@clef-sh/core 0.1.27 → 0.2.0

package/dist/kms/aws-arn.d.ts

@@ -0,0 +1,29 @@
+/**
+ * AWS KMS ARN validator with specific failure reasons.
+ *
+ * The parser already used a single regex (`AWS_KMS_ARN_PATTERN`) to accept-or-
+ * reject keyIds, but the failure message was generic. This validator walks the
+ * ARN segment-by-segment and returns a reason that points at the actual fault
+ * — empty region, malformed account, missing `key/`/`alias/`, etc. — so users
+ * fix the right segment without trial-and-error.
+ *
+ * Accepted forms:
+ *   - `arn:aws:kms:{region}:{account}:key/{key-id}`
+ *   - `arn:aws:kms:{region}:{account}:alias/{name}`
+ *   - `arn:aws-{partition}:kms:...` (gov, cn, etc.)
+ *
+ * Bare key UUIDs and bare aliases are rejected — region must be derivable
+ * from the ARN at synth time.
+ */
+export interface AwsKmsArnValidation {
+    ok: boolean;
+    /** Human-readable reason. Present when `ok` is `false`. */
+    reason?: string;
+}
+/**
+ * Validate an AWS KMS key or alias ARN. Returns `{ ok: true }` on a well-
+ * formed ARN, otherwise `{ ok: false, reason }` with a message that names the
+ * faulty segment.
+ */
+export declare function validateAwsKmsArn(input: unknown): AwsKmsArnValidation;
+//# sourceMappingURL=aws-arn.d.ts.map

package/dist/kms/aws-arn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-arn.d.ts","sourceRoot":"","sources":["../../src/kms/aws-arn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,OAAO,CAAC;IACZ,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB,CA4FrE"}

package/dist/kms/index.d.ts

@@ -1,3 +1,5 @@
 export type { KmsProviderType, KmsWrapResult, KmsProvider } from "./types";
 export { VALID_KMS_PROVIDERS } from "./types";
+export { validateAwsKmsArn } from "./aws-arn";
+export type { AwsKmsArnValidation } from "./aws-arn";
 //# sourceMappingURL=index.d.ts.map

package/dist/kms/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/kms/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/kms/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC"}

package/dist/lint/runner.d.ts

@@ -1,21 +1,21 @@
 import { ClefManifest, LintResult } from "../types";
 import { MatrixManager } from "../matrix/manager";
 import { SchemaValidator } from "../schema/validator";
-import { EncryptionBackend } from "../types";
+import type { Lintable, SecretSource } from "../source/types";
 /**
  * Runs matrix completeness, schema validation, SOPS integrity, and key-drift checks.
  *
  * @example
  * ```ts
- * const runner = new LintRunner(matrixManager, schemaValidator, sopsClient);
+ * const runner = new LintRunner(matrixManager, schemaValidator, source);
  * const result = await runner.run(manifest, repoRoot);
  * ```
  */
 export declare class LintRunner {
     private readonly matrixManager;
     private readonly schemaValidator;
-    private readonly sopsClient;
-    constructor(matrixManager: MatrixManager, schemaValidator: SchemaValidator, sopsClient: EncryptionBackend);
+    private readonly source;
+    constructor(matrixManager: MatrixManager, schemaValidator: SchemaValidator, source: SecretSource & Lintable);
     /**
      * Lint the entire matrix: check missing files, schema errors, SOPS integrity,
      * single-recipient warnings, and cross-environment key drift.
@@ -25,10 +25,10 @@ export declare class LintRunner {
      */
     run(manifest: ClefManifest, repoRoot: string): Promise<LintResult>;
     /**
-     * Cross-reference `.clef-meta.yaml` against the cipher's plaintext key
+     * Cross-reference cell metadata against the cipher's plaintext key
      * names for each existing cell.  Reports orphan rotation records and
-     * dual-state (pending + rotation) inconsistencies.  Uses
-     * {@link readSopsKeyNames} (plaintext YAML parse) — no decryption.
+     * dual-state (pending + rotation) inconsistencies.  Uses the source's
+     * `listKeys` (no decryption).
      */
     private lintMetadataConsistency;
     /**

package/dist/lint/runner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/lint/runner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EAEZ,UAAU,EAIX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAI7C;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAFV,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe,EAChC,UAAU,EAAE,iBAAiB;IAGhD;;;;;;OAMG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAmOxE;;;;;OAKG;YACW,uBAAuB;IAgDrC;;OAEG;YACW,qBAAqB;IAoGnC;;;;;OAKG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAWzE"}
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/lint/runner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EAEZ,UAAU,EAIX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,KAAK,EAAW,QAAQ,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEvE;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe,EAChC,MAAM,EAAE,YAAY,GAAG,QAAQ;IAGlD;;;;;;OAMG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAqOxE;;;;;OAKG;YACW,uBAAuB;IA0DrC;;OAEG;YACW,qBAAqB;IAoGnC;;;;;OAKG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAczE"}

