npm - @clef-sh/core - Versions diffs - 0.1.20-beta.143 → 0.1.21-beta.154 - Mend

@clef-sh/core 0.1.20-beta.143 → 0.1.21-beta.154

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/artifact/hash.d.ts +10 -0
package/dist/artifact/hash.d.ts.map +1 -0
package/dist/artifact/packer.d.ts.map +1 -1
package/dist/envelope-debug/builders.d.ts +28 -0
package/dist/envelope-debug/builders.d.ts.map +1 -0
package/dist/envelope-debug/index.d.ts +5 -0
package/dist/envelope-debug/index.d.ts.map +1 -0
package/dist/envelope-debug/signer-key.d.ts +18 -0
package/dist/envelope-debug/signer-key.d.ts.map +1 -0
package/dist/envelope-debug/types.d.ts +142 -0
package/dist/envelope-debug/types.d.ts.map +1 -0
package/dist/envelope-debug/warnings.d.ts +23 -0
package/dist/envelope-debug/warnings.d.ts.map +1 -0
package/dist/index.d.mts +5 -0
package/dist/index.d.ts +5 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +715 -412
package/dist/index.js.map +4 -4
package/dist/index.mjs +695 -407
package/dist/index.mjs.map +4 -4
package/dist/schema/validator.d.ts.map +1 -1
package/dist/schema/writer.d.ts +61 -0
package/dist/schema/writer.d.ts.map +1 -0
package/dist/types/index.d.ts +1 -4
package/dist/types/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -304,10 +304,10 @@ var require_lib = __commonJS({
     module2.exports.sync = writeFileSync7;
     module2.exports._getTmpname = getTmpname;
     module2.exports._cleanupOnExit = cleanupOnExit;
-    var fs21 = require("fs");
-    var crypto5 = require("node:crypto");
+    var fs22 = require("fs");
+    var crypto7 = require("node:crypto");
     var { onExit } = require_cjs();
-    var path28 = require("path");
+    var path29 = require("path");
     var { promisify } = require("util");
     var activeFiles = {};
     var threadId = (function getId() {
@@ -320,24 +320,24 @@ var require_lib = __commonJS({
     })();
     var invocations = 0;
     function getTmpname(filename) {
-      return filename + "." + crypto5.createHash("sha1").update(__filename).update(String(process.pid)).update(String(threadId)).update(String(++invocations)).digest().readUInt32BE(0);
+      return filename + "." + crypto7.createHash("sha1").update(__filename).update(String(process.pid)).update(String(threadId)).update(String(++invocations)).digest().readUInt32BE(0);
     }
     function cleanupOnExit(tmpfile) {
       return () => {
         try {
-          fs21.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
+          fs22.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
         } catch {
         }
       };
     }
     function serializeActiveFile(absoluteName) {
-      return new Promise((resolve) => {
+      return new Promise((resolve2) => {
         if (!activeFiles[absoluteName]) {
           activeFiles[absoluteName] = [];
         }
-        activeFiles[absoluteName].push(resolve);
+        activeFiles[absoluteName].push(resolve2);
         if (activeFiles[absoluteName].length === 1) {
-          resolve();
+          resolve2();
         }
       });
     }
@@ -360,13 +360,13 @@ var require_lib = __commonJS({
       let fd;
       let tmpfile;
       const removeOnExitHandler = onExit(cleanupOnExit(() => tmpfile));
-      const absoluteName = path28.resolve(filename);
+      const absoluteName = path29.resolve(filename);
       try {
         await serializeActiveFile(absoluteName);
-        const truename = await promisify(fs21.realpath)(filename).catch(() => filename);
+        const truename = await promisify(fs22.realpath)(filename).catch(() => filename);
         tmpfile = getTmpname(truename);
         if (!options.mode || !options.chown) {
-          const stats = await promisify(fs21.stat)(truename).catch(() => {
+          const stats = await promisify(fs22.stat)(truename).catch(() => {
           });
           if (stats) {
             if (options.mode == null) {
@@ -377,45 +377,45 @@ var require_lib = __commonJS({
             }
           }
         }
-        fd = await promisify(fs21.open)(tmpfile, "w", options.mode);
+        fd = await promisify(fs22.open)(tmpfile, "w", options.mode);
         if (options.tmpfileCreated) {
           await options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          await promisify(fs21.write)(fd, data, 0, data.length, 0);
+          await promisify(fs22.write)(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          await promisify(fs21.write)(fd, String(data), 0, String(options.encoding || "utf8"));
+          await promisify(fs22.write)(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          await promisify(fs21.fsync)(fd);
+          await promisify(fs22.fsync)(fd);
         }
-        await promisify(fs21.close)(fd);
+        await promisify(fs22.close)(fd);
         fd = null;
         if (options.chown) {
-          await promisify(fs21.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
+          await promisify(fs22.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
         if (options.mode) {
-          await promisify(fs21.chmod)(tmpfile, options.mode).catch((err) => {
+          await promisify(fs22.chmod)(tmpfile, options.mode).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
-        await promisify(fs21.rename)(tmpfile, truename);
+        await promisify(fs22.rename)(tmpfile, truename);
       } finally {
         if (fd) {
-          await promisify(fs21.close)(fd).catch(
+          await promisify(fs22.close)(fd).catch(
             /* istanbul ignore next */
             () => {
             }
           );
         }
         removeOnExitHandler();
-        await promisify(fs21.unlink)(tmpfile).catch(() => {
+        await promisify(fs22.unlink)(tmpfile).catch(() => {
         });
         activeFiles[absoluteName].shift();
         if (activeFiles[absoluteName].length > 0) {
@@ -448,13 +448,13 @@ var require_lib = __commonJS({
         options = {};
       }
       try {
-        filename = fs21.realpathSync(filename);
+        filename = fs22.realpathSync(filename);
       } catch (ex) {
       }
       const tmpfile = getTmpname(filename);
       if (!options.mode || !options.chown) {
         try {
-          const stats = fs21.statSync(filename);
+          const stats = fs22.statSync(filename);
           options = Object.assign({}, options);
           if (!options.mode) {
             options.mode = stats.mode;
@@ -470,23 +470,23 @@ var require_lib = __commonJS({
       const removeOnExitHandler = onExit(cleanup);
       let threw = true;
       try {
-        fd = fs21.openSync(tmpfile, "w", options.mode || 438);
+        fd = fs22.openSync(tmpfile, "w", options.mode || 438);
         if (options.tmpfileCreated) {
           options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          fs21.writeSync(fd, data, 0, data.length, 0);
+          fs22.writeSync(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          fs21.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
+          fs22.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          fs21.fsyncSync(fd);
+          fs22.fsyncSync(fd);
         }
-        fs21.closeSync(fd);
+        fs22.closeSync(fd);
         fd = null;
         if (options.chown) {
           try {
-            fs21.chownSync(tmpfile, options.chown.uid, options.chown.gid);
+            fs22.chownSync(tmpfile, options.chown.uid, options.chown.gid);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
@@ -495,19 +495,19 @@ var require_lib = __commonJS({
         }
         if (options.mode) {
           try {
-            fs21.chmodSync(tmpfile, options.mode);
+            fs22.chmodSync(tmpfile, options.mode);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
             }
           }
         }
-        fs21.renameSync(tmpfile, filename);
+        fs22.renameSync(tmpfile, filename);
         threw = false;
       } finally {
         if (fd) {
           try {
-            fs21.closeSync(fd);
+            fs22.closeSync(fd);
           } catch (ex) {
           }
         }
@@ -546,54 +546,54 @@ var require_polyfills = __commonJS({
     }
     var chdir;
     module2.exports = patch;
-    function patch(fs21) {
+    function patch(fs22) {
       if (constants.hasOwnProperty("O_SYMLINK") && process.version.match(/^v0\.6\.[0-2]|^v0\.5\./)) {
-        patchLchmod(fs21);
-      }
-      if (!fs21.lutimes) {
-        patchLutimes(fs21);
-      }
-      fs21.chown = chownFix(fs21.chown);
-      fs21.fchown = chownFix(fs21.fchown);
-      fs21.lchown = chownFix(fs21.lchown);
-      fs21.chmod = chmodFix(fs21.chmod);
-      fs21.fchmod = chmodFix(fs21.fchmod);
-      fs21.lchmod = chmodFix(fs21.lchmod);
-      fs21.chownSync = chownFixSync(fs21.chownSync);
-      fs21.fchownSync = chownFixSync(fs21.fchownSync);
-      fs21.lchownSync = chownFixSync(fs21.lchownSync);
-      fs21.chmodSync = chmodFixSync(fs21.chmodSync);
-      fs21.fchmodSync = chmodFixSync(fs21.fchmodSync);
-      fs21.lchmodSync = chmodFixSync(fs21.lchmodSync);
-      fs21.stat = statFix(fs21.stat);
-      fs21.fstat = statFix(fs21.fstat);
-      fs21.lstat = statFix(fs21.lstat);
-      fs21.statSync = statFixSync(fs21.statSync);
-      fs21.fstatSync = statFixSync(fs21.fstatSync);
-      fs21.lstatSync = statFixSync(fs21.lstatSync);
-      if (fs21.chmod && !fs21.lchmod) {
-        fs21.lchmod = function(path28, mode, cb) {
+        patchLchmod(fs22);
+      }
+      if (!fs22.lutimes) {
+        patchLutimes(fs22);
+      }
+      fs22.chown = chownFix(fs22.chown);
+      fs22.fchown = chownFix(fs22.fchown);
+      fs22.lchown = chownFix(fs22.lchown);
+      fs22.chmod = chmodFix(fs22.chmod);
+      fs22.fchmod = chmodFix(fs22.fchmod);
+      fs22.lchmod = chmodFix(fs22.lchmod);
+      fs22.chownSync = chownFixSync(fs22.chownSync);
+      fs22.fchownSync = chownFixSync(fs22.fchownSync);
+      fs22.lchownSync = chownFixSync(fs22.lchownSync);
+      fs22.chmodSync = chmodFixSync(fs22.chmodSync);
+      fs22.fchmodSync = chmodFixSync(fs22.fchmodSync);
+      fs22.lchmodSync = chmodFixSync(fs22.lchmodSync);
+      fs22.stat = statFix(fs22.stat);
+      fs22.fstat = statFix(fs22.fstat);
+      fs22.lstat = statFix(fs22.lstat);
+      fs22.statSync = statFixSync(fs22.statSync);
+      fs22.fstatSync = statFixSync(fs22.fstatSync);
+      fs22.lstatSync = statFixSync(fs22.lstatSync);
+      if (fs22.chmod && !fs22.lchmod) {
+        fs22.lchmod = function(path29, mode, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs21.lchmodSync = function() {
+        fs22.lchmodSync = function() {
         };
       }
-      if (fs21.chown && !fs21.lchown) {
-        fs21.lchown = function(path28, uid, gid, cb) {
+      if (fs22.chown && !fs22.lchown) {
+        fs22.lchown = function(path29, uid, gid, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs21.lchownSync = function() {
+        fs22.lchownSync = function() {
         };
       }
       if (platform === "win32") {
-        fs21.rename = typeof fs21.rename !== "function" ? fs21.rename : (function(fs$rename) {
+        fs22.rename = typeof fs22.rename !== "function" ? fs22.rename : (function(fs$rename) {
           function rename(from, to, cb) {
             var start = Date.now();
             var backoff = 0;
             fs$rename(from, to, function CB(er) {
               if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
                 setTimeout(function() {
-                  fs21.stat(to, function(stater, st) {
+                  fs22.stat(to, function(stater, st) {
                     if (stater && stater.code === "ENOENT")
                       fs$rename(from, to, CB);
                     else
@@ -609,9 +609,9 @@ var require_polyfills = __commonJS({
           }
           if (Object.setPrototypeOf) Object.setPrototypeOf(rename, fs$rename);
           return rename;
-        })(fs21.rename);
+        })(fs22.rename);
       }
-      fs21.read = typeof fs21.read !== "function" ? fs21.read : (function(fs$read) {
+      fs22.read = typeof fs22.read !== "function" ? fs22.read : (function(fs$read) {
         function read(fd, buffer, offset, length, position, callback_) {
           var callback;
           if (callback_ && typeof callback_ === "function") {
@@ -619,22 +619,22 @@ var require_polyfills = __commonJS({
             callback = function(er, _, __) {
