@clef-sh/core 0.1.15-beta.98 → 0.1.16-beta.110

package/dist/index.mjs

@@ -304,10 +304,10 @@ var require_lib = __commonJS({
     module.exports.sync = writeFileSync6;
     module.exports._getTmpname = getTmpname;
     module.exports._cleanupOnExit = cleanupOnExit;
-    var fs21 = __require("fs");
+    var fs17 = __require("fs");
     var crypto4 = __require("node:crypto");
     var { onExit } = require_cjs();
-    var path28 = __require("path");
+    var path25 = __require("path");
     var { promisify } = __require("util");
     var activeFiles = {};
     var threadId = (function getId() {
@@ -325,7 +325,7 @@ var require_lib = __commonJS({
     function cleanupOnExit(tmpfile) {
       return () => {
         try {
-          fs21.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
+          fs17.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
         } catch {
         }
       };
@@ -360,13 +360,13 @@ var require_lib = __commonJS({
       let fd;
       let tmpfile;
       const removeOnExitHandler = onExit(cleanupOnExit(() => tmpfile));
-      const absoluteName = path28.resolve(filename);
+      const absoluteName = path25.resolve(filename);
       try {
         await serializeActiveFile(absoluteName);
-        const truename = await promisify(fs21.realpath)(filename).catch(() => filename);
+        const truename = await promisify(fs17.realpath)(filename).catch(() => filename);
         tmpfile = getTmpname(truename);
         if (!options.mode || !options.chown) {
-          const stats = await promisify(fs21.stat)(truename).catch(() => {
+          const stats = await promisify(fs17.stat)(truename).catch(() => {
           });
           if (stats) {
             if (options.mode == null) {
@@ -377,45 +377,45 @@ var require_lib = __commonJS({
             }
           }
         }
-        fd = await promisify(fs21.open)(tmpfile, "w", options.mode);
+        fd = await promisify(fs17.open)(tmpfile, "w", options.mode);
         if (options.tmpfileCreated) {
           await options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          await promisify(fs21.write)(fd, data, 0, data.length, 0);
+          await promisify(fs17.write)(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          await promisify(fs21.write)(fd, String(data), 0, String(options.encoding || "utf8"));
+          await promisify(fs17.write)(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          await promisify(fs21.fsync)(fd);
+          await promisify(fs17.fsync)(fd);
         }
-        await promisify(fs21.close)(fd);
+        await promisify(fs17.close)(fd);
         fd = null;
         if (options.chown) {
-          await promisify(fs21.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
+          await promisify(fs17.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
         if (options.mode) {
-          await promisify(fs21.chmod)(tmpfile, options.mode).catch((err) => {
+          await promisify(fs17.chmod)(tmpfile, options.mode).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
-        await promisify(fs21.rename)(tmpfile, truename);
+        await promisify(fs17.rename)(tmpfile, truename);
       } finally {
         if (fd) {
-          await promisify(fs21.close)(fd).catch(
+          await promisify(fs17.close)(fd).catch(
             /* istanbul ignore next */
             () => {
             }
           );
         }
         removeOnExitHandler();
-        await promisify(fs21.unlink)(tmpfile).catch(() => {
+        await promisify(fs17.unlink)(tmpfile).catch(() => {
         });
         activeFiles[absoluteName].shift();
         if (activeFiles[absoluteName].length > 0) {
@@ -448,13 +448,13 @@ var require_lib = __commonJS({
         options = {};
       }
       try {
-        filename = fs21.realpathSync(filename);
+        filename = fs17.realpathSync(filename);
       } catch (ex) {
       }
       const tmpfile = getTmpname(filename);
       if (!options.mode || !options.chown) {
         try {
-          const stats = fs21.statSync(filename);
+          const stats = fs17.statSync(filename);
           options = Object.assign({}, options);
           if (!options.mode) {
             options.mode = stats.mode;
@@ -470,23 +470,23 @@ var require_lib = __commonJS({
       const removeOnExitHandler = onExit(cleanup);
       let threw = true;
       try {
-        fd = fs21.openSync(tmpfile, "w", options.mode || 438);
+        fd = fs17.openSync(tmpfile, "w", options.mode || 438);
         if (options.tmpfileCreated) {
           options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          fs21.writeSync(fd, data, 0, data.length, 0);
+          fs17.writeSync(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          fs21.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
+          fs17.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          fs21.fsyncSync(fd);
+          fs17.fsyncSync(fd);
         }
-        fs21.closeSync(fd);
+        fs17.closeSync(fd);
         fd = null;
         if (options.chown) {
           try {
-            fs21.chownSync(tmpfile, options.chown.uid, options.chown.gid);
+            fs17.chownSync(tmpfile, options.chown.uid, options.chown.gid);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
@@ -495,19 +495,19 @@ var require_lib = __commonJS({
         }
         if (options.mode) {
           try {
-            fs21.chmodSync(tmpfile, options.mode);
+            fs17.chmodSync(tmpfile, options.mode);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
             }
           }
         }
-        fs21.renameSync(tmpfile, filename);
+        fs17.renameSync(tmpfile, filename);
         threw = false;
       } finally {
         if (fd) {
           try {
-            fs21.closeSync(fd);
+            fs17.closeSync(fd);
           } catch (ex) {
           }
         }
@@ -546,54 +546,54 @@ var require_polyfills = __commonJS({
     }
     var chdir;
     module.exports = patch;
-    function patch(fs21) {
+    function patch(fs17) {
       if (constants.hasOwnProperty("O_SYMLINK") && process.version.match(/^v0\.6\.[0-2]|^v0\.5\./)) {
-        patchLchmod(fs21);
-      }
-      if (!fs21.lutimes) {
-        patchLutimes(fs21);
-      }
-      fs21.chown = chownFix(fs21.chown);
-      fs21.fchown = chownFix(fs21.fchown);
-      fs21.lchown = chownFix(fs21.lchown);
-      fs21.chmod = chmodFix(fs21.chmod);
-      fs21.fchmod = chmodFix(fs21.fchmod);
-      fs21.lchmod = chmodFix(fs21.lchmod);
-      fs21.chownSync = chownFixSync(fs21.chownSync);
-      fs21.fchownSync = chownFixSync(fs21.fchownSync);
-      fs21.lchownSync = chownFixSync(fs21.lchownSync);
-      fs21.chmodSync = chmodFixSync(fs21.chmodSync);
-      fs21.fchmodSync = chmodFixSync(fs21.fchmodSync);
-      fs21.lchmodSync = chmodFixSync(fs21.lchmodSync);
-      fs21.stat = statFix(fs21.stat);
-      fs21.fstat = statFix(fs21.fstat);
-      fs21.lstat = statFix(fs21.lstat);
-      fs21.statSync = statFixSync(fs21.statSync);
-      fs21.fstatSync = statFixSync(fs21.fstatSync);
-      fs21.lstatSync = statFixSync(fs21.lstatSync);
-      if (fs21.chmod && !fs21.lchmod) {
-        fs21.lchmod = function(path28, mode, cb) {
+        patchLchmod(fs17);
+      }
+      if (!fs17.lutimes) {
+        patchLutimes(fs17);
+      }
+      fs17.chown = chownFix(fs17.chown);
+      fs17.fchown = chownFix(fs17.fchown);
+      fs17.lchown = chownFix(fs17.lchown);
+      fs17.chmod = chmodFix(fs17.chmod);
+      fs17.fchmod = chmodFix(fs17.fchmod);
+      fs17.lchmod = chmodFix(fs17.lchmod);
+      fs17.chownSync = chownFixSync(fs17.chownSync);
+      fs17.fchownSync = chownFixSync(fs17.fchownSync);
+      fs17.lchownSync = chownFixSync(fs17.lchownSync);
+      fs17.chmodSync = chmodFixSync(fs17.chmodSync);
+      fs17.fchmodSync = chmodFixSync(fs17.fchmodSync);
+      fs17.lchmodSync = chmodFixSync(fs17.lchmodSync);
+      fs17.stat = statFix(fs17.stat);
+      fs17.fstat = statFix(fs17.fstat);
+      fs17.lstat = statFix(fs17.lstat);
+      fs17.statSync = statFixSync(fs17.statSync);
+      fs17.fstatSync = statFixSync(fs17.fstatSync);
+      fs17.lstatSync = statFixSync(fs17.lstatSync);
+      if (fs17.chmod && !fs17.lchmod) {
+        fs17.lchmod = function(path25, mode, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs21.lchmodSync = function() {
+        fs17.lchmodSync = function() {
         };
       }
-      if (fs21.chown && !fs21.lchown) {
-        fs21.lchown = function(path28, uid, gid, cb) {
+      if (fs17.chown && !fs17.lchown) {
+        fs17.lchown = function(path25, uid, gid, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs21.lchownSync = function() {
+        fs17.lchownSync = function() {
         };
       }
       if (platform === "win32") {
-        fs21.rename = typeof fs21.rename !== "function" ? fs21.rename : (function(fs$rename) {
+        fs17.rename = typeof fs17.rename !== "function" ? fs17.rename : (function(fs$rename) {
           function rename(from, to, cb) {
             var start = Date.now();
             var backoff = 0;
             fs$rename(from, to, function CB(er) {
               if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
                 setTimeout(function() {
-                  fs21.stat(to, function(stater, st) {
+                  fs17.stat(to, function(stater, st) {
