@clef-sh/core 0.1.27 → 0.2.0

package/dist/index.js

@@ -301,13 +301,13 @@ var require_lib = __commonJS({
   "../../node_modules/write-file-atomic/lib/index.js"(exports2, module2) {
     "use strict";
     module2.exports = writeFile;
-    module2.exports.sync = writeFileSync7;
+    module2.exports.sync = writeFileSync8;
     module2.exports._getTmpname = getTmpname;
     module2.exports._cleanupOnExit = cleanupOnExit;
-    var fs22 = require("fs");
+    var fs23 = require("fs");
     var crypto7 = require("node:crypto");
     var { onExit } = require_cjs();
-    var path29 = require("path");
+    var path28 = require("path");
     var { promisify } = require("util");
     var activeFiles = {};
     var threadId = (function getId() {
@@ -325,7 +325,7 @@ var require_lib = __commonJS({
     function cleanupOnExit(tmpfile) {
       return () => {
         try {
-          fs22.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
+          fs23.unlinkSync(typeof tmpfile === "function" ? tmpfile() : tmpfile);
         } catch {
         }
       };
@@ -360,13 +360,13 @@ var require_lib = __commonJS({
       let fd;
       let tmpfile;
       const removeOnExitHandler = onExit(cleanupOnExit(() => tmpfile));
-      const absoluteName = path29.resolve(filename);
+      const absoluteName = path28.resolve(filename);
       try {
         await serializeActiveFile(absoluteName);
-        const truename = await promisify(fs22.realpath)(filename).catch(() => filename);
+        const truename = await promisify(fs23.realpath)(filename).catch(() => filename);
         tmpfile = getTmpname(truename);
         if (!options.mode || !options.chown) {
-          const stats = await promisify(fs22.stat)(truename).catch(() => {
+          const stats = await promisify(fs23.stat)(truename).catch(() => {
           });
           if (stats) {
             if (options.mode == null) {
@@ -377,45 +377,45 @@ var require_lib = __commonJS({
             }
           }
         }
-        fd = await promisify(fs22.open)(tmpfile, "w", options.mode);
+        fd = await promisify(fs23.open)(tmpfile, "w", options.mode);
         if (options.tmpfileCreated) {
           await options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          await promisify(fs22.write)(fd, data, 0, data.length, 0);
+          await promisify(fs23.write)(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          await promisify(fs22.write)(fd, String(data), 0, String(options.encoding || "utf8"));
+          await promisify(fs23.write)(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          await promisify(fs22.fsync)(fd);
+          await promisify(fs23.fsync)(fd);
         }
-        await promisify(fs22.close)(fd);
+        await promisify(fs23.close)(fd);
         fd = null;
         if (options.chown) {
-          await promisify(fs22.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
+          await promisify(fs23.chown)(tmpfile, options.chown.uid, options.chown.gid).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
         if (options.mode) {
-          await promisify(fs22.chmod)(tmpfile, options.mode).catch((err) => {
+          await promisify(fs23.chmod)(tmpfile, options.mode).catch((err) => {
             if (!isChownErrOk(err)) {
               throw err;
             }
           });
         }
-        await promisify(fs22.rename)(tmpfile, truename);
+        await promisify(fs23.rename)(tmpfile, truename);
       } finally {
         if (fd) {
-          await promisify(fs22.close)(fd).catch(
+          await promisify(fs23.close)(fd).catch(
             /* istanbul ignore next */
             () => {
             }
           );
         }
         removeOnExitHandler();
-        await promisify(fs22.unlink)(tmpfile).catch(() => {
+        await promisify(fs23.unlink)(tmpfile).catch(() => {
         });
         activeFiles[absoluteName].shift();
         if (activeFiles[absoluteName].length > 0) {
@@ -441,20 +441,20 @@ var require_lib = __commonJS({
       }
       return promise;
     }
-    function writeFileSync7(filename, data, options) {
+    function writeFileSync8(filename, data, options) {
       if (typeof options === "string") {
         options = { encoding: options };
       } else if (!options) {
         options = {};
       }
       try {
-        filename = fs22.realpathSync(filename);
+        filename = fs23.realpathSync(filename);
       } catch (ex) {
       }
       const tmpfile = getTmpname(filename);
       if (!options.mode || !options.chown) {
         try {
-          const stats = fs22.statSync(filename);
+          const stats = fs23.statSync(filename);
           options = Object.assign({}, options);
           if (!options.mode) {
             options.mode = stats.mode;
@@ -470,23 +470,23 @@ var require_lib = __commonJS({
       const removeOnExitHandler = onExit(cleanup);
       let threw = true;
       try {
-        fd = fs22.openSync(tmpfile, "w", options.mode || 438);
+        fd = fs23.openSync(tmpfile, "w", options.mode || 438);
         if (options.tmpfileCreated) {
           options.tmpfileCreated(tmpfile);
         }
         if (ArrayBuffer.isView(data)) {
-          fs22.writeSync(fd, data, 0, data.length, 0);
+          fs23.writeSync(fd, data, 0, data.length, 0);
         } else if (data != null) {
-          fs22.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
+          fs23.writeSync(fd, String(data), 0, String(options.encoding || "utf8"));
         }
         if (options.fsync !== false) {
-          fs22.fsyncSync(fd);
+          fs23.fsyncSync(fd);
         }
-        fs22.closeSync(fd);
+        fs23.closeSync(fd);
         fd = null;
         if (options.chown) {
           try {
-            fs22.chownSync(tmpfile, options.chown.uid, options.chown.gid);
+            fs23.chownSync(tmpfile, options.chown.uid, options.chown.gid);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
@@ -495,19 +495,19 @@ var require_lib = __commonJS({
         }
         if (options.mode) {
           try {
-            fs22.chmodSync(tmpfile, options.mode);
+            fs23.chmodSync(tmpfile, options.mode);
           } catch (err) {
             if (!isChownErrOk(err)) {
               throw err;
             }
           }
         }
-        fs22.renameSync(tmpfile, filename);
+        fs23.renameSync(tmpfile, filename);
         threw = false;
       } finally {
         if (fd) {
           try {
-            fs22.closeSync(fd);
+            fs23.closeSync(fd);
           } catch (ex) {
           }
         }
@@ -546,54 +546,54 @@ var require_polyfills = __commonJS({
     }
     var chdir;
     module2.exports = patch;
-    function patch(fs22) {
+    function patch(fs23) {
       if (constants.hasOwnProperty("O_SYMLINK") && process.version.match(/^v0\.6\.[0-2]|^v0\.5\./)) {
-        patchLchmod(fs22);
-      }
-      if (!fs22.lutimes) {
-        patchLutimes(fs22);
-      }
-      fs22.chown = chownFix(fs22.chown);
-      fs22.fchown = chownFix(fs22.fchown);
-      fs22.lchown = chownFix(fs22.lchown);
-      fs22.chmod = chmodFix(fs22.chmod);
-      fs22.fchmod = chmodFix(fs22.fchmod);
-      fs22.lchmod = chmodFix(fs22.lchmod);
-      fs22.chownSync = chownFixSync(fs22.chownSync);
-      fs22.fchownSync = chownFixSync(fs22.fchownSync);
-      fs22.lchownSync = chownFixSync(fs22.lchownSync);
-      fs22.chmodSync = chmodFixSync(fs22.chmodSync);
-      fs22.fchmodSync = chmodFixSync(fs22.fchmodSync);
-      fs22.lchmodSync = chmodFixSync(fs22.lchmodSync);
-      fs22.stat = statFix(fs22.stat);
-      fs22.fstat = statFix(fs22.fstat);
-      fs22.lstat = statFix(fs22.lstat);
-      fs22.statSync = statFixSync(fs22.statSync);
-      fs22.fstatSync = statFixSync(fs22.fstatSync);
-      fs22.lstatSync = statFixSync(fs22.lstatSync);
-      if (fs22.chmod && !fs22.lchmod) {
-        fs22.lchmod = function(path29, mode, cb) {
+        patchLchmod(fs23);
+      }
+      if (!fs23.lutimes) {
+        patchLutimes(fs23);
+      }
+      fs23.chown = chownFix(fs23.chown);
+      fs23.fchown = chownFix(fs23.fchown);
+      fs23.lchown = chownFix(fs23.lchown);
+      fs23.chmod = chmodFix(fs23.chmod);
+      fs23.fchmod = chmodFix(fs23.fchmod);
+      fs23.lchmod = chmodFix(fs23.lchmod);
+      fs23.chownSync = chownFixSync(fs23.chownSync);
+      fs23.fchownSync = chownFixSync(fs23.fchownSync);
+      fs23.lchownSync = chownFixSync(fs23.lchownSync);
+      fs23.chmodSync = chmodFixSync(fs23.chmodSync);
+      fs23.fchmodSync = chmodFixSync(fs23.fchmodSync);
+      fs23.lchmodSync = chmodFixSync(fs23.lchmodSync);
+      fs23.stat = statFix(fs23.stat);
+      fs23.fstat = statFix(fs23.fstat);
+      fs23.lstat = statFix(fs23.lstat);
+      fs23.statSync = statFixSync(fs23.statSync);
+      fs23.fstatSync = statFixSync(fs23.fstatSync);
+      fs23.lstatSync = statFixSync(fs23.lstatSync);
+      if (fs23.chmod && !fs23.lchmod) {
+        fs23.lchmod = function(path28, mode, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs22.lchmodSync = function() {
+        fs23.lchmodSync = function() {
         };
       }
-      if (fs22.chown && !fs22.lchown) {
-        fs22.lchown = function(path29, uid, gid, cb) {
+      if (fs23.chown && !fs23.lchown) {
+        fs23.lchown = function(path28, uid, gid, cb) {
           if (cb) process.nextTick(cb);
         };
-        fs22.lchownSync = function() {
+        fs23.lchownSync = function() {
         };
       }
       if (platform === "win32") {
-        fs22.rename = typeof fs22.rename !== "function" ? fs22.rename : (function(fs$rename) {
+        fs23.rename = typeof fs23.rename !== "function" ? fs23.rename : (function(fs$rename) {
           function rename(from, to, cb) {
             var start = Date.now();
             var backoff = 0;
             fs$rename(from, to, function CB(er) {
               if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
                 setTimeout(function() {
-                  fs22.stat(to, function(stater, st) {
+                  fs23.stat(to, function(stater, st) {
                     if (stater && stater.code === "ENOENT")
                       fs$rename(from, to, CB);
                     else
@@ -609,9 +609,9 @@ var require_polyfills = __commonJS({
           }
           if (Object.setPrototypeOf) Object.setPrototypeOf(rename, fs$rename);
           return rename;
-        })(fs22.rename);
+        })(fs23.rename);
       }
-      fs22.read = typeof fs22.read !== "function" ? fs22.read : (function(fs$read) {
+      fs23.read = typeof fs23.read !== "function" ? fs23.read : (function(fs$read) {
         function read(fd, buffer, offset, length, position, callback_) {
           var callback;
           if (callback_ && typeof callback_ === "function") {
@@ -619,22 +619,22 @@ var require_polyfills = __commonJS({
             callback = function(er, _, __) {
               if (er && er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
-                return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
+                return fs$read.call(fs23, fd, buffer, offset, length, position, callback);
               }
               callback_.apply(this, arguments);
             };
           }
-          return fs$read.call(fs22, fd, buffer, offset, length, position, callback);
+          return fs$read.call(fs23, fd, buffer, offset, length, position, callback);
         }
         if (Object.setPrototypeOf) Object.setPrototypeOf(read, fs$read);
         return read;
-      })(fs22.read);
-      fs22.readSync = typeof fs22.readSync !== "function" ? fs22.readSync : /* @__PURE__ */ (function(fs$readSync) {
+      })(fs23.read);
+      fs23.readSync = typeof fs23.readSync !== "function" ? fs23.readSync : /* @__PURE__ */ (function(fs$readSync) {
         return function(fd, buffer, offset, length, position) {
           var eagCounter = 0;
           while (true) {
             try {
-              return fs$readSync.call(fs22, fd, buffer, offset, length, position);
+              return fs$readSync.call(fs23, fd, buffer, offset, length, position);
             } catch (er) {
               if (er.code === "EAGAIN" && eagCounter < 10) {
                 eagCounter++;
@@ -644,11 +644,11 @@ var require_polyfills = __commonJS({
             }
           }
         };
-      })(fs22.readSync);
-      function patchLchmod(fs23) {
-        fs23.lchmod = function(path29, mode, callback) {
-          fs23.open(
-            path29,
+      })(fs23.readSync);
+      function patchLchmod(fs24) {
+        fs24.lchmod = function(path28, mode, callback) {
+          fs24.open(
+            path28,
             constants.O_WRONLY | constants.O_SYMLINK,
             mode,
             function(err, fd) {
@@ -656,80 +656,80 @@ var require_polyfills = __commonJS({
                 if (callback) callback(err);
                 return;
               }
-              fs23.fchmod(fd, mode, function(err2) {
-                fs23.close(fd, function(err22) {
+              fs24.fchmod(fd, mode, function(err2) {
+                fs24.close(fd, function(err22) {
                   if (callback) callback(err2 || err22);
                 });
               });
             }
           );
         };
-        fs23.lchmodSync = function(path29, mode) {
-          var fd = fs23.openSync(path29, constants.O_WRONLY | constants.O_SYMLINK, mode);
+        fs24.lchmodSync = function(path28, mode) {
+          var fd = fs24.openSync(path28, constants.O_WRONLY | constants.O_SYMLINK, mode);
           var threw = true;
           var ret;
           try {
-            ret = fs23.fchmodSync(fd, mode);
+            ret = fs24.fchmodSync(fd, mode);
             threw = false;
           } finally {
             if (threw) {
               try {
-                fs23.closeSync(fd);
+                fs24.closeSync(fd);
               } catch (er) {
               }
             } else {
-              fs23.closeSync(fd);
+              fs24.closeSync(fd);
             }
           }
           return ret;
         };
       }
-      function patchLutimes(fs23) {
-        if (constants.hasOwnProperty("O_SYMLINK") && fs23.futimes) {
-          fs23.lutimes = function(path29, at, mt, cb) {
-            fs23.open(path29, constants.O_SYMLINK, function(er, fd) {
+      function patchLutimes(fs24) {
+        if (constants.hasOwnProperty("O_SYMLINK") && fs24.futimes) {
+          fs24.lutimes = function(path28, at, mt, cb) {
+            fs24.open(path28, constants.O_SYMLINK, function(er, fd) {
               if (er) {
                 if (cb) cb(er);
                 return;
               }
-              fs23.futimes(fd, at, mt, function(er2) {
-                fs23.close(fd, function(er22) {
+              fs24.futimes(fd, at, mt, function(er2) {
+                fs24.close(fd, function(er22) {
                   if (cb) cb(er2 || er22);
                 });
               });
             });
           };
-          fs23.lutimesSync = function(path29, at, mt) {
-            var fd = fs23.openSync(path29, constants.O_SYMLINK);
+          fs24.lutimesSync = function(path28, at, mt) {
+            var fd = fs24.openSync(path28, constants.O_SYMLINK);
             var ret;
             var threw = true;
             try {
-              ret = fs23.futimesSync(fd, at, mt);
+              ret = fs24.futimesSync(fd, at, mt);
               threw = false;
             } finally {
               if (threw) {
                 try {
-                  fs23.closeSync(fd);
+                  fs24.closeSync(fd);
                 } catch (er) {
                 }
               } else {
-                fs23.closeSync(fd);
+                fs24.closeSync(fd);
               }
             }
             return ret;
           };
-        } else if (fs23.futimes) {
-          fs23.lutimes = function(_a, _b, _c, cb) {
+        } else if (fs24.futimes) {
+          fs24.lutimes = function(_a, _b, _c, cb) {
             if (cb) process.nextTick(cb);
           };
-          fs23.lutimesSync = function() {
+          fs24.lutimesSync = function() {
           };
         }
       }
       function chmodFix(orig) {
         if (!orig) return orig;
         return function(target, mode, cb) {
-          return orig.call(fs22, target, mode, function(er) {
+          return orig.call(fs23, target, mode, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -739,7 +739,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, mode) {
           try {
-            return orig.call(fs22, target, mode);
+            return orig.call(fs23, target, mode);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -748,7 +748,7 @@ var require_polyfills = __commonJS({
       function chownFix(orig) {
         if (!orig) return orig;
         return function(target, uid, gid, cb) {
-          return orig.call(fs22, target, uid, gid, function(er) {
+          return orig.call(fs23, target, uid, gid, function(er) {
             if (chownErOk(er)) er = null;
             if (cb) cb.apply(this, arguments);
           });
@@ -758,7 +758,7 @@ var require_polyfills = __commonJS({
         if (!orig) return orig;
         return function(target, uid, gid) {
           try {
-            return orig.call(fs22, target, uid, gid);
+            return orig.call(fs23, target, uid, gid);
           } catch (er) {
             if (!chownErOk(er)) throw er;
           }
@@ -778,13 +778,13 @@ var require_polyfills = __commonJS({
             }
             if (cb) cb.apply(this, arguments);
           }
-          return options ? orig.call(fs22, target, options, callback) : orig.call(fs22, target, callback);
+          return options ? orig.call(fs23, target, options, callback) : orig.call(fs23, target, callback);
         };
       }
       function statFixSync(orig) {
         if (!orig) return orig;
         return function(target, options) {
-          var stats = options ? orig.call(fs22, target, options) : orig.call(fs22, target);
+          var stats = options ? orig.call(fs23, target, options) : orig.call(fs23, target);
           if (stats) {
             if (stats.uid < 0) stats.uid += 4294967296;
             if (stats.gid < 0) stats.gid += 4294967296;
@@ -813,16 +813,16 @@ var require_legacy_streams = __commonJS({
   "../../node_modules/graceful-fs/legacy-streams.js"(exports2, module2) {
     var Stream = require("stream").Stream;
     module2.exports = legacy;
-    function legacy(fs22) {
+    function legacy(fs23) {
       return {
         ReadStream,
         WriteStream
       };
-      function ReadStream(path29, options) {
-        if (!(this instanceof ReadStream)) return new ReadStream(path29, options);
+      function ReadStream(path28, options) {
+        if (!(this instanceof ReadStream)) return new ReadStream(path28, options);
         Stream.call(this);
         var self = this;
-        this.path = path29;
+        this.path = path28;
         this.fd = null;
         this.readable = true;
         this.paused = false;
@@ -856,7 +856,7 @@ var require_legacy_streams = __commonJS({
           });
           return;
         }
-        fs22.open(this.path, this.flags, this.mode, function(err, fd) {
+        fs23.open(this.path, this.flags, this.mode, function(err, fd) {
           if (err) {
             self.emit("error", err);
             self.readable = false;
@@ -867,10 +867,10 @@ var require_legacy_streams = __commonJS({
           self._read();
         });
       }
-      function WriteStream(path29, options) {
-        if (!(this instanceof WriteStream)) return new WriteStream(path29, options);
+      function WriteStream(path28, options) {
+        if (!(this instanceof WriteStream)) return new WriteStream(path28, options);
         Stream.call(this);
-        this.path = path29;
+        this.path = path28;
         this.fd = null;
         this.writable = true;
         this.flags = "w";
@@ -895,7 +895,7 @@ var require_legacy_streams = __commonJS({
         this.busy = false;
         this._queue = [];
         if (this.fd === null) {
-          this._open = fs22.open;
+          this._open = fs23.open;
           this._queue.push([this._open, this.path, this.flags, this.mode, void 0]);
           this.flush();
         }
@@ -930,7 +930,7 @@ var require_clone = __commonJS({
 // ../../node_modules/graceful-fs/graceful-fs.js
 var require_graceful_fs = __commonJS({
   "../../node_modules/graceful-fs/graceful-fs.js"(exports2, module2) {
-    var fs22 = require("fs");
+    var fs23 = require("fs");
     var polyfills = require_polyfills();
     var legacy = require_legacy_streams();
     var clone = require_clone();
@@ -962,12 +962,12 @@ var require_graceful_fs = __commonJS({
         m = "GFS4: " + m.split(/\n/).join("\nGFS4: ");
         console.error(m);
       };
-    if (!fs22[gracefulQueue]) {
+    if (!fs23[gracefulQueue]) {
       queue = global[gracefulQueue] || [];
-      publishQueue(fs22, queue);
-      fs22.close = (function(fs$close) {
+      publishQueue(fs23, queue);
+      fs23.close = (function(fs$close) {
         function close(fd, cb) {
-          return fs$close.call(fs22, fd, function(err) {
+          return fs$close.call(fs23, fd, function(err) {
             if (!err) {
               resetQueue();
             }
@@ -979,48 +979,48 @@ var require_graceful_fs = __commonJS({
           value: fs$close
         });
         return close;
-      })(fs22.close);
-      fs22.closeSync = (function(fs$closeSync) {
-        function closeSync2(fd) {
-          fs$closeSync.apply(fs22, arguments);
+      })(fs23.close);
+      fs23.closeSync = (function(fs$closeSync) {
+        function closeSync3(fd) {
+          fs$closeSync.apply(fs23, arguments);
           resetQueue();
         }
-        Object.defineProperty(closeSync2, previousSymbol, {
+        Object.defineProperty(closeSync3, previousSymbol, {
           value: fs$closeSync
         });
-        return closeSync2;
-      })(fs22.closeSync);
+        return closeSync3;
+      })(fs23.closeSync);
       if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || "")) {
         process.on("exit", function() {
-          debug(fs22[gracefulQueue]);
-          require("assert").equal(fs22[gracefulQueue].length, 0);
+          debug(fs23[gracefulQueue]);
+          require("assert").equal(fs23[gracefulQueue].length, 0);
         });
       }
     }
     var queue;
     if (!global[gracefulQueue]) {
-      publishQueue(global, fs22[gracefulQueue]);
-    }
-    module2.exports = patch(clone(fs22));
-    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs22.__patched) {
-      module2.exports = patch(fs22);
-      fs22.__patched = true;
-    }
-    function patch(fs23) {
-      polyfills(fs23);
-      fs23.gracefulify = patch;
-      fs23.createReadStream = createReadStream;
-      fs23.createWriteStream = createWriteStream;
-      var fs$readFile = fs23.readFile;
-      fs23.readFile = readFile;
-      function readFile(path29, options, cb) {
+      publishQueue(global, fs23[gracefulQueue]);
+    }
+    module2.exports = patch(clone(fs23));
+    if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs23.__patched) {
+      module2.exports = patch(fs23);
+      fs23.__patched = true;
+    }
+    function patch(fs24) {
+      polyfills(fs24);
+      fs24.gracefulify = patch;
+      fs24.createReadStream = createReadStream;
+      fs24.createWriteStream = createWriteStream;
+      var fs$readFile = fs24.readFile;
+      fs24.readFile = readFile;
+      function readFile(path28, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$readFile(path29, options, cb);
-        function go$readFile(path30, options2, cb2, startTime) {
-          return fs$readFile(path30, options2, function(err) {
+        return go$readFile(path28, options, cb);
+        function go$readFile(path29, options2, cb2, startTime) {
+          return fs$readFile(path29, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$readFile, [path30, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$readFile, [path29, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1028,16 +1028,16 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$writeFile = fs23.writeFile;
-      fs23.writeFile = writeFile;
-      function writeFile(path29, data, options, cb) {
+      var fs$writeFile = fs24.writeFile;
+      fs24.writeFile = writeFile;
+      function writeFile(path28, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$writeFile(path29, data, options, cb);
-        function go$writeFile(path30, data2, options2, cb2, startTime) {
-          return fs$writeFile(path30, data2, options2, function(err) {
+        return go$writeFile(path28, data, options, cb);
+        function go$writeFile(path29, data2, options2, cb2, startTime) {
+          return fs$writeFile(path29, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$writeFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$writeFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1045,17 +1045,17 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$appendFile = fs23.appendFile;
