@clef-sh/core 0.1.20 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/artifact/hash.d.ts +10 -0
  2. package/dist/artifact/hash.d.ts.map +1 -0
  3. package/dist/artifact/packer.d.ts.map +1 -1
  4. package/dist/envelope-debug/builders.d.ts +28 -0
  5. package/dist/envelope-debug/builders.d.ts.map +1 -0
  6. package/dist/envelope-debug/index.d.ts +5 -0
  7. package/dist/envelope-debug/index.d.ts.map +1 -0
  8. package/dist/envelope-debug/signer-key.d.ts +18 -0
  9. package/dist/envelope-debug/signer-key.d.ts.map +1 -0
  10. package/dist/envelope-debug/types.d.ts +142 -0
  11. package/dist/envelope-debug/types.d.ts.map +1 -0
  12. package/dist/envelope-debug/warnings.d.ts +23 -0
  13. package/dist/envelope-debug/warnings.d.ts.map +1 -0
  14. package/dist/index.d.mts +5 -0
  15. package/dist/index.d.ts +5 -0
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +715 -412
  18. package/dist/index.js.map +4 -4
  19. package/dist/index.mjs +695 -407
  20. package/dist/index.mjs.map +4 -4
  21. package/dist/schema/validator.d.ts.map +1 -1
  22. package/dist/schema/writer.d.ts +61 -0
  23. package/dist/schema/writer.d.ts.map +1 -0
  24. package/dist/types/index.d.ts +1 -4
  25. package/dist/types/index.d.ts.map +1 -1
  26. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -304,10 +304,10 @@ var require_lib = __commonJS({
304
304
  module2.exports.sync = writeFileSync7;
305
305
  module2.exports._getTmpname = getTmpname;
306
306
  module2.exports._cleanupOnExit = cleanupOnExit;
307
- var fs21 = require("fs");
308
- var crypto5 = require("node:crypto");
307
+ var fs22 = require("fs");
308
+ var crypto7 = require("node:crypto");
309
309
  var { onExit } = require_cjs();
310
- var path28 = require("path");
310
+ var path29 = require("path");
311
311
  var { promisify } = require("util");
312
312
  var activeFiles = {};
313
313
  var threadId = (function getId() {
@@ -320,24 +320,24 @@ var require_lib = __commonJS({
320
320
  })();
321
321
  var invocations = 0;
322
322
  function getTmpname(filename) {
323
- return filename + "." + crypto5.createHash("sha1").update(__filename).update(String(process.pid)).update(String(threadId)).update(String(++invocations)).digest().readUInt32BE(0);
323
+ return filename + "." + crypto7.createHash("sha1").update(__filename).update(String(process.pid)).update(String(threadId)).update(String(++invocations)).digest().readUInt32BE(0);
324
324
  }
325
325
  function cleanupOnExit(tmpfile) {
326
326
  return () => {
327
327
  try {
328
- fs21.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
328
+ fs22.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
329
329
  } catch {
330
330
  }
331
331
  };
332
332
  }
333
333
  function serializeActiveFile(absoluteName) {
334
- return new Promise((resolve) => {
334
+ return new Promise((resolve2) => {
335
335
  if (!activeFiles[absoluteName]) {
336
336
  activeFiles[absoluteName] = [];
337
337
  }
338
- activeFiles[absoluteName].push(resolve);
338
+ activeFiles[absoluteName].push(resolve2);
339
339
  if (activeFiles[absoluteName].length === 1) {
340
- resolve();
340
+ resolve2();
341
341
  }
342
342
  });
343
343
  }
@@ -360,13 +360,13 @@ var require_lib = __commonJS({
360
360
  let fd;
361
361
  let tmpfile;
362
362
  const removeOnExitHandler = onExit(cleanupOnExit(() => tmpfile));
363
- const absoluteName = path28.resolve(filename);
363
+ const absoluteName = path29.resolve(filename);
364
364
  try {
365
365
  await serializeActiveFile(absoluteName);
366
- const truename = await promisify(fs21.realpath)(filename).catch(() => filename);
366
+ const truename = await promisify(fs22.realpath)(filename).catch(() => filename);
367
367
  tmpfile = getTmpname(truename);
368
368
  if (!options.mode || !options.chown) {
369
- const stats = await promisify(fs21.stat)(truename).catch(() => {
369
+ const stats = await promisify(fs22.stat)(truename).catch(() => {
370
370
  });
371
371
  if (stats) {
372
372
  if (options.mode == null) {
@@ -377,45 +377,45 @@ var require_lib = __commonJS({
377
377
  }
378
378
  }
379
379
  }
380
- fd = await promisify(fs21.open)(tmpfile, "w", options.mode);
380
+ fd = await promisify(fs22.open)(tmpfile, "w", options.mode);
381
381
  if (options.tmpfileCreated) {
382
382
  await options.tmpfileCreated(tmpfile);
383
383
  }
384
384
  if (ArrayBuffer.isView(data)) {
385
- await promisify(fs21.write)(fd, data, 0, data.length, 0);
385
+ await promisify(fs22.write)(fd, data, 0, data.length, 0);
386
386
  } else if (data != null) {
387
- await promisify(fs21.write)(fd, String(data), 0, String(options.encoding || "utf8"));
387
+ await promisify(fs22.write)(fd, String(data), 0, String(options.encoding || "utf8"));
388
388
  }
389
389
  if (options.fsync !== false) {
390
- await promisify(fs21.fsync)(fd);
390
+ await promisify(fs22.fsync)(fd);
391
391
  }
392
- await promisify(fs21.close)(fd);
392
+ await promisify(fs22.close)(fd);
393
393
  fd = null;
394
394
  if (options.chown) {
395
- await promisify(fs21.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
395
+ await promisify(fs22.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
396
396
  if (!isChownErrOk(err)) {
397
397
  throw err;
398
398
  }
399
399
  });
400
400
  }
401
401
  if (options.mode) {
402
- await promisify(fs21.chmod)(tmpfile, options.mode).catch((err) => {
402
+ await promisify(fs22.chmod)(tmpfile, options.mode).catch((err) => {
403
403
  if (!isChownErrOk(err)) {
404
404
  throw err;
405
405
  }
406
406
  });
407
407
  }
408
- await promisify(fs21.rename)(tmpfile, truename);
408
+ await promisify(fs22.rename)(tmpfile, truename);
409
409
  } finally {
410
410
  if (fd) {
411
- await promisify(fs21.close)(fd).catch(
411
+ await promisify(fs22.close)(fd).catch(
412
412
  /* istanbul ignore next */
413
413
  () => {
414
414
  }
415
415
  );
416
416
  }
417
417
  removeOnExitHandler();
418
- await promisify(fs21.unlink)(tmpfile).catch(() => {
418
+ await promisify(fs22.unlink)(tmpfile).catch(() => {
419
419
  });
420
420
  activeFiles[absoluteName].shift();
421
421
  if (activeFiles[absoluteName].length > 0) {
@@ -448,13 +448,13 @@ var require_lib = __commonJS({
448
448
  options = {};
449
449
  }
450
450
  try {
451
- filename = fs21.realpathSync(filename);
451
+ filename = fs22.realpathSync(filename);
452
452
  } catch (ex) {
453
453
  }
454
454
  const tmpfile = getTmpname(filename);
455
455
  if (!options.mode || !options.chown) {
456
456
  try {
457
- const stats = fs21.statSync(filename);
457
+ const stats = fs22.statSync(filename);
458
458
  options = Object.assign({}, options);
459
459
  if (!options.mode) {
460
460
  options.mode = stats.mode;
@@ -470,23 +470,23 @@ var require_lib = __commonJS({
470
470
  const removeOnExitHandler = onExit(cleanup);
471
471
  let threw = true;
472
472
  try {
473
- fd = fs21.openSync(tmpfile, "w", options.mode || 438);
473
+ fd = fs22.openSync(tmpfile, "w", options.mode || 438);
474
474
  if (options.tmpfileCreated) {
475
475
  options.tmpfileCreated(tmpfile);
476
476
  }
477
477
  if (ArrayBuffer.isView(data)) {
478
- fs21.writeSync(fd, data, 0, data.length, 0);
478
+ fs22.writeSync(fd, data, 0, data.length, 0);
479
479
  } else if (data != null) {
480
- fs21.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
480
+ fs22.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
481
481
  }
482
482
  if (options.fsync !== false) {
483
- fs21.fsyncSync(fd);
483
+ fs22.fsyncSync(fd);
484
484
  }
485
- fs21.closeSync(fd);
485
+ fs22.closeSync(fd);
486
486
  fd = null;
487
487
  if (options.chown) {
488
488
  try {
489
- fs21.chownSync(tmpfile, options.chown.uid, options.chown.gid);
489
+ fs22.chownSync(tmpfile, options.chown.uid, options.chown.gid);
490
490
  } catch (err) {
491
491
  if (!isChownErrOk(err)) {
492
492
  throw err;
@@ -495,19 +495,19 @@ var require_lib = __commonJS({
495
495
  }
496
496
  if (options.mode) {
497
497
  try {
498
- fs21.chmodSync(tmpfile, options.mode);
498
+ fs22.chmodSync(tmpfile, options.mode);
499
499
  } catch (err) {
500
500
  if (!isChownErrOk(err)) {
501
501
  throw err;
502
502
  }
503
503
  }
504
504
  }
505
- fs21.renameSync(tmpfile, filename);
505
+ fs22.renameSync(tmpfile, filename);
506
506
  threw = false;
507
507
  } finally {
508
508
  if (fd) {
509
509
  try {
510
- fs21.closeSync(fd);
510
+ fs22.closeSync(fd);
511
511
  } catch (ex) {
512
512
  }
513
513
  }
@@ -546,54 +546,54 @@ var require_polyfills = __commonJS({
546
546
  }
547
547
  var chdir;
548
548
  module2.exports = patch;
549
- function patch(fs21) {
549
+ function patch(fs22) {
550
550
  if (constants.hasOwnProperty("O_SYMLINK") && process.version.match(/^v0\.6\.[0-2]|^v0\.5\./)) {
551
- patchLchmod(fs21);
552
- }
553
- if (!fs21.lutimes) {
554
- patchLutimes(fs21);
555
- }
556
- fs21.chown = chownFix(fs21.chown);
557
- fs21.fchown = chownFix(fs21.fchown);
558
- fs21.lchown = chownFix(fs21.lchown);
559
- fs21.chmod = chmodFix(fs21.chmod);
560
- fs21.fchmod = chmodFix(fs21.fchmod);
561
- fs21.lchmod = chmodFix(fs21.lchmod);
562
- fs21.chownSync = chownFixSync(fs21.chownSync);
563
- fs21.fchownSync = chownFixSync(fs21.fchownSync);
564
- fs21.lchownSync = chownFixSync(fs21.lchownSync);
565
- fs21.chmodSync = chmodFixSync(fs21.chmodSync);
566
- fs21.fchmodSync = chmodFixSync(fs21.fchmodSync);
567
- fs21.lchmodSync = chmodFixSync(fs21.lchmodSync);
568
- fs21.stat = statFix(fs21.stat);
569
- fs21.fstat = statFix(fs21.fstat);
570
- fs21.lstat = statFix(fs21.lstat);
571
- fs21.statSync = statFixSync(fs21.statSync);
572
- fs21.fstatSync = statFixSync(fs21.fstatSync);
573
- fs21.lstatSync = statFixSync(fs21.lstatSync);
574
- if (fs21.chmod && !fs21.lchmod) {
575
- fs21.lchmod = function(path28, mode, cb) {
551
+ patchLchmod(fs22);
552
+ }
553
+ if (!fs22.lutimes) {
554
+ patchLutimes(fs22);
555
+ }
556
+ fs22.chown = chownFix(fs22.chown);
557
+ fs22.fchown = chownFix(fs22.fchown);
558
+ fs22.lchown = chownFix(fs22.lchown);
559
+ fs22.chmod = chmodFix(fs22.chmod);
560
+ fs22.fchmod = chmodFix(fs22.fchmod);
561
+ fs22.lchmod = chmodFix(fs22.lchmod);
562
+ fs22.chownSync = chownFixSync(fs22.chownSync);
563
+ fs22.fchownSync = chownFixSync(fs22.fchownSync);
564
+ fs22.lchownSync = chownFixSync(fs22.lchownSync);
565
+ fs22.chmodSync = chmodFixSync(fs22.chmodSync);
566
+ fs22.fchmodSync = chmodFixSync(fs22.fchmodSync);
567
+ fs22.lchmodSync = chmodFixSync(fs22.lchmodSync);
568
+ fs22.stat = statFix(fs22.stat);
569
+ fs22.fstat = statFix(fs22.fstat);
570
+ fs22.lstat = statFix(fs22.lstat);
571
+ fs22.statSync = statFixSync(fs22.statSync);
572
+ fs22.fstatSync = statFixSync(fs22.fstatSync);
573
+ fs22.lstatSync = statFixSync(fs22.lstatSync);
574
+ if (fs22.chmod && !fs22.lchmod) {
575
+ fs22.lchmod = function(path29, mode, cb) {
576
576
  if (cb) process.nextTick(cb);
577
577
  };
578
- fs21.lchmodSync = function() {
578
+ fs22.lchmodSync = function() {
579
579
  };
580
580
  }
581
- if (fs21.chown && !fs21.lchown) {
582
- fs21.lchown = function(path28, uid, gid, cb) {
581
+ if (fs22.chown && !fs22.lchown) {
582
+ fs22.lchown = function(path29, uid, gid, cb) {
583
583
  if (cb) process.nextTick(cb);
584
584
  };
585
- fs21.lchownSync = function() {
585
+ fs22.lchownSync = function() {
586
586
  };
587
587
  }
588
588
  if (platform === "win32") {
589
- fs21.rename = typeof fs21.rename !== "function" ? fs21.rename : (function(fs$rename) {
589
+ fs22.rename = typeof fs22.rename !== "function" ? fs22.rename : (function(fs$rename) {
590
590
  function rename(from, to, cb) {
591
591
  var start = Date.now();
592
592
  var backoff = 0;
593
593
  fs$rename(from, to, function CB(er) {
594
594
  if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
595
595
  setTimeout(function() {
596
- fs21.stat(to, function(stater, st) {
596
+ fs22.stat(to, function(stater, st) {
597
597
  if (stater && stater.code === "ENOENT")
598
598
  fs$rename(from, to, CB);
599
599
  else
@@ -609,9 +609,9 @@ var require_polyfills = __commonJS({
609
609
  }
610
610
  if (Object.setPrototypeOf) Object.setPrototypeOf(rename, fs$rename);
611
611
  return rename;
612
- })(fs21.rename);
612
+ })(fs22.rename);
613
613
  }
614
- fs21.read = typeof fs21.read !== "function" ? fs21.read : (function(fs$read) {
614
+ fs22.read = typeof fs22.read !== "function" ? fs22.read : (function(fs$read) {
615
615
  function read(fd, buffer, offset, length, position, callback_) {
616
616
  var callback;
617
617
  if (callback_ && typeof callback_ === "function") {
@@ -619,22 +619,22 @@ var require_polyfills = __commonJS({
619
619
  callback = function(er, _, __) {
620
620
  if (er && er.code === "EAGAIN" && eagCounter < 10) {
621
621
  eagCounter++;
622
- return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
622
+ return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
623
623
  }
624
624
  callback_.apply(this, arguments);
625
625
  };
626
626
  }
627
- return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
627
+ return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
628
628
  }
629
629
  if (Object.setPrototypeOf) Object.setPrototypeOf(read, fs$read);
630
630
  return read;
631
- })(fs21.read);
632
- fs21.readSync = typeof fs21.readSync !== "function" ? fs21.readSync : /* @__PURE__ */ (function(fs$readSync) {
631
+ })(fs22.read);
632
+ fs22.readSync = typeof fs22.readSync !== "function" ? fs22.readSync : /* @__PURE__ */ (function(fs$readSync) {
633
633
  return function(fd, buffer, offset, length, position) {
634
634
  var eagCounter = 0;
635
635
  while (true) {
636
636
  try {
637
- return fs$readSync.call(fs21, fd, buffer, offset, length, position);
637
+ return fs$readSync.call(fs22, fd, buffer, offset, length, position);
638
638
  } catch (er) {
639
639
  if (er.code === "EAGAIN" && eagCounter < 10) {
640
640
  eagCounter++;
@@ -644,11 +644,11 @@ var require_polyfills = __commonJS({
644
644
  }
645
645
  }
646
646
  };
647
- })(fs21.readSync);
648
- function patchLchmod(fs22) {
649
- fs22.lchmod = function(path28, mode, callback) {
650
- fs22.open(
651
- path28,
647
+ })(fs22.readSync);
648
+ function patchLchmod(fs23) {
649
+ fs23.lchmod = function(path29, mode, callback) {
650
+ fs23.open(
651
+ path29,
652
652
  constants.O_WRONLY | constants.O_SYMLINK,
653
653
  mode,
654
654
  function(err, fd) {
@@ -656,80 +656,80 @@ var require_polyfills = __commonJS({
656
656
  if (callback) callback(err);
657
657
  return;
658
658
  }
659
- fs22.fchmod(fd, mode, function(err2) {
660
- fs22.close(fd, function(err22) {
659
+ fs23.fchmod(fd, mode, function(err2) {
660
+ fs23.close(fd, function(err22) {
661
661
  if (callback) callback(err2 || err22);
662
662
  });
663
663
  });
664
664
  }
665
665
  );
666
666
  };
667
- fs22.lchmodSync = function(path28, mode) {
668
- var fd = fs22.openSync(path28, constants.O_WRONLY | constants.O_SYMLINK, mode);
667
+ fs23.lchmodSync = function(path29, mode) {
668
+ var fd = fs23.openSync(path29, constants.O_WRONLY | constants.O_SYMLINK, mode);
669
669
  var threw = true;
670
670
  var ret;
671
671
  try {
672
- ret = fs22.fchmodSync(fd, mode);
672
+ ret = fs23.fchmodSync(fd, mode);
673
673
  threw = false;
674
674
  } finally {
675
675
  if (threw) {
676
676
  try {
677
- fs22.closeSync(fd);
677
+ fs23.closeSync(fd);
678
678
  } catch (er) {
679
679
  }
680
680
  } else {
681
- fs22.closeSync(fd);
681
+ fs23.closeSync(fd);
682
682
  }
683
683
  }
684
684
  return ret;
685
685
  };
686
686
  }
687
- function patchLutimes(fs22) {
688
- if (constants.hasOwnProperty("O_SYMLINK") && fs22.futimes) {
689
- fs22.lutimes = function(path28, at, mt, cb) {
690
- fs22.open(path28, constants.O_SYMLINK, function(er, fd) {
687
+ function patchLutimes(fs23) {
688
+ if (constants.hasOwnProperty("O_SYMLINK") && fs23.futimes) {
689
+ fs23.lutimes = function(path29, at, mt, cb) {
690
+ fs23.open(path29, constants.O_SYMLINK, function(er, fd) {
691
691
  if (er) {
692
692
  if (cb) cb(er);
693
693
  return;
694
694
  }
695
- fs22.futimes(fd, at, mt, function(er2) {
696
- fs22.close(fd, function(er22) {
695
+ fs23.futimes(fd, at, mt, function(er2) {
696
+ fs23.close(fd, function(er22) {
697
697
  if (cb) cb(er2 || er22);
698
698
  });
699
699
  });
700
700
  });
701
701
  };
702
- fs22.lutimesSync = function(path28, at, mt) {
703
- var fd = fs22.openSync(path28, constants.O_SYMLINK);
702
+ fs23.lutimesSync = function(path29, at, mt) {
703
+ var fd = fs23.openSync(path29, constants.O_SYMLINK);
704
704
  var ret;
705
705
  var threw = true;
706
706
  try {
707
- ret = fs22.futimesSync(fd, at, mt);
707
+ ret = fs23.futimesSync(fd, at, mt);
708
708
  threw = false;
709
709
  } finally {
710
710
  if (threw) {
711
711
  try {
712
- fs22.closeSync(fd);
712
+ fs23.closeSync(fd);
713
713
  } catch (er) {
714
714
  }
715
715
  } else {
716
- fs22.closeSync(fd);
716
+ fs23.closeSync(fd);
717
717
  }
718
718
  }
719
719
  return ret;
720
720
  };
721
- } else if (fs22.futimes) {
722
- fs22.lutimes = function(_a, _b, _c, cb) {
721
+ } else if (fs23.futimes) {
722
+ fs23.lutimes = function(_a, _b, _c, cb) {
723
723
  if (cb) process.nextTick(cb);
724
724
  };
725
- fs22.lutimesSync = function() {
725
+ fs23.lutimesSync = function() {
726
726
  };
727
727
  }
728
728
  }
729
729
  function chmodFix(orig) {
730
730
  if (!orig) return orig;
731
731
  return function(target, mode, cb) {
732
- return orig.call(fs21, target, mode, function(er) {
732
+ return orig.call(fs22, target, mode, function(er) {
733
733
  if (chownErOk(er)) er = null;
734
734
  if (cb) cb.apply(this, arguments);
735
735
  });
@@ -739,7 +739,7 @@ var require_polyfills = __commonJS({
739
739
  if (!orig) return orig;
740
740
  return function(target, mode) {
741
741
  try {
742
- return orig.call(fs21, target, mode);
742
+ return orig.call(fs22, target, mode);
743
743
  } catch (er) {
744
744
  if (!chownErOk(er)) throw er;
745
745
  }
@@ -748,7 +748,7 @@ var require_polyfills = __commonJS({
748
748
  function chownFix(orig) {
749
749
  if (!orig) return orig;
750
750
  return function(target, uid, gid, cb) {
751
- return orig.call(fs21, target, uid, gid, function(er) {
751
+ return orig.call(fs22, target, uid, gid, function(er) {
752
752
  if (chownErOk(er)) er = null;
753
753
  if (cb) cb.apply(this, arguments);
754
754
  });
@@ -758,7 +758,7 @@ var require_polyfills = __commonJS({
758
758
  if (!orig) return orig;
759
759
  return function(target, uid, gid) {
760
760
  try {
761
- return orig.call(fs21, target, uid, gid);
761
+ return orig.call(fs22, target, uid, gid);
762
762
  } catch (er) {
763
763
  if (!chownErOk(er)) throw er;
764
764
  }
@@ -778,13 +778,13 @@ var require_polyfills = __commonJS({
778
778
  }
779
779
  if (cb) cb.apply(this, arguments);
780
780
  }
781
- return options ? orig.call(fs21, target, options, callback) : orig.call(fs21, target, callback);
781
+ return options ? orig.call(fs22, target, options, callback) : orig.call(fs22, target, callback);
782
782
  };
783
783
  }
784
784
  function statFixSync(orig) {
785
785
  if (!orig) return orig;
786
786
  return function(target, options) {
787
- var stats = options ? orig.call(fs21, target, options) : orig.call(fs21, target);
787
+ var stats = options ? orig.call(fs22, target, options) : orig.call(fs22, target);
788
788
  if (stats) {
789
789
  if (stats.uid < 0) stats.uid += 4294967296;
790
790
  if (stats.gid < 0) stats.gid += 4294967296;
@@ -813,16 +813,16 @@ var require_legacy_streams = __commonJS({
813
813
  "../../node_modules/graceful-fs/legacy-streams.js"(exports2, module2) {
814
814
  var Stream = require("stream").Stream;
815
815
  module2.exports = legacy;
816
- function legacy(fs21) {
816
+ function legacy(fs22) {
817
817
  return {
818
818
  ReadStream,
819
819
  WriteStream
820
820
  };
821
- function ReadStream(path28, options) {
822
- if (!(this instanceof ReadStream)) return new ReadStream(path28, options);
821
+ function ReadStream(path29, options) {
822
+ if (!(this instanceof ReadStream)) return new ReadStream(path29, options);
823
823
  Stream.call(this);
824
824
  var self = this;
825
- this.path = path28;
825
+ this.path = path29;
826
826
  this.fd = null;
827
827
  this.readable = true;
828
828
  this.paused = false;
@@ -856,7 +856,7 @@ var require_legacy_streams = __commonJS({
856
856
  });
857
857
  return;
858
858
  }
859
- fs21.open(this.path, this.flags, this.mode, function(err, fd) {
859
+ fs22.open(this.path, this.flags, this.mode, function(err, fd) {
860
860
  if (err) {
861
861
  self.emit("error", err);
862
862
  self.readable = false;
@@ -867,10 +867,10 @@ var require_legacy_streams = __commonJS({
867
867
  self._read();
868
868
  });
869
869
  }
870
- function WriteStream(path28, options) {
871
- if (!(this instanceof WriteStream)) return new WriteStream(path28, options);
870
+ function WriteStream(path29, options) {
871
+ if (!(this instanceof WriteStream)) return new WriteStream(path29, options);
872
872
  Stream.call(this);
873
- this.path = path28;
873
+ this.path = path29;
874
874
  this.fd = null;
875
875
  this.writable = true;
876
876
  this.flags = "w";
@@ -895,7 +895,7 @@ var require_legacy_streams = __commonJS({
895
895
  this.busy = false;
896
896
  this._queue = [];
897
897
  if (this.fd === null) {
898
- this._open = fs21.open;
898
+ this._open = fs22.open;
899
899
  this._queue.push([this._open, this.path, this.flags, this.mode, void 0]);
900
900
  this.flush();
901
901
  }
@@ -930,7 +930,7 @@ var require_clone = __commonJS({
930
930
  // ../../node_modules/graceful-fs/graceful-fs.js
931
931
  var require_graceful_fs = __commonJS({
932
932
  "../../node_modules/graceful-fs/graceful-fs.js"(exports2, module2) {
933
- var fs21 = require("fs");
933
+ var fs22 = require("fs");
934
934
  var polyfills = require_polyfills();
935
935
  var legacy = require_legacy_streams();
936
936
  var clone = require_clone();
@@ -962,12 +962,12 @@ var require_graceful_fs = __commonJS({
962
962
  m = "GFS4: " + m.split(/\n/).join("\nGFS4: ");
963
963
  console.error(m);
964
964
  };
965
- if (!fs21[gracefulQueue]) {
965
+ if (!fs22[gracefulQueue]) {
966
966
  queue = global[gracefulQueue] || [];
967
- publishQueue(fs21, queue);
968
- fs21.close = (function(fs$close) {
967
+ publishQueue(fs22, queue);
968
+ fs22.close = (function(fs$close) {
969
969
  function close(fd, cb) {
970
- return fs$close.call(fs21, fd, function(err) {
970
+ return fs$close.call(fs22, fd, function(err) {
971
971
  if (!err) {
972
972
  resetQueue();
973
973
  }
@@ -979,48 +979,48 @@ var require_graceful_fs = __commonJS({
979
979
  value: fs$close
980
980
  });
981
981
  return close;
982
- })(fs21.close);
983
- fs21.closeSync = (function(fs$closeSync) {
982
+ })(fs22.close);
983
+ fs22.closeSync = (function(fs$closeSync) {
984
984
  function closeSync2(fd) {
985
- fs$closeSync.apply(fs21, arguments);
985
+ fs$closeSync.apply(fs22, arguments);
986
986
  resetQueue();
987
987
  }
988
988
  Object.defineProperty(closeSync2, previousSymbol, {
989
989
  value: fs$closeSync
990
990
  });
991
991
  return closeSync2;
992
- })(fs21.closeSync);
992
+ })(fs22.closeSync);
993
993
  if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || "")) {
994
994
  process.on("exit", function() {
995
- debug(fs21[gracefulQueue]);
996
- require("assert").equal(fs21[gracefulQueue].length, 0);
995
+ debug(fs22[gracefulQueue]);
996
+ require("assert").equal(fs22[gracefulQueue].length, 0);
997
997
  });
998
998
  }
999
999
  }
1000
1000
  var queue;
1001
1001
  if (!global[gracefulQueue]) {
1002
- publishQueue(global, fs21[gracefulQueue]);
1003
- }
1004
- module2.exports = patch(clone(fs21));
1005
- if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs21.__patched) {
1006
- module2.exports = patch(fs21);
1007
- fs21.__patched = true;
1008
- }
1009
- function patch(fs22) {
1010
- polyfills(fs22);
1011
- fs22.gracefulify = patch;
1012
- fs22.createReadStream = createReadStream;
1013
- fs22.createWriteStream = createWriteStream;
1014
- var fs$readFile = fs22.readFile;
1015
- fs22.readFile = readFile;
1016
- function readFile(path28, options, cb) {
1002
+ publishQueue(global, fs22[gracefulQueue]);
1003
+ }
1004
+ module2.exports = patch(clone(fs22));
1005
+ if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs22.__patched) {
1006
+ module2.exports = patch(fs22);
1007
+ fs22.__patched = true;
1008
+ }
1009
+ function patch(fs23) {
1010
+ polyfills(fs23);
1011
+ fs23.gracefulify = patch;
1012
+ fs23.createReadStream = createReadStream;
1013
+ fs23.createWriteStream = createWriteStream;
1014
+ var fs$readFile = fs23.readFile;
1015
+ fs23.readFile = readFile;
1016
+ function readFile(path29, options, cb) {
1017
1017
  if (typeof options === "function")
1018
1018
  cb = options, options = null;
1019
- return go$readFile(path28, options, cb);
1020
- function go$readFile(path29, options2, cb2, startTime) {
1021
- return fs$readFile(path29, options2, function(err) {
1019
+ return go$readFile(path29, options, cb);
1020
+ function go$readFile(path30, options2, cb2, startTime) {
1021
+ return fs$readFile(path30, options2, function(err) {
1022
1022
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1023
- enqueue([go$readFile, [path29, options2, cb2], err, startTime || Date.now(), Date.now()]);
1023
+ enqueue([go$readFile, [path30, options2, cb2], err, startTime || Date.now(), Date.now()]);
1024
1024
  else {
1025
1025
  if (typeof cb2 === "function")
1026
1026
  cb2.apply(this, arguments);
@@ -1028,16 +1028,16 @@ var require_graceful_fs = __commonJS({
1028
1028
  });
1029
1029
  }
1030
1030
  }
1031
- var fs$writeFile = fs22.writeFile;
1032
- fs22.writeFile = writeFile;
1033
- function writeFile(path28, data, options, cb) {
1031
+ var fs$writeFile = fs23.writeFile;
1032
+ fs23.writeFile = writeFile;
1033
+ function writeFile(path29, data, options, cb) {
1034
1034
  if (typeof options === "function")
1035
1035
  cb = options, options = null;
1036
- return go$writeFile(path28, data, options, cb);
1037
- function go$writeFile(path29, data2, options2, cb2, startTime) {
1038
- return fs$writeFile(path29, data2, options2, function(err) {
1036
+ return go$writeFile(path29, data, options, cb);
1037
+ function go$writeFile(path30, data2, options2, cb2, startTime) {
1038
+ return fs$writeFile(path30, data2, options2, function(err) {
1039
1039
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1040
- enqueue([go$writeFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1040
+ enqueue([go$writeFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1041
1041
  else {
1042
1042
  if (typeof cb2 === "function")
1043
1043
  cb2.apply(this, arguments);
@@ -1045,17 +1045,17 @@ var require_graceful_fs = __commonJS({
1045
1045
  });
1046
1046
  }
1047
1047
  }
1048
- var fs$appendFile = fs22.appendFile;
1048
+ var fs$appendFile = fs23.appendFile;
1049
1049
  if (fs$appendFile)
1050
- fs22.appendFile = appendFile;
1051
- function appendFile(path28, data, options, cb) {
1050
+ fs23.appendFile = appendFile;
1051
+ function appendFile(path29, data, options, cb) {
1052
1052
  if (typeof options === "function")
1053
1053
  cb = options, options = null;
1054
- return go$appendFile(path28, data, options, cb);
1055
- function go$appendFile(path29, data2, options2, cb2, startTime) {
1056
- return fs$appendFile(path29, data2, options2, function(err) {
1054
+ return go$appendFile(path29, data, options, cb);
1055
+ function go$appendFile(path30, data2, options2, cb2, startTime) {
1056
+ return fs$appendFile(path30, data2, options2, function(err) {
1057
1057
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1058
- enqueue([go$appendFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1058
+ enqueue([go$appendFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1059
1059
  else {
1060
1060
  if (typeof cb2 === "function")
1061
1061
  cb2.apply(this, arguments);
@@ -1063,9 +1063,9 @@ var require_graceful_fs = __commonJS({
1063
1063
  });
1064
1064
  }
1065
1065
  }
1066
- var fs$copyFile = fs22.copyFile;
1066
+ var fs$copyFile = fs23.copyFile;
1067
1067
  if (fs$copyFile)
1068
- fs22.copyFile = copyFile;
1068
+ fs23.copyFile = copyFile;
1069
1069
  function copyFile(src, dest, flags, cb) {
1070
1070
  if (typeof flags === "function") {
1071
1071
  cb = flags;
@@ -1083,34 +1083,34 @@ var require_graceful_fs = __commonJS({
1083
1083
  });
1084
1084
  }
1085
1085
  }
1086
- var fs$readdir = fs22.readdir;
1087
- fs22.readdir = readdir;
1086
+ var fs$readdir = fs23.readdir;
1087
+ fs23.readdir = readdir;
1088
1088
  var noReaddirOptionVersions = /^v[0-5]\./;
1089
- function readdir(path28, options, cb) {
1089
+ function readdir(path29, options, cb) {
1090
1090
  if (typeof options === "function")
1091
1091
  cb = options, options = null;
1092
- var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path29, options2, cb2, startTime) {
1093
- return fs$readdir(path29, fs$readdirCallback(
1094
- path29,
1092
+ var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path30, options2, cb2, startTime) {
1093
+ return fs$readdir(path30, fs$readdirCallback(
1094
+ path30,
1095
1095
  options2,
1096
1096
  cb2,
1097
1097
  startTime
1098
1098
  ));
1099
- } : function go$readdir2(path29, options2, cb2, startTime) {
1100
- return fs$readdir(path29, options2, fs$readdirCallback(
1101
- path29,
1099
+ } : function go$readdir2(path30, options2, cb2, startTime) {
1100
+ return fs$readdir(path30, options2, fs$readdirCallback(
1101
+ path30,
1102
1102
  options2,
1103
1103
  cb2,
1104
1104
  startTime
1105
1105
  ));
1106
1106
  };
1107
- return go$readdir(path28, options, cb);
1108
- function fs$readdirCallback(path29, options2, cb2, startTime) {
1107
+ return go$readdir(path29, options, cb);
1108
+ function fs$readdirCallback(path30, options2, cb2, startTime) {
1109
1109
  return function(err, files) {
1110
1110
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1111
1111
  enqueue([
1112
1112
  go$readdir,
1113
- [path29, options2, cb2],
1113
+ [path30, options2, cb2],
1114
1114
  err,
1115
1115
  startTime || Date.now(),
1116
1116
  Date.now()
@@ -1125,21 +1125,21 @@ var require_graceful_fs = __commonJS({
1125
1125
  }
1126
1126
  }
1127
1127
  if (process.version.substr(0, 4) === "v0.8") {
1128
- var legStreams = legacy(fs22);
1128
+ var legStreams = legacy(fs23);
1129
1129
  ReadStream = legStreams.ReadStream;
1130
1130
  WriteStream = legStreams.WriteStream;
1131
1131
  }
1132
- var fs$ReadStream = fs22.ReadStream;
1132
+ var fs$ReadStream = fs23.ReadStream;
1133
1133
  if (fs$ReadStream) {
1134
1134
  ReadStream.prototype = Object.create(fs$ReadStream.prototype);
1135
1135
  ReadStream.prototype.open = ReadStream$open;
1136
1136
  }
1137
- var fs$WriteStream = fs22.WriteStream;
1137
+ var fs$WriteStream = fs23.WriteStream;
1138
1138
  if (fs$WriteStream) {
1139
1139
  WriteStream.prototype = Object.create(fs$WriteStream.prototype);
1140
1140
  WriteStream.prototype.open = WriteStream$open;
1141
1141
  }
1142
- Object.defineProperty(fs22, "ReadStream", {
1142
+ Object.defineProperty(fs23, "ReadStream", {
1143
1143
  get: function() {
1144
1144
  return ReadStream;
1145
1145
  },
@@ -1149,7 +1149,7 @@ var require_graceful_fs = __commonJS({
1149
1149
  enumerable: true,
1150
1150
  configurable: true
1151
1151
  });
1152
- Object.defineProperty(fs22, "WriteStream", {
1152
+ Object.defineProperty(fs23, "WriteStream", {
1153
1153
  get: function() {
1154
1154
  return WriteStream;
1155
1155
  },
@@ -1160,7 +1160,7 @@ var require_graceful_fs = __commonJS({
1160
1160
  configurable: true
1161
1161
  });
1162
1162
  var FileReadStream = ReadStream;
1163
- Object.defineProperty(fs22, "FileReadStream", {
1163
+ Object.defineProperty(fs23, "FileReadStream", {
1164
1164
  get: function() {
1165
1165
  return FileReadStream;
1166
1166
  },
@@ -1171,7 +1171,7 @@ var require_graceful_fs = __commonJS({
1171
1171
  configurable: true
1172
1172
  });
1173
1173
  var FileWriteStream = WriteStream;
1174
- Object.defineProperty(fs22, "FileWriteStream", {
1174
+ Object.defineProperty(fs23, "FileWriteStream", {
1175
1175
  get: function() {
1176
1176
  return FileWriteStream;
1177
1177
  },
@@ -1181,7 +1181,7 @@ var require_graceful_fs = __commonJS({
1181
1181
  enumerable: true,
1182
1182
  configurable: true
1183
1183
  });
1184
- function ReadStream(path28, options) {
1184
+ function ReadStream(path29, options) {
1185
1185
  if (this instanceof ReadStream)
1186
1186
  return fs$ReadStream.apply(this, arguments), this;
1187
1187
  else
@@ -1201,7 +1201,7 @@ var require_graceful_fs = __commonJS({
1201
1201
  }
1202
1202
  });
1203
1203
  }
1204
- function WriteStream(path28, options) {
1204
+ function WriteStream(path29, options) {
1205
1205
  if (this instanceof WriteStream)
1206
1206
  return fs$WriteStream.apply(this, arguments), this;
1207
1207
  else
@@ -1219,22 +1219,22 @@ var require_graceful_fs = __commonJS({
1219
1219
  }
1220
1220
  });
1221
1221
  }
1222
- function createReadStream(path28, options) {
1223
- return new fs22.ReadStream(path28, options);
1222
+ function createReadStream(path29, options) {
1223
+ return new fs23.ReadStream(path29, options);
1224
1224
  }
1225
- function createWriteStream(path28, options) {
1226
- return new fs22.WriteStream(path28, options);
1225
+ function createWriteStream(path29, options) {
1226
+ return new fs23.WriteStream(path29, options);
1227
1227
  }
1228
- var fs$open = fs22.open;
1229
- fs22.open = open;
1230
- function open(path28, flags, mode, cb) {
1228
+ var fs$open = fs23.open;
1229
+ fs23.open = open;
1230
+ function open(path29, flags, mode, cb) {
1231
1231
  if (typeof mode === "function")
1232
1232
  cb = mode, mode = null;
1233
- return go$open(path28, flags, mode, cb);
1234
- function go$open(path29, flags2, mode2, cb2, startTime) {
1235
- return fs$open(path29, flags2, mode2, function(err, fd) {
1233
+ return go$open(path29, flags, mode, cb);
1234
+ function go$open(path30, flags2, mode2, cb2, startTime) {
1235
+ return fs$open(path30, flags2, mode2, function(err, fd) {
1236
1236
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1237
- enqueue([go$open, [path29, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
1237
+ enqueue([go$open, [path30, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
1238
1238
  else {
1239
1239
  if (typeof cb2 === "function")
1240
1240
  cb2.apply(this, arguments);
@@ -1242,20 +1242,20 @@ var require_graceful_fs = __commonJS({
1242
1242
  });
1243
1243
  }
1244
1244
  }
1245
- return fs22;
1245
+ return fs23;
1246
1246
  }
1247
1247
  function enqueue(elem) {
1248
1248
  debug("ENQUEUE", elem[0].name, elem[1]);
1249
- fs21[gracefulQueue].push(elem);
1249
+ fs22[gracefulQueue].push(elem);
1250
1250
  retry();
1251
1251
  }
1252
1252
  var retryTimer;
1253
1253
  function resetQueue() {
1254
1254
  var now = Date.now();
1255
- for (var i = 0; i < fs21[gracefulQueue].length; ++i) {
1256
- if (fs21[gracefulQueue][i].length > 2) {
1257
- fs21[gracefulQueue][i][3] = now;
1258
- fs21[gracefulQueue][i][4] = now;
1255
+ for (var i = 0; i < fs22[gracefulQueue].length; ++i) {
1256
+ if (fs22[gracefulQueue][i].length > 2) {
1257
+ fs22[gracefulQueue][i][3] = now;
1258
+ fs22[gracefulQueue][i][4] = now;
1259
1259
  }
1260
1260
  }
1261
1261
  retry();
@@ -1263,9 +1263,9 @@ var require_graceful_fs = __commonJS({
1263
1263
  function retry() {
1264
1264
  clearTimeout(retryTimer);
1265
1265
  retryTimer = void 0;
1266
- if (fs21[gracefulQueue].length === 0)
1266
+ if (fs22[gracefulQueue].length === 0)
1267
1267
  return;
1268
- var elem = fs21[gracefulQueue].shift();
1268
+ var elem = fs22[gracefulQueue].shift();
1269
1269
  var fn = elem[0];
1270
1270
  var args = elem[1];
1271
1271
  var err = elem[2];
@@ -1287,7 +1287,7 @@ var require_graceful_fs = __commonJS({
1287
1287
  debug("RETRY", fn.name, args);
1288
1288
  fn.apply(null, args.concat([startTime]));
1289
1289
  } else {
1290
- fs21[gracefulQueue].push(elem);
1290
+ fs22[gracefulQueue].push(elem);
1291
1291
  }
1292
1292
  }
1293
1293
  if (retryTimer === void 0) {
@@ -1722,10 +1722,10 @@ var require_mtime_precision = __commonJS({
1722
1722
  "../../node_modules/proper-lockfile/lib/mtime-precision.js"(exports2, module2) {
1723
1723
  "use strict";
1724
1724
  var cacheSymbol = /* @__PURE__ */ Symbol();
1725
- function probe(file, fs21, callback) {
1726
- const cachedPrecision = fs21[cacheSymbol];
1725
+ function probe(file, fs22, callback) {
1726
+ const cachedPrecision = fs22[cacheSymbol];
1727
1727
  if (cachedPrecision) {
1728
- return fs21.stat(file, (err, stat) => {
1728
+ return fs22.stat(file, (err, stat) => {
1729
1729
  if (err) {
1730
1730
  return callback(err);
1731
1731
  }
@@ -1733,16 +1733,16 @@ var require_mtime_precision = __commonJS({
1733
1733
  });
1734
1734
  }
1735
1735
  const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
1736
- fs21.utimes(file, mtime, mtime, (err) => {
1736
+ fs22.utimes(file, mtime, mtime, (err) => {
1737
1737
  if (err) {
1738
1738
  return callback(err);
1739
1739
  }
1740
- fs21.stat(file, (err2, stat) => {
1740
+ fs22.stat(file, (err2, stat) => {
1741
1741
  if (err2) {
1742
1742
  return callback(err2);
1743
1743
  }
1744
1744
  const precision = stat.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
1745
- Object.defineProperty(fs21, cacheSymbol, { value: precision });
1745
+ Object.defineProperty(fs22, cacheSymbol, { value: precision });
1746
1746
  callback(null, stat.mtime, precision);
1747
1747
  });
1748
1748
  });
@@ -1763,8 +1763,8 @@ var require_mtime_precision = __commonJS({
1763
1763
  var require_lockfile = __commonJS({
1764
1764
  "../../node_modules/proper-lockfile/lib/lockfile.js"(exports2, module2) {
1765
1765
  "use strict";
1766
- var path28 = require("path");
1767
- var fs21 = require_graceful_fs();
1766
+ var path29 = require("path");
1767
+ var fs22 = require_graceful_fs();
1768
1768
  var retry = require_retry2();
1769
1769
  var onExit = require_signal_exit();
1770
1770
  var mtimePrecision = require_mtime_precision();
@@ -1774,7 +1774,7 @@ var require_lockfile = __commonJS({
1774
1774
  }
1775
1775
  function resolveCanonicalPath(file, options, callback) {
1776
1776
  if (!options.realpath) {
1777
- return callback(null, path28.resolve(file));
1777
+ return callback(null, path29.resolve(file));
1778
1778
  }
1779
1779
  options.fs.realpath(file, callback);
1780
1780
  }
@@ -1895,7 +1895,7 @@ var require_lockfile = __commonJS({
1895
1895
  update: null,
1896
1896
  realpath: true,
1897
1897
  retries: 0,
1898
- fs: fs21,
1898
+ fs: fs22,
1899
1899
  onCompromised: (err) => {
1900
1900
  throw err;
1901
1901
  },
@@ -1939,7 +1939,7 @@ var require_lockfile = __commonJS({
1939
1939
  }
1940
1940
  function unlock(file, options, callback) {
1941
1941
  options = {
1942
- fs: fs21,
1942
+ fs: fs22,
1943
1943
  realpath: true,
1944
1944
  ...options
1945
1945
  };
@@ -1961,7 +1961,7 @@ var require_lockfile = __commonJS({
1961
1961
  options = {
1962
1962
  stale: 1e4,
1963
1963
  realpath: true,
1964
- fs: fs21,
1964
+ fs: fs22,
1965
1965
  ...options
1966
1966
  };
1967
1967
  options.stale = Math.max(options.stale || 0, 2e3);
@@ -2000,16 +2000,16 @@ var require_lockfile = __commonJS({
2000
2000
  var require_adapter = __commonJS({
2001
2001
  "../../node_modules/proper-lockfile/lib/adapter.js"(exports2, module2) {
2002
2002
  "use strict";
2003
- var fs21 = require_graceful_fs();
2004
- function createSyncFs(fs22) {
2003
+ var fs22 = require_graceful_fs();
2004
+ function createSyncFs(fs23) {
2005
2005
  const methods = ["mkdir", "realpath", "stat", "rmdir", "utimes"];
2006
- const newFs = { ...fs22 };
2006
+ const newFs = { ...fs23 };
2007
2007
  methods.forEach((method) => {
2008
2008
  newFs[method] = (...args) => {
2009
2009
  const callback = args.pop();
2010
2010
  let ret;
2011
2011
  try {
2012
- ret = fs22[`${method}Sync`](...args);
2012
+ ret = fs23[`${method}Sync`](...args);
2013
2013
  } catch (err) {
2014
2014
  return callback(err);
2015
2015
  }
@@ -2019,12 +2019,12 @@ var require_adapter = __commonJS({
2019
2019
  return newFs;
2020
2020
  }
2021
2021
  function toPromise(method) {
2022
- return (...args) => new Promise((resolve, reject) => {
2022
+ return (...args) => new Promise((resolve2, reject) => {
2023
2023
  args.push((err, result) => {
2024
2024
  if (err) {
2025
2025
  reject(err);
2026
2026
  } else {
2027
- resolve(result);
2027
+ resolve2(result);
2028
2028
  }
2029
2029
  });
2030
2030
  method(...args);
@@ -2047,7 +2047,7 @@ var require_adapter = __commonJS({
2047
2047
  }
2048
2048
  function toSyncOptions(options) {
2049
2049
  options = { ...options };
2050
- options.fs = createSyncFs(options.fs || fs21);
2050
+ options.fs = createSyncFs(options.fs || fs22);
2051
2051
  if (typeof options.retries === "number" && options.retries > 0 || options.retries && typeof options.retries.retries === "number" && options.retries.retries > 0) {
2052
2052
  throw Object.assign(new Error("Cannot use retries with the sync api"), { code: "ESYNC" });
2053
2053
  }
@@ -3030,7 +3030,7 @@ var require_age_encryption = __commonJS({
3030
3030
  };
3031
3031
  }
3032
3032
  // @__NO_SIDE_EFFECTS__
3033
- function join20(separator = "") {
3033
+ function join21(separator = "") {
3034
3034
  astr("join", separator);
3035
3035
  return {
3036
3036
  encode: (from) => {
@@ -3160,9 +3160,9 @@ var require_age_encryption = __commonJS({
3160
3160
  decode(s) {
3161
3161
  return decodeBase64Builtin(s, false);
3162
3162
  }
3163
- } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join20("")));
3164
- var base64nopad = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join20("")));
3165
- var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join20(""));
3163
+ } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join21("")));
3164
+ var base64nopad = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join21("")));
3165
+ var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join21(""));
3166
3166
  var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
3167
3167
  function bech32Polymod(pre) {
3168
3168
  const b = pre >> 25;
@@ -11450,6 +11450,7 @@ __export(index_exports, {
11450
11450
  PolicyValidationError: () => PolicyValidationError,
11451
11451
  REQUESTS_FILENAME: () => REQUESTS_FILENAME,
11452
11452
  REQUIREMENTS: () => REQUIREMENTS,
11453
+ REVEAL_WARNING: () => REVEAL_WARNING,
11453
11454
  RecipientManager: () => RecipientManager,
11454
11455
  ReportGenerator: () => ReportGenerator,
11455
11456
  ReportSanitizer: () => ReportSanitizer,
@@ -11475,16 +11476,26 @@ __export(index_exports, {
11475
11476
  VALID_KMS_PROVIDERS: () => VALID_KMS_PROVIDERS,
11476
11477
  assertPackedArtifact: () => assertPackedArtifact,
11477
11478
  assertSops: () => assertSops,
11479
+ buildDecryptError: () => buildDecryptError,
11480
+ buildDecryptResult: () => buildDecryptResult,
11481
+ buildInspectError: () => buildInspectError,
11482
+ buildInspectResult: () => buildInspectResult,
11478
11483
  buildSigningPayload: () => buildSigningPayload,
11484
+ buildVerifyError: () => buildVerifyError,
11485
+ buildVerifyResult: () => buildVerifyResult,
11479
11486
  checkAll: () => checkAll,
11480
11487
  checkDependency: () => checkDependency,
11481
11488
  collectCIContext: () => collectCIContext,
11489
+ computeCiphertextHash: () => computeCiphertextHash,
11482
11490
  deriveAgePublicKey: () => deriveAgePublicKey,
11483
11491
  describeScope: () => describeScope,
11484
11492
  detectAlgorithm: () => detectAlgorithm,
11485
11493
  detectFormat: () => detectFormat,
11494
+ emptyTemplate: () => emptyTemplate,
11495
+ exampleTemplate: () => exampleTemplate,
11486
11496
  findRequest: () => findRequest,
11487
11497
  formatAgeKeyFile: () => formatAgeKeyFile,
11498
+ formatRevealWarning: () => formatRevealWarning,
11488
11499
  generateAgeIdentity: () => generateAgeIdentity,
11489
11500
  generateRandomValue: () => generateRandomValue,
11490
11501
  generateSigningKeyPair: () => generateSigningKeyPair,
@@ -11510,6 +11521,7 @@ __export(index_exports, {
11510
11521
  parseDotenv: () => parseDotenv,
11511
11522
  parseIgnoreContent: () => parseIgnoreContent,
11512
11523
  parseJson: () => parseJson,
11524
+ parseSignerKey: () => parseSignerKey,
11513
11525
  parseYaml: () => parseYaml,
11514
11526
  pkcs11UriToSyntheticArn: () => pkcs11UriToSyntheticArn,
11515
11527
  readManifestYaml: () => readManifestYaml,
@@ -11528,6 +11540,7 @@ __export(index_exports, {
11528
11540
  runCompliance: () => runCompliance,
11529
11541
  saveMetadata: () => saveMetadata,
11530
11542
  saveRequests: () => saveRequests,
11543
+ serializeSchema: () => serializeSchema,
11531
11544
  shannonEntropy: () => shannonEntropy,
11532
11545
  shouldIgnoreFile: () => shouldIgnoreFile,
11533
11546
  shouldIgnoreMatch: () => shouldIgnoreMatch,
@@ -11542,7 +11555,9 @@ __export(index_exports, {
11542
11555
  validateResetScope: () => validateResetScope,
11543
11556
  verifySignature: () => verifySignature,
11544
11557
  writeManifestYaml: () => writeManifestYaml,
11545
- writeManifestYamlRaw: () => writeManifestYamlRaw
11558
+ writeManifestYamlRaw: () => writeManifestYamlRaw,
11559
+ writeSchema: () => writeSchema,
11560
+ writeSchemaRaw: () => writeSchemaRaw
11546
11561
  });
11547
11562
  module.exports = __toCommonJS(index_exports);
11548
11563
 
