@clef-sh/core 0.1.14 → 0.1.15-beta.108

package/dist/kms/types.d.ts

@@ -1,4 +1,4 @@
-export type KmsProviderType = "aws" | "gcp" | "azure" | "cloud";
+export type KmsProviderType = "aws" | "gcp" | "azure";
 export declare const VALID_KMS_PROVIDERS: readonly KmsProviderType[];
 export interface KmsWrapResult {
     wrappedKey: Buffer;

package/dist/kms/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/kms/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,CAAC;AAEhE,eAAO,MAAM,mBAAmB,EAAE,SAAS,eAAe,EAKhD,CAAC;AAEX,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,kFAAkF;IAClF,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/kms/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;AAEtD,eAAO,MAAM,mBAAmB,EAAE,SAAS,eAAe,EAAqC,CAAC;AAEhG,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,kFAAkF;IAClF,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD"}

package/dist/lint/runner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/lint/runner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EAEZ,UAAU,EAGX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAG7C;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAFV,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe,EAChC,UAAU,EAAE,iBAAiB;IAGhD;;;;;;OAMG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IA6NxE;;OAEG;YACW,qBAAqB;IA+EnC;;;;;OAKG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAWzE"}
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/lint/runner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EAEZ,UAAU,EAGX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAG7C;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAFV,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe,EAChC,UAAU,EAAE,iBAAiB;IAGhD;;;;;;OAMG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IA6NxE;;OAEG;YACW,qBAAqB;IAiFnC;;;;;OAKG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAWzE"}

package/dist/manifest/io.d.ts

@@ -1,3 +1,19 @@
 export declare function readManifestYaml(repoRoot: string): Record<string, unknown>;
+/**
+ * Write the manifest atomically via write-file-atomic.
+ *
+ * Uses temp-file-then-rename in the same directory as the manifest, so the
+ * rename is atomic on POSIX (cross-filesystem renames degrade to copy+delete
+ * and are not atomic). Another reader sees either the old contents or the new
+ * contents — never a half-written file. If the process dies mid-write, the
+ * temp file is cleaned up by write-file-atomic's signal-exit handler. Handles
+ * Windows EPERM retries internally.
+ */
 export declare function writeManifestYaml(repoRoot: string, doc: Record<string, unknown>): void;
+/**
+ * Write a raw manifest string atomically. Used for rollback paths that need
+ * to restore an exact byte-for-byte snapshot of the original file (avoiding
+ * any YAML parse → stringify round-trip that could change formatting).
+ */
+export declare function writeManifestYamlRaw(repoRoot: string, contents: string): void;
 //# sourceMappingURL=io.d.ts.map

package/dist/manifest/io.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"io.d.ts","sourceRoot":"","sources":["../../src/manifest/io.ts"],"names":[],"mappings":"AAKA,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAG1E;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAEtF"}
+{"version":3,"file":"io.d.ts","sourceRoot":"","sources":["../../src/manifest/io.ts"],"names":[],"mappings":"AAMA,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAG1E;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAGtF;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7E"}

package/dist/manifest/parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/manifest/parser.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,YAAY,EAMb,MAAM,UAAU,CAAC;AAGlB;;;GAGG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAC;AAgBlD;;;;;;;;GAQG;AACH,qBAAa,cAAc;IACzB;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAsBrC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY;IA0lBtC;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,GAAG,MAAM,IAAI;CAchF"}
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/manifest/parser.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,YAAY,EAKb,MAAM,UAAU,CAAC;AAGlB;;;GAGG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAC;AAelD;;;;;;;;GAQG;AACH,qBAAa,cAAc;IACzB;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAsBrC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY;IA+iBtC;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,GAAG,MAAM,IAAI;CAchF"}