+      var fs$appendFile = fs24.appendFile;
       if (fs$appendFile)
-        fs23.appendFile = appendFile;
-      function appendFile(path29, data, options, cb) {
+        fs24.appendFile = appendFile;
+      function appendFile(path28, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        return go$appendFile(path29, data, options, cb);
-        function go$appendFile(path30, data2, options2, cb2, startTime) {
-          return fs$appendFile(path30, data2, options2, function(err) {
+        return go$appendFile(path28, data, options, cb);
+        function go$appendFile(path29, data2, options2, cb2, startTime) {
+          return fs$appendFile(path29, data2, options2, function(err) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$appendFile, [path30, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$appendFile, [path29, data2, options2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1063,9 +1063,9 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$copyFile = fs23.copyFile;
+      var fs$copyFile = fs24.copyFile;
       if (fs$copyFile)
-        fs23.copyFile = copyFile;
+        fs24.copyFile = copyFile;
       function copyFile(src, dest, flags, cb) {
         if (typeof flags === "function") {
           cb = flags;
@@ -1083,34 +1083,34 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      var fs$readdir = fs23.readdir;
-      fs23.readdir = readdir;
+      var fs$readdir = fs24.readdir;
+      fs24.readdir = readdir;
       var noReaddirOptionVersions = /^v[0-5]\./;
-      function readdir(path29, options, cb) {
+      function readdir(path28, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
-        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path30, options2, cb2, startTime) {
-          return fs$readdir(path30, fs$readdirCallback(
-            path30,
+        var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path29, options2, cb2, startTime) {
+          return fs$readdir(path29, fs$readdirCallback(
+            path29,
             options2,
             cb2,
             startTime
           ));
-        } : function go$readdir2(path30, options2, cb2, startTime) {
-          return fs$readdir(path30, options2, fs$readdirCallback(
-            path30,
+        } : function go$readdir2(path29, options2, cb2, startTime) {
+          return fs$readdir(path29, options2, fs$readdirCallback(
+            path29,
             options2,
             cb2,
             startTime
           ));
         };
-        return go$readdir(path29, options, cb);
-        function fs$readdirCallback(path30, options2, cb2, startTime) {
+        return go$readdir(path28, options, cb);
+        function fs$readdirCallback(path29, options2, cb2, startTime) {
           return function(err, files) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
               enqueue([
                 go$readdir,
-                [path30, options2, cb2],
+                [path29, options2, cb2],
                 err,
                 startTime || Date.now(),
                 Date.now()
@@ -1125,21 +1125,21 @@ var require_graceful_fs = __commonJS({
         }
       }
       if (process.version.substr(0, 4) === "v0.8") {
-        var legStreams = legacy(fs23);
+        var legStreams = legacy(fs24);
         ReadStream = legStreams.ReadStream;
         WriteStream = legStreams.WriteStream;
       }
-      var fs$ReadStream = fs23.ReadStream;
+      var fs$ReadStream = fs24.ReadStream;
       if (fs$ReadStream) {
         ReadStream.prototype = Object.create(fs$ReadStream.prototype);
         ReadStream.prototype.open = ReadStream$open;
       }
-      var fs$WriteStream = fs23.WriteStream;
+      var fs$WriteStream = fs24.WriteStream;
       if (fs$WriteStream) {
         WriteStream.prototype = Object.create(fs$WriteStream.prototype);
         WriteStream.prototype.open = WriteStream$open;
       }
-      Object.defineProperty(fs23, "ReadStream", {
+      Object.defineProperty(fs24, "ReadStream", {
         get: function() {
           return ReadStream;
         },
@@ -1149,7 +1149,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      Object.defineProperty(fs23, "WriteStream", {
+      Object.defineProperty(fs24, "WriteStream", {
         get: function() {
           return WriteStream;
         },
@@ -1160,7 +1160,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileReadStream = ReadStream;
-      Object.defineProperty(fs23, "FileReadStream", {
+      Object.defineProperty(fs24, "FileReadStream", {
         get: function() {
           return FileReadStream;
         },
@@ -1171,7 +1171,7 @@ var require_graceful_fs = __commonJS({
         configurable: true
       });
       var FileWriteStream = WriteStream;
-      Object.defineProperty(fs23, "FileWriteStream", {
+      Object.defineProperty(fs24, "FileWriteStream", {
         get: function() {
           return FileWriteStream;
         },
@@ -1181,7 +1181,7 @@ var require_graceful_fs = __commonJS({
         enumerable: true,
         configurable: true
       });
-      function ReadStream(path29, options) {
+      function ReadStream(path28, options) {
         if (this instanceof ReadStream)
           return fs$ReadStream.apply(this, arguments), this;
         else
@@ -1201,7 +1201,7 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function WriteStream(path29, options) {
+      function WriteStream(path28, options) {
         if (this instanceof WriteStream)
           return fs$WriteStream.apply(this, arguments), this;
         else
@@ -1219,22 +1219,22 @@ var require_graceful_fs = __commonJS({
           }
         });
       }
-      function createReadStream(path29, options) {
-        return new fs23.ReadStream(path29, options);
+      function createReadStream(path28, options) {
+        return new fs24.ReadStream(path28, options);
       }
-      function createWriteStream(path29, options) {
-        return new fs23.WriteStream(path29, options);
+      function createWriteStream(path28, options) {
+        return new fs24.WriteStream(path28, options);
       }
-      var fs$open = fs23.open;
-      fs23.open = open;
-      function open(path29, flags, mode, cb) {
+      var fs$open = fs24.open;
+      fs24.open = open;
+      function open(path28, flags, mode, cb) {
         if (typeof mode === "function")
           cb = mode, mode = null;
-        return go$open(path29, flags, mode, cb);
-        function go$open(path30, flags2, mode2, cb2, startTime) {
-          return fs$open(path30, flags2, mode2, function(err, fd) {
+        return go$open(path28, flags, mode, cb);
+        function go$open(path29, flags2, mode2, cb2, startTime) {
+          return fs$open(path29, flags2, mode2, function(err, fd) {
             if (err && (err.code === "EMFILE" || err.code === "ENFILE"))
-              enqueue([go$open, [path30, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
+              enqueue([go$open, [path29, flags2, mode2, cb2], err, startTime || Date.now(), Date.now()]);
             else {
               if (typeof cb2 === "function")
                 cb2.apply(this, arguments);
@@ -1242,20 +1242,20 @@ var require_graceful_fs = __commonJS({
           });
         }
       }
-      return fs23;
+      return fs24;
     }
     function enqueue(elem) {
       debug("ENQUEUE", elem[0].name, elem[1]);
-      fs22[gracefulQueue].push(elem);
+      fs23[gracefulQueue].push(elem);
       retry();
     }
     var retryTimer;
     function resetQueue() {
       var now = Date.now();
-      for (var i = 0; i < fs22[gracefulQueue].length; ++i) {
-        if (fs22[gracefulQueue][i].length > 2) {
-          fs22[gracefulQueue][i][3] = now;
-          fs22[gracefulQueue][i][4] = now;
+      for (var i = 0; i < fs23[gracefulQueue].length; ++i) {
+        if (fs23[gracefulQueue][i].length > 2) {
+          fs23[gracefulQueue][i][3] = now;
+          fs23[gracefulQueue][i][4] = now;
         }
       }
       retry();
@@ -1263,9 +1263,9 @@ var require_graceful_fs = __commonJS({
     function retry() {
       clearTimeout(retryTimer);
       retryTimer = void 0;
-      if (fs22[gracefulQueue].length === 0)
+      if (fs23[gracefulQueue].length === 0)
         return;
-      var elem = fs22[gracefulQueue].shift();
+      var elem = fs23[gracefulQueue].shift();
       var fn = elem[0];
       var args = elem[1];
       var err = elem[2];
@@ -1287,7 +1287,7 @@ var require_graceful_fs = __commonJS({
           debug("RETRY", fn.name, args);
           fn.apply(null, args.concat([startTime]));
         } else {
-          fs22[gracefulQueue].push(elem);
+          fs23[gracefulQueue].push(elem);
         }
       }
       if (retryTimer === void 0) {
@@ -1722,10 +1722,10 @@ var require_mtime_precision = __commonJS({
   "../../node_modules/proper-lockfile/lib/mtime-precision.js"(exports2, module2) {
     "use strict";
     var cacheSymbol = /* @__PURE__ */ Symbol();
-    function probe(file, fs22, callback) {
-      const cachedPrecision = fs22[cacheSymbol];
+    function probe(file, fs23, callback) {
+      const cachedPrecision = fs23[cacheSymbol];
       if (cachedPrecision) {
-        return fs22.stat(file, (err, stat) => {
+        return fs23.stat(file, (err, stat) => {
           if (err) {
             return callback(err);
           }
@@ -1733,16 +1733,16 @@ var require_mtime_precision = __commonJS({
         });
       }
       const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
-      fs22.utimes(file, mtime, mtime, (err) => {
+      fs23.utimes(file, mtime, mtime, (err) => {
         if (err) {
           return callback(err);
         }
-        fs22.stat(file, (err2, stat) => {
+        fs23.stat(file, (err2, stat) => {
           if (err2) {
             return callback(err2);
           }
           const precision = stat.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
-          Object.defineProperty(fs22, cacheSymbol, { value: precision });
+          Object.defineProperty(fs23, cacheSymbol, { value: precision });
           callback(null, stat.mtime, precision);
         });
       });
@@ -1763,8 +1763,8 @@ var require_mtime_precision = __commonJS({
 var require_lockfile = __commonJS({
   "../../node_modules/proper-lockfile/lib/lockfile.js"(exports2, module2) {
     "use strict";
-    var path29 = require("path");
-    var fs22 = require_graceful_fs();
+    var path28 = require("path");
+    var fs23 = require_graceful_fs();
     var retry = require_retry2();
     var onExit = require_signal_exit();
     var mtimePrecision = require_mtime_precision();
@@ -1774,7 +1774,7 @@ var require_lockfile = __commonJS({
     }
     function resolveCanonicalPath(file, options, callback) {
       if (!options.realpath) {
-        return callback(null, path29.resolve(file));
+        return callback(null, path28.resolve(file));
       }
       options.fs.realpath(file, callback);
     }
@@ -1895,7 +1895,7 @@ var require_lockfile = __commonJS({
         update: null,
         realpath: true,
         retries: 0,
-        fs: fs22,
+        fs: fs23,
         onCompromised: (err) => {
           throw err;
         },
@@ -1939,7 +1939,7 @@ var require_lockfile = __commonJS({
     }
     function unlock(file, options, callback) {
       options = {
-        fs: fs22,
+        fs: fs23,
         realpath: true,
         ...options
       };
@@ -1961,7 +1961,7 @@ var require_lockfile = __commonJS({
       options = {
         stale: 1e4,
         realpath: true,
-        fs: fs22,
+        fs: fs23,
         ...options
       };
       options.stale = Math.max(options.stale || 0, 2e3);
@@ -2000,16 +2000,16 @@ var require_lockfile = __commonJS({
 var require_adapter = __commonJS({
   "../../node_modules/proper-lockfile/lib/adapter.js"(exports2, module2) {
     "use strict";
-    var fs22 = require_graceful_fs();
-    function createSyncFs(fs23) {
+    var fs23 = require_graceful_fs();
+    function createSyncFs(fs24) {
       const methods = ["mkdir", "realpath", "stat", "rmdir", "utimes"];
-      const newFs = { ...fs23 };
+      const newFs = { ...fs24 };
       methods.forEach((method) => {
         newFs[method] = (...args) => {
           const callback = args.pop();
           let ret;
           try {
-            ret = fs23[`${method}Sync`](...args);
+            ret = fs24[`${method}Sync`](...args);
           } catch (err) {
             return callback(err);
           }
@@ -2047,7 +2047,7 @@ var require_adapter = __commonJS({
     }
     function toSyncOptions(options) {
       options = { ...options };
-      options.fs = createSyncFs(options.fs || fs22);
+      options.fs = createSyncFs(options.fs || fs23);
       if (typeof options.retries === "number" && options.retries > 0 || options.retries && typeof options.retries.retries === "number" && options.retries.retries > 0) {
         throw Object.assign(new Error("Cannot use retries with the sync api"), { code: "ESYNC" });
       }
@@ -2303,7 +2303,7 @@ var require_age_encryption = __commonJS({
       Object.assign(hashC, info);
       return Object.freeze(hashC);
     }
-    function randomBytes4(bytesLength = 32) {
+    function randomBytes5(bytesLength = 32) {
       anumber(bytesLength, "bytesLength");
       const cr = typeof globalThis === "object" ? globalThis.crypto : null;
       if (typeof cr?.getRandomValues !== "function")
@@ -3030,7 +3030,7 @@ var require_age_encryption = __commonJS({
       };
     }
     // @__NO_SIDE_EFFECTS__
-    function join21(separator = "") {
+    function join20(separator = "") {
       astr("join", separator);
       return {
         encode: (from) => {
@@ -3160,9 +3160,9 @@ var require_age_encryption = __commonJS({
       decode(s) {
         return decodeBase64Builtin(s, false);
       }
-    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join21("")));
-    var base64nopad = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join21("")));
-    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join21(""));
+    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join20("")));
+    var base64nopad = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join20("")));
+    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join20(""));
     var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
     function bech32Polymod(pre) {
       const b = pre >> 25;
@@ -7655,7 +7655,7 @@ var require_age_encryption = __commonJS({
     var concatBytes4 = (...arrays) => concatBytes(...arrays);
     var hexToBytes3 = (hex) => hexToBytes(hex);
     var isBytes5 = isBytes;
-    var randomBytes5 = (bytesLength) => randomBytes4(bytesLength);
+    var randomBytes52 = (bytesLength) => randomBytes5(bytesLength);
     var _0n7 = /* @__PURE__ */ BigInt(0);
     var _1n8 = /* @__PURE__ */ BigInt(1);
     function abool3(value, title = "") {
@@ -9127,7 +9127,7 @@ var require_age_encryption = __commonJS({
     }
     function ecdh2(Point, ecdhOpts = {}) {
       const { Fn: Fn2 } = Point;
-      const randomBytes_ = ecdhOpts.randomBytes === void 0 ? randomBytes5 : ecdhOpts.randomBytes;
+      const randomBytes_ = ecdhOpts.randomBytes === void 0 ? randomBytes52 : ecdhOpts.randomBytes;
       const lengths = Object.assign(getWLengths2(Point.Fp, Fn2), {
         seed: Math.max(getMinHashLength2(Fn2.ORDER), 16)
       });
@@ -9201,7 +9201,7 @@ var require_age_encryption = __commonJS({
         bits2int_modN: "function"
       });
       ecdsaOpts = Object.assign({}, ecdsaOpts);
-      const randomBytes6 = ecdsaOpts.randomBytes === void 0 ? randomBytes5 : ecdsaOpts.randomBytes;
+      const randomBytes6 = ecdsaOpts.randomBytes === void 0 ? randomBytes52 : ecdsaOpts.randomBytes;
       const hmac3 = ecdsaOpts.hmac === void 0 ? (key, msg) => hmac(hash_, key, msg) : ecdsaOpts.hmac;
       const { Fp: Fp2, Fn: Fn2 } = Point;
       const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn2;
@@ -9815,7 +9815,7 @@ var require_age_encryption = __commonJS({
       const is25519 = type === "x25519";
       if (!is25519 && type !== "x448")
         throw new Error("invalid type");
-      const randomBytes_ = rand === void 0 ? randomBytes5 : rand;
+      const randomBytes_ = rand === void 0 ? randomBytes52 : rand;
       const montgomeryBits = is25519 ? 255 : 448;
       const fieldLen = is25519 ? 32 : 56;
       const Gu = is25519 ? BigInt(9) : BigInt(5);
@@ -10449,12 +10449,12 @@ var require_age_encryption = __commonJS({
       return generateX25519Identity();
     }
     function generateX25519Identity() {
-      const scalar = randomBytes4(32);
+      const scalar = randomBytes5(32);
       const identity = bech32.encodeFromBytes("AGE-SECRET-KEY-", scalar).toUpperCase();
       return Promise.resolve(identity);
     }
     function generateHybridIdentity() {
-      const scalar = randomBytes4(32);
+      const scalar = randomBytes5(32);
       const identity = bech32.encodeFromBytes("AGE-SECRET-KEY-PQ-", scalar).toUpperCase();
       return Promise.resolve(identity);
     }
@@ -10662,7 +10662,7 @@ var require_age_encryption = __commonJS({
         this.recipient = res.bytes;
       }
       async wrapFileKey(fileKey) {
-        const ephemeral = randomBytes4(32);
+        const ephemeral = randomBytes5(32);
         const share = await scalarMultBase(ephemeral);
         const secret = await scalarMult(ephemeral, this.recipient);
         const salt = new Uint8Array(share.length + this.recipient.length);
@@ -10723,7 +10723,7 @@ var require_age_encryption = __commonJS({
         this.logN = logN;
       }
       wrapFileKey(fileKey) {
-        const salt = randomBytes4(16);
+        const salt = randomBytes5(16);
         const label2 = "age-encryption.org/v1/scrypt";
         const labelAndSalt = new Uint8Array(label2.length + 16);
         labelAndSalt.set(new TextEncoder().encode(label2));
@@ -11058,7 +11058,7 @@ var require_age_encryption = __commonJS({
           rp: { name: "", id: options.rpId },
           user: {
             name: options.keyName,
-            id: domBuffer2(randomBytes4(8)),
+            id: domBuffer2(randomBytes5(8)),
             // avoid overwriting existing keys
             displayName: ""
           },
@@ -11128,7 +11128,7 @@ var require_age_encryption = __commonJS({
               transports: this.transports,
               type: "public-key"
             }] : [],
-            challenge: domBuffer2(randomBytes4(16)),
+            challenge: domBuffer2(randomBytes5(16)),
             extensions: { prf: { eval: prfInputs(nonce) } },
             userVerification: "required",
             // prf requires UV
@@ -11147,7 +11147,7 @@ var require_age_encryption = __commonJS({
        * Implements {@link Recipient.wrapFileKey}.
        */
       async wrapFileKey(fileKey) {
-        const nonce = randomBytes4(16);
+        const nonce = randomBytes5(16);
         const results = await this.getCredential(nonce);
         const key = deriveKey(results);
         return [new Stanza([label, base64nopad.encode(nonce)], encryptFileKey(fileKey, key))];
@@ -11270,7 +11270,7 @@ var require_age_encryption = __commonJS({
         }
       }
       async encrypt(file) {
-        const fileKey = randomBytes4(16);
+        const fileKey = randomBytes5(16);
         const stanzas = [];
         let recipients = this.recipients;
         if (this.passphrase !== null) {
@@ -11283,7 +11283,7 @@ var require_age_encryption = __commonJS({
         const hmacKey = hkdf(sha256, fileKey, void 0, labelHeader, 32);
         const mac = hmac(sha256, hmacKey, encodeHeaderNoMAC(stanzas));
         const header = encodeHeader(stanzas, mac);
-        const nonce = randomBytes4(16);
+        const nonce = randomBytes5(16);
         const labelPayload = new TextEncoder().encode("payload");
         const streamKey = hkdf(sha256, fileKey, nonce, labelPayload, 32);
         const encrypter = encryptSTREAM(streamKey);
@@ -11420,7 +11420,6 @@ var index_exports = {};
 __export(index_exports, {
   ArtifactPacker: () => ArtifactPacker,
   BackendMigrator: () => BackendMigrator,
-  BulkOps: () => BulkOps,
   CLEF_MANIFEST_FILENAME: () => CLEF_MANIFEST_FILENAME,
   CLEF_POLICY_FILENAME: () => CLEF_POLICY_FILENAME,
   CLEF_REPORT_SCHEMA_VERSION: () => CLEF_REPORT_SCHEMA_VERSION,
@@ -11434,6 +11433,7 @@ __export(index_exports, {
   DiffEngine: () => DiffEngine,
   DriftDetector: () => DriftDetector,
   FilePackOutput: () => FilePackOutput,
+  FilesystemStorageBackend: () => FilesystemStorageBackend,
   GitIntegration: () => GitIntegration,
   GitOperationError: () => GitOperationError,
   ImportRunner: () => ImportRunner,
@@ -11450,7 +11450,6 @@ __export(index_exports, {
   PolicyValidationError: () => PolicyValidationError,
   REQUESTS_FILENAME: () => REQUESTS_FILENAME,
   REQUIREMENTS: () => REQUIREMENTS,
-  REVEAL_WARNING: () => REVEAL_WARNING,
   RecipientManager: () => RecipientManager,
   ReportGenerator: () => ReportGenerator,
   ReportSanitizer: () => ReportSanitizer,
@@ -11467,6 +11466,7 @@ __export(index_exports, {
   SopsMergeDriver: () => SopsMergeDriver,
   SopsMissingError: () => SopsMissingError,
   SopsVersionError: () => SopsVersionError,
+  SourceCapabilityUnsupportedError: () => SourceCapabilityUnsupportedError,
   StructureManager: () => StructureManager,
   SyncManager: () => SyncManager,
   TransactionLockError: () => TransactionLockError,
@@ -11486,11 +11486,11 @@ __export(index_exports, {
   checkAll: () => checkAll,
   checkDependency: () => checkDependency,
   collectCIContext: () => collectCIContext,
+  composeSecretSource: () => composeSecretSource,
   computeCiphertextHash: () => computeCiphertextHash,
   deriveAgePublicKey: () => deriveAgePublicKey,
+  describeCapabilities: () => describeCapabilities,
   describeScope: () => describeScope,
-  detectAlgorithm: () => detectAlgorithm,
-  detectFormat: () => detectFormat,
   emptyTemplate: () => emptyTemplate,
   exampleTemplate: () => exampleTemplate,
   findRequest: () => findRequest,
@@ -11498,35 +11498,27 @@ __export(index_exports, {
   formatRevealWarning: () => formatRevealWarning,
   generateAgeIdentity: () => generateAgeIdentity,
   generateRandomValue: () => generateRandomValue,
-  generateSigningKeyPair: () => generateSigningKeyPair,
-  getPendingKeys: () => getPendingKeys,
-  getRotations: () => getRotations,
+  isBulk: () => isBulk,
   isClefHsmArn: () => isClefHsmArn,
-  isHighEntropy: () => isHighEntropy,
   isKmsEnvelope: () => isKmsEnvelope,
+  isLintable: () => isLintable,
+  isMergeAware: () => isMergeAware,
+  isMigratable: () => isMigratable,
   isPackedArtifact: () => isPackedArtifact,
-  isPending: () => isPending,
+  isRecipientManaged: () => isRecipientManaged,
+  isRotatable: () => isRotatable,
+  isStructural: () => isStructural,
   keyPreview: () => keyPreview,
-  loadIgnoreRules: () => loadIgnoreRules,
-  loadMetadata: () => loadMetadata,
   loadRequests: () => loadRequests,
   markPending: () => markPending,
-  markPendingWithRetry: () => markPendingWithRetry,
   markResolved: () => markResolved,
-  matchPatterns: () => matchPatterns,
-  mergeMetadataContents: () => mergeMetadataContents,
   mergeMetadataFiles: () => mergeMetadataFiles,
-  metadataPath: () => metadataPath,
   parse: () => parse9,
-  parseDotenv: () => parseDotenv,
-  parseIgnoreContent: () => parseIgnoreContent,
-  parseJson: () => parseJson,
   parseSignerKey: () => parseSignerKey,
   parseYaml: () => parseYaml,
   pkcs11UriToSyntheticArn: () => pkcs11UriToSyntheticArn,
   readManifestYaml: () => readManifestYaml,
   recordRotation: () => recordRotation,
-  redactValue: () => redactValue,
   removeAccessRequest: () => removeRequest,
   removeRotation: () => removeRotation,
   requestsFilePath: () => requestsFilePath,
@@ -11538,22 +11530,18 @@ __export(index_exports, {
   resolveRecipientsForEnvironment: () => resolveRecipientsForEnvironment,
   resolveSopsPath: () => resolveSopsPath,
   runCompliance: () => runCompliance,
-  saveMetadata: () => saveMetadata,
   saveRequests: () => saveRequests,
-  serializeSchema: () => serializeSchema,
-  shannonEntropy: () => shannonEntropy,
-  shouldIgnoreFile: () => shouldIgnoreFile,
-  shouldIgnoreMatch: () => shouldIgnoreMatch,
-  signEd25519: () => signEd25519,
-  signKms: () => signKms,
+  shouldUseLinuxStdinFifo: () => shouldUseLinuxStdinFifo,
   spawnKeyservice: () => spawnKeyservice,
   syntheticArnToPkcs11Uri: () => syntheticArnToPkcs11Uri,
   tryBundledKeyservice: () => tryBundledKeyservice,
   upsertRequest: () => upsertRequest,
   validateAgePublicKey: () => validateAgePublicKey,
+  validateAwsKmsArn: () => validateAwsKmsArn,
   validatePackedArtifact: () => validatePackedArtifact,
   validateResetScope: () => validateResetScope,
   verifySignature: () => verifySignature,
+  wrapWithLinuxStdinFifo: () => wrapWithLinuxStdinFifo,
   writeManifestYaml: () => writeManifestYaml,
   writeManifestYamlRaw: () => writeManifestYamlRaw,
   writeSchema: () => writeSchema,
@@ -11728,11 +11716,98 @@ function keyPreview(key) {
   return `age1\u2026${last8}`;
 }
 