@@ -12438,13 +12453,48 @@ function shouldIgnoreMatch(match, rules) {
12438
12453
  return false;
12439
12454
  }
12440
12455
  function matchesGlob(filePath, pattern) {
12441
- const DOUBLE_STAR = "\0DS\0";
12442
- const SINGLE_STAR = "\0SS\0";
12443
- const QUESTION = "\0QM\0";
12444
- const escaped = pattern.replace(/\*\*/g, DOUBLE_STAR).replace(/\*/g, SINGLE_STAR).replace(/\?/g, QUESTION).replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(DOUBLE_STAR, ".*").replace(SINGLE_STAR, "[^/]*").replace(QUESTION, "[^/]");
12445
- const regex = new RegExp("^" + escaped + "$");
12446
- const prefixRegex = new RegExp("^" + escaped + "/");
12447
- return regex.test(filePath) || prefixRegex.test(filePath);
12456
+ const body = globToRegex(pattern);
12457
+ const exact = new RegExp("^" + body + "$");
12458
+ const prefix = new RegExp("^" + body + "/");
12459
+ return exact.test(filePath) || prefix.test(filePath);
12460
+ }
12461
+ function globToRegex(pattern) {
12462
+ let out = "";
12463
+ let i = 0;
12464
+ while (i < pattern.length) {
12465
+ if (pattern.startsWith("/**/", i)) {
12466
+ out += "/(?:.*/)?";
12467
+ i += 4;
12468
+ continue;
12469
+ }
12470
+ if (i === 0 && pattern.startsWith("**/")) {
12471
+ out += "(?:.*/)?";
12472
+ i += 3;
12473
+ continue;
12474
+ }
12475
+ if (pattern.startsWith("/**", i) && i + 3 === pattern.length) {
12476
+ out += "(?:/.*)?";
12477
+ i += 3;
12478
+ continue;
12479
+ }
12480
+ if (pattern.startsWith("**", i)) {
12481
+ out += ".*";
12482
+ i += 2;
12483
+ continue;
12484
+ }
12485
+ const ch = pattern[i];
12486
+ if (ch === "*") {
12487
+ out += "[^/]*";
12488
+ } else if (ch === "?") {
12489
+ out += "[^/]";
12490
+ } else if (/[.+^${}()|[\]\\]/.test(ch)) {
12491
+ out += "\\" + ch;
12492
+ } else {
12493
+ out += ch;
12494
+ }
12495
+ i++;
12496
+ }
12497
+ return out;
12448
12498
  }
12449
12499
 