package/dist/migration/backend.d.ts

@@ -1,5 +1,6 @@
-import { BackendType, ClefManifest, EncryptionBackend } from "../types";
+import { BackendType, ClefManifest, EncryptionBackend, EnvironmentSopsOverride } from "../types";
 import { MatrixManager } from "../matrix/manager";
+import { TransactionManager } from "../tx";
 export interface MigrationTarget {
     backend: BackendType;
     /** Key identifier: ARN, resource ID, URL, or fingerprint. Undefined for age. */
@@ -27,20 +28,36 @@ export interface MigrationProgressEvent {
     file?: string;
     message: string;
 }
+/**
+ * Maps a SOPS backend to the manifest field that holds its key identifier.
+ * `undefined` for backends that don't take a key (age).
+ *
+ * Exported so other backend-aware commands (clef reset, etc.) can
+ * honour the same field layout without duplicating the mapping.
+ */
+export declare const BACKEND_KEY_FIELDS: Record<BackendType, keyof EnvironmentSopsOverride | undefined>;
+/**
+ * Build a per-environment SOPS override block.
+ * Shared by BackendMigrator and ResetManager so the key-field mapping
+ * lives in one place.
+ */
+export declare function buildSopsOverride(backend: BackendType, key: string | undefined): EnvironmentSopsOverride;
 export declare class BackendMigrator {
     private readonly matrixManager;
+    private readonly tx;
     private readonly decryptBackend;
     private readonly encryptBackend;
     /**
      * @param encryption - Backend used for both decrypt and encrypt (standard case).
      * @param matrixManager - Matrix resolver.
+     * @param tx - Transaction manager that wraps the migration in a single git commit
+     *   so a partial failure rolls back ALL files + the manifest via `git reset --hard`.
      * @param targetEncryption - Optional separate backend for encrypt. Use when migrating
      *   from cloud (decrypt via keyservice) to another backend (encrypt via local credentials).
      */
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, targetEncryption?: EncryptionBackend);
+    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager, targetEncryption?: EncryptionBackend);
     migrate(manifest: ClefManifest, repoRoot: string, options: MigrationOptions, onProgress?: (event: MigrationProgressEvent) => void): Promise<MigrationResult>;
     private updateManifestDoc;
-    private rollback;
     private checkAgeRecipientsWarning;
 }
 //# sourceMappingURL=backend.d.ts.map

package/dist/migration/backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EAIlB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIlD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAyBD,qBAAa,eAAe;IAYxB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAXhC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;OAKG;gBAED,UAAU,EAAE,iBAAiB,EACZ,aAAa,EAAE,aAAa,EAC7C,gBAAgB,CAAC,EAAE,iBAAiB;IAMhC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IA8K3B,OAAO,CAAC,iBAAiB;IAiDzB,OAAO,CAAC,QAAQ;IAahB,OAAO,CAAC,yBAAyB;CAmBlC"}
+{"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAM7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAcxB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;OAOG;gBAED,UAAU,EAAE,iBAAiB,EACZ,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB,EACvC,gBAAgB,CAAC,EAAE,iBAAiB;IAMhC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IAoL3B,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}

package/dist/recipients/index.d.ts

@@ -1,5 +1,6 @@
 import { ClefManifest, EncryptionBackend } from "../types";
 import { MatrixManager } from "../matrix/manager";
+import { TransactionManager } from "../tx";
 export interface Recipient {
     key: string;
     preview: string;
@@ -14,19 +15,23 @@ export interface RecipientsResult {
     warnings: string[];
 }
 /**
- * Manages age recipient keys in the manifest and re-encrypts matrix files on add/remove.
- * All add/remove operations are transactional — a failure triggers a full rollback.
+ * Manages age recipient keys in the manifest and re-encrypts matrix files on
+ * add/remove. Both `add` and `remove` run inside a single TransactionManager
+ * commit — any failure rolls back ALL re-encrypted files plus the manifest
+ * via `git reset --hard` rather than the previous in-method rollback dance.
  *
  * @example
  * ```ts
- * const manager = new RecipientManager(runner, matrixManager);
+ * const tx = new TransactionManager(new GitIntegration(runner));
+ * const manager = new RecipientManager(sopsClient, matrixManager, tx);
  * const result = await manager.add("age1...", "Alice", manifest, repoRoot);
  * ```
  */
 export declare class RecipientManager {
     private readonly encryption;
     private readonly matrixManager;
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager);
+    private readonly tx;
+    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager);
     /**
      * List all age recipients declared in the manifest.
      *

package/dist/recipients/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipients/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAKlD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAsFD;;;;;;;;;GASG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBADb,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa;IAG/C;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAchG;;;;;;;;;;OAUG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IAsG5B;;;;;;;;;;OAUG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;CAqG7B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipients/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAsFD;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAchG;;;;;;;;;;OAUG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IA0E5B;;;;;;;;;;OAUG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;CAiE7B"}

