@clef-sh/core 0.1.20 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/artifact/hash.d.ts +10 -0
  2. package/dist/artifact/hash.d.ts.map +1 -0
  3. package/dist/artifact/packer.d.ts.map +1 -1
  4. package/dist/envelope-debug/builders.d.ts +28 -0
  5. package/dist/envelope-debug/builders.d.ts.map +1 -0
  6. package/dist/envelope-debug/index.d.ts +5 -0
  7. package/dist/envelope-debug/index.d.ts.map +1 -0
  8. package/dist/envelope-debug/signer-key.d.ts +18 -0
  9. package/dist/envelope-debug/signer-key.d.ts.map +1 -0
  10. package/dist/envelope-debug/types.d.ts +142 -0
  11. package/dist/envelope-debug/types.d.ts.map +1 -0
  12. package/dist/envelope-debug/warnings.d.ts +23 -0
  13. package/dist/envelope-debug/warnings.d.ts.map +1 -0
  14. package/dist/index.d.mts +5 -0
  15. package/dist/index.d.ts +5 -0
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +715 -412
  18. package/dist/index.js.map +4 -4
  19. package/dist/index.mjs +695 -407
  20. package/dist/index.mjs.map +4 -4
  21. package/dist/schema/validator.d.ts.map +1 -1
  22. package/dist/schema/writer.d.ts +61 -0
  23. package/dist/schema/writer.d.ts.map +1 -0
  24. package/dist/types/index.d.ts +1 -4
  25. package/dist/types/index.d.ts.map +1 -1
  26. package/package.json +1 -1
package/dist/index.mjs CHANGED
@@ -304,10 +304,10 @@ var require_lib = __commonJS({
304
304
  module.exports.sync = writeFileSync7;
305
305
  module.exports._getTmpname = getTmpname;
306
306
  module.exports._cleanupOnExit = cleanupOnExit;
307
- var fs21 = __require("fs");
308
- var crypto4 = __require("node:crypto");
307
+ var fs22 = __require("fs");
308
+ var crypto6 = __require("node:crypto");
309
309
  var { onExit } = require_cjs();
310
- var path28 = __require("path");
310
+ var path29 = __require("path");
311
311
  var { promisify } = __require("util");
312
312
  var activeFiles = {};
313
313
  var threadId = (function getId() {
@@ -320,24 +320,24 @@ var require_lib = __commonJS({
320
320
  })();
321
321
  var invocations = 0;
322
322
  function getTmpname(filename) {
323
- return filename + "." + crypto4.createHash("sha1").update(__filename).update(String(process.pid)).update(String(threadId)).update(String(++invocations)).digest().readUInt32BE(0);
323
+ return filename + "." + crypto6.createHash("sha1").update(__filename).update(String(process.pid)).update(String(threadId)).update(String(++invocations)).digest().readUInt32BE(0);
324
324
  }
325
325
  function cleanupOnExit(tmpfile) {
326
326
  return () => {
327
327
  try {
328
- fs21.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
328
+ fs22.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
329
329
  } catch {
330
330
  }
331
331
  };
332
332
  }
333
333
  function serializeActiveFile(absoluteName) {
334
- return new Promise((resolve) => {
334
+ return new Promise((resolve2) => {
335
335
  if (!activeFiles[absoluteName]) {
336
336
  activeFiles[absoluteName] = [];
337
337
  }
338
- activeFiles[absoluteName].push(resolve);
338
+ activeFiles[absoluteName].push(resolve2);
339
339
  if (activeFiles[absoluteName].length === 1) {
340
- resolve();
340
+ resolve2();
341
341
  }
342
342
  });
343
343
  }
@@ -360,13 +360,13 @@ var require_lib = __commonJS({
360
360
  let fd;
361
361
  let tmpfile;
362
362
  const removeOnExitHandler = onExit(cleanupOnExit(() => tmpfile));
363
- const absoluteName = path28.resolve(filename);
363
+ const absoluteName = path29.resolve(filename);
364
364
  try {
365
365
  await serializeActiveFile(absoluteName);
366
- const truename = await promisify(fs21.realpath)(filename).catch(() => filename);
366
+ const truename = await promisify(fs22.realpath)(filename).catch(() => filename);
367
367
  tmpfile = getTmpname(truename);
368
368
  if (!options.mode || !options.chown) {
369
- const stats = await promisify(fs21.stat)(truename).catch(() => {
369
+ const stats = await promisify(fs22.stat)(truename).catch(() => {
370
370
  });
371
371
  if (stats) {
372
372
  if (options.mode == null) {
@@ -377,45 +377,45 @@ var require_lib = __commonJS({
377
377
  }
378
378
  }
379
379
  }
380
- fd = await promisify(fs21.open)(tmpfile, "w", options.mode);
380
+ fd = await promisify(fs22.open)(tmpfile, "w", options.mode);
381
381
  if (options.tmpfileCreated) {
382
382
  await options.tmpfileCreated(tmpfile);
383
383
  }
384
384
  if (ArrayBuffer.isView(data)) {
385
- await promisify(fs21.write)(fd, data, 0, data.length, 0);
385
+ await promisify(fs22.write)(fd, data, 0, data.length, 0);
386
386
  } else if (data != null) {
387
- await promisify(fs21.write)(fd, String(data), 0, String(options.encoding || "utf8"));
387
+ await promisify(fs22.write)(fd, String(data), 0, String(options.encoding || "utf8"));
388
388
  }
389
389
  if (options.fsync !== false) {
390
- await promisify(fs21.fsync)(fd);
390
+ await promisify(fs22.fsync)(fd);
391
391
  }
392
- await promisify(fs21.close)(fd);
392
+ await promisify(fs22.close)(fd);
393
393
  fd = null;
394
394
  if (options.chown) {
395
- await promisify(fs21.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
395
+ await promisify(fs22.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
396
396
  if (!isChownErrOk(err)) {
397
397
  throw err;
398
398
  }
399
399
  });
400
400
  }
401
401
  if (options.mode) {
402
- await promisify(fs21.chmod)(tmpfile, options.mode).catch((err) => {
402
+ await promisify(fs22.chmod)(tmpfile, options.mode).catch((err) => {
403
403
  if (!isChownErrOk(err)) {
404
404
  throw err;
405
405
  }
406
406
  });
407
407
  }
408
- await promisify(fs21.rename)(tmpfile, truename);
408
+ await promisify(fs22.rename)(tmpfile, truename);
409
409
  } finally {
410
410
  if (fd) {
411
- await promisify(fs21.close)(fd).catch(
411
+ await promisify(fs22.close)(fd).catch(
412
412
  /* istanbul ignore next */
413
413
  () => {
414
414
  }
415
415
  );
416
416
  }
417
417
  removeOnExitHandler();
418
- await promisify(fs21.unlink)(tmpfile).catch(() => {
418
+ await promisify(fs22.unlink)(tmpfile).catch(() => {
419
419
  });
420
420
  activeFiles[absoluteName].shift();
421
421
  if (activeFiles[absoluteName].length > 0) {
@@ -448,13 +448,13 @@ var require_lib = __commonJS({
448
448
  options = {};
449
449
  }
450
450
  try {
451
- filename = fs21.realpathSync(filename);
451
+ filename = fs22.realpathSync(filename);
452
452
  } catch (ex) {
453
453
  }
454
454
  const tmpfile = getTmpname(filename);
455
455
  if (!options.mode || !options.chown) {
456
456
  try {
457
- const stats = fs21.statSync(filename);
457
+ const stats = fs22.statSync(filename);
458
458
  options = Object.assign({}, options);
459
459
  if (!options.mode) {
460
460
  options.mode = stats.mode;
@@ -470,23 +470,23 @@ var require_lib = __commonJS({
470
470
  const removeOnExitHandler = onExit(cleanup);
471
471
  let threw = true;
472
472
  try {
473
- fd = fs21.openSync(tmpfile, "w", options.mode || 438);
473
+ fd = fs22.openSync(tmpfile, "w", options.mode || 438);
474
474
  if (options.tmpfileCreated) {
475
475
  options.tmpfileCreated(tmpfile);
476
476
  }
477
477
  if (ArrayBuffer.isView(data)) {
478
- fs21.writeSync(fd, data, 0, data.length, 0);
478
+ fs22.writeSync(fd, data, 0, data.length, 0);
479
479
  } else if (data != null) {
480
- fs21.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
480
+ fs22.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
481
481
  }
482
482
  if (options.fsync !== false) {
483
- fs21.fsyncSync(fd);
483
+ fs22.fsyncSync(fd);
484
484
  }
485
- fs21.closeSync(fd);
485
+ fs22.closeSync(fd);
486
486
  fd = null;
487
487
  if (options.chown) {
488
488
  try {
489
- fs21.chownSync(tmpfile, options.chown.uid, options.chown.gid);
489
+ fs22.chownSync(tmpfile, options.chown.uid, options.chown.gid);
490
490
  } catch (err) {
491
491
  if (!isChownErrOk(err)) {
492
492
  throw err;
@@ -495,19 +495,19 @@ var require_lib = __commonJS({
495
495
  }
496
496
  if (options.mode) {
497
497
  try {
498
- fs21.chmodSync(tmpfile, options.mode);
498
+ fs22.chmodSync(tmpfile, options.mode);
499
499
  } catch (err) {
500
500
  if (!isChownErrOk(err)) {
501
501
  throw err;
502
502
  }
503
503
  }
504
504
  }
505
- fs21.renameSync(tmpfile, filename);
505
+ fs22.renameSync(tmpfile, filename);
506
506
  threw = false;
507
507
  } finally {
508
508
  if (fd) {
509
509
  try {
510
- fs21.closeSync(fd);
510
+ fs22.closeSync(fd);
511
511
  } catch (ex) {
512
512
  }
513
513
  }
@@ -546,54 +546,54 @@ var require_polyfills = __commonJS({
546
546
  }
547
547
  var chdir;
548
548
  module.exports = patch;
549
- function patch(fs21) {
549
+ function patch(fs22) {
550
550
  if (constants.hasOwnProperty("O_SYMLINK") && process.version.match(/^v0\.6\.[0-2]|^v0\.5\./)) {
551
- patchLchmod(fs21);
552
- }
553
- if (!fs21.lutimes) {
554
- patchLutimes(fs21);
555
- }
556
- fs21.chown = chownFix(fs21.chown);
557
- fs21.fchown = chownFix(fs21.fchown);
558
- fs21.lchown = chownFix(fs21.lchown);
559
- fs21.chmod = chmodFix(fs21.chmod);
560
- fs21.fchmod = chmodFix(fs21.fchmod);
561
- fs21.lchmod = chmodFix(fs21.lchmod);
562
- fs21.chownSync = chownFixSync(fs21.chownSync);
563
- fs21.fchownSync = chownFixSync(fs21.fchownSync);
564
- fs21.lchownSync = chownFixSync(fs21.lchownSync);
565
- fs21.chmodSync = chmodFixSync(fs21.chmodSync);
566
- fs21.fchmodSync = chmodFixSync(fs21.fchmodSync);
567
- fs21.lchmodSync = chmodFixSync(fs21.lchmodSync);
568
- fs21.stat = statFix(fs21.stat);
569
- fs21.fstat = statFix(fs21.fstat);
570
- fs21.lstat = statFix(fs21.lstat);
571
- fs21.statSync = statFixSync(fs21.statSync);
572
- fs21.fstatSync = statFixSync(fs21.fstatSync);
573
- fs21.lstatSync = statFixSync(fs21.lstatSync);
574
- if (fs21.chmod && !fs21.lchmod) {
575
- fs21.lchmod = function(path28, mode, cb) {
551
+ patchLchmod(fs22);
552
+ }
553
+ if (!fs22.lutimes) {
554
+ patchLutimes(fs22);
555
+ }
556
+ fs22.chown = chownFix(fs22.chown);
557
+ fs22.fchown = chownFix(fs22.fchown);
558
+ fs22.lchown = chownFix(fs22.lchown);
559
+ fs22.chmod = chmodFix(fs22.chmod);
560
+ fs22.fchmod = chmodFix(fs22.fchmod);
561
+ fs22.lchmod = chmodFix(fs22.lchmod);
562
+ fs22.chownSync = chownFixSync(fs22.chownSync);
563
+ fs22.fchownSync = chownFixSync(fs22.fchownSync);
564
+ fs22.lchownSync = chownFixSync(fs22.lchownSync);
565
+ fs22.chmodSync = chmodFixSync(fs22.chmodSync);
566
+ fs22.fchmodSync = chmodFixSync(fs22.fchmodSync);
567
+ fs22.lchmodSync = chmodFixSync(fs22.lchmodSync);
568
+ fs22.stat = statFix(fs22.stat);
569
+ fs22.fstat = statFix(fs22.fstat);
570
+ fs22.lstat = statFix(fs22.lstat);
571
+ fs22.statSync = statFixSync(fs22.statSync);
572
+ fs22.fstatSync = statFixSync(fs22.fstatSync);
573
+ fs22.lstatSync = statFixSync(fs22.lstatSync);
574
+ if (fs22.chmod && !fs22.lchmod) {
575
+ fs22.lchmod = function(path29, mode, cb) {
576
576
  if (cb) process.nextTick(cb);
577
577
  };
578
- fs21.lchmodSync = function() {
578
+ fs22.lchmodSync = function() {
579
579
  };
580
580
  }
581
- if (fs21.chown && !fs21.lchown) {
582
- fs21.lchown = function(path28, uid, gid, cb) {
581
+ if (fs22.chown && !fs22.lchown) {
582
+ fs22.lchown = function(path29, uid, gid, cb) {
583
583
  if (cb) process.nextTick(cb);
584
584
  };
585
- fs21.lchownSync = function() {
585
+ fs22.lchownSync = function() {
586
586
  };
587
587
  }
588
588
  if (platform === "win32") {
589
- fs21.rename = typeof fs21.rename !== "function" ? fs21.rename : (function(fs$rename) {
589
+ fs22.rename = typeof fs22.rename !== "function" ? fs22.rename : (function(fs$rename) {
590
590
  function rename(from, to, cb) {
591
591
  var start = Date.now();
592
592
  var backoff = 0;
593
593
  fs$rename(from, to, function CB(er) {
594
594
  if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
595
595
  setTimeout(function() {
596
- fs21.stat(to, function(stater, st) {
596
+ fs22.stat(to, function(stater, st) {
597
597
  if (stater && stater.code === "ENOENT")
598
598
  fs$rename(from, to, CB);
599
599
  else
@@ -609,9 +609,9 @@ var require_polyfills = __commonJS({
609
609
  }
610
610
  if (Object.setPrototypeOf) Object.setPrototypeOf(rename, fs$rename);
611
611
  return rename;
612
- })(fs21.rename);
612
+ })(fs22.rename);
613
613
  }
614
- fs21.read = typeof fs21.read !== "function" ? fs21.read : (function(fs$read) {
614
+ fs22.read = typeof fs22.read !== "function" ? fs22.read : (function(fs$read) {
615
615
  function read(fd, buffer, offset, length, position, callback_) {
616
616
  var callback;
617
617
  if (callback_ && typeof callback_ === "function") {
@@ -619,22 +619,22 @@ var require_polyfills = __commonJS({
619
619
  callback = function(er, _, __) {
620
620
  if (er && er.code === "EAGAIN" && eagCounter < 10) {
621
621
  eagCounter++;
622
- return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
622
+ return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
623
623
  }
624
624
  callback_.apply(this, arguments);
625
625
  };
626
626
  }
627
- return fs$read.call(fs21, fd, buffer, offset, length, position, callback);
627
+ return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
628
628
  }
629
629
  if (Object.setPrototypeOf) Object.setPrototypeOf(read, fs$read);
630
630
  return read;
631
- })(fs21.read);
632
- fs21.readSync = typeof fs21.readSync !== "function" ? fs21.readSync : /* @__PURE__ */ (function(fs$readSync) {
631
+ })(fs22.read);
632
+ fs22.readSync = typeof fs22.readSync !== "function" ? fs22.readSync : /* @__PURE__ */ (function(fs$readSync) {
633
633
  return function(fd, buffer, offset, length, position) {
634
634
  var eagCounter = 0;
635
635
  while (true) {
636
636
  try {
637
- return fs$readSync.call(fs21, fd, buffer, offset, length, position);
637
+ return fs$readSync.call(fs22, fd, buffer, offset, length, position);
638
638
  } catch (er) {
639
639
  if (er.code === "EAGAIN" && eagCounter < 10) {
640
640
  eagCounter++;
@@ -644,11 +644,11 @@ var require_polyfills = __commonJS({
644
644
  }
645
645
  }
646
646
  };
647
- })(fs21.readSync);
648
- function patchLchmod(fs22) {
649
- fs22.lchmod = function(path28, mode, callback) {
650
- fs22.open(
651
- path28,
647
+ })(fs22.readSync);
648
+ function patchLchmod(fs23) {
649
+ fs23.lchmod = function(path29, mode, callback) {
650
+ fs23.open(
651
+ path29,
652
652
  constants.O_WRONLY | constants.O_SYMLINK,
653
653
  mode,
654
654
  function(err, fd) {
@@ -656,80 +656,80 @@ var require_polyfills = __commonJS({
656
656
  if (callback) callback(err);
657
657
  return;
658
658
  }
659
- fs22.fchmod(fd, mode, function(err2) {
660
- fs22.close(fd, function(err22) {
659
+ fs23.fchmod(fd, mode, function(err2) {
660
+ fs23.close(fd, function(err22) {
661
661
  if (callback) callback(err2 || err22);
662
662
  });
663
663
  });
664
664
  }
665
665
  );
666
666
  };
667
- fs22.lchmodSync = function(path28, mode) {
668
- var fd = fs22.openSync(path28, constants.O_WRONLY | constants.O_SYMLINK, mode);
667
+ fs23.lchmodSync = function(path29, mode) {
668
+ var fd = fs23.openSync(path29, constants.O_WRONLY | constants.O_SYMLINK, mode);
669
669
  var threw = true;
670
670
  var ret;
671
671
  try {
672
- ret = fs22.fchmodSync(fd, mode);
672
+ ret = fs23.fchmodSync(fd, mode);
673
673
  threw = false;
674
674
  } finally {
675
675
  if (threw) {
676
676
  try {
677
- fs22.closeSync(fd);
677
+ fs23.closeSync(fd);
678
678
  } catch (er) {
679
679
  }
680
680
  } else {
681
- fs22.closeSync(fd);
681
+ fs23.closeSync(fd);
682
682
  }
683
683
  }
684
684
  return ret;
685
685
  };
686
686
  }
687
- function patchLutimes(fs22) {
688
- if (constants.hasOwnProperty("O_SYMLINK") && fs22.futimes) {
689
- fs22.lutimes = function(path28, at, mt, cb) {
690
- fs22.open(path28, constants.O_SYMLINK, function(er, fd) {
687
+ function patchLutimes(fs23) {
688
+ if (constants.hasOwnProperty("O_SYMLINK") && fs23.futimes) {
689
+ fs23.lutimes = function(path29, at, mt, cb) {
690
+ fs23.open(path29, constants.O_SYMLINK, function(er, fd) {
691
691
  if (er) {
692
692
  if (cb) cb(er);
693
693
  return;
694
694
  }
695
- fs22.futimes(fd, at, mt, function(er2) {
696
- fs22.close(fd, function(er22) {
695
+ fs23.futimes(fd, at, mt, function(er2) {
696
+ fs23.close(fd, function(er22) {
697
697
  if (cb) cb(er2 || er22);
698
698
  });
699
699
  });
700
700
  });
701
701
  };
702
- fs22.lutimesSync = function(path28, at, mt) {
703
- var fd = fs22.openSync(path28, constants.O_SYMLINK);
702
+ fs23.lutimesSync = function(path29, at, mt) {
703
+ var fd = fs23.openSync(path29, constants.O_SYMLINK);
704
704
  var ret;
705
705
  var threw = true;
706
706
  try {
707
- ret = fs22.futimesSync(fd, at, mt);
707
+ ret = fs23.futimesSync(fd, at, mt);
708
708
  threw = false;
709
709
  } finally {
710
710
  if (threw) {
711
711
  try {
712
- fs22.closeSync(fd);
712
+ fs23.closeSync(fd);
713
713
  } catch (er) {
714
714
  }
715
715
  } else {
716
- fs22.closeSync(fd);
716
+ fs23.closeSync(fd);
717
717
  }
718
718
  }
719
719
  return ret;
720
720
  };
721
- } else if (fs22.futimes) {
722
- fs22.lutimes = function(_a, _b, _c, cb) {
721
+ } else if (fs23.futimes) {
722
+ fs23.lutimes = function(_a, _b, _c, cb) {
723
723
  if (cb) process.nextTick(cb);
724
724
  };
725
- fs22.lutimesSync = function() {
725
+ fs23.lutimesSync = function() {
726
726
  };
727
727
  }
728
728
  }
729
729
  function chmodFix(orig) {
730
730
  if (!orig) return orig;
731
731
  return function(target, mode, cb) {
732
- return orig.call(fs21, target, mode, function(er) {
732
+ return orig.call(fs22, target, mode, function(er) {
733
733
  if (chownErOk(er)) er = null;
734
734
  if (cb) cb.apply(this, arguments);
735
735
  });
@@ -739,7 +739,7 @@ var require_polyfills = __commonJS({
739
739
  if (!orig) return orig;
740
740
  return function(target, mode) {
741
741
  try {
742
- return orig.call(fs21, target, mode);
742
+ return orig.call(fs22, target, mode);
743
743
  } catch (er) {
744
744
  if (!chownErOk(er)) throw er;
745
745
  }
@@ -748,7 +748,7 @@ var require_polyfills = __commonJS({
748
748
  function chownFix(orig) {
749
749
  if (!orig) return orig;
750
750
  return function(target, uid, gid, cb) {
751
- return orig.call(fs21, target, uid, gid, function(er) {
751
+ return orig.call(fs22, target, uid, gid, function(er) {
752
752
  if (chownErOk(er)) er = null;
753
753
  if (cb) cb.apply(this, arguments);
754
754
  });
@@ -758,7 +758,7 @@ var require_polyfills = __commonJS({
758
758
  if (!orig) return orig;
759
759
  return function(target, uid, gid) {
760
760
  try {
761
- return orig.call(fs21, target, uid, gid);
761
+ return orig.call(fs22, target, uid, gid);
762
762
  } catch (er) {
763
763
  if (!chownErOk(er)) throw er;
764
764
  }
@@ -778,13 +778,13 @@ var require_polyfills = __commonJS({
778
778
  }
779
779
  if (cb) cb.apply(this, arguments);
780
780
  }
781
- return options ? orig.call(fs21, target, options, callback) : orig.call(fs21, target, callback);
781
+ return options ? orig.call(fs22, target, options, callback) : orig.call(fs22, target, callback);
782
782
  };
783
783
  }
784
784
  function statFixSync(orig) {
785
785
  if (!orig) return orig;
786
786
  return function(target, options) {
787
- var stats = options ? orig.call(fs21, target, options) : orig.call(fs21, target);
787
+ var stats = options ? orig.call(fs22, target, options) : orig.call(fs22, target);
788
788
  if (stats) {
789
789
  if (stats.uid < 0) stats.uid += 4294967296;
790
790
  if (stats.gid < 0) stats.gid += 4294967296;
@@ -813,16 +813,16 @@ var require_legacy_streams = __commonJS({
813
813
  "../../node_modules/graceful-fs/legacy-streams.js"(exports, module) {
814
814
  var Stream = __require("stream").Stream;
815
815
  module.exports = legacy;
816
- function legacy(fs21) {
816
+ function legacy(fs22) {
817
817
  return {
818
818
  ReadStream,
819
819
  WriteStream
820
820
  };
821
- function ReadStream(path28, options) {
822
- if (!(this instanceof ReadStream)) return new ReadStream(path28, options);
821
+ function ReadStream(path29, options) {
822
+ if (!(this instanceof ReadStream)) return new ReadStream(path29, options);
823
823
  Stream.call(this);
824
824
  var self = this;
825
- this.path = path28;
825
+ this.path = path29;
826
826
  this.fd = null;
827
827
  this.readable = true;
828
828
  this.paused = false;
@@ -856,7 +856,7 @@ var require_legacy_streams = __commonJS({
856
856
  });
857
857
  return;
858
858
  }
859
- fs21.open(this.path, this.flags, this.mode, function(err, fd) {
859
+ fs22.open(this.path, this.flags, this.mode, function(err, fd) {
860
860
  if (err) {
861
861
  self.emit("error", err);
862
862
  self.readable = false;
@@ -867,10 +867,10 @@ var require_legacy_streams = __commonJS({
867
867
  self._read();
868
868
  });
869
869
  }
870
- function WriteStream(path28, options) {
871
- if (!(this instanceof WriteStream)) return new WriteStream(path28, options);
870
+ function WriteStream(path29, options) {
871
+ if (!(this instanceof WriteStream)) return new WriteStream(path29, options);
872
872
  Stream.call(this);
873
- this.path = path28;
873
+ this.path = path29;
874
874
  this.fd = null;
875
875
  this.writable = true;
876
876
  this.flags = "w";
@@ -895,7 +895,7 @@ var require_legacy_streams = __commonJS({
895
895
  this.busy = false;
896
896
  this._queue = [];
897
897
  if (this.fd === null) {
898
- this._open = fs21.open;
898
+ this._open = fs22.open;
899
899
  this._queue.push([this._open, this.path, this.flags, this.mode, void 0]);
900
900
  this.flush();
901
901
  }
@@ -930,7 +930,7 @@ var require_clone = __commonJS({
930
930
  // ../../node_modules/graceful-fs/graceful-fs.js
931
931
  var require_graceful_fs = __commonJS({
932
932
  "../../node_modules/graceful-fs/graceful-fs.js"(exports, module) {
933
- var fs21 = __require("fs");
933
+ var fs22 = __require("fs");
934
934
  var polyfills = require_polyfills();
935
935
  var legacy = require_legacy_streams();
936
936
  var clone = require_clone();
@@ -962,12 +962,12 @@ var require_graceful_fs = __commonJS({
962
962
  m = "GFS4: " + m.split(/\n/).join("\nGFS4: ");
963
963
  console.error(m);
964
964
  };
965
- if (!fs21[gracefulQueue]) {
965
+ if (!fs22[gracefulQueue]) {
966
966
  queue = global[gracefulQueue] || [];
967
- publishQueue(fs21, queue);
968
- fs21.close = (function(fs$close) {
967
+ publishQueue(fs22, queue);
968
+ fs22.close = (function(fs$close) {
969
969
  function close(fd, cb) {
970
- return fs$close.call(fs21, fd, function(err) {
970
+ return fs$close.call(fs22, fd, function(err) {
971
971
  if (!err) {
972
972
  resetQueue();
973
973
  }
@@ -979,48 +979,48 @@ var require_graceful_fs = __commonJS({
979
979
  value: fs$close
980
980
  });
981
981
  return close;
982
- })(fs21.close);
983
- fs21.closeSync = (function(fs$closeSync) {
982
+ })(fs22.close);
983
+ fs22.closeSync = (function(fs$closeSync) {
984
984
  function closeSync2(fd) {
985
- fs$closeSync.apply(fs21, arguments);
985
+ fs$closeSync.apply(fs22, arguments);
986
986
  resetQueue();
987
987
  }
988
988
  Object.defineProperty(closeSync2, previousSymbol, {
989
989
  value: fs$closeSync
990
990
  });
991
991
  return closeSync2;
992
- })(fs21.closeSync);
992
+ })(fs22.closeSync);
993
993
  if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || "")) {
994
994
  process.on("exit", function() {
995
- debug(fs21[gracefulQueue]);
996
- __require("assert").equal(fs21[gracefulQueue].length, 0);
995
+ debug(fs22[gracefulQueue]);
996
+ __require("assert").equal(fs22[gracefulQueue].length, 0);
997
997
  });
998
998
  }
999
999
  }
1000
1000
  var queue;
1001
1001
  if (!global[gracefulQueue]) {
1002
- publishQueue(global, fs21[gracefulQueue]);
1003
- }
1004
- module.exports = patch(clone(fs21));
1005
- if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs21.__patched) {
1006
- module.exports = patch(fs21);
1007
- fs21.__patched = true;
1008
- }
1009
- function patch(fs22) {
1010
- polyfills(fs22);
1011
- fs22.gracefulify = patch;
1012
- fs22.createReadStream = createReadStream;
1013
- fs22.createWriteStream = createWriteStream;
1014
- var fs$readFile = fs22.readFile;
1015
- fs22.readFile = readFile;
1016
- function readFile(path28, options, cb) {
1002
+ publishQueue(global, fs22[gracefulQueue]);
1003
+ }
1004
+ module.exports = patch(clone(fs22));
1005
+ if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs22.__patched) {
1006
+ module.exports = patch(fs22);
1007
+ fs22.__patched = true;
1008
+ }
1009
+ function patch(fs23) {
1010
+ polyfills(fs23);
1011
+ fs23.gracefulify = patch;
1012
+ fs23.createReadStream = createReadStream;
1013
+ fs23.createWriteStream = createWriteStream;
1014
+ var fs$readFile = fs23.readFile;
1015
+ fs23.readFile = readFile;
1016
+ function readFile(path29, options, cb) {
1017
1017
  if (typeof options === "function")
1018
1018
  cb = options, options = null;
1019
- return go$readFile(path28, options, cb);
1020
- function go$readFile(path29, options2, cb2, startTime) {
1021
- return fs$readFile(path29, options2, function(err) {
1019
+ return go$readFile(path29, options, cb);
1020
+ function go$readFile(path30, options2, cb2, startTime) {
1021
+ return fs$readFile(path30, options2, function(err) {
1022
1022
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1023
- enqueue([go$readFile, [path29, options2, cb2], err, startTime || Date.now(), Date.now()]);
1023
+ enqueue([go$readFile, [path30, options2, cb2], err, startTime || Date.now(), Date.now()]);
1024
1024
  else {
1025
1025
  if (typeof cb2 === "function")
1026
1026
  cb2.apply(this, arguments);
@@ -1028,16 +1028,16 @@ var require_graceful_fs = __commonJS({
1028
1028
  });
1029
1029
  }
1030
1030
  }
1031
- var fs$writeFile = fs22.writeFile;
1032
- fs22.writeFile = writeFile;
1033
- function writeFile(path28, data, options, cb) {
1031
+ var fs$writeFile = fs23.writeFile;
1032
+ fs23.writeFile = writeFile;
1033
+ function writeFile(path29, data, options, cb) {
1034
1034
  if (typeof options === "function")
1035
1035
  cb = options, options = null;
1036
- return go$writeFile(path28, data, options, cb);
1037
- function go$writeFile(path29, data2, options2, cb2, startTime) {
1038
- return fs$writeFile(path29, data2, options2, function(err) {
1036
+ return go$writeFile(path29, data, options, cb);
1037
+ function go$writeFile(path30, data2, options2, cb2, startTime) {
1038
+ return fs$writeFile(path30, data2, options2, function(err) {
1039
1039
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1040
- enqueue([go$writeFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1040
+ enqueue([go$writeFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1041
1041
  else {
1042
1042
  if (typeof cb2 === "function")
1043
1043
  cb2.apply(this, arguments);
@@ -1045,17 +1045,17 @@ var require_graceful_fs = __commonJS({
1045
1045
  });
1046
1046
  }
1047
1047
  }
1048
- var fs$appendFile = fs22.appendFile;
1048
+ var fs$appendFile = fs23.appendFile;
1049
1049
  if (fs$appendFile)
1050
- fs22.appendFile = appendFile;
1051
- function appendFile(path28, data, options, cb) {
1050
+ fs23.appendFile = appendFile;
1051
+ function appendFile(path29, data, options, cb) {
1052
1052
  if (typeof options === "function")
1053
1053
  cb = options, options = null;
1054
- return go$appendFile(path28, data, options, cb);
1055
- function go$appendFile(path29, data2, options2, cb2, startTime) {
1056
- return fs$appendFile(path29, data2, options2, function(err) {
1054
+ return go$appendFile(path29, data, options, cb);
1055
+ function go$appendFile(path30, data2, options2, cb2, startTime) {
1056
+ return fs$appendFile(path30, data2, options2, function(err) {
1057
1057
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1058
- enqueue([go$appendFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1058
+ enqueue([go$appendFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
1059
1059
  else {
1060
1060
  if (typeof cb2 === "function")
1061
1061
  cb2.apply(this, arguments);
@@ -1063,9 +1063,9 @@ var require_graceful_fs = __commonJS({
1063
1063
  });
1064
1064
  }
1065
1065
  }
1066
- var fs$copyFile = fs22.copyFile;
1066
+ var fs$copyFile = fs23.copyFile;
1067
1067
  if (fs$copyFile)
1068
- fs22.copyFile = copyFile;
1068
+ fs23.copyFile = copyFile;
1069
1069
  function copyFile(src, dest, flags, cb) {
1070
1070
  if (typeof flags === "function") {
1071
1071
  cb = flags;
@@ -1083,34 +1083,34 @@ var require_graceful_fs = __commonJS({
1083
1083
  });
1084
1084
  }
1085
1085
  }
1086
- var fs$readdir = fs22.readdir;
1087
- fs22.readdir = readdir;
1086
+ var fs$readdir = fs23.readdir;
1087
+ fs23.readdir = readdir;
1088
1088
  var noReaddirOptionVersions = /^v[0-5]\./;
1089
- function readdir(path28, options, cb) {
1089
+ function readdir(path29, options, cb) {
1090
1090
  if (typeof options === "function")
1091
1091
  cb = options, options = null;
1092
- var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path29, options2, cb2, startTime) {
1093
- return fs$readdir(path29, fs$readdirCallback(
1094
- path29,
1092
+ var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path30, options2, cb2, startTime) {
1093
+ return fs$readdir(path30, fs$readdirCallback(
1094
+ path30,
1095
1095
  options2,
1096
1096
  cb2,
1097
1097
  startTime
1098
1098
  ));
1099
- } : function go$readdir2(path29, options2, cb2, startTime) {
1100
- return fs$readdir(path29, options2, fs$readdirCallback(
1101
- path29,
1099
+ } : function go$readdir2(path30, options2, cb2, startTime) {
1100
+ return fs$readdir(path30, options2, fs$readdirCallback(
1101
+ path30,
1102
1102
  options2,
1103
1103
  cb2,
1104
1104
  startTime
1105
1105
  ));
1106
1106
  };
1107
- return go$readdir(path28, options, cb);
1108
- function fs$readdirCallback(path29, options2, cb2, startTime) {
1107
+ return go$readdir(path29, options, cb);
1108
+ function fs$readdirCallback(path30, options2, cb2, startTime) {
1109
1109
  return function(err, files) {
1110
1110
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1111
1111
  enqueue([
1112
1112
  go$readdir,
1113
- [path29, options2, cb2],
1113
+ [path30, options2, cb2],
1114
1114
  err,
1115
1115
  startTime || Date.now(),
1116
1116
  Date.now()
@@ -1125,21 +1125,21 @@ var require_graceful_fs = __commonJS({
1125
1125
  }
1126
1126
  }
1127
1127
  if (process.version.substr(0, 4) === "v0.8") {
1128
- var legStreams = legacy(fs22);
1128
+ var legStreams = legacy(fs23);
1129
1129
  ReadStream = legStreams.ReadStream;
1130
1130
  WriteStream = legStreams.WriteStream;
1131
1131
  }
1132
- var fs$ReadStream = fs22.ReadStream;
1132
+ var fs$ReadStream = fs23.ReadStream;
1133
1133
  if (fs$ReadStream) {
1134
1134
  ReadStream.prototype = Object.create(fs$ReadStream.prototype);
1135
1135
  ReadStream.prototype.open = ReadStream$open;
1136
1136
  }
1137
- var fs$WriteStream = fs22.WriteStream;
1137
+ var fs$WriteStream = fs23.WriteStream;
1138
1138
  if (fs$WriteStream) {
1139
1139
  WriteStream.prototype = Object.create(fs$WriteStream.prototype);
1140
1140
  WriteStream.prototype.open = WriteStream$open;
1141
1141
  }
1142
- Object.defineProperty(fs22, "ReadStream", {
1142
+ Object.defineProperty(fs23, "ReadStream", {
1143
1143
  get: function() {
1144
1144
  return ReadStream;
1145
1145
  },
@@ -1149,7 +1149,7 @@ var require_graceful_fs = __commonJS({
1149
1149
  enumerable: true,
1150
1150
  configurable: true
1151
1151
  });
1152
- Object.defineProperty(fs22, "WriteStream", {
1152
+ Object.defineProperty(fs23, "WriteStream", {
1153
1153
  get: function() {
1154
1154
  return WriteStream;
1155
1155
  },
@@ -1160,7 +1160,7 @@ var require_graceful_fs = __commonJS({
1160
1160
  configurable: true
1161
1161
  });
1162
1162
  var FileReadStream = ReadStream;
1163
- Object.defineProperty(fs22, "FileReadStream", {
1163
+ Object.defineProperty(fs23, "FileReadStream", {
1164
1164
  get: function() {
1165
1165
  return FileReadStream;
1166
1166
  },
@@ -1171,7 +1171,7 @@ var require_graceful_fs = __commonJS({
1171
1171
  configurable: true
1172
1172
  });
1173
1173
  var FileWriteStream = WriteStream;
1174
- Object.defineProperty(fs22, "FileWriteStream", {
1174
+ Object.defineProperty(fs23, "FileWriteStream", {
1175
1175
  get: function() {
1176
1176
  return FileWriteStream;
1177
1177
  },
@@ -1181,7 +1181,7 @@ var require_graceful_fs = __commonJS({
1181
1181
  enumerable: true,
1182
1182
  configurable: true
1183
1183
  });
1184
- function ReadStream(path28, options) {
1184
+ function ReadStream(path29, options) {
1185
1185
  if (this instanceof ReadStream)
1186
1186
  return fs$ReadStream.apply(this, arguments), this;
1187
1187
  else
@@ -1201,7 +1201,7 @@ var require_graceful_fs = __commonJS({
1201
1201
  }
1202
1202
  });
1203
1203
  }
1204
- function WriteStream(path28, options) {
1204
+ function WriteStream(path29, options) {
1205
1205
  if (this instanceof WriteStream)
1206
1206
  return fs$WriteStream.apply(this, arguments), this;
1207
1207
  else
@@ -1219,22 +1219,22 @@ var require_graceful_fs = __commonJS({
1219
1219
  }
1220
1220
  });
1221
1221
  }
1222
- function createReadStream(path28, options) {
1223
- return new fs22.ReadStream(path28, options);
1222
+ function createReadStream(path29, options) {
1223
+ return new fs23.ReadStream(path29, options);
1224
1224
  }
1225
- function createWriteStream(path28, options) {
1226
- return new fs22.WriteStream(path28, options);
1225
+ function createWriteStream(path29, options) {
1226
+ return new fs23.WriteStream(path29, options);
1227
1227
  }
1228
- var fs$open = fs22.open;
1229
- fs22.open = open;
1230
- function open(path28, flags, mode, cb) {
1228
+ var fs$open = fs23.open;
1229
+ fs23.open = open;
1230
+ function open(path29, flags, mode, cb) {
1231
1231
  if (typeof mode === "function")
1232
1232
  cb = mode, mode = null;
1233
- return go$open(path28, flags, mode, cb);
1234
- function go$open(path29, flags2, mode2, cb2, startTime) {
1235
- return fs$open(path29, flags2, mode2, function(err, fd) {
1233
+ return go$open(path29, flags, mode, cb);
1234
+ function go$open(path30, flags2, mode2, cb2, startTime) {
1235
+ return fs$open(path30, flags2, mode2, function(err, fd) {
1236
1236
  if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
1237
- enqueue([go$open, [path29, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
1237
+ enqueue([go$open, [path30, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
1238
1238
  else {
1239
1239
  if (typeof cb2 === "function")
1240
1240
  cb2.apply(this, arguments);
@@ -1242,20 +1242,20 @@ var require_graceful_fs = __commonJS({
1242
1242
  });
1243
1243
  }
1244
1244
  }
1245
- return fs22;
1245
+ return fs23;
1246
1246
  }
1247
1247
  function enqueue(elem) {
1248
1248
  debug("ENQUEUE", elem[0].name, elem[1]);
1249
- fs21[gracefulQueue].push(elem);
1249
+ fs22[gracefulQueue].push(elem);
1250
1250
  retry();
1251
1251
  }
1252
1252
  var retryTimer;
1253
1253
  function resetQueue() {
1254
1254
  var now = Date.now();
1255
- for (var i = 0; i < fs21[gracefulQueue].length; ++i) {
1256
- if (fs21[gracefulQueue][i].length > 2) {
1257
- fs21[gracefulQueue][i][3] = now;
1258
- fs21[gracefulQueue][i][4] = now;
1255
+ for (var i = 0; i < fs22[gracefulQueue].length; ++i) {
1256
+ if (fs22[gracefulQueue][i].length > 2) {
1257
+ fs22[gracefulQueue][i][3] = now;
1258
+ fs22[gracefulQueue][i][4] = now;
1259
1259
  }
1260
1260
  }
1261
1261
  retry();
@@ -1263,9 +1263,9 @@ var require_graceful_fs = __commonJS({
1263
1263
  function retry() {
1264
1264
  clearTimeout(retryTimer);
1265
1265
  retryTimer = void 0;
1266
- if (fs21[gracefulQueue].length === 0)
1266
+ if (fs22[gracefulQueue].length === 0)
1267
1267
  return;
1268
- var elem = fs21[gracefulQueue].shift();
1268
+ var elem = fs22[gracefulQueue].shift();
1269
1269
  var fn = elem[0];
1270
1270
  var args = elem[1];
1271
1271
  var err = elem[2];
@@ -1287,7 +1287,7 @@ var require_graceful_fs = __commonJS({
1287
1287
  debug("RETRY", fn.name, args);
1288
1288
  fn.apply(null, args.concat([startTime]));
1289
1289
  } else {
1290
- fs21[gracefulQueue].push(elem);
1290
+ fs22[gracefulQueue].push(elem);
1291
1291
  }
1292
1292
  }
1293
1293
  if (retryTimer === void 0) {
@@ -1722,10 +1722,10 @@ var require_mtime_precision = __commonJS({
1722
1722
  "../../node_modules/proper-lockfile/lib/mtime-precision.js"(exports, module) {
1723
1723
  "use strict";
1724
1724
  var cacheSymbol = /* @__PURE__ */ Symbol();
1725
- function probe(file, fs21, callback) {
1726
- const cachedPrecision = fs21[cacheSymbol];
1725
+ function probe(file, fs22, callback) {
1726
+ const cachedPrecision = fs22[cacheSymbol];
1727
1727
  if (cachedPrecision) {
1728
- return fs21.stat(file, (err, stat) => {
1728
+ return fs22.stat(file, (err, stat) => {
1729
1729
  if (err) {
1730
1730
  return callback(err);
1731
1731
  }
@@ -1733,16 +1733,16 @@ var require_mtime_precision = __commonJS({
1733
1733
  });
1734
1734
  }
1735
1735
  const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
1736
- fs21.utimes(file, mtime, mtime, (err) => {
1736
+ fs22.utimes(file, mtime, mtime, (err) => {
1737
1737
  if (err) {
1738
1738
  return callback(err);
1739
1739
  }
1740
- fs21.stat(file, (err2, stat) => {
1740
+ fs22.stat(file, (err2, stat) => {
1741
1741
  if (err2) {
1742
1742
  return callback(err2);
1743
1743
  }
1744
1744
  const precision = stat.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
1745
- Object.defineProperty(fs21, cacheSymbol, { value: precision });
1745
+ Object.defineProperty(fs22, cacheSymbol, { value: precision });
1746
1746
  callback(null, stat.mtime, precision);
1747
1747
  });
1748
1748
  });
@@ -1763,8 +1763,8 @@ var require_mtime_precision = __commonJS({
1763
1763
  var require_lockfile = __commonJS({
1764
1764
  "../../node_modules/proper-lockfile/lib/lockfile.js"(exports, module) {
1765
1765
  "use strict";
1766
- var path28 = __require("path");
1767
- var fs21 = require_graceful_fs();
1766
+ var path29 = __require("path");
1767
+ var fs22 = require_graceful_fs();
1768
1768
  var retry = require_retry2();
1769
1769
  var onExit = require_signal_exit();
1770
1770
  var mtimePrecision = require_mtime_precision();
@@ -1774,7 +1774,7 @@ var require_lockfile = __commonJS({
1774
1774
  }
1775
1775
  function resolveCanonicalPath(file, options, callback) {
1776
1776
  if (!options.realpath) {
1777
- return callback(null, path28.resolve(file));
1777
+ return callback(null, path29.resolve(file));
1778
1778
  }
1779
1779
  options.fs.realpath(file, callback);
1780
1780
  }
@@ -1895,7 +1895,7 @@ var require_lockfile = __commonJS({
1895
1895
  update: null,
1896
1896
  realpath: true,
1897
1897
  retries: 0,
1898
- fs: fs21,
1898
+ fs: fs22,
1899
1899
  onCompromised: (err) => {
1900
1900
  throw err;
1901
1901
  },
@@ -1939,7 +1939,7 @@ var require_lockfile = __commonJS({
1939
1939
  }
1940
1940
  function unlock(file, options, callback) {
1941
1941
  options = {
1942
- fs: fs21,
1942
+ fs: fs22,
1943
1943
  realpath: true,
1944
1944
  ...options
1945
1945
  };
@@ -1961,7 +1961,7 @@ var require_lockfile = __commonJS({
1961
1961
  options = {
1962
1962
  stale: 1e4,
1963
1963
  realpath: true,
1964
- fs: fs21,
1964
+ fs: fs22,
1965
1965
  ...options
1966
1966
  };
1967
1967
  options.stale = Math.max(options.stale || 0, 2e3);
@@ -2000,16 +2000,16 @@ var require_lockfile = __commonJS({
2000
2000
  var require_adapter = __commonJS({
2001
2001
  "../../node_modules/proper-lockfile/lib/adapter.js"(exports, module) {
2002
2002
  "use strict";
2003
- var fs21 = require_graceful_fs();
2004
- function createSyncFs(fs22) {
2003
+ var fs22 = require_graceful_fs();
2004
+ function createSyncFs(fs23) {
2005
2005
  const methods = ["mkdir", "realpath", "stat", "rmdir", "utimes"];
2006
- const newFs = { ...fs22 };
2006
+ const newFs = { ...fs23 };
2007
2007
  methods.forEach((method) => {
2008
2008
  newFs[method] = (...args) => {
2009
2009
  const callback = args.pop();
2010
2010
  let ret;
2011
2011
  try {
2012
- ret = fs22[`${method}Sync`](...args);
2012
+ ret = fs23[`${method}Sync`](...args);
2013
2013
  } catch (err) {
2014
2014
  return callback(err);
2015
2015
  }
@@ -2019,12 +2019,12 @@ var require_adapter = __commonJS({
2019
2019
  return newFs;
2020
2020
  }
2021
2021
  function toPromise(method) {
2022
- return (...args) => new Promise((resolve, reject) => {
2022
+ return (...args) => new Promise((resolve2, reject) => {
2023
2023
  args.push((err, result) => {
2024
2024
  if (err) {
2025
2025
  reject(err);
2026
2026
  } else {
2027
- resolve(result);
2027
+ resolve2(result);
2028
2028
  }
2029
2029
  });
2030
2030
  method(...args);
@@ -2047,7 +2047,7 @@ var require_adapter = __commonJS({
2047
2047
  }
2048
2048
  function toSyncOptions(options) {
2049
2049
  options = { ...options };
2050
- options.fs = createSyncFs(options.fs || fs21);
2050
+ options.fs = createSyncFs(options.fs || fs22);
2051
2051
  if (typeof options.retries === "number" && options.retries > 0 || options.retries && typeof options.retries.retries === "number" && options.retries.retries > 0) {
2052
2052
  throw Object.assign(new Error("Cannot use retries with the sync api"), { code: "ESYNC" });
2053
2053
  }
@@ -2989,13 +2989,48 @@ function shouldIgnoreMatch(match, rules) {
2989
2989
  return false;
2990
2990
  }
2991
2991
  function matchesGlob(filePath, pattern) {
2992
- const DOUBLE_STAR = "\0DS\0";
2993
- const SINGLE_STAR = "\0SS\0";
2994
- const QUESTION = "\0QM\0";
2995
- const escaped = pattern.replace(/\*\*/g, DOUBLE_STAR).replace(/\*/g, SINGLE_STAR).replace(/\?/g, QUESTION).replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(DOUBLE_STAR, ".*").replace(SINGLE_STAR, "[^/]*").replace(QUESTION, "[^/]");
2996
- const regex = new RegExp("^" + escaped + "$");
2997
- const prefixRegex = new RegExp("^" + escaped + "/");
2998
- return regex.test(filePath) || prefixRegex.test(filePath);
2992
+ const body = globToRegex(pattern);
2993
+ const exact = new RegExp("^" + body + "$");
2994
+ const prefix = new RegExp("^" + body + "/");
2995
+ return exact.test(filePath) || prefix.test(filePath);
2996
+ }
2997
+ function globToRegex(pattern) {
2998
+ let out = "";
2999
+ let i = 0;
3000
+ while (i < pattern.length) {
3001
+ if (pattern.startsWith("/**/", i)) {
3002
+ out += "/(?:.*/)?";
3003
+ i += 4;
3004
+ continue;
3005
+ }
3006
+ if (i === 0 && pattern.startsWith("**/")) {
3007
+ out += "(?:.*/)?";
3008
+ i += 3;
3009
+ continue;
3010
+ }
3011
+ if (pattern.startsWith("/**", i) && i + 3 === pattern.length) {
3012
+ out += "(?:/.*)?";
3013
+ i += 3;
3014
+ continue;
3015
+ }
3016
+ if (pattern.startsWith("**", i)) {
3017
+ out += ".*";
3018
+ i += 2;
3019
+ continue;
3020
+ }
3021
+ const ch = pattern[i];
3022
+ if (ch === "*") {
3023
+ out += "[^/]*";
3024
+ } else if (ch === "?") {
3025
+ out += "[^/]";
3026
+ } else if (/[.+^${}()|[\]\\]/.test(ch)) {
3027
+ out += "\\" + ch;
3028
+ } else {
3029
+ out += ch;
3030
+ }
3031
+ i++;
3032
+ }
3033
+ return out;
2999
3034
  }
3000
3035
 