                     if (stater && stater.code === "ENOENT")
                       fs$rename(from, to, CB);
                     else
@@ -609,9 +609,9 @@ var require_polyfills = __commonJS({
           }
           if (Object.setPrototypeOf) Object.setPrototypeOf(rename, fs$rename);
           return rename;
-        })(fs21.rename);
+        })(fs17.rename);
       }
-      fs21.read = typeof fs21.read !== "function" ? fs21.read : (function(fs$read) {
+      fs17.read = typeof fs17.read !== "function" ? fs17.read : (function(fs$read) {
         function read(fd, buffer, offset, length, position, callback_) {
           var callback;
           if (callback_ && typeof callback_ === "function") {
@@ -619,22 +619,22 @@ var require_polyfills = __commonJS({
             callback = function(er, _, __) {
               if (er && er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
-                return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
+                return fs$read.call(fs17, fd, buffer, offset, length, position, callback);
               }
               callback_.apply(this, arguments);
             };
           }
-          return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
+          return fs$read.call(fs17, fd, buffer, offset, length, position, callback);
         }
         if (Object.setPrototypeOf) Object.setPrototypeOf(read, fs$read);
         return read;
-      })(fs21.read);
-      fs21.readSync = typeof fs21.readSync !== "function" ? fs21.readSync : /* @__PURE__ */ (function(fs$readSync) {
+      })(fs17.read);
+      fs17.readSync = typeof fs17.readSync !== "function" ? fs17.readSync : /* @__PURE__ */ (function(fs$readSync) {
         return function(fd, buffer, offset, length, position) {
           var eagCounter = 0;
           while (true) {
             try {
-              return fs$readSync.call(fs21, fd, buffer, offset, length, position);
+              return fs$readSync.call(fs17, fd, buffer, offset, length, position);
             } catch (er) {
               if (er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
@@ -644,11 +644,11 @@ var require_polyfills = __commonJS({
             }
           }
         };
-      })(fs21.readSync);
-      function patchLchmod(fs22) {
-        fs22.lchmod = function(path28, mode, callback) {
-          fs22.open(
-            path28,
+      })(fs17.readSync);
+      function patchLchmod(fs18) {
+        fs18.lchmod = function(path25, mode, callback) {
+          fs18.open(
+            path25,
             constants.O_WRONLY | constants.O_SYMLINK,
             mode,
             function(err, fd) {
@@ -656,80 +656,80 @@ var require_polyfills = __commonJS({
                 if (callback) callback(err);
                 return;
               }
-              fs22.fchmod(fd, mode, function(err2) {
-                fs22.close(fd, function(err22) {
+              fs18.fchmod(fd, mode, function(err2) {
+                fs18.close(fd, function(err22) {
                   if (callback) callback(err2 || err22);
                 });
               });
             }
           );
         };
-        fs22.lchmodSync = function(path28, mode) {
-          var fd = fs22.openSync(path28, constants.O_WRONLY | constants.O_SYMLINK, mode);
+        fs18.lchmodSync = function(path25, mode) {
+          var fd = fs18.openSync(path25, constants.O_WRONLY | constants.O_SYMLINK, mode);
           var threw = true;
           var ret;
           try {
-            ret = fs22.fchmodSync(fd, mode);
+            ret = fs18.fchmodSync(fd, mode);
             threw = false;
           } finally {
             if (threw) {
               try {
-                fs22.closeSync(fd);
+                fs18.closeSync(fd);
               } catch (er) {
               }
             } else {
-              fs22.closeSync(fd);
+              fs18.closeSync(fd);
             }
           }
           return ret;
         };
       }
-      function patchLutimes(fs22) {
-        if (constants.hasOwnProperty("O_SYMLINK") && fs22.futimes) {
-          fs22.lutimes = function(path28, at, mt, cb) {
-            fs22.open(path28, constants.O_SYMLINK, function(er, fd) {
+      function patchLutimes(fs18) {
+        if (constants.hasOwnProperty("O_SYMLINK") && fs18.futimes) {
+          fs18.lutimes = function(path25, at, mt, cb) {
+            fs18.open(path25, constants.O_SYMLINK, function(er, fd) {
               if (er) {
                 if (cb) cb(er);
                 return;
               }
-              fs22.futimes(fd, at, mt, function(er2) {
-                fs22.close(fd, function(er22) {
+              fs18.futimes(fd, at, mt, function(er2) {
+                fs18.close(fd, function(er22) {
                   if (cb) cb(er2 || er22);
                 });
               });
             });
           };
-          fs22.lutimesSync = function(path28, at, mt) {
-            var fd = fs22.openSync(path28, constants.O_SYMLINK);
+          fs18.lutimesSync = function(path25, at, mt) {
+            var fd = fs18.openSync(path25, constants.O_SYMLINK);
             var ret;
             var threw = true;
             try {
-              ret = fs22.futimesSync(fd, at, mt);
+              ret = fs18.futimesSync(fd, at, mt);
               threw = false;
             } finally {
               if (threw) {
                 try {
-                  fs22.closeSync(fd);
+                  fs18.closeSync(fd);
                 } catch (er) {
                 }
               } else {
-                fs22.closeSync(fd);
+                fs18.closeSync(fd);
               }
             }
             return ret;
           };
-        } else if (fs22.futimes) {
-          fs22.lutimes = function(_a, _b, _c, cb) {
+        } else if (fs18.futimes) {
+          fs18.lutimes = function(_a, _b, _c, cb) {
             if (cb) process.nextTick(cb);
           };
-          fs22.lutimesSync = function() {
+          fs18.lutimesSync = function() {
           };
         }
       }
       function chmodFix(orig) {
         if (!orig) return orig;
         return function(target, mode, cb) {
-          return orig.call(fs21, target, mode, function(er) {
+          return orig.call(fs17, target, mode, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -739,7 +739,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, mode) {
           try {
-            return orig.call(fs21, target, mode);
+            return orig.call(fs17, target, mode);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -748,7 +748,7 @@ var require_polyfills = __commonJS({
       function chownFix(orig) {
         if (!orig) return orig;
         return function(target, uid, gid, cb) {
-          return orig.call(fs21, target, uid, gid, function(er) {
+          return orig.call(fs17, target, uid, gid, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -758,7 +758,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, uid, gid) {
           try {
-            return orig.call(fs21, target, uid, gid);
+            return orig.call(fs17, target, uid, gid);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -778,13 +778,13 @@ var require_polyfills = __commonJS({
             }
             if (cb) cb.apply(this, arguments);
           }
-          return options ? orig.call(fs21, target, options, callback) : orig.call(fs21, target, callback);
+          return options ? orig.call(fs17, target, options, callback) : orig.call(fs17, target, callback);
         };
       }
       function statFixSync(orig) {
         if (!orig) return orig;
         return function(target, options) {
-          var stats = options ? orig.call(fs21, target, options) : orig.call(fs21, target);
+          var stats = options ? orig.call(fs17, target, options) : orig.call(fs17, target);
           if (stats) {
             if (stats.uid < 0) stats.uid += 4294967296;
             if (stats.gid < 0) stats.gid += 4294967296;
@@ -813,16 +813,16 @@ var require_legacy_streams = __commonJS({
   "../../node_modules/graceful-fs/legacy-streams.js"(exports, module) {
     var Stream = __require("stream").Stream;
     module.exports = legacy;
-    function legacy(fs21) {
+    function legacy(fs17) {
       return {
         ReadStream,
         WriteStream
       };
-      function ReadStream(path28, options) {
-        if (!(this instanceof ReadStream)) return new ReadStream(path28, options);
+      function ReadStream(path25, options) {
+        if (!(this instanceof ReadStream)) return new ReadStream(path25, options);
         Stream.call(this);
         var self = this;
-        this.path = path28;
+        this.path = path25;
         this.fd = null;
         this.readable = true;
         this.paused = false;
@@ -856,7 +856,7 @@ var require_legacy_streams = __commonJS({
           });
           return;
         }
-        fs21.open(this.path, this.flags, this.mode, function(err, fd) {
+        fs17.open(this.path, this.flags, this.mode, function(err, fd) {
           if (err) {
             self.emit("error", err);
             self.readable = false;
@@ -867,10 +867,10 @@ var require_legacy_streams = __commonJS({
           self._read();
         });
       }
-      function WriteStream(path28, options) {
-        if (!(this instanceof WriteStream)) return new WriteStream(path28, options);
+      function WriteStream(path25, options) {
