@clef-sh/core 0.1.16 → 0.1.18

package/dist/index.mjs

@@ -301,13 +301,13 @@ var require_lib = __commonJS({
   "node_modules/write-file-atomic/lib/index.js"(exports, module) {
     "use strict";
     module.exports = writeFile;
-    module.exports.sync = writeFileSync6;
+    module.exports.sync = writeFileSync7;
     module.exports._getTmpname = getTmpname;
     module.exports._cleanupOnExit = cleanupOnExit;
-    var fs17 = __require("fs");
+    var fs19 = __require("fs");
     var crypto4 = __require("node:crypto");
     var { onExit } = require_cjs();
-    var path25 = __require("path");
+    var path26 = __require("path");
     var { promisify } = __require("util");
     var activeFiles = {};
     var threadId = (function getId() {
@@ -325,7 +325,7 @@ var require_lib = __commonJS({
     function cleanupOnExit(tmpfile) {
       return () => {
         try {
-          fs17.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
+          fs19.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
         } catch {
         }
       };
@@ -360,13 +360,13 @@ var require_lib = __commonJS({
       let fd;
       let tmpfile;
       const removeOnExitHandler = onExit(cleanupOnExit(() => tmpfile));
-      const absoluteName = path25.resolve(filename);
+      const absoluteName = path26.resolve(filename);
       try {
         await serializeActiveFile(absoluteName);
-        const truename = await promisify(fs17.realpath)(filename).catch(() => filename);
+        const truename = await promisify(fs19.realpath)(filename).catch(() => filename);
         tmpfile = getTmpname(truename);
         if (!options.mode || !options.chown) {
-          const stats = await promisify(fs17.stat)(truename).catch(() => {
+          const stats = await promisify(fs19.stat)(truename).catch(() => {
           });
           if (stats) {
             if (options.mode == null) {
@@ -377,45 +377,45 @@ var require_lib = __commonJS({
             }
           }
         }
-        fd = await promisify(fs17.open)(tmpfile, "w", options.mode);
+        fd = await promisify(fs19.open)(tmpfile, "w", options.mode);
         if (options.tmpfileCreated) {
           await options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          await promisify(fs17.write)(fd, data, 0, data.length, 0);
+          await promisify(fs19.write)(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          await promisify(fs17.write)(fd, String(data), 0, String(options.encoding || "utf8"));
+          await promisify(fs19.write)(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          await promisify(fs17.fsync)(fd);
+          await promisify(fs19.fsync)(fd);
         }
-        await promisify(fs17.close)(fd);
+        await promisify(fs19.close)(fd);
         fd = null;
         if (options.chown) {
-          await promisify(fs17.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
+          await promisify(fs19.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
         if (options.mode) {
-          await promisify(fs17.chmod)(tmpfile, options.mode).catch((err) => {
+          await promisify(fs19.chmod)(tmpfile, options.mode).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
-        await promisify(fs17.rename)(tmpfile, truename);
+        await promisify(fs19.rename)(tmpfile, truename);
       } finally {
         if (fd) {
-          await promisify(fs17.close)(fd).catch(
+          await promisify(fs19.close)(fd).catch(
             /* istanbul ignore next */
             () => {
             }
           );
         }
         removeOnExitHandler();
-        await promisify(fs17.unlink)(tmpfile).catch(() => {
+        await promisify(fs19.unlink)(tmpfile).catch(() => {
         });
         activeFiles[absoluteName].shift();
         if (activeFiles[absoluteName].length > 0) {
@@ -441,20 +441,20 @@ var require_lib = __commonJS({
       }
       return promise;
     }
-    function writeFileSync6(filename, data, options) {
+    function writeFileSync7(filename, data, options) {
       if (typeof options === "string") {
         options = { encoding: options };
       } else if (!options) {
         options = {};
       }
       try {
-        filename = fs17.realpathSync(filename);
+        filename = fs19.realpathSync(filename);
       } catch (ex) {
       }
       const tmpfile = getTmpname(filename);
       if (!options.mode || !options.chown) {
         try {
-          const stats = fs17.statSync(filename);
+          const stats = fs19.statSync(filename);
           options = Object.assign({}, options);
           if (!options.mode) {
             options.mode = stats.mode;
@@ -470,23 +470,23 @@ var require_lib = __commonJS({
       const removeOnExitHandler = onExit(cleanup);
       let threw = true;
       try {
-        fd = fs17.openSync(tmpfile, "w", options.mode || 438);
+        fd = fs19.openSync(tmpfile, "w", options.mode || 438);
         if (options.tmpfileCreated) {
           options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          fs17.writeSync(fd, data, 0, data.length, 0);
+          fs19.writeSync(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          fs17.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
+          fs19.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          fs17.fsyncSync(fd);
+          fs19.fsyncSync(fd);
         }
-        fs17.closeSync(fd);
+        fs19.closeSync(fd);
         fd = null;
         if (options.chown) {
           try {
-            fs17.chownSync(tmpfile, options.chown.uid, options.chown.gid);
+            fs19.chownSync(tmpfile, options.chown.uid, options.chown.gid);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
@@ -495,19 +495,19 @@ var require_lib = __commonJS({
         }
         if (options.mode) {
           try {
-            fs17.chmodSync(tmpfile, options.mode);
+            fs19.chmodSync(tmpfile, options.mode);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
             }
           }
         }
-        fs17.renameSync(tmpfile, filename);
+        fs19.renameSync(tmpfile, filename);
         threw = false;
       } finally {
         if (fd) {
           try {
-            fs17.closeSync(fd);
+            fs19.closeSync(fd);
           } catch (ex) {
           }
         }
@@ -546,54 +546,54 @@ var require_polyfills = __commonJS({
     }
     var chdir;
     module.exports = patch;
-    function patch(fs17) {
+    function patch(fs19) {
       if (constants.hasOwnProperty("O_SYMLINK") && process.version.match(/^v0\.6\.[0-2]|^v0\.5\./)) {
-        patchLchmod(fs17);
-      }
-      if (!fs17.lutimes) {
-        patchLutimes(fs17);
-      }
-      fs17.chown = chownFix(fs17.chown);
-      fs17.fchown = chownFix(fs17.fchown);
-      fs17.lchown = chownFix(fs17.lchown);
-      fs17.chmod = chmodFix(fs17.chmod);
-      fs17.fchmod = chmodFix(fs17.fchmod);
-      fs17.lchmod = chmodFix(fs17.lchmod);
-      fs17.chownSync = chownFixSync(fs17.chownSync);
-      fs17.fchownSync = chownFixSync(fs17.fchownSync);
-      fs17.lchownSync = chownFixSync(fs17.lchownSync);
-      fs17.chmodSync = chmodFixSync(fs17.chmodSync);
-      fs17.fchmodSync = chmodFixSync(fs17.fchmodSync);
-      fs17.lchmodSync = chmodFixSync(fs17.lchmodSync);
-      fs17.stat = statFix(fs17.stat);
-      fs17.fstat = statFix(fs17.fstat);
-      fs17.lstat = statFix(fs17.lstat);
-      fs17.statSync = statFixSync(fs17.statSync);
-      fs17.fstatSync = statFixSync(fs17.fstatSync);
-      fs17.lstatSync = statFixSync(fs17.lstatSync);
-      if (fs17.chmod && !fs17.lchmod) {
-        fs17.lchmod = function(path25, mode, cb) {
+        patchLchmod(fs19);
+      }
+      if (!fs19.lutimes) {
+        patchLutimes(fs19);
+      }
+      fs19.chown = chownFix(fs19.chown);
+      fs19.fchown = chownFix(fs19.fchown);
+      fs19.lchown = chownFix(fs19.lchown);
+      fs19.chmod = chmodFix(fs19.chmod);
+      fs19.fchmod = chmodFix(fs19.fchmod);
+      fs19.lchmod = chmodFix(fs19.lchmod);
+      fs19.chownSync = chownFixSync(fs19.chownSync);
+      fs19.fchownSync = chownFixSync(fs19.fchownSync);
+      fs19.lchownSync = chownFixSync(fs19.lchownSync);
+      fs19.chmodSync = chmodFixSync(fs19.chmodSync);
+      fs19.fchmodSync = chmodFixSync(fs19.fchmodSync);
+      fs19.lchmodSync = chmodFixSync(fs19.lchmodSync);
+      fs19.stat = statFix(fs19.stat);
+      fs19.fstat = statFix(fs19.fstat);
+      fs19.lstat = statFix(fs19.lstat);
+      fs19.statSync = statFixSync(fs19.statSync);
+      fs19.fstatSync = statFixSync(fs19.fstatSync);
+      fs19.lstatSync = statFixSync(fs19.lstatSync);
+      if (fs19.chmod && !fs19.lchmod) {
+        fs19.lchmod = function(path26, mode, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs17.lchmodSync = function() {
+        fs19.lchmodSync = function() {
         };
       }
-      if (fs17.chown && !fs17.lchown) {
-        fs17.lchown = function(path25, uid, gid, cb) {
+      if (fs19.chown && !fs19.lchown) {
+        fs19.lchown = function(path26, uid, gid, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs17.lchownSync = function() {
+        fs19.lchownSync = function() {
         };
       }
       if (platform === "win32") {
-        fs17.rename = typeof fs17.rename !== "function" ? fs17.rename : (function(fs$rename) {
+        fs19.rename = typeof fs19.rename !== "function" ? fs19.rename : (function(fs$rename) {
           function rename(from, to, cb) {
             var start = Date.now();
             var backoff = 0;
             fs$rename(from, to, function CB(er) {
               if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
                 setTimeout(function() {
-                  fs17.stat(to, function(stater, st) {
+                  fs19.stat(to, function(stater, st) {
                     if (stater && stater.code === "ENOENT")
                       fs$rename(from, to, CB);
                     else
@@ -609,9 +609,9 @@ var require_polyfills = __commonJS({
           }
           if (Object.setPrototypeOf) Object.setPrototypeOf(rename, fs$rename);
           return rename;
-        })(fs17.rename);
+        })(fs19.rename);
       }
-      fs17.read = typeof fs17.read !== "function" ? fs17.read : (function(fs$read) {
+      fs19.read = typeof fs19.read !== "function" ? fs19.read : (function(fs$read) {
         function read(fd, buffer, offset, length, position, callback_) {
           var callback;
           if (callback_ && typeof callback_ === "function") {
@@ -619,22 +619,22 @@ var require_polyfills = __commonJS({
             callback = function(er, _, __) {
               if (er && er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
-                return fs$read.call(fs17, fd, buffer, offset, length, position, callback);
+                return fs$read.call(fs19, fd, buffer, offset, length, position, callback);
               }
               callback_.apply(this, arguments);