               if (er && er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
-                return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
+                return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
               }
               callback_.apply(this, arguments);
             };
           }
-          return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
+          return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
         }
         if (Object.setPrototypeOf) Object.setPrototypeOf(read, fs$read);
         return read;
-      })(fs21.read);
-      fs21.readSync = typeof fs21.readSync !== "function" ? fs21.readSync : /* @__PURE__ */ (function(fs$readSync) {
+      })(fs22.read);
+      fs22.readSync = typeof fs22.readSync !== "function" ? fs22.readSync : /* @__PURE__ */ (function(fs$readSync) {
         return function(fd, buffer, offset, length, position) {
           var eagCounter = 0;
           while (true) {
             try {
-              return fs$readSync.call(fs21, fd, buffer, offset, length, position);
+              return fs$readSync.call(fs22, fd, buffer, offset, length, position);
             } catch (er) {
               if (er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
@@ -644,11 +644,11 @@ var require_polyfills = __commonJS({
             }
           }
         };
-      })(fs21.readSync);
-      function patchLchmod(fs22) {
-        fs22.lchmod = function(path28, mode, callback) {
-          fs22.open(
-            path28,
+      })(fs22.readSync);
+      function patchLchmod(fs23) {
+        fs23.lchmod = function(path29, mode, callback) {
+          fs23.open(
+            path29,
             constants.O_WRONLY | constants.O_SYMLINK,
             mode,
             function(err, fd) {
@@ -656,80 +656,80 @@ var require_polyfills = __commonJS({
                 if (callback) callback(err);
                 return;
               }
-              fs22.fchmod(fd, mode, function(err2) {
-                fs22.close(fd, function(err22) {
+              fs23.fchmod(fd, mode, function(err2) {
+                fs23.close(fd, function(err22) {
                   if (callback) callback(err2 || err22);
                 });
               });
             }
           );
         };
-        fs22.lchmodSync = function(path28, mode) {
-          var fd = fs22.openSync(path28, constants.O_WRONLY | constants.O_SYMLINK, mode);
+        fs23.lchmodSync = function(path29, mode) {
+          var fd = fs23.openSync(path29, constants.O_WRONLY | constants.O_SYMLINK, mode);
           var threw = true;
           var ret;
           try {
-            ret = fs22.fchmodSync(fd, mode);
+            ret = fs23.fchmodSync(fd, mode);
             threw = false;
           } finally {
             if (threw) {
               try {
-                fs22.closeSync(fd);
+                fs23.closeSync(fd);
               } catch (er) {
               }
             } else {
-              fs22.closeSync(fd);
+              fs23.closeSync(fd);
             }
           }
           return ret;
         };
       }
-      function patchLutimes(fs22) {
-        if (constants.hasOwnProperty("O_SYMLINK") && fs22.futimes) {
-          fs22.lutimes = function(path28, at, mt, cb) {
-            fs22.open(path28, constants.O_SYMLINK, function(er, fd) {
+      function patchLutimes(fs23) {
+        if (constants.hasOwnProperty("O_SYMLINK") && fs23.futimes) {
+          fs23.lutimes = function(path29, at, mt, cb) {
+            fs23.open(path29, constants.O_SYMLINK, function(er, fd) {
               if (er) {
                 if (cb) cb(er);
                 return;
               }
-              fs22.futimes(fd, at, mt, function(er2) {
-                fs22.close(fd, function(er22) {
+              fs23.futimes(fd, at, mt, function(er2) {
+                fs23.close(fd, function(er22) {
                   if (cb) cb(er2 || er22);
                 });
               });
             });
           };
-          fs22.lutimesSync = function(path28, at, mt) {
-            var fd = fs22.openSync(path28, constants.O_SYMLINK);
+          fs23.lutimesSync = function(path29, at, mt) {
+            var fd = fs23.openSync(path29, constants.O_SYMLINK);
             var ret;
             var threw = true;
             try {
-              ret = fs22.futimesSync(fd, at, mt);
+              ret = fs23.futimesSync(fd, at, mt);
               threw = false;
             } finally {
               if (threw) {
                 try {
-                  fs22.closeSync(fd);
+                  fs23.closeSync(fd);
                 } catch (er) {
                 }
               } else {
-                fs22.closeSync(fd);
+                fs23.closeSync(fd);
               }
             }
             return ret;
           };
-        } else if (fs22.futimes) {
-          fs22.lutimes = function(_a, _b, _c, cb) {
+        } else if (fs23.futimes) {
+          fs23.lutimes = function(_a, _b, _c, cb) {
             if (cb) process.nextTick(cb);
           };
-          fs22.lutimesSync = function() {
+          fs23.lutimesSync = function() {
           };
         }
       }
       function chmodFix(orig) {
         if (!orig) return orig;
         return function(target, mode, cb) {
-          return orig.call(fs21, target, mode, function(er) {
+          return orig.call(fs22, target, mode, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -739,7 +739,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, mode) {
           try {
-            return orig.call(fs21, target, mode);
+            return orig.call(fs22, target, mode);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -748,7 +748,7 @@ var require_polyfills = __commonJS({
       function chownFix(orig) {
         if (!orig) return orig;
         return function(target, uid, gid, cb) {
-          return orig.call(fs21, target, uid, gid, function(er) {
+          return orig.call(fs22, target, uid, gid, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -758,7 +758,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, uid, gid) {
           try {
-            return orig.call(fs21, target, uid, gid);
+            return orig.call(fs22, target, uid, gid);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -778,13 +778,13 @@ var require_polyfills = __commonJS({
             }
             if (cb) cb.apply(this, arguments);
           }
-          return options ? orig.call(fs21, target, options, callback) : orig.call(fs21, target, callback);
+          return options ? orig.call(fs22, target, options, callback) : orig.call(fs22, target, callback);
         };
       }
       function statFixSync(orig) {
         if (!orig) return orig;
         return function(target, options) {
-          var stats = options ? orig.call(fs21, target, options) : orig.call(fs21, target);
+          var stats = options ? orig.call(fs22, target, options) : orig.call(fs22, target);
           if (stats) {
             if (stats.uid < 0) stats.uid += 4294967296;
             if (stats.gid < 0) stats.gid += 4294967296;
@@ -813,16 +813,16 @@ var require_legacy_streams = __commonJS({
   "../../node_modules/graceful-fs/legacy-streams.js"(exports2, module2) {
     var Stream = require("stream").Stream;
     module2.exports = legacy;
-    function legacy(fs21) {
+    function legacy(fs22) {
       return {
         ReadStream,
         WriteStream
       };
-      function ReadStream(path28, options) {
-        if (!(this instanceof ReadStream)) return new ReadStream(path28, options);
+      function ReadStream(path29, options) {
+        if (!(this instanceof ReadStream)) return new ReadStream(path29, options);
         Stream.call(this);
         var self = this;
-        this.path = path28;
+        this.path = path29;
         this.fd = null;
         this.readable = true;
         this.paused = false;
@@ -856,7 +856,7 @@ var require_legacy_streams = __commonJS({
           });
           return;
         }
-        fs21.open(this.path, this.flags, this.mode, function(err, fd) {
+        fs22.open(this.path, this.flags, this.mode, function(err, fd) {
           if (err) {
             self.emit("error", err);
             self.readable = false;
@@ -867,10 +867,10 @@ var require_legacy_streams = __commonJS({
           self._read();
         });
       }
-      function WriteStream(path28, options) {
-        if (!(this instanceof WriteStream)) return new WriteStream(path28, options);
+      function WriteStream(path29, options) {
+        if (!(this instanceof WriteStream)) return new WriteStream(path29, options);
         Stream.call(this);
-        this.path = path28;
+        this.path = path29;
         this.fd = null;
         this.writable = true;
         this.flags = "w";
@@ -895,7 +895,7 @@ var require_legacy_streams = __commonJS({
         this.busy = false;
         this._queue = [];
         if (this.fd === null) {
-          this._open = fs21.open;
+          this._open = fs22.open;
           this._queue.push([this._open, this.path, this.flags, this.mode, void 0]);
           this.flush();
         }
@@ -930,7 +930,7 @@ var require_clone = __commonJS({
 // ../../node_modules/graceful-fs/graceful-fs.js
 var require_graceful_fs = __commonJS({
   "../../node_modules/graceful-fs/graceful-fs.js"(exports2, module2) {
-    var fs21 = require("fs");
+    var fs22 = require("fs");
     var polyfills = require_polyfills();
     var legacy = require_legacy_streams();
     var clone = require_clone();
@@ -962,12 +962,12 @@ var require_graceful_fs = __commonJS({
         m = "GFS4: " + m.split(/\n/).join("\nGFS4: ");
         console.error(m);
       };
-    if (!fs21[gracefulQueue]) {
+    if (!fs22[gracefulQueue]) {
       queue = global[gracefulQueue] || [];
-      publishQueue(fs21, queue);
-      fs21.close = (function(fs$close) {
+      publishQueue(fs22, queue);
+      fs22.close = (function(fs$close) {
         function close(fd, cb) {
-          return fs$close.call(fs21, fd, function(err) {
+          return fs$close.call(fs22, fd, function(err) {
             if (!err) {
               resetQueue();
             }
@@ -979,48 +979,48 @@ var require_graceful_fs = __commonJS({
           value: fs$close
         });
         return close;
-      })(fs21.close);
-      fs21.closeSync = (function(fs$closeSync) {
+      })(fs22.close);
+      fs22.closeSync = (function(fs$closeSync) {
         function closeSync2(fd) {
-          fs$closeSync.apply(fs21, arguments);
+          fs$closeSync.apply(fs22, arguments);
           resetQueue();
         }
         Object.defineProperty(closeSync2, previousSymbol, {
           value: fs$closeSync
         });
         return closeSync2;
-      })(fs21.closeSync);
+      })(fs22.closeSync);
       if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || "")) {
         process.on("exit", function() {
-          debug(fs21[gracefulQueue]);
-          require("assert").equal(fs21[gracefulQueue].length, 0);
+          debug(fs22[gracefulQueue]);
+          require("assert").equal(fs22[gracefulQueue].length, 0);
         });
       }
     }
     var queue;
     if (!global[gracefulQueue]) {
-      publishQueue(global, fs21[gracefulQueue]);
-    }
-    module2.exports = patch(clone(fs21));
-    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs21.__patched) {
-      module2.exports = patch(fs21);
-      fs21.__patched = true;
-    }
-    function patch(fs22) {
-      polyfills(fs22);
-      fs22.gracefulify = patch;
-      fs22.createReadStream = createReadStream;
-      fs22.createWriteStream = createWriteStream;
-      var fs$readFile = fs22.readFile;
-      fs22.readFile = readFile;
-      function readFile(path28, options, cb) {
+      publishQueue(global, fs22[gracefulQueue]);
+    }
+    module2.exports = patch(clone(fs22));
+    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs22.__patched) {
+      module2.exports = patch(fs22);
+      fs22.__patched = true;
+    }
+    function patch(fs23) {
+      polyfills(fs23);
+      fs23.gracefulify = patch;
+      fs23.createReadStream = createReadStream;
+      fs23.createWriteStream = createWriteStream;
+      var fs$readFile = fs23.readFile;
+      fs23.readFile = readFile;
+      function readFile(path29, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$readFile(path28, options, cb);
