@clef-sh/core 0.1.18 → 0.1.20-beta.142

package/dist/artifact/guards.d.ts

@@ -0,0 +1,40 @@
+import { ClefError } from "../types";
+import type { KmsEnvelope, PackedArtifact } from "./types";
+/** Discriminated union returned by {@link validatePackedArtifact}. */
+export type ValidationResult<T> = {
+    valid: true;
+    value: T;
+} | {
+    valid: false;
+    reason: string;
+};
+/**
+ * Thrown by {@link assertPackedArtifact} when an unknown value does not
+ * conform to the {@link PackedArtifact} shape. Follows the {@link ClefError}
+ * convention so callers can catch uniformly.
+ */
+export declare class InvalidArtifactError extends ClefError {
+    constructor(message: string);
+}
+/**
+ * Type predicate for {@link KmsEnvelope}. Verifies shape only — does not
+ * check semantic validity (e.g. non-empty strings, valid base64).
+ */
+export declare function isKmsEnvelope(x: unknown): x is KmsEnvelope;
+/**
+ * Validate an unknown value as a {@link PackedArtifact} and return a
+ * discriminated result with a field-level reason on failure. Semantic
+ * checks (non-empty strings, signature validity, expiry) live in the
+ * runtime's poller, not here — this is a pure shape guard.
+ */
+export declare function validatePackedArtifact(x: unknown): ValidationResult<PackedArtifact>;
+/** Type predicate for {@link PackedArtifact}. */
+export declare function isPackedArtifact(x: unknown): x is PackedArtifact;
+/**
+ * Assertion form of {@link validatePackedArtifact}. Throws with a
+ * context-prefixed error message on invalid input. Intended for parse
+ * boundaries (after `JSON.parse`) where a malformed artifact should be
+ * a hard failure.
+ */
+export declare function assertPackedArtifact(x: unknown, context?: string): asserts x is PackedArtifact;
+//# sourceMappingURL=guards.d.ts.map

package/dist/artifact/guards.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guards.d.ts","sourceRoot":"","sources":["../../src/artifact/guards.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAsB,MAAM,SAAS,CAAC;AAE/E,sEAAsE;AACtE,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,CAAC,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE/F;;;;GAIG;AACH,qBAAa,oBAAqB,SAAQ,SAAS;gBACrC,OAAO,EAAE,MAAM;CAO5B;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAW1D;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAkDnF;AAED,iDAAiD;AACjD,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,cAAc,CAEhE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,IAAI,cAAc,CAM9F"}

package/dist/artifact/packer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAKjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA+H9F"}
+{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAKjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAiI9F"}

package/dist/artifact/types.d.ts

@@ -1,5 +1,5 @@
 /** KMS envelope metadata for artifacts using KMS envelope encryption. */
-export interface ArtifactEnvelope {
+export interface KmsEnvelope {
     /** KMS provider that wrapped the DEK (e.g. "aws", "gcp", "azure"). */
     provider: string;
     /** KMS key ARN/ID used to wrap the AES-256 DEK. */
@@ -31,9 +31,11 @@ export interface PackedArtifact {
     /** Base64-encoded ciphertext. Age format for age-only artifacts; AES-256-GCM for KMS envelope artifacts. */
     ciphertext: string;
     /** KMS envelope metadata. Present when the identity uses KMS envelope encryption. */
-    envelope?: ArtifactEnvelope;
+    envelope?: KmsEnvelope;
     /** ISO-8601 expiry timestamp. Artifact is rejected after this time. */
     expiresAt?: string;
+    /** ISO-8601 revocation timestamp. Present when the artifact has been revoked. */
+    revokedAt?: string;
     /** Base64-encoded cryptographic signature over the canonical artifact payload. */
     signature?: string;
     /** Algorithm used to produce the signature. */
@@ -68,6 +70,13 @@ export interface PackResult {
     namespaceCount: number;
     /** Number of secret keys in the artifact. */
     keyCount: number;
+    /**
+     * Names of the secret keys included in the artifact. Plaintext names only;
+     * values stay encrypted in `PackedArtifact.ciphertext`. Callers (e.g. the
+     * CDK library's synth-time validator) use this list to verify shape-template
+     * references before deploy. Order is not guaranteed.
+     */
+    keys: string[];
     /** Size of the artifact file in bytes. */
     artifactSize: number;
     /** Monotonic revision string. */