             };
           }
-          return fs$read.call(fs17, fd, buffer, offset, length, position, callback);
+          return fs$read.call(fs19, fd, buffer, offset, length, position, callback);
         }
         if (Object.setPrototypeOf) Object.setPrototypeOf(read, fs$read);
         return read;
-      })(fs17.read);
-      fs17.readSync = typeof fs17.readSync !== "function" ? fs17.readSync : /* @__PURE__ */ (function(fs$readSync) {
+      })(fs19.read);
+      fs19.readSync = typeof fs19.readSync !== "function" ? fs19.readSync : /* @__PURE__ */ (function(fs$readSync) {
         return function(fd, buffer, offset, length, position) {
           var eagCounter = 0;
           while (true) {
             try {
-              return fs$readSync.call(fs17, fd, buffer, offset, length, position);
+              return fs$readSync.call(fs19, fd, buffer, offset, length, position);
             } catch (er) {
               if (er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
@@ -644,11 +644,11 @@ var require_polyfills = __commonJS({
             }
           }
         };
-      })(fs17.readSync);
-      function patchLchmod(fs18) {
-        fs18.lchmod = function(path25, mode, callback) {
-          fs18.open(
-            path25,
+      })(fs19.readSync);
+      function patchLchmod(fs20) {
+        fs20.lchmod = function(path26, mode, callback) {
+          fs20.open(
+            path26,
             constants.O_WRONLY | constants.O_SYMLINK,
             mode,
             function(err, fd) {
@@ -656,80 +656,80 @@ var require_polyfills = __commonJS({
                 if (callback) callback(err);
                 return;
               }
-              fs18.fchmod(fd, mode, function(err2) {
-                fs18.close(fd, function(err22) {
+              fs20.fchmod(fd, mode, function(err2) {
+                fs20.close(fd, function(err22) {
                   if (callback) callback(err2 || err22);
                 });
               });
             }
           );
         };
-        fs18.lchmodSync = function(path25, mode) {
-          var fd = fs18.openSync(path25, constants.O_WRONLY | constants.O_SYMLINK, mode);
+        fs20.lchmodSync = function(path26, mode) {
+          var fd = fs20.openSync(path26, constants.O_WRONLY | constants.O_SYMLINK, mode);
           var threw = true;
           var ret;
           try {
-            ret = fs18.fchmodSync(fd, mode);
+            ret = fs20.fchmodSync(fd, mode);
             threw = false;
           } finally {
             if (threw) {
               try {
-                fs18.closeSync(fd);
+                fs20.closeSync(fd);
               } catch (er) {
               }
             } else {
-              fs18.closeSync(fd);
+              fs20.closeSync(fd);
             }
           }
           return ret;
         };
       }
-      function patchLutimes(fs18) {
-        if (constants.hasOwnProperty("O_SYMLINK") && fs18.futimes) {
-          fs18.lutimes = function(path25, at, mt, cb) {
-            fs18.open(path25, constants.O_SYMLINK, function(er, fd) {
+      function patchLutimes(fs20) {
+        if (constants.hasOwnProperty("O_SYMLINK") && fs20.futimes) {
+          fs20.lutimes = function(path26, at, mt, cb) {
+            fs20.open(path26, constants.O_SYMLINK, function(er, fd) {
               if (er) {
                 if (cb) cb(er);
                 return;
               }
-              fs18.futimes(fd, at, mt, function(er2) {
-                fs18.close(fd, function(er22) {
+              fs20.futimes(fd, at, mt, function(er2) {
+                fs20.close(fd, function(er22) {
                   if (cb) cb(er2 || er22);
                 });
               });
             });
           };
-          fs18.lutimesSync = function(path25, at, mt) {
-            var fd = fs18.openSync(path25, constants.O_SYMLINK);
+          fs20.lutimesSync = function(path26, at, mt) {
+            var fd = fs20.openSync(path26, constants.O_SYMLINK);
             var ret;
             var threw = true;
             try {
-              ret = fs18.futimesSync(fd, at, mt);
+              ret = fs20.futimesSync(fd, at, mt);
               threw = false;
             } finally {
               if (threw) {
                 try {
-                  fs18.closeSync(fd);
+                  fs20.closeSync(fd);
                 } catch (er) {
                 }
               } else {
-                fs18.closeSync(fd);
+                fs20.closeSync(fd);
               }
             }
             return ret;
           };
-        } else if (fs18.futimes) {
-          fs18.lutimes = function(_a, _b, _c, cb) {
+        } else if (fs20.futimes) {
+          fs20.lutimes = function(_a, _b, _c, cb) {
             if (cb) process.nextTick(cb);
           };
-          fs18.lutimesSync = function() {
+          fs20.lutimesSync = function() {
           };
         }
       }
       function chmodFix(orig) {
         if (!orig) return orig;
         return function(target, mode, cb) {
-          return orig.call(fs17, target, mode, function(er) {
+          return orig.call(fs19, target, mode, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -739,7 +739,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, mode) {
           try {
-            return orig.call(fs17, target, mode);
+            return orig.call(fs19, target, mode);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -748,7 +748,7 @@ var require_polyfills = __commonJS({
       function chownFix(orig) {
         if (!orig) return orig;
         return function(target, uid, gid, cb) {
-          return orig.call(fs17, target, uid, gid, function(er) {
+          return orig.call(fs19, target, uid, gid, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -758,7 +758,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, uid, gid) {
           try {
-            return orig.call(fs17, target, uid, gid);
+            return orig.call(fs19, target, uid, gid);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -778,13 +778,13 @@ var require_polyfills = __commonJS({
             }
             if (cb) cb.apply(this, arguments);
           }
-          return options ? orig.call(fs17, target, options, callback) : orig.call(fs17, target, callback);
+          return options ? orig.call(fs19, target, options, callback) : orig.call(fs19, target, callback);
         };
       }
       function statFixSync(orig) {
         if (!orig) return orig;
         return function(target, options) {
-          var stats = options ? orig.call(fs17, target, options) : orig.call(fs17, target);
+          var stats = options ? orig.call(fs19, target, options) : orig.call(fs19, target);
           if (stats) {
             if (stats.uid < 0) stats.uid += 4294967296;
             if (stats.gid < 0) stats.gid += 4294967296;
@@ -813,16 +813,16 @@ var require_legacy_streams = __commonJS({
   "../../node_modules/graceful-fs/legacy-streams.js"(exports, module) {
     var Stream = __require("stream").Stream;
     module.exports = legacy;
-    function legacy(fs17) {
+    function legacy(fs19) {
       return {
         ReadStream,
         WriteStream
       };
-      function ReadStream(path25, options) {
-        if (!(this instanceof ReadStream)) return new ReadStream(path25, options);
+      function ReadStream(path26, options) {
+        if (!(this instanceof ReadStream)) return new ReadStream(path26, options);
         Stream.call(this);
         var self = this;
-        this.path = path25;
+        this.path = path26;
         this.fd = null;
         this.readable = true;
         this.paused = false;
@@ -856,7 +856,7 @@ var require_legacy_streams = __commonJS({
           });
           return;
         }
-        fs17.open(this.path, this.flags, this.mode, function(err, fd) {
+        fs19.open(this.path, this.flags, this.mode, function(err, fd) {
           if (err) {
             self.emit("error", err);
             self.readable = false;
@@ -867,10 +867,10 @@ var require_legacy_streams = __commonJS({
           self._read();
         });
       }
-      function WriteStream(path25, options) {
-        if (!(this instanceof WriteStream)) return new WriteStream(path25, options);
+      function WriteStream(path26, options) {
+        if (!(this instanceof WriteStream)) return new WriteStream(path26, options);
         Stream.call(this);
-        this.path = path25;
+        this.path = path26;
         this.fd = null;
         this.writable = true;
         this.flags = "w";
@@ -895,7 +895,7 @@ var require_legacy_streams = __commonJS({
         this.busy = false;
         this._queue = [];
         if (this.fd === null) {
-          this._open = fs17.open;
+          this._open = fs19.open;
           this._queue.push([this._open, this.path, this.flags, this.mode, void 0]);
           this.flush();
         }
@@ -930,7 +930,7 @@ var require_clone = __commonJS({
 // ../../node_modules/graceful-fs/graceful-fs.js
 var require_graceful_fs = __commonJS({
   "../../node_modules/graceful-fs/graceful-fs.js"(exports, module) {
-    var fs17 = __require("fs");
+    var fs19 = __require("fs");
     var polyfills = require_polyfills();
     var legacy = require_legacy_streams();
     var clone = require_clone();
@@ -962,12 +962,12 @@ var require_graceful_fs = __commonJS({
         m = "GFS4: " + m.split(/\n/).join("\nGFS4: ");
         console.error(m);
       };
-    if (!fs17[gracefulQueue]) {
+    if (!fs19[gracefulQueue]) {
       queue = global[gracefulQueue] || [];
-      publishQueue(fs17, queue);
-      fs17.close = (function(fs$close) {
+      publishQueue(fs19, queue);
+      fs19.close = (function(fs$close) {
         function close(fd, cb) {
-          return fs$close.call(fs17, fd, function(err) {
+          return fs$close.call(fs19, fd, function(err) {
             if (!err) {
               resetQueue();
             }
@@ -979,48 +979,48 @@ var require_graceful_fs = __commonJS({
           value: fs$close
         });
         return close;
-      })(fs17.close);
-      fs17.closeSync = (function(fs$closeSync) {
+      })(fs19.close);
+      fs19.closeSync = (function(fs$closeSync) {
         function closeSync2(fd) {
-          fs$closeSync.apply(fs17, arguments);
+          fs$closeSync.apply(fs19, arguments);
           resetQueue();
         }
         Object.defineProperty(closeSync2, previousSymbol, {
           value: fs$closeSync
         });
         return closeSync2;
-      })(fs17.closeSync);
+      })(fs19.closeSync);
       if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || "")) {
         process.on("exit", function() {
-          debug(fs17[gracefulQueue]);
-          __require("assert").equal(fs17[gracefulQueue].length, 0);
+          debug(fs19[gracefulQueue]);
+          __require("assert").equal(fs19[gracefulQueue].length, 0);
         });
       }
     }
     var queue;