-        function go$readFile(path29, options2, cb2, startTime) {
-          return fs$readFile(path29, options2, function(err) {
+        return go$readFile(path29, options, cb);
+        function go$readFile(path30, options2, cb2, startTime) {
+          return fs$readFile(path30, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$readFile, [path29, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$readFile, [path30, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1028,16 +1028,16 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$writeFile = fs22.writeFile;
-      fs22.writeFile = writeFile;
-      function writeFile(path28, data, options, cb) {
+      var fs$writeFile = fs23.writeFile;
+      fs23.writeFile = writeFile;
+      function writeFile(path29, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$writeFile(path28, data, options, cb);
-        function go$writeFile(path29, data2, options2, cb2, startTime) {
-          return fs$writeFile(path29, data2, options2, function(err) {
+        return go$writeFile(path29, data, options, cb);
+        function go$writeFile(path30, data2, options2, cb2, startTime) {
+          return fs$writeFile(path30, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$writeFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$writeFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1045,17 +1045,17 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$appendFile = fs22.appendFile;
+      var fs$appendFile = fs23.appendFile;
       if (fs$appendFile)
-        fs22.appendFile = appendFile;
-      function appendFile(path28, data, options, cb) {
+        fs23.appendFile = appendFile;
+      function appendFile(path29, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$appendFile(path28, data, options, cb);
-        function go$appendFile(path29, data2, options2, cb2, startTime) {
-          return fs$appendFile(path29, data2, options2, function(err) {
+        return go$appendFile(path29, data, options, cb);
+        function go$appendFile(path30, data2, options2, cb2, startTime) {
+          return fs$appendFile(path30, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$appendFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$appendFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1063,9 +1063,9 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$copyFile = fs22.copyFile;
+      var fs$copyFile = fs23.copyFile;
       if (fs$copyFile)
-        fs22.copyFile = copyFile;
+        fs23.copyFile = copyFile;
       function copyFile(src, dest, flags, cb) {
         if (typeof flags === "function") {
           cb = flags;
@@ -1083,34 +1083,34 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$readdir = fs22.readdir;
-      fs22.readdir = readdir;
+      var fs$readdir = fs23.readdir;
+      fs23.readdir = readdir;
       var noReaddirOptionVersions = /^v[0-5]\./;
-      function readdir(path28, options, cb) {
+      function readdir(path29, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path29, options2, cb2, startTime) {
-          return fs$readdir(path29, fs$readdirCallback(
-            path29,
+        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path30, options2, cb2, startTime) {
+          return fs$readdir(path30, fs$readdirCallback(
+            path30,
             options2,
             cb2,
             startTime
           ));
-        } : function go$readdir2(path29, options2, cb2, startTime) {
-          return fs$readdir(path29, options2, fs$readdirCallback(
-            path29,
+        } : function go$readdir2(path30, options2, cb2, startTime) {
+          return fs$readdir(path30, options2, fs$readdirCallback(
+            path30,
             options2,
             cb2,
             startTime
           ));
         };
-        return go$readdir(path28, options, cb);
-        function fs$readdirCallback(path29, options2, cb2, startTime) {
+        return go$readdir(path29, options, cb);
+        function fs$readdirCallback(path30, options2, cb2, startTime) {
           return function(err, files) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
               enqueue([
                 go$readdir,
-                [path29, options2, cb2],
+                [path30, options2, cb2],
                 err,
                 startTime || Date.now(),
                 Date.now()
@@ -1125,21 +1125,21 @@ var require_graceful_fs = __commonJS({
         }
       }
       if (process.version.substr(0, 4) === "v0.8") {
-        var legStreams = legacy(fs22);
+        var legStreams = legacy(fs23);
         ReadStream = legStreams.ReadStream;
         WriteStream = legStreams.WriteStream;
       }
-      var fs$ReadStream = fs22.ReadStream;
+      var fs$ReadStream = fs23.ReadStream;
       if (fs$ReadStream) {
         ReadStream.prototype = Object.create(fs$ReadStream.prototype);
         ReadStream.prototype.open = ReadStream$open;
       }
-      var fs$WriteStream = fs22.WriteStream;
+      var fs$WriteStream = fs23.WriteStream;
       if (fs$WriteStream) {
         WriteStream.prototype = Object.create(fs$WriteStream.prototype);
         WriteStream.prototype.open = WriteStream$open;
       }
-      Object.defineProperty(fs22, "ReadStream", {
+      Object.defineProperty(fs23, "ReadStream", {
         get: function() {
           return ReadStream;
         },
@@ -1149,7 +1149,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      Object.defineProperty(fs22, "WriteStream", {
+      Object.defineProperty(fs23, "WriteStream", {
         get: function() {
           return WriteStream;
         },
@@ -1160,7 +1160,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileReadStream = ReadStream;
-      Object.defineProperty(fs22, "FileReadStream", {
+      Object.defineProperty(fs23, "FileReadStream", {
         get: function() {
           return FileReadStream;
         },
@@ -1171,7 +1171,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileWriteStream = WriteStream;
-      Object.defineProperty(fs22, "FileWriteStream", {
+      Object.defineProperty(fs23, "FileWriteStream", {
         get: function() {
           return FileWriteStream;
         },
@@ -1181,7 +1181,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      function ReadStream(path28, options) {
+      function ReadStream(path29, options) {
         if (this instanceof ReadStream)
           return fs$ReadStream.apply(this, arguments), this;
         else
@@ -1201,7 +1201,7 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function WriteStream(path28, options) {
+      function WriteStream(path29, options) {
         if (this instanceof WriteStream)
           return fs$WriteStream.apply(this, arguments), this;
         else
@@ -1219,22 +1219,22 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function createReadStream(path28, options) {
-        return new fs22.ReadStream(path28, options);
+      function createReadStream(path29, options) {
+        return new fs23.ReadStream(path29, options);
       }
-      function createWriteStream(path28, options) {
-        return new fs22.WriteStream(path28, options);
+      function createWriteStream(path29, options) {
+        return new fs23.WriteStream(path29, options);
       }
-      var fs$open = fs22.open;
-      fs22.open = open;
-      function open(path28, flags, mode, cb) {
+      var fs$open = fs23.open;
+      fs23.open = open;
+      function open(path29, flags, mode, cb) {
         if (typeof mode === "function")
           cb = mode, mode = null;
-        return go$open(path28, flags, mode, cb);
-        function go$open(path29, flags2, mode2, cb2, startTime) {
-          return fs$open(path29, flags2, mode2, function(err, fd) {
+        return go$open(path29, flags, mode, cb);
+        function go$open(path30, flags2, mode2, cb2, startTime) {
+          return fs$open(path30, flags2, mode2, function(err, fd) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$open, [path29, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$open, [path30, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1242,20 +1242,20 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      return fs22;
+      return fs23;
     }
     function enqueue(elem) {
       debug("ENQUEUE", elem[0].name, elem[1]);
-      fs21[gracefulQueue].push(elem);
+      fs22[gracefulQueue].push(elem);
       retry();
     }
     var retryTimer;
     function resetQueue() {
       var now = Date.now();
-      for (var i = 0; i < fs21[gracefulQueue].length; ++i) {
-        if (fs21[gracefulQueue][i].length > 2) {
-          fs21[gracefulQueue][i][3] = now;
-          fs21[gracefulQueue][i][4] = now;
+      for (var i = 0; i < fs22[gracefulQueue].length; ++i) {
+        if (fs22[gracefulQueue][i].length > 2) {
+          fs22[gracefulQueue][i][3] = now;
+          fs22[gracefulQueue][i][4] = now;
         }
       }
       retry();
@@ -1263,9 +1263,9 @@ var require_graceful_fs = __commonJS({
     function retry() {
       clearTimeout(retryTimer);
       retryTimer = void 0;
-      if (fs21[gracefulQueue].length === 0)
+      if (fs22[gracefulQueue].length === 0)
         return;
-      var elem = fs21[gracefulQueue].shift();
+      var elem = fs22[gracefulQueue].shift();
       var fn = elem[0];
       var args = elem[1];
       var err = elem[2];
@@ -1287,7 +1287,7 @@ var require_graceful_fs = __commonJS({
           debug("RETRY", fn.name, args);
           fn.apply(null, args.concat([startTime]));
         } else {
-          fs21[gracefulQueue].push(elem);
+          fs22[gracefulQueue].push(elem);
         }
       }
       if (retryTimer === void 0) {
@@ -1722,10 +1722,10 @@ var require_mtime_precision = __commonJS({
   "../../node_modules/proper-lockfile/lib/mtime-precision.js"(exports2, module2) {
     "use strict";
     var cacheSymbol = /* @__PURE__ */ Symbol();
-    function probe(file, fs21, callback) {
-      const cachedPrecision = fs21[cacheSymbol];
+    function probe(file, fs22, callback) {
+      const cachedPrecision = fs22[cacheSymbol];
       if (cachedPrecision) {
-        return fs21.stat(file, (err, stat) => {
+        return fs22.stat(file, (err, stat) => {
           if (err) {
             return callback(err);
           }
@@ -1733,16 +1733,16 @@ var require_mtime_precision = __commonJS({
         });
       }
       const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
-      fs21.utimes(file, mtime, mtime, (err) => {
+      fs22.utimes(file, mtime, mtime, (err) => {
         if (err) {
           return callback(err);
         }
-        fs21.stat(file, (err2, stat) => {
+        fs22.stat(file, (err2, stat) => {
           if (err2) {
             return callback(err2);
           }
           const precision = stat.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
-          Object.defineProperty(fs21, cacheSymbol, { value: precision });
+          Object.defineProperty(fs22, cacheSymbol, { value: precision });
           callback(null, stat.mtime, precision);
         });
       });
@@ -1763,8 +1763,8 @@ var require_mtime_precision = __commonJS({
 var require_lockfile = __commonJS({
   "../../node_modules/proper-lockfile/lib/lockfile.js"(exports2, module2) {
     "use strict";
-    var path28 = require("path");
-    var fs21 = require_graceful_fs();
+    var path29 = require("path");
+    var fs22 = require_graceful_fs();
     var retry = require_retry2();
     var onExit = require_signal_exit();
     var mtimePrecision = require_mtime_precision();
@@ -1774,7 +1774,7 @@ var require_lockfile = __commonJS({
     }
     function resolveCanonicalPath(file, options, callback) {
       if (!options.realpath) {
-        return callback(null, path28.resolve(file));
+        return callback(null, path29.resolve(file));
       }
       options.fs.realpath(file, callback);
     }
@@ -1895,7 +1895,7 @@ var require_lockfile = __commonJS({
         update: null,
         realpath: true,
         retries: 0,
-        fs: fs21,
+        fs: fs22,
         onCompromised: (err) => {
           throw err;
         },
@@ -1939,7 +1939,7 @@ var require_lockfile = __commonJS({
     }
     function unlock(file, options, callback) {
       options = {
-        fs: fs21,
+        fs: fs22,
         realpath: true,
         ...options
       };
@@ -1961,7 +1961,7 @@ var require_lockfile = __commonJS({