+        if (!(this instanceof WriteStream)) return new WriteStream(path25, options);
         Stream.call(this);
-        this.path = path28;
+        this.path = path25;
         this.fd = null;
         this.writable = true;
         this.flags = "w";
@@ -895,7 +895,7 @@ var require_legacy_streams = __commonJS({
         this.busy = false;
         this._queue = [];
         if (this.fd === null) {
-          this._open = fs21.open;
+          this._open = fs17.open;
           this._queue.push([this._open, this.path, this.flags, this.mode, void 0]);
           this.flush();
         }
@@ -930,7 +930,7 @@ var require_clone = __commonJS({
 // ../../node_modules/graceful-fs/graceful-fs.js
 var require_graceful_fs = __commonJS({
   "../../node_modules/graceful-fs/graceful-fs.js"(exports, module) {
-    var fs21 = __require("fs");
+    var fs17 = __require("fs");
     var polyfills = require_polyfills();
     var legacy = require_legacy_streams();
     var clone = require_clone();
@@ -962,12 +962,12 @@ var require_graceful_fs = __commonJS({
         m = "GFS4: " + m.split(/\n/).join("\nGFS4: ");
         console.error(m);
       };
-    if (!fs21[gracefulQueue]) {
+    if (!fs17[gracefulQueue]) {
       queue = global[gracefulQueue] || [];
-      publishQueue(fs21, queue);
-      fs21.close = (function(fs$close) {
+      publishQueue(fs17, queue);
+      fs17.close = (function(fs$close) {
         function close(fd, cb) {
-          return fs$close.call(fs21, fd, function(err) {
+          return fs$close.call(fs17, fd, function(err) {
             if (!err) {
               resetQueue();
             }
@@ -979,48 +979,48 @@ var require_graceful_fs = __commonJS({
           value: fs$close
         });
         return close;
-      })(fs21.close);
-      fs21.closeSync = (function(fs$closeSync) {
+      })(fs17.close);
+      fs17.closeSync = (function(fs$closeSync) {
         function closeSync2(fd) {
-          fs$closeSync.apply(fs21, arguments);
+          fs$closeSync.apply(fs17, arguments);
           resetQueue();
         }
         Object.defineProperty(closeSync2, previousSymbol, {
           value: fs$closeSync
         });
         return closeSync2;
-      })(fs21.closeSync);
+      })(fs17.closeSync);
       if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || "")) {
         process.on("exit", function() {
-          debug(fs21[gracefulQueue]);
-          __require("assert").equal(fs21[gracefulQueue].length, 0);
+          debug(fs17[gracefulQueue]);
+          __require("assert").equal(fs17[gracefulQueue].length, 0);
         });
       }
     }
     var queue;
     if (!global[gracefulQueue]) {
-      publishQueue(global, fs21[gracefulQueue]);
-    }
-    module.exports = patch(clone(fs21));
-    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs21.__patched) {
-      module.exports = patch(fs21);
-      fs21.__patched = true;
-    }
-    function patch(fs22) {
-      polyfills(fs22);
-      fs22.gracefulify = patch;
-      fs22.createReadStream = createReadStream;
-      fs22.createWriteStream = createWriteStream;
-      var fs$readFile = fs22.readFile;
-      fs22.readFile = readFile;
-      function readFile(path28, options, cb) {
+      publishQueue(global, fs17[gracefulQueue]);
+    }
+    module.exports = patch(clone(fs17));
+    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs17.__patched) {
+      module.exports = patch(fs17);
+      fs17.__patched = true;
+    }
+    function patch(fs18) {
+      polyfills(fs18);
+      fs18.gracefulify = patch;
+      fs18.createReadStream = createReadStream;
+      fs18.createWriteStream = createWriteStream;
+      var fs$readFile = fs18.readFile;
+      fs18.readFile = readFile;
+      function readFile(path25, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$readFile(path28, options, cb);
-        function go$readFile(path29, options2, cb2, startTime) {
-          return fs$readFile(path29, options2, function(err) {
+        return go$readFile(path25, options, cb);
+        function go$readFile(path26, options2, cb2, startTime) {
+          return fs$readFile(path26, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$readFile, [path29, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$readFile, [path26, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1028,16 +1028,16 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$writeFile = fs22.writeFile;
-      fs22.writeFile = writeFile;
-      function writeFile(path28, data, options, cb) {
+      var fs$writeFile = fs18.writeFile;
+      fs18.writeFile = writeFile;
+      function writeFile(path25, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$writeFile(path28, data, options, cb);
-        function go$writeFile(path29, data2, options2, cb2, startTime) {
-          return fs$writeFile(path29, data2, options2, function(err) {
+        return go$writeFile(path25, data, options, cb);
+        function go$writeFile(path26, data2, options2, cb2, startTime) {
+          return fs$writeFile(path26, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$writeFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$writeFile, [path26, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1045,17 +1045,17 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$appendFile = fs22.appendFile;
+      var fs$appendFile = fs18.appendFile;
       if (fs$appendFile)
-        fs22.appendFile = appendFile;
-      function appendFile(path28, data, options, cb) {
+        fs18.appendFile = appendFile;
+      function appendFile(path25, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$appendFile(path28, data, options, cb);
-        function go$appendFile(path29, data2, options2, cb2, startTime) {
-          return fs$appendFile(path29, data2, options2, function(err) {
+        return go$appendFile(path25, data, options, cb);
+        function go$appendFile(path26, data2, options2, cb2, startTime) {
+          return fs$appendFile(path26, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$appendFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$appendFile, [path26, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1063,9 +1063,9 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$copyFile = fs22.copyFile;
+      var fs$copyFile = fs18.copyFile;
       if (fs$copyFile)
-        fs22.copyFile = copyFile;
+        fs18.copyFile = copyFile;
       function copyFile(src, dest, flags, cb) {
         if (typeof flags === "function") {
           cb = flags;
@@ -1083,34 +1083,34 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$readdir = fs22.readdir;
-      fs22.readdir = readdir;
+      var fs$readdir = fs18.readdir;
+      fs18.readdir = readdir;
       var noReaddirOptionVersions = /^v[0-5]\./;
-      function readdir(path28, options, cb) {
+      function readdir(path25, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path29, options2, cb2, startTime) {
-          return fs$readdir(path29, fs$readdirCallback(
-            path29,
+        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path26, options2, cb2, startTime) {
+          return fs$readdir(path26, fs$readdirCallback(
+            path26,
             options2,
             cb2,
             startTime
           ));
-        } : function go$readdir2(path29, options2, cb2, startTime) {
-          return fs$readdir(path29, options2, fs$readdirCallback(
-            path29,
+        } : function go$readdir2(path26, options2, cb2, startTime) {
+          return fs$readdir(path26, options2, fs$readdirCallback(
+            path26,
             options2,
             cb2,
             startTime
           ));
         };
-        return go$readdir(path28, options, cb);
-        function fs$readdirCallback(path29, options2, cb2, startTime) {
+        return go$readdir(path25, options, cb);
+        function fs$readdirCallback(path26, options2, cb2, startTime) {
           return function(err, files) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
               enqueue([
                 go$readdir,
-                [path29, options2, cb2],
+                [path26, options2, cb2],
                 err,
                 startTime || Date.now(),
                 Date.now()
@@ -1125,21 +1125,21 @@ var require_graceful_fs = __commonJS({
         }
       }
       if (process.version.substr(0, 4) === "v0.8") {
-        var legStreams = legacy(fs22);
+        var legStreams = legacy(fs18);
         ReadStream = legStreams.ReadStream;
         WriteStream = legStreams.WriteStream;
       }
-      var fs$ReadStream = fs22.ReadStream;
+      var fs$ReadStream = fs18.ReadStream;
       if (fs$ReadStream) {
         ReadStream.prototype = Object.create(fs$ReadStream.prototype);
         ReadStream.prototype.open = ReadStream$open;
       }
-      var fs$WriteStream = fs22.WriteStream;
+      var fs$WriteStream = fs18.WriteStream;
       if (fs$WriteStream) {
         WriteStream.prototype = Object.create(fs$WriteStream.prototype);
         WriteStream.prototype.open = WriteStream$open;
       }
-      Object.defineProperty(fs22, "ReadStream", {
+      Object.defineProperty(fs18, "ReadStream", {
         get: function() {
           return ReadStream;
         },
@@ -1149,7 +1149,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      Object.defineProperty(fs22, "WriteStream", {
