@clef-sh/core 0.1.23 → 0.1.24-beta.169

package/dist/artifact/packer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAMjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAiI9F"}
+{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAMjE;;;;;;GAMG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA0I9F"}

package/dist/artifact/resolve.d.ts

@@ -1,9 +1,13 @@
 import { ClefManifest, EncryptionBackend, ServiceIdentityDefinition, ServiceIdentityEnvironmentConfig } from "../types";
 import { MatrixManager } from "../matrix/manager";
-/** Resolved identity secrets: merged key/value map plus metadata. */
+/** Resolved identity secrets: namespace → key → value, plus metadata. */
 export interface ResolvedSecrets {
-    /** Flat key/value map (namespace-prefixed if multi-namespace). */
-    values: Record<string, string>;
+    /**
+     * Nested map keyed by namespace, then by key name. The on-the-wire ciphertext
+     * payload uses this exact shape — namespace structure stays inside the
+     * encrypted blob, never in clear metadata.
+     */
+    values: Record<string, Record<string, string>>;
     /** The matched service identity definition. */
     identity: ServiceIdentityDefinition;
     /** Age public key for the target environment (undefined for KMS identities). */

package/dist/artifact/resolve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/artifact/resolve.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,yBAAyB,EACzB,gCAAgC,EACjC,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,qEAAqE;AACrE,MAAM,WAAW,eAAe;IAC9B,kEAAkE;IAClE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,+CAA+C;IAC/C,QAAQ,EAAE,yBAAyB,CAAC;IACpC,gFAAgF;IAChF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,SAAS,EAAE,gCAAgC,CAAC;CAC7C;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC,eAAe,CAAC,CA+C1B"}
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/artifact/resolve.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,yBAAyB,EACzB,gCAAgC,EACjC,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,yEAAyE;AACzE,MAAM,WAAW,eAAe;IAC9B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/C,+CAA+C;IAC/C,QAAQ,EAAE,yBAAyB,CAAC;IACpC,gFAAgF;IAChF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,SAAS,EAAE,gCAAgC,CAAC;CAC7C;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC,eAAe,CAAC,CA0C1B"}

package/dist/git/integration.d.ts

@@ -117,6 +117,23 @@ export declare class GitIntegration {
      * @throws {@link GitOperationError} On failure.
      */
     getDiff(repoRoot: string): Promise<string>;
+    /**
+     * Of the given paths, return those that exist on disk but are untracked by git.
+     *
+     * Used by {@link TransactionManager} to refuse mutations whose declared paths
+     * include untracked-but-existing files. Rollback uses `git reset --hard` to
+     * restore content, which can only restore files that exist in a commit. An
+     * untracked file in the declared paths would be silently destroyed by the
+     * rollback's `git clean` — so we refuse upfront.
+     *
+     * @param repoRoot - Working directory for the git command.
+     * @param paths - Paths to check (relative to repoRoot).
+     * @returns Subset of `paths` that are untracked. Non-existent paths are
+     *          excluded; tracked paths are excluded; directories are reported by
+     *          their porcelain entry (with trailing slash if untracked-as-dir).
+     * @throws {@link GitOperationError} On failure.
+     */
+    getUntrackedAmongPaths(repoRoot: string, paths: string[]): Promise<string[]>;
     /**
      * Parse `git status --porcelain` into staged, unstaged, and untracked lists.
      *