12450
12500
  // src/scanner/index.ts
@@ -13003,9 +13053,7 @@ var SchemaValidator = class {
13003
13053
  type,
13004
13054
  required: def.required === true,
13005
13055
  ...typeof def.pattern === "string" ? { pattern: def.pattern } : {},
13006
- ...def.default !== void 0 ? { default: def.default } : {},
13007
- ...typeof def.description === "string" ? { description: def.description } : {},
13008
- ...typeof def.max === "number" ? { max: def.max } : {}
13056
+ ...typeof def.description === "string" ? { description: def.description } : {}
13009
13057
  };
13010
13058
  }
13011
13059
  return { keys };
@@ -13041,12 +13089,6 @@ var SchemaValidator = class {
13041
13089
  message: `Key '${keyName}' must be an integer, got '${value}'.`,
13042
13090
  rule: "type"
13043
13091
  });
13044
- } else if (keyDef.max !== void 0 && num > keyDef.max) {
13045
- warnings.push({
13046
- key: keyName,
13047
- message: `Key '${keyName}' value ${num} exceeds maximum ${keyDef.max}.`,
13048
- rule: "max_exceeded"
13049
- });
13050
13092
  }
13051
13093
  break;
13052
13094
  }
@@ -13092,8 +13134,98 @@ var SchemaValidator = class {
13092
13134
  }
13093
13135
  };
13094
13136
 
