@clef-sh/core 0.1.11-beta.74 → 0.1.12-beta.85

package/dist/index.mjs

@@ -535,6 +535,12 @@ var ManifestParser = class {
           );
         }
         const siName = siObj.name;
+        if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(siName)) {
+          throw new ManifestValidationError(
+            `Service identity '${siName}' has an invalid name. Names must be lowercase alphanumeric with hyphens, must not start or end with a hyphen, and max 63 characters (e.g. 'api-gateway', 'auth-service').`,
+            "service_identities"
+          );
+        }
         if (siObj.description != null && typeof siObj.description !== "string") {
           throw new ManifestValidationError(
             `Service identity '${siName}' has a non-string 'description'.`,
@@ -686,7 +692,7 @@ var ManifestParser = class {
           "cloud"
         );
       }
-      if (!/^clef:[a-z0-9_]+\/[a-z0-9_-]+$/.test(cloudObj.keyId)) {
+      if (!/^clef:[a-zA-Z0-9_]+\/[a-zA-Z0-9_-]+$/.test(cloudObj.keyId)) {
         throw new ManifestValidationError(
           `Field 'cloud.keyId' has invalid format '${cloudObj.keyId}'. Must match: clef:<integrationId>/<keyAlias>`,
           "cloud"
@@ -2098,6 +2104,13 @@ function openWindowsInputPipe(content) {
     });
   });
 }
+function cloudKeyToArn(keyId) {
+  const body = keyId.replace(/^clef:/, "");
+  const sep = body.indexOf("/");
+  const integration = sep >= 0 ? body.slice(0, sep) : body;
+  const env = sep >= 0 ? body.slice(sep + 1) : "default";
+  return `arn:aws:kms:us-east-1:000000000000:alias/clef/${integration}/${env}`;
+}
 var SopsClient = class {
   /**
    * @param runner - Subprocess runner used to invoke the `sops` binary.
@@ -2143,7 +2156,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      [...this.keyserviceArgs, "decrypt", "--output-type", fmt, filePath],
+      ["decrypt", ...this.keyserviceArgs, "--output-type", fmt, filePath],
       {
         ...env ? { env } : {}
       }
@@ -2209,8 +2222,8 @@ var SopsClient = class {
         [
           "--config",
           configPath,
-          ...this.keyserviceArgs,
           "encrypt",
+          ...this.keyserviceArgs,
           ...args,
           "--input-type",
           fmt,
@@ -2264,7 +2277,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      [...this.keyserviceArgs, "rotate", "-i", "--add-age", key, filePath],
+      ["rotate", ...this.keyserviceArgs, "-i", "--add-age", key, filePath],
       {
         ...env ? { env } : {}
       }
@@ -2288,7 +2301,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      [...this.keyserviceArgs, "rotate", "-i", "--rm-age", key, filePath],
+      ["rotate", ...this.keyserviceArgs, "-i", "--rm-age", key, filePath],
       {
         ...env ? { env } : {}
       }
@@ -2402,7 +2415,7 @@ var SopsClient = class {
     if (sops.age && Array.isArray(sops.age) && sops.age.length > 0) return "age";
     if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) {
       const firstArn = sops.kms[0]?.arn;
-      if (typeof firstArn === "string" && firstArn.startsWith("clef:")) {
+      if (typeof firstArn === "string" && (firstArn.startsWith("clef:") || firstArn.includes("alias/clef/"))) {
         return "cloud";
       }
       return "awskms";
@@ -2485,7 +2498,7 @@ var SopsClient = class {
       case "cloud": {
         const cloudKeyId = manifest.cloud?.keyId;
         if (cloudKeyId) {
-          args.push("--kms", cloudKeyId);
+          args.push("--kms", cloudKeyToArn(cloudKeyId));
         }
         break;
       }
@@ -3952,7 +3965,7 @@ var CloudClient = class {
         response = await fetch(url, init);
       } catch (retryErr) {
         throw new CloudApiError(
-          `Network error contacting Clef Pro: ${retryErr.message}`,
+          `Network error contacting Clef Cloud: ${retryErr.message}`,
           0,
           "Check your network connection and CLEF_API_URL."
         );
@@ -3974,7 +3987,7 @@ var CloudClient = class {
   buildError(response) {
     const hint = response.status === 401 || response.status === 403 ? "Check your API token (--api-token or CLEF_API_TOKEN)." : response.status === 404 ? "Check your cloud.integrationId in clef.yaml." : void 0;
     return new CloudApiError(
-      `Clef Pro API returned ${response.status} ${response.statusText}`,
+      `Clef Cloud API returned ${response.status} ${response.statusText}`,
       response.status,
       hint
     );
@@ -4495,9 +4508,41 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 }
 