package/dist/reset/manager.d.ts

@@ -0,0 +1,118 @@
+import { BackendType, ClefManifest, EncryptionBackend } from "../types";
+import { MatrixManager } from "../matrix/manager";
+import { SchemaValidator } from "../schema/validator";
+import { TransactionManager } from "../tx";
+/**
+ * Target scope for a reset operation. The CLI command refuses a naked
+ * `clef reset` with no scope — the user must name what they're destroying.
+ */
+export type ResetScope = {
+    kind: "env";
+    name: string;
+} | {
+    kind: "namespace";
+    name: string;
+} | {
+    kind: "cell";
+    namespace: string;
+    environment: string;
+};
+export interface ResetOptions {
+    scope: ResetScope;
+    /**
+     * If provided, switch the affected environments to this backend as part
+     * of the reset. Written as a per-env SOPS override so other environments
+     * are unaffected. When omitted, reset uses whatever backend the manifest
+     * currently specifies.
+     */
+    backend?: BackendType;
+    /**
+     * Key identifier for KMS backends (ARN, resource ID, URL, fingerprint).
+     * Required when `backend` is `awskms`, `gcpkms`, `azurekv`, or `pgp`.
+     */
+    key?: string;
+    /**
+     * Explicit key names to scaffold as pending random placeholders. Used
+     * when the affected namespace has no schema. Ignored when a schema is
+     * present — the schema's keys are authoritative.
+     */
+    keys?: string[];
+}
+export interface ResetResult {
+    scaffoldedCells: string[];
+    pendingKeysByCell: Record<string, string[]>;
+    backendChanged: boolean;
+    affectedEnvironments: string[];
+}
+/**
+ * Destructive recovery command. Abandons the current encrypted contents of
+ * matrix cells in a target scope and scaffolds fresh empty/placeholder cells
+ * using the current manifest backend (or a new one supplied via options).
+ *
+ * Critical property: this command does NOT attempt to decrypt anything. It
+ * exists precisely for the case where decryption is impossible (lost age
+ * key, nuked KMS key, deleted cloud env). The scaffold path only needs
+ * encrypt access to whatever backend the manifest resolves for each env —
+ * which can be freshly provided via `options.backend` + `options.key` as
+ * part of the same transaction.
+ *
+ * Placeholder strategy:
+ *   - If the affected namespace has a schema, every schema key is scaffolded
+ *     with a random value and marked pending. User runs `clef set` to refill.
+ *   - If no schema and `options.keys` is provided, that key list is used.
+ *   - Otherwise an empty cell (`{}`) is scaffolded.
+ *
+ * Transaction: the manifest update (when switching backends) and every
+ * cell re-scaffold run inside one TransactionManager commit. Any failure
+ * rolls back the manifest AND the cell writes via `git reset --hard`.
+ */
+export declare class ResetManager {
+    private readonly matrixManager;
+    private readonly encryption;
+    private readonly schemaValidator;
+    private readonly tx;
+    constructor(matrixManager: MatrixManager, encryption: EncryptionBackend, schemaValidator: SchemaValidator, tx: TransactionManager);
+    reset(opts: ResetOptions, manifest: ClefManifest, repoRoot: string): Promise<ResetResult>;
+    /**
+     * Resolve the scope into an explicit list of cells. Assumes the scope has
+     * already been validated by `validateResetScope`. Unlike most other
+     * commands, reset includes cells whether or not the file currently exists
+     * on disk — "reset a namespace" also re-scaffolds any missing cells under
+     * it, which is the natural interpretation of "reset everything in this
+     * scope."
+     */
+    private resolveCells;
+    /**
+     * Build the placeholder values for a new cell from a pre-resolved key list.
+     * The list is computed once per namespace by `resolveKeyPlan` so schema
+     * files aren't re-read for every cell in a namespace-spanning reset.
+     */
+    private buildPlaceholders;
+    /**
+     * Decide the scaffold key list for each affected namespace exactly once.
+     *
+     * - Namespace has a schema → every schema key (schema errors propagate;
+     *   a corrupt schema is a configuration problem, not a silent fallback).
+     * - No schema and `--keys` provided → that list.
+     * - Otherwise → empty, user fills via `clef set`.
+     */
+    private resolveKeyPlan;
+}
+/** Human-readable description of a reset scope for commit messages and errors. */
+export declare function describeScope(scope: ResetScope): string;
+/**
+ * Validate a reset scope against the manifest. Exported so the CLI can
+ * reject a bad scope *before* prompting for destructive confirmation —
+ * otherwise the user is asked to confirm destroying something, types "y",
+ * and only then finds out the name was wrong. The ResetManager re-uses
+ * this as the authoritative check at the top of `reset()`.
+ */
+export declare function validateResetScope(scope: ResetScope, manifest: {
+    environments: {
+        name: string;
+    }[];
+    namespaces: {
+        name: string;
+    }[];
+}): void;
+//# sourceMappingURL=manager.d.ts.map