+// src/kms/aws-arn.ts
+var PARTITION_PATTERN = /^aws(?:-[a-z]+)*$/;
+var REGION_PATTERN = /^[a-z]{2,}(?:-[a-z]+)+-\d+$/;
+var ACCOUNT_PATTERN = /^\d{12}$/;
+function validateAwsKmsArn(input) {
+  if (typeof input !== "string") {
+    return { ok: false, reason: "value must be a string" };
+  }
+  if (input.length === 0) {
+    return { ok: false, reason: "value is empty" };
+  }
+  if (!input.startsWith("arn:")) {
+    return {
+      ok: false,
+      reason: "expected an ARN starting with 'arn:' (got a bare key id, alias name, or other format). Use a full ARN like 'arn:aws:kms:us-east-1:123456789012:alias/<name>'."
+    };
+  }
+  const segments = input.split(":");
+  if (segments.length < 6) {
+    return {
+      ok: false,
+      reason: `expected 6 colon-delimited segments (arn:aws:kms:<region>:<account>:<resource>), got ${segments.length}. Check that the region and account aren't missing.`
+    };
+  }
+  if (segments.length > 6) {
+    return {
+      ok: false,
+      reason: `expected exactly 6 colon-delimited segments, got ${segments.length}. Check for stray ':' characters.`
+    };
+  }
+  const [, partition, service, region, account, resource] = segments;
+  if (!PARTITION_PATTERN.test(partition)) {
+    return {
+      ok: false,
+      reason: `partition segment '${partition}' is not recognized. Expected 'aws', 'aws-us-gov', 'aws-cn', etc.`
+    };
+  }
+  if (service !== "kms") {
+    return {
+      ok: false,
+      reason: `service segment must be 'kms', got '${service}'.`
+    };
+  }
+  if (region.length === 0) {
+    return {
+      ok: false,
+      reason: "region segment is empty (look for '::' between 'kms' and the account id). Set a region like 'us-east-1' before reconstructing the ARN \u2014 common cause: a $REGION shell variable was unset when the ARN was built."
+    };
+  }
+  if (!REGION_PATTERN.test(region)) {
+    return {
+      ok: false,
+      reason: `region segment '${region}' doesn't look like an AWS region (expected e.g. 'us-east-1', 'eu-west-2').`
+    };
+  }
+  if (account.length === 0) {
+    return {
+      ok: false,
+      reason: "account segment is empty. Provide the 12-digit AWS account id."
+    };
+  }
+  if (!ACCOUNT_PATTERN.test(account)) {
+    return {
+      ok: false,
+      reason: `account segment '${account}' must be exactly 12 digits.`
+    };
+  }
+  if (!resource || resource.length === 0) {
+    return {
+      ok: false,
+      reason: "resource segment is empty. Expected 'key/<id>' or 'alias/<name>' after the account."
+    };
+  }
+  if (!resource.startsWith("key/") && !resource.startsWith("alias/")) {
+    return {
+      ok: false,
+      reason: `resource '${resource}' must start with 'key/' or 'alias/'.`
+    };
+  }
+  if (resource === "key/" || resource === "alias/") {
+    return {
+      ok: false,
+      reason: "resource id is empty after 'key/' or 'alias/'."
+    };
+  }
+  return { ok: true };
+}
+
 // src/manifest/parser.ts
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
 var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp", "hsm"];
 var PKCS11_URI_PATTERN = /^pkcs11:[a-zA-Z][a-zA-Z0-9_-]*=[^;]+/;
-var AWS_KMS_ARN_PATTERN = /^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d+:(key|alias)\/.+$/;
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
@@ -12255,11 +12330,14 @@ var ManifestParser = class {
                 "service_identities"
               );
             }
-            if (kmsObj.provider === "aws" && !AWS_KMS_ARN_PATTERN.test(kmsObj.keyId)) {
-              throw new ManifestValidationError(
-                `Service identity '${siName}' environment '${envName}': kms.keyId must be a full AWS KMS ARN (e.g. arn:aws:kms:us-east-1:123456789012:key/abcd-1234), got '${kmsObj.keyId}'.`,
-                "service_identities"
-              );
+            if (kmsObj.provider === "aws") {
+              const arnValidation = validateAwsKmsArn(kmsObj.keyId);
+              if (!arnValidation.ok) {
+                throw new ManifestValidationError(
+                  `Service identity '${siName}' environment '${envName}': kms.keyId is not a valid AWS KMS ARN \u2014 ${arnValidation.reason} (got '${kmsObj.keyId}'). Expected shape: arn:aws:kms:<region>:<account>:key/<id> or arn:aws:kms:<region>:<account>:alias/<name>.`,
+                  "service_identities"
+                );
+              }
             }
             if (Object.prototype.hasOwnProperty.call(kmsObj, "region")) {
               throw new ManifestValidationError(
@@ -12334,6 +12412,18 @@ function readManifestYaml(repoRoot) {
   return YAML2.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
+  const parser = new ManifestParser();
+  try {
+    parser.validate(doc);
+  } catch (err) {
+    if (err instanceof ManifestValidationError) {
+      throw new ManifestValidationError(
+        `Refusing to write invalid manifest: ${err.message}`,
+        err.field
+      );
+    }
+    throw err;
+  }
   const manifestPath = path.join(repoRoot, CLEF_MANIFEST_FILENAME);
   import_write_file_atomic.default.sync(manifestPath, YAML2.stringify(doc));
 }
@@ -12804,10 +12894,6 @@ async function getPendingKeys(filePath) {
   const metadata = await loadMetadata(filePath);
   return metadata.pending.map((p) => p.key);
 }
-async function isPending(filePath, key) {
-  const metadata = await loadMetadata(filePath);
-  return metadata.pending.some((p) => p.key === key);
-}
 async function recordRotation(filePath, keys, rotatedBy, now = /* @__PURE__ */ new Date()) {
   const metadata = await loadMetadata(filePath);
   for (const key of keys) {
@@ -12843,14 +12929,6 @@ async function getRotations(filePath) {
 function generateRandomValue() {
   return crypto2.randomBytes(32).toString("hex");
 }
-async function markPendingWithRetry(filePath, keys, setBy, retryDelayMs = 200) {
-  try {
-    await markPending(filePath, keys, setBy);
-  } catch {
-    await new Promise((r) => setTimeout(r, retryDelayMs));
-    await markPending(filePath, keys, setBy);
-  }
-}
 
 // src/sops/keys.ts
 var fs6 = __toESM(require("fs"));
@@ -12900,34 +12978,17 @@ var MatrixManager = class {
   detectMissingCells(manifest, repoRoot) {
     return this.resolveMatrix(manifest, repoRoot).filter((cell) => !cell.exists);
   }
-  /**
-   * Create an empty encrypted SOPS file for a missing matrix cell.
-   *
-   * @param cell - The cell to scaffold (must not already exist).
-   * @param sopsClient - SOPS client used to write the initial encrypted file.
-   * @param manifest - Parsed manifest used to determine the encryption backend.
-   */
-  async scaffoldCell(cell, sopsClient, manifest) {
-    const dir = path5.dirname(cell.filePath);
-    if (!fs7.existsSync(dir)) {
-      fs7.mkdirSync(dir, { recursive: true });
-    }
-    await sopsClient.encrypt(cell.filePath, {}, manifest, cell.environment);
-  }
   /**
    * Read each cell and return key counts, pending counts, and cross-environment issues.
    *
-   * The SOPS client parameter is currently unused — keys are read from the
-   * plaintext YAML structure directly, no decryption needed. It is retained
-   * in the signature for back-compat with callers that may need to swap to a
-   * decrypt-based implementation later (e.g. for backends that don't expose
-   * key names without decryption).
+   * Keys are read from the plaintext YAML structure directly — no
+   * decryption needed. A future backend that doesn't expose key names
+   * without decryption would need its own implementation.
    *
    * @param manifest - Parsed manifest.
    * @param repoRoot - Absolute path to the repository root.
-   * @param _sopsClient - Reserved for future use; pass any `EncryptionBackend`.
    */
-  async getMatrixStatus(manifest, repoRoot, _sopsClient) {
+  async getMatrixStatus(manifest, repoRoot) {
     const cells = this.resolveMatrix(manifest, repoRoot);
     const statuses = [];
     const cellKeys = /* @__PURE__ */ new Map();
@@ -13243,7 +13304,6 @@ function orderedKeys(keys) {
 }
 