       options = {
         stale: 1e4,
         realpath: true,
-        fs: fs21,
+        fs: fs22,
         ...options
       };
       options.stale = Math.max(options.stale || 0, 2e3);
@@ -2000,16 +2000,16 @@ var require_lockfile = __commonJS({
 var require_adapter = __commonJS({
   "../../node_modules/proper-lockfile/lib/adapter.js"(exports2, module2) {
     "use strict";
-    var fs21 = require_graceful_fs();
-    function createSyncFs(fs22) {
+    var fs22 = require_graceful_fs();
+    function createSyncFs(fs23) {
       const methods = ["mkdir", "realpath", "stat", "rmdir", "utimes"];
-      const newFs = { ...fs22 };
+      const newFs = { ...fs23 };
       methods.forEach((method) => {
         newFs[method] = (...args) => {
           const callback = args.pop();
           let ret;
           try {
-            ret = fs22[`${method}Sync`](...args);
+            ret = fs23[`${method}Sync`](...args);
           } catch (err) {
             return callback(err);
           }
@@ -2019,12 +2019,12 @@ var require_adapter = __commonJS({
       return newFs;
     }
     function toPromise(method) {
-      return (...args) => new Promise((resolve, reject) => {
+      return (...args) => new Promise((resolve2, reject) => {
         args.push((err, result) => {
           if (err) {
             reject(err);
           } else {
-            resolve(result);
+            resolve2(result);
           }
         });
         method(...args);
@@ -2047,7 +2047,7 @@ var require_adapter = __commonJS({
     }
     function toSyncOptions(options) {
       options = { ...options };
-      options.fs = createSyncFs(options.fs || fs21);
+      options.fs = createSyncFs(options.fs || fs22);
       if (typeof options.retries === "number" && options.retries > 0 || options.retries && typeof options.retries.retries === "number" && options.retries.retries > 0) {
         throw Object.assign(new Error("Cannot use retries with the sync api"), { code: "ESYNC" });
       }
@@ -3030,7 +3030,7 @@ var require_age_encryption = __commonJS({
       };
     }
     // @__NO_SIDE_EFFECTS__
-    function join20(separator = "") {
+    function join21(separator = "") {
       astr("join", separator);
       return {
         encode: (from) => {
@@ -3160,9 +3160,9 @@ var require_age_encryption = __commonJS({
       decode(s) {
         return decodeBase64Builtin(s, false);
       }
-    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join20("")));
-    var base64nopad = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join20("")));
-    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join20(""));
+    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join21("")));
+    var base64nopad = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join21("")));
+    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join21(""));
     var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
     function bech32Polymod(pre) {
       const b = pre >> 25;
@@ -11450,6 +11450,7 @@ __export(index_exports, {
   PolicyValidationError: () => PolicyValidationError,
   REQUESTS_FILENAME: () => REQUESTS_FILENAME,
   REQUIREMENTS: () => REQUIREMENTS,
+  REVEAL_WARNING: () => REVEAL_WARNING,
   RecipientManager: () => RecipientManager,
   ReportGenerator: () => ReportGenerator,
   ReportSanitizer: () => ReportSanitizer,
@@ -11475,16 +11476,26 @@ __export(index_exports, {
   VALID_KMS_PROVIDERS: () => VALID_KMS_PROVIDERS,
   assertPackedArtifact: () => assertPackedArtifact,
   assertSops: () => assertSops,
+  buildDecryptError: () => buildDecryptError,
+  buildDecryptResult: () => buildDecryptResult,
+  buildInspectError: () => buildInspectError,
+  buildInspectResult: () => buildInspectResult,
   buildSigningPayload: () => buildSigningPayload,
+  buildVerifyError: () => buildVerifyError,
+  buildVerifyResult: () => buildVerifyResult,
   checkAll: () => checkAll,
   checkDependency: () => checkDependency,
   collectCIContext: () => collectCIContext,
+  computeCiphertextHash: () => computeCiphertextHash,
   deriveAgePublicKey: () => deriveAgePublicKey,
   describeScope: () => describeScope,
   detectAlgorithm: () => detectAlgorithm,
   detectFormat: () => detectFormat,
+  emptyTemplate: () => emptyTemplate,
+  exampleTemplate: () => exampleTemplate,
   findRequest: () => findRequest,
   formatAgeKeyFile: () => formatAgeKeyFile,
+  formatRevealWarning: () => formatRevealWarning,
   generateAgeIdentity: () => generateAgeIdentity,
   generateRandomValue: () => generateRandomValue,
   generateSigningKeyPair: () => generateSigningKeyPair,
@@ -11510,6 +11521,7 @@ __export(index_exports, {
   parseDotenv: () => parseDotenv,
   parseIgnoreContent: () => parseIgnoreContent,
   parseJson: () => parseJson,
+  parseSignerKey: () => parseSignerKey,
   parseYaml: () => parseYaml,
   pkcs11UriToSyntheticArn: () => pkcs11UriToSyntheticArn,
   readManifestYaml: () => readManifestYaml,
@@ -11528,6 +11540,7 @@ __export(index_exports, {
   runCompliance: () => runCompliance,
   saveMetadata: () => saveMetadata,
   saveRequests: () => saveRequests,
+  serializeSchema: () => serializeSchema,
   shannonEntropy: () => shannonEntropy,
   shouldIgnoreFile: () => shouldIgnoreFile,
   shouldIgnoreMatch: () => shouldIgnoreMatch,
@@ -11542,7 +11555,9 @@ __export(index_exports, {
   validateResetScope: () => validateResetScope,
   verifySignature: () => verifySignature,
   writeManifestYaml: () => writeManifestYaml,
-  writeManifestYamlRaw: () => writeManifestYamlRaw
+  writeManifestYamlRaw: () => writeManifestYamlRaw,
+  writeSchema: () => writeSchema,
+  writeSchemaRaw: () => writeSchemaRaw
 });
 module.exports = __toCommonJS(index_exports);
@@ -12438,13 +12453,48 @@ function shouldIgnoreMatch(match, rules) {
   return false;
 }
 function matchesGlob(filePath, pattern) {
-  const DOUBLE_STAR = "\0DS\0";
-  const SINGLE_STAR = "\0SS\0";
-  const QUESTION = "\0QM\0";
-  const escaped = pattern.replace(/\*\*/g, DOUBLE_STAR).replace(/\*/g, SINGLE_STAR).replace(/\?/g, QUESTION).replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(DOUBLE_STAR, ".*").replace(SINGLE_STAR, "[^/]*").replace(QUESTION, "[^/]");
-  const regex = new RegExp("^" + escaped + "$");
-  const prefixRegex = new RegExp("^" + escaped + "/");
-  return regex.test(filePath) || prefixRegex.test(filePath);
+  const body = globToRegex(pattern);
+  const exact = new RegExp("^" + body + "$");
+  const prefix = new RegExp("^" + body + "/");
+  return exact.test(filePath) || prefix.test(filePath);
+}
+function globToRegex(pattern) {
+  let out = "";
+  let i = 0;
+  while (i < pattern.length) {
+    if (pattern.startsWith("/**/", i)) {
+      out += "/(?:.*/)?";
+      i += 4;
+      continue;
+    }
+    if (i === 0 && pattern.startsWith("**/")) {
+      out += "(?:.*/)?";
+      i += 3;
+      continue;
+    }
+    if (pattern.startsWith("/**", i) && i + 3 === pattern.length) {
+      out += "(?:/.*)?";
+      i += 3;
+      continue;
+    }
+    if (pattern.startsWith("**", i)) {
+      out += ".*";
+      i += 2;
+      continue;
+    }
+    const ch = pattern[i];
+    if (ch === "*") {
+      out += "[^/]*";
+    } else if (ch === "?") {
+      out += "[^/]";
+    } else if (/[.+^${}()|[\]\\]/.test(ch)) {
+      out += "\\" + ch;
+    } else {
+      out += ch;
+    }
+    i++;
+  }
+  return out;
 }
 // src/scanner/index.ts
@@ -13003,9 +13053,7 @@ var SchemaValidator = class {
         type,
         required: def.required === true,
         ...typeof def.pattern === "string" ? { pattern: def.pattern } : {},
-        ...def.default !== void 0 ? { default: def.default } : {},
-        ...typeof def.description === "string" ? { description: def.description } : {},
-        ...typeof def.max === "number" ? { max: def.max } : {}
+        ...typeof def.description === "string" ? { description: def.description } : {}
       };
     }
     return { keys };
@@ -13041,12 +13089,6 @@ var SchemaValidator = class {
               message: `Key '${keyName}' must be an integer, got '${value}'.`,
               rule: "type"
             });
-          } else if (keyDef.max !== void 0 && num > keyDef.max) {
-            warnings.push({
-              key: keyName,
-              message: `Key '${keyName}' value ${num} exceeds maximum ${keyDef.max}.`,
-              rule: "max_exceeded"
-            });
           }
           break;
         }
@@ -13092,8 +13134,98 @@ var SchemaValidator = class {
   }
 };
-// src/diff/engine.ts
+// src/schema/writer.ts
+var fs9 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
+var YAML7 = __toESM(require("yaml"));
+var import_write_file_atomic2 = __toESM(require_lib());
+function serializeSchema(schema, opts = {}) {
+  const doc = new YAML7.Document();
+  doc.contents = doc.createNode({ keys: orderedKeys(schema.keys) });
+  const body = String(doc);
+  if (!opts.header) return body;
+  const commented = opts.header.split("\n").map((line) => line.length === 0 ? "#" : `# ${line}`).join("\n");
+  return `${commented}
+${body}`;
+}
+function writeSchema(rootDir, relPath, schema, opts = {}) {
+  writeSchemaRaw(rootDir, relPath, serializeSchema(schema, opts));
+}
+function writeSchemaRaw(rootDir, relPath, contents) {
+  const normalizedRelPath = path6.normalize(relPath);
+  if (!normalizedRelPath || normalizedRelPath === "." || path6.isAbsolute(normalizedRelPath)) {
+    throw new Error(`Refusing to write schema using an absolute path: ${relPath}`);
+  }
+  const realRoot = fs9.realpathSync(path6.resolve(rootDir));
+  const safePath = path6.resolve(realRoot, normalizedRelPath);
+  const relCandidate = path6.relative(realRoot, safePath);
+  if (relCandidate === ".." || relCandidate.startsWith(`..${path6.sep}`) || path6.isAbsolute(relCandidate)) {
+    throw new Error(`Refusing to write schema outside the repository root: ${relPath}`);
+  }
+  const safeParent = path6.dirname(safePath);
+  fs9.mkdirSync(safeParent, { recursive: true });
+  const canonicalParent = fs9.realpathSync(safeParent);
+  const canonicalTarget = path6.join(canonicalParent, path6.basename(safePath));
+  const relToRoot = path6.relative(realRoot, canonicalTarget);
+  if (relToRoot === ".." || relToRoot.startsWith(`..${path6.sep}`) || path6.isAbsolute(relToRoot)) {
+    throw new Error(`Refusing to write schema outside the repository root: ${relPath}`);
+  }
+  import_write_file_atomic2.default.sync(canonicalTarget, contents);
+}
+function emptyTemplate(namespace) {
+  const header = [
+    `Schema for namespace '${namespace}'.`,
+    "",
+    "Declare keys your encrypted files must contain. Each key accepts:",
+    "  type:        string | integer | boolean",
+    "  required:    true | false",
+    "  pattern:     (strings only) regex the value must match",
+    "  description: human-readable description",
+    "",
+    "Add keys below, then run `clef lint` to validate."
+  ].join("\n");
+  return serializeSchema({ keys: {} }, { header });
+}
+function exampleTemplate(namespace) {
+  const header = [
+    `Schema for namespace '${namespace}'.`,
+    "",
+    "The example below is commented out so `clef lint` passes as-is.",
+    "Uncomment and edit to add your first key, or replace wholesale."
+  ].join("\n");
+  const body = [
+    "keys: {}",
+    "",
+    "# keys:",
+    "#   API_KEY:",
+    "#     type: string",
+    "#     required: true",
+    "#     pattern: ^sk_(test|live)_[A-Za-z0-9]+$",
+    "#     description: Stripe secret key for server-side calls."
+  ].join("\n");
+  const commentedHeader = header.split("\n").map((line) => line.length === 0 ? "#" : `# ${line}`).join("\n");
+  return `${commentedHeader}
+${body}
+`;
+}
+function orderedKeys(keys) {
+  const out = {};
+  for (const [name, def] of Object.entries(keys)) {
+    const ordered = {
+      type: def.type,
+      required: def.required
+    };
+    if (def.pattern !== void 0) ordered.pattern = def.pattern;
+    if (def.description !== void 0) ordered.description = def.description;
+    out[name] = ordered;
+  }
+  return out;
+}
+// src/diff/engine.ts
+var path7 = __toESM(require("path"));
 var DiffEngine = class {
   /**
    * Compare two in-memory value maps and produce a sorted diff result.
@@ -13150,11 +13282,11 @@ var DiffEngine = class {
    * @throws {@link SopsDecryptionError} If either file cannot be decrypted.