package/dist/reset/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/reset/manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAc,MAAM,UAAU,CAAC;AACpF,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAItD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAG3C;;;GAGG;AACH,MAAM,MAAM,UAAU,GAClB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7D,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,CAAC;IAClB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAHF,aAAa,EAAE,aAAa,EAC5B,UAAU,EAAE,iBAAiB,EAC7B,eAAe,EAAE,eAAe,EAChC,EAAE,EAAE,kBAAkB;IAGnC,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAwF/F;;;;;;;OAOG;IACH,OAAO,CAAC,YAAY;IAcpB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAQzB;;;;;;;OAOG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAED,kFAAkF;AAClF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CASvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE;IAAE,YAAY,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAAC,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,GAC7E,IAAI,CA2BN"}

package/dist/service-identity/manager.d.ts

@@ -1,26 +1,31 @@
 import { ClefManifest, EncryptionBackend, KmsConfig, ServiceIdentityDefinition, ServiceIdentityDriftIssue } from "../types";
 import { MatrixManager } from "../matrix/manager";
-/**
- * Thrown when key rotation partially completes before a failure.
- * Contains the private keys for environments that were successfully rotated.
- */
-export declare class PartialRotationError extends Error {
-    readonly rotatedKeys: Record<string, string>;
-    constructor(message: string, rotatedKeys: Record<string, string>);
-}
+import { TransactionManager } from "../tx";
 /**
  * Manages service identities: creation, listing, key rotation, and drift validation.
  *
+ * Mutating methods (create, delete, addNamespacesToScope, etc.) wrap their
+ * work in a TransactionManager so a failure rolls back ALL of the cell-file
+ * + manifest writes via `git reset --hard` rather than leaving the matrix in
+ * a partial state.
+ *
  * @example
  * ```ts
- * const manager = new ServiceIdentityManager(sopsClient, matrixManager);
+ * const tx = new TransactionManager(new GitIntegration(runner));
+ * const manager = new ServiceIdentityManager(sopsClient, matrixManager, tx);
  * const result = await manager.create("api-gw", ["api"], "API gateway", manifest, repoRoot);
  * ```
  */
 export declare class ServiceIdentityManager {
     private readonly encryption;
     private readonly matrixManager;
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager);
+    private readonly tx;
+    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager);
+    /**
+     * Compute repo-relative paths for a set of cells plus the manifest. Used
+     * to seed TransactionManager.run's `paths` argument.
+     */
+    private txPaths;
     /**
      * Create a new service identity with per-environment age key pairs or KMS envelope config.
      * For age-only: generates keys, updates the manifest, and registers public keys as SOPS recipients.
@@ -59,9 +64,61 @@ export declare class ServiceIdentityManager {
      * Register a service identity's public keys as SOPS recipients on scoped matrix files.
      */
     registerRecipients(identity: ServiceIdentityDefinition, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * Expand a service identity's namespace scope. Registers the SI's existing
+     * per-env recipient on every matrix cell in the new namespace × env
+     * combinations. KMS-backed environments are skipped (no recipient to
+     * register).
+     *
+     * Idempotent: namespaces already in scope are silently skipped. Refuses if
+     * any requested namespace does not exist in the manifest.
+     */
+    addNamespacesToScope(name: string, namespacesToAdd: string[], manifest: ClefManifest, repoRoot: string): Promise<{
+        added: string[];
+        affectedFiles: string[];
+    }>;
+    /**
+     * Shrink a service identity's namespace scope. De-registers the SI's
+     * per-env recipient from every matrix cell in the removed namespace × env
+     * combinations. KMS-backed environments are skipped (no recipient to remove).
+     *
+     * Refuses if removing would leave the SI with zero namespaces — point the
+     * caller at `clef service delete` for that case. Refuses if any requested
+     * namespace is not currently in the SI's scope.
+     */
+    removeNamespacesFromScope(name: string, namespacesToRemove: string[], manifest: ClefManifest, repoRoot: string): Promise<{
+        removed: string[];
+        affectedFiles: string[];
+    }>;
+    /**
+     * Extend a service identity to cover an additional environment. Generates a
+     * fresh age key for the new env (or uses the supplied KMS config), registers
+     * the new recipient on every cell in the SI's scoped namespaces × this env,
+     * and adds the env entry to the SI's `environments{}` map in the manifest.
+     *
+     * Used as the explicit follow-up to `clef env add`. The env-add command
+     * deliberately doesn't cascade to existing SIs — `clef lint` reports the
+     * gap as a `missing_environment` issue and the user runs this method (via
+     * `clef service add-env <si> <env>`) once per SI to fill it in,
+     * choosing the backend deliberately at that moment.
+     *
+     * Refuses if the SI doesn't exist, the env doesn't exist in the manifest,
+     * or the env is already configured on the SI.
+     *
+     * @returns The new private key (for age) or `undefined` (for KMS), keyed
+     *   by env name. The caller is responsible for storing it securely.
+     */
+    addEnvironmentToScope(name: string, envName: string, manifest: ClefManifest, repoRoot: string, kmsConfig?: KmsConfig): Promise<{
+        privateKey: string | undefined;
+    }>;
     /**
      * Rotate the age key for a service identity (all envs or a specific env).
      * Returns the new private keys.
+     *
+     * The whole rotation runs inside a single transaction: any cell-write
+     * failure rolls back ALL recipient swaps and the manifest update via
+     * `git reset --hard` to the pre-rotation state. The previous in-method
+     * `PartialRotationError` rollback dance is no longer needed.
      */
     rotateKey(name: string, manifest: ClefManifest, repoRoot: string, environment?: string): Promise<Record<string, string>>;
     /**