13095
- // src/diff/engine.ts
13137
+ // src/schema/writer.ts
13138
+ var fs9 = __toESM(require("fs"));
13096
13139
  var path6 = __toESM(require("path"));
13140
+ var YAML7 = __toESM(require("yaml"));
13141
+ var import_write_file_atomic2 = __toESM(require_lib());
13142
+ function serializeSchema(schema, opts = {}) {
13143
+ const doc = new YAML7.Document();
13144
+ doc.contents = doc.createNode({ keys: orderedKeys(schema.keys) });
13145
+ const body = String(doc);
13146
+ if (!opts.header) return body;
13147
+ const commented = opts.header.split("\n").map((line) => line.length === 0 ? "#" : `# ${line}`).join("\n");
13148
+ return `${commented}
13149
+
13150
+ ${body}`;
13151
+ }
13152
+ function writeSchema(rootDir, relPath, schema, opts = {}) {
13153
+ writeSchemaRaw(rootDir, relPath, serializeSchema(schema, opts));
13154
+ }
13155
+ function writeSchemaRaw(rootDir, relPath, contents) {
13156
+ const normalizedRelPath = path6.normalize(relPath);
13157
+ if (!normalizedRelPath || normalizedRelPath === "." || path6.isAbsolute(normalizedRelPath)) {
13158
+ throw new Error(`Refusing to write schema using an absolute path: ${relPath}`);
13159
+ }
13160
+ const realRoot = fs9.realpathSync(path6.resolve(rootDir));
13161
+ const safePath = path6.resolve(realRoot, normalizedRelPath);
13162
+ const relCandidate = path6.relative(realRoot, safePath);
13163
+ if (relCandidate === ".." || relCandidate.startsWith(`..${path6.sep}`) || path6.isAbsolute(relCandidate)) {
13164
+ throw new Error(`Refusing to write schema outside the repository root: ${relPath}`);
13165
+ }
13166
+ const safeParent = path6.dirname(safePath);
13167
+ fs9.mkdirSync(safeParent, { recursive: true });
13168
+ const canonicalParent = fs9.realpathSync(safeParent);
13169
+ const canonicalTarget = path6.join(canonicalParent, path6.basename(safePath));
13170
+ const relToRoot = path6.relative(realRoot, canonicalTarget);
13171
+ if (relToRoot === ".." || relToRoot.startsWith(`..${path6.sep}`) || path6.isAbsolute(relToRoot)) {
13172
+ throw new Error(`Refusing to write schema outside the repository root: ${relPath}`);
13173
+ }
13174
+ import_write_file_atomic2.default.sync(canonicalTarget, contents);
13175
+ }
13176
+ function emptyTemplate(namespace) {
13177
+ const header = [
13178
+ `Schema for namespace '${namespace}'.`,
13179
+ "",
13180
+ "Declare keys your encrypted files must contain. Each key accepts:",
13181
+ " type: string | integer | boolean",
13182
+ " required: true | false",
13183
+ " pattern: (strings only) regex the value must match",
13184
+ " description: human-readable description",
13185
+ "",
13186
+ "Add keys below, then run `clef lint` to validate."
13187
+ ].join("\n");
13188
+ return serializeSchema({ keys: {} }, { header });
13189
+ }
13190
+ function exampleTemplate(namespace) {
13191
+ const header = [
13192
+ `Schema for namespace '${namespace}'.`,
13193
+ "",
13194
+ "The example below is commented out so `clef lint` passes as-is.",
13195
+ "Uncomment and edit to add your first key, or replace wholesale."
13196
+ ].join("\n");
13197
+ const body = [
13198
+ "keys: {}",
13199
+ "",
13200
+ "# keys:",
13201
+ "# API_KEY:",
13202
+ "# type: string",
13203
+ "# required: true",
13204
+ "# pattern: ^sk_(test|live)_[A-Za-z0-9]+$",
13205
+ "# description: Stripe secret key for server-side calls."
13206
+ ].join("\n");
13207
+ const commentedHeader = header.split("\n").map((line) => line.length === 0 ? "#" : `# ${line}`).join("\n");
13208
+ return `${commentedHeader}
13209
+
13210
+ ${body}
13211
+ `;
13212
+ }
13213
+ function orderedKeys(keys) {
13214
+ const out = {};
13215
+ for (const [name, def] of Object.entries(keys)) {
13216
+ const ordered = {
13217
+ type: def.type,
13218
+ required: def.required
13219
+ };
13220
+ if (def.pattern !== void 0) ordered.pattern = def.pattern;
13221
+ if (def.description !== void 0) ordered.description = def.description;
13222
+ out[name] = ordered;
13223
+ }
13224
+ return out;
13225
+ }
13226
+
13227
+ // src/diff/engine.ts
13228
+ var path7 = __toESM(require("path"));
13097
13229
  var DiffEngine = class {
13098
13230
  /**
13099
13231
  * Compare two in-memory value maps and produce a sorted diff result.
@@ -13150,11 +13282,11 @@ var DiffEngine = class {
13150
13282
  * @throws {@link SopsDecryptionError} If either file cannot be decrypted.
13151
13283
  */
13152
13284
  async diffFiles(namespace, envA, envB, manifest, sopsClient, repoRoot) {
13153
- const fileA = path6.join(
13285
+ const fileA = path7.join(
13154
13286
  repoRoot,
13155
13287
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envA)
13156
13288
  );
13157
- const fileB = path6.join(
13289
+ const fileB = path7.join(
13158
13290
  repoRoot,
13159
13291
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envB)
13160
13292
  );
@@ -13167,7 +13299,7 @@ var DiffEngine = class {
13167
13299
  };
13168
13300
 