package/dist/manifest/io.d.ts

@@ -8,6 +8,12 @@ export declare function readManifestYaml(repoRoot: string): Record<string, unkno
  * contents — never a half-written file. If the process dies mid-write, the
  * temp file is cleaned up by write-file-atomic's signal-exit handler. Handles
  * Windows EPERM retries internally.
+ *
+ * **Validates before writing.** Any caller producing an invalid manifest
+ * (malformed KMS ARN, bad recipient, missing required field, etc.) gets
+ * rejected here instead of silently persisting corrupt YAML that would later
+ * brick every `clef <command>` invocation. The validation error names the
+ * specific field at fault, so callers can fix the input rather than guessing.
  */
 export declare function writeManifestYaml(repoRoot: string, doc: Record<string, unknown>): void;
 /**

package/dist/manifest/io.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"io.d.ts","sourceRoot":"","sources":["../../src/manifest/io.ts"],"names":[],"mappings":"AAMA,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAG1E;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAGtF;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7E"}
+{"version":3,"file":"io.d.ts","sourceRoot":"","sources":["../../src/manifest/io.ts"],"names":[],"mappings":"AAOA,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAG1E;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAetF;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAG7E"}

package/dist/manifest/parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/manifest/parser.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,YAAY,EAKb,MAAM,UAAU,CAAC;AAGlB;;;GAGG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAC;AA4BlD;;;;;;;;GAQG;AACH,qBAAa,cAAc;IACzB;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAsBrC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY;IA+mBtC;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,GAAG,MAAM,IAAI;CAchF"}
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/manifest/parser.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,YAAY,EAKb,MAAM,UAAU,CAAC;AAIlB;;;GAGG;AACH,eAAO,MAAM,sBAAsB,cAAc,CAAC;AAuBlD;;;;;;;;GAQG;AACH,qBAAa,cAAc;IACzB;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY;IAsBrC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY;IAonBtC;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,GAAG,MAAM,IAAI;CAchF"}

package/dist/matrix/manager.d.ts

@@ -1,5 +1,4 @@
 import { ClefManifest, MatrixCell, MatrixStatus } from "../types";
-import { EncryptionBackend } from "../types";
 /**
  * Resolves and manages the namespace × environment matrix of encrypted files.
  *
@@ -25,28 +24,17 @@ export declare class MatrixManager {
      * @param repoRoot - Absolute path to the repository root.
      */
     detectMissingCells(manifest: ClefManifest, repoRoot: string): MatrixCell[];
-    /**
-     * Create an empty encrypted SOPS file for a missing matrix cell.
-     *
-     * @param cell - The cell to scaffold (must not already exist).
-     * @param sopsClient - SOPS client used to write the initial encrypted file.
-     * @param manifest - Parsed manifest used to determine the encryption backend.
-     */
-    scaffoldCell(cell: MatrixCell, sopsClient: EncryptionBackend, manifest: ClefManifest): Promise<void>;
     /**
      * Read each cell and return key counts, pending counts, and cross-environment issues.
      *
-     * The SOPS client parameter is currently unused — keys are read from the
-     * plaintext YAML structure directly, no decryption needed. It is retained
-     * in the signature for back-compat with callers that may need to swap to a
-     * decrypt-based implementation later (e.g. for backends that don't expose
-     * key names without decryption).
+     * Keys are read from the plaintext YAML structure directly — no
+     * decryption needed. A future backend that doesn't expose key names
+     * without decryption would need its own implementation.
      *
      * @param manifest - Parsed manifest.
      * @param repoRoot - Absolute path to the repository root.
-     * @param _sopsClient - Reserved for future use; pass any `EncryptionBackend`.
      */
-    getMatrixStatus(manifest: ClefManifest, repoRoot: string, _sopsClient: EncryptionBackend): Promise<MatrixStatus[]>;
+    getMatrixStatus(manifest: ClefManifest, repoRoot: string): Promise<MatrixStatus[]>;
     /**
      * Read top-level key names from a SOPS file without decryption.
      * SOPS stores key names in plaintext — only values are encrypted.