package/dist/service-identity/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/service-identity/manager.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,yBAAyB,EACzB,yBAAyB,EAG1B,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,KAAK;aAG3B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;gBADnD,OAAO,EAAE,MAAM,EACC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAKtD;AAED;;;;;;;;GAQG;AACH,qBAAa,sBAAsB;IAE/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBADb,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa;IAG/C;;;;;;;;OAQG;IACG,MAAM,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GACxC,OAAO,CAAC;QACT,QAAQ,EAAE,yBAAyB,CAAC;QACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACrC,CAAC;IAwEF;;OAEG;IACH,IAAI,CAAC,QAAQ,EAAE,YAAY,GAAG,yBAAyB,EAAE;IAIzD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,yBAAyB,GAAG,SAAS;IAIhF;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA4CnF;;;;OAIG;IACG,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EACxC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IA4DnD;;OAEG;IACG,kBAAkB,CACtB,QAAQ,EAAE,yBAAyB,EACnC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;OAGG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IA4FlC;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC;CAmF/F"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/service-identity/manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,SAAS,EAET,yBAAyB,EACzB,yBAAyB,EAG1B,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAsB;IAE/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;OAGG;IACH,OAAO,CAAC,OAAO;IAIf;;;;;;;;OAQG;IACG,MAAM,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GACxC,OAAO,CAAC;QACT,QAAQ,EAAE,yBAAyB,CAAC;QACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACrC,CAAC;IAwEF;;OAEG;IACH,IAAI,CAAC,QAAQ,EAAE,YAAY,GAAG,yBAAyB,EAAE;IAIzD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,yBAAyB,GAAG,SAAS;IAIhF;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsCnF;;;;OAIG;IACG,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EACxC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IA2DnD;;OAEG;IACG,kBAAkB,CACtB,QAAQ,EAAE,yBAAyB,EACnC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;;;;;;OAQG;IACG,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,eAAe,EAAE,MAAM,EAAE,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAgExD;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,IAAI,EAAE,MAAM,EACZ,kBAAkB,EAAE,MAAM,EAAE,EAC5B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA8D1D;;;;;;;;;;;;;;;;;OAiBG;IACG,qBAAqB,CACzB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,SAAS,GACpB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IAwE9C;;;;;;;;OAQG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAmFlC;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC;CAoF/F"}