13169
13301
  // src/bulk/ops.ts
13170
- var path7 = __toESM(require("path"));
13302
+ var path8 = __toESM(require("path"));
13171
13303
  var BulkOps = class {
13172
13304
  constructor(tx) {
13173
13305
  this.tx = tx;
@@ -13187,7 +13319,7 @@ var BulkOps = class {
13187
13319
  async setAcrossEnvironments(namespace, key, values, manifest, sopsClient, repoRoot) {
13188
13320
  const targets = manifest.environments.filter((env) => env.name in values).map((env) => ({
13189
13321
  env: env.name,
13190
- filePath: path7.join(
13322
+ filePath: path8.join(
13191
13323
  repoRoot,
13192
13324
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
13193
13325
  )
@@ -13195,7 +13327,7 @@ var BulkOps = class {
13195
13327
  if (targets.length === 0) return;
13196
13328
  await this.tx.run(repoRoot, {
13197
13329
  description: `clef set: ${namespace}/${key} across ${targets.length} env(s)`,
13198
- paths: targets.map((t) => path7.relative(repoRoot, t.filePath)),
13330
+ paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
13199
13331
  mutate: async () => {
13200
13332
  for (const target of targets) {
13201
13333
  const decrypted = await sopsClient.decrypt(target.filePath);
@@ -13217,14 +13349,14 @@ var BulkOps = class {
13217
13349
  async deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot) {
13218
13350
  const targets = manifest.environments.map((env) => ({
13219
13351
  env: env.name,
13220
- filePath: path7.join(
13352
+ filePath: path8.join(
13221
13353
  repoRoot,
13222
13354
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
13223
13355
  )
13224
13356
  }));
13225
13357
  await this.tx.run(repoRoot, {
13226
13358
  description: `clef delete: ${namespace}/${key} from ${targets.length} env(s)`,
13227
- paths: targets.map((t) => path7.relative(repoRoot, t.filePath)),
13359
+ paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
13228
13360
  mutate: async () => {
13229
13361
  for (const target of targets) {
13230
13362
  const decrypted = await sopsClient.decrypt(target.filePath);
@@ -13256,7 +13388,7 @@ var BulkOps = class {
13256
13388
  }
13257
13389
  await this.tx.run(repoRoot, {
13258
13390
  description: `clef copy: ${key} from ${fromCell.namespace}/${fromCell.environment} to ${toCell.namespace}/${toCell.environment}`,
13259
- paths: [path7.relative(repoRoot, toCell.filePath)],
13391
+ paths: [path8.relative(repoRoot, toCell.filePath)],
13260
13392
  mutate: async () => {
13261
13393
  const dest = await sopsClient.decrypt(toCell.filePath);
13262
13394
  dest.values[key] = source.values[key];
@@ -13267,8 +13399,8 @@ var BulkOps = class {
13267
13399
  };
13268
13400
 
13269
13401
  // src/git/integration.ts
13270
- var fs9 = __toESM(require("fs"));
13271
- var path8 = __toESM(require("path"));
13402
+ var fs10 = __toESM(require("fs"));
13403
+ var path9 = __toESM(require("path"));
13272
13404
  var PRE_COMMIT_HOOK = `#!/bin/sh
13273
13405
  # Clef pre-commit hook \u2014 blocks commits of files missing SOPS encryption metadata
13274
13406
  # and scans staged files for plaintext secrets.
@@ -13444,17 +13576,17 @@ var GitIntegration = class {
13444
13576
  * @returns The kind of operation in progress, or null if none.
13445
13577
  */
13446
13578
  async isMidOperation(repoRoot) {
13447
- const gitDir = path8.join(repoRoot, ".git");
13448
- if (fs9.existsSync(path8.join(gitDir, "MERGE_HEAD"))) {
13579
+ const gitDir = path9.join(repoRoot, ".git");
13580
+ if (fs10.existsSync(path9.join(gitDir, "MERGE_HEAD"))) {
13449
13581
  return { midOp: true, kind: "merge" };
13450
13582
  }
13451
- if (fs9.existsSync(path8.join(gitDir, "rebase-merge")) || fs9.existsSync(path8.join(gitDir, "rebase-apply"))) {
13583
+ if (fs10.existsSync(path9.join(gitDir, "rebase-merge")) || fs10.existsSync(path9.join(gitDir, "rebase-apply"))) {
13452
13584
  return { midOp: true, kind: "rebase" };
13453
13585
  }
13454
- if (fs9.existsSync(path8.join(gitDir, "CHERRY_PICK_HEAD"))) {
13586
+ if (fs10.existsSync(path9.join(gitDir, "CHERRY_PICK_HEAD"))) {
13455
13587
  return { midOp: true, kind: "cherry-pick" };
13456
13588
  }
13457
- if (fs9.existsSync(path8.join(gitDir, "REVERT_HEAD"))) {
13589
+ if (fs10.existsSync(path9.join(gitDir, "REVERT_HEAD"))) {
13458
13590
  return { midOp: true, kind: "revert" };
13459
13591
  }
13460
13592
  return { midOp: false };
@@ -13630,15 +13762,15 @@ var GitIntegration = class {
13630
13762
  { cwd: repoRoot }
13631
13763
  );
13632
13764
  const metadataGitConfig = metaConfig.exitCode === 0 && metaConfig.stdout.trim().length > 0;
13633
- const attrFilePath = path8.join(repoRoot, ".gitattributes");
13634
- const attrContent = fs9.existsSync(attrFilePath) ? fs9.readFileSync(attrFilePath, "utf-8") : "";
13765
+ const attrFilePath = path9.join(repoRoot, ".gitattributes");
13766
+ const attrContent = fs10.existsSync(attrFilePath) ? fs10.readFileSync(attrFilePath, "utf-8") : "";
13635
13767
  const gitattributes = attrContent.includes("merge=sops");
13636
13768
  const metadataGitattributes = attrContent.includes("merge=clef-metadata");
13637
13769
  return { gitConfig, gitattributes, metadataGitConfig, metadataGitattributes };
13638
13770
  }
13639
13771
  async ensureGitattributes(repoRoot) {
13640
- const attrPath = path8.join(repoRoot, ".gitattributes");
13641
- const existing = fs9.existsSync(attrPath) ? fs9.readFileSync(attrPath, "utf-8") : "";
13772
+ const attrPath = path9.join(repoRoot, ".gitattributes");
13773
+ const existing = fs10.existsSync(attrPath) ? fs10.readFileSync(attrPath, "utf-8") : "";
13642
13774
  let newContent = existing;
13643
13775
  if (!existing.includes("merge=sops")) {
13644
13776
  const block = `# Clef: SOPS-aware merge driver for encrypted files
@@ -13659,7 +13791,7 @@ ${block}` : block;
13659
13791
  }
13660
13792
  if (newContent === existing) return;
13661
13793
  try {
13662
- fs9.writeFileSync(attrPath, newContent, "utf-8");
13794
+ fs10.writeFileSync(attrPath, newContent, "utf-8");
13663
13795
  } catch (err) {
13664
13796
  throw new GitOperationError(`Failed to write .gitattributes: ${err.message}`);
13665
13797
  }
@@ -13672,13 +13804,13 @@ ${block}` : block;
13672
13804
  * @throws {@link GitOperationError} On failure.
13673
13805
  */
13674
13806
  async installPreCommitHook(repoRoot) {
13675
- const hookPath = path8.join(repoRoot, ".git", "hooks", "pre-commit");
13807
+ const hookPath = path9.join(repoRoot, ".git", "hooks", "pre-commit");
13676
13808
  try {
13677
- const hooksDir = path8.dirname(hookPath);
13678
- if (!fs9.existsSync(hooksDir)) {
13679
- fs9.mkdirSync(hooksDir, { recursive: true });
13809
+ const hooksDir = path9.dirname(hookPath);
13810
+ if (!fs10.existsSync(hooksDir)) {
13811
+ fs10.mkdirSync(hooksDir, { recursive: true });
13680
13812
  }
13681
- fs9.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
13813
+ fs10.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
13682
13814
  } catch (err) {
13683
13815
  throw new GitOperationError(
13684
13816
  `Failed to install pre-commit hook: ${err.message}`,
@@ -13689,8 +13821,8 @@ ${block}` : block;
13689
13821
  };
13690
13822
 
13691
13823
  // src/tx/transaction-manager.ts
13692
- var fs10 = __toESM(require("fs"));
13693
- var path9 = __toESM(require("path"));
13824
+ var fs11 = __toESM(require("fs"));
13825
+ var path10 = __toESM(require("path"));
13694
13826
  var lockfile = __toESM(require_proper_lockfile());
13695
13827
 
13696
13828
  // src/tx/errors.ts
@@ -13739,17 +13871,17 @@ var TransactionManager = class {
13739
13871
  async run(repoRoot, opts) {
13740
13872
  const shouldCommit = opts.commit !== false;
13741
13873
  const allowDirty = opts.allowDirty === true;
13742
- const clefDir = path9.join(repoRoot, CLEF_DIR);
13743
- if (!fs10.existsSync(clefDir)) {
13744
- fs10.mkdirSync(clefDir, { recursive: true });
13874
+ const clefDir = path10.join(repoRoot, CLEF_DIR);
13875
+ if (!fs11.existsSync(clefDir)) {
13876
+ fs11.mkdirSync(clefDir, { recursive: true });
13745
13877
  }
13746
- const clefGitignore = path9.join(clefDir, ".gitignore");
13747
- if (!fs10.existsSync(clefGitignore)) {
13748
- fs10.writeFileSync(clefGitignore, "*\n");
13878
+ const clefGitignore = path10.join(clefDir, ".gitignore");
13879
+ if (!fs11.existsSync(clefGitignore)) {
13880
+ fs11.writeFileSync(clefGitignore, "*\n");
13749
13881
  }
13750
- const lockPath = path9.join(clefDir, LOCK_FILE);
13751
- if (!fs10.existsSync(lockPath)) {
13752
- fs10.writeFileSync(lockPath, "");
13882
+ const lockPath = path10.join(clefDir, LOCK_FILE);
13883
+ if (!fs11.existsSync(lockPath)) {
13884
+ fs11.writeFileSync(lockPath, "");
13753
13885
  }
13754
13886
  let release;
13755
13887
  try {
@@ -13877,19 +14009,19 @@ var TransactionManager = class {
13877
14009
  };
13878
14010
 
13879
14011
  // src/sops/client.ts
13880
- var fs13 = __toESM(require("fs"));
14012
+ var fs14 = __toESM(require("fs"));
13881
14013
  var net = __toESM(require("net"));
13882
14014
  var import_crypto = require("crypto");
13883
- var import_write_file_atomic2 = __toESM(require_lib());
13884
- var YAML7 = __toESM(require("yaml"));
14015
+ var import_write_file_atomic3 = __toESM(require_lib());
14016
+ var YAML8 = __toESM(require("yaml"));
13885
14017
 
13886
14018
  // src/sops/resolver.ts
13887
- var fs12 = __toESM(require("fs"));
13888
- var path11 = __toESM(require("path"));
14019
+ var fs13 = __toESM(require("fs"));
14020
+ var path12 = __toESM(require("path"));
13889
14021
 
13890
14022
  // src/sops/bundled.ts
13891
- var fs11 = __toESM(require("fs"));
13892
- var path10 = __toESM(require("path"));
14023
+ var fs12 = __toESM(require("fs"));
14024
+ var path11 = __toESM(require("path"));
13893
14025
  function tryBundled() {
13894
14026
  const platform = process.platform;
13895
14027
  const arch = process.arch;
@@ -13901,9 +14033,9 @@ function tryBundled() {
13901
14033
  const binName = platform === "win32" ? "sops.exe" : "sops";
13902
14034
  try {
13903
14035
  const packageMain = require.resolve(`${packageName}/package.json`);
13904
- const packageDir = path10.dirname(packageMain);
13905
- const binPath = path10.join(packageDir, "bin", binName);
13906
- return fs11.existsSync(binPath) ? binPath : null;
14036
+ const packageDir = path11.dirname(packageMain);
14037
+ const binPath = path11.join(packageDir, "bin", binName);
14038
+ return fs12.existsSync(binPath) ? binPath : null;
13907
14039
  } catch {
13908
14040
  return null;
13909
14041
  }
@@ -13911,7 +14043,7 @@ function tryBundled() {
13911
14043
 
13912
14044
  // src/sops/resolver.ts
13913
14045
  function validateSopsPath(candidate) {
13914
- if (!path11.isAbsolute(candidate)) {
14046
+ if (!path12.isAbsolute(candidate)) {
13915
14047
  throw new Error(`CLEF_SOPS_PATH must be an absolute path, got '${candidate}'.`);
13916
14048
  }
13917
14049
  const segments = candidate.split(/[/\\]/);
@@ -13927,7 +14059,7 @@ function resolveSopsPath() {
13927
14059
  const envPath = process.env.CLEF_SOPS_PATH?.trim();
13928
14060
  if (envPath) {
13929
14061
  validateSopsPath(envPath);
13930
- if (!fs12.existsSync(envPath)) {
14062
+ if (!fs13.existsSync(envPath)) {
13931
14063
  throw new Error(`CLEF_SOPS_PATH points to '${envPath}' but the file does not exist.`);
13932
14064
  }
13933
14065
  cached = { path: envPath, source: "env" };
@@ -14092,7 +14224,7 @@ function formatFromPath(filePath) {
14092
14224
  }
14093
14225
  function openWindowsInputPipe(content) {
14094
14226
  const pipeName = `\\\\.\\pipe\\clef-sops-${(0, import_crypto.randomBytes)(8).toString("hex")}`;
14095
- return new Promise((resolve, reject) => {
14227
+ return new Promise((resolve2, reject) => {
14096
14228
  const server = net.createServer((socket) => {
14097
14229
  socket.write(content, () => {
14098
14230
  socket.destroy();
@@ -14101,7 +14233,7 @@ function openWindowsInputPipe(content) {
14101
14233
  server.maxConnections = 1;
14102
14234
  server.on("error", reject);
14103
14235
  server.listen(pipeName, () => {
14104
- resolve({
14236
+ resolve2({
14105
14237
  inputArg: pipeName,
14106
14238
  cleanup: () => server.close()
14107
14239
  });
@@ -14182,7 +14314,7 @@ var SopsClient = class {
14182
14314
  }
14183
14315
  let parsed;
14184
14316
  try {
14185
- parsed = YAML7.parse(result.stdout) ?? {};
14317
+ parsed = YAML8.parse(result.stdout) ?? {};
14186
14318
  } catch {
14187
14319
  throw new SopsDecryptionError(
14188
14320
  `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -14209,7 +14341,7 @@ var SopsClient = class {
14209
14341
  async encrypt(filePath, values, manifest, environment) {
14210
14342
  await assertSops(this.runner, this.sopsCommand);
14211
14343
  const fmt = formatFromPath(filePath);
14212
- const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML7.stringify(values);
14344
+ const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML8.stringify(values);
14213
14345
  const args = this.buildEncryptArgs(filePath, manifest, environment);
14214
14346
  const env = this.buildSopsEnv();
14215
14347
  let inputArg;
@@ -14257,7 +14389,7 @@ var SopsClient = class {
14257
14389
  );
14258
14390
  }
14259
14391
  try {
14260
- await (0, import_write_file_atomic2.default)(filePath, result.stdout);
14392
+ await (0, import_write_file_atomic3.default)(filePath, result.stdout);
14261
14393
  } catch (err) {
14262
14394
  throw new SopsEncryptionError(
14263
14395
  `Failed to write encrypted data to '${filePath}': ${err.message}`,
@@ -14376,7 +14508,7 @@ var SopsClient = class {
14376
14508
  if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
14377
14509
  let keyContent;
14378
14510
  try {
14379
- keyContent = this.ageKey ?? fs13.readFileSync(this.ageKeyFile, "utf-8");
14511
+ keyContent = this.ageKey ?? fs14.readFileSync(this.ageKeyFile, "utf-8");
14380
14512
  } catch {
14381
14513
  return "key-not-found";
14382
14514
  }
@@ -14393,7 +14525,7 @@ var SopsClient = class {
14393
14525
  parseMetadataFromFile(filePath) {
14394
14526
  let content;
14395
14527
  try {
14396
- content = fs13.readFileSync(filePath, "utf-8");
14528
+ content = fs14.readFileSync(filePath, "utf-8");
14397
14529
  } catch {
14398
14530
  throw new SopsDecryptionError(
14399
14531
  `Could not read file '${filePath}' to extract SOPS metadata.`,
@@ -14402,7 +14534,7 @@ var SopsClient = class {
14402
14534
  }
14403
14535
  let parsed;
14404
14536
  try {
14405
- parsed = YAML7.parse(content);
14537
+ parsed = YAML8.parse(content);
14406
14538
  } catch {
14407
14539
  throw new SopsDecryptionError(
14408
14540
  `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -14527,8 +14659,8 @@ var SopsClient = class {
14527
14659
  };
14528
14660
 