+      Object.defineProperty(fs18, "WriteStream", {
         get: function() {
           return WriteStream;
         },
@@ -1160,7 +1160,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileReadStream = ReadStream;
-      Object.defineProperty(fs22, "FileReadStream", {
+      Object.defineProperty(fs18, "FileReadStream", {
         get: function() {
           return FileReadStream;
         },
@@ -1171,7 +1171,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileWriteStream = WriteStream;
-      Object.defineProperty(fs22, "FileWriteStream", {
+      Object.defineProperty(fs18, "FileWriteStream", {
         get: function() {
           return FileWriteStream;
         },
@@ -1181,7 +1181,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      function ReadStream(path28, options) {
+      function ReadStream(path25, options) {
         if (this instanceof ReadStream)
           return fs$ReadStream.apply(this, arguments), this;
         else
@@ -1201,7 +1201,7 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function WriteStream(path28, options) {
+      function WriteStream(path25, options) {
         if (this instanceof WriteStream)
           return fs$WriteStream.apply(this, arguments), this;
         else
@@ -1219,22 +1219,22 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function createReadStream(path28, options) {
-        return new fs22.ReadStream(path28, options);
+      function createReadStream(path25, options) {
+        return new fs18.ReadStream(path25, options);
       }
-      function createWriteStream(path28, options) {
-        return new fs22.WriteStream(path28, options);
+      function createWriteStream(path25, options) {
+        return new fs18.WriteStream(path25, options);
       }
-      var fs$open = fs22.open;
-      fs22.open = open;
-      function open(path28, flags, mode, cb) {
+      var fs$open = fs18.open;
+      fs18.open = open;
+      function open(path25, flags, mode, cb) {
         if (typeof mode === "function")
           cb = mode, mode = null;
-        return go$open(path28, flags, mode, cb);
-        function go$open(path29, flags2, mode2, cb2, startTime) {
-          return fs$open(path29, flags2, mode2, function(err, fd) {
+        return go$open(path25, flags, mode, cb);
+        function go$open(path26, flags2, mode2, cb2, startTime) {
+          return fs$open(path26, flags2, mode2, function(err, fd) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$open, [path29, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$open, [path26, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1242,20 +1242,20 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      return fs22;
+      return fs18;
     }
     function enqueue(elem) {
       debug("ENQUEUE", elem[0].name, elem[1]);
-      fs21[gracefulQueue].push(elem);
+      fs17[gracefulQueue].push(elem);
       retry();
     }
     var retryTimer;
     function resetQueue() {
       var now = Date.now();
-      for (var i = 0; i < fs21[gracefulQueue].length; ++i) {
-        if (fs21[gracefulQueue][i].length > 2) {
-          fs21[gracefulQueue][i][3] = now;
-          fs21[gracefulQueue][i][4] = now;
+      for (var i = 0; i < fs17[gracefulQueue].length; ++i) {
+        if (fs17[gracefulQueue][i].length > 2) {
+          fs17[gracefulQueue][i][3] = now;
+          fs17[gracefulQueue][i][4] = now;
         }
       }
       retry();
@@ -1263,9 +1263,9 @@ var require_graceful_fs = __commonJS({
     function retry() {
       clearTimeout(retryTimer);
       retryTimer = void 0;
-      if (fs21[gracefulQueue].length === 0)
+      if (fs17[gracefulQueue].length === 0)
         return;
-      var elem = fs21[gracefulQueue].shift();
+      var elem = fs17[gracefulQueue].shift();
       var fn = elem[0];
       var args = elem[1];
       var err = elem[2];
@@ -1287,7 +1287,7 @@ var require_graceful_fs = __commonJS({
           debug("RETRY", fn.name, args);
           fn.apply(null, args.concat([startTime]));
         } else {
-          fs21[gracefulQueue].push(elem);
+          fs17[gracefulQueue].push(elem);
         }
       }
       if (retryTimer === void 0) {
@@ -1722,10 +1722,10 @@ var require_mtime_precision = __commonJS({
   "../../node_modules/proper-lockfile/lib/mtime-precision.js"(exports, module) {
     "use strict";
     var cacheSymbol = /* @__PURE__ */ Symbol();
-    function probe(file, fs21, callback) {
-      const cachedPrecision = fs21[cacheSymbol];
+    function probe(file, fs17, callback) {
+      const cachedPrecision = fs17[cacheSymbol];
       if (cachedPrecision) {
-        return fs21.stat(file, (err, stat) => {
+        return fs17.stat(file, (err, stat) => {
           if (err) {
             return callback(err);
           }
@@ -1733,16 +1733,16 @@ var require_mtime_precision = __commonJS({
         });
       }
       const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
-      fs21.utimes(file, mtime, mtime, (err) => {
+      fs17.utimes(file, mtime, mtime, (err) => {
         if (err) {
           return callback(err);
         }
-        fs21.stat(file, (err2, stat) => {
+        fs17.stat(file, (err2, stat) => {
           if (err2) {
             return callback(err2);
           }
           const precision = stat.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
-          Object.defineProperty(fs21, cacheSymbol, { value: precision });
+          Object.defineProperty(fs17, cacheSymbol, { value: precision });
           callback(null, stat.mtime, precision);
         });
       });
@@ -1763,8 +1763,8 @@ var require_mtime_precision = __commonJS({
 var require_lockfile = __commonJS({
   "../../node_modules/proper-lockfile/lib/lockfile.js"(exports, module) {
     "use strict";
-    var path28 = __require("path");
-    var fs21 = require_graceful_fs();
+    var path25 = __require("path");
+    var fs17 = require_graceful_fs();
     var retry = require_retry2();
     var onExit = require_signal_exit();
     var mtimePrecision = require_mtime_precision();
@@ -1774,7 +1774,7 @@ var require_lockfile = __commonJS({
     }
     function resolveCanonicalPath(file, options, callback) {
       if (!options.realpath) {
-        return callback(null, path28.resolve(file));
+        return callback(null, path25.resolve(file));
       }
       options.fs.realpath(file, callback);
     }
@@ -1895,7 +1895,7 @@ var require_lockfile = __commonJS({
         update: null,
         realpath: true,
         retries: 0,
-        fs: fs21,
+        fs: fs17,
         onCompromised: (err) => {
           throw err;
         },
@@ -1939,7 +1939,7 @@ var require_lockfile = __commonJS({
     }
     function unlock(file, options, callback) {
       options = {
-        fs: fs21,
+        fs: fs17,
         realpath: true,
         ...options
       };
@@ -1961,7 +1961,7 @@ var require_lockfile = __commonJS({
       options = {
         stale: 1e4,
         realpath: true,
-        fs: fs21,
+        fs: fs17,
         ...options
       };
       options.stale = Math.max(options.stale || 0, 2e3);
@@ -2000,16 +2000,16 @@ var require_lockfile = __commonJS({
 var require_adapter = __commonJS({
   "../../node_modules/proper-lockfile/lib/adapter.js"(exports, module) {
     "use strict";
-    var fs21 = require_graceful_fs();
-    function createSyncFs(fs22) {
+    var fs17 = require_graceful_fs();
+    function createSyncFs(fs18) {
       const methods = ["mkdir", "realpath", "stat", "rmdir", "utimes"];
-      const newFs = { ...fs22 };
+      const newFs = { ...fs18 };
       methods.forEach((method) => {
         newFs[method] = (...args) => {
           const callback = args.pop();
           let ret;
           try {
-            ret = fs22[`${method}Sync`](...args);
+            ret = fs18[`${method}Sync`](...args);
           } catch (err) {
             return callback(err);
           }
@@ -2047,7 +2047,7 @@ var require_adapter = __commonJS({
     }
     function toSyncOptions(options) {
       options = { ...options };
-      options.fs = createSyncFs(options.fs || fs21);
+      options.fs = createSyncFs(options.fs || fs17);
       if (typeof options.retries === "number" && options.retries > 0 || options.retries && typeof options.retries.retries === "number" && options.retries.retries > 0) {
         throw Object.assign(new Error("Cannot use retries with the sync api"), { code: "ESYNC" });
       }
@@ -2247,15 +2247,14 @@ function keyPreview(key) {
 
 // src/manifest/parser.ts
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
-var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp", "cloud"];
+var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp"];
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
   "namespaces",
   "sops",
   "file_pattern",
-  "service_identities",
-  "cloud"
+  "service_identities"
 ];
 var ENV_NAME_PATTERN = /^[a-z][a-z0-9_-]*$/;
 var FILE_PATTERN_REQUIRED_TOKENS = ["{namespace}", "{environment}"];
@@ -2639,6 +2638,12 @@ var ManifestParser = class {
             "service_identities"
           );
         }
+        if (siObj.pack_only !== void 0 && typeof siObj.pack_only !== "boolean") {
+          throw new ManifestValidationError(
+            `Service identity '${siName}' has a non-boolean 'pack_only' field.`,
+            "service_identities"
+          );
+        }
         if (!Array.isArray(siObj.namespaces) || siObj.namespaces.length === 0) {
