@clef-sh/core 0.1.15 → 0.1.16

package/dist/index.mjs

@@ -2638,6 +2638,12 @@ var ManifestParser = class {
             "service_identities"
           );
         }
+        if (siObj.pack_only !== void 0 && typeof siObj.pack_only !== "boolean") {
+          throw new ManifestValidationError(
+            `Service identity '${siName}' has a non-boolean 'pack_only' field.`,
+            "service_identities"
+          );
+        }
         if (!Array.isArray(siObj.namespaces) || siObj.namespaces.length === 0) {
           throw new ManifestValidationError(
             `Service identity '${siName}' must have a non-empty 'namespaces' array.`,
@@ -2743,7 +2749,8 @@ var ManifestParser = class {
           name: siName,
           description: siObj.description ?? "",
           namespaces: siObj.namespaces,
-          environments: parsedEnvs
+          environments: parsedEnvs,
+          ...siObj.pack_only === true ? { pack_only: true } : {}
         };
       });
       const siNames = /* @__PURE__ */ new Set();
@@ -5089,6 +5096,18 @@ var LintRunner = class {
           });
         }
       }
+      if (si.pack_only) {
+        const ageRecipients = Object.values(si.environments).filter((cfg) => !isKmsEnvelope(cfg) && cfg.recipient).map((cfg) => cfg.recipient);
+        if (ageRecipients.length >= 2 && new Set(ageRecipients).size === 1) {
+          issues.push({
+            severity: "warning",
+            category: "service-identity",
+            file: "clef.yaml",
+            message: `Runtime identity '${si.name}' uses a shared recipient across all environments. A compromised key in any environment decrypts artifacts for all environments. Consider per-environment keys for runtime workloads.`
+          });
+        }
+        continue;
+      }
       for (const cell of existingCells) {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;
@@ -6448,12 +6467,10 @@ var ServiceIdentityManager = class {
    * Create a new service identity with per-environment age key pairs or KMS envelope config.
    * For age-only: generates keys, updates the manifest, and registers public keys as SOPS recipients.
    * For KMS: stores KMS config in manifest, no age keys generated.
-   *
-   * @param kmsEnvConfigs - Optional per-environment KMS config. When provided, those envs use
-   *   KMS envelope encryption instead of generating age keys.
-   * @returns The created identity definition and the per-environment private keys (empty for KMS envs).
+   * For pack-only (runtime) identities: keys are generated but NOT registered on SOPS files.
    */
-  async create(name, namespaces, description, manifest, repoRoot, kmsEnvConfigs) {
+  async create(name, namespaces, description, manifest, repoRoot, options) {
+    const { kmsEnvConfigs, sharedRecipient, packOnly } = options ?? {};
     if (manifest.service_identities?.some((si) => si.name === name)) {
       throw new Error(`Service identity '${name}' already exists.`);
     }
@@ -6465,23 +6482,25 @@ var ServiceIdentityManager = class {
     }
     const environments = {};
     const privateKeys = {};
+    const sharedKey = sharedRecipient ? await generateAgeIdentity() : void 0;
     for (const env of manifest.environments) {
       const kmsConfig = kmsEnvConfigs?.[env.name];
       if (kmsConfig) {
         environments[env.name] = { kms: kmsConfig };
       } else {
-        const identity = await generateAgeIdentity();
-        environments[env.name] = { recipient: identity.publicKey };
-        privateKeys[env.name] = identity.privateKey;
+        const ageIdentity = sharedKey ?? await generateAgeIdentity();
+        environments[env.name] = { recipient: ageIdentity.publicKey };
+        privateKeys[env.name] = ageIdentity.privateKey;
       }
     }
     const definition = {
       name,
       description,
       namespaces,
-      environments
+      environments,
+      ...packOnly ? { pack_only: true } : {}
     };
-    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && namespaces.includes(c.namespace));
+    const cells = packOnly ? [] : this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && namespaces.includes(c.namespace));
     await this.tx.run(repoRoot, {
       description: `clef service create ${name}`,
       paths: this.txPaths(repoRoot, cells),
@@ -6495,12 +6514,13 @@ var ServiceIdentityManager = class {
           name,
           description,
           namespaces,
-          environments
+          environments,
+          ...packOnly ? { pack_only: true } : {}
         });
         writeManifestYaml(repoRoot, doc);
       }
     });
-    return { identity: definition, privateKeys };
+    return { identity: definition, privateKeys, sharedRecipient: sharedKey !== void 0 };
   }
   /**
    * List all service identities from the manifest.
@@ -6523,7 +6543,7 @@ var ServiceIdentityManager = class {
     if (!identity) {
       throw new Error(`Service identity '${name}' not found.`);
     }
-    const scopedCells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && identity.namespaces.includes(c.namespace));
+    const scopedCells = identity.pack_only ? [] : this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && identity.namespaces.includes(c.namespace));
     await this.tx.run(repoRoot, {
       description: `clef service delete ${name}`,
       paths: this.txPaths(repoRoot, scopedCells),
@@ -6579,7 +6599,7 @@ var ServiceIdentityManager = class {
         const envs = siDoc.environments;
         for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
           const oldConfig = identity.environments[envName];
-          if (oldConfig?.recipient && !isKmsEnvelope(oldConfig)) {
+          if (!identity.pack_only && oldConfig?.recipient && !isKmsEnvelope(oldConfig)) {
             const scopedCells = cells.filter((c) => c.environment === envName);
             for (const cell of scopedCells) {
               try {
@@ -6598,8 +6618,10 @@ var ServiceIdentityManager = class {
   }
   /**
    * Register a service identity's public keys as SOPS recipients on scoped matrix files.