package/dist/sops/client.d.ts

@@ -1,12 +1,4 @@
 import { ClefManifest, DecryptedFile, EncryptionBackend, SopsMetadata, SubprocessRunner } from "../types";
-/**
- * Convert a Clef Cloud key ID (e.g. "clef:intId/env") to a synthetic ARN that
- * passes SOPS's ARN regex: `^arn:aws[\w-]*:kms:(.+):[0-9]+:(key|alias)/.+$`.
- * SOPS validates --kms values even when --keyservice is set, so we must use a
- * valid-looking AWS ARN. The keyservice proxy forwards it to the Cloud API
- * which recognizes the `alias/clef/` prefix and maps back to the real KMS key.
- */
-export declare function cloudKeyToArn(keyId: string): string;
 /**
  * Wraps the `sops` binary for encryption, decryption, re-encryption, and metadata extraction.
  * All decrypt/encrypt operations are piped via stdin/stdout — plaintext never touches disk.
@@ -22,7 +14,6 @@ export declare class SopsClient implements EncryptionBackend {
     private readonly ageKeyFile?;
     private readonly ageKey?;
     private readonly sopsCommand;
-    private readonly keyserviceArgs;
     /**
      * @param runner - Subprocess runner used to invoke the `sops` binary.
      * @param ageKeyFile - Optional path to an age private key file. Passed as
@@ -31,10 +22,8 @@ export declare class SopsClient implements EncryptionBackend {
      *   to the subprocess environment.
      * @param sopsPath - Optional explicit path to the sops binary. When omitted,
      *   resolved automatically via {@link resolveSopsPath}.
-     * @param keyserviceAddr - Optional keyservice address (e.g. `tcp://127.0.0.1:12345`).
-     *   When set, all SOPS invocations include `--enable-local-keyservice=false --keyservice <addr>`.
      */
-    constructor(runner: SubprocessRunner, ageKeyFile?: string | undefined, ageKey?: string | undefined, sopsPath?: string, keyserviceAddr?: string);
+    constructor(runner: SubprocessRunner, ageKeyFile?: string | undefined, ageKey?: string | undefined, sopsPath?: string);
     private buildSopsEnv;
     /**
      * Decrypt a SOPS-encrypted file and return its values and metadata.

package/dist/sops/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/sops/client.ts"],"names":[],"mappings":"AAgBA,OAAO,EAEL,YAAY,EACZ,aAAa,EACb,iBAAiB,EAIjB,YAAY,EACZ,gBAAgB,EAGjB,MAAM,UAAU,CAAC;AAyClB;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAMnD;AAED;;;;;;;;;GASG;AACH,qBAAa,UAAW,YAAW,iBAAiB;IAgBhD,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IAjB1B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAW;IAE1C;;;;;;;;;;OAUG;gBAEgB,MAAM,EAAE,gBAAgB,EACxB,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,MAAM,CAAC,EAAE,MAAM,YAAA,EAChC,QAAQ,CAAC,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,MAAM;IAQzB,OAAO,CAAC,YAAY;IAWpB;;;;;;;OAOG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IA6CvD;;;;;;;;;OASG;IACG,OAAO,CACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC9B,QAAQ,EAAE,YAAY,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAoEhB;;;;;;OAMG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhE;;;;;;OAMG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBhE;;;;;;OAMG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBnE;;;;;OAKG;IACG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5D;;;;;;;OAOG;IACG,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgB1D;;;;;;;OAOG;YACW,oBAAoB;IAsClC,OAAO,CAAC,qBAAqB;IAoC7B,OAAO,CAAC,aAAa;IAoBrB,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,gBAAgB;CA4DzB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/sops/client.ts"],"names":[],"mappings":"AAiBA,OAAO,EAEL,YAAY,EACZ,aAAa,EACb,iBAAiB,EAIjB,YAAY,EACZ,gBAAgB,EAGjB,MAAM,UAAU,CAAC;AAyClB;;;;;;;;;GASG;AACH,qBAAa,UAAW,YAAW,iBAAiB;IAahD,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IAd1B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IAErC;;;;;;;;OAQG;gBAEgB,MAAM,EAAE,gBAAgB,EACxB,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,MAAM,CAAC,EAAE,MAAM,YAAA,EAChC,QAAQ,CAAC,EAAE,MAAM;IAKnB,OAAO,CAAC,YAAY;IAWpB;;;;;;;OAOG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IA6CvD;;;;;;;;;OASG;IACG,OAAO,CACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC9B,QAAQ,EAAE,YAAY,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAsEhB;;;;;;OAMG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhE;;;;;;OAMG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBhE;;;;;;OAMG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBnE;;;;;OAKG;IACG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5D;;;;;;;OAOG;IACG,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgB1D;;;;;;;OAOG;YACW,oBAAoB;IAsClC,OAAO,CAAC,qBAAqB;IAoC7B,OAAO,CAAC,aAAa;IAWrB,OAAO,CAAC,iBAAiB;IAgCzB,OAAO,CAAC,gBAAgB;CAqDzB"}