     if (!global[gracefulQueue]) {
-      publishQueue(global, fs17[gracefulQueue]);
-    }
-    module.exports = patch(clone(fs17));
-    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs17.__patched) {
-      module.exports = patch(fs17);
-      fs17.__patched = true;
-    }
-    function patch(fs18) {
-      polyfills(fs18);
-      fs18.gracefulify = patch;
-      fs18.createReadStream = createReadStream;
-      fs18.createWriteStream = createWriteStream;
-      var fs$readFile = fs18.readFile;
-      fs18.readFile = readFile;
-      function readFile(path25, options, cb) {
+      publishQueue(global, fs19[gracefulQueue]);
+    }
+    module.exports = patch(clone(fs19));
+    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs19.__patched) {
+      module.exports = patch(fs19);
+      fs19.__patched = true;
+    }
+    function patch(fs20) {
+      polyfills(fs20);
+      fs20.gracefulify = patch;
+      fs20.createReadStream = createReadStream;
+      fs20.createWriteStream = createWriteStream;
+      var fs$readFile = fs20.readFile;
+      fs20.readFile = readFile;
+      function readFile(path26, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$readFile(path25, options, cb);
-        function go$readFile(path26, options2, cb2, startTime) {
-          return fs$readFile(path26, options2, function(err) {
+        return go$readFile(path26, options, cb);
+        function go$readFile(path27, options2, cb2, startTime) {
+          return fs$readFile(path27, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$readFile, [path26, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$readFile, [path27, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1028,16 +1028,16 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$writeFile = fs18.writeFile;
-      fs18.writeFile = writeFile;
-      function writeFile(path25, data, options, cb) {
+      var fs$writeFile = fs20.writeFile;
+      fs20.writeFile = writeFile;
+      function writeFile(path26, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$writeFile(path25, data, options, cb);
-        function go$writeFile(path26, data2, options2, cb2, startTime) {
-          return fs$writeFile(path26, data2, options2, function(err) {
+        return go$writeFile(path26, data, options, cb);
+        function go$writeFile(path27, data2, options2, cb2, startTime) {
+          return fs$writeFile(path27, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$writeFile, [path26, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$writeFile, [path27, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1045,17 +1045,17 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$appendFile = fs18.appendFile;
+      var fs$appendFile = fs20.appendFile;
       if (fs$appendFile)
-        fs18.appendFile = appendFile;
-      function appendFile(path25, data, options, cb) {
+        fs20.appendFile = appendFile;
+      function appendFile(path26, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$appendFile(path25, data, options, cb);
-        function go$appendFile(path26, data2, options2, cb2, startTime) {
-          return fs$appendFile(path26, data2, options2, function(err) {
+        return go$appendFile(path26, data, options, cb);
+        function go$appendFile(path27, data2, options2, cb2, startTime) {
+          return fs$appendFile(path27, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$appendFile, [path26, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$appendFile, [path27, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1063,9 +1063,9 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$copyFile = fs18.copyFile;
+      var fs$copyFile = fs20.copyFile;
       if (fs$copyFile)
-        fs18.copyFile = copyFile;
+        fs20.copyFile = copyFile;
       function copyFile(src, dest, flags, cb) {
         if (typeof flags === "function") {
           cb = flags;
@@ -1083,34 +1083,34 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$readdir = fs18.readdir;
-      fs18.readdir = readdir;
+      var fs$readdir = fs20.readdir;
+      fs20.readdir = readdir;
       var noReaddirOptionVersions = /^v[0-5]\./;
-      function readdir(path25, options, cb) {
+      function readdir(path26, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path26, options2, cb2, startTime) {
-          return fs$readdir(path26, fs$readdirCallback(
-            path26,
+        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path27, options2, cb2, startTime) {
+          return fs$readdir(path27, fs$readdirCallback(
+            path27,
             options2,
             cb2,
             startTime
           ));
-        } : function go$readdir2(path26, options2, cb2, startTime) {
-          return fs$readdir(path26, options2, fs$readdirCallback(
-            path26,
+        } : function go$readdir2(path27, options2, cb2, startTime) {
+          return fs$readdir(path27, options2, fs$readdirCallback(
+            path27,
             options2,
             cb2,
             startTime
           ));
         };
-        return go$readdir(path25, options, cb);
-        function fs$readdirCallback(path26, options2, cb2, startTime) {
+        return go$readdir(path26, options, cb);
+        function fs$readdirCallback(path27, options2, cb2, startTime) {
           return function(err, files) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
               enqueue([
                 go$readdir,
-                [path26, options2, cb2],
+                [path27, options2, cb2],
                 err,
                 startTime || Date.now(),
                 Date.now()
@@ -1125,21 +1125,21 @@ var require_graceful_fs = __commonJS({
         }
       }
       if (process.version.substr(0, 4) === "v0.8") {
-        var legStreams = legacy(fs18);
+        var legStreams = legacy(fs20);
         ReadStream = legStreams.ReadStream;
         WriteStream = legStreams.WriteStream;
       }
-      var fs$ReadStream = fs18.ReadStream;
+      var fs$ReadStream = fs20.ReadStream;
       if (fs$ReadStream) {
         ReadStream.prototype = Object.create(fs$ReadStream.prototype);
         ReadStream.prototype.open = ReadStream$open;
       }
-      var fs$WriteStream = fs18.WriteStream;
+      var fs$WriteStream = fs20.WriteStream;
       if (fs$WriteStream) {
         WriteStream.prototype = Object.create(fs$WriteStream.prototype);
         WriteStream.prototype.open = WriteStream$open;
       }
-      Object.defineProperty(fs18, "ReadStream", {
+      Object.defineProperty(fs20, "ReadStream", {
         get: function() {
           return ReadStream;
         },
@@ -1149,7 +1149,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      Object.defineProperty(fs18, "WriteStream", {
+      Object.defineProperty(fs20, "WriteStream", {
         get: function() {
           return WriteStream;
         },
@@ -1160,7 +1160,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileReadStream = ReadStream;
-      Object.defineProperty(fs18, "FileReadStream", {
+      Object.defineProperty(fs20, "FileReadStream", {
         get: function() {
           return FileReadStream;
         },
@@ -1171,7 +1171,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileWriteStream = WriteStream;
-      Object.defineProperty(fs18, "FileWriteStream", {
+      Object.defineProperty(fs20, "FileWriteStream", {
         get: function() {
           return FileWriteStream;
         },
@@ -1181,7 +1181,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      function ReadStream(path25, options) {
+      function ReadStream(path26, options) {
         if (this instanceof ReadStream)
           return fs$ReadStream.apply(this, arguments), this;
         else
@@ -1201,7 +1201,7 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function WriteStream(path25, options) {
+      function WriteStream(path26, options) {
         if (this instanceof WriteStream)
           return fs$WriteStream.apply(this, arguments), this;
         else
@@ -1219,22 +1219,22 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function createReadStream(path25, options) {
-        return new fs18.ReadStream(path25, options);
+      function createReadStream(path26, options) {
+        return new fs20.ReadStream(path26, options);
       }
-      function createWriteStream(path25, options) {
-        return new fs18.WriteStream(path25, options);
+      function createWriteStream(path26, options) {
+        return new fs20.WriteStream(path26, options);
       }
-      var fs$open = fs18.open;
-      fs18.open = open;
-      function open(path25, flags, mode, cb) {
+      var fs$open = fs20.open;
+      fs20.open = open;
+      function open(path26, flags, mode, cb) {
         if (typeof mode === "function")
           cb = mode, mode = null;
-        return go$open(path25, flags, mode, cb);
-        function go$open(path26, flags2, mode2, cb2, startTime) {
-          return fs$open(path26, flags2, mode2, function(err, fd) {
+        return go$open(path26, flags, mode, cb);
+        function go$open(path27, flags2, mode2, cb2, startTime) {
+          return fs$open(path27, flags2, mode2, function(err, fd) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$open, [path26, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$open, [path27, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1242,20 +1242,20 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      return fs18;
+      return fs20;
     }
     function enqueue(elem) {
       debug("ENQUEUE", elem[0].name, elem[1]);
-      fs17[gracefulQueue].push(elem);
+      fs19[gracefulQueue].push(elem);
       retry();
     }
     var retryTimer;
     function resetQueue() {
       var now = Date.now();
-      for (var i = 0; i < fs17[gracefulQueue].length; ++i) {
-        if (fs17[gracefulQueue][i].length > 2) {
-          fs17[gracefulQueue][i][3] = now;
-          fs17[gracefulQueue][i][4] = now;
+      for (var i = 0; i < fs19[gracefulQueue].length; ++i) {
+        if (fs19[gracefulQueue][i].length > 2) {
+          fs19[gracefulQueue][i][3] = now;
+          fs19[gracefulQueue][i][4] = now;
         }
       }
       retry();
@@ -1263,9 +1263,9 @@ var require_graceful_fs = __commonJS({
     function retry() {
       clearTimeout(retryTimer);
       retryTimer = void 0;
-      if (fs17[gracefulQueue].length === 0)
+      if (fs19[gracefulQueue].length === 0)
         return;
-      var elem = fs17[gracefulQueue].shift();
+      var elem = fs19[gracefulQueue].shift();
       var fn = elem[0];
       var args = elem[1];
       var err = elem[2];
@@ -1287,7 +1287,7 @@ var require_graceful_fs = __commonJS({
           debug("RETRY", fn.name, args);
           fn.apply(null, args.concat([startTime]));
         } else {
-          fs17[gracefulQueue].push(elem);
+          fs19[gracefulQueue].push(elem);
         }
       }
       if (retryTimer === void 0) {