    */
   async diffFiles(namespace, envA, envB, manifest, sopsClient, repoRoot) {
-    const fileA = path6.join(
+    const fileA = path7.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envA)
     );
-    const fileB = path6.join(
+    const fileB = path7.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envB)
     );
@@ -13167,7 +13299,7 @@ var DiffEngine = class {
 };
 // src/bulk/ops.ts
-var path7 = __toESM(require("path"));
+var path8 = __toESM(require("path"));
 var BulkOps = class {
   constructor(tx) {
     this.tx = tx;
@@ -13187,7 +13319,7 @@ var BulkOps = class {
   async setAcrossEnvironments(namespace, key, values, manifest, sopsClient, repoRoot) {
     const targets = manifest.environments.filter((env) => env.name in values).map((env) => ({
       env: env.name,
-      filePath: path7.join(
+      filePath: path8.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
       )
@@ -13195,7 +13327,7 @@ var BulkOps = class {
     if (targets.length === 0) return;
     await this.tx.run(repoRoot, {
       description: `clef set: ${namespace}/${key} across ${targets.length} env(s)`,
-      paths: targets.map((t) => path7.relative(repoRoot, t.filePath)),
+      paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
       mutate: async () => {
         for (const target of targets) {
           const decrypted = await sopsClient.decrypt(target.filePath);
@@ -13217,14 +13349,14 @@ var BulkOps = class {
   async deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot) {
     const targets = manifest.environments.map((env) => ({
       env: env.name,
-      filePath: path7.join(
+      filePath: path8.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
       )
     }));
     await this.tx.run(repoRoot, {
       description: `clef delete: ${namespace}/${key} from ${targets.length} env(s)`,
-      paths: targets.map((t) => path7.relative(repoRoot, t.filePath)),
+      paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
       mutate: async () => {
         for (const target of targets) {
           const decrypted = await sopsClient.decrypt(target.filePath);
@@ -13256,7 +13388,7 @@ var BulkOps = class {
     }
     await this.tx.run(repoRoot, {
       description: `clef copy: ${key} from ${fromCell.namespace}/${fromCell.environment} to ${toCell.namespace}/${toCell.environment}`,
-      paths: [path7.relative(repoRoot, toCell.filePath)],
+      paths: [path8.relative(repoRoot, toCell.filePath)],
       mutate: async () => {
         const dest = await sopsClient.decrypt(toCell.filePath);
         dest.values[key] = source.values[key];
@@ -13267,8 +13399,8 @@ var BulkOps = class {
 };
 // src/git/integration.ts
-var fs9 = __toESM(require("fs"));
-var path8 = __toESM(require("path"));
+var fs10 = __toESM(require("fs"));
+var path9 = __toESM(require("path"));
 var PRE_COMMIT_HOOK = `#!/bin/sh
 # Clef pre-commit hook \u2014 blocks commits of files missing SOPS encryption metadata
 # and scans staged files for plaintext secrets.
@@ -13444,17 +13576,17 @@ var GitIntegration = class {
    * @returns The kind of operation in progress, or null if none.
    */
   async isMidOperation(repoRoot) {
-    const gitDir = path8.join(repoRoot, ".git");
-    if (fs9.existsSync(path8.join(gitDir, "MERGE_HEAD"))) {
+    const gitDir = path9.join(repoRoot, ".git");
+    if (fs10.existsSync(path9.join(gitDir, "MERGE_HEAD"))) {
       return { midOp: true, kind: "merge" };
     }
-    if (fs9.existsSync(path8.join(gitDir, "rebase-merge")) || fs9.existsSync(path8.join(gitDir, "rebase-apply"))) {
+    if (fs10.existsSync(path9.join(gitDir, "rebase-merge")) || fs10.existsSync(path9.join(gitDir, "rebase-apply"))) {
       return { midOp: true, kind: "rebase" };
     }
-    if (fs9.existsSync(path8.join(gitDir, "CHERRY_PICK_HEAD"))) {
+    if (fs10.existsSync(path9.join(gitDir, "CHERRY_PICK_HEAD"))) {
       return { midOp: true, kind: "cherry-pick" };
     }
-    if (fs9.existsSync(path8.join(gitDir, "REVERT_HEAD"))) {
+    if (fs10.existsSync(path9.join(gitDir, "REVERT_HEAD"))) {
       return { midOp: true, kind: "revert" };
     }
     return { midOp: false };
@@ -13630,15 +13762,15 @@ var GitIntegration = class {
       { cwd: repoRoot }
     );
     const metadataGitConfig = metaConfig.exitCode === 0 && metaConfig.stdout.trim().length > 0;
-    const attrFilePath = path8.join(repoRoot, ".gitattributes");
-    const attrContent = fs9.existsSync(attrFilePath) ? fs9.readFileSync(attrFilePath, "utf-8") : "";
+    const attrFilePath = path9.join(repoRoot, ".gitattributes");
+    const attrContent = fs10.existsSync(attrFilePath) ? fs10.readFileSync(attrFilePath, "utf-8") : "";
     const gitattributes = attrContent.includes("merge=sops");
     const metadataGitattributes = attrContent.includes("merge=clef-metadata");
     return { gitConfig, gitattributes, metadataGitConfig, metadataGitattributes };
   }
   async ensureGitattributes(repoRoot) {
-    const attrPath = path8.join(repoRoot, ".gitattributes");
-    const existing = fs9.existsSync(attrPath) ? fs9.readFileSync(attrPath, "utf-8") : "";
+    const attrPath = path9.join(repoRoot, ".gitattributes");
+    const existing = fs10.existsSync(attrPath) ? fs10.readFileSync(attrPath, "utf-8") : "";
     let newContent = existing;
     if (!existing.includes("merge=sops")) {
       const block = `# Clef: SOPS-aware merge driver for encrypted files
@@ -13659,7 +13791,7 @@ ${block}` : block;
     }
     if (newContent === existing) return;
     try {
-      fs9.writeFileSync(attrPath, newContent, "utf-8");
+      fs10.writeFileSync(attrPath, newContent, "utf-8");
     } catch (err) {
       throw new GitOperationError(`Failed to write .gitattributes: ${err.message}`);
     }
@@ -13672,13 +13804,13 @@ ${block}` : block;
    * @throws {@link GitOperationError} On failure.
    */
   async installPreCommitHook(repoRoot) {
-    const hookPath = path8.join(repoRoot, ".git", "hooks", "pre-commit");
+    const hookPath = path9.join(repoRoot, ".git", "hooks", "pre-commit");
     try {
-      const hooksDir = path8.dirname(hookPath);
-      if (!fs9.existsSync(hooksDir)) {
-        fs9.mkdirSync(hooksDir, { recursive: true });
+      const hooksDir = path9.dirname(hookPath);
+      if (!fs10.existsSync(hooksDir)) {
+        fs10.mkdirSync(hooksDir, { recursive: true });
       }
-      fs9.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
+      fs10.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
     } catch (err) {
       throw new GitOperationError(
         `Failed to install pre-commit hook: ${err.message}`,
@@ -13689,8 +13821,8 @@ ${block}` : block;
 };
 // src/tx/transaction-manager.ts
-var fs10 = __toESM(require("fs"));
-var path9 = __toESM(require("path"));
+var fs11 = __toESM(require("fs"));
+var path10 = __toESM(require("path"));
 var lockfile = __toESM(require_proper_lockfile());
 // src/tx/errors.ts
@@ -13739,17 +13871,17 @@ var TransactionManager = class {
   async run(repoRoot, opts) {
     const shouldCommit = opts.commit !== false;
     const allowDirty = opts.allowDirty === true;
-    const clefDir = path9.join(repoRoot, CLEF_DIR);
-    if (!fs10.existsSync(clefDir)) {
-      fs10.mkdirSync(clefDir, { recursive: true });
+    const clefDir = path10.join(repoRoot, CLEF_DIR);
+    if (!fs11.existsSync(clefDir)) {
+      fs11.mkdirSync(clefDir, { recursive: true });
     }
-    const clefGitignore = path9.join(clefDir, ".gitignore");
-    if (!fs10.existsSync(clefGitignore)) {
-      fs10.writeFileSync(clefGitignore, "*\n");
+    const clefGitignore = path10.join(clefDir, ".gitignore");
+    if (!fs11.existsSync(clefGitignore)) {
+      fs11.writeFileSync(clefGitignore, "*\n");
     }
-    const lockPath = path9.join(clefDir, LOCK_FILE);
-    if (!fs10.existsSync(lockPath)) {
-      fs10.writeFileSync(lockPath, "");
+    const lockPath = path10.join(clefDir, LOCK_FILE);
+    if (!fs11.existsSync(lockPath)) {
+      fs11.writeFileSync(lockPath, "");
     }
     let release;
     try {
@@ -13877,19 +14009,19 @@ var TransactionManager = class {
 };
 // src/sops/client.ts
-var fs13 = __toESM(require("fs"));
+var fs14 = __toESM(require("fs"));
 var net = __toESM(require("net"));
 var import_crypto = require("crypto");
-var import_write_file_atomic2 = __toESM(require_lib());
-var YAML7 = __toESM(require("yaml"));
+var import_write_file_atomic3 = __toESM(require_lib());
+var YAML8 = __toESM(require("yaml"));
 // src/sops/resolver.ts
-var fs12 = __toESM(require("fs"));
-var path11 = __toESM(require("path"));
+var fs13 = __toESM(require("fs"));
+var path12 = __toESM(require("path"));
 // src/sops/bundled.ts
-var fs11 = __toESM(require("fs"));
-var path10 = __toESM(require("path"));
+var fs12 = __toESM(require("fs"));
+var path11 = __toESM(require("path"));
 function tryBundled() {
   const platform = process.platform;
   const arch = process.arch;
@@ -13901,9 +14033,9 @@ function tryBundled() {
   const binName = platform === "win32" ? "sops.exe" : "sops";
   try {
     const packageMain = require.resolve(`${packageName}/package.json`);
-    const packageDir = path10.dirname(packageMain);
-    const binPath = path10.join(packageDir, "bin", binName);
-    return fs11.existsSync(binPath) ? binPath : null;
+    const packageDir = path11.dirname(packageMain);
+    const binPath = path11.join(packageDir, "bin", binName);
+    return fs12.existsSync(binPath) ? binPath : null;
   } catch {
     return null;
   }
@@ -13911,7 +14043,7 @@ function tryBundled() {
 // src/sops/resolver.ts
 function validateSopsPath(candidate) {
-  if (!path11.isAbsolute(candidate)) {
+  if (!path12.isAbsolute(candidate)) {
     throw new Error(`CLEF_SOPS_PATH must be an absolute path, got '${candidate}'.`);
   }
   const segments = candidate.split(/[/\\]/);
@@ -13927,7 +14059,7 @@ function resolveSopsPath() {
   const envPath = process.env.CLEF_SOPS_PATH?.trim();
   if (envPath) {
     validateSopsPath(envPath);
-    if (!fs12.existsSync(envPath)) {
+    if (!fs13.existsSync(envPath)) {
       throw new Error(`CLEF_SOPS_PATH points to '${envPath}' but the file does not exist.`);
     }
     cached = { path: envPath, source: "env" };
@@ -14092,7 +14224,7 @@ function formatFromPath(filePath) {
 }
 function openWindowsInputPipe(content) {
   const pipeName = `\\\\.\\pipe\\clef-sops-${(0, import_crypto.randomBytes)(8).toString("hex")}`;
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     const server = net.createServer((socket) => {
       socket.write(content, () => {
         socket.destroy();
@@ -14101,7 +14233,7 @@ function openWindowsInputPipe(content) {
     server.maxConnections = 1;
     server.on("error", reject);
     server.listen(pipeName, () => {
-      resolve({
+      resolve2({
         inputArg: pipeName,
         cleanup: () => server.close()
       });
@@ -14182,7 +14314,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML7.parse(result.stdout) ?? {};
+      parsed = YAML8.parse(result.stdout) ?? {};
     } catch {
       throw new SopsDecryptionError(
         `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -14209,7 +14341,7 @@ var SopsClient = class {
   async encrypt(filePath, values, manifest, environment) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML7.stringify(values);
+    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML8.stringify(values);
     const args = this.buildEncryptArgs(filePath, manifest, environment);
     const env = this.buildSopsEnv();
     let inputArg;
@@ -14257,7 +14389,7 @@ var SopsClient = class {
       );
     }
     try {
-      await (0, import_write_file_atomic2.default)(filePath, result.stdout);
+      await (0, import_write_file_atomic3.default)(filePath, result.stdout);
     } catch (err) {
       throw new SopsEncryptionError(
         `Failed to write encrypted data to '${filePath}': ${err.message}`,
@@ -14376,7 +14508,7 @@ var SopsClient = class {
     if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
     let keyContent;
     try {
-      keyContent = this.ageKey ?? fs13.readFileSync(this.ageKeyFile, "utf-8");
+      keyContent = this.ageKey ?? fs14.readFileSync(this.ageKeyFile, "utf-8");
     } catch {
       return "key-not-found";
     }
@@ -14393,7 +14525,7 @@ var SopsClient = class {
   parseMetadataFromFile(filePath) {
     let content;
     try {
-      content = fs13.readFileSync(filePath, "utf-8");