 // src/artifact/packer.ts
+import * as crypto3 from "crypto";
+
+// src/artifact/output.ts
 import * as fs16 from "fs";
 import * as path19 from "path";
-import * as crypto3 from "crypto";
+var FilePackOutput = class {
+  constructor(outputPath) {
+    this.outputPath = outputPath;
+  }
+  async write(_artifact, json) {
+    const outputDir = path19.dirname(this.outputPath);
+    if (!fs16.existsSync(outputDir)) {
+      fs16.mkdirSync(outputDir, { recursive: true });
+    }
+    const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
+    fs16.writeFileSync(tmpOutput, json, "utf-8");
+    fs16.renameSync(tmpOutput, this.outputPath);
+  }
+};
+var MemoryPackOutput = class {
+  _artifact = null;
+  _json = null;
+  async write(artifact, json) {
+    this._artifact = artifact;
+    this._json = json;
+  }
+  /** The packed artifact, or null if `write` hasn't been called. */
+  get artifact() {
+    return this._artifact;
+  }
+  /** The serialized JSON, or null if `write` hasn't been called. */
+  get json() {
+    return this._json;
+  }
+};
 
 // src/artifact/signer.ts
 import * as crypto2 from "crypto";
@@ -4668,10 +4713,6 @@ var ArtifactPacker = class {
         ciphertext
       };
     }
-    const outputDir = path19.dirname(config.outputPath);
-    if (!fs16.existsSync(outputDir)) {
-      fs16.mkdirSync(outputDir, { recursive: true });
-    }
     if (config.ttl && config.ttl > 0) {
       artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
     }
@@ -4688,11 +4729,10 @@ var ArtifactPacker = class {
       artifact.signatureAlgorithm = "ECDSA_SHA256";
     }
     const json = JSON.stringify(artifact, null, 2);
-    const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
-    fs16.writeFileSync(tmpOutput, json, "utf-8");
-    fs16.renameSync(tmpOutput, config.outputPath);
+    const output = config.output ?? new FilePackOutput(config.outputPath ?? "artifact.json");
+    await output.write(artifact, json);
     return {
-      outputPath: config.outputPath,
+      outputPath: config.outputPath ?? "",
       namespaceCount: resolved.identity.namespaces.length,
       keyCount: Object.keys(resolved.values).length,
       artifactSize: Buffer.byteLength(json, "utf-8"),
@@ -4725,10 +4765,19 @@ function metadataMatchesTarget(meta, target) {
   return meta.recipients.includes(target.key);
 }
 var BackendMigrator = class {
-  constructor(encryption, matrixManager) {
-    this.encryption = encryption;
+  /**
+   * @param encryption - Backend used for both decrypt and encrypt (standard case).
+   * @param matrixManager - Matrix resolver.
+   * @param targetEncryption - Optional separate backend for encrypt. Use when migrating
+   *   from cloud (decrypt via keyservice) to another backend (encrypt via local credentials).
+   */
+  constructor(encryption, matrixManager, targetEncryption) {
     this.matrixManager = matrixManager;
+    this.decryptBackend = encryption;
+    this.encryptBackend = targetEncryption ?? encryption;
   }
+  decryptBackend;
+  encryptBackend;
   async migrate(manifest, repoRoot, options, onProgress) {
     const { target, environment, dryRun, skipVerify } = options;
     if (environment) {
@@ -4751,7 +4800,7 @@ var BackendMigrator = class {
     const toMigrate = [];
     const skippedFiles = [];
     for (const cell of targetCells) {
-      const meta = await this.encryption.getMetadata(cell.filePath);
+      const meta = await this.decryptBackend.getMetadata(cell.filePath);
       if (metadataMatchesTarget(meta, target)) {
         skippedFiles.push(cell.filePath);
         onProgress?.({
@@ -4813,8 +4862,8 @@ var BackendMigrator = class {
           file: cell.filePath,
           message: `Migrating ${cell.namespace}/${cell.environment}...`
         });
-        const decrypted = await this.encryption.decrypt(cell.filePath);
-        await this.encryption.encrypt(
+        const decrypted = await this.decryptBackend.decrypt(cell.filePath);
+        await this.encryptBackend.encrypt(
           cell.filePath,
           decrypted.values,
           updatedManifest,
@@ -4849,7 +4898,7 @@ var BackendMigrator = class {
             file: cell.filePath,