 // src/diff/engine.ts
-var path7 = __toESM(require("path"));
 var DiffEngine = class {
   /**
    * Compare two in-memory value maps and produce a sorted diff result.
@@ -13294,131 +13354,21 @@ var DiffEngine = class {
    * @param namespace - Namespace containing both cells.
    * @param envA - Name of environment A.
    * @param envB - Name of environment B.
-   * @param manifest - Parsed manifest used to resolve file paths.
-   * @param sopsClient - SOPS client used to decrypt both files.
-   * @param repoRoot - Absolute path to the repository root.
-   * @throws {@link SopsDecryptionError} If either file cannot be decrypted.
+   * @param source - SecretSource that resolves both cells (substrate-agnostic).
+   * @throws {@link SopsDecryptionError} If either cell cannot be decrypted.
    */
-  async diffFiles(namespace, envA, envB, manifest, sopsClient, repoRoot) {
-    const fileA = path7.join(
-      repoRoot,
-      manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envA)
-    );
-    const fileB = path7.join(
-      repoRoot,
-      manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envB)
-    );
+  async diffCells(namespace, envA, envB, source) {
     const [decryptedA, decryptedB] = await Promise.all([
-      sopsClient.decrypt(fileA),
-      sopsClient.decrypt(fileB)
+      source.readCell({ namespace, environment: envA }),
+      source.readCell({ namespace, environment: envB })
     ]);
     return this.diff(decryptedA.values, decryptedB.values, envA, envB, namespace);
   }
 };
 
-// src/bulk/ops.ts
-var path8 = __toESM(require("path"));
-var BulkOps = class {
-  constructor(tx) {
-    this.tx = tx;
-  }
-  tx;
-  /**
-   * Set a key to different values in multiple environments at once.
-   *
-   * @param namespace - Target namespace.
-   * @param key - Secret key name to set.
-   * @param values - Map of `{ environment: value }` pairs.
-   * @param manifest - Parsed manifest.
-   * @param sopsClient - SOPS client used to decrypt and re-encrypt each file.
-   * @param repoRoot - Absolute path to the repository root.
-   * @throws Whatever the underlying encrypt throws — the transaction rolls back.
-   */
-  async setAcrossEnvironments(namespace, key, values, manifest, sopsClient, repoRoot) {
-    const targets = manifest.environments.filter((env) => env.name in values).map((env) => ({
-      env: env.name,
-      filePath: path8.join(
-        repoRoot,
-        manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
-      )
-    }));
-    if (targets.length === 0) return;
-    await this.tx.run(repoRoot, {
-      description: `clef set: ${namespace}/${key} across ${targets.length} env(s)`,
-      paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
-      mutate: async () => {
-        for (const target of targets) {
-          const decrypted = await sopsClient.decrypt(target.filePath);
-          decrypted.values[key] = values[target.env];
-          await sopsClient.encrypt(target.filePath, decrypted.values, manifest, target.env);
-        }
-      }
-    });
-  }
-  /**
-   * Delete a key from every environment in a namespace.
-   *
-   * @param namespace - Target namespace.
-   * @param key - Secret key name to delete.
-   * @param manifest - Parsed manifest.
-   * @param sopsClient - SOPS client.
-   * @param repoRoot - Absolute path to the repository root.
-   */
-  async deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot) {
-    const targets = manifest.environments.map((env) => ({
-      env: env.name,
-      filePath: path8.join(
-        repoRoot,
-        manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
-      )
-    }));
-    await this.tx.run(repoRoot, {
-      description: `clef delete: ${namespace}/${key} from ${targets.length} env(s)`,
-      paths: targets.map((t) => path8.relative(repoRoot, t.filePath)),
-      mutate: async () => {
-        for (const target of targets) {
-          const decrypted = await sopsClient.decrypt(target.filePath);
-          if (key in decrypted.values) {
-            delete decrypted.values[key];
-            await sopsClient.encrypt(target.filePath, decrypted.values, manifest, target.env);
-          }
-        }
-      }
-    });
-  }
-  /**
-   * Copy a single key's value from one matrix cell to another.
-   *
-   * @param key - Secret key name to copy.
-   * @param fromCell - Source matrix cell.
-   * @param toCell - Destination matrix cell.
-   * @param sopsClient - SOPS client.
-   * @param manifest - Parsed manifest.
-   * @param repoRoot - Absolute path to the repository root.
-   * @throws `Error` if the key does not exist in the source cell.
-   */
-  async copyValue(key, fromCell, toCell, sopsClient, manifest, repoRoot) {
-    const source = await sopsClient.decrypt(fromCell.filePath);
-    if (!(key in source.values)) {
-      throw new Error(
-        `Key '${key}' does not exist in ${fromCell.namespace}/${fromCell.environment}.`
-      );
-    }
-    await this.tx.run(repoRoot, {
-      description: `clef copy: ${key} from ${fromCell.namespace}/${fromCell.environment} to ${toCell.namespace}/${toCell.environment}`,
-      paths: [path8.relative(repoRoot, toCell.filePath)],
-      mutate: async () => {
-        const dest = await sopsClient.decrypt(toCell.filePath);
-        dest.values[key] = source.values[key];
-        await sopsClient.encrypt(toCell.filePath, dest.values, manifest, toCell.environment);
-      }
-    });
-  }
-};
-
 // src/git/integration.ts
 var fs10 = __toESM(require("fs"));
-var path9 = __toESM(require("path"));
+var path7 = __toESM(require("path"));
 var PRE_COMMIT_HOOK = `#!/bin/sh
 # Clef pre-commit hook \u2014 blocks commits of files missing SOPS encryption metadata
 # and scans staged files for plaintext secrets.
@@ -13594,17 +13544,17 @@ var GitIntegration = class {
    * @returns The kind of operation in progress, or null if none.
    */
   async isMidOperation(repoRoot) {
-    const gitDir = path9.join(repoRoot, ".git");
-    if (fs10.existsSync(path9.join(gitDir, "MERGE_HEAD"))) {
+    const gitDir = path7.join(repoRoot, ".git");
+    if (fs10.existsSync(path7.join(gitDir, "MERGE_HEAD"))) {
       return { midOp: true, kind: "merge" };
     }
-    if (fs10.existsSync(path9.join(gitDir, "rebase-merge")) || fs10.existsSync(path9.join(gitDir, "rebase-apply"))) {
+    if (fs10.existsSync(path7.join(gitDir, "rebase-merge")) || fs10.existsSync(path7.join(gitDir, "rebase-apply"))) {
       return { midOp: true, kind: "rebase" };
     }
-    if (fs10.existsSync(path9.join(gitDir, "CHERRY_PICK_HEAD"))) {
+    if (fs10.existsSync(path7.join(gitDir, "CHERRY_PICK_HEAD"))) {
       return { midOp: true, kind: "cherry-pick" };
     }
-    if (fs10.existsSync(path9.join(gitDir, "REVERT_HEAD"))) {
+    if (fs10.existsSync(path7.join(gitDir, "REVERT_HEAD"))) {
       return { midOp: true, kind: "revert" };
     }
     return { midOp: false };
@@ -13816,14 +13766,14 @@ var GitIntegration = class {
       { cwd: repoRoot }
     );
     const metadataGitConfig = metaConfig.exitCode === 0 && metaConfig.stdout.trim().length > 0;
-    const attrFilePath = path9.join(repoRoot, ".gitattributes");
+    const attrFilePath = path7.join(repoRoot, ".gitattributes");
     const attrContent = fs10.existsSync(attrFilePath) ? fs10.readFileSync(attrFilePath, "utf-8") : "";
     const gitattributes = attrContent.includes("merge=sops");
     const metadataGitattributes = attrContent.includes("merge=clef-metadata");
     return { gitConfig, gitattributes, metadataGitConfig, metadataGitattributes };
   }
   async ensureGitattributes(repoRoot) {
-    const attrPath = path9.join(repoRoot, ".gitattributes");
+    const attrPath = path7.join(repoRoot, ".gitattributes");
     const existing = fs10.existsSync(attrPath) ? fs10.readFileSync(attrPath, "utf-8") : "";
     let newContent = existing;
     if (!existing.includes("merge=sops")) {
@@ -13858,9 +13808,9 @@ ${block}` : block;
    * @throws {@link GitOperationError} On failure.
    */
   async installPreCommitHook(repoRoot) {
-    const hookPath = path9.join(repoRoot, ".git", "hooks", "pre-commit");
+    const hookPath = path7.join(repoRoot, ".git", "hooks", "pre-commit");
     try {
-      const hooksDir = path9.dirname(hookPath);
+      const hooksDir = path7.dirname(hookPath);
       if (!fs10.existsSync(hooksDir)) {
         fs10.mkdirSync(hooksDir, { recursive: true });
       }
@@ -13876,7 +13826,7 @@ ${block}` : block;
 
 // src/tx/transaction-manager.ts
 var fs11 = __toESM(require("fs"));
-var path10 = __toESM(require("path"));
+var path8 = __toESM(require("path"));
 var lockfile = __toESM(require_proper_lockfile());
 
 // src/tx/errors.ts
@@ -13925,15 +13875,15 @@ var TransactionManager = class {
   async run(repoRoot, opts) {
     const shouldCommit = opts.commit !== false;
     const allowDirty = opts.allowDirty === true;
-    const clefDir = path10.join(repoRoot, CLEF_DIR);
+    const clefDir = path8.join(repoRoot, CLEF_DIR);
     if (!fs11.existsSync(clefDir)) {
       fs11.mkdirSync(clefDir, { recursive: true });
     }
-    const clefGitignore = path10.join(clefDir, ".gitignore");
+    const clefGitignore = path8.join(clefDir, ".gitignore");
     if (!fs11.existsSync(clefGitignore)) {
       fs11.writeFileSync(clefGitignore, "*\n");
     }
-    const lockPath = path10.join(clefDir, LOCK_FILE);
+    const lockPath = path8.join(clefDir, LOCK_FILE);
     if (!fs11.existsSync(lockPath)) {
       fs11.writeFileSync(lockPath, "");
     }
@@ -14074,16 +14024,15 @@ var TransactionManager = class {
 var fs14 = __toESM(require("fs"));
 var net = __toESM(require("net"));
 var import_crypto = require("crypto");
-var import_write_file_atomic3 = __toESM(require_lib());
 var YAML8 = __toESM(require("yaml"));
 
 // src/sops/resolver.ts
 var fs13 = __toESM(require("fs"));
-var path12 = __toESM(require("path"));
+var path10 = __toESM(require("path"));
 
 // src/sops/bundled.ts
 var fs12 = __toESM(require("fs"));
-var path11 = __toESM(require("path"));
+var path9 = __toESM(require("path"));
 function tryBundled() {
   const platform = process.platform;
   const arch = process.arch;
@@ -14095,8 +14044,8 @@ function tryBundled() {
   const binName = platform === "win32" ? "sops.exe" : "sops";
   try {
     const packageMain = require.resolve(`${packageName}/package.json`);
-    const packageDir = path11.dirname(packageMain);
-    const binPath = path11.join(packageDir, "bin", binName);
+    const packageDir = path9.dirname(packageMain);
+    const binPath = path9.join(packageDir, "bin", binName);
     return fs12.existsSync(binPath) ? binPath : null;
   } catch {
     return null;
@@ -14105,7 +14054,7 @@ function tryBundled() {
 