+      content = fs14.readFileSync(filePath, "utf-8");
     } catch {
       throw new SopsDecryptionError(
         `Could not read file '${filePath}' to extract SOPS metadata.`,
@@ -14402,7 +14534,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML7.parse(content);
+      parsed = YAML8.parse(content);
     } catch {
       throw new SopsDecryptionError(
         `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -14527,8 +14659,8 @@ var SopsClient = class {
 };
 // src/hsm/bundled.ts
-var fs14 = __toESM(require("fs"));
-var path12 = __toESM(require("path"));
+var fs15 = __toESM(require("fs"));
+var path13 = __toESM(require("path"));
 function tryBundledKeyservice() {
   const platform = process.platform;
   const arch = process.arch;
@@ -14540,19 +14672,19 @@ function tryBundledKeyservice() {
   const binName = "clef-keyservice";
   try {
     const packageMain = require.resolve(`${packageName}/package.json`);
-    const packageDir = path12.dirname(packageMain);
-    const binPath = path12.join(packageDir, "bin", binName);
-    return fs14.existsSync(binPath) ? binPath : null;
+    const packageDir = path13.dirname(packageMain);
+    const binPath = path13.join(packageDir, "bin", binName);
+    return fs15.existsSync(binPath) ? binPath : null;
   } catch {
     return null;
   }
 }
 // src/hsm/resolver.ts
-var fs15 = __toESM(require("fs"));
-var path13 = __toESM(require("path"));
+var fs16 = __toESM(require("fs"));
+var path14 = __toESM(require("path"));
 function validateKeyservicePath(candidate) {
-  if (!path13.isAbsolute(candidate)) {
+  if (!path14.isAbsolute(candidate)) {
     throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
   }
   const segments = candidate.split(/[/\\]/);
@@ -14568,7 +14700,7 @@ function resolveKeyservicePath() {
   const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
   if (envPath) {
     validateKeyservicePath(envPath);
-    if (!fs15.existsSync(envPath)) {
+    if (!fs16.existsSync(envPath)) {
       throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
     }
     cached2 = { path: envPath, source: "env" };
@@ -14616,7 +14748,7 @@ async function spawnKeyservice(options) {
   };
 }
 function readPort(child) {
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     let settled = false;
     if (!child.stdout) {
       reject(new Error("Keyservice child has no stdout pipe."));
@@ -14644,7 +14776,7 @@ function readPort(child) {
       if (match && !settled) {
         settled = true;
         settle();
-        resolve(parseInt(match[1], 10));
+        resolve2(parseInt(match[1], 10));
       }
     });
     child.on("error", (err) => {
@@ -14664,9 +14796,9 @@ function readPort(child) {
   });
 }
 function killGracefully(child) {
-  return new Promise((resolve) => {
+  return new Promise((resolve2) => {
     if (child.exitCode !== null) {
-      resolve();
+      resolve2();
       return;
     }
     const timer = setTimeout(() => {
@@ -14674,14 +14806,14 @@ function killGracefully(child) {
     }, SHUTDOWN_TIMEOUT_MS);
     child.on("exit", () => {
       clearTimeout(timer);
-      resolve();
+      resolve2();
     });
     child.kill("SIGTERM");
   });
 }
 // src/lint/runner.ts
-var path14 = __toESM(require("path"));
+var path15 = __toESM(require("path"));
 var LintRunner = class {
   constructor(matrixManager, schemaValidator, sopsClient) {
     this.matrixManager = matrixManager;
@@ -14784,7 +14916,7 @@ var LintRunner = class {
         }
         const ns = manifest.namespaces.find((n) => n.name === cell.namespace);
         if (ns?.schema) {
-          const schemaPath = path14.join(repoRoot, ns.schema);
+          const schemaPath = path15.join(repoRoot, ns.schema);
           try {
             const schema = this.schemaValidator.loadSchema(schemaPath);
             const result = this.schemaValidator.validate(decrypted.values, schema);
@@ -15071,14 +15203,14 @@ Use 'clef exec' to inject secrets directly into a process, or 'clef export --for
 };
 // src/import/index.ts
-var path16 = __toESM(require("path"));
+var path17 = __toESM(require("path"));
 // src/import/parsers.ts
-var path15 = __toESM(require("path"));
-var YAML8 = __toESM(require("yaml"));
+var path16 = __toESM(require("path"));
+var YAML9 = __toESM(require("yaml"));
 function detectFormat(filePath, content) {
-  const base = path15.basename(filePath);
-  const ext = path15.extname(filePath).toLowerCase();
+  const base = path16.basename(filePath);
+  const ext = path16.extname(filePath).toLowerCase();
   if (base === ".env" || base.startsWith(".env.")) {
     return "dotenv";
   }
@@ -15099,7 +15231,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML8.parse(content);
+    const parsed = YAML9.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -15180,7 +15312,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML8.parse(content);
+    parsed = YAML9.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -15246,7 +15378,7 @@ var ImportRunner = class {
    */
   async import(target, sourcePath, content, manifest, repoRoot, options) {
     const [ns, env] = target.split("/");
-    const filePath = path16.join(
+    const filePath = path17.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
@@ -15298,7 +15430,7 @@ var ImportRunner = class {
     if (imported.length === 0) {
       return { imported, skipped, failed, warnings, dryRun: false };
     }
-    const relCellPath = path16.relative(repoRoot, filePath);
+    const relCellPath = path17.relative(repoRoot, filePath);
     const relMetaPath = relCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
     await this.tx.run(repoRoot, {
       description: `clef import ${target}: ${imported.length} key(s)`,
@@ -15317,7 +15449,7 @@ var ImportRunner = class {
 };
 // src/recipients/index.ts
-var path17 = __toESM(require("path"));
+var path18 = __toESM(require("path"));
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -15445,7 +15577,7 @@ var RecipientManager = class {
     const reEncryptedFiles = [];
     await this.tx.run(repoRoot, {
       description: environment ? `clef recipients add ${keyPreview(normalizedKey)} -e ${environment}` : `clef recipients add ${keyPreview(normalizedKey)}`,
-      paths: [...cells.map((c) => path17.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
+      paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
       mutate: async () => {
         const doc = readManifestYaml(repoRoot);
         const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -15504,7 +15636,7 @@ var RecipientManager = class {
     const reEncryptedFiles = [];
     await this.tx.run(repoRoot, {
       description: environment ? `clef recipients remove ${keyPreview(trimmedKey)} -e ${environment}` : `clef recipients remove ${keyPreview(trimmedKey)}`,
-      paths: [...cells.map((c) => path17.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
+      paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
       mutate: async () => {
         const doc = readManifestYaml(repoRoot);
         const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -15533,20 +15665,20 @@ var RecipientManager = class {
 };
 // src/recipients/requests.ts
-var fs16 = __toESM(require("fs"));
-var path18 = __toESM(require("path"));
-var YAML9 = __toESM(require("yaml"));
+var fs17 = __toESM(require("fs"));
+var path19 = __toESM(require("path"));
+var YAML10 = __toESM(require("yaml"));
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
-  return path18.join(repoRoot, REQUESTS_FILENAME);
+  return path19.join(repoRoot, REQUESTS_FILENAME);
 }
 function loadRequests(repoRoot) {
   const filePath = requestsFilePath(repoRoot);
   try {
-    if (!fs16.existsSync(filePath)) return [];
-    const content = fs16.readFileSync(filePath, "utf-8");
-    const parsed = YAML9.parse(content);
+    if (!fs17.existsSync(filePath)) return [];
+    const content = fs17.readFileSync(filePath, "utf-8");
+    const parsed = YAML10.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -15562,7 +15694,7 @@ function saveRequests(repoRoot, requests) {
   const filePath = requestsFilePath(repoRoot);
   if (requests.length === 0) {
     try {
-      fs16.unlinkSync(filePath);
+      fs17.unlinkSync(filePath);
     } catch {
     }
     return;
@@ -15578,7 +15710,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs16.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
+  fs17.writeFileSync(filePath, HEADER_COMMENT2 + YAML10.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -15614,7 +15746,7 @@ function findInList(requests, identifier) {
 }
 // src/drift/detector.ts
-var path19 = __toESM(require("path"));
+var path20 = __toESM(require("path"));
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -15627,8 +15759,8 @@ var DriftDetector = class {
    * @returns Drift result with any issues found.
    */
   detect(localRoot, remoteRoot, namespaceFilter) {
-    const localManifest = this.parser.parse(path19.join(localRoot, CLEF_MANIFEST_FILENAME));
-    const remoteManifest = this.parser.parse(path19.join(remoteRoot, CLEF_MANIFEST_FILENAME));
+    const localManifest = this.parser.parse(path20.join(localRoot, CLEF_MANIFEST_FILENAME));
+    const remoteManifest = this.parser.parse(path20.join(remoteRoot, CLEF_MANIFEST_FILENAME));
     const localCells = this.matrix.resolveMatrix(localManifest, localRoot);
     const remoteCells = this.matrix.resolveMatrix(remoteManifest, remoteRoot);
     const localEnvNames = localManifest.environments.map((e) => e.name);
@@ -15692,7 +15824,7 @@ var DriftDetector = class {
 };
 // src/report/generator.ts
-var path20 = __toESM(require("path"));
+var path21 = __toESM(require("path"));
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -15852,7 +15984,7 @@ var ReportGenerator = class {
     let manifest = null;
     try {
       const parser = new ManifestParser();
-      manifest = parser.parse(path20.join(repoRoot, "clef.yaml"));
+      manifest = parser.parse(path21.join(repoRoot, "clef.yaml"));
     } catch {
       const emptyManifest = {
         manifestVersion: 0,
@@ -16206,7 +16338,7 @@ var CloudClient = class {
     );
   }
   delay(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+    return new Promise((resolve2) => setTimeout(resolve2, ms));
   }
 };
@@ -16331,12 +16463,12 @@ var SopsMergeDriver = class {
 };
 // src/merge/metadata-driver.ts
-var fs17 = __toESM(require("fs"));
-var YAML10 = __toESM(require("yaml"));
+var fs18 = __toESM(require("fs"));
+var YAML11 = __toESM(require("yaml"));
 var HEADER_COMMENT3 = "# Managed by Clef. Do not edit manually.\n";
 function parseMetadata(content) {
   try {
-    const parsed = YAML10.parse(content);
+    const parsed = YAML11.parse(content);
     if (!parsed || typeof parsed !== "object") return emptyMetadata2();
     const pendingRaw = Array.isArray(parsed.pending) ? parsed.pending : [];
     const pending = pendingRaw.filter(
@@ -16374,7 +16506,7 @@ function serializeMetadata(m) {
       rotation_count: r.rotationCount
     }))
   };
-  return HEADER_COMMENT3 + YAML10.stringify(data);
+  return HEADER_COMMENT3 + YAML11.stringify(data);
 }
 function mergeRotations(ours, theirs) {
   const byKey = /* @__PURE__ */ new Map();
@@ -16434,14 +16566,14 @@ function mergeMetadataContents(oursContent, theirsContent) {
   return serializeMetadata({ version: 1, pending, rotations });
 }
 function mergeMetadataFiles(_basePath, oursPath, theirsPath) {
-  const oursContent = fs17.existsSync(oursPath) ? fs17.readFileSync(oursPath, "utf-8") : "";
-  const theirsContent = fs17.existsSync(theirsPath) ? fs17.readFileSync(theirsPath, "utf-8") : "";
+  const oursContent = fs18.existsSync(oursPath) ? fs18.readFileSync(oursPath, "utf-8") : "";
+  const theirsContent = fs18.existsSync(theirsPath) ? fs18.readFileSync(theirsPath, "utf-8") : "";
   const merged = mergeMetadataContents(oursContent, theirsContent);
-  fs17.writeFileSync(oursPath, merged, "utf-8");
+  fs18.writeFileSync(oursPath, merged, "utf-8");
 }
 // src/service-identity/manager.ts
-var path21 = __toESM(require("path"));
+var path22 = __toESM(require("path"));
 var ServiceIdentityManager = class {
   constructor(encryption, matrixManager, tx) {
     this.encryption = encryption;
@@ -16456,7 +16588,7 @@ var ServiceIdentityManager = class {
    * to seed TransactionManager.run's `paths` argument.