           throw new ManifestValidationError(
             `Service identity '${siName}' must have a non-empty 'namespaces' array.`,
@@ -2744,7 +2749,8 @@ var ManifestParser = class {
           name: siName,
           description: siObj.description ?? "",
           namespaces: siObj.namespaces,
-          environments: parsedEnvs
+          environments: parsedEnvs,
+          ...siObj.pack_only === true ? { pack_only: true } : {}
         };
       });
       const siNames = /* @__PURE__ */ new Set();
@@ -2758,47 +2764,13 @@ var ManifestParser = class {
         siNames.add(si.name);
       }
     }
-    let cloud;
-    if (obj.cloud !== void 0) {
-      if (typeof obj.cloud !== "object" || obj.cloud === null || Array.isArray(obj.cloud)) {
-        throw new ManifestValidationError("Field 'cloud' must be an object.", "cloud");
-      }
-      const cloudObj = obj.cloud;
-      if (typeof cloudObj.integrationId !== "string" || cloudObj.integrationId.length === 0) {
-        throw new ManifestValidationError(
-          "Field 'cloud.integrationId' is required and must be a non-empty string.",
-          "cloud"
-        );
-      }
-      if (typeof cloudObj.keyId !== "string" || cloudObj.keyId.length === 0) {
-        throw new ManifestValidationError(
-          "Field 'cloud.keyId' is required and must be a non-empty string.",
-          "cloud"
-        );
-      }
-      if (!/^clef:[a-zA-Z0-9_]+\/[a-zA-Z0-9_-]+$/.test(cloudObj.keyId)) {
-        throw new ManifestValidationError(
-          `Field 'cloud.keyId' has invalid format '${cloudObj.keyId}'. Must match: clef:<integrationId>/<keyAlias>`,
-          "cloud"
-        );
-      }
-      cloud = { integrationId: cloudObj.integrationId, keyId: cloudObj.keyId };
-    }
-    const usesCloudBackend = sopsConfig.default_backend === "cloud" || environments.some((e) => e.sops?.backend === "cloud");
-    if (usesCloudBackend && !cloud) {
-      throw new ManifestValidationError(
-        "One or more environments use the 'cloud' backend but the manifest is missing the top-level 'cloud' block with 'integrationId' and 'keyId'.",
-        "cloud"
-      );
-    }
     return {
       version: 1,
       environments,
       namespaces,
       sops: sopsConfig,
       file_pattern: obj.file_pattern,
-      ...serviceIdentities ? { service_identities: serviceIdentities } : {},
-      ...cloud ? { cloud } : {}
+      ...serviceIdentities ? { service_identities: serviceIdentities } : {}
     };
   }
   /**
@@ -3740,6 +3712,11 @@ var PRE_COMMIT_HOOK = `#!/bin/sh
 # and scans staged files for plaintext secrets.
 # Installed by: clef hooks install
 
+# Skip during TransactionManager commits (policy scaffolding, migrations, etc.)
+if [ "$CLEF_IN_TRANSACTION" = "1" ]; then
+  exit 0
+fi
+
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 EXIT_CODE=0
 
@@ -4096,12 +4073,10 @@ ${mergeRule}
 ` : `# Clef: SOPS-aware merge driver for encrypted files
 ${mergeRule}
 `;
-    const writeResult = await this.runner.run("tee", [attrPath], {
-      stdin: newContent,
-      cwd: repoRoot
-    });
-    if (writeResult.exitCode !== 0) {
-      throw new GitOperationError(`Failed to write .gitattributes: ${writeResult.stderr.trim()}`);
+    try {
+      fs9.writeFileSync(attrPath, newContent, "utf-8");
+    } catch (err) {
+      throw new GitOperationError(`Failed to write .gitattributes: ${err.message}`);
     }
   }
   /**
@@ -4113,22 +4088,18 @@ ${mergeRule}
    */
   async installPreCommitHook(repoRoot) {
     const hookPath = path8.join(repoRoot, ".git", "hooks", "pre-commit");
-    const result = await this.runner.run("tee", [hookPath], {
-      stdin: PRE_COMMIT_HOOK,
-      cwd: repoRoot
-    });
-    if (result.exitCode !== 0) {
+    try {
+      const hooksDir = path8.dirname(hookPath);
+      if (!fs9.existsSync(hooksDir)) {
+        fs9.mkdirSync(hooksDir, { recursive: true });
+      }
+      fs9.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
+    } catch (err) {
       throw new GitOperationError(
-        `Failed to install pre-commit hook: ${result.stderr.trim()}`,
+        `Failed to install pre-commit hook: ${err.message}`,
         "Ensure .git/hooks/ directory exists."
       );
     }
-    const chmodResult = await this.runner.run("chmod", ["+x", hookPath], { cwd: repoRoot });
-    if (chmodResult.exitCode !== 0) {
-      throw new GitOperationError(
-        `Failed to make pre-commit hook executable: ${chmodResult.stderr.trim()}`
-      );
-    }
   }
 };
 
@@ -4513,13 +4484,6 @@ function openWindowsInputPipe(content) {
     });
   });
 }
-function cloudKeyToArn(keyId) {
-  const body = keyId.replace(/^clef:/, "");
-  const sep = body.indexOf("/");
-  const integration = sep >= 0 ? body.slice(0, sep) : body;
-  const env = sep >= 0 ? body.slice(sep + 1) : "default";
-  return `arn:aws:kms:us-east-1:000000000000:alias/clef/${integration}/${env}`;
-}
 var SopsClient = class {
   /**
    * @param runner - Subprocess runner used to invoke the `sops` binary.
@@ -4529,18 +4493,14 @@ var SopsClient = class {
    *   to the subprocess environment.
    * @param sopsPath - Optional explicit path to the sops binary. When omitted,
    *   resolved automatically via {@link resolveSopsPath}.
-   * @param keyserviceAddr - Optional keyservice address (e.g. `tcp://127.0.0.1:12345`).
-   *   When set, all SOPS invocations include `--enable-local-keyservice=false --keyservice <addr>`.
    */
-  constructor(runner, ageKeyFile, ageKey, sopsPath, keyserviceAddr) {
+  constructor(runner, ageKeyFile, ageKey, sopsPath) {
     this.runner = runner;
     this.ageKeyFile = ageKeyFile;
     this.ageKey = ageKey;
     this.sopsCommand = sopsPath ?? resolveSopsPath().path;
-    this.keyserviceArgs = keyserviceAddr ? ["--enable-local-keyservice=false", "--keyservice", keyserviceAddr] : [];
   }
   sopsCommand;
-  keyserviceArgs;
   buildSopsEnv() {
     const env = {};
     if (this.ageKey) {
@@ -4565,7 +4525,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      ["decrypt", ...this.keyserviceArgs, "--output-type", fmt, filePath],
+      ["decrypt", "--output-type", fmt, filePath],
       {
         ...env ? { env } : {}
       }
@@ -4632,7 +4592,6 @@ var SopsClient = class {
           "--config",
           configPath,
           "encrypt",
-          ...this.keyserviceArgs,
           ...args,
           "--input-type",
           fmt,
@@ -4689,7 +4648,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      ["rotate", ...this.keyserviceArgs, "-i", "--add-age", key, filePath],
+      ["rotate", "-i", "--add-age", key, filePath],
       {
         ...env ? { env } : {}
       }
@@ -4713,7 +4672,7 @@ var SopsClient = class {
     const env = this.buildSopsEnv();
     const result = await this.runner.run(
       this.sopsCommand,
-      ["rotate", ...this.keyserviceArgs, "-i", "--rm-age", key, filePath],
+      ["rotate", "-i", "--rm-age", key, filePath],
       {
         ...env ? { env } : {}
       }
@@ -4825,13 +4784,7 @@ var SopsClient = class {
   }
   detectBackend(sops) {
     if (sops.age && Array.isArray(sops.age) && sops.age.length > 0) return "age";
-    if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) {
-      const firstArn = sops.kms[0]?.arn;
-      if (typeof firstArn === "string" && (firstArn.startsWith("clef:") || firstArn.includes("alias/clef/"))) {
-        return "cloud";
-      }
-      return "awskms";
-    }
+    if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) return "awskms";
     if (sops.gcp_kms && Array.isArray(sops.gcp_kms) && sops.gcp_kms.length > 0)
       return "gcpkms";
     if (sops.azure_kv && Array.isArray(sops.azure_kv) && sops.azure_kv.length > 0)
@@ -4845,7 +4798,6 @@ var SopsClient = class {
         const entries = sops.age;
         return entries?.map((e) => String(e.recipient ?? "")) ?? [];
       }
-      case "cloud":
       case "awskms": {
         const entries = sops.kms;
         return entries?.map((e) => String(e.arn ?? "")) ?? [];
@@ -4907,13 +4859,6 @@ var SopsClient = class {
           args.push("--pgp", config.pgp_fingerprint);
         }
         break;
-      case "cloud": {
-        const cloudKeyId = manifest.cloud?.keyId;
-        if (cloudKeyId) {
-          args.push("--kms", cloudKeyToArn(cloudKeyId));
-        }
-        break;
-      }
     }
     return args;
   }
@@ -5151,6 +5096,18 @@ var LintRunner = class {
           });
         }
       }
+      if (si.pack_only) {
+        const ageRecipients = Object.values(si.environments).filter((cfg) => !isKmsEnvelope(cfg) && cfg.recipient).map((cfg) => cfg.recipient);
+        if (ageRecipients.length >= 2 && new Set(ageRecipients).size === 1) {
+          issues.push({
+            severity: "warning",
+            category: "service-identity",
+            file: "clef.yaml",
+            message: `Runtime identity '${si.name}' uses a shared recipient across all environments. A compromised key in any environment decrypts artifacts for all environments. Consider per-environment keys for runtime workloads.`
+          });
+        }
+        continue;
+      }
       for (const cell of existingCells) {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;
@@ -6510,12 +6467,10 @@ var ServiceIdentityManager = class {
    * Create a new service identity with per-environment age key pairs or KMS envelope config.