package/dist/matrix/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/matrix/manager.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAe,YAAY,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAI7C;;;;;;;;GAQG;AACH,qBAAa,aAAa;IACxB;;;;;;OAMG;IACH,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAsBrE;;;;;OAKG;IACH,kBAAkB,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAI1E;;;;;;OAMG;IACG,YAAY,CAChB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,iBAAiB,EAC7B,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,IAAI,CAAC;IAShB;;;;;;;;;;;;OAYG;IACG,eAAe,CACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,iBAAiB,GAC7B,OAAO,CAAC,YAAY,EAAE,CAAC;IAiE1B;;;OAGG;IACH,OAAO,CAAC,YAAY;IAIpB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAYxB;;;;;OAKG;IACH,sBAAsB,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;CAI7E"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/matrix/manager.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAe,YAAY,EAAE,MAAM,UAAU,CAAC;AAI/E;;;;;;;;GAQG;AACH,qBAAa,aAAa;IACxB;;;;;;OAMG;IACH,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAsBrE;;;;;OAKG;IACH,kBAAkB,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAI1E;;;;;;;;;OASG;IACG,eAAe,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAiExF;;;OAGG;IACH,OAAO,CAAC,YAAY;IAIpB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAYxB;;;;;OAKG;IACH,sBAAsB,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;CAI7E"}

package/dist/merge/driver.d.ts

@@ -1,4 +1,4 @@
-import { EncryptionBackend } from "../types";
+import { MergeDecrypter } from "../types";
 /** Status of a single key in a three-way merge. */
 export type MergeKeyStatus = "unchanged" | "ours" | "theirs" | "both_added" | "conflict";
 /** One key's resolution in the three-way merge. */
@@ -43,7 +43,7 @@ export interface MergeResult {
  */
 export declare class SopsMergeDriver {
     private readonly sopsClient;
-    constructor(sopsClient: EncryptionBackend);
+    constructor(sopsClient: MergeDecrypter);
     /**
      * Perform a three-way merge on three in-memory key/value maps.
      *

package/dist/merge/driver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"driver.d.ts","sourceRoot":"","sources":["../../src/merge/driver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7C,mDAAmD;AACnD,MAAM,MAAM,cAAc,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,YAAY,GAAG,UAAU,CAAC;AAEzF,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,cAAc,CAAC;IACvB,oGAAoG;IACpG,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,6EAA6E;IAC7E,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,wEAAwE;IACxE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,4EAA4E;IAC5E,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,mCAAmC;AACnC,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,KAAK,EAAE,OAAO,CAAC;IACf,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,kCAAkC;IAClC,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,0EAA0E;IAC1E,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,iBAAiB;IAE1D;;;;;;;;;OASG;IACH,KAAK,CACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,WAAW;IAoEd;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CAS/F"}
+{"version":3,"file":"driver.d.ts","sourceRoot":"","sources":["../../src/merge/driver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C,mDAAmD;AACnD,MAAM,MAAM,cAAc,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,YAAY,GAAG,UAAU,CAAC;AAEzF,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,cAAc,CAAC;IACvB,oGAAoG;IACpG,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,6EAA6E;IAC7E,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,wEAAwE;IACxE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,4EAA4E;IAC5E,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,mCAAmC;AACnC,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,KAAK,EAAE,OAAO,CAAC;IACf,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,kCAAkC;IAClC,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,0EAA0E;IAC1E,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,cAAc;IAEvD;;;;;;;;;OASG;IACH,KAAK,CACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,WAAW;IAoEd;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CAS/F"}

package/dist/merge/metadata-driver.d.ts

@@ -8,10 +8,11 @@
  */
 export declare function mergeMetadataContents(oursContent: string, theirsContent: string): string;
 /**
- * Filesystem wrapper around {@link mergeMetadataContents}.  Reads ours and
- * theirs, writes the merged result back to `oursPath` (the conventional
- * destination git passes as `%A`).  Does not read `basePath` — see the
- * merge algorithm's docstring for why a base revision is not needed.
+ * Filesystem wrapper around `mergeMetadataContents` (internal).  Reads
+ * ours and theirs, writes the merged result back to `oursPath` (the
+ * conventional destination git passes as `%A`).  Does not read
+ * `basePath` — see the merge algorithm's docstring for why a base
+ * revision is not needed.
  */
 export declare function mergeMetadataFiles(_basePath: string, oursPath: string, theirsPath: string): void;
 //# sourceMappingURL=metadata-driver.d.ts.map

package/dist/merge/metadata-driver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"metadata-driver.d.ts","sourceRoot":"","sources":["../../src/merge/metadata-driver.ts"],"names":[],"mappings":"AAgNA;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAQxF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAKhG"}
+{"version":3,"file":"metadata-driver.d.ts","sourceRoot":"","sources":["../../src/merge/metadata-driver.ts"],"names":[],"mappings":"AAgNA;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAQxF;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAKhG"}