14529
14661
  // src/hsm/bundled.ts
14530
- var fs14 = __toESM(require("fs"));
14531
- var path12 = __toESM(require("path"));
14662
+ var fs15 = __toESM(require("fs"));
14663
+ var path13 = __toESM(require("path"));
14532
14664
  function tryBundledKeyservice() {
14533
14665
  const platform = process.platform;
14534
14666
  const arch = process.arch;
@@ -14540,19 +14672,19 @@ function tryBundledKeyservice() {
14540
14672
  const binName = "clef-keyservice";
14541
14673
  try {
14542
14674
  const packageMain = require.resolve(`${packageName}/package.json`);
14543
- const packageDir = path12.dirname(packageMain);
14544
- const binPath = path12.join(packageDir, "bin", binName);
14545
- return fs14.existsSync(binPath) ? binPath : null;
14675
+ const packageDir = path13.dirname(packageMain);
14676
+ const binPath = path13.join(packageDir, "bin", binName);
14677
+ return fs15.existsSync(binPath) ? binPath : null;
14546
14678
  } catch {
14547
14679
  return null;
14548
14680
  }
14549
14681
  }
14550
14682
 
14551
14683
  // src/hsm/resolver.ts
14552
- var fs15 = __toESM(require("fs"));
14553
- var path13 = __toESM(require("path"));
14684
+ var fs16 = __toESM(require("fs"));
14685
+ var path14 = __toESM(require("path"));
14554
14686
  function validateKeyservicePath(candidate) {
14555
- if (!path13.isAbsolute(candidate)) {
14687
+ if (!path14.isAbsolute(candidate)) {
14556
14688
  throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
14557
14689
  }
14558
14690
  const segments = candidate.split(/[/\\]/);
@@ -14568,7 +14700,7 @@ function resolveKeyservicePath() {
14568
14700
  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
14569
14701
  if (envPath) {
14570
14702
  validateKeyservicePath(envPath);
14571
- if (!fs15.existsSync(envPath)) {
14703
+ if (!fs16.existsSync(envPath)) {
14572
14704
  throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
14573
14705
  }
14574
14706
  cached2 = { path: envPath, source: "env" };
@@ -14616,7 +14748,7 @@ async function spawnKeyservice(options) {
14616
14748
  };
14617
14749
  }
14618
14750
  function readPort(child) {
14619
- return new Promise((resolve, reject) => {
14751
+ return new Promise((resolve2, reject) => {
14620
14752
  let settled = false;
14621
14753
  if (!child.stdout) {
14622
14754
  reject(new Error("Keyservice child has no stdout pipe."));
@@ -14644,7 +14776,7 @@ function readPort(child) {
14644
14776
  if (match && !settled) {
14645
14777
  settled = true;
14646
14778
  settle();
14647
- resolve(parseInt(match[1], 10));
14779
+ resolve2(parseInt(match[1], 10));
14648
14780
  }
14649
14781
  });
14650
14782
  child.on("error", (err) => {
@@ -14664,9 +14796,9 @@ function readPort(child) {
14664
14796
  });
14665
14797
  }
14666
14798
  function killGracefully(child) {
14667
- return new Promise((resolve) => {
14799
+ return new Promise((resolve2) => {
14668
14800
  if (child.exitCode !== null) {
14669
- resolve();
14801
+ resolve2();
14670
14802
  return;
14671
14803
  }
14672
14804
  const timer = setTimeout(() => {
@@ -14674,14 +14806,14 @@ function killGracefully(child) {
14674
14806
  }, SHUTDOWN_TIMEOUT_MS);
14675
14807
  child.on("exit", () => {
14676
14808
  clearTimeout(timer);
14677
- resolve();
14809
+ resolve2();
14678
14810
  });
14679
14811
  child.kill("SIGTERM");
14680
14812
  });
14681
14813
  }
14682
14814
 
14683
14815
  // src/lint/runner.ts
14684
- var path14 = __toESM(require("path"));
14816
+ var path15 = __toESM(require("path"));
14685
14817
  var LintRunner = class {
14686
14818
  constructor(matrixManager, schemaValidator, sopsClient) {
14687
14819
  this.matrixManager = matrixManager;
@@ -14784,7 +14916,7 @@ var LintRunner = class {
14784
14916
  }
14785
14917
  const ns = manifest.namespaces.find((n) => n.name === cell.namespace);
14786
14918
  if (ns?.schema) {
14787
- const schemaPath = path14.join(repoRoot, ns.schema);
14919
+ const schemaPath = path15.join(repoRoot, ns.schema);
14788
14920
  try {
14789
14921
  const schema = this.schemaValidator.loadSchema(schemaPath);
14790
14922
  const result = this.schemaValidator.validate(decrypted.values, schema);
@@ -15071,14 +15203,14 @@ Use 'clef exec' to inject secrets directly into a process, or 'clef export --for
15071
15203
  };
15072
15204
 
15073
15205
  // src/import/index.ts
15074
- var path16 = __toESM(require("path"));
15206
+ var path17 = __toESM(require("path"));
15075
15207
 
15076
15208
  // src/import/parsers.ts
15077
- var path15 = __toESM(require("path"));
15078
- var YAML8 = __toESM(require("yaml"));
15209
+ var path16 = __toESM(require("path"));
15210
+ var YAML9 = __toESM(require("yaml"));
15079
15211
  function detectFormat(filePath, content) {
15080
- const base = path15.basename(filePath);
15081
- const ext = path15.extname(filePath).toLowerCase();
15212
+ const base = path16.basename(filePath);
15213
+ const ext = path16.extname(filePath).toLowerCase();
15082
15214
  if (base === ".env" || base.startsWith(".env.")) {
15083
15215
  return "dotenv";
15084
15216
  }
@@ -15099,7 +15231,7 @@ function detectFormat(filePath, content) {
15099
15231
  } catch {
15100
15232
  }
15101
15233
  try {
15102
- const parsed = YAML8.parse(content);
15234
+ const parsed = YAML9.parse(content);
15103
15235
  if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
15104
15236
  return "yaml";
15105
15237
  }
@@ -15180,7 +15312,7 @@ function parseJson(content) {
15180
15312
  function parseYaml(content) {
15181
15313
  let parsed;
15182
15314
  try {
15183
- parsed = YAML8.parse(content);
15315
+ parsed = YAML9.parse(content);
15184
15316
  } catch (err) {
15185
15317
  throw new Error(`Invalid YAML: ${err.message}`);
15186
15318
  }
@@ -15246,7 +15378,7 @@ var ImportRunner = class {
15246
15378
  */
15247
15379
  async import(target, sourcePath, content, manifest, repoRoot, options) {
15248
15380
  const [ns, env] = target.split("/");
15249
- const filePath = path16.join(
15381
+ const filePath = path17.join(
15250
15382
  repoRoot,
15251
15383
  manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
15252
15384
  );
@@ -15298,7 +15430,7 @@ var ImportRunner = class {
15298
15430
  if (imported.length === 0) {
15299
15431
  return { imported, skipped, failed, warnings, dryRun: false };
15300
15432
  }
15301
- const relCellPath = path16.relative(repoRoot, filePath);
15433
+ const relCellPath = path17.relative(repoRoot, filePath);
15302
15434
  const relMetaPath = relCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
15303
15435
  await this.tx.run(repoRoot, {
15304
15436
  description: `clef import ${target}: ${imported.length} key(s)`,
@@ -15317,7 +15449,7 @@ var ImportRunner = class {
15317
15449
  };
15318
15450
 
15319
15451
  // src/recipients/index.ts
15320
- var path17 = __toESM(require("path"));
15452
+ var path18 = __toESM(require("path"));
15321
15453
  function parseRecipientEntry(entry) {
15322
15454
  if (typeof entry === "string") {
15323
15455
  return { key: entry };
@@ -15445,7 +15577,7 @@ var RecipientManager = class {
15445
15577
  const reEncryptedFiles = [];
15446
15578
  await this.tx.run(repoRoot, {
15447
15579
  description: environment ? `clef recipients add ${keyPreview(normalizedKey)} -e ${environment}` : `clef recipients add ${keyPreview(normalizedKey)}`,
15448
- paths: [...cells.map((c) => path17.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
15580
+ paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
15449
15581
  mutate: async () => {
15450
15582
  const doc = readManifestYaml(repoRoot);
15451
15583
  const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -15504,7 +15636,7 @@ var RecipientManager = class {
15504
15636
  const reEncryptedFiles = [];
15505
15637
  await this.tx.run(repoRoot, {
15506
15638
  description: environment ? `clef recipients remove ${keyPreview(trimmedKey)} -e ${environment}` : `clef recipients remove ${keyPreview(trimmedKey)}`,
15507
- paths: [...cells.map((c) => path17.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
15639
+ paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
15508
15640
  mutate: async () => {
15509
15641
  const doc = readManifestYaml(repoRoot);
15510
15642
  const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -15533,20 +15665,20 @@ var RecipientManager = class {
15533
15665
  };
15534
15666
 
15535
15667
  // src/recipients/requests.ts
15536
- var fs16 = __toESM(require("fs"));
15537
- var path18 = __toESM(require("path"));
15538
- var YAML9 = __toESM(require("yaml"));
15668
+ var fs17 = __toESM(require("fs"));
15669
+ var path19 = __toESM(require("path"));
15670
+ var YAML10 = __toESM(require("yaml"));
15539
15671
  var REQUESTS_FILENAME = ".clef-requests.yaml";
15540
15672
  var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
15541
15673
  function requestsFilePath(repoRoot) {
15542
- return path18.join(repoRoot, REQUESTS_FILENAME);
15674
+ return path19.join(repoRoot, REQUESTS_FILENAME);
15543
15675
  }
15544
15676
  function loadRequests(repoRoot) {
15545
15677
  const filePath = requestsFilePath(repoRoot);
15546
15678
  try {
15547
- if (!fs16.existsSync(filePath)) return [];
15548
- const content = fs16.readFileSync(filePath, "utf-8");
15549
- const parsed = YAML9.parse(content);
15679
+ if (!fs17.existsSync(filePath)) return [];
15680
+ const content = fs17.readFileSync(filePath, "utf-8");
15681
+ const parsed = YAML10.parse(content);
15550
15682
  if (!parsed || !Array.isArray(parsed.requests)) return [];
15551
15683
  return parsed.requests.map((r) => ({
15552
15684
  key: r.key,
@@ -15562,7 +15694,7 @@ function saveRequests(repoRoot, requests) {
15562
15694
  const filePath = requestsFilePath(repoRoot);
15563
15695
  if (requests.length === 0) {
15564
15696
  try {
15565
- fs16.unlinkSync(filePath);
15697
+ fs17.unlinkSync(filePath);
15566
15698
  } catch {
15567
15699
  }
15568
15700
  return;
@@ -15578,7 +15710,7 @@ function saveRequests(repoRoot, requests) {
15578
15710
  return raw;
15579
15711
  })
15580
15712
  };
15581
- fs16.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
15713
+ fs17.writeFileSync(filePath, HEADER_COMMENT2 + YAML10.stringify(data), "utf-8");
15582
15714
  }
15583
15715
  function upsertRequest(repoRoot, key, label, environment) {
15584
15716
  const requests = loadRequests(repoRoot);
@@ -15614,7 +15746,7 @@ function findInList(requests, identifier) {
15614
15746
  }
15615
15747
 
15616
15748
  // src/drift/detector.ts
15617
- var path19 = __toESM(require("path"));
15749
+ var path20 = __toESM(require("path"));
15618
15750
  var DriftDetector = class {
15619
15751
  parser = new ManifestParser();
15620
15752
  matrix = new MatrixManager();
@@ -15627,8 +15759,8 @@ var DriftDetector = class {
15627
15759
  * @returns Drift result with any issues found.
15628
15760
  */
15629
15761
  detect(localRoot, remoteRoot, namespaceFilter) {
15630
- const localManifest = this.parser.parse(path19.join(localRoot, CLEF_MANIFEST_FILENAME));
15631
- const remoteManifest = this.parser.parse(path19.join(remoteRoot, CLEF_MANIFEST_FILENAME));
15762
+ const localManifest = this.parser.parse(path20.join(localRoot, CLEF_MANIFEST_FILENAME));
15763
+ const remoteManifest = this.parser.parse(path20.join(remoteRoot, CLEF_MANIFEST_FILENAME));
15632
15764
  const localCells = this.matrix.resolveMatrix(localManifest, localRoot);
15633
15765
  const remoteCells = this.matrix.resolveMatrix(remoteManifest, remoteRoot);
15634
15766
  const localEnvNames = localManifest.environments.map((e) => e.name);
@@ -15692,7 +15824,7 @@ var DriftDetector = class {
15692
15824
  };
15693
15825
 
15694
15826
  // src/report/generator.ts
15695
- var path20 = __toESM(require("path"));
15827
+ var path21 = __toESM(require("path"));
15696
15828
 
15697
15829
  // src/report/sanitizer.ts
15698
15830
  var ReportSanitizer = class {
@@ -15852,7 +15984,7 @@ var ReportGenerator = class {
15852
15984
  let manifest = null;
15853
15985
  try {
15854
15986
  const parser = new ManifestParser();
15855
- manifest = parser.parse(path20.join(repoRoot, "clef.yaml"));
15987
+ manifest = parser.parse(path21.join(repoRoot, "clef.yaml"));
15856
15988
  } catch {
15857
15989
  const emptyManifest = {
15858
15990
  manifestVersion: 0,
@@ -16206,7 +16338,7 @@ var CloudClient = class {
16206
16338
  );
16207
16339
  }
16208
16340
  delay(ms) {
16209
- return new Promise((resolve) => setTimeout(resolve, ms));
16341
+ return new Promise((resolve2) => setTimeout(resolve2, ms));
16210
16342
  }
16211
16343
  };
16212
16344
 
@@ -16331,12 +16463,12 @@ var SopsMergeDriver = class {
16331
16463
  };
16332
16464
 
16333
16465
  // src/merge/metadata-driver.ts
16334
- var fs17 = __toESM(require("fs"));
16335
- var YAML10 = __toESM(require("yaml"));
16466
+ var fs18 = __toESM(require("fs"));
16467
+ var YAML11 = __toESM(require("yaml"));
16336
16468
  var HEADER_COMMENT3 = "# Managed by Clef. Do not edit manually.\n";
16337
16469
  function parseMetadata(content) {
16338
16470
  try {
16339
- const parsed = YAML10.parse(content);
16471
+ const parsed = YAML11.parse(content);
16340
16472
  if (!parsed || typeof parsed !== "object") return emptyMetadata2();
16341
16473
  const pendingRaw = Array.isArray(parsed.pending) ? parsed.pending : [];
16342
16474
  const pending = pendingRaw.filter(
@@ -16374,7 +16506,7 @@ function serializeMetadata(m) {
16374
16506
  rotation_count: r.rotationCount
16375
16507
  }))
16376
16508
  };
16377
- return HEADER_COMMENT3 + YAML10.stringify(data);
16509
+ return HEADER_COMMENT3 + YAML11.stringify(data);
16378
16510
  }
16379
16511
  function mergeRotations(ours, theirs) {
16380
16512
  const byKey = /* @__PURE__ */ new Map();
@@ -16434,14 +16566,14 @@ function mergeMetadataContents(oursContent, theirsContent) {
16434
16566
  return serializeMetadata({ version: 1, pending, rotations });
16435
16567
  }
16436
16568
  function mergeMetadataFiles(_basePath, oursPath, theirsPath) {
16437
- const oursContent = fs17.existsSync(oursPath) ? fs17.readFileSync(oursPath, "utf-8") : "";
16438
- const theirsContent = fs17.existsSync(theirsPath) ? fs17.readFileSync(theirsPath, "utf-8") : "";
16569
+ const oursContent = fs18.existsSync(oursPath) ? fs18.readFileSync(oursPath, "utf-8") : "";
16570
+ const theirsContent = fs18.existsSync(theirsPath) ? fs18.readFileSync(theirsPath, "utf-8") : "";
16439
16571
  const merged = mergeMetadataContents(oursContent, theirsContent);
16440
- fs17.writeFileSync(oursPath, merged, "utf-8");
16572
+ fs18.writeFileSync(oursPath, merged, "utf-8");
16441
16573
  }
16442
16574
 