3001
3036
  // src/scanner/index.ts
@@ -3554,9 +3589,7 @@ var SchemaValidator = class {
3554
3589
  type,
3555
3590
  required: def.required === true,
3556
3591
  ...typeof def.pattern === "string" ? { pattern: def.pattern } : {},
3557
- ...def.default !== void 0 ? { default: def.default } : {},
3558
- ...typeof def.description === "string" ? { description: def.description } : {},
3559
- ...typeof def.max === "number" ? { max: def.max } : {}
3592
+ ...typeof def.description === "string" ? { description: def.description } : {}
3560
3593
  };
3561
3594
  }
3562
3595
  return { keys };
@@ -3592,12 +3625,6 @@ var SchemaValidator = class {
3592
3625
  message: `Key '${keyName}' must be an integer, got '${value}'.`,
3593
3626
  rule: "type"
3594
3627
  });
3595
- } else if (keyDef.max !== void 0 && num > keyDef.max) {
3596
- warnings.push({
3597
- key: keyName,
3598
- message: `Key '${keyName}' value ${num} exceeds maximum ${keyDef.max}.`,
3599
- rule: "max_exceeded"
3600
- });
3601
3628
  }
3602
3629
  break;
3603
3630
  }
@@ -3643,8 +3670,98 @@ var SchemaValidator = class {
3643
3670
  }
3644
3671
  };
3645
3672
 