             message: `Verifying ${cell.namespace}/${cell.environment}...`
           });
-          await this.encryption.decrypt(cell.filePath);
+          await this.encryptBackend.decrypt(cell.filePath);
           verifiedFiles.push(cell.filePath);
         } catch (err) {
           const errorMsg = err instanceof Error ? err.message : String(err);
@@ -4885,6 +4934,18 @@ var BackendMigrator = class {
         sops[keyField] = target.key;
       }
     }
+    if (doc.cloud && target.backend !== "cloud") {
+      const sops = doc.sops;
+      const environments = doc.environments;
+      const defaultIsCloud = sops.default_backend === "cloud";
+      const anyEnvIsCloud = environments.some((e) => {
+        const envSops = e.sops;
+        return envSops?.backend === "cloud";
+      });
+      if (!defaultIsCloud && !anyEnvIsCloud) {
+        delete doc.cloud;
+      }
+    }
   }
   rollback(manifestPath, manifestBackup, fileBackups) {
     for (const [filePath, backup] of fileBackups) {
@@ -5065,11 +5126,10 @@ function readCloudCredentials() {
   }
   if (!raw || typeof raw !== "object") return null;
   const obj = raw;
-  if (typeof obj.token !== "string" || obj.token.length === 0) return null;
-  return {
-    token: obj.token,
-    endpoint: typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT
-  };
+  const token = typeof obj.token === "string" && obj.token.length > 0 ? obj.token : "";
+  const endpoint = typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;
+  if (!token && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;
+  return { token, endpoint };
 }
 function writeCloudCredentials(credentials) {
   const clefDir = path23.join(os2.homedir(), ".clef");
@@ -5085,21 +5145,30 @@ function writeCloudCredentials(credentials) {
 // src/cloud/device-flow.ts
 async function initiateDeviceFlow(endpoint, options) {
   const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  const payload = {
+    clientType: "cli",
+    clientVersion: options.clientVersion,
+    repoName: options.repoName,
+    flow: options.flow
+  };
+  if (options.environment) {
+    payload.environment = options.environment;
+  }
   const res = await fetch(`${base}/api/v1/device/init`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      clientType: "cli",
-      clientVersion: options.clientVersion,
-      repoName: options.repoName,
-      environment: options.environment
-    })
+    body: JSON.stringify(payload)
   });
   if (!res.ok) {
     const body = await res.text().catch(() => "");
     throw new Error(`Device flow init failed (${res.status}): ${body}`);
   }
-  return await res.json();
+  const json = await res.json();
+  const session = json.data ?? json;
+  if (session.pollUrl && !session.pollUrl.startsWith("http")) {
+    session.pollUrl = `${base}${session.pollUrl}`;
+  }
+  return session;
 }
 async function pollDeviceFlow(pollUrl) {
   const res = await fetch(pollUrl);
@@ -5107,7 +5176,8 @@ async function pollDeviceFlow(pollUrl) {
     const body = await res.text().catch(() => "");
     throw new Error(`Device flow poll failed (${res.status}): ${body}`);
   }
-  return await res.json();
+  const json = await res.json();
+  return json.data ?? json;
 }
 
 // src/cloud/pack-client.ts
@@ -5154,7 +5224,6 @@ var CloudArtifactClient = class {
     this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
   }
   async upload(token, config) {
-    const content = fs21.readFileSync(config.artifactPath, "utf-8");
     const res = await fetch(
       `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,
       {
@@ -5163,7 +5232,7 @@ var CloudArtifactClient = class {
           Authorization: `Bearer ${token}`,
           "Content-Type": "application/json"
         },
-        body: content
+        body: config.artifactJson
       }
     );
     if (!res.ok) {
@@ -5187,6 +5256,7 @@ export {
   ConsumptionClient,
   DiffEngine,
   DriftDetector,
+  FilePackOutput,
   GitIntegration,
   GitOperationError,
   ImportRunner,
@@ -5194,6 +5264,7 @@ export {
   ManifestParser,
   ManifestValidationError,
   MatrixManager,
+  MemoryPackOutput,
   PartialRotationError,
   REQUESTS_FILENAME,
   REQUIREMENTS,