package/dist/git/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"","sources":["../../src/git/integration.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAqB,SAAS,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AA8CrF;;;;;;;;;GASG;AACH,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,gBAAgB;IAErD;;;;;;OAMG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAatE;;;;;;;;OAQG;IACG,MAAM,CACV,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,GAC7D,OAAO,CAAC,MAAM,CAAC;IAqBlB;;;;;;OAMG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAahD;;;;;;;;;;OAUG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAW7D;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAelE;;;;;;OAMG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBjD;;;;;;;OAOG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,aAAa,GAAG,QAAQ,CAAA;KAAE,CAAC;IAsBpF;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKhD;;;;;;OAMG;IACG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAe1F;;;;;;;OAOG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,GAAE,MAAW,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IA6B1F;;;;;;OAMG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAUhD;;;;;OAKG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IA8CrD;;;;;;;;;;;;OAYG;IACG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCzD;;;;;;;OAOG;IACG,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAChD,SAAS,EAAE,OAAO,CAAC;QACnB,aAAa,EAAE,OAAO,CAAC;QACvB,iBAAiB,EAAE,OAAO,CAAC;QAC3B,qBAAqB,EAAE,OAAO,CAAC;KAChC,CAAC;YAqBY,mBAAmB;IAyBjC;;;;;;OAMG;IACG,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAgB5D"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"","sources":["../../src/git/integration.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAqB,SAAS,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AA8CrF;;;;;;;;;GASG;AACH,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,gBAAgB;IAErD;;;;;;OAMG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAatE;;;;;;;;OAQG;IACG,MAAM,CACV,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,GAC7D,OAAO,CAAC,MAAM,CAAC;IAqBlB;;;;;;OAMG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAahD;;;;;;;;;;OAUG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAW7D;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAelE;;;;;;OAMG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBjD;;;;;;;OAOG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,aAAa,GAAG,QAAQ,CAAA;KAAE,CAAC;IAsBpF;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKhD;;;;;;OAMG;IACG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAe1F;;;;;;;OAOG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,GAAE,MAAW,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IA6B1F;;;;;;OAMG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAUhD;;;;;;;;;;;;;;;OAeG;IACG,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAwBlF;;;;;OAKG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IA8CrD;;;;;;;;;;;;OAYG;IACG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAyCzD;;;;;;;OAOG;IACG,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAChD,SAAS,EAAE,OAAO,CAAC;QACnB,aAAa,EAAE,OAAO,CAAC;QACvB,iBAAiB,EAAE,OAAO,CAAC;QAC3B,qBAAqB,EAAE,OAAO,CAAC;KAChC,CAAC;YAqBY,mBAAmB;IAyBjC;;;;;;OAMG;IACG,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAgB5D"}

package/dist/hsm/keyservice.d.ts

@@ -30,7 +30,7 @@ export interface SpawnKeyserviceOptions {
  * Spawn a clef-keyservice sidecar and wait for it to report its port.
  *
  * @throws If neither `pin` nor `pinFile` is provided, if startup exceeds
- *   {@link STARTUP_TIMEOUT_MS}, or if the child exits before reporting `PORT=`.
+ *   the 5s startup timeout, or if the child exits before reporting `PORT=`.
  */
 export declare function spawnKeyservice(options: SpawnKeyserviceOptions): Promise<KeyserviceHandle>;
 //# sourceMappingURL=keyservice.d.ts.map

package/dist/index.js

@@ -11732,6 +11732,7 @@ function keyPreview(key) {
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
 var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp", "hsm"];
 var PKCS11_URI_PATTERN = /^pkcs11:[a-zA-Z][a-zA-Z0-9_-]*=[^;]+/;
+var AWS_KMS_ARN_PATTERN = /^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d+:(key|alias)\/.+$/;
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
@@ -12254,11 +12255,22 @@ var ManifestParser = class {
                 "service_identities"
               );
             }
+            if (kmsObj.provider === "aws" && !AWS_KMS_ARN_PATTERN.test(kmsObj.keyId)) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': kms.keyId must be a full AWS KMS ARN (e.g. arn:aws:kms:us-east-1:123456789012:key/abcd-1234), got '${kmsObj.keyId}'.`,
+                "service_identities"
+              );
+            }
+            if (Object.prototype.hasOwnProperty.call(kmsObj, "region")) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': kms.region is no longer accepted; the region is read from the AWS KMS key ARN. Remove this field.`,
+                "service_identities"
+              );
+            }
             parsedEnvs[envName] = {
               kms: {
                 provider: kmsObj.provider,
-                keyId: kmsObj.keyId,
-                region: typeof kmsObj.region === "string" ? kmsObj.region : void 0
+                keyId: kmsObj.keyId
               }
             };
           }
@@ -12903,11 +12915,17 @@ var MatrixManager = class {
     await sopsClient.encrypt(cell.filePath, {}, manifest, cell.environment);
   }
   /**
-   * Decrypt each cell and return key counts, pending counts, and cross-environment issues.
+   * Read each cell and return key counts, pending counts, and cross-environment issues.
+   *
+   * The SOPS client parameter is currently unused — keys are read from the
+   * plaintext YAML structure directly, no decryption needed. It is retained
+   * in the signature for back-compat with callers that may need to swap to a
+   * decrypt-based implementation later (e.g. for backends that don't expose
+   * key names without decryption).
    *
    * @param manifest - Parsed manifest.
    * @param repoRoot - Absolute path to the repository root.
-   * @param sopsClient - SOPS client used to decrypt each cell.
+   * @param _sopsClient - Reserved for future use; pass any `EncryptionBackend`.
    */
   async getMatrixStatus(manifest, repoRoot, _sopsClient) {
     const cells = this.resolveMatrix(manifest, repoRoot);
@@ -13664,6 +13682,42 @@ var GitIntegration = class {
     }
     return result.stdout;
   }
+  /**
+   * Of the given paths, return those that exist on disk but are untracked by git.
+   *
+   * Used by {@link TransactionManager} to refuse mutations whose declared paths
+   * include untracked-but-existing files. Rollback uses `git reset --hard` to
+   * restore content, which can only restore files that exist in a commit. An
+   * untracked file in the declared paths would be silently destroyed by the
+   * rollback's `git clean` — so we refuse upfront.
+   *
+   * @param repoRoot - Working directory for the git command.
+   * @param paths - Paths to check (relative to repoRoot).
+   * @returns Subset of `paths` that are untracked. Non-existent paths are
+   *          excluded; tracked paths are excluded; directories are reported by
+   *          their porcelain entry (with trailing slash if untracked-as-dir).
+   * @throws {@link GitOperationError} On failure.
+   */
+  async getUntrackedAmongPaths(repoRoot, paths) {
+    if (paths.length === 0) return [];
+    const result = await this.runner.run("git", ["status", "--porcelain", "--", ...paths], {
+      cwd: repoRoot
+    });
+    if (result.exitCode !== 0) {
+      throw new GitOperationError(
+        `Failed to check tracked status: ${result.stderr.trim()}`,
+        "Inspect with 'git status' and resolve any repository errors."
+      );
+    }
+    const untracked = [];
+    for (const line of result.stdout.split("\n")) {
+      if (line === "") continue;
+      if (line[0] === "?") {
+        untracked.push(line.substring(3));
+      }
+    }
+    return untracked;
+  }
   /**
    * Parse `git status --porcelain` into staged, unstaged, and untracked lists.
    *
@@ -13938,6 +13992,14 @@ var TransactionManager = class {
           "Commit or stash your changes first, or pass --allow-dirty to proceed (rollback will be best-effort)."
         );
       }
+      const untrackedDeclared = await this.git.getUntrackedAmongPaths(repoRoot, opts.paths);
+      if (untrackedDeclared.length > 0) {
+        throw new TransactionPreflightError(
+          "untracked-paths",
+          `Refusing to mutate: the following declared paths are untracked and would not survive rollback: ${untrackedDeclared.join(", ")}`,
+          "Commit these files first (`git add` + `git commit`), then retry. Rollback can only restore content that exists in a commit."
+        );
+      }
       try {
         await opts.mutate();
       } catch (mutateErr) {
@@ -17656,23 +17718,18 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
   const cells = matrixManager.resolveMatrix(manifest, repoRoot).filter(
     (c) => c.exists && identity.namespaces.includes(c.namespace) && c.environment === environment
   );
-  const isMultiNamespace = identity.namespaces.length > 1;
-  const collisions = [];
   for (const cell of cells) {
     const decrypted = await encryption.decrypt(cell.filePath);
+    const bucket = allValues[cell.namespace] ??= {};
     for (const [key, value] of Object.entries(decrypted.values)) {
-      const qualifiedKey = isMultiNamespace ? `${cell.namespace}__${key}` : key;
-      if (qualifiedKey in allValues && allValues[qualifiedKey] !== value) {
-        collisions.push(qualifiedKey);
+      if (key in bucket && bucket[key] !== value) {
+        throw new Error(
+          `Key collision in namespace '${cell.namespace}': '${key}' set to different values.`
+        );
       }
-      allValues[qualifiedKey] = value;
+      bucket[key] = value;
     }
   }
-  if (collisions.length > 0) {
-    throw new Error(
-      `Key collision detected in bundle: ${collisions.join(", ")}. Keys with the same name but different values exist across namespaces.`
-    );
-  }
   return {
     values: allValues,
     identity,
@@ -17915,7 +17972,12 @@ var ArtifactPacker = class {
     const json = JSON.stringify(artifact, null, 2);
     const output = config.output ?? new FilePackOutput(config.outputPath ?? "artifact.json");
     await output.write(artifact, json);
-    const keys = Object.keys(resolved.values);
+    const keys = [];
+    for (const [ns, bucket] of Object.entries(resolved.values)) {
+      for (const k of Object.keys(bucket)) {
+        keys.push(`${ns}__${k}`);
+      }
+    }
     return {
       outputPath: config.outputPath ?? "",
       namespaceCount: resolved.identity.namespaces.length,