npm - @clef-sh/core - Versions diffs - 0.1.27 → 0.1.28 - Mend

@clef-sh/core 0.1.27 → 0.1.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/index.d.mts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +120 -9
package/dist/index.js.map +3 -3
package/dist/index.mjs +119 -9
package/dist/index.mjs.map +3 -3
package/dist/kms/aws-arn.d.ts +29 -0
package/dist/kms/aws-arn.d.ts.map +1 -0
package/dist/kms/index.d.ts +2 -0
package/dist/kms/index.d.ts.map +1 -1
package/dist/manifest/io.d.ts +6 -0
package/dist/manifest/io.d.ts.map +1 -1
package/dist/manifest/parser.d.ts.map +1 -1
package/dist/migration/backend.d.ts.map +1 -1
package/package.json +1 -1

package/dist/kms/aws-arn.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * AWS KMS ARN validator with specific failure reasons.
+ *
+ * The parser already used a single regex (`AWS_KMS_ARN_PATTERN`) to accept-or-
+ * reject keyIds, but the failure message was generic. This validator walks the
+ * ARN segment-by-segment and returns a reason that points at the actual fault
+ * — empty region, malformed account, missing `key/`/`alias/`, etc. — so users
+ * fix the right segment without trial-and-error.
+ *
+ * Accepted forms:
+ *   - `arn:aws:kms:{region}:{account}:key/{key-id}`
+ *   - `arn:aws:kms:{region}:{account}:alias/{name}`
+ *   - `arn:aws-{partition}:kms:...` (gov, cn, etc.)
+ *
+ * Bare key UUIDs and bare aliases are rejected — region must be derivable
+ * from the ARN at synth time.
+ */
+export interface AwsKmsArnValidation {
+    ok: boolean;
+    /** Human-readable reason. Present when `ok` is `false`. */
+    reason?: string;
+}
+/**
+ * Validate an AWS KMS key or alias ARN. Returns `{ ok: true }` on a well-
+ * formed ARN, otherwise `{ ok: false, reason }` with a message that names the
+ * faulty segment.
+ */
+export declare function validateAwsKmsArn(input: unknown): AwsKmsArnValidation;
+//# sourceMappingURL=aws-arn.d.ts.map

package/dist/kms/aws-arn.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"aws-arn.d.ts","sourceRoot":"","sources":["../../src/kms/aws-arn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,OAAO,CAAC;IACZ,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB,CA4FrE"}

package/dist/kms/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
 export type { KmsProviderType, KmsWrapResult, KmsProvider } from "./types";
 export { VALID_KMS_PROVIDERS } from "./types";
+export { validateAwsKmsArn } from "./aws-arn";
+export type { AwsKmsArnValidation } from "./aws-arn";
 //# sourceMappingURL=index.d.ts.map

package/dist/kms/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/kms/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/kms/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC"}

package/dist/manifest/io.d.ts CHANGED Viewed

@@ -8,6 +8,12 @@ export declare function readManifestYaml(repoRoot: string): Record<string, unkno
  * contents — never a half-written file. If the process dies mid-write, the
  * temp file is cleaned up by write-file-atomic's signal-exit handler. Handles
  * Windows EPERM retries internally.
+ *
+ * **Validates before writing.** Any caller producing an invalid manifest
+ * (malformed KMS ARN, bad recipient, missing required field, etc.) gets
+ * rejected here instead of silently persisting corrupt YAML that would later
+ * brick every `clef <command>` invocation. The validation error names the
+ * specific field at fault, so callers can fix the input rather than guessing.
  */
 export declare function writeManifestYaml(repoRoot: string, doc: Record<string, unknown>): void;
 /**

package/dist/manifest/io.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"io.d.ts","sourceRoot":"","sources":["../../src/manifest/io.ts"],"names":[],"mappings":"~~AAMA~~,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAG1E;AAED~~;;;;;;;;;GASG~~;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,~~CAGtF~~;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7E"}
1	+ {"version":3,"file":"io.d.ts","sourceRoot":"","sources":["../../src/manifest/io.ts"],"names":[],"mappings":"AAOA,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAG1E;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAetF;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7E"}

package/dist/manifest/parser.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/manifest/parser.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,YAAY,EAKb,MAAM,UAAU,CAAC;~~AAGlB~~;;;GAGG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAC;~~AA4BlD~~;;;;;;;;GAQG;AACH,qBAAa,cAAc;IACzB;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAsBrC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY;~~IA+mBtC~~;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,GAAG,MAAM,IAAI;CAchF"}
1	+ {"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/manifest/parser.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,YAAY,EAKb,MAAM,UAAU,CAAC;AAIlB;;;GAGG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAC;AAuBlD;;;;;;;;GAQG;AACH,qBAAa,cAAc;IACzB;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAsBrC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY;IAonBtC;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,GAAG,MAAM,IAAI;CAchF"}

package/dist/migration/backend.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAO7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAcxB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;OAOG;gBAED,UAAU,EAAE,iBAAiB,EACZ,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB,EACvC,gBAAgB,CAAC,EAAE,iBAAiB;IAMhC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;~~IAoL3B~~,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}
1	+ {"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAO7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAcxB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;OAOG;gBAED,UAAU,EAAE,iBAAiB,EACZ,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB,EACvC,gBAAgB,CAAC,EAAE,iBAAiB;IAMhC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IAwM3B,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@clef-sh/core",
-  "version": "0.1.27",
+  "version": "0.1.28",
   "description": "Core library for Clef — git-native secrets management",
   "repository": {
     "type": "git",