@@ -1722,10 +1722,10 @@ var require_mtime_precision = __commonJS({
   "../../node_modules/proper-lockfile/lib/mtime-precision.js"(exports, module) {
     "use strict";
     var cacheSymbol = /* @__PURE__ */ Symbol();
-    function probe(file, fs17, callback) {
-      const cachedPrecision = fs17[cacheSymbol];
+    function probe(file, fs19, callback) {
+      const cachedPrecision = fs19[cacheSymbol];
       if (cachedPrecision) {
-        return fs17.stat(file, (err, stat) => {
+        return fs19.stat(file, (err, stat) => {
           if (err) {
             return callback(err);
           }
@@ -1733,16 +1733,16 @@ var require_mtime_precision = __commonJS({
         });
       }
       const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
-      fs17.utimes(file, mtime, mtime, (err) => {
+      fs19.utimes(file, mtime, mtime, (err) => {
         if (err) {
           return callback(err);
         }
-        fs17.stat(file, (err2, stat) => {
+        fs19.stat(file, (err2, stat) => {
           if (err2) {
             return callback(err2);
           }
           const precision = stat.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
-          Object.defineProperty(fs17, cacheSymbol, { value: precision });
+          Object.defineProperty(fs19, cacheSymbol, { value: precision });
           callback(null, stat.mtime, precision);
         });
       });
@@ -1763,8 +1763,8 @@ var require_mtime_precision = __commonJS({
 var require_lockfile = __commonJS({
   "../../node_modules/proper-lockfile/lib/lockfile.js"(exports, module) {
     "use strict";
-    var path25 = __require("path");
-    var fs17 = require_graceful_fs();
+    var path26 = __require("path");
+    var fs19 = require_graceful_fs();
     var retry = require_retry2();
     var onExit = require_signal_exit();
     var mtimePrecision = require_mtime_precision();
@@ -1774,7 +1774,7 @@ var require_lockfile = __commonJS({
     }
     function resolveCanonicalPath(file, options, callback) {
       if (!options.realpath) {
-        return callback(null, path25.resolve(file));
+        return callback(null, path26.resolve(file));
       }
       options.fs.realpath(file, callback);
     }
@@ -1895,7 +1895,7 @@ var require_lockfile = __commonJS({
         update: null,
         realpath: true,
         retries: 0,
-        fs: fs17,
+        fs: fs19,
         onCompromised: (err) => {
           throw err;
         },
@@ -1939,7 +1939,7 @@ var require_lockfile = __commonJS({
     }
     function unlock(file, options, callback) {
       options = {
-        fs: fs17,
+        fs: fs19,
         realpath: true,
         ...options
       };
@@ -1961,7 +1961,7 @@ var require_lockfile = __commonJS({
       options = {
         stale: 1e4,
         realpath: true,
-        fs: fs17,
+        fs: fs19,
         ...options
       };
       options.stale = Math.max(options.stale || 0, 2e3);
@@ -2000,16 +2000,16 @@ var require_lockfile = __commonJS({
 var require_adapter = __commonJS({
   "../../node_modules/proper-lockfile/lib/adapter.js"(exports, module) {
     "use strict";
-    var fs17 = require_graceful_fs();
-    function createSyncFs(fs18) {
+    var fs19 = require_graceful_fs();
+    function createSyncFs(fs20) {
       const methods = ["mkdir", "realpath", "stat", "rmdir", "utimes"];
-      const newFs = { ...fs18 };
+      const newFs = { ...fs20 };
       methods.forEach((method) => {
         newFs[method] = (...args) => {
           const callback = args.pop();
           let ret;
           try {
-            ret = fs18[`${method}Sync`](...args);
+            ret = fs20[`${method}Sync`](...args);
           } catch (err) {
             return callback(err);
           }
@@ -2047,7 +2047,7 @@ var require_adapter = __commonJS({
     }
     function toSyncOptions(options) {
       options = { ...options };
-      options.fs = createSyncFs(options.fs || fs17);
+      options.fs = createSyncFs(options.fs || fs19);
       if (typeof options.retries === "number" && options.retries > 0 || options.retries && typeof options.retries.retries === "number" && options.retries.retries > 0) {
         throw Object.assign(new Error("Cannot use retries with the sync api"), { code: "ESYNC" });
       }
@@ -2161,6 +2161,13 @@ var GitOperationError = class extends ClefError {
     this.name = "GitOperationError";
   }
 };
+var PolicyValidationError = class extends ClefError {
+  constructor(message, field) {
+    super(message, field ? `Check the '${field}' field in .clef/policy.yaml` : void 0);
+    this.field = field;
+    this.name = "PolicyValidationError";
+  }
+};
 var SchemaLoadError = class extends ClefError {
   constructor(message, filePath) {
     super(
@@ -2835,6 +2842,20 @@ var PATTERNS = [
   },
   { name: "Database URL", regex: /(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@/ }
 ];
+var PUBLIC_PREFIX_PATTERNS = [
+  // reCAPTCHA v2, v3, and Enterprise site keys are exactly 40 chars and
+  // begin with 6L[c-f]. Site keys are designed to be embedded in HTML.
+  // https://developers.google.com/recaptcha/docs/faq
+  { name: "reCAPTCHA site key", regex: /^6L[c-f][0-9A-Za-z_-]{37}$/ },
+  // Stripe publishable keys (client-side, distinct from sk_live_/sk_test_).
+  { name: "Stripe publishable key", regex: /^pk_(?:live|test)_[0-9a-zA-Z]{24,}$/ }
+];
+function matchPublicPrefix(value) {
+  for (const def of PUBLIC_PREFIX_PATTERNS) {
+    if (def.regex.test(value)) return { name: def.name };
+  }
+  return null;
+}
 function shannonEntropy(str) {
   if (str.length === 0) return 0;
   const freq = /* @__PURE__ */ new Map();
@@ -3023,7 +3044,8 @@ var ScanRunner = class {
           }
         }
         if (options.severity !== "high") {
-          const entropyHit = this.detectEntropy(line, lineNum, relPath);
+          const allowPublic = options.publicAllowlist !== false;
+          const entropyHit = this.detectEntropy(line, lineNum, relPath, allowPublic);
           if (entropyHit && !shouldIgnoreMatch(entropyHit, ignoreRules)) {
             matches.push(entropyHit);
           }
@@ -3064,13 +3086,14 @@ var ScanRunner = class {
       return false;
     }
   }
-  detectEntropy(line, lineNum, filePath) {
+  detectEntropy(line, lineNum, filePath, allowPublic) {
     const valuePattern = /(?:=|:\s*)["']?([A-Za-z0-9+/=_-]{20,})["']?/;
     const match = valuePattern.exec(line);
     if (!match) return null;
     const value = match[1];
     const entropy = shannonEntropy(value);
     if (!isHighEntropy(value)) return null;
+    if (allowPublic && matchPublicPrefix(value)) return null;
     const varMatch = /(\w+)\s*(?:=|:)/.exec(line);
     const varName = varMatch ? varMatch[1] : "";
     const preview = varName ? `${varName}=\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022` : redactValue(value);
@@ -3152,41 +3175,50 @@ function metadataPath(encryptedFilePath) {
   return path4.join(dir, `${base}.clef-meta.yaml`);
 }
 var HEADER_COMMENT = "# Managed by Clef. Do not edit manually.\n";
+function emptyMetadata() {
+  return { version: 1, pending: [], rotations: [] };
+}
 async function loadMetadata(filePath) {
   const metaPath = metadataPath(filePath);
   try {
-    if (!fs5.existsSync(metaPath)) {
-      return { version: 1, pending: [] };
-    }
+    if (!fs5.existsSync(metaPath)) return emptyMetadata();
     const content = fs5.readFileSync(metaPath, "utf-8");
     const parsed = YAML3.parse(content);
-    if (!parsed || !Array.isArray(parsed.pending)) {
-      return { version: 1, pending: [] };
-    }
-    return {
-      version: 1,
-      pending: parsed.pending.map((p) => ({
-        key: p.key,
-        since: new Date(p.since),
-        setBy: p.setBy
-      }))
-    };
+    if (!parsed || typeof parsed !== "object") return emptyMetadata();
+    const pendingRaw = Array.isArray(parsed.pending) ? parsed.pending : [];
+    const pending = pendingRaw.filter(
+      (p) => !!p && typeof p === "object" && typeof p.key === "string" && typeof p.since === "string" && typeof p.setBy === "string"
+    ).map((p) => ({ key: p.key, since: new Date(p.since), setBy: p.setBy }));
+    const rotationsRaw = Array.isArray(parsed.rotations) ? parsed.rotations : [];
+    const rotations = rotationsRaw.filter(
+      (r) => !!r && typeof r === "object" && typeof r.key === "string" && typeof r.last_rotated_at === "string" && typeof r.rotated_by === "string" && typeof r.rotation_count === "number"
+    ).map((r) => ({
+      key: r.key,
+      lastRotatedAt: new Date(r.last_rotated_at),
+      rotatedBy: r.rotated_by,
+      rotationCount: r.rotation_count
+    }));
+    return { version: 1, pending, rotations };
   } catch {
-    return { version: 1, pending: [] };
+    return emptyMetadata();
   }
 }
 async function saveMetadata(filePath, metadata) {
   const metaPath = metadataPath(filePath);
   const dir = path4.dirname(metaPath);
-  if (!fs5.existsSync(dir)) {
-    fs5.mkdirSync(dir, { recursive: true });
-  }
+  if (!fs5.existsSync(dir)) fs5.mkdirSync(dir, { recursive: true });
   const data = {
     version: metadata.version,
     pending: metadata.pending.map((p) => ({
       key: p.key,
       since: p.since.toISOString(),
       setBy: p.setBy
+    })),
+    rotations: metadata.rotations.map((r) => ({
+      key: r.key,
+      last_rotated_at: r.lastRotatedAt.toISOString(),
+      rotated_by: r.rotatedBy,
+      rotation_count: r.rotationCount
     }))
   };
   fs5.writeFileSync(metaPath, HEADER_COMMENT + YAML3.stringify(data), "utf-8");
@@ -3217,6 +3249,38 @@ async function isPending(filePath, key) {
   const metadata = await loadMetadata(filePath);
   return metadata.pending.some((p) => p.key === key);
 }
+async function recordRotation(filePath, keys, rotatedBy, now = /* @__PURE__ */ new Date()) {
+  const metadata = await loadMetadata(filePath);
+  for (const key of keys) {
+    const existing = metadata.rotations.findIndex((r) => r.key === key);
+    if (existing >= 0) {
+      metadata.rotations[existing] = {
+        key,
+        lastRotatedAt: now,
+        rotatedBy,
+        rotationCount: metadata.rotations[existing].rotationCount + 1
+      };
+    } else {
+      metadata.rotations.push({
+        key,
+        lastRotatedAt: now,
+        rotatedBy,
+        rotationCount: 1
+      });
+    }
+  }
+  metadata.pending = metadata.pending.filter((p) => !keys.includes(p.key));
+  await saveMetadata(filePath, metadata);
+}
+async function removeRotation(filePath, keys) {
+  const metadata = await loadMetadata(filePath);
+  metadata.rotations = metadata.rotations.filter((r) => !keys.includes(r.key));
+  await saveMetadata(filePath, metadata);
+}
+async function getRotations(filePath) {
+  const metadata = await loadMetadata(filePath);
+  return metadata.rotations;
+}
 function generateRandomValue() {
   return crypto.randomBytes(32).toString("hex");
 }
@@ -4018,61 +4082,83 @@ var GitIntegration = class {
    * @throws {@link GitOperationError} On failure.