package/dist/artifact/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,4GAA4G;IAC5G,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,2CAA2C;AAC3C,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,QAAQ,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8FAA8F;IAC9F,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/artifact/types.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,WAAW,WAAW;IAC1B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+CAA+C;AAC/C,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,cAAc,CAAC;AAE5D,kFAAkF;AAClF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,4GAA4G;IAC5G,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,WAAW,CAAC;IACvB,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,2CAA2C;AAC3C,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,QAAQ,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8FAA8F;IAC9F,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,kCAAkC;AAClC,MAAM,WAAW,UAAU;IACzB,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;;OAKG;IACH,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/hsm/bundled.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Try to locate the bundled clef-keyservice binary from the platform-specific
+ * npm package. Returns the resolved path or null if the package is not installed.
+ *
+ * Windows is intentionally unsupported: the keyservice's PKCS#11 dependency
+ * (miekg/pkcs11) requires per-vendor DLL conventions that are out of scope
+ * for v1. Returns null on win32; callers surface a clean error upstream.
+ */
+export declare function tryBundledKeyservice(): string | null;
+//# sourceMappingURL=bundled.d.ts.map

package/dist/hsm/bundled.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundled.d.ts","sourceRoot":"","sources":["../../src/hsm/bundled.ts"],"names":[],"mappings":"AAQA;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,IAAI,CAsBpD"}

package/dist/hsm/index.d.ts

@@ -0,0 +1,4 @@
+export { tryBundledKeyservice } from "./bundled";
+export { resolveKeyservicePath, resetKeyserviceResolution, type KeyserviceResolution, type KeyserviceSource, } from "./resolver";
+export { spawnKeyservice, type KeyserviceHandle, type SpawnKeyserviceOptions } from "./keyservice";
+//# sourceMappingURL=index.d.ts.map

package/dist/hsm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/hsm/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EACL,qBAAqB,EACrB,yBAAyB,EACzB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,GACtB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,eAAe,EAAE,KAAK,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,cAAc,CAAC"}

package/dist/hsm/keyservice.d.ts

@@ -0,0 +1,36 @@
+export interface KeyserviceHandle {
+    /** Address for SOPS `--keyservice` flag, e.g. `tcp://127.0.0.1:12345`. */
+    addr: string;
+    /** Gracefully stop the keyservice process. SIGTERM, then SIGKILL after 3s. */
+    kill(): Promise<void>;
+}
+export interface SpawnKeyserviceOptions {
+    /** Absolute path to the clef-keyservice binary (from {@link resolveKeyservicePath}). */
+    binaryPath: string;
+    /** Path to the vendor PKCS#11 shared library (e.g. `/usr/lib/softhsm/libsofthsm2.so`). */
+    modulePath: string;
+    /**
+     * HSM user PIN. Passed via `CLEF_PKCS11_PIN` env. Mutually exclusive
+     * with {@link pinFile}. At least one must be provided.
+     */
+    pin?: string;
+    /**
+     * Path to a 0600 file containing the user PIN. Passed via
+     * `CLEF_PKCS11_PIN_FILE` env. The keyservice reads the file itself.
+     */
+    pinFile?: string;
+    /**
+     * Extra environment variables to pass through. Vendor modules often
+     * need their own config env (`SOFTHSM2_CONF`, `YUBIHSM_PKCS11_CONF`,
+     * `ChrystokiConfigurationPath`). Forwarded verbatim.
+     */
+    extraEnv?: Record<string, string>;
+}
+/**
+ * Spawn a clef-keyservice sidecar and wait for it to report its port.
+ *
+ * @throws If neither `pin` nor `pinFile` is provided, if startup exceeds
+ *   {@link STARTUP_TIMEOUT_MS}, or if the child exits before reporting `PORT=`.
+ */
+export declare function spawnKeyservice(options: SpawnKeyserviceOptions): Promise<KeyserviceHandle>;
+//# sourceMappingURL=keyservice.d.ts.map