3646
- // src/diff/engine.ts
3673
+ // src/schema/writer.ts
3674
+ var import_write_file_atomic2 = __toESM(require_lib());
3675
+ import * as fs9 from "fs";
3647
3676
  import * as path6 from "path";
3677
+ import * as YAML7 from "yaml";
3678
+ function serializeSchema(schema, opts = {}) {
3679
+ const doc = new YAML7.Document();
3680
+ doc.contents = doc.createNode({ keys: orderedKeys(schema.keys) });
3681
+ const body = String(doc);
3682
+ if (!opts.header) return body;
3683
+ const commented = opts.header.split("\n").map((line) => line.length === 0 ? "#" : `# ${line}`).join("\n");
3684
+ return `${commented}
3685
+
3686
+ ${body}`;
3687
+ }
3688
+ function writeSchema(rootDir, relPath, schema, opts = {}) {
3689
+ writeSchemaRaw(rootDir, relPath, serializeSchema(schema, opts));
3690
+ }
3691
+ function writeSchemaRaw(rootDir, relPath, contents) {
3692
+ const normalizedRelPath = path6.normalize(relPath);
3693
+ if (!normalizedRelPath || normalizedRelPath === "." || path6.isAbsolute(normalizedRelPath)) {
3694
+ throw new Error(`Refusing to write schema using an absolute path: ${relPath}`);
3695
+ }
3696
+ const realRoot = fs9.realpathSync(path6.resolve(rootDir));
3697
+ const safePath = path6.resolve(realRoot, normalizedRelPath);
3698
+ const relCandidate = path6.relative(realRoot, safePath);
3699
+ if (relCandidate === ".." || relCandidate.startsWith(`..${path6.sep}`) || path6.isAbsolute(relCandidate)) {
3700
+ throw new Error(`Refusing to write schema outside the repository root: ${relPath}`);
3701
+ }
3702
+ const safeParent = path6.dirname(safePath);
3703
+ fs9.mkdirSync(safeParent, { recursive: true });
3704
+ const canonicalParent = fs9.realpathSync(safeParent);
3705
+ const canonicalTarget = path6.join(canonicalParent, path6.basename(safePath));
3706
+ const relToRoot = path6.relative(realRoot, canonicalTarget);
3707
+ if (relToRoot === ".." || relToRoot.startsWith(`..${path6.sep}`) || path6.isAbsolute(relToRoot)) {
3708
+ throw new Error(`Refusing to write schema outside the repository root: ${relPath}`);
3709
+ }
3710
+ import_write_file_atomic2.default.sync(canonicalTarget, contents);
3711
+ }
3712
+ function emptyTemplate(namespace) {
3713
+ const header = [
3714
+ `Schema for namespace '${namespace}'.`,
3715
+ "",
3716
+ "Declare keys your encrypted files must contain. Each key accepts:",
3717
+ " type: string | integer | boolean",
3718
+ " required: true | false",
3719
+ " pattern: (strings only) regex the value must match",
3720
+ " description: human-readable description",
3721
+ "",
3722
+ "Add keys below, then run `clef lint` to validate."
3723
+ ].join("\n");
3724
+ return serializeSchema({ keys: {} }, { header });
3725
+ }
3726
+ function exampleTemplate(namespace) {
3727
+ const header = [
3728
+ `Schema for namespace '${namespace}'.`,
3729
+ "",
3730
+ "The example below is commented out so `clef lint` passes as-is.",
3731
+ "Uncomment and edit to add your first key, or replace wholesale."
3732
+ ].join("\n");
3733
+ const body = [
3734
+ "keys: {}",
3735
+ "",
3736
+ "# keys:",
3737
+ "# API_KEY:",
3738
+ "# type: string",
3739
+ "# required: true",
3740
+ "# pattern: ^sk_(test|live)_[A-Za-z0-9]+$",
3741
+ "# description: Stripe secret key for server-side calls."
3742
+ ].join("\n");
3743
+ const commentedHeader = header.split("\n").map((line) => line.length === 0 ? "#" : `# ${line}`).join("\n");
3744
+ return `${commentedHeader}
3745
+
3746
+ ${body}
3747
+ `;
3748
+ }
3749
+ function orderedKeys(keys) {
3750
+ const out = {};
3751
+ for (const [name, def] of Object.entries(keys)) {
3752
+ const ordered = {
3753
+ type: def.type,
3754
+ required: def.required
3755
+ };
3756
+ if (def.pattern !== void 0) ordered.pattern = def.pattern;
3757
+ if (def.description !== void 0) ordered.description = def.description;
3758
+ out[name] = ordered;
3759
+ }
3760
+ return out;
3761
+ }
3762
+
3763
+ // src/diff/engine.ts
3764
+ import * as path7 from "path";
3648
3765
  var DiffEngine = class {
3649
3766
  /**
3650
3767
  * Compare two in-memory value maps and produce a sorted diff result.
@@ -3701,11 +3818,11 @@ var DiffEngine = class {
3701
3818
  * @throws {@link SopsDecryptionError} If either file cannot be decrypted.
3702
3819
  */
3703
3820
  async diffFiles(namespace, envA, envB, manifest, sopsClient, repoRoot) {
3704
- const fileA = path6.join(
3821
+ const fileA = path7.join(
3705
3822
  repoRoot,
3706
3823
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envA)
3707
3824
  );
3708
- const fileB = path6.join(
3825
+ const fileB = path7.join(
3709
3826
  repoRoot,
3710
3827
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envB)
3711
3828
  );
@@ -3718,7 +3835,7 @@ var DiffEngine = class {
3718
3835
  };
3719
3836
 