    */
   async installMergeDriver(repoRoot) {
-    const configResult = await this.runner.run(
-      "git",
-      ["config", "merge.sops.name", "SOPS-aware merge driver"],
-      { cwd: repoRoot }
-    );
-    if (configResult.exitCode !== 0) {
-      throw new GitOperationError(
-        `Failed to configure merge driver name: ${configResult.stderr.trim()}`,
-        "Ensure you are inside a git repository."
+    const drivers = [
+      { config: "merge.sops", friendly: "SOPS-aware merge driver" },
+      { config: "merge.clef-metadata", friendly: "Clef metadata merge driver" }
+    ];
+    for (const driver of drivers) {
+      const nameResult = await this.runner.run(
+        "git",
+        ["config", `${driver.config}.name`, driver.friendly],
+        { cwd: repoRoot }
       );
-    }
-    const driverResult = await this.runner.run(
-      "git",
-      ["config", "merge.sops.driver", "clef merge-driver %O %A %B"],
-      { cwd: repoRoot }
-    );
-    if (driverResult.exitCode !== 0) {
-      throw new GitOperationError(
-        `Failed to configure merge driver command: ${driverResult.stderr.trim()}`,
-        "Ensure you are inside a git repository."
+      if (nameResult.exitCode !== 0) {
+        throw new GitOperationError(
+          `Failed to configure merge driver name: ${nameResult.stderr.trim()}`,
+          "Ensure you are inside a git repository."
+        );
+      }
+      const driverResult = await this.runner.run(
+        "git",
+        ["config", `${driver.config}.driver`, "clef merge-driver %O %A %B"],
+        { cwd: repoRoot }
       );
+      if (driverResult.exitCode !== 0) {
+        throw new GitOperationError(
+          `Failed to configure merge driver command: ${driverResult.stderr.trim()}`,
+          "Ensure you are inside a git repository."
+        );
+      }
     }
     await this.ensureGitattributes(repoRoot);
   }
   /**
-   * Check whether the SOPS merge driver is configured in both
-   * `.git/config` and `.gitattributes`.
-   *
-   * @param repoRoot - Absolute path to the repository root.
-   * @returns An object indicating which parts are configured.
+   * Check whether both Clef merge drivers are configured in `.git/config`
+   * and `.gitattributes`.  Reports separately on the SOPS driver
+   * (`merge=sops` for `.enc.*`) and the metadata driver
+   * (`merge=clef-metadata` for `.clef-meta.yaml`) so `clef doctor` can
+   * prompt the user to run `clef hooks` when only the SOPS driver is
+   * installed (older install, pre-metadata-merge).
    */
   async checkMergeDriver(repoRoot) {
-    const configResult = await this.runner.run("git", ["config", "--get", "merge.sops.driver"], {
+    const sopsConfig = await this.runner.run("git", ["config", "--get", "merge.sops.driver"], {
       cwd: repoRoot
     });
-    const gitConfig = configResult.exitCode === 0 && configResult.stdout.trim().length > 0;
+    const gitConfig = sopsConfig.exitCode === 0 && sopsConfig.stdout.trim().length > 0;
+    const metaConfig = await this.runner.run(
+      "git",
+      ["config", "--get", "merge.clef-metadata.driver"],
+      { cwd: repoRoot }
+    );
+    const metadataGitConfig = metaConfig.exitCode === 0 && metaConfig.stdout.trim().length > 0;
     const attrFilePath = path8.join(repoRoot, ".gitattributes");
     const attrContent = fs9.existsSync(attrFilePath) ? fs9.readFileSync(attrFilePath, "utf-8") : "";
     const gitattributes = attrContent.includes("merge=sops");
-    return { gitConfig, gitattributes };
+    const metadataGitattributes = attrContent.includes("merge=clef-metadata");
+    return { gitConfig, gitattributes, metadataGitConfig, metadataGitattributes };
   }
   async ensureGitattributes(repoRoot) {
     const attrPath = path8.join(repoRoot, ".gitattributes");
-    const mergeRule = "*.enc.yaml merge=sops\n*.enc.json merge=sops";
     const existing = fs9.existsSync(attrPath) ? fs9.readFileSync(attrPath, "utf-8") : "";
-    if (existing.includes("merge=sops")) {
-      return;
-    }
-    const newContent = existing.trimEnd() ? `${existing.trimEnd()}
+    let newContent = existing;
+    if (!existing.includes("merge=sops")) {
+      const block = `# Clef: SOPS-aware merge driver for encrypted files
+*.enc.yaml merge=sops
+*.enc.json merge=sops
+`;
+      newContent = newContent.trimEnd() ? `${newContent.trimEnd()}
 
-# Clef: SOPS-aware merge driver for encrypted files
-${mergeRule}
-` : `# Clef: SOPS-aware merge driver for encrypted files
-${mergeRule}
+${block}` : block;
+    }
+    if (!newContent.includes("merge=clef-metadata")) {
+      const block = `# Clef: rotation-aware merge driver for metadata sidecars
+*.clef-meta.yaml merge=clef-metadata
 `;
+      newContent = newContent.trimEnd() ? `${newContent.trimEnd()}
+
+${block}` : block;
+    }
+    if (newContent === existing) return;
     try {
       fs9.writeFileSync(attrPath, newContent, "utf-8");
     } catch (err) {
@@ -4779,8 +4865,11 @@ var SopsClient = class {
     }
     const backend = this.detectBackend(sops);
     const recipients = this.extractRecipients(sops, backend);
-    const lastModified = sops.lastmodified ? new Date(sops.lastmodified) : /* @__PURE__ */ new Date();
-    return { backend, recipients, lastModified };
+    const lastModifiedRaw = typeof sops.lastmodified === "string" ? sops.lastmodified : void 0;
+    const lastModified = lastModifiedRaw ? new Date(lastModifiedRaw) : /* @__PURE__ */ new Date();
+    const lastModifiedPresent = lastModifiedRaw !== void 0;
+    const version = typeof sops.version === "string" ? sops.version : void 0;
+    return { backend, recipients, lastModified, lastModifiedPresent, version };
   }
   detectBackend(sops) {
     if (sops.age && Array.isArray(sops.age) && sops.age.length > 0) return "age";
@@ -5066,8 +5155,50 @@ var LintRunner = class {
       );
       issues.push(...siIssues);
     }
+    const metadataIssues = await this.lintMetadataConsistency(existingCells);
+    issues.push(...metadataIssues);
     return { issues, fileCount: fileCount + missingCells.length, pendingCount };
   }
+  /**
+   * Cross-reference `.clef-meta.yaml` against the cipher's plaintext key
+   * names for each existing cell.  Reports orphan rotation records and
+   * dual-state (pending + rotation) inconsistencies.  Uses
+   * {@link readSopsKeyNames} (plaintext YAML parse) — no decryption.
+   */
+  async lintMetadataConsistency(cells) {
+    const issues = [];
+    for (const cell of cells) {
+      const keysInCipher = readSopsKeyNames(cell.filePath);
+      if (keysInCipher === null) continue;
+      const cipherKeys = new Set(keysInCipher);
+      const metadata = await loadMetadata(cell.filePath);
+      for (const record of metadata.rotations) {
+        if (!cipherKeys.has(record.key)) {
+          issues.push({
+            severity: "warning",
+            category: "metadata",
+            file: cell.filePath,
+            key: record.key,
+            message: `Rotation record exists for key '${record.key}' but the key is not in this cell. Remove the orphan entry from .clef-meta.yaml or re-add the key via clef set.`
+          });
+        }
+      }
+      const pendingKeys = new Set(metadata.pending.map((p) => p.key));
+      for (const record of metadata.rotations) {
+        if (pendingKeys.has(record.key)) {
+          issues.push({
+            severity: "error",
+            category: "metadata",
+            file: cell.filePath,
+            key: record.key,
+            message: `Key '${record.key}' appears in both 'pending' and 'rotations' sections of .clef-meta.yaml. One of them is stale \u2014 likely a manual edit or a failed transaction. Re-run clef set to reconcile.`,
+            fixCommand: `clef set ${cell.namespace}/${cell.environment} ${record.key}`
+          });
+        }
+      }
+    }
+    return issues;
+  }
   /**
    * Lint service identity configurations for drift issues.