package/dist/hsm/keyservice.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyservice.d.ts","sourceRoot":"","sources":["../../src/hsm/keyservice.ts"],"names":[],"mappings":"AAqBA,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAC;IACb,8EAA8E;IAC9E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,sBAAsB;IACrC,wFAAwF;IACxF,UAAU,EAAE,MAAM,CAAC;IACnB,0FAA0F;IAC1F,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAMD;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA6BhG"}

package/dist/hsm/resolver.d.ts

@@ -0,0 +1,22 @@
+export type KeyserviceSource = "env" | "bundled" | "system";
+export interface KeyserviceResolution {
+    /** Absolute path to the keyservice binary, or "clef-keyservice" for system PATH fallback. */
+    path: string;
+    /** How the binary was located. */
+    source: KeyserviceSource;
+}
+/**
+ * Resolve the clef-keyservice binary path.
+ *
+ * Resolution order:
+ *   1. `CLEF_KEYSERVICE_PATH` env var — explicit override
+ *   2. Bundled `@clef-sh/keyservice-{platform}-{arch}` package
+ *   3. System PATH fallback — returns bare `"clef-keyservice"`
+ *
+ * The result is cached module-wide. Call {@link resetKeyserviceResolution}
+ * in tests to clear the cache.
+ */
+export declare function resolveKeyservicePath(): KeyserviceResolution;
+/** Clear the cached resolution. Only intended for use in tests. */
+export declare function resetKeyserviceResolution(): void;
+//# sourceMappingURL=resolver.d.ts.map

package/dist/hsm/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/hsm/resolver.ts"],"names":[],"mappings":"AA2BA,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,SAAS,GAAG,QAAQ,CAAC;AAE5D,MAAM,WAAW,oBAAoB;IACnC,6FAA6F;IAC7F,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,IAAI,oBAAoB,CAqB5D;AAED,mEAAmE;AACnE,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD"}

package/dist/index.d.mts

@@ -11,8 +11,11 @@ export { GitIntegration } from "./git/integration";
 export { TransactionManager, TransactionLockError, TransactionPreflightError, TransactionRollbackError, } from "./tx";
 export type { TransactionOptions, TransactionResult } from "./tx";
 export { SopsClient } from "./sops/client";
+export { isClefHsmArn, pkcs11UriToSyntheticArn, syntheticArnToPkcs11Uri } from "./sops/hsm-arn";
 export { resolveSopsPath, resetSopsResolution } from "./sops/resolver";
 export type { SopsResolution, SopsSource } from "./sops/resolver";
+export { resolveKeyservicePath, resetKeyserviceResolution, spawnKeyservice, tryBundledKeyservice, } from "./hsm";
+export type { KeyserviceHandle, KeyserviceResolution, KeyserviceSource, SpawnKeyserviceOptions, } from "./hsm";
 export { LintRunner } from "./lint/runner";
 export { ConsumptionClient } from "./consumption/client";
 export { checkDependency, checkAll, assertSops, REQUIREMENTS } from "./dependencies/checker";
@@ -42,8 +45,14 @@ export { resolveIdentitySecrets } from "./artifact/resolve";
 export type { ResolvedSecrets } from "./artifact/resolve";
 export { ArtifactPacker } from "./artifact/packer";
 export { FilePackOutput, MemoryPackOutput } from "./artifact/output";
-export type { PackedArtifact, PackConfig, PackResult, PackOutput, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
+export { isPackedArtifact, validatePackedArtifact, assertPackedArtifact, InvalidArtifactError, } from "./artifact/guards";
+export type { ValidationResult } from "./artifact/guards";
+export type { PackedArtifact, PackConfig, PackResult, PackOutput, KmsEnvelope, SignatureAlgorithm, } from "./artifact/types";
 export { buildSigningPayload, generateSigningKeyPair, signEd25519, signKms, verifySignature, detectAlgorithm, } from "./artifact/signer";
+export { PackBackendRegistry } from "./pack/registry";
+export type { PackBackend, PackBackendFactory, PackRequest, PackServices, BackendPackResult, } from "./pack/types";
+export { JsonEnvelopeBackend } from "./pack/backends/json-envelope";
+export type { JsonEnvelopeOptions } from "./pack/backends/json-envelope";
 export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
 export { VALID_KMS_PROVIDERS } from "./kms";
 export { BackendMigrator } from "./migration/backend";