package/dist/structure/manager.d.ts

@@ -0,0 +1,155 @@
+import { ClefManifest, EncryptionBackend } from "../types";
+import { MatrixManager } from "../matrix/manager";
+import { TransactionManager } from "../tx";
+export interface NamespaceEditOptions {
+    /** New name for the namespace. Renames cell files on disk and SI references. */
+    rename?: string;
+    /** Replace the namespace's description. Manifest-only update. */
+    description?: string;
+    /** Replace the namespace's schema path. Manifest-only update. */
+    schema?: string;
+}
+export interface EnvironmentEditOptions {
+    /** New name for the environment. Renames cell files on disk and SI references. */
+    rename?: string;
+    /** Replace the environment's description. Manifest-only update. */
+    description?: string;
+    /** Mark the environment as protected. Manifest-only update. */
+    protected?: boolean;
+}
+export interface AddNamespaceOptions {
+    /** Human-readable description for the new namespace. */
+    description?: string;
+    /** Optional schema file path for the new namespace. */
+    schema?: string;
+}
+export interface AddEnvironmentOptions {
+    /** Human-readable description for the new environment. */
+    description?: string;
+    /** Mark the new environment as protected from the start. */
+    protected?: boolean;
+}
+/**
+ * Manages namespace and environment CRUD on the manifest. Covers add, remove,
+ * and edit operations. Renames cascade through service identity references;
+ * removes refuse if they would orphan an SI (force the user to clean up SIs
+ * first) or break the manifest (last namespace, last environment, protected
+ * environment).
+ *
+ * Every mutation runs inside TransactionManager so cell-file ops + the
+ * manifest update + SI cascade updates land as one git commit, or roll back
+ * via `git reset --hard` on failure.
+ *
+ * @example
+ * ```ts
+ * const tx = new TransactionManager(new GitIntegration(runner));
+ * const structure = new StructureManager(matrixManager, sopsClient, tx);
+ * await structure.addNamespace("billing", {}, manifest, repoRoot);
+ * ```
+ */
+export declare class StructureManager {
+    private readonly matrixManager;
+    private readonly encryption;
+    private readonly tx;
+    constructor(matrixManager: MatrixManager, encryption: EncryptionBackend, tx: TransactionManager);
+    /**
+     * Add a new namespace to the manifest and scaffold an empty encrypted cell
+     * for every existing environment. Refuses if the name already exists, the
+     * identifier is invalid, or any of the target cell files are already on
+     * disk.
+     */
+    addNamespace(name: string, opts: AddNamespaceOptions, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * Add a new environment to the manifest and scaffold an empty encrypted
+     * cell for every existing namespace. Refuses if the name already exists,
+     * the identifier is invalid, or any of the target cell files are already
+     * on disk.
+     *
+     * Does NOT cascade to service identities — existing SIs will not have a
+     * config for the new env. Lint will surface that gap; users explicitly
+     * close it via `clef service update --add-env` (Phase 1c).
+     */
+    addEnvironment(name: string, opts: AddEnvironmentOptions, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * Remove a namespace from the manifest and delete every cell file under
+     * it. Cascades through service identities by removing the namespace from
+     * each SI's `namespaces[]` array. Refuses if removing it would leave any
+     * SI with zero scope (the user must delete those SIs first or add other
+     * namespaces to them) or if it would leave the manifest with zero
+     * namespaces.
+     */
+    removeNamespace(name: string, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * Remove an environment from the manifest and delete every cell file for
+     * it across all namespaces. Cascades through service identities by
+     * removing the env entry from each SI's `environments{}` map. Refuses on
+     * protected environments (force the user to `clef env edit --unprotect`
+     * first), if it would leave the manifest with zero environments, or if
+     * the env doesn't exist.
+     */
+    removeEnvironment(name: string, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * Edit a namespace's manifest entry, optionally renaming the namespace
+     * (which also renames cell files on disk and updates every service
+     * identity that references it).
+     */
+    editNamespace(name: string, opts: NamespaceEditOptions, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * Edit an environment's manifest entry, optionally renaming the env
+     * (which also renames cell files across every namespace and updates
+     * every service identity's environments map key).
+     */
+    editEnvironment(name: string, opts: EnvironmentEditOptions, manifest: ClefManifest, repoRoot: string): Promise<void>;
+    /**
+     * For a rename, return every (oldPath, newPath) pair that needs to move on
+     * disk. Includes the encrypted cell files AND their sibling .clef-meta.yaml
+     * pending-metadata files. Filters to existing cells only — empty cells
+     * (no file on disk) need no rename.
+     */
+    private collectRenamePairs;
+    /**
+     * Build the new file path by substituting the renamed axis (namespace or
+     * environment) into the manifest's file_pattern. Reuses MatrixManager's
+     * resolution logic instead of doing string surgery on the existing path.
+     */
+    private swapAxisInCellPath;
+    /**
+     * Compute the repo-relative paths a transaction needs to know about.
+     * Includes both ends of every rename plus the manifest itself.
+     */
+    private txPaths;
+    /**
+     * Apply each rename in order. Creates parent directories as needed (a
+     * namespace rename moves files into a brand-new directory).
+     */
+    private applyRenames;
+    /**
+     * Compute the repo-relative paths for a remove op. Includes every cell
+     * file being deleted, every existing .clef-meta.yaml sibling, and the
+     * manifest itself.
+     */
+    private deletePaths;
+    /**
+     * Delete the .clef-meta.yaml sibling of a cell file if it exists. No-op
+     * otherwise. Used by remove ops to keep pending-state files in sync with
+     * the cells they describe.
+     */
+    private unlinkMetaSibling;
+    /**
+     * Mutate the manifest doc in place to apply a namespace edit. Handles
+     * description/schema replacement and the rename cascade through every
+     * service identity that references the namespace.
+     */
+    private applyNamespaceManifestEdit;
+    /**
+     * Mutate the manifest doc in place to apply an environment edit. Handles
+     * description/protected updates and the rename cascade through every
+     * service identity's environments map.
+     */
+    private applyEnvironmentManifestEdit;
+    /** Reject rename targets that aren't safe path segments. */
+    private assertValidIdentifier;
+    /** Build the human-readable commit message for an edit. */
+    private describeEdit;
+}
+//# sourceMappingURL=manager.d.ts.map