    */
@@ -5420,22 +5551,33 @@ var ImportRunner = class {
     }
     const decrypted = await this.sopsClient.decrypt(filePath);
     const newValues = { ...decrypted.values };
+    const rotatedKeys = [];
     for (const [key, value] of candidates) {
-      if (key in decrypted.values && !options.overwrite) {
+      const existed = key in decrypted.values;
+      if (existed && !options.overwrite) {
         skipped.push(key);
         continue;
       }
+      const valueChanged = !existed || decrypted.values[key] !== value;
       newValues[key] = value;
       imported.push(key);
+      if (valueChanged) rotatedKeys.push(key);
     }
     if (imported.length === 0) {
       return { imported, skipped, failed, warnings, dryRun: false };
     }
+    const relCellPath = path14.relative(repoRoot, filePath);
+    const relMetaPath = relCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
     await this.tx.run(repoRoot, {
       description: `clef import ${target}: ${imported.length} key(s)`,
-      paths: [path14.relative(repoRoot, filePath)],
+      // Include the metadata path so rotation records created in the mutate
+      // callback are staged and rolled back atomically with the ciphertext.
+      paths: [relCellPath, relMetaPath],
       mutate: async () => {
         await this.sopsClient.encrypt(filePath, newValues, manifest, env);
+        if (options.rotatedBy && rotatedKeys.length > 0) {
+          await recordRotation(filePath, rotatedKeys, options.rotatedBy);
+        }
       }
     });
     return { imported, skipped, failed, warnings, dryRun: false };
@@ -6448,6 +6590,116 @@ var SopsMergeDriver = class {
   }
 };
 
+// src/merge/metadata-driver.ts
+import * as fs15 from "fs";
+import * as YAML10 from "yaml";
+var HEADER_COMMENT3 = "# Managed by Clef. Do not edit manually.\n";
+function parseMetadata(content) {
+  try {
+    const parsed = YAML10.parse(content);
+    if (!parsed || typeof parsed !== "object") return emptyMetadata2();
+    const pendingRaw = Array.isArray(parsed.pending) ? parsed.pending : [];
+    const pending = pendingRaw.filter(
+      (p) => !!p && typeof p === "object" && typeof p.key === "string" && typeof p.since === "string" && typeof p.setBy === "string"
+    ).map((p) => ({ key: p.key, since: new Date(p.since), setBy: p.setBy }));
+    const rotationsRaw = Array.isArray(parsed.rotations) ? parsed.rotations : [];
+    const rotations = rotationsRaw.filter(
+      (r) => !!r && typeof r === "object" && typeof r.key === "string" && typeof r.last_rotated_at === "string" && typeof r.rotated_by === "string" && typeof r.rotation_count === "number"
+    ).map((r) => ({
+      key: r.key,
+      lastRotatedAt: new Date(r.last_rotated_at),
+      rotatedBy: r.rotated_by,
+      rotationCount: r.rotation_count
+    }));
+    return { version: 1, pending, rotations };
+  } catch {
+    return emptyMetadata2();
+  }
+}
+function emptyMetadata2() {
+  return { version: 1, pending: [], rotations: [] };
+}
+function serializeMetadata(m) {
+  const data = {
+    version: m.version,
+    pending: m.pending.map((p) => ({
+      key: p.key,
+      since: p.since.toISOString(),
+      setBy: p.setBy
+    })),
+    rotations: m.rotations.map((r) => ({
+      key: r.key,
+      last_rotated_at: r.lastRotatedAt.toISOString(),
+      rotated_by: r.rotatedBy,
+      rotation_count: r.rotationCount
+    }))
+  };
+  return HEADER_COMMENT3 + YAML10.stringify(data);
+}
+function mergeRotations(ours, theirs) {
+  const byKey = /* @__PURE__ */ new Map();
+  const ourByKey = new Map(ours.map((r) => [r.key, r]));
+  const theirByKey = new Map(theirs.map((r) => [r.key, r]));
+  const allKeys = /* @__PURE__ */ new Set([...ourByKey.keys(), ...theirByKey.keys()]);
+  for (const key of allKeys) {
+    const o = ourByKey.get(key);
+    const t = theirByKey.get(key);
+    if (o && t) {
+      const oTime = o.lastRotatedAt.getTime();
+      const tTime = t.lastRotatedAt.getTime();
+      const winner = tTime > oTime ? t : o;
+      byKey.set(key, {
+        key,
+        lastRotatedAt: winner.lastRotatedAt,
+        rotatedBy: winner.rotatedBy,
+        rotationCount: Math.max(o.rotationCount, t.rotationCount) + 1
+      });
+    } else if (o) {
+      byKey.set(key, o);
+    } else if (t) {
+      byKey.set(key, t);
+    }
+  }
+  return Array.from(byKey.values());
+}
+function mergePending(oursPending, theirsPending, oursRotations, theirsRotations) {
+  const ourByKey = new Map(oursPending.map((p) => [p.key, p]));
+  const theirByKey = new Map(theirsPending.map((p) => [p.key, p]));
+  const rotatedKeys = /* @__PURE__ */ new Set([
+    ...oursRotations.map((r) => r.key),
+    ...theirsRotations.map((r) => r.key)
+  ]);
+  const allKeys = /* @__PURE__ */ new Set([...ourByKey.keys(), ...theirByKey.keys()]);
+  const out = [];
+  for (const key of allKeys) {
+    if (rotatedKeys.has(key)) continue;
+    const o = ourByKey.get(key);
+    const t = theirByKey.get(key);
+    if (o && t) {
+      const winner = t.since.getTime() > o.since.getTime() ? t : o;
+      out.push({ key, since: winner.since, setBy: winner.setBy });
+    } else if (o) {
+      out.push(o);
+    } else if (t) {
+      out.push(t);
+    }
+  }
+  return out;
+}
+function mergeMetadataContents(oursContent, theirsContent) {
+  const ours = parseMetadata(oursContent);
+  const theirs = parseMetadata(theirsContent);
+  const rotations = mergeRotations(ours.rotations, theirs.rotations);
+  const pending = mergePending(ours.pending, theirs.pending, ours.rotations, theirs.rotations);
+  return serializeMetadata({ version: 1, pending, rotations });
+}
+function mergeMetadataFiles(_basePath, oursPath, theirsPath) {
+  const oursContent = fs15.existsSync(oursPath) ? fs15.readFileSync(oursPath, "utf-8") : "";
+  const theirsContent = fs15.existsSync(theirsPath) ? fs15.readFileSync(theirsPath, "utf-8") : "";
+  const merged = mergeMetadataContents(oursContent, theirsContent);
+  fs15.writeFileSync(oursPath, merged, "utf-8");
+}
+
 // src/service-identity/manager.ts
 import * as path19 from "path";
 var ServiceIdentityManager = class {
@@ -6983,7 +7235,7 @@ var ServiceIdentityManager = class {
 };
 
 // src/structure/manager.ts
-import * as fs15 from "fs";
+import * as fs16 from "fs";
 import * as path20 from "path";
 var StructureManager = class {
   constructor(matrixManager, encryption, tx) {
@@ -7011,7 +7263,7 @@ var StructureManager = class {
       )
     }));
     for (const cell of newCellPaths) {
-      if (fs15.existsSync(cell.filePath)) {
+      if (fs16.existsSync(cell.filePath)) {
         throw new Error(
           `Cannot add namespace '${name}': file '${path20.relative(repoRoot, cell.filePath)}' already exists.`
         );
@@ -7083,7 +7335,7 @@ var StructureManager = class {
       )
     }));
     for (const cell of newCellPaths) {
-      if (fs15.existsSync(cell.filePath)) {
+      if (fs16.existsSync(cell.filePath)) {
         throw new Error(
           `Cannot add environment '${name}': file '${path20.relative(repoRoot, cell.filePath)}' already exists.`
         );
@@ -7167,7 +7419,7 @@ var StructureManager = class {
       paths: this.deletePaths(repoRoot, cellsToDelete),
       mutate: async () => {
         for (const cell of cellsToDelete) {
-          fs15.unlinkSync(cell.filePath);
+          fs16.unlinkSync(cell.filePath);
           this.unlinkMetaSibling(cell.filePath);
         }
         const doc = readManifestYaml(repoRoot);
@@ -7217,7 +7469,7 @@ var StructureManager = class {
       paths: this.deletePaths(repoRoot, cellsToDelete),
       mutate: async () => {
         for (const cell of cellsToDelete) {
-          fs15.unlinkSync(cell.filePath);
+          fs16.unlinkSync(cell.filePath);
           this.unlinkMetaSibling(cell.filePath);
         }
         const doc = readManifestYaml(repoRoot);
@@ -7259,7 +7511,7 @@ var StructureManager = class {
     const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "namespace") : [];
     if (isRename) {
       for (const pair of renamePairs) {
-        if (fs15.existsSync(pair.to)) {
+        if (fs16.existsSync(pair.to)) {
           throw new Error(
             `Rename target '${path20.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
           );
@@ -7302,7 +7554,7 @@ var StructureManager = class {
     const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "environment") : [];
     if (isRename) {
       for (const pair of renamePairs) {
-        if (fs15.existsSync(pair.to)) {
+        if (fs16.existsSync(pair.to)) {
           throw new Error(
             `Rename target '${path20.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
           );
@@ -7339,7 +7591,7 @@ var StructureManager = class {
       const newCellPath = this.swapAxisInCellPath(repoRoot, manifest, cell, axis, newName);
       pairs.push({ from: cell.filePath, to: newCellPath });
       const oldMeta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