package/dist/index.d.ts

@@ -11,8 +11,11 @@ export { GitIntegration } from "./git/integration";
 export { TransactionManager, TransactionLockError, TransactionPreflightError, TransactionRollbackError, } from "./tx";
 export type { TransactionOptions, TransactionResult } from "./tx";
 export { SopsClient } from "./sops/client";
+export { isClefHsmArn, pkcs11UriToSyntheticArn, syntheticArnToPkcs11Uri } from "./sops/hsm-arn";
 export { resolveSopsPath, resetSopsResolution } from "./sops/resolver";
 export type { SopsResolution, SopsSource } from "./sops/resolver";
+export { resolveKeyservicePath, resetKeyserviceResolution, spawnKeyservice, tryBundledKeyservice, } from "./hsm";
+export type { KeyserviceHandle, KeyserviceResolution, KeyserviceSource, SpawnKeyserviceOptions, } from "./hsm";
 export { LintRunner } from "./lint/runner";
 export { ConsumptionClient } from "./consumption/client";
 export { checkDependency, checkAll, assertSops, REQUIREMENTS } from "./dependencies/checker";
@@ -42,8 +45,14 @@ export { resolveIdentitySecrets } from "./artifact/resolve";
 export type { ResolvedSecrets } from "./artifact/resolve";
 export { ArtifactPacker } from "./artifact/packer";
 export { FilePackOutput, MemoryPackOutput } from "./artifact/output";
-export type { PackedArtifact, PackConfig, PackResult, PackOutput, ArtifactEnvelope, SignatureAlgorithm, } from "./artifact/types";
+export { isPackedArtifact, validatePackedArtifact, assertPackedArtifact, InvalidArtifactError, } from "./artifact/guards";
+export type { ValidationResult } from "./artifact/guards";
+export type { PackedArtifact, PackConfig, PackResult, PackOutput, KmsEnvelope, SignatureAlgorithm, } from "./artifact/types";
 export { buildSigningPayload, generateSigningKeyPair, signEd25519, signKms, verifySignature, detectAlgorithm, } from "./artifact/signer";
+export { PackBackendRegistry } from "./pack/registry";
+export type { PackBackend, PackBackendFactory, PackRequest, PackServices, BackendPackResult, } from "./pack/types";
+export { JsonEnvelopeBackend } from "./pack/backends/json-envelope";
+export type { JsonEnvelopeOptions } from "./pack/backends/json-envelope";
 export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
 export { VALID_KMS_PROVIDERS } from "./kms";
 export { BackendMigrator } from "./migration/backend";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAC1F,OAAO,EACL,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,yBAAyB,EACzB,wBAAwB,GACzB,MAAM,MAAM,CAAC;AACd,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACzF,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,cAAc,EACd,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACpG,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,IAAI,mBAAmB,EACpC,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AACpF,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,YAAY,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,YAAY,EACV,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrE,YAAY,EACV,cAAc,EACd,UAAU,EACV,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,WAAW,EACX,OAAO,EACP,eAAe,EACf,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAClF,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC7E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9E,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,yBAAyB,EACzB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAC1F,OAAO,EACL,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,yBAAyB,EACzB,wBAAwB,GACzB,MAAM,MAAM,CAAC;AACd,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAChG,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClE,OAAO,EACL,qBAAqB,EACrB,yBAAyB,EACzB,eAAe,EACf,oBAAoB,GACrB,MAAM,OAAO,CAAC;AACf,YAAY,EACV,gBAAgB,EAChB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACzF,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,cAAc,EACd,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACpG,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,IAAI,mBAAmB,EACpC,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,WAAW,EACX,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AACpF,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,YAAY,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,YAAY,EACV,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAC1D,YAAY,EACV,cAAc,EACd,UAAU,EACV,UAAU,EACV,UAAU,EACV,WAAW,EACX,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,WAAW,EACX,OAAO,EACP,eAAe,EACf,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,YAAY,EACV,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,YAAY,EACZ,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,YAAY,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACzE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAClF,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC7E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9E,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,yBAAyB,EACzB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}