3720
3837
  // src/bulk/ops.ts
3721
- import * as path7 from "path";
3838
+ import * as path8 from "path";
3722
3839
  var BulkOps = class {
3723
3840
  constructor(tx) {
3724
3841
  this.tx = tx;
@@ -3738,7 +3855,7 @@ var BulkOps = class {
3738
3855
  async setAcrossEnvironments(namespace, key, values, manifest, sopsClient, repoRoot) {
3739
3856
  const targets = manifest.environments.filter((env) => env.name in values).map((env) => ({
3740
3857
  env: env.name,
3741
- filePath: path7.join(
3858
+ filePath: path8.join(
3742
3859
  repoRoot,
3743
3860
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
3744
3861
  )
@@ -3746,7 +3863,7 @@ var BulkOps = class {
3746
3863
  if (targets.length === 0) return;
3747
3864
  await this.tx.run(repoRoot, {
3748
3865
  description: `clef set: ${namespace}/${key} across ${targets.length} env(s)`,
3749
- paths: targets.map((t) => path7.relative(repoRoot, t.filePath)),
3866
+ paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
3750
3867
  mutate: async () => {
3751
3868
  for (const target of targets) {
3752
3869
  const decrypted = await sopsClient.decrypt(target.filePath);
@@ -3768,14 +3885,14 @@ var BulkOps = class {
3768
3885
  async deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot) {
3769
3886
  const targets = manifest.environments.map((env) => ({
3770
3887
  env: env.name,
3771
- filePath: path7.join(
3888
+ filePath: path8.join(
3772
3889
  repoRoot,
3773
3890
  manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
3774
3891
  )
3775
3892
  }));
3776
3893
  await this.tx.run(repoRoot, {
3777
3894
  description: `clef delete: ${namespace}/${key} from ${targets.length} env(s)`,
3778
- paths: targets.map((t) => path7.relative(repoRoot, t.filePath)),
3895
+ paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
3779
3896
  mutate: async () => {
3780
3897
  for (const target of targets) {
3781
3898
  const decrypted = await sopsClient.decrypt(target.filePath);
@@ -3807,7 +3924,7 @@ var BulkOps = class {
3807
3924
  }
3808
3925
  await this.tx.run(repoRoot, {
3809
3926
  description: `clef copy: ${key} from ${fromCell.namespace}/${fromCell.environment} to ${toCell.namespace}/${toCell.environment}`,
3810
- paths: [path7.relative(repoRoot, toCell.filePath)],
3927
+ paths: [path8.relative(repoRoot, toCell.filePath)],
3811
3928
  mutate: async () => {
3812
3929
  const dest = await sopsClient.decrypt(toCell.filePath);
3813
3930
  dest.values[key] = source.values[key];
@@ -3818,8 +3935,8 @@ var BulkOps = class {
3818
3935
  };
3819
3936
 