-      if (fs15.existsSync(oldMeta)) {
+      if (fs16.existsSync(oldMeta)) {
         const newMeta = newCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
         pairs.push({ from: oldMeta, to: newMeta });
       }
@@ -7379,10 +7631,10 @@ var StructureManager = class {
   applyRenames(pairs) {
     for (const pair of pairs) {
       const targetDir = path20.dirname(pair.to);
-      if (!fs15.existsSync(targetDir)) {
-        fs15.mkdirSync(targetDir, { recursive: true });
+      if (!fs16.existsSync(targetDir)) {
+        fs16.mkdirSync(targetDir, { recursive: true });
       }
-      fs15.renameSync(pair.from, pair.to);
+      fs16.renameSync(pair.from, pair.to);
     }
   }
   /**
@@ -7395,7 +7647,7 @@ var StructureManager = class {
     for (const cell of cells) {
       paths.add(path20.relative(repoRoot, cell.filePath));
       const meta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
-      if (fs15.existsSync(meta)) {
+      if (fs16.existsSync(meta)) {
         paths.add(path20.relative(repoRoot, meta));
       }
     }
@@ -7409,8 +7661,8 @@ var StructureManager = class {
    */
   unlinkMetaSibling(cellPath) {
     const meta = cellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
-    if (fs15.existsSync(meta)) {
-      fs15.unlinkSync(meta);
+    if (fs16.existsSync(meta)) {
+      fs16.unlinkSync(meta);
     }
   }
   /**
@@ -7555,7 +7807,7 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 import * as crypto3 from "crypto";
 
 // src/artifact/output.ts
-import * as fs16 from "fs";
+import * as fs17 from "fs";
 import * as path21 from "path";
 var FilePackOutput = class {
   constructor(outputPath) {
@@ -7563,12 +7815,12 @@ var FilePackOutput = class {
   }
   async write(_artifact, json) {
     const outputDir = path21.dirname(this.outputPath);
-    if (!fs16.existsSync(outputDir)) {
-      fs16.mkdirSync(outputDir, { recursive: true });
+    if (!fs17.existsSync(outputDir)) {
+      fs17.mkdirSync(outputDir, { recursive: true });
     }
     const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
-    fs16.writeFileSync(tmpOutput, json, "utf-8");
-    fs16.renameSync(tmpOutput, this.outputPath);
+    fs17.writeFileSync(tmpOutput, json, "utf-8");
+    fs17.renameSync(tmpOutput, this.outputPath);
   }
 };
 var MemoryPackOutput = class {
@@ -7790,7 +8042,7 @@ var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
 
 // src/migration/backend.ts
 import * as path22 from "path";
-import * as YAML10 from "yaml";
+import * as YAML11 from "yaml";
 var BACKEND_KEY_FIELDS = {
   age: void 0,
   awskms: "aws_kms_arn",
@@ -7913,7 +8165,7 @@ var BackendMigrator = class {
           const doc = readManifestYaml(repoRoot);
           this.updateManifestDoc(doc, target, environment);
           writeManifestYaml(repoRoot, doc);
-          const updatedManifest = YAML10.parse(YAML10.stringify(doc));
+          const updatedManifest = YAML11.parse(YAML11.stringify(doc));
           for (const cell of toMigrate) {
             onProgress?.({
               type: "migrate",
@@ -8306,17 +8558,375 @@ var SyncManager = class {
     };
   }
 };
+
+// src/policy/parser.ts
+import * as fs18 from "fs";
+import * as YAML12 from "yaml";
+
+// src/policy/types.ts
+var DEFAULT_POLICY = Object.freeze({
+  version: 1,
+  rotation: Object.freeze({ max_age_days: 90 })
+});
+
+// src/policy/parser.ts
+var CLEF_POLICY_FILENAME = ".clef/policy.yaml";
+var SUPPORTED_VERSIONS = [1];
+var PolicyParser = class {
+  /**
+   * Read and validate a policy file from disk.
+   *
+   * @throws {@link PolicyValidationError} If the file cannot be read, contains
+   *   invalid YAML, or fails schema validation.
+   */
+  parse(filePath) {
+    let raw;
+    try {
+      raw = fs18.readFileSync(filePath, "utf-8");
+    } catch {
+      throw new PolicyValidationError(`Could not read policy file at '${filePath}'.`);
+    }
+    return this.parseContent(raw);
+  }
+  /**
+   * Parse and validate a policy document from a YAML string.
+   *
+   * @throws {@link PolicyValidationError} If the content is malformed or
+   *   fails validation.
+   */
+  parseContent(content) {
+    let parsed;
+    try {
+      parsed = YAML12.parse(content);
+    } catch {
+      throw new PolicyValidationError(
+        "Policy file contains invalid YAML. Check for syntax errors."
+      );
+    }
+    return this.validate(parsed);
+  }
+  /**
+   * Load policy from disk, returning {@link DEFAULT_POLICY} if the file does
+   * not exist. Any other read or validation error throws.
+   */
+  load(filePath) {
+    if (!fs18.existsSync(filePath)) return DEFAULT_POLICY;
+    return this.parse(filePath);
+  }
+  validate(raw) {
+    if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+      throw new PolicyValidationError("Policy file must be a YAML object.");
+    }
+    const doc = raw;
+    if (!SUPPORTED_VERSIONS.includes(doc.version)) {
+      throw new PolicyValidationError(
+        `Policy file must declare 'version: 1', got: ${JSON.stringify(doc.version)}.`,
+        "version"
+      );
+    }
+    const rotation = doc.rotation === void 0 ? void 0 : this.validateRotation(doc.rotation);
+    return { version: 1, ...rotation ? { rotation } : {} };
+  }
+  validateRotation(raw) {
+    if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+      throw new PolicyValidationError("Policy 'rotation' must be an object.", "rotation");
+    }
+    const rot = raw;
+    const maxAge = rot.max_age_days;
+    if (typeof maxAge !== "number" || !Number.isFinite(maxAge) || maxAge <= 0) {
+      throw new PolicyValidationError(
+        "Policy 'rotation.max_age_days' must be a positive number.",
+        "rotation.max_age_days"
+      );
+    }
+    const result = { max_age_days: maxAge };
+    if (rot.environments !== void 0) {
+      if (typeof rot.environments !== "object" || rot.environments === null || Array.isArray(rot.environments)) {
+        throw new PolicyValidationError(
+          "Policy 'rotation.environments' must be an object keyed by environment name.",
+          "rotation.environments"
+        );
+      }
+      const envs = {};
+      for (const [envName, envVal] of Object.entries(rot.environments)) {
+        if (typeof envVal !== "object" || envVal === null || Array.isArray(envVal)) {
+          throw new PolicyValidationError(
+            `Policy 'rotation.environments.${envName}' must be an object.`,
+            `rotation.environments.${envName}`
+          );
+        }
+        const envMaxAge = envVal.max_age_days;
+        if (typeof envMaxAge !== "number" || !Number.isFinite(envMaxAge) || envMaxAge <= 0) {
+          throw new PolicyValidationError(
+            `Policy 'rotation.environments.${envName}.max_age_days' must be a positive number.`,
+            `rotation.environments.${envName}.max_age_days`
+          );
+        }
+        envs[envName] = { max_age_days: envMaxAge };
+      }
+      result.environments = envs;
+    }
+    return result;
+  }
+};
+
+// src/policy/evaluator.ts
+var MS_PER_DAY = 864e5;
+var DEFAULT_MAX_AGE_DAYS = 90;
+var PolicyEvaluator = class {
+  constructor(policy) {
+    this.policy = policy;
+  }
+  /**
+   * Evaluate a single encrypted file's per-key rotation state.
+   *
+   * @param filePath    Repo-relative or absolute path to the encrypted file.
+   * @param environment Environment name; selects per-env overrides.
+   * @param metadata    SOPS metadata for the file (carries last_modified,
+   *                    backend, recipients).  The evaluator does not read
+   *                    `last_modified` for the policy gate — it is echoed
+   *                    into the output for audit consumers only.
+   * @param keys        Plaintext key names present in the cipher, enumerated
+   *                    from the unencrypted YAML top-level keys (no decrypt
+   *                    required since SOPS stores key names in plaintext).
+   * @param rotations   Rotation records from `.clef-meta.yaml`.  Records for
+   *                    keys not in `keys` are ignored (those are orphans;
+   *                    lint surfaces them as a warning).
+   * @param now         Reference time.  Inject for deterministic tests.
+   */
+  evaluateFile(filePath, environment, metadata, keys, rotations, now = /* @__PURE__ */ new Date()) {
+    const maxAgeDays = this.resolveMaxAgeDays(environment);
+    const byKey = new Map(rotations.map((r) => [r.key, r]));
+    const keyStatuses = keys.map(
+      (key) => this.evaluateKey(key, byKey.get(key), maxAgeDays, now)
+    );
+    return {
+      path: filePath,
+      environment,
+      backend: metadata.backend,
+      recipients: metadata.recipients,
+      last_modified: metadata.lastModified.toISOString(),
+      last_modified_known: metadata.lastModifiedPresent !== false,
+      keys: keyStatuses,
+      // Cell-level compliance is the AND of per-key verdicts.  An empty
+      // `keys` array (cell with no secrets) is vacuously compliant.