    * For age-only: generates keys, updates the manifest, and registers public keys as SOPS recipients.
    * For KMS: stores KMS config in manifest, no age keys generated.
-   *
-   * @param kmsEnvConfigs - Optional per-environment KMS config. When provided, those envs use
-   *   KMS envelope encryption instead of generating age keys.
-   * @returns The created identity definition and the per-environment private keys (empty for KMS envs).
+   * For pack-only (runtime) identities: keys are generated but NOT registered on SOPS files.
    */
-  async create(name, namespaces, description, manifest, repoRoot, kmsEnvConfigs) {
+  async create(name, namespaces, description, manifest, repoRoot, options) {
+    const { kmsEnvConfigs, sharedRecipient, packOnly } = options ?? {};
     if (manifest.service_identities?.some((si) => si.name === name)) {
       throw new Error(`Service identity '${name}' already exists.`);
     }
@@ -6527,23 +6482,25 @@ var ServiceIdentityManager = class {
     }
     const environments = {};
     const privateKeys = {};
+    const sharedKey = sharedRecipient ? await generateAgeIdentity() : void 0;
     for (const env of manifest.environments) {
       const kmsConfig = kmsEnvConfigs?.[env.name];
       if (kmsConfig) {
         environments[env.name] = { kms: kmsConfig };
       } else {
-        const identity = await generateAgeIdentity();
-        environments[env.name] = { recipient: identity.publicKey };
-        privateKeys[env.name] = identity.privateKey;
+        const ageIdentity = sharedKey ?? await generateAgeIdentity();
+        environments[env.name] = { recipient: ageIdentity.publicKey };
+        privateKeys[env.name] = ageIdentity.privateKey;
       }
     }
     const definition = {
       name,
       description,
       namespaces,
-      environments
+      environments,
+      ...packOnly ? { pack_only: true } : {}
     };
-    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && namespaces.includes(c.namespace));
+    const cells = packOnly ? [] : this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && namespaces.includes(c.namespace));
     await this.tx.run(repoRoot, {
       description: `clef service create ${name}`,
       paths: this.txPaths(repoRoot, cells),
@@ -6557,12 +6514,13 @@ var ServiceIdentityManager = class {
           name,
           description,
           namespaces,
-          environments
+          environments,
+          ...packOnly ? { pack_only: true } : {}
         });
         writeManifestYaml(repoRoot, doc);
       }
     });
-    return { identity: definition, privateKeys };
+    return { identity: definition, privateKeys, sharedRecipient: sharedKey !== void 0 };
   }
   /**
    * List all service identities from the manifest.
@@ -6585,7 +6543,7 @@ var ServiceIdentityManager = class {
     if (!identity) {
       throw new Error(`Service identity '${name}' not found.`);
     }
-    const scopedCells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && identity.namespaces.includes(c.namespace));
+    const scopedCells = identity.pack_only ? [] : this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && identity.namespaces.includes(c.namespace));
     await this.tx.run(repoRoot, {
       description: `clef service delete ${name}`,
       paths: this.txPaths(repoRoot, scopedCells),
@@ -6641,7 +6599,7 @@ var ServiceIdentityManager = class {
         const envs = siDoc.environments;
         for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
           const oldConfig = identity.environments[envName];
-          if (oldConfig?.recipient && !isKmsEnvelope(oldConfig)) {
+          if (!identity.pack_only && oldConfig?.recipient && !isKmsEnvelope(oldConfig)) {
             const scopedCells = cells.filter((c) => c.environment === envName);
             for (const cell of scopedCells) {
               try {
@@ -6660,8 +6618,10 @@ var ServiceIdentityManager = class {
   }
   /**
    * Register a service identity's public keys as SOPS recipients on scoped matrix files.
+   * Pack-only (runtime) identities skip registration entirely.
    */
   async registerRecipients(identity, manifest, repoRoot) {
+    if (identity.pack_only) return;
     const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
     for (const cell of cells) {
       if (!identity.namespaces.includes(cell.namespace)) continue;
@@ -6711,18 +6671,20 @@ var ServiceIdentityManager = class {
       description: `clef service update ${name}: add namespaces ${toAdd.join(",")}`,
       paths: this.txPaths(repoRoot, cells),
       mutate: async () => {
-        for (const cell of cells) {
-          const envConfig = identity.environments[cell.environment];
-          if (!envConfig) continue;
-          if (isKmsEnvelope(envConfig)) continue;
-          if (!envConfig.recipient) continue;
-          try {
-            await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
-            affectedFiles.push(cell.filePath);
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            if (!message.includes("already")) {
-              throw err;
+        if (!identity.pack_only) {
+          for (const cell of cells) {
+            const envConfig = identity.environments[cell.environment];
+            if (!envConfig) continue;
+            if (isKmsEnvelope(envConfig)) continue;
+            if (!envConfig.recipient) continue;
+            try {
+              await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
+              affectedFiles.push(cell.filePath);
+            } catch (err) {
+              const message = err instanceof Error ? err.message : String(err);
+              if (!message.includes("already")) {
+                throw err;
+              }
             }
           }
         }
@@ -6770,15 +6732,17 @@ var ServiceIdentityManager = class {
       description: `clef service update ${name}: remove namespaces ${namespacesToRemove.join(",")}`,
       paths: this.txPaths(repoRoot, cells),
       mutate: async () => {
-        for (const cell of cells) {
-          const envConfig = identity.environments[cell.environment];
-          if (!envConfig) continue;
-          if (isKmsEnvelope(envConfig)) continue;
-          if (!envConfig.recipient) continue;
-          try {
-            await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
-            affectedFiles.push(cell.filePath);
-          } catch {
+        if (!identity.pack_only) {
+          for (const cell of cells) {
+            const envConfig = identity.environments[cell.environment];
+            if (!envConfig) continue;
+            if (isKmsEnvelope(envConfig)) continue;
+            if (!envConfig.recipient) continue;
+            try {
+              await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+              affectedFiles.push(cell.filePath);
+            } catch {
+            }
           }
         }
         const doc = readManifestYaml(repoRoot);
@@ -6841,7 +6805,7 @@ var ServiceIdentityManager = class {
       description: `clef service add-env ${name} ${envName}`,
       paths: this.txPaths(repoRoot, cells),
       mutate: async () => {
-        if (!isKmsEnvelope(envConfig) && envConfig.recipient) {
+        if (!identity.pack_only && !isKmsEnvelope(envConfig) && envConfig.recipient) {
           for (const cell of cells) {
             try {
               await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
@@ -6900,7 +6864,7 @@ var ServiceIdentityManager = class {
     if (targetEnvNames.size === 0) {
       return newPrivateKeys;
     }
-    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter(
+    const cells = identity.pack_only ? [] : this.matrixManager.resolveMatrix(manifest, repoRoot).filter(
       (c) => c.exists && identity.namespaces.includes(c.namespace) && targetEnvNames.has(c.environment)
     );
     await this.tx.run(repoRoot, {
@@ -6917,13 +6881,15 @@ var ServiceIdentityManager = class {
           const oldRecipient = identity.environments[envName].recipient;
           const newPublicKey = newPublicKeys[envName];
           envs[envName] = { recipient: newPublicKey };
-          const scopedCells = cells.filter((c) => c.environment === envName);
-          for (const cell of scopedCells) {
-            try {
-              await this.encryption.removeRecipient(cell.filePath, oldRecipient);
-            } catch {
+          if (!identity.pack_only) {
+            const scopedCells = cells.filter((c) => c.environment === envName);