3820
3937
  // src/git/integration.ts
3821
- import * as fs9 from "fs";
3822
- import * as path8 from "path";
3938
+ import * as fs10 from "fs";
3939
+ import * as path9 from "path";
3823
3940
  var PRE_COMMIT_HOOK = `#!/bin/sh
3824
3941
  # Clef pre-commit hook \u2014 blocks commits of files missing SOPS encryption metadata
3825
3942
  # and scans staged files for plaintext secrets.
@@ -3995,17 +4112,17 @@ var GitIntegration = class {
3995
4112
  * @returns The kind of operation in progress, or null if none.
3996
4113
  */
3997
4114
  async isMidOperation(repoRoot) {
3998
- const gitDir = path8.join(repoRoot, ".git");
3999
- if (fs9.existsSync(path8.join(gitDir, "MERGE_HEAD"))) {
4115
+ const gitDir = path9.join(repoRoot, ".git");
4116
+ if (fs10.existsSync(path9.join(gitDir, "MERGE_HEAD"))) {
4000
4117
  return { midOp: true, kind: "merge" };
4001
4118
  }
4002
- if (fs9.existsSync(path8.join(gitDir, "rebase-merge")) || fs9.existsSync(path8.join(gitDir, "rebase-apply"))) {
4119
+ if (fs10.existsSync(path9.join(gitDir, "rebase-merge")) || fs10.existsSync(path9.join(gitDir, "rebase-apply"))) {
4003
4120
  return { midOp: true, kind: "rebase" };
4004
4121
  }
4005
- if (fs9.existsSync(path8.join(gitDir, "CHERRY_PICK_HEAD"))) {
4122
+ if (fs10.existsSync(path9.join(gitDir, "CHERRY_PICK_HEAD"))) {
4006
4123
  return { midOp: true, kind: "cherry-pick" };
4007
4124
  }
4008
- if (fs9.existsSync(path8.join(gitDir, "REVERT_HEAD"))) {
4125
+ if (fs10.existsSync(path9.join(gitDir, "REVERT_HEAD"))) {
4009
4126
  return { midOp: true, kind: "revert" };
4010
4127
  }
4011
4128
  return { midOp: false };
@@ -4181,15 +4298,15 @@ var GitIntegration = class {
4181
4298
  { cwd: repoRoot }
4182
4299
  );
4183
4300
  const metadataGitConfig = metaConfig.exitCode === 0 && metaConfig.stdout.trim().length > 0;
4184
- const attrFilePath = path8.join(repoRoot, ".gitattributes");
4185
- const attrContent = fs9.existsSync(attrFilePath) ? fs9.readFileSync(attrFilePath, "utf-8") : "";
4301
+ const attrFilePath = path9.join(repoRoot, ".gitattributes");
4302
+ const attrContent = fs10.existsSync(attrFilePath) ? fs10.readFileSync(attrFilePath, "utf-8") : "";
4186
4303
  const gitattributes = attrContent.includes("merge=sops");
4187
4304
  const metadataGitattributes = attrContent.includes("merge=clef-metadata");
4188
4305
  return { gitConfig, gitattributes, metadataGitConfig, metadataGitattributes };
4189
4306
  }
4190
4307
  async ensureGitattributes(repoRoot) {
4191
- const attrPath = path8.join(repoRoot, ".gitattributes");
4192
- const existing = fs9.existsSync(attrPath) ? fs9.readFileSync(attrPath, "utf-8") : "";
4308
+ const attrPath = path9.join(repoRoot, ".gitattributes");
4309
+ const existing = fs10.existsSync(attrPath) ? fs10.readFileSync(attrPath, "utf-8") : "";
4193
4310
  let newContent = existing;
4194
4311
  if (!existing.includes("merge=sops")) {
4195
4312
  const block = `# Clef: SOPS-aware merge driver for encrypted files
@@ -4210,7 +4327,7 @@ ${block}` : block;
4210
4327
  }
4211
4328
  if (newContent === existing) return;
4212
4329
  try {
4213
- fs9.writeFileSync(attrPath, newContent, "utf-8");
4330
+ fs10.writeFileSync(attrPath, newContent, "utf-8");
4214
4331
  } catch (err) {
4215
4332
  throw new GitOperationError(`Failed to write .gitattributes: ${err.message}`);
4216
4333
  }
@@ -4223,13 +4340,13 @@ ${block}` : block;
4223
4340
  * @throws {@link GitOperationError} On failure.
4224
4341
  */
4225
4342
  async installPreCommitHook(repoRoot) {
4226
- const hookPath = path8.join(repoRoot, ".git", "hooks", "pre-commit");
4343
+ const hookPath = path9.join(repoRoot, ".git", "hooks", "pre-commit");
4227
4344
  try {
4228
- const hooksDir = path8.dirname(hookPath);
4229
- if (!fs9.existsSync(hooksDir)) {
4230
- fs9.mkdirSync(hooksDir, { recursive: true });
4345
+ const hooksDir = path9.dirname(hookPath);
4346
+ if (!fs10.existsSync(hooksDir)) {
4347
+ fs10.mkdirSync(hooksDir, { recursive: true });
4231
4348
  }
4232
- fs9.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
4349
+ fs10.writeFileSync(hookPath, PRE_COMMIT_HOOK, { mode: 493 });
4233
4350
  } catch (err) {
4234
4351
  throw new GitOperationError(
4235
4352
  `Failed to install pre-commit hook: ${err.message}`,
@@ -4241,8 +4358,8 @@ ${block}` : block;
4241
4358
 
4242
4359
  // src/tx/transaction-manager.ts
4243
4360
  var lockfile = __toESM(require_proper_lockfile());
4244
- import * as fs10 from "fs";
4245
- import * as path9 from "path";
4361
+ import * as fs11 from "fs";
4362
+ import * as path10 from "path";
4246
4363
 
4247
4364
  // src/tx/errors.ts
4248
4365
  var TransactionLockError = class extends Error {
@@ -4290,17 +4407,17 @@ var TransactionManager = class {
4290
4407
  async run(repoRoot, opts) {
4291
4408
  const shouldCommit = opts.commit !== false;
4292
4409
  const allowDirty = opts.allowDirty === true;
4293
- const clefDir = path9.join(repoRoot, CLEF_DIR);
4294
- if (!fs10.existsSync(clefDir)) {
4295
- fs10.mkdirSync(clefDir, { recursive: true });
4410
+ const clefDir = path10.join(repoRoot, CLEF_DIR);
4411
+ if (!fs11.existsSync(clefDir)) {
4412
+ fs11.mkdirSync(clefDir, { recursive: true });
4296
4413
  }
4297
- const clefGitignore = path9.join(clefDir, ".gitignore");
4298
- if (!fs10.existsSync(clefGitignore)) {
4299
- fs10.writeFileSync(clefGitignore, "*\n");
4414
+ const clefGitignore = path10.join(clefDir, ".gitignore");
4415
+ if (!fs11.existsSync(clefGitignore)) {
4416
+ fs11.writeFileSync(clefGitignore, "*\n");
4300
4417
  }
4301
- const lockPath = path9.join(clefDir, LOCK_FILE);
4302
- if (!fs10.existsSync(lockPath)) {
4303
- fs10.writeFileSync(lockPath, "");
4418
+ const lockPath = path10.join(clefDir, LOCK_FILE);
4419
+ if (!fs11.existsSync(lockPath)) {
4420
+ fs11.writeFileSync(lockPath, "");
4304
4421
  }
4305
4422
  let release;
4306
4423
  try {
@@ -4428,19 +4545,19 @@ var TransactionManager = class {
4428
4545
  };
4429
4546
 
4430
4547
  // src/sops/client.ts
4431
- var import_write_file_atomic2 = __toESM(require_lib());
4432
- import * as fs13 from "fs";
4548
+ var import_write_file_atomic3 = __toESM(require_lib());
4549
+ import * as fs14 from "fs";
4433
4550
  import * as net from "net";
4434
4551
  import { randomBytes as randomBytes2 } from "crypto";
4435
- import * as YAML7 from "yaml";
4552
+ import * as YAML8 from "yaml";
4436
4553
 
4437
4554
  // src/sops/resolver.ts
4438
- import * as fs12 from "fs";
4439
- import * as path11 from "path";
4555
+ import * as fs13 from "fs";
4556
+ import * as path12 from "path";
4440
4557
 
4441
4558
  // src/sops/bundled.ts
4442
- import * as fs11 from "fs";
4443
- import * as path10 from "path";
4559
+ import * as fs12 from "fs";
4560
+ import * as path11 from "path";
4444
4561
  function tryBundled() {
4445
4562
  const platform = process.platform;
4446
4563
  const arch = process.arch;
@@ -4452,9 +4569,9 @@ function tryBundled() {
4452
4569
  const binName = platform === "win32" ? "sops.exe" : "sops";
4453
4570
  try {
4454
4571
  const packageMain = __require.resolve(`${packageName}/package.json`);
4455
- const packageDir = path10.dirname(packageMain);
4456
- const binPath = path10.join(packageDir, "bin", binName);
4457
- return fs11.existsSync(binPath) ? binPath : null;
4572
+ const packageDir = path11.dirname(packageMain);
4573
+ const binPath = path11.join(packageDir, "bin", binName);
4574
+ return fs12.existsSync(binPath) ? binPath : null;
4458
4575
  } catch {
4459
4576
  return null;
4460
4577
  }
@@ -4462,7 +4579,7 @@ function tryBundled() {
4462
4579
 
4463
4580
  // src/sops/resolver.ts
4464
4581
  function validateSopsPath(candidate) {
4465
- if (!path11.isAbsolute(candidate)) {
4582
+ if (!path12.isAbsolute(candidate)) {
4466
4583
  throw new Error(`CLEF_SOPS_PATH must be an absolute path, got '${candidate}'.`);
4467
4584
  }
4468
4585
  const segments = candidate.split(/[/\\]/);
@@ -4478,7 +4595,7 @@ function resolveSopsPath() {
4478
4595
  const envPath = process.env.CLEF_SOPS_PATH?.trim();
4479
4596
  if (envPath) {
4480
4597
  validateSopsPath(envPath);
4481
- if (!fs12.existsSync(envPath)) {
4598
+ if (!fs13.existsSync(envPath)) {
4482
4599
  throw new Error(`CLEF_SOPS_PATH points to '${envPath}' but the file does not exist.`);
4483
4600
  }
4484
4601
  cached = { path: envPath, source: "env" };
@@ -4643,7 +4760,7 @@ function formatFromPath(filePath) {
4643
4760
  }
4644
4761
  function openWindowsInputPipe(content) {
4645
4762
  const pipeName = `\\\\.\\pipe\\clef-sops-${randomBytes2(8).toString("hex")}`;
4646
- return new Promise((resolve, reject) => {
4763
+ return new Promise((resolve2, reject) => {
4647
4764
  const server = net.createServer((socket) => {
4648
4765
  socket.write(content, () => {
4649
4766
  socket.destroy();
@@ -4652,7 +4769,7 @@ function openWindowsInputPipe(content) {
4652
4769
  server.maxConnections = 1;
4653
4770
  server.on("error", reject);
4654
4771
  server.listen(pipeName, () => {
4655
- resolve({
4772
+ resolve2({
4656
4773
  inputArg: pipeName,
4657
4774
  cleanup: () => server.close()
4658
4775
  });
@@ -4733,7 +4850,7 @@ var SopsClient = class {
4733
4850
  }
4734
4851
  let parsed;
4735
4852
  try {
4736
- parsed = YAML7.parse(result.stdout) ?? {};
4853
+ parsed = YAML8.parse(result.stdout) ?? {};
4737
4854
  } catch {
4738
4855
  throw new SopsDecryptionError(
4739
4856
  `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -4760,7 +4877,7 @@ var SopsClient = class {
4760
4877
  async encrypt(filePath, values, manifest, environment) {
4761
4878
  await assertSops(this.runner, this.sopsCommand);
4762
4879
  const fmt = formatFromPath(filePath);
4763
- const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML7.stringify(values);
4880
+ const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML8.stringify(values);
4764
4881
  const args = this.buildEncryptArgs(filePath, manifest, environment);
4765
4882
  const env = this.buildSopsEnv();
4766
4883
  let inputArg;
@@ -4808,7 +4925,7 @@ var SopsClient = class {
4808
4925
  );
4809
4926
  }
4810
4927
  try {
4811
- await (0, import_write_file_atomic2.default)(filePath, result.stdout);
4928
+ await (0, import_write_file_atomic3.default)(filePath, result.stdout);
4812
4929
  } catch (err) {
4813
4930
  throw new SopsEncryptionError(
4814
4931
  `Failed to write encrypted data to '${filePath}': ${err.message}`,
@@ -4927,7 +5044,7 @@ var SopsClient = class {
4927
5044
  if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
4928
5045
  let keyContent;
4929
5046
  try {
4930
- keyContent = this.ageKey ?? fs13.readFileSync(this.ageKeyFile, "utf-8");
5047
+ keyContent = this.ageKey ?? fs14.readFileSync(this.ageKeyFile, "utf-8");
4931
5048
  } catch {
4932
5049
  return "key-not-found";
4933
5050
  }
@@ -4944,7 +5061,7 @@ var SopsClient = class {
4944
5061
  parseMetadataFromFile(filePath) {
4945
5062
  let content;
4946
5063
  try {
4947
- content = fs13.readFileSync(filePath, "utf-8");
5064
+ content = fs14.readFileSync(filePath, "utf-8");
4948
5065
  } catch {
4949
5066
  throw new SopsDecryptionError(
4950
5067
  `Could not read file '${filePath}' to extract SOPS metadata.`,
@@ -4953,7 +5070,7 @@ var SopsClient = class {
4953
5070
  }
4954
5071
  let parsed;
4955
5072
  try {
4956
- parsed = YAML7.parse(content);
5073
+ parsed = YAML8.parse(content);
4957
5074
  } catch {
4958
5075
  throw new SopsDecryptionError(
4959
5076
  `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -5078,8 +5195,8 @@ var SopsClient = class {
5078
5195
  };
5079
5196
 
5080
5197
  // src/hsm/bundled.ts
5081
- import * as fs14 from "fs";
5082
- import * as path12 from "path";
5198
+ import * as fs15 from "fs";
5199
+ import * as path13 from "path";
5083
5200
  function tryBundledKeyservice() {
5084
5201
  const platform = process.platform;
5085
5202
  const arch = process.arch;
@@ -5091,19 +5208,19 @@ function tryBundledKeyservice() {
5091
5208
  const binName = "clef-keyservice";
5092
5209
  try {
5093
5210
  const packageMain = __require.resolve(`${packageName}/package.json`);
5094
- const packageDir = path12.dirname(packageMain);
5095
- const binPath = path12.join(packageDir, "bin", binName);
5096
- return fs14.existsSync(binPath) ? binPath : null;
5211
+ const packageDir = path13.dirname(packageMain);
5212
+ const binPath = path13.join(packageDir, "bin", binName);
5213
+ return fs15.existsSync(binPath) ? binPath : null;
5097
5214
  } catch {
5098
5215
  return null;
5099
5216
  }
5100
5217
  }
5101
5218
 