16443
16575
  // src/service-identity/manager.ts
16444
- var path21 = __toESM(require("path"));
16576
+ var path22 = __toESM(require("path"));
16445
16577
  var ServiceIdentityManager = class {
16446
16578
  constructor(encryption, matrixManager, tx) {
16447
16579
  this.encryption = encryption;
@@ -16456,7 +16588,7 @@ var ServiceIdentityManager = class {
16456
16588
  * to seed TransactionManager.run's `paths` argument.
16457
16589
  */
16458
16590
  txPaths(repoRoot, cells) {
16459
- return [...cells.map((c) => path21.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
16591
+ return [...cells.map((c) => path22.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
16460
16592
  }
16461
16593
  /**
16462
16594
  * Create a new service identity with per-environment age key pairs or KMS envelope config.
@@ -16978,8 +17110,8 @@ var ServiceIdentityManager = class {
16978
17110
  };
16979
17111
 
16980
17112
  // src/structure/manager.ts
16981
- var fs18 = __toESM(require("fs"));
16982
- var path22 = __toESM(require("path"));
17113
+ var fs19 = __toESM(require("fs"));
17114
+ var path23 = __toESM(require("path"));
16983
17115
  var StructureManager = class {
16984
17116
  constructor(matrixManager, encryption, tx) {
16985
17117
  this.matrixManager = matrixManager;
@@ -17003,15 +17135,15 @@ var StructureManager = class {
17003
17135
  this.assertValidIdentifier("namespace", name);
17004
17136
  const newCellPaths = manifest.environments.map((env) => ({
17005
17137
  environment: env.name,
17006
- filePath: path22.join(
17138
+ filePath: path23.join(
17007
17139
  repoRoot,
17008
17140
  manifest.file_pattern.replace("{namespace}", name).replace("{environment}", env.name)
17009
17141
  )
17010
17142
  }));
17011
17143
  for (const cell of newCellPaths) {
17012
- if (fs18.existsSync(cell.filePath)) {
17144
+ if (fs19.existsSync(cell.filePath)) {
17013
17145
  throw new Error(
17014
- `Cannot add namespace '${name}': file '${path22.relative(repoRoot, cell.filePath)}' already exists.`
17146
+ `Cannot add namespace '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
17015
17147
  );
17016
17148
  }
17017
17149
  }
@@ -17030,7 +17162,7 @@ var StructureManager = class {
17030
17162
  await this.tx.run(repoRoot, {
17031
17163
  description: `clef namespace add ${name}`,
17032
17164
  paths: [
17033
- ...newCellPaths.map((c) => path22.relative(repoRoot, c.filePath)),
17165
+ ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
17034
17166
  CLEF_MANIFEST_FILENAME
17035
17167
  ],
17036
17168
  mutate: async () => {
@@ -17075,15 +17207,15 @@ var StructureManager = class {
17075
17207
  this.assertValidIdentifier("environment", name);
17076
17208
  const newCellPaths = manifest.namespaces.map((ns) => ({
17077
17209
  namespace: ns.name,
17078
- filePath: path22.join(
17210
+ filePath: path23.join(
17079
17211
  repoRoot,
17080
17212
  manifest.file_pattern.replace("{namespace}", ns.name).replace("{environment}", name)
17081
17213
  )
17082
17214
  }));
17083
17215
  for (const cell of newCellPaths) {
17084
- if (fs18.existsSync(cell.filePath)) {
17216
+ if (fs19.existsSync(cell.filePath)) {
17085
17217
  throw new Error(
17086
- `Cannot add environment '${name}': file '${path22.relative(repoRoot, cell.filePath)}' already exists.`
17218
+ `Cannot add environment '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
17087
17219
  );
17088
17220
  }
17089
17221
  }
@@ -17102,7 +17234,7 @@ var StructureManager = class {
17102
17234
  await this.tx.run(repoRoot, {
17103
17235
  description: `clef env add ${name}`,
17104
17236
  paths: [
17105
- ...newCellPaths.map((c) => path22.relative(repoRoot, c.filePath)),
17237
+ ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
17106
17238
  CLEF_MANIFEST_FILENAME
17107
17239
  ],
17108
17240
  mutate: async () => {
@@ -17165,7 +17297,7 @@ var StructureManager = class {
17165
17297
  paths: this.deletePaths(repoRoot, cellsToDelete),
17166
17298
  mutate: async () => {
17167
17299
  for (const cell of cellsToDelete) {
17168
- fs18.unlinkSync(cell.filePath);
17300
+ fs19.unlinkSync(cell.filePath);
17169
17301
  this.unlinkMetaSibling(cell.filePath);
17170
17302
  }
17171
17303
  const doc = readManifestYaml(repoRoot);
@@ -17215,7 +17347,7 @@ var StructureManager = class {
17215
17347
  paths: this.deletePaths(repoRoot, cellsToDelete),
17216
17348
  mutate: async () => {
17217
17349
  for (const cell of cellsToDelete) {
17218
- fs18.unlinkSync(cell.filePath);
17350
+ fs19.unlinkSync(cell.filePath);
17219
17351
  this.unlinkMetaSibling(cell.filePath);
17220
17352
  }
17221
17353
  const doc = readManifestYaml(repoRoot);
@@ -17257,9 +17389,9 @@ var StructureManager = class {
17257
17389
  const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "namespace") : [];
17258
17390
  if (isRename) {
17259
17391
  for (const pair of renamePairs) {
17260
- if (fs18.existsSync(pair.to)) {
17392
+ if (fs19.existsSync(pair.to)) {
17261
17393
  throw new Error(
17262
- `Rename target '${path22.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
17394
+ `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
17263
17395
  );
17264
17396
  }
17265
17397
  }
@@ -17300,9 +17432,9 @@ var StructureManager = class {
17300
17432
  const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "environment") : [];
17301
17433
  if (isRename) {
17302
17434
  for (const pair of renamePairs) {
17303
- if (fs18.existsSync(pair.to)) {
17435
+ if (fs19.existsSync(pair.to)) {
17304
17436
  throw new Error(
17305
- `Rename target '${path22.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
17437
+ `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
17306
17438
  );
17307
17439
  }
17308
17440
  }
@@ -17337,7 +17469,7 @@ var StructureManager = class {
17337
17469
  const newCellPath = this.swapAxisInCellPath(repoRoot, manifest, cell, axis, newName);
17338
17470
  pairs.push({ from: cell.filePath, to: newCellPath });
17339
17471
  const oldMeta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
17340
- if (fs18.existsSync(oldMeta)) {
17472
+ if (fs19.existsSync(oldMeta)) {
17341
17473
  const newMeta = newCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
17342
17474
  pairs.push({ from: oldMeta, to: newMeta });
17343
17475
  }
@@ -17352,7 +17484,7 @@ var StructureManager = class {
17352
17484
  swapAxisInCellPath(repoRoot, manifest, cell, axis, newName) {
17353
17485
  const ns = axis === "namespace" ? newName : cell.namespace;
17354
17486
  const env = axis === "environment" ? newName : cell.environment;
17355
- return path22.join(
17487
+ return path23.join(
17356
17488
  repoRoot,
17357
17489
  manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
17358
17490
  );
@@ -17364,8 +17496,8 @@ var StructureManager = class {
17364
17496
  txPaths(repoRoot, renamePairs) {
17365
17497
  const paths = /* @__PURE__ */ new Set();
17366
17498
  for (const pair of renamePairs) {
17367
- paths.add(path22.relative(repoRoot, pair.from));
17368
- paths.add(path22.relative(repoRoot, pair.to));
17499
+ paths.add(path23.relative(repoRoot, pair.from));
17500
+ paths.add(path23.relative(repoRoot, pair.to));
17369
17501
  }
17370
17502
  paths.add(CLEF_MANIFEST_FILENAME);
17371
17503
  return [...paths];
@@ -17376,11 +17508,11 @@ var StructureManager = class {
17376
17508
  */
17377
17509
  applyRenames(pairs) {
17378
17510
  for (const pair of pairs) {
17379
- const targetDir = path22.dirname(pair.to);
17380
- if (!fs18.existsSync(targetDir)) {
17381
- fs18.mkdirSync(targetDir, { recursive: true });
17511
+ const targetDir = path23.dirname(pair.to);
17512
+ if (!fs19.existsSync(targetDir)) {
17513
+ fs19.mkdirSync(targetDir, { recursive: true });
17382
17514
  }
17383
- fs18.renameSync(pair.from, pair.to);
17515
+ fs19.renameSync(pair.from, pair.to);
17384
17516
  }
17385
17517
  }
17386
17518
  /**
@@ -17391,10 +17523,10 @@ var StructureManager = class {
17391
17523
  deletePaths(repoRoot, cells) {
17392
17524
  const paths = /* @__PURE__ */ new Set();
17393
17525
  for (const cell of cells) {
17394
- paths.add(path22.relative(repoRoot, cell.filePath));
17526
+ paths.add(path23.relative(repoRoot, cell.filePath));
17395
17527
  const meta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
17396
- if (fs18.existsSync(meta)) {
17397
- paths.add(path22.relative(repoRoot, meta));
17528
+ if (fs19.existsSync(meta)) {
17529
+ paths.add(path23.relative(repoRoot, meta));
17398
17530
  }
17399
17531
  }
17400
17532
  paths.add(CLEF_MANIFEST_FILENAME);
@@ -17407,8 +17539,8 @@ var StructureManager = class {
17407
17539
  */
17408
17540
  unlinkMetaSibling(cellPath) {
17409
17541
  const meta = cellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
17410
- if (fs18.existsSync(meta)) {
17411
- fs18.unlinkSync(meta);
17542
+ if (fs19.existsSync(meta)) {
17543
+ fs19.unlinkSync(meta);
17412
17544
  }
17413
17545
  }
17414
17546
  /**
@@ -17550,24 +17682,24 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
17550
17682
  }
17551
17683
 
17552
17684
  // src/artifact/packer.ts
17553
- var crypto4 = __toESM(require("crypto"));
17685
+ var crypto5 = __toESM(require("crypto"));
17554
17686
 
17555
17687
  // src/artifact/output.ts
17556
- var fs19 = __toESM(require("fs"));
17557
- var path23 = __toESM(require("path"));
17688
+ var fs20 = __toESM(require("fs"));
17689
+ var path24 = __toESM(require("path"));
17558
17690
  var FilePackOutput = class {
17559
17691
  constructor(outputPath) {
17560
17692
  this.outputPath = outputPath;
17561
17693
  }
17562
17694
  outputPath;
17563
17695
  async write(_artifact, json) {
17564
- const outputDir = path23.dirname(this.outputPath);
17565
- if (!fs19.existsSync(outputDir)) {
17566
- fs19.mkdirSync(outputDir, { recursive: true });
17696
+ const outputDir = path24.dirname(this.outputPath);
17697
+ if (!fs20.existsSync(outputDir)) {
17698
+ fs20.mkdirSync(outputDir, { recursive: true });
17567
17699
  }
17568
17700
  const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
17569
- fs19.writeFileSync(tmpOutput, json, "utf-8");
17570
- fs19.renameSync(tmpOutput, this.outputPath);
17701
+ fs20.writeFileSync(tmpOutput, json, "utf-8");
17702
+ fs20.renameSync(tmpOutput, this.outputPath);
17571
17703
  }
17572
17704
  };
17573
17705
  var MemoryPackOutput = class {
@@ -17666,6 +17798,12 @@ function detectAlgorithm(publicKeyBase64) {
17666
17798
  throw new Error(`Unsupported key type: ${keyType}`);
17667
17799
  }
17668
17800
 
17801
+ // src/artifact/hash.ts
17802
+ var crypto4 = __toESM(require("crypto"));
17803
+ function computeCiphertextHash(ciphertext) {
17804
+ return crypto4.createHash("sha256").update(ciphertext).digest("hex");
17805
+ }
17806
+
17669
17807
  // src/artifact/packer.ts
17670
17808
  var ArtifactPacker = class {
17671
17809
  constructor(encryption, matrixManager, kms) {
@@ -17701,10 +17839,10 @@ var ArtifactPacker = class {
17701
17839
  if (!this.kms) {
17702
17840
  throw new Error("KMS provider required for envelope encryption but none was provided.");
17703
17841
  }
17704
- const dek = crypto4.randomBytes(32);
17705
- const iv = crypto4.randomBytes(12);
17842
+ const dek = crypto5.randomBytes(32);
17843
+ const iv = crypto5.randomBytes(12);
17706
17844
  try {
17707
- const cipher = crypto4.createCipheriv("aes-256-gcm", dek, iv);
17845
+ const cipher = crypto5.createCipheriv("aes-256-gcm", dek, iv);
17708
17846
  const ciphertextBuf = Buffer.concat([
17709
17847
  cipher.update(Buffer.from(plaintext, "utf-8")),
17710
17848
  cipher.final()
@@ -17713,8 +17851,8 @@ var ArtifactPacker = class {
17713
17851
  ciphertext = ciphertextBuf.toString("base64");
17714
17852
  const kmsConfig = resolved.envConfig.kms;
17715
17853
  const wrapped = await this.kms.wrap(kmsConfig.keyId, dek);
17716
- const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
17717
- const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
17854
+ const revision = `${Date.now()}-${crypto5.randomBytes(4).toString("hex")}`;
17855
+ const ciphertextHash = computeCiphertextHash(ciphertext);
17718
17856
  artifact = {
17719
17857
  version: 1,
17720
17858
  identity: config.identity,
@@ -17747,8 +17885,8 @@ var ArtifactPacker = class {
17747
17885
  `Failed to age-encrypt artifact: ${err instanceof Error ? err.message : String(err)}`
17748
17886
  );
17749
17887
  }
17750
- const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
17751
- const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
17888
+ const revision = `${Date.now()}-${crypto5.randomBytes(4).toString("hex")}`;
17889
+ const ciphertextHash = computeCiphertextHash(ciphertext);
17752
17890
  artifact = {
17753
17891
  version: 1,
17754
17892
  identity: config.identity,
@@ -17862,6 +18000,156 @@ function assertPackedArtifact(x, context) {
17862
18000
  }
17863
18001
  }
17864
18002
 