 // src/sops/resolver.ts
 function validateSopsPath(candidate) {
-  if (!path12.isAbsolute(candidate)) {
+  if (!path10.isAbsolute(candidate)) {
     throw new Error(`CLEF_SOPS_PATH must be an absolute path, got '${candidate}'.`);
   }
   const segments = candidate.split(/[/\\]/);
@@ -14284,6 +14233,17 @@ function isClefHsmArn(arn) {
 function formatFromPath(filePath) {
   return filePath.endsWith(".json") ? "json" : "yaml";
 }
+async function openInputPipe(content) {
+  if (process.platform === "win32") {
+    const pipe = await openWindowsInputPipe(content);
+    return { inputArg: pipe.inputArg, cleanup: pipe.cleanup };
+  }
+  return { inputArg: "/dev/stdin", cleanup: () => {
+  }, runnerStdin: content };
+}
+function nullConfigPath() {
+  return process.platform === "win32" ? "NUL" : "/dev/null";
+}
 function openWindowsInputPipe(content) {
   const pipeName = `\\\\.\\pipe\\clef-sops-${(0, import_crypto.randomBytes)(8).toString("hex")}`;
   return new Promise((resolve2, reject) => {
@@ -14331,6 +14291,10 @@ var SopsClient = class {
   runner;
   ageKeyFile;
   ageKey;
+  /** {@link EncryptionBackend} identifier. */
+  id = "sops";
+  /** {@link EncryptionBackend} short description (used by `clef doctor`). */
+  description = "SOPS-based encryption via the bundled `sops` binary";
   sopsCommand;
   keyserviceArgs;
   buildSopsEnv() {
@@ -14344,14 +14308,18 @@ var SopsClient = class {
     return Object.keys(env).length > 0 ? env : void 0;
   }
   /**
-   * Decrypt a SOPS-encrypted file and return its values and metadata.
+   * Decrypt a SOPS-encrypted file by path. The only remaining file-path
+   * entry point on this class — kept for the merge driver, which
+   * receives temp filesystem paths from git that don't map onto a
+   * `CellRef`. Production `SecretSource` consumers should call
+   * `source.readCell` instead.
    *
    * @param filePath - Path to the `.enc.yaml` or `.enc.json` file.
    * @returns {@link DecryptedFile} with plaintext values in memory only.
    * @throws {@link SopsKeyNotFoundError} If no matching decryption key is available.
    * @throws {@link SopsDecryptionError} On any other decryption failure.
    */
-  async decrypt(filePath) {
+  async decryptFile(filePath) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
     const env = this.buildSopsEnv();
@@ -14387,170 +14355,9 @@ var SopsClient = class {
     for (const [key, value] of Object.entries(parsed)) {
       values[key] = String(value);
     }
-    const metadata = await this.getMetadata(filePath);
+    const metadata = this.parseMetadataFromFile(filePath);
     return { values, metadata };
   }
-  /**
-   * Encrypt a key/value map and write it to an encrypted SOPS file.
-   *
-   * @param filePath - Destination path for the encrypted file.
-   * @param values - Flat key/value map to encrypt.
-   * @param manifest - Manifest used to determine the encryption backend and key configuration.
-   * @param environment - Optional environment name. When provided, per-env backend overrides
-   *   are resolved from the manifest. When omitted, the global `sops.default_backend` is used.
-   * @throws {@link SopsEncryptionError} On encryption or write failure.
-   */
-  async encrypt(filePath, values, manifest, environment) {
-    await assertSops(this.runner, this.sopsCommand);
-    const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML8.stringify(values);
-    const args = this.buildEncryptArgs(filePath, manifest, environment);
-    const env = this.buildSopsEnv();
-    let inputArg;
-    let pipeCleanup;
-    if (process.platform === "win32") {
-      const pipe = await openWindowsInputPipe(content);
-      inputArg = pipe.inputArg;
-      pipeCleanup = pipe.cleanup;
-    } else {
-      inputArg = "/dev/stdin";
-    }
-    let result;
-    try {
-      const configPath = process.platform === "win32" ? "NUL" : "/dev/null";
-      result = await this.runner.run(
-        this.sopsCommand,
-        [
-          "--config",
-          configPath,
-          "encrypt",
-          ...this.keyserviceArgs,
-          ...args,
-          "--input-type",
-          fmt,
-          "--output-type",
-          fmt,
-          "--filename-override",
-          filePath,
-          inputArg
-        ],
-        {
-          // stdin is still piped on Unix (/dev/stdin reads from it);
-          // on Windows the named pipe server feeds content directly.
-          ...process.platform !== "win32" ? { stdin: content } : {},
-          ...env ? { env } : {}
-        }
-      );
-    } finally {
-      pipeCleanup?.();
-    }
-    if (result.exitCode !== 0) {
-      throw new SopsEncryptionError(
-        `Failed to encrypt '${filePath}': ${result.stderr.trim()}`,
-        filePath
-      );
-    }
-    try {
-      await (0, import_write_file_atomic3.default)(filePath, result.stdout);
-    } catch (err) {
-      throw new SopsEncryptionError(
-        `Failed to write encrypted data to '${filePath}': ${err.message}`,
-        filePath
-      );
-    }
-  }
-  /**
-   * Rotate encryption by adding a new age recipient key to an existing SOPS file.
-   *
-   * @param filePath - Path to the encrypted file to re-encrypt.
-   * @param newKey - New age public key to add as a recipient.
-   * @throws {@link SopsEncryptionError} On failure.
-   */
-  async reEncrypt(filePath, newKey) {
-    await this.addRecipient(filePath, newKey);
-  }
-  /**
-   * Add an age recipient to an existing SOPS file.
-   *
-   * @param filePath - Path to the encrypted file.
-   * @param key - age public key to add as a recipient.
-   * @throws {@link SopsEncryptionError} On failure.
-   */
-  async addRecipient(filePath, key) {
-    await assertSops(this.runner, this.sopsCommand);
-    const env = this.buildSopsEnv();
-    const result = await this.runner.run(
-      this.sopsCommand,
-      ["rotate", ...this.keyserviceArgs, "-i", "--add-age", key, filePath],
-      {
-        ...env ? { env } : {}
-      }
-    );
-    if (result.exitCode !== 0) {
-      throw new SopsEncryptionError(
-        `Failed to add recipient to '${filePath}': ${result.stderr.trim()}`,
-        filePath
-      );
-    }
-  }
-  /**
-   * Remove an age recipient from an existing SOPS file.
-   *
-   * @param filePath - Path to the encrypted file.
-   * @param key - age public key to remove.
-   * @throws {@link SopsEncryptionError} On failure.
-   */
-  async removeRecipient(filePath, key) {
-    await assertSops(this.runner, this.sopsCommand);
-    const env = this.buildSopsEnv();
-    const result = await this.runner.run(
-      this.sopsCommand,
-      ["rotate", ...this.keyserviceArgs, "-i", "--rm-age", key, filePath],
-      {
-        ...env ? { env } : {}
-      }
-    );
-    if (result.exitCode !== 0) {
-      throw new SopsEncryptionError(
-        `Failed to remove recipient from '${filePath}': ${result.stderr.trim()}`,
-        filePath
-      );
-    }
-  }
-  /**
-   * Check whether a file contains valid SOPS encryption metadata.
-   *
-   * @param filePath - Path to the file to check.
-   * @returns `true` if valid SOPS metadata is present; `false` otherwise. Never throws.
-   */
-  async validateEncryption(filePath) {
-    await assertSops(this.runner, this.sopsCommand);
-    try {
-      await this.getMetadata(filePath);
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  /**
-   * Extract SOPS metadata (backend, recipients, last-modified timestamp) from an encrypted file
-   * without decrypting its values.
-   *
-   * @param filePath - Path to the encrypted file.
-   * @returns {@link SopsMetadata} parsed from the file's `sops:` block.
-   * @throws {@link SopsDecryptionError} If the file cannot be read or parsed.
-   */
-  async getMetadata(filePath) {
-    await assertSops(this.runner, this.sopsCommand);
-    const env = this.buildSopsEnv();
-    const result = await this.runner.run(this.sopsCommand, ["filestatus", filePath], {
-      ...env ? { env } : {}
-    });
-    if (result.exitCode !== 0) {
-      return this.parseMetadataFromFile(filePath);
-    }
-    return this.parseMetadataFromFile(filePath);
-  }
   /**
    * Determine whether a decrypt failure is caused by a missing/mismatched key (vs. some other
    * SOPS error) without relying on stderr message text.
@@ -14594,20 +14401,30 @@ var SopsClient = class {
         filePath
       );
     }
+    return this.parseMetadataFromContent(content, filePath);
+  }
+  /**
+   * Parse SOPS metadata from a string (no IO). Used by both
+   * `parseMetadataFromFile` (after reading from disk) and the blob-shaped
+   * `getMetadataFromBlob` (which receives ciphertext directly from a
+   * BlobStore). The `label` is woven into error messages so callers can
+   * include the file path or cell ref the content came from.
+   */
+  parseMetadataFromContent(content, label) {
     let parsed;
     try {
       parsed = YAML8.parse(content);
     } catch {
       throw new SopsDecryptionError(
-        `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
-        filePath
+        `${label} is not valid YAML. Cannot extract SOPS metadata.`,
+        label
       );
     }
     const sops = parsed?.sops;
     if (!sops) {
       throw new SopsDecryptionError(
-        `File '${filePath}' does not contain SOPS metadata. It may not be encrypted.`,
-        filePath
+        `${label} does not contain SOPS metadata. It may not be encrypted.`,
+        label
       );
     }
     const backend = this.detectBackend(sops);
@@ -14670,7 +14487,7 @@ var SopsClient = class {
       }
     }
   }
-  buildEncryptArgs(filePath, manifest, environment) {
+  buildEncryptArgs(manifest, environment) {
     const args = [];
     const config = environment ? resolveBackendConfig(manifest, environment) : {
       backend: manifest.sops.default_backend,
@@ -14718,36 +14535,280 @@ var SopsClient = class {
     }
     return args;
   }
-};
-
-// src/hsm/bundled.ts
-var fs15 = __toESM(require("fs"));
-var path13 = __toESM(require("path"));
-function tryBundledKeyservice() {
-  const platform = process.platform;
-  const arch = process.arch;
-  const archName = arch === "x64" ? "x64" : arch === "arm64" ? "arm64" : null;
-  if (!archName) return null;
-  const platformName = platform === "darwin" ? "darwin" : platform === "linux" ? "linux" : null;
-  if (!platformName) return null;
-  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;
-  const binName = "clef-keyservice";
-  try {
-    const packageMain = require.resolve(`${packageName}/package.json`);
-    const packageDir = path13.dirname(packageMain);
-    const binPath = path13.join(packageDir, "bin", binName);
-    return fs15.existsSync(binPath) ? binPath : null;
-  } catch {
-    return null;
-  }
-}
-
-// src/hsm/resolver.ts
-var fs16 = __toESM(require("fs"));
-var path14 = __toESM(require("path"));
-function validateKeyservicePath(candidate) {
-  if (!path14.isAbsolute(candidate)) {
-    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
+  // ── Blob-shaped methods ─────────────────────────────────────────────────
+  //
+  // These mirror the file-path methods above but operate on opaque
+  // ciphertext bytes via SOPS' stdin/stdout. They are the substrate-
+  // agnostic primitives used by the `composeSecretSource` factory to
+  // wrap any `BlobStore` (filesystem, postgres, etc.) into a full
+  // `SecretSource`. Plaintext never leaves the SOPS subprocess.
+  /**
+   * {@link EncryptionBackend.decrypt} — decrypt SOPS-encrypted bytes (e.g.
+   * read from a `StorageBackend`) and return plaintext values + metadata.
+   * Plaintext lives only in memory.
+   */
+  async decrypt(blob, ctx) {
+    await assertSops(this.runner, this.sopsCommand);
+    const env = this.buildSopsEnv();
+    const pipe = await openInputPipe(blob);
+    let result;
+    try {
+      result = await this.runner.run(
+        this.sopsCommand,
+        [
+          "decrypt",
+          ...this.keyserviceArgs,
+          "--input-type",
+          ctx.format,
+          "--output-type",
+          ctx.format,
+          pipe.inputArg
+        ],
+        {
+          ...pipe.runnerStdin !== void 0 ? { stdin: pipe.runnerStdin } : {},
+          ...env ? { env } : {}
+        }
+      );
+    } finally {
+      pipe.cleanup();
+    }
+    if (result.exitCode !== 0) {
+      const errorType = await this.classifyDecryptErrorFromContent(blob);
+      if (errorType === "key-not-found") {
+        throw new SopsKeyNotFoundError(`No decryption key found for cell. ${result.stderr.trim()}`);
+      }
+      throw new SopsDecryptionError(`Failed to decrypt cell: ${result.stderr.trim()}`);
+    }
+    let parsed;
+    try {
+      parsed = YAML8.parse(result.stdout) ?? {};
+    } catch {
+      throw new SopsDecryptionError("Decrypted content is not valid YAML.");
+    }
+    const values = {};
+    for (const [key, value] of Object.entries(parsed)) {
+      values[key] = String(value);
+    }
+    const metadata = this.parseMetadataFromContent(blob, "<cell>");
+    return { values, metadata };
+  }
+  /**
+   * {@link EncryptionBackend.encrypt} — encrypt plaintext values into a
+   * SOPS-formatted ciphertext blob. Returns the bytes as a string;
+   * caller (typically a `StorageBackend`) decides where to put them.
+   * Plaintext is piped via stdin only.
+   */
+  async encrypt(values, ctx) {
+    await assertSops(this.runner, this.sopsCommand);
+    const content = ctx.format === "json" ? JSON.stringify(values, null, 2) : YAML8.stringify(values);
+    const args = this.buildEncryptArgs(ctx.manifest, ctx.environment);
+    const env = this.buildSopsEnv();
+    const pipe = await openInputPipe(content);
+    let result;
+    try {
+      result = await this.runner.run(
+        this.sopsCommand,
+        [
+          "--config",
+          nullConfigPath(),
+          "encrypt",
+          ...this.keyserviceArgs,
+          ...args,
+          "--input-type",
+          ctx.format,
+          "--output-type",
+          ctx.format,
+          pipe.inputArg
+        ],
+        {
+          ...pipe.runnerStdin !== void 0 ? { stdin: pipe.runnerStdin } : {},
+          ...env ? { env } : {}
+        }
+      );
+    } finally {
+      pipe.cleanup();
+    }
+    if (result.exitCode !== 0) {
+      throw new SopsEncryptionError(`Failed to encrypt cell: ${result.stderr.trim()}`);
+    }
+    return result.stdout;
+  }
+  /**
+   * {@link EncryptionBackend.rotate} — add or remove recipients from an
+   * encrypted SOPS blob via stdin/stdout. Drops the in-place `-i` flag
+   * the deleted file-path-shaped methods used, so SOPS writes the
+   * rotated ciphertext to stdout instead of back to a file. Plaintext
+   * stays inside the SOPS subprocess; no plaintext window exists in
+   * this Node process.
+   *
+   * Single SOPS invocation can both add and remove recipients
+   * simultaneously (matches the CLI flag set).
+   */
+  async rotate(blob, opts, ctx) {
+    await assertSops(this.runner, this.sopsCommand);
+    const env = this.buildSopsEnv();
+    const pipe = await openInputPipe(blob);
+    const flagArgs = [];
+    if (opts.addAge) flagArgs.push("--add-age", opts.addAge);
+    if (opts.rmAge) flagArgs.push("--rm-age", opts.rmAge);
+    if (opts.addKms) flagArgs.push("--add-kms", opts.addKms);
+    if (opts.rmKms) flagArgs.push("--rm-kms", opts.rmKms);
+    if (opts.addGcpKms) flagArgs.push("--add-gcp-kms", opts.addGcpKms);
+    if (opts.rmGcpKms) flagArgs.push("--rm-gcp-kms", opts.rmGcpKms);
+    if (opts.addAzureKv) flagArgs.push("--add-azure-kv", opts.addAzureKv);
+    if (opts.rmAzureKv) flagArgs.push("--rm-azure-kv", opts.rmAzureKv);
+    if (opts.addPgp) flagArgs.push("--add-pgp", opts.addPgp);
+    if (opts.rmPgp) flagArgs.push("--rm-pgp", opts.rmPgp);
+    let result;
+    try {
+      result = await this.runner.run(
+        this.sopsCommand,
+        [
+          "--config",
+          nullConfigPath(),
+          "rotate",
+          ...this.keyserviceArgs,
+          ...flagArgs,
+          "--input-type",
+          ctx.format,
+          "--output-type",
+          ctx.format,
+          pipe.inputArg
+        ],
+        {
+          ...pipe.runnerStdin !== void 0 ? { stdin: pipe.runnerStdin } : {},
+          ...env ? { env } : {}
+        }
+      );
+    } finally {
+      pipe.cleanup();
+    }
+    if (result.exitCode !== 0) {
+      throw new SopsEncryptionError(`Failed to rotate cell: ${result.stderr.trim()}`);
+    }
+    return result.stdout;
+  }
+  /**
+   * {@link EncryptionBackend.getMetadata} — extract SOPS metadata from a
+   * ciphertext blob without decrypting. Pure parser, no IO, no
+   * subprocess.
+   */
+  getMetadata(content) {
+    return this.parseMetadataFromContent(content, "<cell>");
+  }
+  /**
+   * {@link EncryptionBackend.validateEncryption} — whether `content` is a
+   * valid SOPS-encrypted blob (parses + has the `sops:` metadata
+   * block). Never throws.
+   */
+  validateEncryption(content) {
+    try {
+      this.parseMetadataFromContent(content, "<cell>");
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Blob-shaped variant of `classifyDecryptError`. Same logic as the
+   * file-path version but reads metadata from the in-memory ciphertext
+   * instead of disk.
+   */
+  async classifyDecryptErrorFromContent(content) {
+    let metadata;
+    try {
+      metadata = this.parseMetadataFromContent(content, "<cell>");
+    } catch {
+      return "other";
+    }
+    if (metadata.backend !== "age") return "other";
+    if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
+    let keyContent;
+    try {
+      keyContent = this.ageKey ?? fs14.readFileSync(this.ageKeyFile, "utf-8");
+    } catch {
+      return "key-not-found";
+    }
+    const privateKeys = keyContent.split("\n").map((line) => line.trim()).filter((line) => line.startsWith("AGE-SECRET-KEY-"));
+    if (privateKeys.length === 0) return "key-not-found";
+    try {
+      const publicKeys = await Promise.all(privateKeys.map((k) => deriveAgePublicKey(k)));
+      const recipients = new Set(metadata.recipients);
+      return publicKeys.some((pk) => recipients.has(pk)) ? "other" : "key-not-found";
+    } catch {
+      return "other";
+    }
+  }
+};
+
+// src/sops/linux-stdin-fifo.ts
+var os = __toESM(require("os"));
+var path11 = __toESM(require("path"));
+var import_child_process = require("child_process");
+function shouldUseLinuxStdinFifo() {
+  return process.platform === "linux" && !process.env.JEST_WORKER_ID;
+}
+function wrapWithLinuxStdinFifo(runner) {
+  if (!shouldUseLinuxStdinFifo()) return runner;
+  return {
+    run: (cmd, args, opts) => {
+      const stdinIdx = args.indexOf("/dev/stdin");
+      if (stdinIdx < 0 || opts?.stdin === void 0) {
+        return runner.run(cmd, args, opts);
+      }
+      const fifoDir = (0, import_child_process.execFileSync)("mktemp", ["-d", path11.join(os.tmpdir(), "clef-fifo-XXXXXX")]).toString().trim();
+      const fifoPath = path11.join(fifoDir, "input");
+      (0, import_child_process.execFileSync)("mkfifo", [fifoPath]);
+      const writer = (0, import_child_process.spawn)("dd", [`of=${fifoPath}`, "status=none"], {
+        stdio: ["pipe", "ignore", "ignore"]
+      });
+      writer.stdin.write(opts.stdin);
+      writer.stdin.end();
+      const patchedArgs = [...args];
+      patchedArgs[stdinIdx] = fifoPath;
+      const { stdin: _stdin, ...restOpts } = opts;
+      return runner.run(cmd, patchedArgs, restOpts).finally(() => {
+        try {
+          writer.kill();
+        } catch {
+        }
+        try {
+          (0, import_child_process.execFileSync)("rm", ["-rf", fifoDir]);
+        } catch {
+        }
+      });
+    }
+  };
+}
+
+// src/hsm/bundled.ts
+var fs15 = __toESM(require("fs"));
+var path12 = __toESM(require("path"));
+function tryBundledKeyservice() {
+  const platform = process.platform;
+  const arch = process.arch;
+  const archName = arch === "x64" ? "x64" : arch === "arm64" ? "arm64" : null;
+  if (!archName) return null;
+  const platformName = platform === "darwin" ? "darwin" : platform === "linux" ? "linux" : null;
+  if (!platformName) return null;
+  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;
+  const binName = "clef-keyservice";
+  try {
+    const packageMain = require.resolve(`${packageName}/package.json`);
+    const packageDir = path12.dirname(packageMain);
+    const binPath = path12.join(packageDir, "bin", binName);
+    return fs15.existsSync(binPath) ? binPath : null;
+  } catch {
+    return null;
+  }
+}
+
+// src/hsm/resolver.ts
+var fs16 = __toESM(require("fs"));
+var path13 = __toESM(require("path"));
+function validateKeyservicePath(candidate) {
+  if (!path13.isAbsolute(candidate)) {
+    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
   }
   const segments = candidate.split(/[/\\]/);
   if (segments.includes("..")) {
@@ -14781,7 +14842,7 @@ function resetKeyserviceResolution() {
 }
 
 // src/hsm/keyservice.ts
-var import_child_process = require("child_process");
+var import_child_process2 = require("child_process");
 var readline = __toESM(require("readline"));
 var PORT_REGEX = /^PORT=(\d+)$/;
 var STARTUP_TIMEOUT_MS = 5e3;
@@ -14799,7 +14860,7 @@ async function spawnKeyservice(options) {
     ...options.pin ? { CLEF_PKCS11_PIN: options.pin } : {},
     ...options.pinFile ? { CLEF_PKCS11_PIN_FILE: options.pinFile } : {}
   };
-  const child = (0, import_child_process.spawn)(options.binaryPath, args, {
+  const child = (0, import_child_process2.spawn)(options.binaryPath, args, {
     stdio: ["ignore", "pipe", "pipe"],
     env: childEnv
   });
@@ -14875,16 +14936,16 @@ function killGracefully(child) {
 }
 
 // src/lint/runner.ts
-var path15 = __toESM(require("path"));
+var path14 = __toESM(require("path"));
 var LintRunner = class {
-  constructor(matrixManager, schemaValidator, sopsClient) {
+  constructor(matrixManager, schemaValidator, source) {
     this.matrixManager = matrixManager;
     this.schemaValidator = schemaValidator;
-    this.sopsClient = sopsClient;
+    this.source = source;
   }
   matrixManager;
   schemaValidator;
-  sopsClient;
+  source;
   /**
    * Lint the entire matrix: check missing files, schema errors, SOPS integrity,
    * single-recipient warnings, and cross-environment key drift.
@@ -14911,8 +14972,9 @@ var LintRunner = class {
     fileCount = existingCells.length;
     const namespaceKeys = {};
     for (const cell of existingCells) {
+      const ref = { namespace: cell.namespace, environment: cell.environment };
       try {
-        const isValid = await this.sopsClient.validateEncryption(cell.filePath);
+        const isValid = await this.source.validateEncryption(ref);
         if (!isValid) {
           issues.push({
             severity: "error",
@@ -14933,7 +14995,7 @@ var LintRunner = class {
         continue;
       }
       try {
-        const decrypted = await this.sopsClient.decrypt(cell.filePath);
+        const decrypted = await this.source.readCell(ref);
         const keys = Object.keys(decrypted.values);
         if (!namespaceKeys[cell.namespace]) {
           namespaceKeys[cell.namespace] = {};
@@ -14978,7 +15040,7 @@ var LintRunner = class {
         }
         const ns = manifest.namespaces.find((n) => n.name === cell.namespace);
         if (ns?.schema) {
-          const schemaPath = path15.join(repoRoot, ns.schema);
+          const schemaPath = path14.join(repoRoot, ns.schema);
           try {
             const schema = this.schemaValidator.loadSchema(schemaPath);
             const result = this.schemaValidator.validate(decrypted.values, schema);
@@ -15021,7 +15083,8 @@ var LintRunner = class {
           }
         }
         try {
-          const pendingKeys = await getPendingKeys(cell.filePath);
+          const meta = await this.source.getPendingMetadata(ref);
+          const pendingKeys = meta.pending.map((p) => p.key);
           pendingCount += pendingKeys.length;
           for (const pendingKey of pendingKeys) {
             issues.push({
@@ -15074,7 +15137,6 @@ var LintRunner = class {
       const siIssues = await this.lintServiceIdentities(
         manifest.service_identities,
         manifest,
-        repoRoot,
         existingCells
       );
       issues.push(...siIssues);
@@ -15084,18 +15146,27 @@ var LintRunner = class {
     return { issues, fileCount: fileCount + missingCells.length, pendingCount };
   }
   /**
-   * Cross-reference `.clef-meta.yaml` against the cipher's plaintext key
+   * Cross-reference cell metadata against the cipher's plaintext key
    * names for each existing cell.  Reports orphan rotation records and
-   * dual-state (pending + rotation) inconsistencies.  Uses
-   * {@link readSopsKeyNames} (plaintext YAML parse) — no decryption.
+   * dual-state (pending + rotation) inconsistencies.  Uses the source's
+   * `listKeys` (no decryption).
    */
   async lintMetadataConsistency(cells) {
     const issues = [];
     for (const cell of cells) {
-      const keysInCipher = readSopsKeyNames(cell.filePath);
-      if (keysInCipher === null) continue;
-      const cipherKeys = new Set(keysInCipher);
-      const metadata = await loadMetadata(cell.filePath);
+      const ref = { namespace: cell.namespace, environment: cell.environment };
+      let cipherKeys;
+      try {
+        cipherKeys = new Set(await this.source.listKeys(ref));
+      } catch {
+        continue;
+      }
+      let metadata;
+      try {
+        metadata = await this.source.getPendingMetadata(ref);
+      } catch {
+        continue;
+      }
       for (const record of metadata.rotations) {
         if (!cipherKeys.has(record.key)) {
           issues.push({
@@ -15126,7 +15197,7 @@ var LintRunner = class {
   /**
    * Lint service identity configurations for drift issues.
    */
-  async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
+  async lintServiceIdentities(identities, manifest, existingCells) {
     const issues = [];
     const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
     const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
@@ -15167,9 +15238,10 @@ var LintRunner = class {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;
         if (!envConfig.recipient) continue;
+        const ref = { namespace: cell.namespace, environment: cell.environment };
         if (si.namespaces.includes(cell.namespace)) {
           try {
-            const metadata = await this.sopsClient.getMetadata(cell.filePath);
+            const metadata = await this.source.getCellMetadata(ref);
             if (!metadata.recipients.includes(envConfig.recipient)) {
               issues.push({
                 severity: "warning",
@@ -15183,7 +15255,7 @@ var LintRunner = class {
           }
         } else {
           try {
-            const metadata = await this.sopsClient.getMetadata(cell.filePath);
+            const metadata = await this.source.getCellMetadata(ref);
             if (metadata.recipients.includes(envConfig.recipient)) {
               issues.push({
                 severity: "warning",
@@ -15209,7 +15281,10 @@ var LintRunner = class {
   async fix(manifest, repoRoot) {
     const missingCells = this.matrixManager.detectMissingCells(manifest, repoRoot);
     for (const cell of missingCells) {
-      await this.matrixManager.scaffoldCell(cell, this.sopsClient, manifest);
+      await this.source.scaffoldCell(
+        { namespace: cell.namespace, environment: cell.environment },
+        manifest
+      );
     }
     return this.run(manifest, repoRoot);
   }
@@ -15264,15 +15339,12 @@ Use 'clef exec' to inject secrets directly into a process, or 'clef export --for
   }
 };
 