5102
5219
  // src/hsm/resolver.ts
5103
- import * as fs15 from "fs";
5104
- import * as path13 from "path";
5220
+ import * as fs16 from "fs";
5221
+ import * as path14 from "path";
5105
5222
  function validateKeyservicePath(candidate) {
5106
- if (!path13.isAbsolute(candidate)) {
5223
+ if (!path14.isAbsolute(candidate)) {
5107
5224
  throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
5108
5225
  }
5109
5226
  const segments = candidate.split(/[/\\]/);
@@ -5119,7 +5236,7 @@ function resolveKeyservicePath() {
5119
5236
  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
5120
5237
  if (envPath) {
5121
5238
  validateKeyservicePath(envPath);
5122
- if (!fs15.existsSync(envPath)) {
5239
+ if (!fs16.existsSync(envPath)) {
5123
5240
  throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
5124
5241
  }
5125
5242
  cached2 = { path: envPath, source: "env" };
@@ -5167,7 +5284,7 @@ async function spawnKeyservice(options) {
5167
5284
  };
5168
5285
  }
5169
5286
  function readPort(child) {
5170
- return new Promise((resolve, reject) => {
5287
+ return new Promise((resolve2, reject) => {
5171
5288
  let settled = false;
5172
5289
  if (!child.stdout) {
5173
5290
  reject(new Error("Keyservice child has no stdout pipe."));
@@ -5195,7 +5312,7 @@ function readPort(child) {
5195
5312
  if (match && !settled) {
5196
5313
  settled = true;
5197
5314
  settle();
5198
- resolve(parseInt(match[1], 10));
5315
+ resolve2(parseInt(match[1], 10));
5199
5316
  }
5200
5317
  });
5201
5318
  child.on("error", (err) => {
@@ -5215,9 +5332,9 @@ function readPort(child) {
5215
5332
  });
5216
5333
  }
5217
5334
  function killGracefully(child) {
5218
- return new Promise((resolve) => {
5335
+ return new Promise((resolve2) => {
5219
5336
  if (child.exitCode !== null) {
5220
- resolve();
5337
+ resolve2();
5221
5338
  return;
5222
5339
  }
5223
5340
  const timer = setTimeout(() => {
@@ -5225,14 +5342,14 @@ function killGracefully(child) {
5225
5342
  }, SHUTDOWN_TIMEOUT_MS);
5226
5343
  child.on("exit", () => {
5227
5344
  clearTimeout(timer);
5228
- resolve();
5345
+ resolve2();
5229
5346
  });
5230
5347
  child.kill("SIGTERM");
5231
5348
  });
5232
5349
  }
5233
5350
 
5234
5351
  // src/lint/runner.ts
5235
- import * as path14 from "path";
5352
+ import * as path15 from "path";
5236
5353
  var LintRunner = class {
5237
5354
  constructor(matrixManager, schemaValidator, sopsClient) {
5238
5355
  this.matrixManager = matrixManager;
@@ -5335,7 +5452,7 @@ var LintRunner = class {
5335
5452
  }
5336
5453
  const ns = manifest.namespaces.find((n) => n.name === cell.namespace);
5337
5454
  if (ns?.schema) {
5338
- const schemaPath = path14.join(repoRoot, ns.schema);
5455
+ const schemaPath = path15.join(repoRoot, ns.schema);
5339
5456
  try {
5340
5457
  const schema = this.schemaValidator.loadSchema(schemaPath);
5341
5458
  const result = this.schemaValidator.validate(decrypted.values, schema);
@@ -5622,14 +5739,14 @@ Use 'clef exec' to inject secrets directly into a process, or 'clef export --for
5622
5739
  };
5623
5740
 
5624
5741
  // src/import/index.ts
5625
- import * as path16 from "path";
5742
+ import * as path17 from "path";
5626
5743
 
5627
5744
  // src/import/parsers.ts
5628
- import * as path15 from "path";
5629
- import * as YAML8 from "yaml";
5745
+ import * as path16 from "path";
5746
+ import * as YAML9 from "yaml";
5630
5747
  function detectFormat(filePath, content) {
5631
- const base = path15.basename(filePath);
5632
- const ext = path15.extname(filePath).toLowerCase();
5748
+ const base = path16.basename(filePath);
5749
+ const ext = path16.extname(filePath).toLowerCase();
5633
5750
  if (base === ".env" || base.startsWith(".env.")) {
5634
5751
  return "dotenv";
5635
5752
  }
@@ -5650,7 +5767,7 @@ function detectFormat(filePath, content) {
5650
5767
  } catch {
5651
5768
  }
5652
5769
  try {
5653
- const parsed = YAML8.parse(content);
5770
+ const parsed = YAML9.parse(content);
5654
5771
  if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
5655
5772
  return "yaml";
5656
5773
  }
@@ -5731,7 +5848,7 @@ function parseJson(content) {
5731
5848
  function parseYaml(content) {
5732
5849
  let parsed;
5733
5850
  try {
5734
- parsed = YAML8.parse(content);
5851
+ parsed = YAML9.parse(content);
5735
5852
  } catch (err) {
5736
5853
  throw new Error(`Invalid YAML: ${err.message}`);
5737
5854
  }
@@ -5797,7 +5914,7 @@ var ImportRunner = class {
5797
5914
  */
5798
5915
  async import(target, sourcePath, content, manifest, repoRoot, options) {
5799
5916
  const [ns, env] = target.split("/");
5800
- const filePath = path16.join(
5917
+ const filePath = path17.join(
5801
5918
  repoRoot,
5802
5919
  manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
5803
5920
  );
@@ -5849,7 +5966,7 @@ var ImportRunner = class {
5849
5966
  if (imported.length === 0) {
5850
5967
  return { imported, skipped, failed, warnings, dryRun: false };
5851
5968
  }
5852
- const relCellPath = path16.relative(repoRoot, filePath);
5969
+ const relCellPath = path17.relative(repoRoot, filePath);
5853
5970
  const relMetaPath = relCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
5854
5971
  await this.tx.run(repoRoot, {
5855
5972
  description: `clef import ${target}: ${imported.length} key(s)`,
@@ -5868,7 +5985,7 @@ var ImportRunner = class {
5868
5985
  };
5869
5986
 
5870
5987
  // src/recipients/index.ts
5871
- import * as path17 from "path";
5988
+ import * as path18 from "path";
5872
5989
  function parseRecipientEntry(entry) {
5873
5990
  if (typeof entry === "string") {
5874
5991
  return { key: entry };
@@ -5996,7 +6113,7 @@ var RecipientManager = class {
5996
6113
  const reEncryptedFiles = [];
5997
6114
  await this.tx.run(repoRoot, {
5998
6115
  description: environment ? `clef recipients add ${keyPreview(normalizedKey)} -e ${environment}` : `clef recipients add ${keyPreview(normalizedKey)}`,
5999
- paths: [...cells.map((c) => path17.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
6116
+ paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
6000
6117
  mutate: async () => {
6001
6118
  const doc = readManifestYaml(repoRoot);
6002
6119
  const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -6055,7 +6172,7 @@ var RecipientManager = class {
6055
6172
  const reEncryptedFiles = [];
6056
6173
  await this.tx.run(repoRoot, {
6057
6174
  description: environment ? `clef recipients remove ${keyPreview(trimmedKey)} -e ${environment}` : `clef recipients remove ${keyPreview(trimmedKey)}`,
6058
- paths: [...cells.map((c) => path17.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
6175
+ paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
6059
6176
  mutate: async () => {
6060
6177
  const doc = readManifestYaml(repoRoot);
6061
6178
  const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -6084,20 +6201,20 @@ var RecipientManager = class {
6084
6201
  };
6085
6202
 
6086
6203
  // src/recipients/requests.ts
6087
- import * as fs16 from "fs";
6088
- import * as path18 from "path";
6089
- import * as YAML9 from "yaml";
6204
+ import * as fs17 from "fs";
6205
+ import * as path19 from "path";
6206
+ import * as YAML10 from "yaml";
6090
6207
  var REQUESTS_FILENAME = ".clef-requests.yaml";
6091
6208
  var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
6092
6209
  function requestsFilePath(repoRoot) {
6093
- return path18.join(repoRoot, REQUESTS_FILENAME);
6210
+ return path19.join(repoRoot, REQUESTS_FILENAME);
6094
6211
  }
6095
6212
  function loadRequests(repoRoot) {
6096
6213
  const filePath = requestsFilePath(repoRoot);
6097
6214
  try {
6098
- if (!fs16.existsSync(filePath)) return [];
6099
- const content = fs16.readFileSync(filePath, "utf-8");
6100
- const parsed = YAML9.parse(content);
6215
+ if (!fs17.existsSync(filePath)) return [];
6216
+ const content = fs17.readFileSync(filePath, "utf-8");
6217
+ const parsed = YAML10.parse(content);
6101
6218
  if (!parsed || !Array.isArray(parsed.requests)) return [];
6102
6219
  return parsed.requests.map((r) => ({
6103
6220
  key: r.key,
@@ -6113,7 +6230,7 @@ function saveRequests(repoRoot, requests) {
6113
6230
  const filePath = requestsFilePath(repoRoot);
6114
6231
  if (requests.length === 0) {
6115
6232
  try {
6116
- fs16.unlinkSync(filePath);
6233
+ fs17.unlinkSync(filePath);
6117
6234
  } catch {
6118
6235
  }
6119
6236
  return;
@@ -6129,7 +6246,7 @@ function saveRequests(repoRoot, requests) {
6129
6246
  return raw;
6130
6247
  })
6131
6248
  };
6132
- fs16.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
6249
+ fs17.writeFileSync(filePath, HEADER_COMMENT2 + YAML10.stringify(data), "utf-8");
6133
6250
  }
6134
6251
  function upsertRequest(repoRoot, key, label, environment) {
6135
6252
  const requests = loadRequests(repoRoot);
@@ -6165,7 +6282,7 @@ function findInList(requests, identifier) {
6165
6282
  }
6166
6283
 
6167
6284
  // src/drift/detector.ts
6168
- import * as path19 from "path";
6285
+ import * as path20 from "path";
6169
6286
  var DriftDetector = class {
6170
6287
  parser = new ManifestParser();
6171
6288
  matrix = new MatrixManager();
@@ -6178,8 +6295,8 @@ var DriftDetector = class {
6178
6295
  * @returns Drift result with any issues found.
6179
6296
  */
6180
6297
  detect(localRoot, remoteRoot, namespaceFilter) {
6181
- const localManifest = this.parser.parse(path19.join(localRoot, CLEF_MANIFEST_FILENAME));
6182
- const remoteManifest = this.parser.parse(path19.join(remoteRoot, CLEF_MANIFEST_FILENAME));
6298
+ const localManifest = this.parser.parse(path20.join(localRoot, CLEF_MANIFEST_FILENAME));
6299
+ const remoteManifest = this.parser.parse(path20.join(remoteRoot, CLEF_MANIFEST_FILENAME));
6183
6300
  const localCells = this.matrix.resolveMatrix(localManifest, localRoot);
6184
6301
  const remoteCells = this.matrix.resolveMatrix(remoteManifest, remoteRoot);
6185
6302
  const localEnvNames = localManifest.environments.map((e) => e.name);
@@ -6243,7 +6360,7 @@ var DriftDetector = class {
6243
6360
  };
6244
6361
 
6245
6362
  // src/report/generator.ts
6246
- import * as path20 from "path";
6363
+ import * as path21 from "path";
6247
6364
 
6248
6365
  // src/report/sanitizer.ts
6249
6366
  var ReportSanitizer = class {
@@ -6403,7 +6520,7 @@ var ReportGenerator = class {
6403
6520
  let manifest = null;
6404
6521
  try {
6405
6522
  const parser = new ManifestParser();
6406
- manifest = parser.parse(path20.join(repoRoot, "clef.yaml"));
6523
+ manifest = parser.parse(path21.join(repoRoot, "clef.yaml"));
6407
6524
  } catch {
6408
6525
  const emptyManifest = {
6409
6526
  manifestVersion: 0,
@@ -6757,7 +6874,7 @@ var CloudClient = class {
6757
6874
  );
6758
6875
  }
6759
6876
  delay(ms) {
6760
- return new Promise((resolve) => setTimeout(resolve, ms));
6877
+ return new Promise((resolve2) => setTimeout(resolve2, ms));
6761
6878
  }
6762
6879
  };
6763
6880
 
@@ -6882,12 +6999,12 @@ var SopsMergeDriver = class {
6882
6999
  };
6883
7000
 
6884
7001
  // src/merge/metadata-driver.ts
6885
- import * as fs17 from "fs";
6886
- import * as YAML10 from "yaml";
7002
+ import * as fs18 from "fs";
7003
+ import * as YAML11 from "yaml";
6887
7004
  var HEADER_COMMENT3 = "# Managed by Clef. Do not edit manually.\n";
6888
7005
  function parseMetadata(content) {
6889
7006
  try {
6890
- const parsed = YAML10.parse(content);
7007
+ const parsed = YAML11.parse(content);
6891
7008
  if (!parsed || typeof parsed !== "object") return emptyMetadata2();
6892
7009
  const pendingRaw = Array.isArray(parsed.pending) ? parsed.pending : [];
6893
7010
  const pending = pendingRaw.filter(
@@ -6925,7 +7042,7 @@ function serializeMetadata(m) {
6925
7042
  rotation_count: r.rotationCount
6926
7043
  }))
6927
7044
  };
6928
- return HEADER_COMMENT3 + YAML10.stringify(data);
7045
+ return HEADER_COMMENT3 + YAML11.stringify(data);
6929
7046
  }
6930
7047
  function mergeRotations(ours, theirs) {
6931
7048
  const byKey = /* @__PURE__ */ new Map();
@@ -6985,14 +7102,14 @@ function mergeMetadataContents(oursContent, theirsContent) {
6985
7102
  return serializeMetadata({ version: 1, pending, rotations });
6986
7103
  }
6987
7104
  function mergeMetadataFiles(_basePath, oursPath, theirsPath) {
6988
- const oursContent = fs17.existsSync(oursPath) ? fs17.readFileSync(oursPath, "utf-8") : "";
6989
- const theirsContent = fs17.existsSync(theirsPath) ? fs17.readFileSync(theirsPath, "utf-8") : "";
7105
+ const oursContent = fs18.existsSync(oursPath) ? fs18.readFileSync(oursPath, "utf-8") : "";
7106
+ const theirsContent = fs18.existsSync(theirsPath) ? fs18.readFileSync(theirsPath, "utf-8") : "";
6990
7107
  const merged = mergeMetadataContents(oursContent, theirsContent);
6991
- fs17.writeFileSync(oursPath, merged, "utf-8");
7108
+ fs18.writeFileSync(oursPath, merged, "utf-8");
6992
7109
  }
6993
7110
 