+            for (const cell of scopedCells) {
+              try {
+                await this.encryption.removeRecipient(cell.filePath, oldRecipient);
+              } catch {
+              }
+              await this.encryption.addRecipient(cell.filePath, newPublicKey);
             }
-            await this.encryption.addRecipient(cell.filePath, newPublicKey);
           }
         }
         writeManifestYaml(repoRoot, doc);
@@ -6963,6 +6929,17 @@ var ServiceIdentityManager = class {
           });
         }
       }
+      if (si.pack_only) {
+        const ageRecipients = Object.values(si.environments).filter((cfg) => !isKmsEnvelope(cfg) && cfg.recipient).map((cfg) => cfg.recipient);
+        if (ageRecipients.length >= 2 && new Set(ageRecipients).size === 1) {
+          issues.push({
+            identity: si.name,
+            type: "runtime_shared_recipient",
+            message: `Runtime identity '${si.name}' uses a shared recipient across all environments. A compromised key in any environment decrypts artifacts for all environments. Consider per-environment keys for runtime workloads.`
+          });
+        }
+        continue;
+      }
       for (const cell of cells) {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;
@@ -7809,12 +7786,7 @@ var ArtifactPacker = class {
 };
 
 // src/kms/types.ts
-var VALID_KMS_PROVIDERS = [
-  "aws",
-  "gcp",
-  "azure",
-  "cloud"
-];
+var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
 
 // src/migration/backend.ts
 import * as path22 from "path";
@@ -7824,8 +7796,7 @@ var BACKEND_KEY_FIELDS = {
   awskms: "aws_kms_arn",
   gcpkms: "gcp_kms_resource_id",
   azurekv: "azure_kv_url",
-  pgp: "pgp_fingerprint",
-  cloud: void 0
+  pgp: "pgp_fingerprint"
 };
 var ALL_KEY_FIELDS = Object.values(BACKEND_KEY_FIELDS).filter(
   (v) => v !== void 0
@@ -8020,18 +7991,6 @@ var BackendMigrator = class {
         sops[keyField] = target.key;
       }
     }
-    if (doc.cloud && target.backend !== "cloud") {
-      const sops = doc.sops;
-      const environments = doc.environments;
-      const defaultIsCloud = sops.default_backend === "cloud";
-      const anyEnvIsCloud = environments.some((e) => {
-        const envSops = e.sops;
-        return envSops?.backend === "cloud";
-      });
-      if (!defaultIsCloud && !anyEnvIsCloud) {
-        delete doc.cloud;
-      }
-    }
   }
   checkAgeRecipientsWarning(manifest, target, environment, warnings) {
     if (target.backend === "age") return;
@@ -8240,281 +8199,111 @@ function withBackendOverride(manifest, envNames, backend, key) {
   };
 }
 
-// src/cloud/keyservice.ts
-import { spawn } from "child_process";
-import * as readline from "readline";
-var PORT_REGEX = /^PORT=(\d+)$/;
-var STARTUP_TIMEOUT_MS = 5e3;
-var SHUTDOWN_TIMEOUT_MS = 3e3;
-async function spawnKeyservice(options) {
-  const args = ["--addr", "127.0.0.1:0"];
-  if (options.endpoint) {
-    args.push("--endpoint", options.endpoint);
-  }
-  const child = spawn(options.binaryPath, args, {
-    stdio: ["ignore", "pipe", "pipe"],
-    env: { ...process.env, CLEF_CLOUD_TOKEN: options.token }
-  });
-  const port = await readPort(child);
-  const addr = `tcp://127.0.0.1:${port}`;
-  return {
-    addr,
-    kill: () => killGracefully(child)
-  };
-}
-function readPort(child) {
-  return new Promise((resolve, reject) => {
-    let settled = false;
-    const rl = readline.createInterface({ input: child.stdout });
-    function settle() {
-      clearTimeout(timer);
-      rl.close();
-    }
-    const timer = setTimeout(() => {
-      if (!settled) {
-        settled = true;
-        settle();
-        child.kill("SIGKILL");
-        reject(new Error("Keyservice did not start within 5 seconds."));
-      }
-    }, STARTUP_TIMEOUT_MS);
-    rl.on("line", (line) => {
-      const match = PORT_REGEX.exec(line);
-      if (match && !settled) {
-        settled = true;
-        settle();
-        resolve(parseInt(match[1], 10));
+// src/sync/manager.ts
+import * as path24 from "path";
+var SyncManager = class {
+  constructor(matrixManager, encryption, tx) {
+    this.matrixManager = matrixManager;
+    this.encryption = encryption;
+    this.tx = tx;
+  }
+  /**
+   * Compute what sync would do without mutating anything.
+   */
+  async plan(manifest, repoRoot, opts) {
+    if (opts.namespace) {
+      const exists = manifest.namespaces.some((n) => n.name === opts.namespace);
+      if (!exists) {
+        throw new Error(`Namespace '${opts.namespace}' not found in manifest.`);
       }
-    });
-    child.on("error", (err) => {
-      if (!settled) {
-        settled = true;
-        settle();
-        reject(new Error(`Failed to start keyservice: ${err.message}`));
+    }
+    const allCells = this.matrixManager.resolveMatrix(manifest, repoRoot);
+    const existingCells = allCells.filter((c) => c.exists);
+    const targetCells = opts.namespace ? existingCells.filter((c) => c.namespace === opts.namespace) : existingCells;
+    const keysByNsEnv = {};
+    for (const cell of targetCells) {
+      const keys = readSopsKeyNames(cell.filePath);
+      if (!keys) continue;
+      if (!keysByNsEnv[cell.namespace]) keysByNsEnv[cell.namespace] = {};
+      keysByNsEnv[cell.namespace][cell.environment] = new Set(keys);
+    }
+    const cells = [];
+    let totalKeys = 0;
+    let hasProtectedEnvs = false;
+    for (const [nsName, envKeys] of Object.entries(keysByNsEnv)) {
+      const allKeys = /* @__PURE__ */ new Set();
+      for (const keys of Object.values(envKeys)) {
+        for (const k of keys) allKeys.add(k);
       }
-    });
-    child.on("exit", (code) => {
-      if (!settled) {
-        settled = true;
-        settle();
-        reject(new Error(`Keyservice exited unexpectedly with code ${code}.`));
+      for (const cell of targetCells) {
+        if (cell.namespace !== nsName) continue;
+        const cellKeys = envKeys[cell.environment];
+        if (!cellKeys) continue;
+        const missing = [...allKeys].filter((k) => !cellKeys.has(k));
+        if (missing.length === 0) continue;
+        const isProtected = this.matrixManager.isProtectedEnvironment(manifest, cell.environment);
+        if (isProtected) hasProtectedEnvs = true;
+        cells.push({
+          namespace: cell.namespace,
+          environment: cell.environment,
+          filePath: cell.filePath,
+          missingKeys: missing.sort(),
+          isProtected
+        });
+        totalKeys += missing.length;
       }
-    });
-  });
-}
-function killGracefully(child) {
-  return new Promise((resolve) => {
-    if (child.exitCode !== null) {
-      resolve();
-      return;
-    }
-    const timer = setTimeout(() => {
-      child.kill("SIGKILL");
-    }, SHUTDOWN_TIMEOUT_MS);
-    child.on("exit", () => {
-      clearTimeout(timer);
-      resolve();
-    });
-    child.kill("SIGTERM");
-  });
-}
-
-// src/cloud/resolver.ts
-import * as fs18 from "fs";
-import * as path25 from "path";
-
-// src/cloud/bundled.ts
-import * as fs17 from "fs";
-import * as path24 from "path";
-function tryBundledKeyservice() {
-  const platform = process.platform;
-  const arch = process.arch;
-  const archName = arch === "x64" ? "x64" : arch === "arm64" ? "arm64" : null;
-  if (!archName) return null;
-  const platformName = platform === "darwin" ? "darwin" : platform === "linux" ? "linux" : platform === "win32" ? "win32" : null;
-  if (!platformName) return null;
-  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;
-  const binName = platform === "win32" ? "clef-keyservice.exe" : "clef-keyservice";
-  try {
-    const packageMain = __require.resolve(`${packageName}/package.json`);
-    const packageDir = path24.dirname(packageMain);
-    const binPath = path24.join(packageDir, "bin", binName);
-    return fs17.existsSync(binPath) ? binPath : null;
-  } catch {
-    return null;
-  }
-}
-
-// src/cloud/resolver.ts
-function validateKeyservicePath(candidate) {
-  if (!path25.isAbsolute(candidate)) {
-    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
-  }
-  const segments = candidate.split(/[/\\]/);
-  if (segments.includes("..")) {
-    throw new Error(
-      `CLEF_KEYSERVICE_PATH contains '..' path segments ('${candidate}'). Use an absolute path without directory traversal.`
-    );
-  }
-}
-var cached2;
-function resolveKeyservicePath() {
-  if (cached2) return cached2;
-  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
-  if (envPath) {