package/dist/structure/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/structure/manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAc,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,oBAAoB;IACnC,gFAAgF;IAChF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iEAAiE;IACjE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,wDAAwD;IACxD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,0DAA0D;IAC1D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,aAAa,EAAE,aAAa,EAC5B,UAAU,EAAE,iBAAiB,EAC7B,EAAE,EAAE,kBAAkB;IAKzC;;;;;OAKG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,mBAAmB,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA4EhB;;;;;;;;;OASG;IACG,cAAc,CAClB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,qBAAqB,EAC3B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IAwEhB;;;;;;;OAOG;IACG,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA0D5F;;;;;;;OAOG;IACG,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsD9F;;;;OAIG;IACG,aAAa,CACjB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IAqDhB;;;;OAIG;IACG,eAAe,CACnB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,sBAAsB,EAC5B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IAkDhB;;;;;OAKG;IACH,OAAO,CAAC,kBAAkB;IA6B1B;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAe1B;;;OAGG;IACH,OAAO,CAAC,OAAO;IAUf;;;OAGG;IACH,OAAO,CAAC,YAAY;IAUpB;;;;OAIG;IACH,OAAO,CAAC,WAAW;IAanB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;;;OAIG;IACH,OAAO,CAAC,0BAA0B;IAsClC;;;;OAIG;IACH,OAAO,CAAC,4BAA4B;IAsCpC,4DAA4D;IAC5D,OAAO,CAAC,qBAAqB;IAQ7B,2DAA2D;IAC3D,OAAO,CAAC,YAAY;CAcrB"}

package/dist/sync/index.d.ts

@@ -0,0 +1,3 @@
+export { SyncManager } from "./manager";
+export type { SyncOptions, SyncPlan, SyncCellPlan, SyncResult } from "./manager";
+//# sourceMappingURL=index.d.ts.map

package/dist/sync/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sync/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC"}