6994
7111
  // src/service-identity/manager.ts
6995
- import * as path21 from "path";
7112
+ import * as path22 from "path";
6996
7113
  var ServiceIdentityManager = class {
6997
7114
  constructor(encryption, matrixManager, tx) {
6998
7115
  this.encryption = encryption;
@@ -7007,7 +7124,7 @@ var ServiceIdentityManager = class {
7007
7124
  * to seed TransactionManager.run's `paths` argument.
7008
7125
  */
7009
7126
  txPaths(repoRoot, cells) {
7010
- return [...cells.map((c) => path21.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
7127
+ return [...cells.map((c) => path22.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
7011
7128
  }
7012
7129
  /**
7013
7130
  * Create a new service identity with per-environment age key pairs or KMS envelope config.
@@ -7529,8 +7646,8 @@ var ServiceIdentityManager = class {
7529
7646
  };
7530
7647
 
7531
7648
  // src/structure/manager.ts
7532
- import * as fs18 from "fs";
7533
- import * as path22 from "path";
7649
+ import * as fs19 from "fs";
7650
+ import * as path23 from "path";
7534
7651
  var StructureManager = class {
7535
7652
  constructor(matrixManager, encryption, tx) {
7536
7653
  this.matrixManager = matrixManager;
@@ -7554,15 +7671,15 @@ var StructureManager = class {
7554
7671
  this.assertValidIdentifier("namespace", name);
7555
7672
  const newCellPaths = manifest.environments.map((env) => ({
7556
7673
  environment: env.name,
7557
- filePath: path22.join(
7674
+ filePath: path23.join(
7558
7675
  repoRoot,
7559
7676
  manifest.file_pattern.replace("{namespace}", name).replace("{environment}", env.name)
7560
7677
  )
7561
7678
  }));
7562
7679
  for (const cell of newCellPaths) {
7563
- if (fs18.existsSync(cell.filePath)) {
7680
+ if (fs19.existsSync(cell.filePath)) {
7564
7681
  throw new Error(
7565
- `Cannot add namespace '${name}': file '${path22.relative(repoRoot, cell.filePath)}' already exists.`
7682
+ `Cannot add namespace '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
7566
7683
  );
7567
7684
  }
7568
7685
  }
@@ -7581,7 +7698,7 @@ var StructureManager = class {
7581
7698
  await this.tx.run(repoRoot, {
7582
7699
  description: `clef namespace add ${name}`,
7583
7700
  paths: [
7584
- ...newCellPaths.map((c) => path22.relative(repoRoot, c.filePath)),
7701
+ ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
7585
7702
  CLEF_MANIFEST_FILENAME
7586
7703
  ],
7587
7704
  mutate: async () => {
@@ -7626,15 +7743,15 @@ var StructureManager = class {
7626
7743
  this.assertValidIdentifier("environment", name);
7627
7744
  const newCellPaths = manifest.namespaces.map((ns) => ({
7628
7745
  namespace: ns.name,
7629
- filePath: path22.join(
7746
+ filePath: path23.join(
7630
7747
  repoRoot,
7631
7748
  manifest.file_pattern.replace("{namespace}", ns.name).replace("{environment}", name)
7632
7749
  )
7633
7750
  }));
7634
7751
  for (const cell of newCellPaths) {
7635
- if (fs18.existsSync(cell.filePath)) {
7752
+ if (fs19.existsSync(cell.filePath)) {
7636
7753
  throw new Error(
7637
- `Cannot add environment '${name}': file '${path22.relative(repoRoot, cell.filePath)}' already exists.`
7754
+ `Cannot add environment '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
7638
7755
  );
7639
7756
  }
7640
7757
  }
@@ -7653,7 +7770,7 @@ var StructureManager = class {
7653
7770
  await this.tx.run(repoRoot, {
7654
7771
  description: `clef env add ${name}`,
7655
7772
  paths: [
7656
- ...newCellPaths.map((c) => path22.relative(repoRoot, c.filePath)),
7773
+ ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
7657
7774
  CLEF_MANIFEST_FILENAME
7658
7775
  ],
7659
7776
  mutate: async () => {
@@ -7716,7 +7833,7 @@ var StructureManager = class {
7716
7833
  paths: this.deletePaths(repoRoot, cellsToDelete),
7717
7834
  mutate: async () => {
7718
7835
  for (const cell of cellsToDelete) {
7719
- fs18.unlinkSync(cell.filePath);
7836
+ fs19.unlinkSync(cell.filePath);
7720
7837
  this.unlinkMetaSibling(cell.filePath);
7721
7838
  }
7722
7839
  const doc = readManifestYaml(repoRoot);
@@ -7766,7 +7883,7 @@ var StructureManager = class {
7766
7883
  paths: this.deletePaths(repoRoot, cellsToDelete),
7767
7884
  mutate: async () => {
7768
7885
  for (const cell of cellsToDelete) {
7769
- fs18.unlinkSync(cell.filePath);
7886
+ fs19.unlinkSync(cell.filePath);
7770
7887
  this.unlinkMetaSibling(cell.filePath);
7771
7888
  }
7772
7889
  const doc = readManifestYaml(repoRoot);
@@ -7808,9 +7925,9 @@ var StructureManager = class {
7808
7925
  const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "namespace") : [];
7809
7926
  if (isRename) {
7810
7927
  for (const pair of renamePairs) {
7811
- if (fs18.existsSync(pair.to)) {
7928
+ if (fs19.existsSync(pair.to)) {
7812
7929
  throw new Error(
7813
- `Rename target '${path22.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
7930
+ `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
7814
7931
  );
7815
7932
  }
7816
7933
  }
@@ -7851,9 +7968,9 @@ var StructureManager = class {
7851
7968
  const renamePairs = isRename ? this.collectRenamePairs(manifest, repoRoot, name, opts.rename, "environment") : [];
7852
7969
  if (isRename) {
7853
7970
  for (const pair of renamePairs) {
7854
- if (fs18.existsSync(pair.to)) {
7971
+ if (fs19.existsSync(pair.to)) {
7855
7972
  throw new Error(
7856
- `Rename target '${path22.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
7973
+ `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
7857
7974
  );
7858
7975
  }
7859
7976
  }
@@ -7888,7 +8005,7 @@ var StructureManager = class {
7888
8005
  const newCellPath = this.swapAxisInCellPath(repoRoot, manifest, cell, axis, newName);
7889
8006
  pairs.push({ from: cell.filePath, to: newCellPath });
7890
8007
  const oldMeta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
7891
- if (fs18.existsSync(oldMeta)) {
8008
+ if (fs19.existsSync(oldMeta)) {
7892
8009
  const newMeta = newCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
7893
8010
  pairs.push({ from: oldMeta, to: newMeta });
7894
8011
  }
@@ -7903,7 +8020,7 @@ var StructureManager = class {
7903
8020
  swapAxisInCellPath(repoRoot, manifest, cell, axis, newName) {
7904
8021
  const ns = axis === "namespace" ? newName : cell.namespace;
7905
8022
  const env = axis === "environment" ? newName : cell.environment;
7906
- return path22.join(
8023
+ return path23.join(
7907
8024
  repoRoot,
7908
8025
  manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
7909
8026
  );
@@ -7915,8 +8032,8 @@ var StructureManager = class {
7915
8032
  txPaths(repoRoot, renamePairs) {
7916
8033
  const paths = /* @__PURE__ */ new Set();
7917
8034
  for (const pair of renamePairs) {
7918
- paths.add(path22.relative(repoRoot, pair.from));
7919
- paths.add(path22.relative(repoRoot, pair.to));
8035
+ paths.add(path23.relative(repoRoot, pair.from));
8036
+ paths.add(path23.relative(repoRoot, pair.to));
7920
8037
  }
7921
8038
  paths.add(CLEF_MANIFEST_FILENAME);
7922
8039
  return [...paths];
@@ -7927,11 +8044,11 @@ var StructureManager = class {
7927
8044
  */
7928
8045
  applyRenames(pairs) {
7929
8046
  for (const pair of pairs) {
7930
- const targetDir = path22.dirname(pair.to);
7931
- if (!fs18.existsSync(targetDir)) {
7932
- fs18.mkdirSync(targetDir, { recursive: true });
8047
+ const targetDir = path23.dirname(pair.to);
8048
+ if (!fs19.existsSync(targetDir)) {
8049
+ fs19.mkdirSync(targetDir, { recursive: true });
7933
8050
  }
7934
- fs18.renameSync(pair.from, pair.to);
8051
+ fs19.renameSync(pair.from, pair.to);
7935
8052
  }
7936
8053
  }
7937
8054
  /**
@@ -7942,10 +8059,10 @@ var StructureManager = class {
7942
8059
  deletePaths(repoRoot, cells) {
7943
8060
  const paths = /* @__PURE__ */ new Set();
7944
8061
  for (const cell of cells) {
7945
- paths.add(path22.relative(repoRoot, cell.filePath));
8062
+ paths.add(path23.relative(repoRoot, cell.filePath));
7946
8063
  const meta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
7947
- if (fs18.existsSync(meta)) {
7948
- paths.add(path22.relative(repoRoot, meta));
8064
+ if (fs19.existsSync(meta)) {
8065
+ paths.add(path23.relative(repoRoot, meta));
7949
8066
  }
7950
8067
  }
7951
8068
  paths.add(CLEF_MANIFEST_FILENAME);
@@ -7958,8 +8075,8 @@ var StructureManager = class {
7958
8075
  */
7959
8076
  unlinkMetaSibling(cellPath) {
7960
8077
  const meta = cellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
7961
- if (fs18.existsSync(meta)) {
7962
- fs18.unlinkSync(meta);
8078
+ if (fs19.existsSync(meta)) {
8079
+ fs19.unlinkSync(meta);
7963
8080
  }
7964
8081
  }
7965
8082
  /**
@@ -8101,24 +8218,24 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
8101
8218
  }
8102
8219
 
8103
8220
  // src/artifact/packer.ts
8104
- import * as crypto3 from "crypto";
8221
+ import * as crypto4 from "crypto";
8105
8222
 
8106
8223
  // src/artifact/output.ts
8107
- import * as fs19 from "fs";
8108
- import * as path23 from "path";
8224
+ import * as fs20 from "fs";
8225
+ import * as path24 from "path";
8109
8226
  var FilePackOutput = class {
8110
8227
  constructor(outputPath) {
8111
8228
  this.outputPath = outputPath;
8112
8229
  }
8113
8230
  outputPath;
8114
8231
  async write(_artifact, json) {
8115
- const outputDir = path23.dirname(this.outputPath);
8116
- if (!fs19.existsSync(outputDir)) {
8117
- fs19.mkdirSync(outputDir, { recursive: true });
8232
+ const outputDir = path24.dirname(this.outputPath);
8233
+ if (!fs20.existsSync(outputDir)) {
8234
+ fs20.mkdirSync(outputDir, { recursive: true });
8118
8235
  }
8119
8236
  const tmpOutput = `${this.outputPath}.tmp.${process.pid}`;
8120
- fs19.writeFileSync(tmpOutput, json, "utf-8");
8121
- fs19.renameSync(tmpOutput, this.outputPath);
8237
+ fs20.writeFileSync(tmpOutput, json, "utf-8");
8238
+ fs20.renameSync(tmpOutput, this.outputPath);
8122
8239
  }
8123
8240
  };
8124
8241
  var MemoryPackOutput = class {
@@ -8217,6 +8334,12 @@ function detectAlgorithm(publicKeyBase64) {
8217
8334
  throw new Error(`Unsupported key type: ${keyType}`);
8218
8335
  }
8219
8336
 
8337
+ // src/artifact/hash.ts
8338
+ import * as crypto3 from "crypto";
8339
+ function computeCiphertextHash(ciphertext) {
8340
+ return crypto3.createHash("sha256").update(ciphertext).digest("hex");
8341
+ }
8342
+
8220
8343
  // src/artifact/packer.ts
8221
8344
  var ArtifactPacker = class {
8222
8345
  constructor(encryption, matrixManager, kms) {
@@ -8252,10 +8375,10 @@ var ArtifactPacker = class {
8252
8375
  if (!this.kms) {
8253
8376
  throw new Error("KMS provider required for envelope encryption but none was provided.");
8254
8377
  }
8255
- const dek = crypto3.randomBytes(32);
8256
- const iv = crypto3.randomBytes(12);
8378
+ const dek = crypto4.randomBytes(32);
8379
+ const iv = crypto4.randomBytes(12);
8257
8380
  try {
8258
- const cipher = crypto3.createCipheriv("aes-256-gcm", dek, iv);
8381
+ const cipher = crypto4.createCipheriv("aes-256-gcm", dek, iv);
8259
8382
  const ciphertextBuf = Buffer.concat([
8260
8383
  cipher.update(Buffer.from(plaintext, "utf-8")),
8261
8384
  cipher.final()
@@ -8264,8 +8387,8 @@ var ArtifactPacker = class {
8264
8387
  ciphertext = ciphertextBuf.toString("base64");
8265
8388
  const kmsConfig = resolved.envConfig.kms;
8266
8389
  const wrapped = await this.kms.wrap(kmsConfig.keyId, dek);
8267
- const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
8268
- const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
8390
+ const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
8391
+ const ciphertextHash = computeCiphertextHash(ciphertext);
8269
8392
  artifact = {
8270
8393
  version: 1,
8271
8394
  identity: config.identity,
@@ -8298,8 +8421,8 @@ var ArtifactPacker = class {
8298
8421
  `Failed to age-encrypt artifact: ${err instanceof Error ? err.message : String(err)}`
8299
8422
  );
8300
8423
  }
8301
- const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
8302
- const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
8424
+ const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
8425
+ const ciphertextHash = computeCiphertextHash(ciphertext);
8303
8426
  artifact = {
8304
8427
  version: 1,
8305
8428
  identity: config.identity,
@@ -8413,6 +8536,156 @@ function assertPackedArtifact(x, context) {
8413
8536
  }
8414
8537
  }
8415
8538
 