    */
   txPaths(repoRoot, cells) {
-    return [...cells.map((c) => path21.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
+    return [...cells.map((c) => path22.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
   }
   /**
    * Create a new service identity with per-environment age key pairs or KMS envelope config.
@@ -16978,8 +17110,8 @@ var ServiceIdentityManager = class {
 };
 // src/structure/manager.ts
-var fs18 = __toESM(require("fs"));
-var path22 = __toESM(require("path"));
+var fs19 = __toESM(require("fs"));
+var path23 = __toESM(require("path"));
 var StructureManager = class {
   constructor(matrixManager, encryption, tx) {
     this.matrixManager = matrixManager;
@@ -17003,15 +17135,15 @@ var StructureManager = class {
     this.assertValidIdentifier("namespace", name);
     const newCellPaths = manifest.environments.map((env) => ({
       environment: env.name,
-      filePath: path22.join(
+      filePath: path23.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", name).replace("{environment}", env.name)
       )
     }));
     for (const cell of newCellPaths) {
-      if (fs18.existsSync(cell.filePath)) {
+      if (fs19.existsSync(cell.filePath)) {
         throw new Error(
-          `Cannot add namespace '${name}': file '${path22.relative(repoRoot, cell.filePath)}' already exists.`
+          `Cannot add namespace '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
         );
       }
     }
@@ -17030,7 +17162,7 @@ var StructureManager = class {
     await this.tx.run(repoRoot, {
       description: `clef namespace add ${name}`,
       paths: [
-        ...newCellPaths.map((c) => path22.relative(repoRoot, c.filePath)),
+        ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
         CLEF_MANIFEST_FILENAME
       ],
       mutate: async () => {
@@ -17075,15 +17207,15 @@ var StructureManager = class {
     this.assertValidIdentifier("environment", name);
     const newCellPaths = manifest.namespaces.map((ns) => ({
       namespace: ns.name,
-      filePath: path22.join(
+      filePath: path23.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", ns.name).replace("{environment}", name)
       )
     }));
     for (const cell of newCellPaths) {
-      if (fs18.existsSync(cell.filePath)) {
+      if (fs19.existsSync(cell.filePath)) {
         throw new Error(
-          `Cannot add environment '${name}': file '${path22.relative(repoRoot, cell.filePath)}' already exists.`
+          `Cannot add environment '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
         );
       }
     }
@@ -17102,7 +17234,7 @@ var StructureManager = class {
     await this.tx.run(repoRoot, {
       description: `clef env add ${name}`,
       paths: [
-        ...newCellPaths.map((c) => path22.relative(repoRoot, c.filePath)),
+        ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
         CLEF_MANIFEST_FILENAME
       ],
       mutate: async () => {
@@ -17165,7 +17297,7 @@ var StructureManager = class {
       paths: this.deletePaths(repoRoot, cellsToDelete),
       mutate: async () => {
         for (const cell of cellsToDelete) {
-          fs18.unlinkSync(cell.filePath);
+          fs19.unlinkSync(cell.filePath);
           this.unlinkMetaSibling(cell.filePath);
         }
         const doc = readManifestYaml(repoRoot);
@@ -17215,7 +17347,7 @@ var StructureManager = class {
       paths: this.deletePaths(repoRoot, cellsToDelete),
       mutate: async () => {
         for (const cell of cellsToDelete) {
-          fs18.unlinkSync(cell.filePath);
+          fs19.unlinkSync(cell.filePath);
           this.unlinkMetaSibling(cell.filePath);
         }
         const doc = readManifestYaml(repoRoot);
@@ -17257,9 +17389,9 @@ var StructureManager = class {
     const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "namespace") : [];
     if (isRename) {
       for (const pair of renamePairs) {
-        if (fs18.existsSync(pair.to)) {
+        if (fs19.existsSync(pair.to)) {
           throw new Error(
-            `Rename target '${path22.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
+            `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
           );
         }
       }
@@ -17300,9 +17432,9 @@ var StructureManager = class {
     const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "environment") : [];
     if (isRename) {
       for (const pair of renamePairs) {
-        if (fs18.existsSync(pair.to)) {
+        if (fs19.existsSync(pair.to)) {
           throw new Error(
-            `Rename target '${path22.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
+            `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
           );
         }
       }
@@ -17337,7 +17469,7 @@ var StructureManager = class {
       const newCellPath = this.swapAxisInCellPath(repoRoot, manifest, cell, axis, newName);
       pairs.push({ from: cell.filePath, to: newCellPath });
       const oldMeta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
-      if (fs18.existsSync(oldMeta)) {
+      if (fs19.existsSync(oldMeta)) {
         const newMeta = newCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
         pairs.push({ from: oldMeta, to: newMeta });
       }
@@ -17352,7 +17484,7 @@ var StructureManager = class {
   swapAxisInCellPath(repoRoot, manifest, cell, axis, newName) {
     const ns = axis === "namespace" ? newName : cell.namespace;
     const env = axis === "environment" ? newName : cell.environment;
-    return path22.join(
+    return path23.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
@@ -17364,8 +17496,8 @@ var StructureManager = class {
   txPaths(repoRoot, renamePairs) {
     const paths = /* @__PURE__ */ new Set();
     for (const pair of renamePairs) {
-      paths.add(path22.relative(repoRoot, pair.from));
-      paths.add(path22.relative(repoRoot, pair.to));
+      paths.add(path23.relative(repoRoot, pair.from));
+      paths.add(path23.relative(repoRoot, pair.to));
     }
     paths.add(CLEF_MANIFEST_FILENAME);
     return [...paths];
@@ -17376,11 +17508,11 @@ var StructureManager = class {
    */
   applyRenames(pairs) {
     for (const pair of pairs) {
-      const targetDir = path22.dirname(pair.to);
-      if (!fs18.existsSync(targetDir)) {
-        fs18.mkdirSync(targetDir, { recursive: true });
+      const targetDir = path23.dirname(pair.to);
+      if (!fs19.existsSync(targetDir)) {
+        fs19.mkdirSync(targetDir, { recursive: true });
       }
-      fs18.renameSync(pair.from, pair.to);
+      fs19.renameSync(pair.from, pair.to);
     }
   }
   /**
@@ -17391,10 +17523,10 @@ var StructureManager = class {
   deletePaths(repoRoot, cells) {
     const paths = /* @__PURE__ */ new Set();
     for (const cell of cells) {
-      paths.add(path22.relative(repoRoot, cell.filePath));
+      paths.add(path23.relative(repoRoot, cell.filePath));
       const meta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
-      if (fs18.existsSync(meta)) {
-        paths.add(path22.relative(repoRoot, meta));
+      if (fs19.existsSync(meta)) {
+        paths.add(path23.relative(repoRoot, meta));
       }
     }
     paths.add(CLEF_MANIFEST_FILENAME);
@@ -17407,8 +17539,8 @@ var StructureManager = class {
    */
   unlinkMetaSibling(cellPath) {
     const meta = cellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
-    if (fs18.existsSync(meta)) {
-      fs18.unlinkSync(meta);
+    if (fs19.existsSync(meta)) {
+      fs19.unlinkSync(meta);
     }
   }
   /**
@@ -17550,24 +17682,24 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 }
 // src/artifact/packer.ts
-var crypto4 = __toESM(require("crypto"));
+var crypto5 = __toESM(require("crypto"));
 // src/artifact/output.ts
-var fs19 = __toESM(require("fs"));
-var path23 = __toESM(require("path"));
+var fs20 = __toESM(require("fs"));
+var path24 = __toESM(require("path"));
 var FilePackOutput = class {
   constructor(outputPath) {
     this.outputPath = outputPath;
   }
   outputPath;
   async write(_artifact, json) {
-    const outputDir = path23.dirname(this.outputPath);
-    if (!fs19.existsSync(outputDir)) {
-      fs19.mkdirSync(outputDir, { recursive: true });
+    const outputDir = path24.dirname(this.outputPath);
+    if (!fs20.existsSync(outputDir)) {
+      fs20.mkdirSync(outputDir, { recursive: true });
     }
     const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
-    fs19.writeFileSync(tmpOutput, json, "utf-8");
-    fs19.renameSync(tmpOutput, this.outputPath);
+    fs20.writeFileSync(tmpOutput, json, "utf-8");
+    fs20.renameSync(tmpOutput, this.outputPath);
   }
 };
 var MemoryPackOutput = class {
@@ -17666,6 +17798,12 @@ function detectAlgorithm(publicKeyBase64) {
   throw new Error(`Unsupported key type: ${keyType}`);
 }
+// src/artifact/hash.ts
+var crypto4 = __toESM(require("crypto"));
+function computeCiphertextHash(ciphertext) {
+  return crypto4.createHash("sha256").update(ciphertext).digest("hex");
+}
 // src/artifact/packer.ts
 var ArtifactPacker = class {
   constructor(encryption, matrixManager, kms) {
@@ -17701,10 +17839,10 @@ var ArtifactPacker = class {
       if (!this.kms) {
         throw new Error("KMS provider required for envelope encryption but none was provided.");
       }
-      const dek = crypto4.randomBytes(32);
-      const iv = crypto4.randomBytes(12);
+      const dek = crypto5.randomBytes(32);
+      const iv = crypto5.randomBytes(12);
       try {
-        const cipher = crypto4.createCipheriv("aes-256-gcm", dek, iv);
+        const cipher = crypto5.createCipheriv("aes-256-gcm", dek, iv);
         const ciphertextBuf = Buffer.concat([
           cipher.update(Buffer.from(plaintext, "utf-8")),
           cipher.final()
@@ -17713,8 +17851,8 @@ var ArtifactPacker = class {
         ciphertext = ciphertextBuf.toString("base64");
         const kmsConfig = resolved.envConfig.kms;
         const wrapped = await this.kms.wrap(kmsConfig.keyId, dek);
-        const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
-        const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
+        const revision = `${Date.now()}-${crypto5.randomBytes(4).toString("hex")}`;
+        const ciphertextHash = computeCiphertextHash(ciphertext);
         artifact = {
           version: 1,
           identity: config.identity,
@@ -17747,8 +17885,8 @@ var ArtifactPacker = class {
           `Failed to age-encrypt artifact: ${err instanceof Error ? err.message : String(err)}`
         );
       }
-      const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
-      const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
+      const revision = `${Date.now()}-${crypto5.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = computeCiphertextHash(ciphertext);
       artifact = {
         version: 1,
         identity: config.identity,
@@ -17862,6 +18000,156 @@ function assertPackedArtifact(x, context) {
   }
 }
+// src/envelope-debug/builders.ts
+function buildInspectError(source, code, message) {
+  return {
+    source,
+    version: null,
+    identity: null,
+    environment: null,
+    packedAt: null,
+    packedAtAgeMs: null,
+    revision: null,
+    ciphertextHash: null,
+    ciphertextHashVerified: null,
+    ciphertextBytes: null,
+    expiresAt: null,
+    expired: null,
+    revokedAt: null,
+    revoked: null,
+    envelope: null,
+    signature: { present: false, algorithm: null, verified: null },