-// src/import/index.ts
-var path17 = __toESM(require("path"));
-
 // src/import/parsers.ts
-var path16 = __toESM(require("path"));
+var path15 = __toESM(require("path"));
 var YAML9 = __toESM(require("yaml"));
 function detectFormat(filePath, content) {
-  const base = path16.basename(filePath);
-  const ext = path16.extname(filePath).toLowerCase();
+  const base = path15.basename(filePath);
+  const ext = path15.extname(filePath).toLowerCase();
   if (base === ".env" || base.startsWith(".env.")) {
     return "dotenv";
   }
@@ -15422,11 +15494,11 @@ function parse9(content, format, filePath) {
 
 // src/import/index.ts
 var ImportRunner = class {
-  constructor(sopsClient, tx) {
-    this.sopsClient = sopsClient;
+  constructor(source, tx) {
+    this.source = source;
     this.tx = tx;
   }
-  sopsClient;
+  source;
   tx;
   /**
    * Parse a source file and import its key/value pairs into a target `namespace/environment` cell.
@@ -15440,10 +15512,8 @@ var ImportRunner = class {
    */
   async import(target, sourcePath, content, manifest, repoRoot, options) {
     const [ns, env] = target.split("/");
-    const filePath = path17.join(
-      repoRoot,
-      manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
-    );
+    const ref = { namespace: ns, environment: env };
+    const relCellPath = manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env);
     const parsed = parse9(content, options.format ?? "auto", sourcePath ?? "");
     let candidates = Object.entries(parsed.pairs);
     if (options.prefix) {
@@ -15461,7 +15531,7 @@ var ImportRunner = class {
     if (options.dryRun) {
       let existingKeys;
       try {
-        const decrypted2 = await this.sopsClient.decrypt(filePath);
+        const decrypted2 = await this.source.readCell(ref);
         existingKeys = new Set(Object.keys(decrypted2.values));
       } catch {
         existingKeys = /* @__PURE__ */ new Set();
@@ -15475,7 +15545,7 @@ var ImportRunner = class {
       }
       return { imported, skipped, failed, warnings, dryRun: true };
     }
-    const decrypted = await this.sopsClient.decrypt(filePath);
+    const decrypted = await this.source.readCell(ref);
     const newValues = { ...decrypted.values };
     const rotatedKeys = [];
     for (const [key, value] of candidates) {
@@ -15492,7 +15562,6 @@ var ImportRunner = class {
     if (imported.length === 0) {
       return { imported, skipped, failed, warnings, dryRun: false };
     }
-    const relCellPath = path17.relative(repoRoot, filePath);
     const relMetaPath = relCellPath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
     await this.tx.run(repoRoot, {
       description: `clef import ${target}: ${imported.length} key(s)`,
@@ -15500,9 +15569,9 @@ var ImportRunner = class {
       // callback are staged and rolled back atomically with the ciphertext.
       paths: [relCellPath, relMetaPath],
       mutate: async () => {
-        await this.sopsClient.encrypt(filePath, newValues, manifest, env);
+        await this.source.writeCell(ref, newValues);
         if (options.rotatedBy && rotatedKeys.length > 0) {
-          await recordRotation(filePath, rotatedKeys, options.rotatedBy);
+          await this.source.recordRotation(ref, rotatedKeys, options.rotatedBy);
         }
       }
     });
@@ -15511,7 +15580,7 @@ var ImportRunner = class {
 };
 
 // src/recipients/index.ts
-var path18 = __toESM(require("path"));
+var path16 = __toESM(require("path"));
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -15579,12 +15648,12 @@ function ensureEnvironmentRecipientsArray(doc, envName) {
   return env.recipients;
 }
 var RecipientManager = class {
-  constructor(encryption, matrixManager, tx) {
-    this.encryption = encryption;
+  constructor(source, matrixManager, tx) {
+    this.source = source;
     this.matrixManager = matrixManager;
     this.tx = tx;
   }
-  encryption;
+  source;
   matrixManager;
   tx;
   /**
@@ -15639,7 +15708,7 @@ var RecipientManager = class {
     const reEncryptedFiles = [];
     await this.tx.run(repoRoot, {
       description: environment ? `clef recipients add ${keyPreview(normalizedKey)} -e ${environment}` : `clef recipients add ${keyPreview(normalizedKey)}`,
-      paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
+      paths: [...cells.map((c) => path16.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
       mutate: async () => {
         const doc = readManifestYaml(repoRoot);
         const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -15650,7 +15719,8 @@ var RecipientManager = class {
         }
         writeManifestYaml(repoRoot, doc);
         for (const cell of cells) {
-          await this.encryption.addRecipient(cell.filePath, normalizedKey);
+          const ref = { namespace: cell.namespace, environment: cell.environment };
+          await this.source.rotate(ref, { addAge: normalizedKey });
           reEncryptedFiles.push(cell.filePath);
         }
       }
@@ -15698,7 +15768,7 @@ var RecipientManager = class {
     const reEncryptedFiles = [];
     await this.tx.run(repoRoot, {
       description: environment ? `clef recipients remove ${keyPreview(trimmedKey)} -e ${environment}` : `clef recipients remove ${keyPreview(trimmedKey)}`,
-      paths: [...cells.map((c) => path18.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
+      paths: [...cells.map((c) => path16.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME],
       mutate: async () => {
         const doc = readManifestYaml(repoRoot);
         const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
@@ -15706,7 +15776,8 @@ var RecipientManager = class {
         recipients.splice(idx, 1);
         writeManifestYaml(repoRoot, doc);
         for (const cell of cells) {
-          await this.encryption.removeRecipient(cell.filePath, trimmedKey);
+          const ref = { namespace: cell.namespace, environment: cell.environment };
+          await this.source.rotate(ref, { rmAge: trimmedKey });
           reEncryptedFiles.push(cell.filePath);
         }
       }
@@ -15728,12 +15799,12 @@ var RecipientManager = class {
 
 // src/recipients/requests.ts
 var fs17 = __toESM(require("fs"));
-var path19 = __toESM(require("path"));
+var path17 = __toESM(require("path"));
 var YAML10 = __toESM(require("yaml"));
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
-  return path19.join(repoRoot, REQUESTS_FILENAME);
+  return path17.join(repoRoot, REQUESTS_FILENAME);
 }
 function loadRequests(repoRoot) {
   const filePath = requestsFilePath(repoRoot);
@@ -15808,7 +15879,7 @@ function findInList(requests, identifier) {
 }
 
 // src/drift/detector.ts
-var path20 = __toESM(require("path"));
+var path18 = __toESM(require("path"));
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -15821,8 +15892,8 @@ var DriftDetector = class {
    * @returns Drift result with any issues found.
    */
   detect(localRoot, remoteRoot, namespaceFilter) {
-    const localManifest = this.parser.parse(path20.join(localRoot, CLEF_MANIFEST_FILENAME));
-    const remoteManifest = this.parser.parse(path20.join(remoteRoot, CLEF_MANIFEST_FILENAME));
+    const localManifest = this.parser.parse(path18.join(localRoot, CLEF_MANIFEST_FILENAME));
+    const remoteManifest = this.parser.parse(path18.join(remoteRoot, CLEF_MANIFEST_FILENAME));
     const localCells = this.matrix.resolveMatrix(localManifest, localRoot);
     const remoteCells = this.matrix.resolveMatrix(remoteManifest, remoteRoot);
     const localEnvNames = localManifest.environments.map((e) => e.name);
@@ -15886,7 +15957,7 @@ var DriftDetector = class {
 };
 
 // src/report/generator.ts
-var path21 = __toESM(require("path"));
+var path19 = __toESM(require("path"));
 
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -16023,14 +16094,14 @@ var ReportSanitizer = class {
 
 // src/report/generator.ts
 var ReportGenerator = class {
-  constructor(runner, sopsClient, matrixManager, schemaValidator) {
+  constructor(runner, source, matrixManager, schemaValidator) {
     this.runner = runner;
-    this.sopsClient = sopsClient;
+    this.source = source;
     this.matrixManager = matrixManager;
     this.schemaValidator = schemaValidator;
   }
   runner;
-  sopsClient;
+  source;
   matrixManager;
   schemaValidator;
   /**
@@ -16046,7 +16117,7 @@ var ReportGenerator = class {
     let manifest = null;
     try {
       const parser = new ManifestParser();
-      manifest = parser.parse(path21.join(repoRoot, "clef.yaml"));
+      manifest = parser.parse(path19.join(repoRoot, "clef.yaml"));
     } catch {
       const emptyManifest = {
         manifestVersion: 0,
@@ -16167,16 +16238,17 @@ var ReportGenerator = class {
         metadata: null
       };
     }
+    const ref = { namespace: cell.namespace, environment: cell.environment };
     const keyCount = this.readKeyCount(cell.filePath);
     let pendingCount = 0;
     try {
-      const pending = await getPendingKeys(cell.filePath);
-      pendingCount = pending.length;
+      const meta = await this.source.getPendingMetadata(ref);
+      pendingCount = meta.pending.length;
     } catch {
     }
     let metadata = null;
     try {
-      const sopsMetadata = await this.sopsClient.getMetadata(cell.filePath);
+      const sopsMetadata = await this.source.getCellMetadata(ref);
       metadata = {
         backend: sopsMetadata.backend,
         recipients: sopsMetadata.recipients,
@@ -16199,7 +16271,7 @@ var ReportGenerator = class {
   }
   async buildPolicy(manifest, repoRoot) {
     try {
-      const lintRunner = new LintRunner(this.matrixManager, this.schemaValidator, this.sopsClient);
+      const lintRunner = new LintRunner(this.matrixManager, this.schemaValidator, this.source);
       const lintResult = await lintRunner.run(manifest, repoRoot);
       return new ReportSanitizer().sanitize(lintResult.issues);
     } catch {
@@ -16516,9 +16588,9 @@ var SopsMergeDriver = class {
    */
   async mergeFiles(basePath, oursPath, theirsPath) {
     const [baseDecrypted, oursDecrypted, theirsDecrypted] = await Promise.all([
-      this.sopsClient.decrypt(basePath),
-      this.sopsClient.decrypt(oursPath),
-      this.sopsClient.decrypt(theirsPath)
+      this.sopsClient.decryptFile(basePath),
+      this.sopsClient.decryptFile(oursPath),
+      this.sopsClient.decryptFile(theirsPath)
     ]);
     return this.merge(baseDecrypted.values, oursDecrypted.values, theirsDecrypted.values);
   }
@@ -16635,22 +16707,26 @@ function mergeMetadataFiles(_basePath, oursPath, theirsPath) {
 }
 
 // src/service-identity/manager.ts
-var path22 = __toESM(require("path"));
+var path20 = __toESM(require("path"));
 var ServiceIdentityManager = class {
-  constructor(encryption, matrixManager, tx) {
-    this.encryption = encryption;
+  constructor(source, matrixManager, tx) {
+    this.source = source;
     this.matrixManager = matrixManager;
     this.tx = tx;
   }
-  encryption;
+  source;
   matrixManager;
   tx;
+  /** Helper: cell → ref for the source seam. */
+  ref(cell) {
+    return { namespace: cell.namespace, environment: cell.environment };
+  }
   /**
    * Compute repo-relative paths for a set of cells plus the manifest. Used
    * to seed TransactionManager.run's `paths` argument.
    */
   txPaths(repoRoot, cells) {
-    return [...cells.map((c) => path22.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
+    return [...cells.map((c) => path20.relative(repoRoot, c.filePath)), CLEF_MANIFEST_FILENAME];
   }
   /**
    * Create a new service identity with per-environment age key pairs or KMS envelope config.
@@ -16742,7 +16818,7 @@ var ServiceIdentityManager = class {
           if (!envConfig?.recipient) continue;
           if (isKmsEnvelope(envConfig)) continue;
           try {
-            await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+            await this.source.rotate(this.ref(cell), { rmAge: envConfig.recipient });
           } catch {
           }
         }
@@ -16792,7 +16868,7 @@ var ServiceIdentityManager = class {
             const scopedCells = cells.filter((c) => c.environment === envName);
             for (const cell of scopedCells) {
               try {
-                await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
+                await this.source.rotate(this.ref(cell), { rmAge: oldConfig.recipient });
               } catch {
               }
             }
@@ -16819,7 +16895,7 @@ var ServiceIdentityManager = class {
       if (isKmsEnvelope(envConfig)) continue;
       if (!envConfig.recipient) continue;
       try {
-        await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
+        await this.source.rotate(this.ref(cell), { addAge: envConfig.recipient });
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
         if (!message.includes("already")) {
@@ -16867,7 +16943,7 @@ var ServiceIdentityManager = class {
             if (isKmsEnvelope(envConfig)) continue;
             if (!envConfig.recipient) continue;
             try {
-              await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
+              await this.source.rotate(this.ref(cell), { addAge: envConfig.recipient });
               affectedFiles.push(cell.filePath);
             } catch (err) {
               const message = err instanceof Error ? err.message : String(err);
@@ -16928,7 +17004,7 @@ var ServiceIdentityManager = class {
             if (isKmsEnvelope(envConfig)) continue;
             if (!envConfig.recipient) continue;
             try {
-              await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+              await this.source.rotate(this.ref(cell), { rmAge: envConfig.recipient });
               affectedFiles.push(cell.filePath);
             } catch {
             }
@@ -16997,7 +17073,7 @@ var ServiceIdentityManager = class {
         if (!identity.pack_only && !isKmsEnvelope(envConfig) && envConfig.recipient) {
           for (const cell of cells) {
             try {
-              await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
+              await this.source.rotate(this.ref(cell), { addAge: envConfig.recipient });
             } catch (err) {
               const message = err instanceof Error ? err.message : String(err);
               if (!message.includes("already")) {
@@ -17074,10 +17150,10 @@ var ServiceIdentityManager = class {
             const scopedCells = cells.filter((c) => c.environment === envName);
             for (const cell of scopedCells) {
               try {
-                await this.encryption.removeRecipient(cell.filePath, oldRecipient);
+                await this.source.rotate(this.ref(cell), { rmAge: oldRecipient });
               } catch {
               }
-              await this.encryption.addRecipient(cell.filePath, newPublicKey);
+              await this.source.rotate(this.ref(cell), { addAge: newPublicKey });
             }
           }
         }
@@ -17136,7 +17212,7 @@ var ServiceIdentityManager = class {
         if (!envConfig.recipient) continue;
         if (si.namespaces.includes(cell.namespace)) {
           try {
-            const metadata = await this.encryption.getMetadata(cell.filePath);
+            const metadata = await this.source.getCellMetadata(this.ref(cell));
             if (!metadata.recipients.includes(envConfig.recipient)) {
               issues.push({
                 identity: si.name,
@@ -17151,7 +17227,7 @@ var ServiceIdentityManager = class {
           }
         } else {
           try {
-            const metadata = await this.encryption.getMetadata(cell.filePath);
+            const metadata = await this.source.getCellMetadata(this.ref(cell));
             if (metadata.recipients.includes(envConfig.recipient)) {
               issues.push({
                 identity: si.name,
@@ -17173,15 +17249,15 @@ var ServiceIdentityManager = class {
 
