CAAC,IAAI,CAAC;CAoBjB"}
1
+ {"version":3,"file":"pack-client.d.ts","sourceRoot":"","sources":["../../src/cloud/pack-client.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAc,MAAM,UAAU,CAAC;AAIzD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,QAAQ,CAAC,EAAE,MAAM;IAIvB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;CAsC/E;AAED;;;;GAIG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,QAAQ,CAAC,EAAE,MAAM;IAIvB,MAAM,CACV,KAAK,EAAE,MAAM,EACb,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GACtE,OAAO,CAAC,IAAI,CAAC;CAkBjB"}
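--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -35,12 +35,13 @@ export { ServiceIdentityManager, PartialRotationError } from "./service-identity
  export { resolveIdentitySecrets } from "./artifact/resolve";
  export type { ResolvedSecrets } from "./artifact/resolve";
  export { ArtifactPacker } from "./artifact/packer";
- export type { PackedArtifact, PackConfig, PackResult, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
+ export { FilePackOutput, MemoryPackOutput } from "./artifact/output";
+ export type { PackedArtifact, PackConfig, PackResult, PackOutput, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
  export { buildSigningPayload, generateSigningKeyPair, signEd25519, signKms, verifySignature, detectAlgorithm, } from "./artifact/signer";
  export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
  export { VALID_KMS_PROVIDERS } from "./kms";
  export { BackendMigrator } from "./migration/backend";
  export type { MigrationTarget, MigrationOptions, MigrationResult, MigrationProgressEvent, } from "./migration/backend";
  export { spawnKeyservice, resolveKeyservicePath, resetKeyserviceResolution, readCloudCredentials, writeCloudCredentials, initiateDeviceFlow, pollDeviceFlow, CloudPackClient, CloudArtifactClient, } from "./cloud";
- export type { KeyserviceHandle, KeyserviceResolution, KeyserviceSource, DeviceSession, DevicePollResult, RemotePackConfig, RemotePackResult, } from "./cloud";
+ export type { KeyserviceHandle, KeyserviceResolution, KeyserviceSource, DeviceSession, DevicePollResult, DeviceFlowType, RemotePackConfig, RemotePackResult, } from "./cloud";
  //# sourceMappingURL=index.d.ts.map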
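--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -35,12 +35,13 @@ export { ServiceIdentityManager, PartialRotationError } from "./service-identity
  export { resolveIdentitySecrets } from "./artifact/resolve";
  export type { ResolvedSecrets } from "./artifact/resolve";
  export { ArtifactPacker } from "./artifact/packer";
- export type { PackedArtifact, PackConfig, PackResult, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
+ export { FilePackOutput, MemoryPackOutput } from "./artifact/output";
+ export type { PackedArtifact, PackConfig, PackResult, PackOutput, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
  export { buildSigningPayload, generateSigningKeyPair, signEd25519, signKms, verifySignature, detectAlgorithm, } from "./artifact/signer";
  export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
  export { VALID_KMS_PROVIDERS } from "./kms";
  export { BackendMigrator } from "./migration/backend";
  export type { MigrationTarget, MigrationOptions, MigrationResult, MigrationProgressEvent, } from "./migration/backend";
  export { spawnKeyservice, resolveKeyservicePath, resetKeyserviceResolution, readCloudCredentials, writeCloudCredentials, initiateDeviceFlow, pollDeviceFlow, CloudPackClient, CloudArtifactClient, } from "./cloud";
- export type { KeyserviceHandle, KeyserviceResolution, KeyserviceSource, DeviceSession, DevicePollResult, RemotePackConfig, RemotePackResult, } from "./cloud";
+ export type { KeyserviceHandle, KeyserviceResolution, KeyserviceSource, DeviceSession, DevicePollResult, DeviceFlowType, RemotePackConfig, RemotePackResult, } from "./cloud";
  //# sourceMappingURL=index.d.ts.map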
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACpE,OAAO,EACL,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACzF,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,IAAI,mBAAmB,EACpC,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE
,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAC1F,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,cAAc,EACd,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,WAAW,EACX,OAAO,EACP,eAAe,EACf,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,yBAAyB,EACzB,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EAClB,cAAc,EACd,eAAe,EACf,mBAAmB,GACpB,MAAM,SAAS,CAAC;AACjB,YAAY,EACV,gBAAgB,EAChB,oBAAoB,EACpB,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,SAAS,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACpE,OAAO,EACL,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACzF,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,IAAI,mBAAmB,EACpC,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE
,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAC1F,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrE,YAAY,EACV,cAAc,EACd,UAAU,EACV,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,WAAW,EACX,OAAO,EACP,eAAe,EACf,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,yBAAyB,EACzB,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EAClB,cAAc,EACd,eAAe,EACf,mBAAmB,GACpB,MAAM,SAAS,CAAC;AACjB,YAAY,EACV,gBAAgB,EAChB,oBAAoB,EACpB,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,SAAS,CAAC"}
package/dist/index.js CHANGED
@@ -6927,6 +6927,7 @@ __export(index_exports, {
6927
6927
  ConsumptionClient: () => ConsumptionClient,
6928
6928
  DiffEngine: () => DiffEngine,
6929
6929
  DriftDetector: () => DriftDetector,
6930
+ FilePackOutput: () => FilePackOutput,
6930
6931
  GitIntegration: () => GitIntegration,
6931
6932
  GitOperationError: () => GitOperationError,
6932
6933
  ImportRunner: () => ImportRunner,
@@ -6934,6 +6935,7 @@ __export(index_exports, {
6934
6935
  ManifestParser: () => ManifestParser,
6935
6936
  ManifestValidationError: () => ManifestValidationError,
6936
6937
  MatrixManager: () => MatrixManager,
6938
+ MemoryPackOutput: () => MemoryPackOutput,
6937
6939
  PartialRotationError: () => PartialRotationError,
6938
6940
  REQUESTS_FILENAME: () => REQUESTS_FILENAME,
6939
6941
  REQUIREMENTS: () => REQUIREMENTS,
@@ -7544,6 +7546,12 @@ var ManifestParser = class {
7544
7546
  );
7545
7547
  }
7546
7548
  const siName = siObj.name;
7549
+ if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(siName)) {
7550
+ throw new ManifestValidationError(
7551
+ `Service identity '${siName}' has an invalid name. Names must be lowercase alphanumeric with hyphens, must not start or end with a hyphen, and max 63 characters (e.g. 'api-gateway', 'auth-service').`,
7552
+ "service_identities"
7553
+ );
7554
+ }
7547
7555
  if (siObj.description != null && typeof siObj.description !== "string") {
7548
7556
  throw new ManifestValidationError(
7549
7557
  `Service identity '${siName}' has a non-string 'description'.`,
@@ -7695,7 +7703,7 @@ var ManifestParser = class {
7695
7703
  "cloud"
7696
7704
  );
7697
7705
  }
7698
- if (!/^clef:[a-z0-9_]+\/[a-z0-9_-]+$/.test(cloudObj.keyId)) {
7706
+ if (!/^clef:[a-zA-Z0-9_]+\/[a-zA-Z0-9_-]+$/.test(cloudObj.keyId)) {
7699
7707
  throw new ManifestValidationError(
7700
7708
  `Field 'cloud.keyId' has invalid format '${cloudObj.keyId}'. Must match: clef:<integrationId>/<keyAlias>`,
7701
7709
  "cloud"
@@ -9107,6 +9115,13 @@ function openWindowsInputPipe(content) {
9107
9115
  });
9108
9116
  });
9109
9117
  }
9118
+ function cloudKeyToArn(keyId) {
9119
+ const body = keyId.replace(/^clef:/, "");
9120
+ const sep = body.indexOf("/");
9121
+ const integration = sep >= 0 ? body.slice(0, sep) : body;
9122
+ const env = sep >= 0 ? body.slice(sep + 1) : "default";
9123
+ return `arn:aws:kms:us-east-1:000000000000:alias/clef/${integration}/${env}`;
9124
+ }
9110
9125
  var SopsClient = class {
9111
9126
  /**
9112
9127
  * @param runner - Subprocess runner used to invoke the `sops` binary.
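Review bot: `cloudKeyToArn` builds an ARN with a fixed region `us-east-1` and account `000000000000` and carries no comment explaining why, so a reader cannot tell that this is (presumably) a synthetic identifier for the keyservice to resolve rather than a real AWS key. Once confirmed, a header comment such as `// Maps a validated clef:<integrationId>/<keyAlias> id to the synthetic ARN handed to sops; region and account are dummy values.` would settle it. The function also accepts any input: an id without `/` silently becomes the alias `default`, and both segments are interpolated unchecked, so it depends on the `cloud.keyId` regex in `ManifestParser` having run first. Throwing on a missing separator would make that dependency explicit.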
@@ -9152,7 +9167,7 @@ var SopsClient = class {
9152
9167
  const env = this.buildSopsEnv();
9153
9168
  const result = await this.runner.run(
9154
9169
  this.sopsCommand,
9155
- [...this.keyserviceArgs, "decrypt", "--output-type", fmt, filePath],
9170
+ ["decrypt", ...this.keyserviceArgs, "--output-type", fmt, filePath],
9156
9171
  {
9157
9172
  ...env ? { env } : {}
9158
9173
  }
@@ -9218,8 +9233,8 @@ var SopsClient = class {
9218
9233
  [
9219
9234
  "--config",
9220
9235
  configPath,
9221
- ...this.keyserviceArgs,
9222
9236
  "encrypt",
9237
+ ...this.keyserviceArgs,
9223
9238
  ...args,
9224
9239
  "--input-type",
9225
9240
  fmt,
@@ -9273,7 +9288,7 @@ var SopsClient = class {
9273
9288
  const env = this.buildSopsEnv();
9274
9289
  const result = await this.runner.run(
9275
9290
  this.sopsCommand,
9276
- [...this.keyserviceArgs, "rotate", "-i", "--add-age", key, filePath],
9291
+ ["rotate", ...this.keyserviceArgs, "-i", "--add-age", key, filePath],
9277
9292
  {
9278
9293
  ...env ? { env } : {}
9279
9294
  }
@@ -9297,7 +9312,7 @@ var SopsClient = class {
9297
9312
  const env = this.buildSopsEnv();
9298
9313
  const result = await this.runner.run(
9299
9314
  this.sopsCommand,
9300
- [...this.keyserviceArgs, "rotate", "-i", "--rm-age", key, filePath],
9315
+ ["rotate", ...this.keyserviceArgs, "-i", "--rm-age", key, filePath],
9301
9316
  {
9302
9317
  ...env ? { env } : {}
9303
9318
  }
@@ -9411,7 +9426,7 @@ var SopsClient = class {
9411
9426
  if (sops.age && Array.isArray(sops.age) && sops.age.length > 0) return "age";
9412
9427
  if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) {
9413
9428
  const firstArn = sops.kms[0]?.arn;
9414
- if (typeof firstArn === "string" && firstArn.startsWith("clef:")) {
9429
+ if (typeof firstArn === "string" && (firstArn.startsWith("clef:") || firstArn.includes("alias/clef/"))) {
9415
9430
  return "cloud";
9416
9431
  }
9417
9432
  return "awskms";
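Review bot: The added `firstArn.includes("alias/clef/")` test classifies any KMS entry whose ARN contains that substring as the `cloud` backend, including a customer's own AWS KMS alias that happens to sit under `alias/clef/`, which would then presumably be handled as a cloud key instead of `awskms`. Matching the exact prefix that `cloudKeyToArn` emits is tighter: `firstArn.startsWith("arn:aws:kms:us-east-1:000000000000:alias/clef/")`, ideally through a constant shared with that function so the two cannot drift. The enclosing method starts and ends outside the hunk.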
@@ -9494,7 +9509,7 @@ var SopsClient = class {
9494
9509
  case "cloud": {
9495
9510
  const cloudKeyId = manifest.cloud?.keyId;
9496
9511
  if (cloudKeyId) {
9497
- args.push("--kms", cloudKeyId);
9512
+ args.push("--kms", cloudKeyToArn(cloudKeyId));
9498
9513
  }
9499
9514
  break;
9500
9515
  }
@@ -10961,7 +10976,7 @@ var CloudClient = class {
10961
10976
  response = await fetch(url, init);
10962
10977
  } catch (retryErr) {
10963
10978
  throw new CloudApiError(
10964
- `Network error contacting Clef Pro: ${retryErr.message}`,
10979
+ `Network error contacting Clef Cloud: ${retryErr.message}`,
10965
10980
  0,
10966
10981
  "Check your network connection and CLEF_API_URL."
10967
10982
  );
@@ -10983,7 +10998,7 @@ var CloudClient = class {
10983
10998
  buildError(response) {
10984
10999
  const hint = response.status === 401 || response.status === 403 ? "Check your API token (--api-token or CLEF_API_TOKEN)." : response.status === 404 ? "Check your cloud.integrationId in clef.yaml." : void 0;
10985
11000
  return new CloudApiError(
10986
- `Clef Pro API returned ${response.status} ${response.statusText}`,
11001
+ `Clef Cloud API returned ${response.status} ${response.statusText}`,
10987
11002
  response.status,
10988
11003
  hint
10989
11004
  );
@@ -11504,9 +11519,41 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
11504
11519
  }
11505
11520
 
11506
11521
  // src/artifact/packer.ts
11522
+ var crypto4 = __toESM(require("crypto"));
11523
+
11524
+ // src/artifact/output.ts
11507
11525
  var fs16 = __toESM(require("fs"));
11508
11526
  var path19 = __toESM(require("path"));
11509
- var crypto4 = __toESM(require("crypto"));
11527
+ var FilePackOutput = class {
11528
+ constructor(outputPath) {
11529
+ this.outputPath = outputPath;
11530
+ }
11531
+ async write(_artifact, json) {
11532
+ const outputDir = path19.dirname(this.outputPath);
11533
+ if (!fs16.existsSync(outputDir)) {
11534
+ fs16.mkdirSync(outputDir, { recursive: true });
11535
+ }
11536
+ const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
11537
+ fs16.writeFileSync(tmpOutput, json, "utf-8");
11538
+ fs16.renameSync(tmpOutput, this.outputPath);
11539
+ }
11540
+ };
11541
+ var MemoryPackOutput = class {
11542
+ _artifact = null;
11543
+ _json = null;
11544
+ async write(artifact, json) {
11545
+ this._artifact = artifact;
11546
+ this._json = json;
11547
+ }
11548
+ /** The packed artifact, or null if `write` hasn't been called. */
11549
+ get artifact() {
11550
+ return this._artifact;
11551
+ }
11552
+ /** The serialized JSON, or null if `write` hasn't been called. */
11553
+ get json() {
11554
+ return this._json;
11555
+ }
11556
+ };
11510
11557
 
11511
11558
  // src/artifact/signer.ts
11512
11559
  var crypto3 = __toESM(require("crypto"));
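Review bot: `FilePackOutput.write` stages the artifact at the predictable path `${this.outputPath}.tmp.${process.pid}` with a plain `writeFileSync`, which writes through whatever already exists at that name (a leftover file, or a symlink in an output directory other users can write to), and it leaves the staged file behind if `renameSync` throws. Opening the staging file exclusively and removing it on failure closes both gaps. The same sequence lived in `ArtifactPacker` before this change, so moving it into its own class is a good moment to tighten it.

```javascript
async write(_artifact, json) {
  // … unchanged: output directory creation …
  const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
  // "wx" fails instead of writing through an existing file or symlink.
  fs16.writeFileSync(tmpOutput, json, { encoding: "utf-8", flag: "wx" });
  try {
    fs16.renameSync(tmpOutput, this.outputPath);
  } catch (err) {
    // Do not leave the staged artifact behind when the rename fails.
    fs16.rmSync(tmpOutput, { force: true });
    throw err;
  }
}
```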
@@ -11677,10 +11724,6 @@ var ArtifactPacker = class {
11677
11724
  ciphertext
11678
11725
  };
11679
11726
  }
11680
- const outputDir = path19.dirname(config.outputPath);
11681
- if (!fs16.existsSync(outputDir)) {
11682
- fs16.mkdirSync(outputDir, { recursive: true });
11683
- }
11684
11727
  if (config.ttl && config.ttl > 0) {
11685
11728
  artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
11686
11729
  }
@@ -11697,11 +11740,10 @@ var ArtifactPacker = class {
11697
11740
  artifact.signatureAlgorithm = "ECDSA_SHA256";
11698
11741
  }
11699
11742
  const json = JSON.stringify(artifact, null, 2);
11700
- const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
11701
- fs16.writeFileSync(tmpOutput, json, "utf-8");
11702
- fs16.renameSync(tmpOutput, config.outputPath);
11743
+ const output = config.output ?? new FilePackOutput(config.outputPath ?? "artifact.json");
11744
+ await output.write(artifact, json);
11703
11745
  return {
11704
- outputPath: config.outputPath,
11746
+ outputPath: config.outputPath ?? "",
11705
11747
  namespaceCount: resolved.identity.namespaces.length,
11706
11748
  keyCount: Object.keys(resolved.values).length,
11707
11749
  artifactSize: Buffer.byteLength(json, "utf-8"),
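Review bot: When neither `config.output` nor `config.outputPath` is set, the artifact is written to `artifact.json` in the current working directory while the returned `outputPath` is `""`, so the caller is never told where the file went. For a secrets artifact a silent write into whatever directory the process runs from is easy to miss, and that directory may be a repository checkout. Either reject the call up front with `if (!config.output && !config.outputPath) throw new Error("pack: output or outputPath is required");` or resolve the path once and report it. The enclosing `pack` method starts and ends outside this hunk.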
@@ -11734,10 +11776,19 @@ function metadataMatchesTarget(meta, target) {
11734
11776
  return meta.recipients.includes(target.key);
11735
11777
  }
11736
11778
  var BackendMigrator = class {
11737
- constructor(encryption, matrixManager) {
11738
- this.encryption = encryption;
11779
+ /**
11780
+ * @param encryption - Backend used for both decrypt and encrypt (standard case).
11781
+ * @param matrixManager - Matrix resolver.
11782
+ * @param targetEncryption - Optional separate backend for encrypt. Use when migrating
11783
+ * from cloud (decrypt via keyservice) to another backend (encrypt via local credentials).
11784
+ */
11785
+ constructor(encryption, matrixManager, targetEncryption) {
11739
11786
  this.matrixManager = matrixManager;
11787
+ this.decryptBackend = encryption;
11788
+ this.encryptBackend = targetEncryption ?? encryption;
11740
11789
  }
11790
+ decryptBackend;
11791
+ encryptBackend;
11741
11792
  async migrate(manifest, repoRoot, options, onProgress) {
11742
11793
  const { target, environment, dryRun, skipVerify } = options;
11743
11794
  if (environment) {
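Review bot: The new JSDoc on the `BackendMigrator` constructor describes `targetEncryption` as a backend for encrypt only, but the verify step changed in the hunk at `@@ -11858,7 +11909,7 @@` calls `this.encryptBackend.decrypt(cell.filePath)`, so the target backend must be able to decrypt as well. I would extend the `@param targetEncryption` text with `Also used to decrypt each file during post-migration verification.` so that an implementer does not pass an encrypt-only backend. The `migrate` method continues outside this hunk.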
@@ -11760,7 +11811,7 @@ var BackendMigrator = class {
11760
11811
  const toMigrate = [];
11761
11812
  const skippedFiles = [];
11762
11813
  for (const cell of targetCells) {
11763
- const meta = await this.encryption.getMetadata(cell.filePath);
11814
+ const meta = await this.decryptBackend.getMetadata(cell.filePath);
11764
11815
  if (metadataMatchesTarget(meta, target)) {
11765
11816
  skippedFiles.push(cell.filePath);
11766
11817
  onProgress?.({
@@ -11822,8 +11873,8 @@ var BackendMigrator = class {
11822
11873
  file: cell.filePath,
11823
11874
  message: `Migrating ${cell.namespace}/${cell.environment}...`
11824
11875
  });
11825
- const decrypted = await this.encryption.decrypt(cell.filePath);
11826
- await this.encryption.encrypt(
11876
+ const decrypted = await this.decryptBackend.decrypt(cell.filePath);
11877
+ await this.encryptBackend.encrypt(
11827
11878
  cell.filePath,
11828
11879
  decrypted.values,
11829
11880
  updatedManifest,
@@ -11858,7 +11909,7 @@ var BackendMigrator = class {
11858
11909
  file: cell.filePath,
11859
11910
  message: `Verifying ${cell.namespace}/${cell.environment}...`
11860
11911
  });
11861
- await this.encryption.decrypt(cell.filePath);
11912
+ await this.encryptBackend.decrypt(cell.filePath);
11862
11913
  verifiedFiles.push(cell.filePath);
11863
11914
  } catch (err) {
11864
11915
  const errorMsg = err instanceof Error ? err.message : String(err);
@@ -11894,6 +11945,18 @@ var BackendMigrator = class {
11894
11945
  sops[keyField] = target.key;
11895
11946
  }
11896
11947
  }
11948
+ if (doc.cloud && target.backend !== "cloud") {
11949
+ const sops = doc.sops;
11950
+ const environments = doc.environments;
11951
+ const defaultIsCloud = sops.default_backend === "cloud";
11952
+ const anyEnvIsCloud = environments.some((e) => {
11953
+ const envSops = e.sops;
11954
+ return envSops?.backend === "cloud";
11955
+ });
11956
+ if (!defaultIsCloud && !anyEnvIsCloud) {
11957
+ delete doc.cloud;
11958
+ }
11959
+ }
11897
11960
  }
11898
11961
  rollback(manifestPath, manifestBackup, fileBackups) {
11899
11962
  for (const [filePath, backup] of fileBackups) {
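Review bot: The added cleanup reads `sops.default_backend` and calls `environments.some(...)` without checking that `doc.sops` is an object and `doc.environments` is an array, so a manifest lacking either would throw here. The manifest may be validated before this point, but that is outside the hunk and cannot be confirmed from it. The guarded form is small: `const environments = Array.isArray(doc.environments) ? doc.environments : [];`, `const defaultIsCloud = doc.sops?.default_backend === "cloud";` and `e?.sops?.backend === "cloud"` inside the callback. A one-line comment above `delete doc.cloud`, for example `// no environment uses the cloud backend any more, so drop the now-unused cloud block`, would record why the block is removed.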
@@ -12074,11 +12137,10 @@ function readCloudCredentials() {
12074
12137
  }
12075
12138
  if (!raw || typeof raw !== "object") return null;
12076
12139
  const obj = raw;
12077
- if (typeof obj.token !== "string" || obj.token.length === 0) return null;
12078
- return {
12079
- token: obj.token,
12080
- endpoint: typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT
12081
- };
12140
+ const token = typeof obj.token === "string" && obj.token.length > 0 ? obj.token : "";
12141
+ const endpoint = typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;
12142
+ if (!token && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;
12143
+ return { token, endpoint };
12082
12144
  }
12083
12145
  function writeCloudCredentials(credentials) {
12084
12146
  const clefDir = path23.join(os2.homedir(), ".clef");
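Review bot: `readCloudCredentials` can now return `{ token: "", endpoint }` when the file holds only a custom endpoint, whereas before a non-null result always carried a usable token. Callers are outside this hunk, but any that treats non-null as "logged in" would go on to send an `Authorization: Bearer ` header with an empty value. Document the new contract on the function, for example `/** token may be "" when only a custom endpoint is stored; check it before authenticating. */`. The stored `endpoint` is accepted as any string; if it is the host that later receives the bearer token, checking that it parses as an `https:` URL would be a cheap safeguard.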
@@ -12094,21 +12156,30 @@ function writeCloudCredentials(credentials) {
12094
12156
  // src/cloud/device-flow.ts
12095
12157
  async function initiateDeviceFlow(endpoint, options) {
12096
12158
  const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
12159
+ const payload = {
12160
+ clientType: "cli",
12161
+ clientVersion: options.clientVersion,
12162
+ repoName: options.repoName,
12163
+ flow: options.flow
12164
+ };
12165
+ if (options.environment) {
12166
+ payload.environment = options.environment;
12167
+ }
12097
12168
  const res = await fetch(`${base}/api/v1/device/init`, {
12098
12169
  method: "POST",
12099
12170
  headers: { "Content-Type": "application/json" },
12100
- body: JSON.stringify({
12101
- clientType: "cli",
12102
- clientVersion: options.clientVersion,
12103
- repoName: options.repoName,
12104
- environment: options.environment
12105
- })
12171
+ body: JSON.stringify(payload)
12106
12172
  });
12107
12173
  if (!res.ok) {
12108
12174
  const body = await res.text().catch(() => "");
12109
12175
  throw new Error(`Device flow init failed (${res.status}): ${body}`);
12110
12176
  }
12111
- return await res.json();
12177
+ const json = await res.json();
12178
+ const session = json.data ?? json;
12179
+ if (session.pollUrl && !session.pollUrl.startsWith("http")) {
12180
+ session.pollUrl = `${base}${session.pollUrl}`;
12181
+ }
12182
+ return session;
12112
12183
  }
12113
12184
  async function pollDeviceFlow(pollUrl) {
12114
12185
  const res = await fetch(pollUrl);
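Review bot: In `initiateDeviceFlow` the server-supplied `session.pollUrl` is kept as-is whenever it starts with `"http"`, so an absolute URL on a different origin, or a plain `http://` one, is later fetched by `pollDeviceFlow`, whose response presumably carries the issued credentials. The prefix test also misreads a relative path that merely begins with `http`, and `startsWith` throws if the field is not a string. I would resolve the value and require it to stay on the origin of `base`, as sketched below. If a separate poll host is intended, an explicit allow-list is the safer alternative.

```javascript
const session = json.data ?? json;
if (typeof session.pollUrl === "string" && session.pollUrl.length > 0) {
  // relative paths are joined to the endpoint as before; absolute URLs must stay on its origin
  const isAbsolute = /^https?:\/\//i.test(session.pollUrl);
  const resolved = new URL(isAbsolute ? session.pollUrl : `${base}${session.pollUrl}`);
  if (resolved.origin !== new URL(base).origin) {
    throw new Error("Device flow init returned a pollUrl outside the configured endpoint");
  }
  session.pollUrl = resolved.href;
}
// … unchanged: return session …
```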
@@ -12116,7 +12187,8 @@ async function pollDeviceFlow(pollUrl) {
12116
12187
  const body = await res.text().catch(() => "");
12117
12188
  throw new Error(`Device flow poll failed (${res.status}): ${body}`);
12118
12189
  }
12119
- return await res.json();
12190
+ const json = await res.json();
12191
+ return json.data ?? json;
12120
12192
  }
12121
12193
 
12122
12194
  // src/cloud/pack-client.ts
@@ -12163,7 +12235,6 @@ var CloudArtifactClient = class {
12163
12235
  this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
12164
12236
  }
12165
12237
  async upload(token, config) {
12166
- const content = fs21.readFileSync(config.artifactPath, "utf-8");
12167
12238
  const res = await fetch(
12168
12239
  `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,
12169
12240
  {
@@ -12172,7 +12243,7 @@ var CloudArtifactClient = class {
12172
12243
  Authorization: `Bearer ${token}`,
12173
12244
  "Content-Type": "application/json"
12174
12245
  },
12175
- body: content
12246
+ body: config.artifactJson
12176
12247
  }
12177
12248
  );
12178
12249
  if (!res.ok) {
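Review bot: `body: config.artifactJson` is sent without checking that it is a non-empty string, so a caller still passing the old `artifactPath` field would issue the request with no body instead of failing locally. A guard before the `fetch`, such as `if (typeof config.artifactJson !== "string" || config.artifactJson.length === 0) throw new Error("upload: artifactJson is required");`, keeps the failure at the call site. In the preceding hunk's context lines, `config.identity` and `config.environment` are interpolated into the URL path unencoded, and wrapping each in `encodeURIComponent` would fit the same change. The `upload` method starts and ends outside this hunk.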
@@ -12197,6 +12268,7 @@ var CloudArtifactClient = class {
12197
12268
  ConsumptionClient,
12198
12269
  DiffEngine,
12199
12270
  DriftDetector,
12271
+ FilePackOutput,
12200
12272
  GitIntegration,
12201
12273
  GitOperationError,
12202
12274
  ImportRunner,
@@ -12204,6 +12276,7 @@ var CloudArtifactClient = class {
12204
12276
  ManifestParser,
12205
12277
  ManifestValidationError,
12206
12278
  MatrixManager,
12279
+ MemoryPackOutput,
12207
12280
  PartialRotationError,
12208
12281
  REQUESTS_FILENAME,
12209
12282
  REQUIREMENTS,