18003
+ // src/envelope-debug/builders.ts
18004
+ function buildInspectError(source, code, message) {
18005
+ return {
18006
+ source,
18007
+ version: null,
18008
+ identity: null,
18009
+ environment: null,
18010
+ packedAt: null,
18011
+ packedAtAgeMs: null,
18012
+ revision: null,
18013
+ ciphertextHash: null,
18014
+ ciphertextHashVerified: null,
18015
+ ciphertextBytes: null,
18016
+ expiresAt: null,
18017
+ expired: null,
18018
+ revokedAt: null,
18019
+ revoked: null,
18020
+ envelope: null,
18021
+ signature: { present: false, algorithm: null, verified: null },
18022
+ error: { code, message }
18023
+ };
18024
+ }
18025
+ function buildInspectResult(source, artifact, hashOk, now = Date.now()) {
18026
+ const expiresAt = artifact.expiresAt ?? null;
18027
+ const revokedAt = artifact.revokedAt ?? null;
18028
+ const env = artifact.envelope;
18029
+ return {
18030
+ source,
18031
+ version: artifact.version,
18032
+ identity: artifact.identity,
18033
+ environment: artifact.environment,
18034
+ packedAt: artifact.packedAt,
18035
+ packedAtAgeMs: now - new Date(artifact.packedAt).getTime(),
18036
+ revision: artifact.revision,
18037
+ ciphertextHash: artifact.ciphertextHash,
18038
+ ciphertextHashVerified: hashOk,
18039
+ ciphertextBytes: Buffer.byteLength(artifact.ciphertext, "base64"),
18040
+ expiresAt,
18041
+ expired: expiresAt ? new Date(expiresAt).getTime() < now : null,
18042
+ revokedAt,
18043
+ revoked: revokedAt !== null,
18044
+ envelope: env ? {
18045
+ provider: env.provider,
18046
+ kms: {
18047
+ provider: env.provider,
18048
+ keyId: env.keyId,
18049
+ algorithm: env.algorithm
18050
+ }
18051
+ } : { provider: "age", kms: null },
18052
+ signature: {
18053
+ present: typeof artifact.signature === "string",
18054
+ algorithm: artifact.signatureAlgorithm ?? null,
18055
+ verified: null
18056
+ },
18057
+ error: null
18058
+ };
18059
+ }
18060
+ function buildVerifyError(source, code, message) {
18061
+ return {
18062
+ source,
18063
+ checks: {
18064
+ hash: { status: "skipped" },
18065
+ signature: { status: "absent", algorithm: null },
18066
+ expiry: { status: "absent", expiresAt: null },
18067
+ revocation: { status: "absent", revokedAt: null }
18068
+ },
18069
+ overall: "fail",
18070
+ error: { code, message }
18071
+ };
18072
+ }
18073
+ function buildVerifyResult(source, inputs) {
18074
+ const hashFailed = inputs.hash === "mismatch";
18075
+ const signatureFailed = inputs.signature.status === "invalid";
18076
+ const overall = hashFailed || signatureFailed ? "fail" : "pass";
18077
+ return {
18078
+ source,
18079
+ checks: {
18080
+ hash: { status: inputs.hash },
18081
+ signature: inputs.signature,
18082
+ expiry: inputs.expiry,
18083
+ revocation: inputs.revocation
18084
+ },
18085
+ overall,
18086
+ error: null
18087
+ };
18088
+ }
18089
+ function buildDecryptError(source, code, message) {
18090
+ return {
18091
+ source,
18092
+ status: "error",
18093
+ error: { code, message },
18094
+ revealed: false,
18095
+ keys: [],
18096
+ values: null
18097
+ };
18098
+ }
18099
+ function buildDecryptResult(source, inputs) {
18100
+ let values = null;
18101
+ if (inputs.allValues) {
18102
+ values = inputs.allValues;
18103
+ } else if (inputs.singleKey) {
18104
+ values = { [inputs.singleKey.name]: inputs.singleKey.value };
18105
+ }
18106
+ return {
18107
+ source,
18108
+ status: "ok",
18109
+ error: null,
18110
+ revealed: values !== null,
18111
+ keys: [...inputs.keys].sort(),
18112
+ values
18113
+ };
18114
+ }
18115
+
18116
+ // src/envelope-debug/warnings.ts
18117
+ var WARNING_TAIL = "Shell history, terminal scrollback, and any attached logging (tmux capture-pane, CI log collectors, screen-recording) may retain it. Proceed only if this terminal and its upstream captures are trusted.";
18118
+ var REVEAL_WARNING = `WARNING: plaintext will be printed to stdout. ${WARNING_TAIL}`;
18119
+ function formatRevealWarning(key) {
18120
+ if (!key) return REVEAL_WARNING;
18121
+ return `WARNING: value for key "${key}" will be printed to stdout. ${WARNING_TAIL}`;
18122
+ }
18123
+
18124
+ // src/envelope-debug/signer-key.ts
18125
+ var crypto6 = __toESM(require("crypto"));
18126
+ function parseSignerKey(input) {
18127
+ const trimmed = input.trim();
18128
+ if (trimmed.startsWith("-----BEGIN")) {
18129
+ return pemToBase64Der(trimmed);
18130
+ }
18131
+ try {
18132
+ const key = crypto6.createPublicKey({
18133
+ key: Buffer.from(trimmed, "base64"),
18134
+ format: "der",
18135
+ type: "spki"
18136
+ });
18137
+ return key.export({ type: "spki", format: "der" }).toString("base64");
18138
+ } catch (err) {
18139
+ throw new Error(
18140
+ `signer key could not be parsed as PEM or a base64 DER SPKI key: ${err.message}`
18141
+ );
18142
+ }
18143
+ }
18144
+ function pemToBase64Der(pem) {
18145
+ try {
18146
+ const key = crypto6.createPublicKey({ key: pem, format: "pem" });
18147
+ return key.export({ type: "spki", format: "der" }).toString("base64");
18148
+ } catch (err) {
18149
+ throw new Error(`signer key PEM is invalid: ${err.message}`);
18150
+ }
18151
+ }
18152
+
17865
18153
  // src/pack/registry.ts
17866
18154
  var PackBackendRegistry = class {
17867
18155
  factories = /* @__PURE__ */ new Map();
@@ -17949,8 +18237,8 @@ var JsonEnvelopeBackend = class {
17949
18237
  var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
17950
18238
 
17951
18239
  // src/migration/backend.ts
17952
- var path24 = __toESM(require("path"));
17953
- var YAML11 = __toESM(require("yaml"));
18240
+ var path25 = __toESM(require("path"));
18241
+ var YAML12 = __toESM(require("yaml"));
17954
18242
  var BACKEND_KEY_FIELDS = {
17955
18243
  age: void 0,
17956
18244
  awskms: "aws_kms_arn",
@@ -18069,14 +18357,14 @@ var BackendMigrator = class {
18069
18357
  await this.tx.run(repoRoot, {
18070
18358
  description: environment ? `clef migrate-backend ${target.backend}: ${environment}` : `clef migrate-backend ${target.backend}`,
18071
18359
  paths: [
18072
- ...toMigrate.map((c) => path24.relative(repoRoot, c.filePath)),
18360
+ ...toMigrate.map((c) => path25.relative(repoRoot, c.filePath)),
18073
18361
  CLEF_MANIFEST_FILENAME
18074
18362
  ],
18075
18363
  mutate: async () => {
18076
18364
  const doc = readManifestYaml(repoRoot);
18077
18365
  this.updateManifestDoc(doc, target, environment);
18078
18366
  writeManifestYaml(repoRoot, doc);
18079
- const updatedManifest = YAML11.parse(YAML11.stringify(doc));
18367
+ const updatedManifest = YAML12.parse(YAML12.stringify(doc));
18080
18368
  for (const cell of toMigrate) {
18081
18369
  onProgress?.({
18082
18370
  type: "migrate",
@@ -18167,7 +18455,7 @@ var BackendMigrator = class {
18167
18455
  };
18168
18456
 
18169
18457
  // src/reset/manager.ts
18170
- var path25 = __toESM(require("path"));
18458
+ var path26 = __toESM(require("path"));
18171
18459
  var ResetManager = class {
18172
18460
  constructor(matrixManager, encryption, schemaValidator, tx) {
18173
18461
  this.matrixManager = matrixManager;
@@ -18196,11 +18484,11 @@ var ResetManager = class {
18196
18484
  txPaths.push(CLEF_MANIFEST_FILENAME);
18197
18485
  }
18198
18486
  for (const cell of targetCells) {
18199
- txPaths.push(path25.relative(repoRoot, cell.filePath));
18487
+ txPaths.push(path26.relative(repoRoot, cell.filePath));
18200
18488
  const cellKeys = keyPlan.get(cell.namespace) ?? [];
18201
18489
  if (cellKeys.length > 0) {
18202
18490
  txPaths.push(
18203
- path25.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
18491
+ path26.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
18204
18492
  );
18205
18493
  }
18206
18494
  }
@@ -18288,7 +18576,7 @@ var ResetManager = class {
18288
18576
  for (const namespace of namespaces) {
18289
18577
  const nsDef = manifest.namespaces.find((n) => n.name === namespace);
18290
18578
  if (nsDef?.schema) {
18291
- const schema = this.schemaValidator.loadSchema(path25.join(repoRoot, nsDef.schema));
18579
+ const schema = this.schemaValidator.loadSchema(path26.join(repoRoot, nsDef.schema));
18292
18580
  plan.set(namespace, Object.keys(schema.keys));
18293
18581
  continue;
18294
18582
  }
@@ -18367,7 +18655,7 @@ function withBackendOverride(manifest, envNames, backend, key) {
18367
18655
  }
18368
18656
 
18369
18657
  // src/sync/manager.ts
18370
- var path26 = __toESM(require("path"));
18658
+ var path27 = __toESM(require("path"));
18371
18659
  var SyncManager = class {
18372
18660
  constructor(matrixManager, encryption, tx) {
18373
18661
  this.matrixManager = matrixManager;
@@ -18439,7 +18727,7 @@ var SyncManager = class {
18439
18727
  }
18440
18728
  const txPaths = [];
18441
18729
  for (const cell of syncPlan.cells) {
18442
- const rel = path26.relative(repoRoot, cell.filePath);
18730
+ const rel = path27.relative(repoRoot, cell.filePath);
18443
18731
  txPaths.push(rel);
18444
18732
  txPaths.push(rel.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"));
18445
18733
  }
@@ -18478,8 +18766,8 @@ var SyncManager = class {
18478
18766
  };
18479
18767
 
18480
18768
  // src/policy/parser.ts
18481
- var fs20 = __toESM(require("fs"));
18482
- var YAML12 = __toESM(require("yaml"));
18769
+ var fs21 = __toESM(require("fs"));
18770
+ var YAML13 = __toESM(require("yaml"));
18483
18771
 
18484
18772
  // src/policy/types.ts
18485
18773
  var DEFAULT_POLICY = Object.freeze({
@@ -18500,7 +18788,7 @@ var PolicyParser = class {
18500
18788
  parse(filePath) {
18501
18789
  let raw;
18502
18790
  try {
18503
- raw = fs20.readFileSync(filePath, "utf-8");
18791
+ raw = fs21.readFileSync(filePath, "utf-8");
18504
18792
  } catch {
18505
18793
  throw new PolicyValidationError(`Could not read policy file at '${filePath}'.`);
18506
18794
  }
@@ -18515,7 +18803,7 @@ var PolicyParser = class {
18515
18803
  parseContent(content) {
18516
18804
  let parsed;
18517
18805
  try {
18518
- parsed = YAML12.parse(content);
18806
+ parsed = YAML13.parse(content);
18519
18807
  } catch {
18520
18808
  throw new PolicyValidationError(
18521
18809
  "Policy file contains invalid YAML. Check for syntax errors."
@@ -18528,7 +18816,7 @@ var PolicyParser = class {
18528
18816
  * not exist. Any other read or validation error throws.
18529
18817
  */
18530
18818
  load(filePath) {
18531
- if (!fs20.existsSync(filePath)) return DEFAULT_POLICY;
18819
+ if (!fs21.existsSync(filePath)) return DEFAULT_POLICY;
18532
18820
  return this.parse(filePath);
18533
18821
  }
18534
18822
  validate(raw) {
@@ -18722,13 +19010,13 @@ var ComplianceGenerator = class {
18722
19010
  };
18723
19011
 
18724
19012
  // src/compliance/run.ts
18725
- var path27 = __toESM(require("path"));
19013
+ var path28 = __toESM(require("path"));
18726
19014
  var UNKNOWN = "unknown";
18727
19015
  async function runCompliance(opts) {
18728
19016
  const start = Date.now();
18729
19017
  const repoRoot = opts.repoRoot ?? process.cwd();
18730
- const manifestPath = opts.manifestPath ?? path27.join(repoRoot, "clef.yaml");
18731
- const policyPath = opts.policyPath ?? path27.join(repoRoot, CLEF_POLICY_FILENAME);
19018
+ const manifestPath = opts.manifestPath ?? path28.join(repoRoot, "clef.yaml");
19019
+ const policyPath = opts.policyPath ?? path28.join(repoRoot, CLEF_POLICY_FILENAME);
18732
19020
  const include = {
18733
19021
  scan: opts.include?.scan ?? true,
18734
19022
  lint: opts.include?.lint ?? true,
@@ -18774,7 +19062,7 @@ async function evaluateMatrix(args) {
18774
19062
  return Promise.all(
18775
19063
  cells.map(async (cell) => {
18776
19064
  const metadata = await args.sopsClient.getMetadata(cell.filePath);
18777
- const relPath = path27.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
19065
+ const relPath = path28.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
18778
19066
  const keys = readSopsKeyNames(cell.filePath) ?? [];
18779
19067
  const rotations = await getRotations(cell.filePath);
18780
19068
  return evaluator.evaluateFile(relPath, cell.environment, metadata, keys, rotations, args.now);
@@ -18866,6 +19154,7 @@ async function detectRepo(runner, repoRoot) {
18866
19154
  PolicyValidationError,
18867
19155
  REQUESTS_FILENAME,
18868
19156
  REQUIREMENTS,
19157
+ REVEAL_WARNING,
18869
19158
  RecipientManager,
18870
19159
  ReportGenerator,
18871
19160
  ReportSanitizer,
@@ -18891,16 +19180,26 @@ async function detectRepo(runner, repoRoot) {
18891
19180
  VALID_KMS_PROVIDERS,
18892
19181
  assertPackedArtifact,
18893
19182
  assertSops,
19183
+ buildDecryptError,
19184
+ buildDecryptResult,
19185
+ buildInspectError,
19186
+ buildInspectResult,
18894
19187
  buildSigningPayload,
19188
+ buildVerifyError,
19189
+ buildVerifyResult,
18895
19190
  checkAll,
18896
19191
  checkDependency,
18897
19192
  collectCIContext,
19193
+ computeCiphertextHash,
18898
19194
  deriveAgePublicKey,
18899
19195
  describeScope,
18900
19196
  detectAlgorithm,
18901
19197
  detectFormat,
19198
+ emptyTemplate,
19199
+ exampleTemplate,
18902
19200
  findRequest,
18903
19201
  formatAgeKeyFile,
19202
+ formatRevealWarning,
18904
19203
  generateAgeIdentity,
18905
19204
  generateRandomValue,
18906
19205
  generateSigningKeyPair,
@@ -18926,6 +19225,7 @@ async function detectRepo(runner, repoRoot) {
18926
19225
  parseDotenv,
18927
19226
  parseIgnoreContent,
18928
19227
  parseJson,
19228
+ parseSignerKey,
18929
19229
  parseYaml,
18930
19230
  pkcs11UriToSyntheticArn,
18931
19231
  readManifestYaml,
@@ -18944,6 +19244,7 @@ async function detectRepo(runner, repoRoot) {
18944
19244
  runCompliance,
18945
19245
  saveMetadata,
18946
19246
  saveRequests,
19247
+ serializeSchema,
18947
19248
  shannonEntropy,
18948
19249
  shouldIgnoreFile,
18949
19250
  shouldIgnoreMatch,
@@ -18958,7 +19259,9 @@ async function detectRepo(runner, repoRoot) {
18958
19259
  validateResetScope,
18959
19260
  verifySignature,
18960
19261
  writeManifestYaml,
18961
- writeManifestYamlRaw
19262
+ writeManifestYamlRaw,
19263
+ writeSchema,
19264
+ writeSchemaRaw
18962
19265
  });
18963
19266
  /*! Bundled license information:
18964
19267