 // src/structure/manager.ts
 var fs19 = __toESM(require("fs"));
-var path23 = __toESM(require("path"));
+var path21 = __toESM(require("path"));
 var StructureManager = class {
-  constructor(matrixManager, encryption, tx) {
+  constructor(matrixManager, buildSource, tx) {
     this.matrixManager = matrixManager;
-    this.encryption = encryption;
+    this.buildSource = buildSource;
     this.tx = tx;
   }
   matrixManager;
-  encryption;
+  buildSource;
   tx;
   // ── add ──────────────────────────────────────────────────────────────────
   /**
@@ -17197,7 +17273,7 @@ var StructureManager = class {
     this.assertValidIdentifier("namespace", name);
     const newCellPaths = manifest.environments.map((env) => ({
       environment: env.name,
-      filePath: path23.join(
+      filePath: path21.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", name).replace("{environment}", env.name)
       )
@@ -17205,7 +17281,7 @@ var StructureManager = class {
     for (const cell of newCellPaths) {
       if (fs19.existsSync(cell.filePath)) {
         throw new Error(
-          `Cannot add namespace '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
+          `Cannot add namespace '${name}': file '${path21.relative(repoRoot, cell.filePath)}' already exists.`
         );
       }
     }
@@ -17224,21 +17300,14 @@ var StructureManager = class {
     await this.tx.run(repoRoot, {
       description: `clef namespace add ${name}`,
       paths: [
-        ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
+        ...newCellPaths.map((c) => path21.relative(repoRoot, c.filePath)),
         CLEF_MANIFEST_FILENAME
       ],
       mutate: async () => {
+        const source = this.buildSource(updatedManifest);
         for (const cell of newCellPaths) {
-          await this.matrixManager.scaffoldCell(
-            {
-              namespace: name,
-              environment: cell.environment,
-              filePath: cell.filePath,
-              exists: false
-            },
-            this.encryption,
-            updatedManifest
-          );
+          const ref = { namespace: name, environment: cell.environment };
+          await source.scaffoldCell(ref, updatedManifest);
         }
         const doc = readManifestYaml(repoRoot);
         const namespaces = doc.namespaces;
@@ -17269,7 +17338,7 @@ var StructureManager = class {
     this.assertValidIdentifier("environment", name);
     const newCellPaths = manifest.namespaces.map((ns) => ({
       namespace: ns.name,
-      filePath: path23.join(
+      filePath: path21.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", ns.name).replace("{environment}", name)
       )
@@ -17277,7 +17346,7 @@ var StructureManager = class {
     for (const cell of newCellPaths) {
       if (fs19.existsSync(cell.filePath)) {
         throw new Error(
-          `Cannot add environment '${name}': file '${path23.relative(repoRoot, cell.filePath)}' already exists.`
+          `Cannot add environment '${name}': file '${path21.relative(repoRoot, cell.filePath)}' already exists.`
         );
       }
     }
@@ -17296,21 +17365,14 @@ var StructureManager = class {
     await this.tx.run(repoRoot, {
       description: `clef env add ${name}`,
       paths: [
-        ...newCellPaths.map((c) => path23.relative(repoRoot, c.filePath)),
+        ...newCellPaths.map((c) => path21.relative(repoRoot, c.filePath)),
         CLEF_MANIFEST_FILENAME
       ],
       mutate: async () => {
+        const source = this.buildSource(updatedManifest);
         for (const cell of newCellPaths) {
-          await this.matrixManager.scaffoldCell(
-            {
-              namespace: cell.namespace,
-              environment: name,
-              filePath: cell.filePath,
-              exists: false
-            },
-            this.encryption,
-            updatedManifest
-          );
+          const ref = { namespace: cell.namespace, environment: name };
+          await source.scaffoldCell(ref, updatedManifest);
         }
         const doc = readManifestYaml(repoRoot);
         const environments = doc.environments;
@@ -17453,7 +17515,7 @@ var StructureManager = class {
       for (const pair of renamePairs) {
         if (fs19.existsSync(pair.to)) {
           throw new Error(
-            `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
+            `Rename target '${path21.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
           );
         }
       }
@@ -17496,7 +17558,7 @@ var StructureManager = class {
       for (const pair of renamePairs) {
         if (fs19.existsSync(pair.to)) {
           throw new Error(
-            `Rename target '${path23.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
+            `Rename target '${path21.relative(repoRoot, pair.to)}' already exists. Move or remove it first.`
           );
         }
       }
@@ -17546,7 +17608,7 @@ var StructureManager = class {
   swapAxisInCellPath(repoRoot, manifest, cell, axis, newName) {
     const ns = axis === "namespace" ? newName : cell.namespace;
     const env = axis === "environment" ? newName : cell.environment;
-    return path23.join(
+    return path21.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
@@ -17558,8 +17620,8 @@ var StructureManager = class {
   txPaths(repoRoot, renamePairs) {
     const paths = /* @__PURE__ */ new Set();
     for (const pair of renamePairs) {
-      paths.add(path23.relative(repoRoot, pair.from));
-      paths.add(path23.relative(repoRoot, pair.to));
+      paths.add(path21.relative(repoRoot, pair.from));
+      paths.add(path21.relative(repoRoot, pair.to));
     }
     paths.add(CLEF_MANIFEST_FILENAME);
     return [...paths];
@@ -17570,7 +17632,7 @@ var StructureManager = class {
    */
   applyRenames(pairs) {
     for (const pair of pairs) {
-      const targetDir = path23.dirname(pair.to);
+      const targetDir = path21.dirname(pair.to);
       if (!fs19.existsSync(targetDir)) {
         fs19.mkdirSync(targetDir, { recursive: true });
       }
@@ -17585,10 +17647,10 @@ var StructureManager = class {
   deletePaths(repoRoot, cells) {
     const paths = /* @__PURE__ */ new Set();
     for (const cell of cells) {
-      paths.add(path23.relative(repoRoot, cell.filePath));
+      paths.add(path21.relative(repoRoot, cell.filePath));
       const meta = cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml");
       if (fs19.existsSync(meta)) {
-        paths.add(path23.relative(repoRoot, meta));
+        paths.add(path21.relative(repoRoot, meta));
       }
     }
     paths.add(CLEF_MANIFEST_FILENAME);
@@ -17703,7 +17765,7 @@ function renameKeyPreservingOrder(obj, oldKey, newKey) {
 }
 
 // src/artifact/resolve.ts
-async function resolveIdentitySecrets(identityName, environment, manifest, repoRoot, encryption, matrixManager) {
+async function resolveIdentitySecrets(identityName, environment, manifest, repoRoot, source, matrixManager) {
   const identity = manifest.service_identities?.find((si) => si.name === identityName);
   if (!identity) {
     throw new Error(`Service identity '${identityName}' not found in manifest.`);
@@ -17719,7 +17781,10 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
     (c) => c.exists && identity.namespaces.includes(c.namespace) && c.environment === environment
   );
   for (const cell of cells) {
-    const decrypted = await encryption.decrypt(cell.filePath);
+    const decrypted = await source.readCell({
+      namespace: cell.namespace,
+      environment: cell.environment
+    });
     const bucket = allValues[cell.namespace] ??= {};
     for (const [key, value] of Object.entries(decrypted.values)) {
       if (key in bucket && bucket[key] !== value) {
@@ -17743,14 +17808,14 @@ var crypto5 = __toESM(require("crypto"));
 
 // src/artifact/output.ts
 var fs20 = __toESM(require("fs"));
-var path24 = __toESM(require("path"));
+var path22 = __toESM(require("path"));
 var FilePackOutput = class {
   constructor(outputPath) {
     this.outputPath = outputPath;
   }
   outputPath;
   async write(_artifact, json) {
-    const outputDir = path24.dirname(this.outputPath);
+    const outputDir = path22.dirname(this.outputPath);
     if (!fs20.existsSync(outputDir)) {
       fs20.mkdirSync(outputDir, { recursive: true });
     }
@@ -17797,17 +17862,6 @@ function buildSigningPayload(artifact) {
   ];
   return Buffer.from(fields.join("\n"), "utf-8");
 }
-function generateSigningKeyPair() {
-  const pair = crypto3.generateKeyPairSync("ed25519");
-  return {
-    publicKey: pair.publicKey.export({ type: "spki", format: "der" }).toString(
-      "base64"
-    ),
-    privateKey: pair.privateKey.export({ type: "pkcs8", format: "der" }).toString(
-      "base64"
-    )
-  };
-}
 function signEd25519(payload, privateKeyBase64) {
   const keyObj = crypto3.createPrivateKey({
     key: Buffer.from(privateKeyBase64, "base64"),
@@ -17843,17 +17897,6 @@ function verifySignature(payload, signatureBase64, publicKeyBase64) {
   }
   throw new Error(`Unsupported key type for signature verification: ${keyType}`);
 }
-function detectAlgorithm(publicKeyBase64) {
-  const keyObj = crypto3.createPublicKey({
-    key: Buffer.from(publicKeyBase64, "base64"),
-    format: "der",
-    type: "spki"
-  });
-  const keyType = keyObj.asymmetricKeyType;
-  if (keyType === "ed25519") return "Ed25519";
-  if (keyType === "ec") return "ECDSA_SHA256";
-  throw new Error(`Unsupported key type: ${keyType}`);
-}
 
 // src/artifact/hash.ts
 var crypto4 = __toESM(require("crypto"));
@@ -17863,12 +17906,12 @@ function computeCiphertextHash(ciphertext) {
 
 // src/artifact/packer.ts
 var ArtifactPacker = class {
-  constructor(encryption, matrixManager, kms) {
-    this.encryption = encryption;
+  constructor(source, matrixManager, kms) {
+    this.source = source;
     this.matrixManager = matrixManager;
     this.kms = kms;
   }
-  encryption;
+  source;
   matrixManager;
   kms;
   /**
@@ -17886,7 +17929,7 @@ var ArtifactPacker = class {
       config.environment,
       manifest,
       repoRoot,
-      this.encryption,
+      this.source,
       this.matrixManager
     );
     const plaintext = JSON.stringify(resolved.values);
@@ -18271,11 +18314,7 @@ var JsonEnvelopeBackend = class {
   }
   async pack(req) {
     const opts = req.backendOptions;
-    const packer = new ArtifactPacker(
-      req.services.encryption,
-      new MatrixManager(),
-      req.services.kms
-    );
+    const packer = new ArtifactPacker(req.services.source, new MatrixManager(), req.services.kms);
     const output = opts.output ?? (opts.outputPath ? new FilePackOutput(opts.outputPath) : void 0);
     const result = await packer.pack(
       {
@@ -18304,7 +18343,7 @@ var JsonEnvelopeBackend = class {
 var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
 
 // src/migration/backend.ts
-var path25 = __toESM(require("path"));
+var path23 = __toESM(require("path"));
 var YAML12 = __toESM(require("yaml"));
 var BACKEND_KEY_FIELDS = {
   age: void 0,
@@ -18332,23 +18371,24 @@ function metadataMatchesTarget(meta, target) {
 }
 var BackendMigrator = class {
   /**
-   * @param encryption - Backend used for both decrypt and encrypt (standard case).
+   * @param buildSource - Factory that builds a `SecretSource` bound to a
+   *   given manifest. Called twice during a real migration: once with the
+   *   pre-migration manifest (for classification + decrypt) and once with
+   *   the post-mutation manifest (for re-encrypt + verify). The factory
+   *   pattern is required because the encryption layer of a composed
+   *   source is bound to a manifest at construction.
    * @param matrixManager - Matrix resolver.
    * @param tx - Transaction manager that wraps the migration in a single git commit
    *   so a partial failure rolls back ALL files + the manifest via `git reset --hard`.
-   * @param targetEncryption - Optional separate backend for encrypt. Use when migrating
-   *   from cloud (decrypt via keyservice) to another backend (encrypt via local credentials).
    */
-  constructor(encryption, matrixManager, tx, targetEncryption) {
+  constructor(buildSource, matrixManager, tx) {
+    this.buildSource = buildSource;
     this.matrixManager = matrixManager;
     this.tx = tx;
-    this.decryptBackend = encryption;
-    this.encryptBackend = targetEncryption ?? encryption;
   }
+  buildSource;
   matrixManager;
   tx;
-  decryptBackend;
-  encryptBackend;
   async migrate(manifest, repoRoot, options, onProgress) {
     const { target, environment, dryRun, skipVerify } = options;
     if (environment) {
@@ -18368,10 +18408,12 @@ var BackendMigrator = class {
         warnings: ["No encrypted files found to migrate."]
       };
     }
+    const sourceBefore = this.buildSource(manifest);
     const toMigrate = [];
     const skippedFiles = [];
     for (const cell of targetCells) {
-      const meta = await this.decryptBackend.getMetadata(cell.filePath);
+      const ref = { namespace: cell.namespace, environment: cell.environment };
+      const meta = await sourceBefore.getCellMetadata(ref);
       if (metadataMatchesTarget(meta, target)) {
         skippedFiles.push(cell.filePath);
         onProgress?.({
@@ -18392,6 +18434,8 @@ var BackendMigrator = class {
         warnings: ["All files already use the target backend and key. Nothing to migrate."]
       };
     }
+    const preMigrationWarnings = [];
+    this.checkAgeRecipientsWarning(manifest, target, environment, preMigrationWarnings);
     if (dryRun) {
       const warnings2 = [];
       for (const cell of toMigrate) {
@@ -18408,7 +18452,7 @@ var BackendMigrator = class {
       } else {
         warnings2.push(`Would update global default_backend \u2192 ${target.backend}`);
       }
-      this.checkAgeRecipientsWarning(manifest, target, environment, warnings2);
+      warnings2.push(...preMigrationWarnings);
       return {
         migratedFiles: [],
         skippedFiles,
@@ -18420,11 +18464,12 @@ var BackendMigrator = class {
     const migratedFiles = [];
     let migrationFailed = false;
     let migrationError;
+    let sourceAfter;
     try {
       await this.tx.run(repoRoot, {
         description: environment ? `clef migrate-backend ${target.backend}: ${environment}` : `clef migrate-backend ${target.backend}`,
         paths: [
-          ...toMigrate.map((c) => path25.relative(repoRoot, c.filePath)),
+          ...toMigrate.map((c) => path23.relative(repoRoot, c.filePath)),
           CLEF_MANIFEST_FILENAME
         ],
         mutate: async () => {
@@ -18432,19 +18477,16 @@ var BackendMigrator = class {
           this.updateManifestDoc(doc, target, environment);
           writeManifestYaml(repoRoot, doc);
           const updatedManifest = YAML12.parse(YAML12.stringify(doc));
+          sourceAfter = this.buildSource(updatedManifest);
           for (const cell of toMigrate) {
             onProgress?.({
               type: "migrate",
               file: cell.filePath,
               message: `Migrating ${cell.namespace}/${cell.environment}...`
             });
-            const decrypted = await this.decryptBackend.decrypt(cell.filePath);
-            await this.encryptBackend.encrypt(
-              cell.filePath,
-              decrypted.values,
-              updatedManifest,
-              cell.environment
-            );
+            const ref = { namespace: cell.namespace, environment: cell.environment };
+            const decrypted = await sourceBefore.readCell(ref);
+            await sourceAfter.writeCell(ref, decrypted.values);
             migratedFiles.push(cell.filePath);
           }
         }
@@ -18464,12 +18506,17 @@ var BackendMigrator = class {
         rolledBack: true,
         error: migrationError.message,
         verifiedFiles: [],
-        warnings: ["All changes have been rolled back."]
+        // Surface pre-migration warnings even on rollback. The new manifest
+        // validator can reject the write (e.g. per-env recipients vs.
+        // non-age backend), and without these warnings the user only sees
+        // an opaque "rolled back" message — not the actionable hint about
+        // what to clean up first.
+        warnings: ["All changes have been rolled back.", ...preMigrationWarnings]
       };
     }
     const verifiedFiles = [];
     const warnings = [];
-    if (!skipVerify) {
+    if (!skipVerify && sourceAfter) {
       for (const cell of toMigrate) {
         try {
           onProgress?.({
@@ -18477,7 +18524,8 @@ var BackendMigrator = class {
             file: cell.filePath,
             message: `Verifying ${cell.namespace}/${cell.environment}...`
           });
-          await this.encryptBackend.decrypt(cell.filePath);
+          const ref = { namespace: cell.namespace, environment: cell.environment };
+          await sourceAfter.readCell(ref);
           verifiedFiles.push(cell.filePath);
         } catch (err) {
           const errorMsg = err instanceof Error ? err.message : String(err);
@@ -18487,7 +18535,7 @@ var BackendMigrator = class {
         }
       }
     }
-    this.checkAgeRecipientsWarning(manifest, target, environment, warnings);
+    warnings.push(...preMigrationWarnings);
     return { migratedFiles, skippedFiles, rolledBack: false, verifiedFiles, warnings };
   }
   // ── Private helpers ──────────────────────────────────────────────────
@@ -18522,16 +18570,16 @@ var BackendMigrator = class {
 };
 
 // src/reset/manager.ts
-var path26 = __toESM(require("path"));
+var path24 = __toESM(require("path"));
 var ResetManager = class {
-  constructor(matrixManager, encryption, schemaValidator, tx) {
+  constructor(matrixManager, buildSource, schemaValidator, tx) {
     this.matrixManager = matrixManager;
-    this.encryption = encryption;
+    this.buildSource = buildSource;
     this.schemaValidator = schemaValidator;
     this.tx = tx;
   }
   matrixManager;
-  encryption;
+  buildSource;
   schemaValidator;
   tx;
   async reset(opts, manifest, repoRoot) {
@@ -18551,11 +18599,11 @@ var ResetManager = class {
       txPaths.push(CLEF_MANIFEST_FILENAME);
     }
     for (const cell of targetCells) {
-      txPaths.push(path26.relative(repoRoot, cell.filePath));
+      txPaths.push(path24.relative(repoRoot, cell.filePath));
       const cellKeys = keyPlan.get(cell.namespace) ?? [];
       if (cellKeys.length > 0) {
         txPaths.push(
-          path26.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
+          path24.relative(repoRoot, cell.filePath.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"))
         );
       }
     }
@@ -18572,17 +18620,14 @@ var ResetManager = class {
           writeManifestYaml(repoRoot, doc);
           effectiveManifest = withBackendOverride(manifest, affectedEnvs, opts.backend, opts.key);
         }
+        const source = this.buildSource(effectiveManifest);
         for (const cell of targetCells) {
           const keys = keyPlan.get(cell.namespace) ?? [];
           const placeholders = this.buildPlaceholders(keys);
-          await this.encryption.encrypt(
-            cell.filePath,
-            placeholders,
-            effectiveManifest,
-            cell.environment
-          );
+          const ref = { namespace: cell.namespace, environment: cell.environment };
+          await source.writeCell(ref, placeholders);
           if (keys.length > 0) {
-            await markPendingWithRetry(cell.filePath, keys, "clef reset");
+            await source.markPending(ref, keys, "clef reset");
             pendingKeysByCell[cell.filePath] = keys;
           }
           scaffoldedCells.push(cell.filePath);
@@ -18643,7 +18688,7 @@ var ResetManager = class {
     for (const namespace of namespaces) {
       const nsDef = manifest.namespaces.find((n) => n.name === namespace);
       if (nsDef?.schema) {
-        const schema = this.schemaValidator.loadSchema(path26.join(repoRoot, nsDef.schema));
+        const schema = this.schemaValidator.loadSchema(path24.join(repoRoot, nsDef.schema));
         plan.set(namespace, Object.keys(schema.keys));
         continue;
       }
@@ -18722,15 +18767,15 @@ function withBackendOverride(manifest, envNames, backend, key) {
 }
 
 // src/sync/manager.ts
-var path27 = __toESM(require("path"));
+var path25 = __toESM(require("path"));
 var SyncManager = class {
-  constructor(matrixManager, encryption, tx) {
+  constructor(matrixManager, source, tx) {
     this.matrixManager = matrixManager;
-    this.encryption = encryption;
+    this.source = source;
     this.tx = tx;
   }
   matrixManager;
-  encryption;
+  source;
   tx;
   /**
    * Compute what sync would do without mutating anything.
@@ -18747,8 +18792,13 @@ var SyncManager = class {
     const targetCells = opts.namespace ? existingCells.filter((c) => c.namespace === opts.namespace) : existingCells;
     const keysByNsEnv = {};
     for (const cell of targetCells) {
-      const keys = readSopsKeyNames(cell.filePath);
-      if (!keys) continue;
+      const ref = { namespace: cell.namespace, environment: cell.environment };
+      let keys;
+      try {
+        keys = await this.source.listKeys(ref);
+      } catch {
+        continue;
+      }
       if (!keysByNsEnv[cell.namespace]) keysByNsEnv[cell.namespace] = {};
       keysByNsEnv[cell.namespace][cell.environment] = new Set(keys);
     }
@@ -18794,7 +18844,7 @@ var SyncManager = class {
     }
     const txPaths = [];
     for (const cell of syncPlan.cells) {
-      const rel = path27.relative(repoRoot, cell.filePath);
+      const rel = path25.relative(repoRoot, cell.filePath);
       txPaths.push(rel);
       txPaths.push(rel.replace(/\.enc\.(yaml|json)$/, ".clef-meta.yaml"));
     }
@@ -18807,17 +18857,13 @@ var SyncManager = class {
       paths: txPaths,
       mutate: async () => {
         for (const cell of syncPlan.cells) {
-          const decrypted = await this.encryption.decrypt(cell.filePath);
+          const ref = { namespace: cell.namespace, environment: cell.environment };
+          const decrypted = await this.source.readCell(ref);
           for (const key of cell.missingKeys) {
             decrypted.values[key] = generateRandomValue();
           }
-          await this.encryption.encrypt(
-            cell.filePath,
-            decrypted.values,
-            manifest,
-            cell.environment
-          );
-          await markPendingWithRetry(cell.filePath, cell.missingKeys, "clef sync");
+          await this.source.writeCell(ref, decrypted.values);
+          await this.source.markPending(ref, cell.missingKeys, "clef sync");
           const cellLabel = `${cell.namespace}/${cell.environment}`;
           modifiedCells.push(cellLabel);
           scaffoldedKeys[cellLabel] = cell.missingKeys;
@@ -19077,13 +19123,272 @@ var ComplianceGenerator = class {
 };
 
