@clef-sh/core 0.1.27 → 0.1.28

package/dist/index.mjs

@@ -2269,11 +2269,98 @@ function keyPreview(key) {
   return `age1\u2026${last8}`;
 }
 
+// src/kms/aws-arn.ts
+var PARTITION_PATTERN = /^aws(?:-[a-z]+)*$/;
+var REGION_PATTERN = /^[a-z]{2,}(?:-[a-z]+)+-\d+$/;
+var ACCOUNT_PATTERN = /^\d{12}$/;
+function validateAwsKmsArn(input) {
+  if (typeof input !== "string") {
+    return { ok: false, reason: "value must be a string" };
+  }
+  if (input.length === 0) {
+    return { ok: false, reason: "value is empty" };
+  }
+  if (!input.startsWith("arn:")) {
+    return {
+      ok: false,
+      reason: "expected an ARN starting with 'arn:' (got a bare key id, alias name, or other format). Use a full ARN like 'arn:aws:kms:us-east-1:123456789012:alias/<name>'."
+    };
+  }
+  const segments = input.split(":");
+  if (segments.length < 6) {
+    return {
+      ok: false,
+      reason: `expected 6 colon-delimited segments (arn:aws:kms:<region>:<account>:<resource>), got ${segments.length}. Check that the region and account aren't missing.`
+    };
+  }
+  if (segments.length > 6) {
+    return {
+      ok: false,
+      reason: `expected exactly 6 colon-delimited segments, got ${segments.length}. Check for stray ':' characters.`
+    };
+  }
+  const [, partition, service, region, account, resource] = segments;
+  if (!PARTITION_PATTERN.test(partition)) {
+    return {
+      ok: false,
+      reason: `partition segment '${partition}' is not recognized. Expected 'aws', 'aws-us-gov', 'aws-cn', etc.`
+    };
+  }
+  if (service !== "kms") {
+    return {
+      ok: false,
+      reason: `service segment must be 'kms', got '${service}'.`
+    };
+  }
+  if (region.length === 0) {
+    return {
+      ok: false,
+      reason: "region segment is empty (look for '::' between 'kms' and the account id). Set a region like 'us-east-1' before reconstructing the ARN \u2014 common cause: a $REGION shell variable was unset when the ARN was built."
+    };
+  }
+  if (!REGION_PATTERN.test(region)) {
+    return {
+      ok: false,
+      reason: `region segment '${region}' doesn't look like an AWS region (expected e.g. 'us-east-1', 'eu-west-2').`
+    };
+  }
+  if (account.length === 0) {
+    return {
+      ok: false,
+      reason: "account segment is empty. Provide the 12-digit AWS account id."
+    };
+  }
+  if (!ACCOUNT_PATTERN.test(account)) {
+    return {
+      ok: false,
+      reason: `account segment '${account}' must be exactly 12 digits.`
+    };
+  }
+  if (!resource || resource.length === 0) {
+    return {
+      ok: false,
+      reason: "resource segment is empty. Expected 'key/<id>' or 'alias/<name>' after the account."
+    };
+  }
+  if (!resource.startsWith("key/") && !resource.startsWith("alias/")) {
+    return {
+      ok: false,
+      reason: `resource '${resource}' must start with 'key/' or 'alias/'.`
+    };
+  }
+  if (resource === "key/" || resource === "alias/") {
+    return {
+      ok: false,
+      reason: "resource id is empty after 'key/' or 'alias/'."
+    };
+  }
+  return { ok: true };
+}
+
 // src/manifest/parser.ts
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
 var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp", "hsm"];
 var PKCS11_URI_PATTERN = /^pkcs11:[a-zA-Z][a-zA-Z0-9_-]*=[^;]+/;
-var AWS_KMS_ARN_PATTERN = /^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d+:(key|alias)\/.+$/;
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
@@ -2796,11 +2883,14 @@ var ManifestParser = class {
                 "service_identities"
               );
             }
-            if (kmsObj.provider === "aws" && !AWS_KMS_ARN_PATTERN.test(kmsObj.keyId)) {
-              throw new ManifestValidationError(
-                `Service identity '${siName}' environment '${envName}': kms.keyId must be a full AWS KMS ARN (e.g. arn:aws:kms:us-east-1:123456789012:key/abcd-1234), got '${kmsObj.keyId}'.`,
-                "service_identities"
-              );
+            if (kmsObj.provider === "aws") {
+              const arnValidation = validateAwsKmsArn(kmsObj.keyId);
+              if (!arnValidation.ok) {
+                throw new ManifestValidationError(
+                  `Service identity '${siName}' environment '${envName}': kms.keyId is not a valid AWS KMS ARN \u2014 ${arnValidation.reason} (got '${kmsObj.keyId}'). Expected shape: arn:aws:kms:<region>:<account>:key/<id> or arn:aws:kms:<region>:<account>:alias/<name>.`,
+                  "service_identities"
+                );
+              }
             }
             if (Object.prototype.hasOwnProperty.call(kmsObj, "region")) {
               throw new ManifestValidationError(
@@ -2875,6 +2965,18 @@ function readManifestYaml(repoRoot) {
   return YAML2.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
+  const parser = new ManifestParser();
+  try {
+    parser.validate(doc);
+  } catch (err) {
+    if (err instanceof ManifestValidationError) {
+      throw new ManifestValidationError(
+        `Refusing to write invalid manifest: ${err.message}`,
+        err.field
+      );
+    }
+    throw err;
+  }
   const manifestPath = path.join(repoRoot, CLEF_MANIFEST_FILENAME);
   import_write_file_atomic.default.sync(manifestPath, YAML2.stringify(doc));
 }
@@ -8933,6 +9035,8 @@ var BackendMigrator = class {
         warnings: ["All files already use the target backend and key. Nothing to migrate."]
       };
     }
+    const preMigrationWarnings = [];
+    this.checkAgeRecipientsWarning(manifest, target, environment, preMigrationWarnings);
     if (dryRun) {
       const warnings2 = [];
       for (const cell of toMigrate) {
@@ -8949,7 +9053,7 @@ var BackendMigrator = class {
       } else {
         warnings2.push(`Would update global default_backend \u2192 ${target.backend}`);
       }
-      this.checkAgeRecipientsWarning(manifest, target, environment, warnings2);
+      warnings2.push(...preMigrationWarnings);
       return {
         migratedFiles: [],
         skippedFiles,
@@ -9005,7 +9109,12 @@ var BackendMigrator = class {
         rolledBack: true,
         error: migrationError.message,
         verifiedFiles: [],
-        warnings: ["All changes have been rolled back."]
+        // Surface pre-migration warnings even on rollback. The new manifest
+        // validator can reject the write (e.g. per-env recipients vs.
+        // non-age backend), and without these warnings the user only sees
+        // an opaque "rolled back" message — not the actionable hint about
+        // what to clean up first.
+        warnings: ["All changes have been rolled back.", ...preMigrationWarnings]
       };
     }
     const verifiedFiles = [];
@@ -9028,7 +9137,7 @@ var BackendMigrator = class {
         }
       }
     }
-    this.checkAgeRecipientsWarning(manifest, target, environment, warnings);
+    warnings.push(...preMigrationWarnings);
     return { migratedFiles, skippedFiles, rolledBack: false, verifiedFiles, warnings };
   }
   // ── Private helpers ──────────────────────────────────────────────────
@@ -9862,6 +9971,7 @@ export {
   tryBundledKeyservice,
   upsertRequest,
   validateAgePublicKey,
+  validateAwsKmsArn,
   validatePackedArtifact,
   validateResetScope,
   verifySignature,