-    validateKeyservicePath(envPath);
-    if (!fs18.existsSync(envPath)) {
-      throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
     }
-    cached2 = { path: envPath, source: "env" };
-    return cached2;
-  }
-  const bundledPath = tryBundledKeyservice();
-  if (bundledPath) {
-    cached2 = { path: bundledPath, source: "bundled" };
-    return cached2;
-  }
-  cached2 = { path: "clef-keyservice", source: "system" };
-  return cached2;
-}
-function resetKeyserviceResolution() {
-  cached2 = void 0;
-}
-
-// src/cloud/credentials.ts
-import * as fs19 from "fs";
-import * as path26 from "path";
-import * as os from "os";
-import * as YAML11 from "yaml";
-
-// src/cloud/constants.ts
-var CLOUD_DEFAULT_ENDPOINT = "https://api.clef.sh";
-
-// src/cloud/credentials.ts
-var CREDENTIALS_FILENAME = "credentials.yaml";
-function readCloudCredentials() {
-  const credPath = path26.join(os.homedir(), ".clef", CREDENTIALS_FILENAME);
-  let raw;
-  try {
-    raw = YAML11.parse(fs19.readFileSync(credPath, "utf-8"));
-  } catch {
-    return null;
+    return { cells, totalKeys, hasProtectedEnvs };
   }
-  if (!raw || typeof raw !== "object") return null;
-  const obj = raw;
-  const token = typeof obj.token === "string" && obj.token.length > 0 ? obj.token : "";
-  const endpoint = typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;
-  if (!token && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;
-  return { token, endpoint };
-}
-function writeCloudCredentials(credentials) {
-  const clefDir = path26.join(os.homedir(), ".clef");
-  fs19.mkdirSync(clefDir, { recursive: true, mode: 448 });
-  const credPath = path26.join(clefDir, CREDENTIALS_FILENAME);
-  const content = { token: credentials.token };
-  if (credentials.endpoint) {
-    content.endpoint = credentials.endpoint;
-  }
-  fs19.writeFileSync(credPath, YAML11.stringify(content), { mode: 384 });
-}
-
-// src/cloud/device-flow.ts
-async function initiateDeviceFlow(endpoint, options) {
-  const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
-  const payload = {
-    clientType: "cli",
-    clientVersion: options.clientVersion,
-    repoName: options.repoName,
-    flow: options.flow
-  };
-  if (options.environment) {
-    payload.environment = options.environment;
-  }
-  const res = await fetch(`${base}/api/v1/device/init`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(payload)
-  });
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`Device flow init failed (${res.status}): ${body}`);
-  }
-  const json = await res.json();
-  const session = json.data ?? json;
-  if (session.pollUrl && !session.pollUrl.startsWith("http")) {
-    session.pollUrl = `${base}${session.pollUrl}`;
-  }
-  return session;
-}
-async function pollDeviceFlow(pollUrl) {
-  const res = await fetch(pollUrl);
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`Device flow poll failed (${res.status}): ${body}`);
-  }
-  const json = await res.json();
-  return json.data ?? json;
-}
-
-// src/cloud/pack-client.ts
-import * as fs20 from "fs";
-import * as path27 from "path";
-var CloudPackClient = class {
-  endpoint;
-  constructor(endpoint) {
-    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
-  }
-  async pack(token, config) {
-    const matrixManager = new MatrixManager();
-    const cells = matrixManager.resolveMatrix(config.manifest, config.repoRoot).filter((c) => c.environment === config.environment && c.exists);
-    const formData = new FormData();
-    const configJson = JSON.stringify({
-      identity: config.identity,
-      environment: config.environment,
-      ...config.ttl ? { ttl: config.ttl } : {}
-    });
-    formData.append("config", new Blob([configJson], { type: "application/json" }));
-    const manifestPath = path27.join(config.repoRoot, "clef.yaml");
-    const manifestContent = fs20.readFileSync(manifestPath, "utf-8");
-    formData.append("manifest", new Blob([manifestContent], { type: "text/yaml" }));
-    for (const cell of cells) {
-      const relPath = path27.relative(config.repoRoot, cell.filePath);
-      const content = fs20.readFileSync(cell.filePath, "utf-8");
-      formData.append(`files`, new Blob([content], { type: "text/yaml" }), relPath);
-    }
-    const res = await fetch(`${this.endpoint}/api/v1/cloud/pack`, {
-      method: "POST",
-      headers: { Authorization: `Bearer ${token}` },
-      body: formData
-    });
-    if (!res.ok) {
-      const body = await res.text().catch(() => "");
-      throw new Error(`Cloud pack failed (${res.status}): ${body}`);
+  /**
+   * Execute the sync: scaffold missing keys with random pending values.
+   *
+   * Returns immediately (no-op) when the plan has nothing to do.
+   * When `dryRun` is set, returns a result with zero modifications —
+   * the caller can inspect the plan via {@link plan} separately.
+   */
+  async sync(manifest, repoRoot, opts = {}) {
+    const syncPlan = await this.plan(manifest, repoRoot, opts);
+    if (opts.dryRun || syncPlan.totalKeys === 0) {
+      return { modifiedCells: [], scaffoldedKeys: {}, totalKeysScaffolded: 0 };
     }
-    return await res.json();
-  }
-};
-var CloudArtifactClient = class {
-  endpoint;
-  constructor(endpoint) {
-    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
-  }
-  async upload(token, config) {
-    const res = await fetch(
-      `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,
-      {
-        method: "PUT",
-        headers: {
-          Authorization: `Bearer ${token}`,
-          "Content-Type": "application/json"
-        },
-        body: config.artifactJson
+    const txPaths = [];
+    for (const cell of syncPlan.cells) {
+      const rel = path24.relative(repoRoot, cell.filePath);
+      txPaths.push(rel);
+      txPaths.push(rel.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"));
+    }
+    const modifiedCells = [];
+    const scaffoldedKeys = {};
+    const nsLabel = opts.namespace ?? "all";
+    const envCount = new Set(syncPlan.cells.map((c) => c.environment)).size;
+    await this.tx.run(repoRoot, {
+      description: `clef sync ${nsLabel}: ${syncPlan.totalKeys} key(s) across ${envCount} environment(s)`,
+      paths: txPaths,
+      mutate: async () => {
+        for (const cell of syncPlan.cells) {
+          const decrypted = await this.encryption.decrypt(cell.filePath);
+          for (const key of cell.missingKeys) {
+            decrypted.values[key] = generateRandomValue();
+          }
+          await this.encryption.encrypt(
+            cell.filePath,
+            decrypted.values,
+            manifest,
+            cell.environment
+          );
+          await markPendingWithRetry(cell.filePath, cell.missingKeys, "clef sync");
+          const cellLabel = `${cell.namespace}/${cell.environment}`;
+          modifiedCells.push(cellLabel);
+          scaffoldedKeys[cellLabel] = cell.missingKeys;
+        }
       }
-    );
-    if (!res.ok) {
-      const body = await res.text().catch(() => "");
-      throw new Error(`Artifact upload failed (${res.status}): ${body}`);
-    }
+    });
+    return {
+      modifiedCells,
+      scaffoldedKeys,
+      totalKeysScaffolded: syncPlan.totalKeys
+    };
   }
 };
 export {
@@ -8526,9 +8315,7 @@ export {
   CLEF_SUPPORTED_EXTENSIONS,
   ClefError,
   CloudApiError,
-  CloudArtifactClient,
   CloudClient,
-  CloudPackClient,
   ConsumptionClient,
   DiffEngine,
   DriftDetector,
@@ -8560,6 +8347,7 @@ export {
   SopsMissingError,
   SopsVersionError,
   StructureManager,
+  SyncManager,
   TransactionLockError,
   TransactionManager,
   TransactionPreflightError,
@@ -8580,7 +8368,6 @@ export {
   generateRandomValue,
   generateSigningKeyPair,
   getPendingKeys,
-  initiateDeviceFlow,
   isHighEntropy,
   isKmsEnvelope,
   isPending,
@@ -8598,17 +8385,13 @@ export {
   parseIgnoreContent,
   parseJson,
   parseYaml,
-  pollDeviceFlow,
-  readCloudCredentials,
   readManifestYaml,
   redactValue,
   removeRequest as removeAccessRequest,
   requestsFilePath,
-  resetKeyserviceResolution,
   resetSopsResolution,
   resolveBackendConfig,
   resolveIdentitySecrets,
-  resolveKeyservicePath,
   resolveRecipientsForEnvironment,
   resolveSopsPath,
   saveMetadata,
@@ -8618,12 +8401,10 @@ export {
   shouldIgnoreMatch,
   signEd25519,
   signKms,
-  spawnKeyservice,
   upsertRequest,
   validateAgePublicKey,
   validateResetScope,
   verifySignature,
-  writeCloudCredentials,
   writeManifestYaml,
   writeManifestYamlRaw
 };