 // src/compliance/run.ts
-var path28 = __toESM(require("path"));
+var path27 = __toESM(require("path"));
+
+// src/source/compose.ts
+var YAML14 = __toESM(require("yaml"));
+
+// src/source/default-bulk.ts
+function defaultBulk(source) {
+  return {
+    async bulkSet(namespace, key, valuesByEnv, _manifest) {
+      for (const [environment, value] of Object.entries(valuesByEnv)) {
+        const cell = { namespace, environment };
+        const existing = await source.cellExists(cell) ? (await source.readCell(cell)).values : {};
+        await source.writeCell(cell, { ...existing, [key]: value });
+      }
+    },
+    async bulkDelete(namespace, key, manifest) {
+      for (const env of manifest.environments) {
+        const cell = { namespace, environment: env.name };
+        if (!await source.cellExists(cell)) continue;
+        const data = await source.readCell(cell);
+        if (!(key in data.values)) continue;
+        const next = { ...data.values };
+        delete next[key];
+        await source.writeCell(cell, next);
+      }
+    },
+    async copyValue(key, from, to, _manifest) {
+      const src = await source.readCell(from);
+      if (!(key in src.values)) {
+        throw new Error(
+          `Cannot copy: key '${key}' not present in ${from.namespace}/${from.environment}`
+        );
+      }
+      const dst = await source.cellExists(to) ? (await source.readCell(to)).values : {};
+      await source.writeCell(to, { ...dst, [key]: src.values[key] });
+    }
+  };
+}
+
+// src/source/compose.ts
+function composeSecretSource(storage, encryption, manifest) {
+  return new ComposedSecretSource(storage, encryption, manifest);
+}
+var ComposedSecretSource = class {
+  constructor(storage, encryption, manifest) {
+    this.storage = storage;
+    this.encryption = encryption;
+    this.manifest = manifest;
+    this.id = `${storage.id}+${encryption.id}`;
+    this.description = `${storage.description} / ${encryption.description}`;
+  }
+  storage;
+  encryption;
+  manifest;
+  id;
+  description;
+  context(cell) {
+    return {
+      manifest: this.manifest,
+      environment: cell.environment,
+      format: this.storage.blobFormat(cell)
+    };
+  }
+  // ── Core SecretSource ──────────────────────────────────────────────────
+  async readCell(cell) {
+    const blob = await this.storage.readBlob(cell);
+    return this.encryption.decrypt(blob, this.context(cell));
+  }
+  async writeCell(cell, values) {
+    const blob = await this.encryption.encrypt(values, this.context(cell));
+    await this.storage.writeBlob(cell, blob);
+  }
+  async deleteCell(cell) {
+    await this.storage.deleteBlob(cell);
+  }
+  async cellExists(cell) {
+    return this.storage.blobExists(cell);
+  }
+  /**
+   * List cell keys WITHOUT decrypting. SOPS files store key names in
+   * plaintext at the top level of the YAML/JSON document — we read the
+   * blob and return everything except the `sops:` metadata block.
+   *
+   * NOTE: this is currently SOPS-shaped. A future non-SOPS
+   * `EncryptionBackend` whose ciphertext doesn't expose key names in
+   * the clear would need its own listing strategy — likely a
+   * `listKeys(blob)` method on `EncryptionBackend`. Deferred until a
+   * second backend exists.
+   */
+  async listKeys(cell) {
+    if (!await this.storage.blobExists(cell)) return [];
+    const blob = await this.storage.readBlob(cell);
+    const parsed = YAML14.parse(blob);
+    if (!parsed || typeof parsed !== "object") return [];
+    return Object.keys(parsed).filter((k) => k !== "sops");
+  }
+  async getCellMetadata(cell) {
+    const blob = await this.storage.readBlob(cell);
+    return this.encryption.getMetadata(blob);
+  }
+  async scaffoldCell(cell, manifest) {
+    if (await this.storage.blobExists(cell)) return;
+    const blob = await this.encryption.encrypt(
+      {},
+      {
+        manifest,
+        environment: cell.environment,
+        format: this.storage.blobFormat(cell)
+      }
+    );
+    await this.storage.writeBlob(cell, blob);
+  }
+  // ── Pending / rotation metadata ────────────────────────────────────────
+  async getPendingMetadata(cell) {
+    return this.storage.readPendingMetadata(cell);
+  }
+  async markPending(cell, keys, setBy) {
+    const meta = await this.storage.readPendingMetadata(cell);
+    const now = /* @__PURE__ */ new Date();
+    for (const key of keys) {
+      if (!meta.pending.find((p) => p.key === key)) {
+        meta.pending.push({ key, since: now, setBy });
+      }
+    }
+    await this.storage.writePendingMetadata(cell, meta);
+  }
+  async markResolved(cell, keys) {
+    const meta = await this.storage.readPendingMetadata(cell);
+    meta.pending = meta.pending.filter((p) => !keys.includes(p.key));
+    await this.storage.writePendingMetadata(cell, meta);
+  }
+  async recordRotation(cell, keys, rotatedBy) {
+    const meta = await this.storage.readPendingMetadata(cell);
+    const now = /* @__PURE__ */ new Date();
+    for (const key of keys) {
+      const existing = meta.rotations.find((r) => r.key === key);
+      if (existing) {
+        existing.lastRotatedAt = now;
+        existing.rotatedBy = rotatedBy;
+        existing.rotationCount += 1;
+      } else {
+        meta.rotations.push({ key, lastRotatedAt: now, rotatedBy, rotationCount: 1 });
+      }
+    }
+    meta.pending = meta.pending.filter((p) => !keys.includes(p.key));
+    await this.storage.writePendingMetadata(cell, meta);
+  }
+  async removeRotation(cell, keys) {
+    const meta = await this.storage.readPendingMetadata(cell);
+    meta.rotations = meta.rotations.filter((r) => !keys.includes(r.key));
+    await this.storage.writePendingMetadata(cell, meta);
+  }
+  // ── Lintable ───────────────────────────────────────────────────────────
+  async validateEncryption(cell) {
+    if (!await this.storage.blobExists(cell)) return false;
+    const blob = await this.storage.readBlob(cell);
+    return this.encryption.validateEncryption(blob);
+  }
+  async checkRecipientDrift(cell, expected) {
+    const blob = await this.storage.readBlob(cell);
+    const meta = this.encryption.getMetadata(blob);
+    const actual = new Set(meta.recipients);
+    const expectedSet = new Set(expected);
+    return {
+      missing: expected.filter((r) => !actual.has(r)),
+      unexpected: meta.recipients.filter((r) => !expectedSet.has(r))
+    };
+  }
+  // ── Rotatable ──────────────────────────────────────────────────────────
+  async rotate(cell, opts) {
+    const blob = await this.storage.readBlob(cell);
+    const rotated = await this.encryption.rotate(blob, opts, this.context(cell));
+    await this.storage.writeBlob(cell, rotated);
+  }
+  // ── Bulk ───────────────────────────────────────────────────────────────
+  //
+  // Default looped implementation. A future StorageBackend that supports
+  // batch operations (e.g. PostgresStorageBackend with row-level UPDATE
+  // batching) can override these by wrapping `composeSecretSource`'s
+  // output and replacing just the bulk methods.
+  bulkSet = (namespace, key, valuesByEnv, manifest) => defaultBulk(this).bulkSet(namespace, key, valuesByEnv, manifest);
+  bulkDelete = (namespace, key, manifest) => defaultBulk(this).bulkDelete(namespace, key, manifest);
+  copyValue = (key, from, to, manifest) => defaultBulk(this).copyValue(key, from, to, manifest);
+};
+
+// src/source/filesystem-storage-backend.ts
+var fs22 = __toESM(require("fs"));
+var path26 = __toESM(require("path"));
+var import_crypto3 = require("crypto");
+var FilesystemStorageBackend = class {
+  constructor(manifest, repoRoot) {
+    this.manifest = manifest;
+    this.repoRoot = repoRoot;
+  }
+  manifest;
+  repoRoot;
+  id = "filesystem";
+  description = "Filesystem-backed cell storage (default substrate)";
+  /**
+   * Resolve a cell reference to its absolute filesystem path. Public —
+   * used by substrate-specific trait implementations.
+   */
+  cellPath(cell) {
+    const relativePath = this.manifest.file_pattern.replace("{namespace}", cell.namespace).replace("{environment}", cell.environment);
+    return path26.join(this.repoRoot, relativePath);
+  }
+  /** The repo root, exposed for filesystem-shaped trait implementations. */
+  getRepoRoot() {
+    return this.repoRoot;
+  }
+  blobFormat(cell) {
+    return this.cellPath(cell).endsWith(".json") ? "json" : "yaml";
+  }
+  async readBlob(cell) {
+    const filePath = this.cellPath(cell);
+    return fs22.readFileSync(filePath, "utf-8");
+  }
+  async writeBlob(cell, blob) {
+    const filePath = this.cellPath(cell);
+    const dir = path26.dirname(filePath);
+    if (!fs22.existsSync(dir)) {
+      fs22.mkdirSync(dir, { recursive: true });
+    }
+    const tmpPath = `${filePath}.${Date.now()}.${(0, import_crypto3.randomBytes)(4).toString("hex")}.tmp`;
+    const handle = fs22.openSync(tmpPath, "w");
+    try {
+      fs22.writeFileSync(handle, blob);
+      fs22.fsyncSync(handle);
+    } finally {
+      fs22.closeSync(handle);
+    }
+    fs22.renameSync(tmpPath, filePath);
+  }
+  async deleteBlob(cell) {
+    const filePath = this.cellPath(cell);
+    if (fs22.existsSync(filePath)) {
+      fs22.unlinkSync(filePath);
+    }
+    const sidecar = this.sidecarPath(filePath);
+    if (fs22.existsSync(sidecar)) {
+      fs22.unlinkSync(sidecar);
+    }
+  }
+  async blobExists(cell) {
+    return fs22.existsSync(this.cellPath(cell));
+  }
+  async readPendingMetadata(cell) {
+    return loadMetadata(this.cellPath(cell));
+  }
+  async writePendingMetadata(cell, meta) {
+    await saveMetadata(this.cellPath(cell), meta);
+  }
+  sidecarPath(filePath) {
+    const dir = path26.dirname(filePath);
+    const base = path26.basename(filePath).replace(/\.enc\.(yaml|json)$/, "");
+    return path26.join(dir, `${base}.clef-meta.yaml`);
+  }
+};
+
+// src/compliance/run.ts
 var UNKNOWN = "unknown";
 async function runCompliance(opts) {
   const start = Date.now();
   const repoRoot = opts.repoRoot ?? process.cwd();
-  const manifestPath = opts.manifestPath ?? path28.join(repoRoot, "clef.yaml");
-  const policyPath = opts.policyPath ?? path28.join(repoRoot, CLEF_POLICY_FILENAME);
+  const manifestPath = opts.manifestPath ?? path27.join(repoRoot, "clef.yaml");
+  const policyPath = opts.policyPath ?? path27.join(repoRoot, CLEF_POLICY_FILENAME);
   const include = {
     scan: opts.include?.scan ?? true,
     lint: opts.include?.lint ?? true,
@@ -19095,6 +19400,11 @@ async function runCompliance(opts) {
   const sopsClient = new SopsClient(opts.runner, opts.ageKeyFile, opts.ageKey, opts.sopsPath);
   const matrixManager = new MatrixManager();
   const schemaValidator = new SchemaValidator();
+  const lintSource = composeSecretSource(
+    new FilesystemStorageBackend(manifest, repoRoot),
+    sopsClient,
+    manifest
+  );
   const [sha, repo, files, scanResult, lintResult] = await Promise.all([
     opts.sha !== void 0 ? Promise.resolve(opts.sha) : detectSha(opts.runner, repoRoot),
     opts.repo !== void 0 ? Promise.resolve(opts.repo) : detectRepo(opts.runner, repoRoot),
@@ -19103,12 +19413,12 @@ async function runCompliance(opts) {
       repoRoot,
       policy,
       matrixManager,
-      sopsClient,
+      source: lintSource,
       filter: opts.filter,
       now
     }) : Promise.resolve([]),
     include.scan ? new ScanRunner(opts.runner).scan(repoRoot, manifest) : Promise.resolve(emptyScan()),
-    include.lint ? new LintRunner(matrixManager, schemaValidator, sopsClient).run(manifest, repoRoot) : Promise.resolve(emptyLint())
+    include.lint ? new LintRunner(matrixManager, schemaValidator, lintSource).run(manifest, repoRoot) : Promise.resolve(emptyLint())
   ]);
   const adjustedLint = downgradeDecryptIssues(lintResult);
   const document = new ComplianceGenerator().generate({
@@ -19128,8 +19438,11 @@ async function evaluateMatrix(args) {
   const cells = args.matrixManager.resolveMatrix(args.manifest, args.repoRoot).filter((c) => applyFilter(c.namespace, c.environment, args.filter)).filter((c) => c.exists);
   return Promise.all(
     cells.map(async (cell) => {
-      const metadata = await args.sopsClient.getMetadata(cell.filePath);
-      const relPath = path28.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
+      const metadata = await args.source.getCellMetadata({
+        namespace: cell.namespace,
+        environment: cell.environment
+      });
+      const relPath = path27.relative(args.repoRoot, cell.filePath).replace(/\\/g, "/");
       const keys = readSopsKeyNames(cell.filePath) ?? [];
       const rotations = await getRotations(cell.filePath);
       return evaluator.evaluateFile(relPath, cell.environment, metadata, keys, rotations, args.now);
@@ -19187,11 +19500,62 @@ async function detectRepo(runner, repoRoot) {
   const match = url.match(/[:/]([^/:]+)\/([^/]+?)(?:\.git)?\/?$/);
   return match ? `${match[1]}/${match[2]}` : UNKNOWN;
 }
+
+// src/source/guards.ts
+function isFn(o, name) {
+  return typeof o === "object" && o !== null && typeof o[name] === "function";
+}
+function isLintable(s) {
+  return isFn(s, "validateEncryption") && isFn(s, "checkRecipientDrift");
+}
+function isRotatable(s) {
+  return isFn(s, "rotate");
+}
+function isRecipientManaged(s) {
+  return isFn(s, "listRecipients") && isFn(s, "addRecipient") && isFn(s, "removeRecipient");
+}
+function isMergeAware(s) {
+  return isFn(s, "mergeCells") && isFn(s, "installMergeDriver");
+}
+function isMigratable(s) {
+  return isFn(s, "migrateBackend");
+}
+function isBulk(s) {
+  return isFn(s, "bulkSet") && isFn(s, "bulkDelete") && isFn(s, "copyValue");
+}
+function isStructural(s) {
+  return isFn(s, "addNamespace") && isFn(s, "addEnvironment") && isFn(s, "renameNamespace") && isFn(s, "renameEnvironment");
+}
+function describeCapabilities(s) {
+  return {
+    lint: isLintable(s),
+    rotate: isRotatable(s),
+    recipients: isRecipientManaged(s),
+    merge: isMergeAware(s),
+    migrate: isMigratable(s),
+    bulk: isBulk(s),
+    structural: isStructural(s)
+  };
+}
+
+// src/source/errors.ts
+var SourceCapabilityUnsupportedError = class extends ClefError {
+  constructor(capability, sourceId) {
+    super(
+      `'${capability}' is not supported by the '${sourceId}' source.`,
+      `Switch to a source that implements ${capability}, or use a different command.`
+    );
+    this.capability = capability;
+    this.sourceId = sourceId;
+    this.name = "SourceCapabilityUnsupportedError";
+  }
+  capability;
+  sourceId;
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ArtifactPacker,
   BackendMigrator,
-  BulkOps,
   CLEF_MANIFEST_FILENAME,
   CLEF_POLICY_FILENAME,
   CLEF_REPORT_SCHEMA_VERSION,
@@ -19205,6 +19569,7 @@ async function detectRepo(runner, repoRoot) {
   DiffEngine,
   DriftDetector,
   FilePackOutput,
+  FilesystemStorageBackend,
   GitIntegration,
   GitOperationError,
   ImportRunner,
@@ -19221,7 +19586,6 @@ async function detectRepo(runner, repoRoot) {
   PolicyValidationError,
   REQUESTS_FILENAME,
   REQUIREMENTS,
-  REVEAL_WARNING,
   RecipientManager,
   ReportGenerator,
   ReportSanitizer,
@@ -19238,6 +19602,7 @@ async function detectRepo(runner, repoRoot) {
   SopsMergeDriver,
   SopsMissingError,
   SopsVersionError,
+  SourceCapabilityUnsupportedError,
   StructureManager,
   SyncManager,
   TransactionLockError,
@@ -19257,11 +19622,11 @@ async function detectRepo(runner, repoRoot) {
   checkAll,
   checkDependency,
   collectCIContext,
+  composeSecretSource,
   computeCiphertextHash,
   deriveAgePublicKey,
+  describeCapabilities,
   describeScope,
-  detectAlgorithm,
-  detectFormat,
   emptyTemplate,
   exampleTemplate,
   findRequest,
@@ -19269,35 +19634,27 @@ async function detectRepo(runner, repoRoot) {
   formatRevealWarning,
   generateAgeIdentity,
   generateRandomValue,
-  generateSigningKeyPair,
-  getPendingKeys,
-  getRotations,
+  isBulk,
   isClefHsmArn,
-  isHighEntropy,
   isKmsEnvelope,
+  isLintable,
+  isMergeAware,
+  isMigratable,
   isPackedArtifact,
-  isPending,
+  isRecipientManaged,
+  isRotatable,
+  isStructural,
   keyPreview,
-  loadIgnoreRules,
-  loadMetadata,
   loadRequests,
   markPending,
-  markPendingWithRetry,
   markResolved,
-  matchPatterns,
-  mergeMetadataContents,
   mergeMetadataFiles,
-  metadataPath,
   parse,
-  parseDotenv,
-  parseIgnoreContent,
-  parseJson,
   parseSignerKey,
   parseYaml,
   pkcs11UriToSyntheticArn,
   readManifestYaml,
   recordRotation,
-  redactValue,
   removeAccessRequest,
   removeRotation,
   requestsFilePath,
@@ -19309,22 +19666,18 @@ async function detectRepo(runner, repoRoot) {
   resolveRecipientsForEnvironment,
   resolveSopsPath,
   runCompliance,
-  saveMetadata,
   saveRequests,
-  serializeSchema,
-  shannonEntropy,
-  shouldIgnoreFile,
-  shouldIgnoreMatch,
-  signEd25519,
-  signKms,
+  shouldUseLinuxStdinFifo,
   spawnKeyservice,
   syntheticArnToPkcs11Uri,
   tryBundledKeyservice,
   upsertRequest,
   validateAgePublicKey,
+  validateAwsKmsArn,
   validatePackedArtifact,
   validateResetScope,
   verifySignature,
+  wrapWithLinuxStdinFifo,
   writeManifestYaml,
   writeManifestYamlRaw,
   writeSchema,