+      compliant: keyStatuses.every((k) => k.compliant)
+    };
+  }
+  evaluateKey(key, record, maxAgeDays, now) {
+    if (!record) {
+      return {
+        key,
+        last_rotated_at: null,
+        last_rotated_known: false,
+        rotated_by: null,
+        rotation_count: 0,
+        rotation_due: null,
+        rotation_overdue: false,
+        days_overdue: 0,
+        compliant: false
+      };
+    }
+    const rotationDue = new Date(record.lastRotatedAt.getTime() + maxAgeDays * MS_PER_DAY);
+    const rotationOverdue = now.getTime() > rotationDue.getTime();
+    const daysOverdue = rotationOverdue ? Math.floor((now.getTime() - rotationDue.getTime()) / MS_PER_DAY) : 0;
+    return {
+      key,
+      last_rotated_at: record.lastRotatedAt.toISOString(),
+      last_rotated_known: true,
+      rotated_by: record.rotatedBy,
+      rotation_count: record.rotationCount,
+      rotation_due: rotationDue.toISOString(),
+      rotation_overdue: rotationOverdue,
+      days_overdue: daysOverdue,
+      compliant: !rotationOverdue
+    };
+  }
+  resolveMaxAgeDays(environment) {
+    const envOverride = this.policy.rotation?.environments?.[environment];
+    if (envOverride !== void 0) return envOverride.max_age_days;
+    return this.policy.rotation?.max_age_days ?? DEFAULT_MAX_AGE_DAYS;
+  }
+};
+
+// src/compliance/generator.ts
+import { createHash as createHash3 } from "crypto";
+var SCHEMA_VERSION = "1";
+function canonicalJson(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return `[${value.map(canonicalJson).join(",")}]`;
+  }
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  const entries = keys.map((k) => `${JSON.stringify(k)}:${canonicalJson(obj[k])}`);
+  return `{${entries.join(",")}}`;
+}
+var ComplianceGenerator = class {
+  generate(opts) {
+    const { sha, repo, policy, scanResult, lintResult, files, now } = opts;
+    const generated_at = (now ?? /* @__PURE__ */ new Date()).toISOString();
+    const policy_hash = `sha256:${createHash3("sha256").update(canonicalJson(policy)).digest("hex")}`;
+    return {
+      schema_version: SCHEMA_VERSION,
+      generated_at,
+      sha,
+      repo,
+      policy_hash,
+      policy_snapshot: policy,
+      summary: this.buildSummary(scanResult, lintResult, files),
+      files,
+      scan: scanResult,
+      lint: lintResult
+    };
+  }
+  /**
+   * Compute a {@link ComplianceDocument.policy_hash}-format hash of any
+   * {@link PolicyDocument} without generating a full document.  Useful for
+   * external consumers that want to compare policies across repos.
+   */
+  static hashPolicy(policy) {
+    return `sha256:${createHash3("sha256").update(canonicalJson(policy)).digest("hex")}`;
+  }
+  buildSummary(scan, lint, files) {
+    const rotationOverdue = files.filter((f) => !f.compliant).length;
+    return {
+      total_files: files.length,
+      compliant: files.filter((f) => f.compliant).length,
+      rotation_overdue: rotationOverdue,
+      scan_violations: scan.matches.length,
+      lint_errors: lint.issues.filter((i) => i.severity === "error").length
+    };
+  }
+};
+
+// src/compliance/run.ts
+import * as path25 from "path";
+var UNKNOWN = "unknown";
+async function runCompliance(opts) {
+  const start = Date.now();
+  const repoRoot = opts.repoRoot ?? process.cwd();
+  const manifestPath = opts.manifestPath ?? path25.join(repoRoot, "clef.yaml");
+  const policyPath = opts.policyPath ?? path25.join(repoRoot, CLEF_POLICY_FILENAME);
+  const include = {
+    scan: opts.include?.scan ?? true,
+    lint: opts.include?.lint ?? true,
+    rotation: opts.include?.rotation ?? true
+  };
+  const now = opts.now ?? /* @__PURE__ */ new Date();
+  const manifest = new ManifestParser().parse(manifestPath);
+  const policy = opts.policy ?? new PolicyParser().load(policyPath);
+  const sopsClient = new SopsClient(opts.runner, opts.ageKeyFile, opts.ageKey, opts.sopsPath);
+  const matrixManager = new MatrixManager();
+  const schemaValidator = new SchemaValidator();
+  const [sha, repo, files, scanResult, lintResult] = await Promise.all([
+    opts.sha !== void 0 ? Promise.resolve(opts.sha) : detectSha(opts.runner, repoRoot),
+    opts.repo !== void 0 ? Promise.resolve(opts.repo) : detectRepo(opts.runner, repoRoot),
+    include.rotation ? evaluateMatrix({
+      manifest,
+      repoRoot,
+      policy,
+      matrixManager,
+      sopsClient,
+      filter: opts.filter,
+      now
+    }) : Promise.resolve([]),
+    include.scan ? new ScanRunner(opts.runner).scan(repoRoot, manifest) : Promise.resolve(emptyScan()),
+    include.lint ? new LintRunner(matrixManager, schemaValidator, sopsClient).run(manifest, repoRoot) : Promise.resolve(emptyLint())
+  ]);
+  const adjustedLint = downgradeDecryptIssues(lintResult);
+  const document = new ComplianceGenerator().generate({
+    sha,
+    repo,
+    policy,
+    scanResult,
+    lintResult: adjustedLint,
+    files,
+    now
+  });
+  const passed = document.summary.rotation_overdue === 0 && document.summary.scan_violations === 0 && document.summary.lint_errors === 0;
+  return { document, passed, durationMs: Date.now() - start };
+}
+async function evaluateMatrix(args) {
+  const evaluator = new PolicyEvaluator(args.policy);
+  const cells = args.matrixManager.resolveMatrix(args.manifest, args.repoRoot).filter((c) => applyFilter(c.namespace, c.environment, args.filter)).filter((c) => c.exists);
+  return Promise.all(
+    cells.map(async (cell) => {
+      const metadata = await args.sopsClient.getMetadata(cell.filePath);
+      const relPath = path25.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
+      const keys = readSopsKeyNames(cell.filePath) ?? [];
+      const rotations = await getRotations(cell.filePath);
+      return evaluator.evaluateFile(relPath, cell.environment, metadata, keys, rotations, args.now);
+    })
+  );
+}
+function applyFilter(namespace, environment, filter) {
+  if (filter?.namespaces?.length && !filter.namespaces.includes(namespace)) return false;
+  if (filter?.environments?.length && !filter.environments.includes(environment)) return false;
+  return true;
+}
+function emptyScan() {
+  return {
+    matches: [],
+    filesScanned: 0,
+    filesSkipped: 0,
+    unencryptedMatrixFiles: [],
+    durationMs: 0
+  };
+}
+function emptyLint() {
+  return { issues: [], fileCount: 0, pendingCount: 0 };
+}
+function downgradeDecryptIssues(result) {
+  return {
+    ...result,
+    issues: result.issues.map((issue) => {
+      if (issue.category === "sops" && issue.message.startsWith("Failed to decrypt")) {
+        return {
+          ...issue,
+          severity: "info",
+          message: `File not decryptable in this environment (compliance runs without keys). Original check: ${issue.message}`
+        };
+      }
+      return issue;
+    })
+  };
+}
+async function detectSha(runner, repoRoot) {
+  const env = process.env;
+  const fromEnv = env.GITHUB_SHA ?? env.CI_COMMIT_SHA ?? env.BITBUCKET_COMMIT ?? env.CIRCLE_SHA1 ?? env.BUILD_VCS_NUMBER;
+  if (fromEnv) return fromEnv;
+  const result = await runner.run("git", ["rev-parse", "HEAD"], { cwd: repoRoot });
+  if (result.exitCode !== 0) return UNKNOWN;
+  const trimmed = result.stdout.trim();
+  return trimmed || UNKNOWN;
+}
+async function detectRepo(runner, repoRoot) {
+  const env = process.env;
+  const fromEnv = env.GITHUB_REPOSITORY ?? env.CI_PROJECT_PATH ?? env.BITBUCKET_REPO_FULL_NAME ?? (env.CIRCLE_PROJECT_USERNAME && env.CIRCLE_PROJECT_REPONAME ? `${env.CIRCLE_PROJECT_USERNAME}/${env.CIRCLE_PROJECT_REPONAME}` : void 0);
+  if (fromEnv) return fromEnv;
+  const result = await runner.run("git", ["remote", "get-url", "origin"], { cwd: repoRoot });
+  if (result.exitCode !== 0) return UNKNOWN;
+  const url = result.stdout.trim();
+  const match = url.match(/[:/]([^/:]+)\/([^/]+?)(?:\.git)?\/?$/);
+  return match ? `${match[1]}/${match[2]}` : UNKNOWN;
+}
 export {
   ArtifactPacker,
   BackendMigrator,
   BulkOps,
   CLEF_MANIFEST_FILENAME,
+  CLEF_POLICY_FILENAME,
   CLEF_REPORT_SCHEMA_VERSION,
   CLEF_SUPPORTED_EXTENSIONS,
   ClefError,
   CloudApiError,
   CloudClient,
+  ComplianceGenerator,
   ConsumptionClient,
+  DEFAULT_POLICY,
   DiffEngine,
   DriftDetector,
   FilePackOutput,
@@ -8328,6 +8938,9 @@ export {
   ManifestValidationError,
   MatrixManager,
   MemoryPackOutput,
+  PolicyEvaluator,
+  PolicyParser,
+  PolicyValidationError,
   REQUESTS_FILENAME,
   REQUIREMENTS,
   RecipientManager,
@@ -8368,6 +8981,7 @@ export {
   generateRandomValue,
   generateSigningKeyPair,
   getPendingKeys,
+  getRotations,
   isHighEntropy,
   isKmsEnvelope,
   isPending,
@@ -8379,6 +8993,8 @@ export {
   markPendingWithRetry,
   markResolved,
   matchPatterns,
+  mergeMetadataContents,
+  mergeMetadataFiles,
   metadataPath,
   parse9 as parse,
   parseDotenv,
@@ -8386,14 +9002,17 @@ export {
   parseJson,
   parseYaml,
   readManifestYaml,
+  recordRotation,
   redactValue,
   removeRequest as removeAccessRequest,
+  removeRotation,
   requestsFilePath,
   resetSopsResolution,
   resolveBackendConfig,
   resolveIdentitySecrets,
   resolveRecipientsForEnvironment,
   resolveSopsPath,
+  runCompliance,
   saveMetadata,
   saveRequests,
   shannonEntropy,