+    error: { code, message }
+  };
+}
+function buildInspectResult(source, artifact, hashOk, now = Date.now()) {
+  const expiresAt = artifact.expiresAt ?? null;
+  const revokedAt = artifact.revokedAt ?? null;
+  const env = artifact.envelope;
+  return {
+    source,
+    version: artifact.version,
+    identity: artifact.identity,
+    environment: artifact.environment,
+    packedAt: artifact.packedAt,
+    packedAtAgeMs: now - new Date(artifact.packedAt).getTime(),
+    revision: artifact.revision,
+    ciphertextHash: artifact.ciphertextHash,
+    ciphertextHashVerified: hashOk,
+    ciphertextBytes: Buffer.byteLength(artifact.ciphertext, "base64"),
+    expiresAt,
+    expired: expiresAt ? new Date(expiresAt).getTime() < now : null,
+    revokedAt,
+    revoked: revokedAt !== null,
+    envelope: env ? {
+      provider: env.provider,
+      kms: {
+        provider: env.provider,
+        keyId: env.keyId,
+        algorithm: env.algorithm
+      }
+    } : { provider: "age", kms: null },
+    signature: {
+      present: typeof artifact.signature === "string",
+      algorithm: artifact.signatureAlgorithm ?? null,
+      verified: null
+    },
+    error: null
+  };
+}
+function buildVerifyError(source, code, message) {
+  return {
+    source,
+    checks: {
+      hash: { status: "skipped" },
+      signature: { status: "absent", algorithm: null },
+      expiry: { status: "absent", expiresAt: null },
+      revocation: { status: "absent", revokedAt: null }
+    },
+    overall: "fail",
+    error: { code, message }
+  };
+}
+function buildVerifyResult(source, inputs) {
+  const hashFailed = inputs.hash === "mismatch";
+  const signatureFailed = inputs.signature.status === "invalid";
+  const overall = hashFailed || signatureFailed ? "fail" : "pass";
+  return {
+    source,
+    checks: {
+      hash: { status: inputs.hash },
+      signature: inputs.signature,
+      expiry: inputs.expiry,
+      revocation: inputs.revocation
+    },
+    overall,
+    error: null
+  };
+}
+function buildDecryptError(source, code, message) {
+  return {
+    source,
+    status: "error",
+    error: { code, message },
+    revealed: false,
+    keys: [],
+    values: null
+  };
+}
+function buildDecryptResult(source, inputs) {
+  let values = null;
+  if (inputs.allValues) {
+    values = inputs.allValues;
+  } else if (inputs.singleKey) {
+    values = { [inputs.singleKey.name]: inputs.singleKey.value };
+  }
+  return {
+    source,
+    status: "ok",
+    error: null,
+    revealed: values !== null,
+    keys: [...inputs.keys].sort(),
+    values
+  };
+}
+// src/envelope-debug/warnings.ts
+var WARNING_TAIL = "Shell history, terminal scrollback, and any attached logging (tmux capture-pane, CI log collectors, screen-recording) may retain it. Proceed only if this terminal and its upstream captures are trusted.";
+var REVEAL_WARNING = `WARNING: plaintext will be printed to stdout. ${WARNING_TAIL}`;
+function formatRevealWarning(key) {
+  if (!key) return REVEAL_WARNING;
+  return `WARNING: value for key "${key}" will be printed to stdout. ${WARNING_TAIL}`;
+}
+// src/envelope-debug/signer-key.ts
+var crypto6 = __toESM(require("crypto"));
+function parseSignerKey(input) {
+  const trimmed = input.trim();
+  if (trimmed.startsWith("-----BEGIN")) {
+    return pemToBase64Der(trimmed);
+  }
+  try {
+    const key = crypto6.createPublicKey({
+      key: Buffer.from(trimmed, "base64"),
+      format: "der",
+      type: "spki"
+    });
+    return key.export({ type: "spki", format: "der" }).toString("base64");
+  } catch (err) {
+    throw new Error(
+      `signer key could not be parsed as PEM or a base64 DER SPKI key: ${err.message}`
+    );
+  }
+}
+function pemToBase64Der(pem) {
+  try {
+    const key = crypto6.createPublicKey({ key: pem, format: "pem" });
+    return key.export({ type: "spki", format: "der" }).toString("base64");
+  } catch (err) {
+    throw new Error(`signer key PEM is invalid: ${err.message}`);
+  }
+}
 // src/pack/registry.ts
 var PackBackendRegistry = class {
   factories = /* @__PURE__ */ new Map();
@@ -17949,8 +18237,8 @@ var JsonEnvelopeBackend = class {
 var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
 // src/migration/backend.ts
-var path24 = __toESM(require("path"));
-var YAML11 = __toESM(require("yaml"));
+var path25 = __toESM(require("path"));
+var YAML12 = __toESM(require("yaml"));
 var BACKEND_KEY_FIELDS = {
   age: void 0,
   awskms: "aws_kms_arn",
@@ -18069,14 +18357,14 @@ var BackendMigrator = class {
       await this.tx.run(repoRoot, {
         description: environment ? `clef migrate-backend ${target.backend}: ${environment}` : `clef migrate-backend ${target.backend}`,
         paths: [
-          ...toMigrate.map((c) => path24.relative(repoRoot, c.filePath)),
+          ...toMigrate.map((c) => path25.relative(repoRoot, c.filePath)),
           CLEF_MANIFEST_FILENAME
         ],
         mutate: async () => {
           const doc = readManifestYaml(repoRoot);
           this.updateManifestDoc(doc, target, environment);
           writeManifestYaml(repoRoot, doc);
-          const updatedManifest = YAML11.parse(YAML11.stringify(doc));
+          const updatedManifest = YAML12.parse(YAML12.stringify(doc));
           for (const cell of toMigrate) {
             onProgress?.({
               type: "migrate",
@@ -18167,7 +18455,7 @@ var BackendMigrator = class {
 };
 // src/reset/manager.ts
-var path25 = __toESM(require("path"));
+var path26 = __toESM(require("path"));
 var ResetManager = class {
   constructor(matrixManager, encryption, schemaValidator, tx) {
     this.matrixManager = matrixManager;
@@ -18196,11 +18484,11 @@ var ResetManager = class {
       txPaths.push(CLEF_MANIFEST_FILENAME);
     }
     for (const cell of targetCells) {
-      txPaths.push(path25.relative(repoRoot, cell.filePath));
+      txPaths.push(path26.relative(repoRoot, cell.filePath));
       const cellKeys = keyPlan.get(cell.namespace) ?? [];
       if (cellKeys.length > 0) {
         txPaths.push(
-          path25.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
+          path26.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
         );
       }
     }
@@ -18288,7 +18576,7 @@ var ResetManager = class {
     for (const namespace of namespaces) {
       const nsDef = manifest.namespaces.find((n) => n.name === namespace);
       if (nsDef?.schema) {
-        const schema = this.schemaValidator.loadSchema(path25.join(repoRoot, nsDef.schema));
+        const schema = this.schemaValidator.loadSchema(path26.join(repoRoot, nsDef.schema));
         plan.set(namespace, Object.keys(schema.keys));
         continue;
       }
@@ -18367,7 +18655,7 @@ function withBackendOverride(manifest, envNames, backend, key) {
 }
 // src/sync/manager.ts
-var path26 = __toESM(require("path"));
+var path27 = __toESM(require("path"));
 var SyncManager = class {
   constructor(matrixManager, encryption, tx) {
     this.matrixManager = matrixManager;
@@ -18439,7 +18727,7 @@ var SyncManager = class {
     }
     const txPaths = [];
     for (const cell of syncPlan.cells) {
-      const rel = path26.relative(repoRoot, cell.filePath);
+      const rel = path27.relative(repoRoot, cell.filePath);
       txPaths.push(rel);
       txPaths.push(rel.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"));
     }
@@ -18478,8 +18766,8 @@ var SyncManager = class {
 };
 // src/policy/parser.ts
-var fs20 = __toESM(require("fs"));
-var YAML12 = __toESM(require("yaml"));
+var fs21 = __toESM(require("fs"));
+var YAML13 = __toESM(require("yaml"));
 // src/policy/types.ts
 var DEFAULT_POLICY = Object.freeze({
@@ -18500,7 +18788,7 @@ var PolicyParser = class {
   parse(filePath) {
     let raw;
     try {
-      raw = fs20.readFileSync(filePath, "utf-8");
+      raw = fs21.readFileSync(filePath, "utf-8");
     } catch {
       throw new PolicyValidationError(`Could not read policy file at '${filePath}'.`);
     }
@@ -18515,7 +18803,7 @@ var PolicyParser = class {
   parseContent(content) {
     let parsed;
     try {
-      parsed = YAML12.parse(content);
+      parsed = YAML13.parse(content);
     } catch {
       throw new PolicyValidationError(
         "Policy file contains invalid YAML. Check for syntax errors."
@@ -18528,7 +18816,7 @@ var PolicyParser = class {
    * not exist. Any other read or validation error throws.
    */
   load(filePath) {
-    if (!fs20.existsSync(filePath)) return DEFAULT_POLICY;
+    if (!fs21.existsSync(filePath)) return DEFAULT_POLICY;
     return this.parse(filePath);
   }
   validate(raw) {
@@ -18722,13 +19010,13 @@ var ComplianceGenerator = class {
 };
 // src/compliance/run.ts
-var path27 = __toESM(require("path"));
+var path28 = __toESM(require("path"));
 var UNKNOWN = "unknown";
 async function runCompliance(opts) {
   const start = Date.now();
   const repoRoot = opts.repoRoot ?? process.cwd();
-  const manifestPath = opts.manifestPath ?? path27.join(repoRoot, "clef.yaml");
-  const policyPath = opts.policyPath ?? path27.join(repoRoot, CLEF_POLICY_FILENAME);
+  const manifestPath = opts.manifestPath ?? path28.join(repoRoot, "clef.yaml");
+  const policyPath = opts.policyPath ?? path28.join(repoRoot, CLEF_POLICY_FILENAME);
   const include = {
     scan: opts.include?.scan ?? true,
     lint: opts.include?.lint ?? true,
@@ -18774,7 +19062,7 @@ async function evaluateMatrix(args) {
   return Promise.all(
     cells.map(async (cell) => {
       const metadata = await args.sopsClient.getMetadata(cell.filePath);
-      const relPath = path27.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
+      const relPath = path28.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
       const keys = readSopsKeyNames(cell.filePath) ?? [];
       const rotations = await getRotations(cell.filePath);
       return evaluator.evaluateFile(relPath, cell.environment, metadata, keys, rotations, args.now);
@@ -18866,6 +19154,7 @@ async function detectRepo(runner, repoRoot) {
   PolicyValidationError,
   REQUESTS_FILENAME,
   REQUIREMENTS,
+  REVEAL_WARNING,
   RecipientManager,
   ReportGenerator,
   ReportSanitizer,
@@ -18891,16 +19180,26 @@ async function detectRepo(runner, repoRoot) {
   VALID_KMS_PROVIDERS,
   assertPackedArtifact,
   assertSops,
+  buildDecryptError,
+  buildDecryptResult,
+  buildInspectError,
+  buildInspectResult,
   buildSigningPayload,
+  buildVerifyError,
+  buildVerifyResult,
   checkAll,
   checkDependency,
   collectCIContext,
+  computeCiphertextHash,
   deriveAgePublicKey,
   describeScope,
   detectAlgorithm,
   detectFormat,
+  emptyTemplate,
+  exampleTemplate,
   findRequest,
   formatAgeKeyFile,
+  formatRevealWarning,
   generateAgeIdentity,
   generateRandomValue,
   generateSigningKeyPair,
@@ -18926,6 +19225,7 @@ async function detectRepo(runner, repoRoot) {
   parseDotenv,
   parseIgnoreContent,
   parseJson,
+  parseSignerKey,
   parseYaml,
   pkcs11UriToSyntheticArn,
   readManifestYaml,
@@ -18944,6 +19244,7 @@ async function detectRepo(runner, repoRoot) {
   runCompliance,
   saveMetadata,
   saveRequests,
+  serializeSchema,
   shannonEntropy,
   shouldIgnoreFile,
   shouldIgnoreMatch,
@@ -18958,7 +19259,9 @@ async function detectRepo(runner, repoRoot) {
   validateResetScope,
   verifySignature,
   writeManifestYaml,
-  writeManifestYamlRaw
+  writeManifestYamlRaw,
+  writeSchema,
+  writeSchemaRaw
 });
 /*! Bundled license information: