@clef-sh/core 0.1.23 → 0.1.24-beta.169

package/dist/index.mjs

@@ -2268,6 +2268,7 @@ function keyPreview(key) {
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
 var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp", "hsm"];
 var PKCS11_URI_PATTERN = /^pkcs11:[a-zA-Z][a-zA-Z0-9_-]*=[^;]+/;
+var AWS_KMS_ARN_PATTERN = /^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d+:(key|alias)\/.+$/;
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
@@ -2790,11 +2791,22 @@ var ManifestParser = class {
                 "service_identities"
               );
             }
+            if (kmsObj.provider === "aws" && !AWS_KMS_ARN_PATTERN.test(kmsObj.keyId)) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': kms.keyId must be a full AWS KMS ARN (e.g. arn:aws:kms:us-east-1:123456789012:key/abcd-1234), got '${kmsObj.keyId}'.`,
+                "service_identities"
+              );
+            }
+            if (Object.prototype.hasOwnProperty.call(kmsObj, "region")) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': kms.region is no longer accepted; the region is read from the AWS KMS key ARN. Remove this field.`,
+                "service_identities"
+              );
+            }
             parsedEnvs[envName] = {
               kms: {
                 provider: kmsObj.provider,
-                keyId: kmsObj.keyId,
-                region: typeof kmsObj.region === "string" ? kmsObj.region : void 0
+                keyId: kmsObj.keyId
               }
             };
           }
@@ -3439,11 +3451,17 @@ var MatrixManager = class {
     await sopsClient.encrypt(cell.filePath, {}, manifest, cell.environment);
   }
   /**
-   * Decrypt each cell and return key counts, pending counts, and cross-environment issues.
+   * Read each cell and return key counts, pending counts, and cross-environment issues.
+   *
+   * The SOPS client parameter is currently unused — keys are read from the
+   * plaintext YAML structure directly, no decryption needed. It is retained
+   * in the signature for back-compat with callers that may need to swap to a
+   * decrypt-based implementation later (e.g. for backends that don't expose
+   * key names without decryption).
    *
    * @param manifest - Parsed manifest.
    * @param repoRoot - Absolute path to the repository root.
-   * @param sopsClient - SOPS client used to decrypt each cell.
+   * @param _sopsClient - Reserved for future use; pass any `EncryptionBackend`.
    */
   async getMatrixStatus(manifest, repoRoot, _sopsClient) {
     const cells = this.resolveMatrix(manifest, repoRoot);
@@ -4200,6 +4218,42 @@ var GitIntegration = class {
     }
     return result.stdout;
   }
+  /**
+   * Of the given paths, return those that exist on disk but are untracked by git.
+   *
+   * Used by {@link TransactionManager} to refuse mutations whose declared paths
+   * include untracked-but-existing files. Rollback uses `git reset --hard` to
+   * restore content, which can only restore files that exist in a commit. An
+   * untracked file in the declared paths would be silently destroyed by the
+   * rollback's `git clean` — so we refuse upfront.
+   *
+   * @param repoRoot - Working directory for the git command.
+   * @param paths - Paths to check (relative to repoRoot).
+   * @returns Subset of `paths` that are untracked. Non-existent paths are
+   *          excluded; tracked paths are excluded; directories are reported by
+   *          their porcelain entry (with trailing slash if untracked-as-dir).
+   * @throws {@link GitOperationError} On failure.
+   */
+  async getUntrackedAmongPaths(repoRoot, paths) {
+    if (paths.length === 0) return [];
+    const result = await this.runner.run("git", ["status", "--porcelain", "--", ...paths], {
+      cwd: repoRoot
+    });
+    if (result.exitCode !== 0) {
+      throw new GitOperationError(
+        `Failed to check tracked status: ${result.stderr.trim()}`,
+        "Inspect with 'git status' and resolve any repository errors."
+      );
+    }
+    const untracked = [];
+    for (const line of result.stdout.split("\n")) {
+      if (line === "") continue;
+      if (line[0] === "?") {
+        untracked.push(line.substring(3));
+      }
+    }
+    return untracked;
+  }
   /**
    * Parse `git status --porcelain` into staged, unstaged, and untracked lists.
    *
@@ -4474,6 +4528,14 @@ var TransactionManager = class {
           "Commit or stash your changes first, or pass --allow-dirty to proceed (rollback will be best-effort)."
         );
       }
+      const untrackedDeclared = await this.git.getUntrackedAmongPaths(repoRoot, opts.paths);
+      if (untrackedDeclared.length > 0) {
+        throw new TransactionPreflightError(
+          "untracked-paths",
+          `Refusing to mutate: the following declared paths are untracked and would not survive rollback: ${untrackedDeclared.join(", ")}`,
+          "Commit these files first (`git add` + `git commit`), then retry. Rollback can only restore content that exists in a commit."
+        );
+      }
       try {
         await opts.mutate();
       } catch (mutateErr) {
@@ -8192,23 +8254,18 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
   const cells = matrixManager.resolveMatrix(manifest, repoRoot).filter(
     (c) => c.exists && identity.namespaces.includes(c.namespace) && c.environment === environment
   );
-  const isMultiNamespace = identity.namespaces.length > 1;
-  const collisions = [];
   for (const cell of cells) {
     const decrypted = await encryption.decrypt(cell.filePath);
+    const bucket = allValues[cell.namespace] ??= {};
     for (const [key, value] of Object.entries(decrypted.values)) {
-      const qualifiedKey = isMultiNamespace ? `${cell.namespace}__${key}` : key;
-      if (qualifiedKey in allValues && allValues[qualifiedKey] !== value) {
-        collisions.push(qualifiedKey);
+      if (key in bucket && bucket[key] !== value) {
+        throw new Error(
+          `Key collision in namespace '${cell.namespace}': '${key}' set to different values.`
+        );
       }
-      allValues[qualifiedKey] = value;
+      bucket[key] = value;
     }
   }
-  if (collisions.length > 0) {
-    throw new Error(
-      `Key collision detected in bundle: ${collisions.join(", ")}. Keys with the same name but different values exist across namespaces.`
-    );
-  }
   return {
     values: allValues,
     identity,
@@ -8451,7 +8508,12 @@ var ArtifactPacker = class {
     const json = JSON.stringify(artifact, null, 2);
     const output = config.output ?? new FilePackOutput(config.outputPath ?? "artifact.json");
     await output.write(artifact, json);
-    const keys = Object.keys(resolved.values);
+    const keys = [];
+    for (const [ns, bucket] of Object.entries(resolved.values)) {
+      for (const k of Object.keys(bucket)) {
+        keys.push(`${ns}__${k}`);
+      }
+    }
     return {
       outputPath: config.outputPath ?? "",
       namespaceCount: resolved.identity.namespaces.length,