+   * Pack-only (runtime) identities skip registration entirely.
    */
   async registerRecipients(identity, manifest, repoRoot) {
+    if (identity.pack_only) return;
     const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
     for (const cell of cells) {
       if (!identity.namespaces.includes(cell.namespace)) continue;
@@ -6649,18 +6671,20 @@ var ServiceIdentityManager = class {
       description: `clef service update ${name}: add namespaces ${toAdd.join(",")}`,
       paths: this.txPaths(repoRoot, cells),
       mutate: async () => {
-        for (const cell of cells) {
-          const envConfig = identity.environments[cell.environment];
-          if (!envConfig) continue;
-          if (isKmsEnvelope(envConfig)) continue;
-          if (!envConfig.recipient) continue;
-          try {
-            await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
-            affectedFiles.push(cell.filePath);
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            if (!message.includes("already")) {
-              throw err;
+        if (!identity.pack_only) {
+          for (const cell of cells) {
+            const envConfig = identity.environments[cell.environment];
+            if (!envConfig) continue;
+            if (isKmsEnvelope(envConfig)) continue;
+            if (!envConfig.recipient) continue;
+            try {
+              await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
+              affectedFiles.push(cell.filePath);
+            } catch (err) {
+              const message = err instanceof Error ? err.message : String(err);
+              if (!message.includes("already")) {
+                throw err;
+              }
             }
           }
         }
@@ -6708,15 +6732,17 @@ var ServiceIdentityManager = class {
       description: `clef service update ${name}: remove namespaces ${namespacesToRemove.join(",")}`,
       paths: this.txPaths(repoRoot, cells),
       mutate: async () => {
-        for (const cell of cells) {
-          const envConfig = identity.environments[cell.environment];
-          if (!envConfig) continue;
-          if (isKmsEnvelope(envConfig)) continue;
-          if (!envConfig.recipient) continue;
-          try {
-            await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
-            affectedFiles.push(cell.filePath);
-          } catch {
+        if (!identity.pack_only) {
+          for (const cell of cells) {
+            const envConfig = identity.environments[cell.environment];
+            if (!envConfig) continue;
+            if (isKmsEnvelope(envConfig)) continue;
+            if (!envConfig.recipient) continue;
+            try {
+              await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+              affectedFiles.push(cell.filePath);
+            } catch {
+            }
           }
         }
         const doc = readManifestYaml(repoRoot);
@@ -6779,7 +6805,7 @@ var ServiceIdentityManager = class {
       description: `clef service add-env ${name} ${envName}`,
       paths: this.txPaths(repoRoot, cells),
       mutate: async () => {
-        if (!isKmsEnvelope(envConfig) && envConfig.recipient) {
+        if (!identity.pack_only && !isKmsEnvelope(envConfig) && envConfig.recipient) {
           for (const cell of cells) {
             try {
               await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
@@ -6838,7 +6864,7 @@ var ServiceIdentityManager = class {
     if (targetEnvNames.size === 0) {
       return newPrivateKeys;
     }
-    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter(
+    const cells = identity.pack_only ? [] : this.matrixManager.resolveMatrix(manifest, repoRoot).filter(
       (c) => c.exists && identity.namespaces.includes(c.namespace) && targetEnvNames.has(c.environment)
     );
     await this.tx.run(repoRoot, {
@@ -6855,13 +6881,15 @@ var ServiceIdentityManager = class {
           const oldRecipient = identity.environments[envName].recipient;
           const newPublicKey = newPublicKeys[envName];
           envs[envName] = { recipient: newPublicKey };
-          const scopedCells = cells.filter((c) => c.environment === envName);
-          for (const cell of scopedCells) {
-            try {
-              await this.encryption.removeRecipient(cell.filePath, oldRecipient);
-            } catch {
+          if (!identity.pack_only) {
+            const scopedCells = cells.filter((c) => c.environment === envName);
+            for (const cell of scopedCells) {
+              try {
+                await this.encryption.removeRecipient(cell.filePath, oldRecipient);
+              } catch {
+              }
+              await this.encryption.addRecipient(cell.filePath, newPublicKey);
             }
-            await this.encryption.addRecipient(cell.filePath, newPublicKey);
           }
         }
         writeManifestYaml(repoRoot, doc);
@@ -6901,6 +6929,17 @@ var ServiceIdentityManager = class {
           });
         }
       }
+      if (si.pack_only) {
+        const ageRecipients = Object.values(si.environments).filter((cfg) => !isKmsEnvelope(cfg) && cfg.recipient).map((cfg) => cfg.recipient);
+        if (ageRecipients.length >= 2 && new Set(ageRecipients).size === 1) {
+          issues.push({
+            identity: si.name,
+            type: "runtime_shared_recipient",
+            message: `Runtime identity '${si.name}' uses a shared recipient across all environments. A compromised key in any environment decrypts artifacts for all environments. Consider per-environment keys for runtime workloads.`
+          });
+        }
+        continue;
+      }
       for (const cell of cells) {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;