8539
+ // src/envelope-debug/builders.ts
8540
+ function buildInspectError(source, code, message) {
8541
+ return {
8542
+ source,
8543
+ version: null,
8544
+ identity: null,
8545
+ environment: null,
8546
+ packedAt: null,
8547
+ packedAtAgeMs: null,
8548
+ revision: null,
8549
+ ciphertextHash: null,
8550
+ ciphertextHashVerified: null,
8551
+ ciphertextBytes: null,
8552
+ expiresAt: null,
8553
+ expired: null,
8554
+ revokedAt: null,
8555
+ revoked: null,
8556
+ envelope: null,
8557
+ signature: { present: false, algorithm: null, verified: null },
8558
+ error: { code, message }
8559
+ };
8560
+ }
8561
+ function buildInspectResult(source, artifact, hashOk, now = Date.now()) {
8562
+ const expiresAt = artifact.expiresAt ?? null;
8563
+ const revokedAt = artifact.revokedAt ?? null;
8564
+ const env = artifact.envelope;
8565
+ return {
8566
+ source,
8567
+ version: artifact.version,
8568
+ identity: artifact.identity,
8569
+ environment: artifact.environment,
8570
+ packedAt: artifact.packedAt,
8571
+ packedAtAgeMs: now - new Date(artifact.packedAt).getTime(),
8572
+ revision: artifact.revision,
8573
+ ciphertextHash: artifact.ciphertextHash,
8574
+ ciphertextHashVerified: hashOk,
8575
+ ciphertextBytes: Buffer.byteLength(artifact.ciphertext, "base64"),
8576
+ expiresAt,
8577
+ expired: expiresAt ? new Date(expiresAt).getTime() < now : null,
8578
+ revokedAt,
8579
+ revoked: revokedAt !== null,
8580
+ envelope: env ? {
8581
+ provider: env.provider,
8582
+ kms: {
8583
+ provider: env.provider,
8584
+ keyId: env.keyId,
8585
+ algorithm: env.algorithm
8586
+ }
8587
+ } : { provider: "age", kms: null },
8588
+ signature: {
8589
+ present: typeof artifact.signature === "string",
8590
+ algorithm: artifact.signatureAlgorithm ?? null,
8591
+ verified: null
8592
+ },
8593
+ error: null
8594
+ };
8595
+ }
8596
+ function buildVerifyError(source, code, message) {
8597
+ return {
8598
+ source,
8599
+ checks: {
8600
+ hash: { status: "skipped" },
8601
+ signature: { status: "absent", algorithm: null },
8602
+ expiry: { status: "absent", expiresAt: null },
8603
+ revocation: { status: "absent", revokedAt: null }
8604
+ },
8605
+ overall: "fail",
8606
+ error: { code, message }
8607
+ };
8608
+ }
8609
+ function buildVerifyResult(source, inputs) {
8610
+ const hashFailed = inputs.hash === "mismatch";
8611
+ const signatureFailed = inputs.signature.status === "invalid";
8612
+ const overall = hashFailed || signatureFailed ? "fail" : "pass";
8613
+ return {
8614
+ source,
8615
+ checks: {
8616
+ hash: { status: inputs.hash },
8617
+ signature: inputs.signature,
8618
+ expiry: inputs.expiry,
8619
+ revocation: inputs.revocation
8620
+ },
8621
+ overall,
8622
+ error: null
8623
+ };
8624
+ }
8625
+ function buildDecryptError(source, code, message) {
8626
+ return {
8627
+ source,
8628
+ status: "error",
8629
+ error: { code, message },
8630
+ revealed: false,
8631
+ keys: [],
8632
+ values: null
8633
+ };
8634
+ }
8635
+ function buildDecryptResult(source, inputs) {
8636
+ let values = null;
8637
+ if (inputs.allValues) {
8638
+ values = inputs.allValues;
8639
+ } else if (inputs.singleKey) {
8640
+ values = { [inputs.singleKey.name]: inputs.singleKey.value };
8641
+ }
8642
+ return {
8643
+ source,
8644
+ status: "ok",
8645
+ error: null,
8646
+ revealed: values !== null,
8647
+ keys: [...inputs.keys].sort(),
8648
+ values
8649
+ };
8650
+ }
8651
+
8652
+ // src/envelope-debug/warnings.ts
8653
+ var WARNING_TAIL = "Shell history, terminal scrollback, and any attached logging (tmux capture-pane, CI log collectors, screen-recording) may retain it. Proceed only if this terminal and its upstream captures are trusted.";
8654
+ var REVEAL_WARNING = `WARNING: plaintext will be printed to stdout. ${WARNING_TAIL}`;
8655
+ function formatRevealWarning(key) {
8656
+ if (!key) return REVEAL_WARNING;
8657
+ return `WARNING: value for key "${key}" will be printed to stdout. ${WARNING_TAIL}`;
8658
+ }
8659
+
8660
+ // src/envelope-debug/signer-key.ts
8661
+ import * as crypto5 from "crypto";
8662
+ function parseSignerKey(input) {
8663
+ const trimmed = input.trim();
8664
+ if (trimmed.startsWith("-----BEGIN")) {
8665
+ return pemToBase64Der(trimmed);
8666
+ }
8667
+ try {
8668
+ const key = crypto5.createPublicKey({
8669
+ key: Buffer.from(trimmed, "base64"),
8670
+ format: "der",
8671
+ type: "spki"
8672
+ });
8673
+ return key.export({ type: "spki", format: "der" }).toString("base64");
8674
+ } catch (err) {
8675
+ throw new Error(
8676
+ `signer key could not be parsed as PEM or a base64 DER SPKI key: ${err.message}`
8677
+ );
8678
+ }
8679
+ }
8680
+ function pemToBase64Der(pem) {
8681
+ try {
8682
+ const key = crypto5.createPublicKey({ key: pem, format: "pem" });
8683
+ return key.export({ type: "spki", format: "der" }).toString("base64");
8684
+ } catch (err) {
8685
+ throw new Error(`signer key PEM is invalid: ${err.message}`);
8686
+ }
8687
+ }
8688
+
8416
8689
  // src/pack/registry.ts
8417
8690
  var PackBackendRegistry = class {
8418
8691
  factories = /* @__PURE__ */ new Map();
@@ -8500,8 +8773,8 @@ var JsonEnvelopeBackend = class {
8500
8773
  var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
8501
8774
 
8502
8775
  // src/migration/backend.ts
8503
- import * as path24 from "path";
8504
- import * as YAML11 from "yaml";
8776
+ import * as path25 from "path";
8777
+ import * as YAML12 from "yaml";
8505
8778
  var BACKEND_KEY_FIELDS = {
8506
8779
  age: void 0,
8507
8780
  awskms: "aws_kms_arn",
@@ -8620,14 +8893,14 @@ var BackendMigrator = class {
8620
8893
  await this.tx.run(repoRoot, {
8621
8894
  description: environment ? `clef migrate-backend ${target.backend}: ${environment}` : `clef migrate-backend ${target.backend}`,
8622
8895
  paths: [
8623
- ...toMigrate.map((c) => path24.relative(repoRoot, c.filePath)),
8896
+ ...toMigrate.map((c) => path25.relative(repoRoot, c.filePath)),
8624
8897
  CLEF_MANIFEST_FILENAME
8625
8898
  ],
8626
8899
  mutate: async () => {
8627
8900
  const doc = readManifestYaml(repoRoot);
8628
8901
  this.updateManifestDoc(doc, target, environment);
8629
8902
  writeManifestYaml(repoRoot, doc);
8630
- const updatedManifest = YAML11.parse(YAML11.stringify(doc));
8903
+ const updatedManifest = YAML12.parse(YAML12.stringify(doc));
8631
8904
  for (const cell of toMigrate) {
8632
8905
  onProgress?.({
8633
8906
  type: "migrate",
@@ -8718,7 +8991,7 @@ var BackendMigrator = class {
8718
8991
  };
8719
8992
 
8720
8993
  // src/reset/manager.ts
8721
- import * as path25 from "path";
8994
+ import * as path26 from "path";
8722
8995
  var ResetManager = class {
8723
8996
  constructor(matrixManager, encryption, schemaValidator, tx) {
8724
8997
  this.matrixManager = matrixManager;
@@ -8747,11 +9020,11 @@ var ResetManager = class {
8747
9020
  txPaths.push(CLEF_MANIFEST_FILENAME);
8748
9021
  }
8749
9022
  for (const cell of targetCells) {
8750
- txPaths.push(path25.relative(repoRoot, cell.filePath));
9023
+ txPaths.push(path26.relative(repoRoot, cell.filePath));
8751
9024
  const cellKeys = keyPlan.get(cell.namespace) ?? [];
8752
9025
  if (cellKeys.length > 0) {
8753
9026
  txPaths.push(
8754
- path25.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
9027
+ path26.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
8755
9028
  );
8756
9029
  }
8757
9030
  }
@@ -8839,7 +9112,7 @@ var ResetManager = class {
8839
9112
  for (const namespace of namespaces) {
8840
9113
  const nsDef = manifest.namespaces.find((n) => n.name === namespace);
8841
9114
  if (nsDef?.schema) {
8842
- const schema = this.schemaValidator.loadSchema(path25.join(repoRoot, nsDef.schema));
9115
+ const schema = this.schemaValidator.loadSchema(path26.join(repoRoot, nsDef.schema));
8843
9116
  plan.set(namespace, Object.keys(schema.keys));
8844
9117
  continue;
8845
9118
  }
@@ -8918,7 +9191,7 @@ function withBackendOverride(manifest, envNames, backend, key) {
8918
9191
  }
8919
9192
 
8920
9193
  // src/sync/manager.ts
8921
- import * as path26 from "path";
9194
+ import * as path27 from "path";
8922
9195
  var SyncManager = class {
8923
9196
  constructor(matrixManager, encryption, tx) {
8924
9197
  this.matrixManager = matrixManager;
@@ -8990,7 +9263,7 @@ var SyncManager = class {
8990
9263
  }
8991
9264
  const txPaths = [];
8992
9265
  for (const cell of syncPlan.cells) {
8993
- const rel = path26.relative(repoRoot, cell.filePath);
9266
+ const rel = path27.relative(repoRoot, cell.filePath);
8994
9267
  txPaths.push(rel);
8995
9268
  txPaths.push(rel.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"));
8996
9269
  }
@@ -9029,8 +9302,8 @@ var SyncManager = class {
9029
9302
  };
9030
9303
 
9031
9304
  // src/policy/parser.ts
9032
- import * as fs20 from "fs";
9033
- import * as YAML12 from "yaml";
9305
+ import * as fs21 from "fs";
9306
+ import * as YAML13 from "yaml";
9034
9307
 
9035
9308
  // src/policy/types.ts
9036
9309
  var DEFAULT_POLICY = Object.freeze({
@@ -9051,7 +9324,7 @@ var PolicyParser = class {
9051
9324
  parse(filePath) {
9052
9325
  let raw;
9053
9326
  try {
9054
- raw = fs20.readFileSync(filePath, "utf-8");
9327
+ raw = fs21.readFileSync(filePath, "utf-8");
9055
9328
  } catch {
9056
9329
  throw new PolicyValidationError(`Could not read policy file at '${filePath}'.`);
9057
9330
  }
@@ -9066,7 +9339,7 @@ var PolicyParser = class {
9066
9339
  parseContent(content) {
9067
9340
  let parsed;
9068
9341
  try {
9069
- parsed = YAML12.parse(content);
9342
+ parsed = YAML13.parse(content);
9070
9343
  } catch {
9071
9344
  throw new PolicyValidationError(
9072
9345
  "Policy file contains invalid YAML. Check for syntax errors."
@@ -9079,7 +9352,7 @@ var PolicyParser = class {
9079
9352
  * not exist. Any other read or validation error throws.
9080
9353
  */
9081
9354
  load(filePath) {
9082
- if (!fs20.existsSync(filePath)) return DEFAULT_POLICY;
9355
+ if (!fs21.existsSync(filePath)) return DEFAULT_POLICY;
9083
9356
  return this.parse(filePath);
9084
9357
  }
9085
9358
  validate(raw) {
@@ -9273,13 +9546,13 @@ var ComplianceGenerator = class {
9273
9546
  };
9274
9547
 
9275
9548
  // src/compliance/run.ts
9276
- import * as path27 from "path";
9549
+ import * as path28 from "path";
9277
9550
  var UNKNOWN = "unknown";
9278
9551
  async function runCompliance(opts) {
9279
9552
  const start = Date.now();
9280
9553
  const repoRoot = opts.repoRoot ?? process.cwd();
9281
- const manifestPath = opts.manifestPath ?? path27.join(repoRoot, "clef.yaml");
9282
- const policyPath = opts.policyPath ?? path27.join(repoRoot, CLEF_POLICY_FILENAME);
9554
+ const manifestPath = opts.manifestPath ?? path28.join(repoRoot, "clef.yaml");
9555
+ const policyPath = opts.policyPath ?? path28.join(repoRoot, CLEF_POLICY_FILENAME);
9283
9556
  const include = {
9284
9557
  scan: opts.include?.scan ?? true,
9285
9558
  lint: opts.include?.lint ?? true,
@@ -9325,7 +9598,7 @@ async function evaluateMatrix(args) {
9325
9598
  return Promise.all(
9326
9599
  cells.map(async (cell) => {
9327
9600
  const metadata = await args.sopsClient.getMetadata(cell.filePath);
9328
- const relPath = path27.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
9601
+ const relPath = path28.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
9329
9602
  const keys = readSopsKeyNames(cell.filePath) ?? [];
9330
9603
  const rotations = await getRotations(cell.filePath);
9331
9604
  return evaluator.evaluateFile(relPath, cell.environment, metadata, keys, rotations, args.now);
@@ -9416,6 +9689,7 @@ export {
9416
9689
  PolicyValidationError,
9417
9690
  REQUESTS_FILENAME,
9418
9691
  REQUIREMENTS,
9692
+ REVEAL_WARNING,
9419
9693
  RecipientManager,
9420
9694
  ReportGenerator,
9421
9695
  ReportSanitizer,
@@ -9441,16 +9715,26 @@ export {
9441
9715
  VALID_KMS_PROVIDERS,
9442
9716
  assertPackedArtifact,
9443
9717
  assertSops,
9718
+ buildDecryptError,
9719
+ buildDecryptResult,
9720
+ buildInspectError,
9721
+ buildInspectResult,
9444
9722
  buildSigningPayload,
9723
+ buildVerifyError,
9724
+ buildVerifyResult,
9445
9725
  checkAll,
9446
9726
  checkDependency,
9447
9727
  collectCIContext,
9728
+ computeCiphertextHash,
9448
9729
  deriveAgePublicKey,
9449
9730
  describeScope,
9450
9731
  detectAlgorithm,
9451
9732
  detectFormat,
9733
+ emptyTemplate,
9734
+ exampleTemplate,
9452
9735
  findRequest,
9453
9736
  formatAgeKeyFile,
9737
+ formatRevealWarning,
9454
9738
  generateAgeIdentity,
9455
9739
  generateRandomValue,
9456
9740
  generateSigningKeyPair,
@@ -9476,6 +9760,7 @@ export {
9476
9760
  parseDotenv,
9477
9761
  parseIgnoreContent,
9478
9762
  parseJson,
9763
+ parseSignerKey,
9479
9764
  parseYaml,
9480
9765
  pkcs11UriToSyntheticArn,
9481
9766
  readManifestYaml,
@@ -9494,6 +9779,7 @@ export {
9494
9779
  runCompliance,
9495
9780
  saveMetadata,
9496
9781
  saveRequests,
9782
+ serializeSchema,
9497
9783
  shannonEntropy,
9498
9784
  shouldIgnoreFile,
9499
9785
  shouldIgnoreMatch,
@@ -9508,6 +9794,8 @@ export {
9508
9794
  validateResetScope,
9509
9795
  verifySignature,
9510
9796
  writeManifestYaml,
9511
- writeManifestYamlRaw
9797
+ writeManifestYamlRaw,
9798
+ writeSchema,
9799
+ writeSchemaRaw
9512
9800
  };
9513
9801
  //# sourceMappingURL=index.mjs.map