package/dist/migration/backend.d.ts

@@ -1,4 +1,5 @@
-import { BackendType, ClefManifest, EncryptionBackend, EnvironmentSopsOverride } from "../types";
+import { BackendType, ClefManifest, EnvironmentSopsOverride } from "../types";
+import type { SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { TransactionManager } from "../tx";
 export interface MigrationTarget {
@@ -43,19 +44,21 @@ export declare const BACKEND_KEY_FIELDS: Record<BackendType, keyof EnvironmentSo
  */
 export declare function buildSopsOverride(backend: BackendType, key: string | undefined): EnvironmentSopsOverride;
 export declare class BackendMigrator {
+    private readonly buildSource;
     private readonly matrixManager;
     private readonly tx;
-    private readonly decryptBackend;
-    private readonly encryptBackend;
     /**
-     * @param encryption - Backend used for both decrypt and encrypt (standard case).
+     * @param buildSource - Factory that builds a `SecretSource` bound to a
+     *   given manifest. Called twice during a real migration: once with the
+     *   pre-migration manifest (for classification + decrypt) and once with
+     *   the post-mutation manifest (for re-encrypt + verify). The factory
+     *   pattern is required because the encryption layer of a composed
+     *   source is bound to a manifest at construction.
      * @param matrixManager - Matrix resolver.
      * @param tx - Transaction manager that wraps the migration in a single git commit
      *   so a partial failure rolls back ALL files + the manifest via `git reset --hard`.
-     * @param targetEncryption - Optional separate backend for encrypt. Use when migrating
-     *   from cloud (decrypt via keyservice) to another backend (encrypt via local credentials).
      */
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager, targetEncryption?: EncryptionBackend);
+    constructor(buildSource: (manifest: ClefManifest) => SecretSource, matrixManager: MatrixManager, tx: TransactionManager);
     migrate(manifest: ClefManifest, repoRoot: string, options: MigrationOptions, onProgress?: (event: MigrationProgressEvent) => void): Promise<MigrationResult>;
     private updateManifestDoc;
     private checkAgeRecipientsWarning;

package/dist/migration/backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAO7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAcxB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;OAOG;gBAED,UAAU,EAAE,iBAAiB,EACZ,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB,EACvC,gBAAgB,CAAC,EAAE,iBAAiB;IAMhC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IAoL3B,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}
+{"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAO7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAaxB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB;;;;;;;;;;OAUG;gBAEgB,WAAW,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,YAAY,EACrD,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGnC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IA0M3B,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}

package/dist/pack/backends/json-envelope.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"json-envelope.d.ts","sourceRoot":"","sources":["../../../src/pack/backends/json-envelope.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5E;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,iFAAiF;IACjF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,QAAQ,CAAC,EAAE,mBAAmB;IAC9B,QAAQ,CAAC,WAAW,sEAAsE;IAE1F,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAY7C,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC;CA8BzD"}
+{"version":3,"file":"json-envelope.d.ts","sourceRoot":"","sources":["../../../src/pack/backends/json-envelope.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5E;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,iFAAiF;IACjF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,QAAQ,CAAC,EAAE,mBAAmB;IAC9B,QAAQ,CAAC,WAAW,sEAAsE;IAE1F,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAY7C,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC;CA0BzD"}

package/dist/pack/types.d.ts

@@ -1,13 +1,19 @@
-import type { ClefManifest, EncryptionBackend, SubprocessRunner } from "../types";
+import type { ClefManifest, SubprocessRunner } from "../types";
 import type { KmsProvider } from "../kms";
 import type { PackResult } from "../artifact/types";
+import type { SecretSource } from "../source/types";
 /**
  * Shared services a PackBackend may use. A backend is free to ignore any
  * field it does not need.
  */
 export interface PackServices {
-    /** Decryption/encryption of SOPS source files in the matrix. */
-    encryption: EncryptionBackend;
+    /**
+     * Plaintext-cell access to the matrix. Backends call `source.readCell`
+     * (typically via the shared `resolveIdentitySecrets` helper) to fetch
+     * decrypted values for an identity's scoped namespaces × environment.
+     * Encryption substrate is opaque to the backend.
+     */
+    source: SecretSource;
     /** KMS provider, already constructed. Undefined when the manifest does not require one. */
     kms?: KmsProvider;
     /** For subprocess access (git, external CLIs). Prefer this over child_process. */

package/dist/pack/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/pack/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAClF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAEpD;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gEAAgE;IAChE,UAAU,EAAE,iBAAiB,CAAC;IAC9B,2FAA2F;IAC3F,GAAG,CAAC,EAAE,WAAW,CAAC;IAClB,kFAAkF;IAClF,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,QAAQ,EAAE,YAAY,CAAC;IACvB,8EAA8E;IAC9E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,oFAAoF;IACpF,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACrD;;;OAGG;IACH,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;CACpD;AAED,gEAAgE;AAChE,MAAM,MAAM,kBAAkB,GAAG,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/pack/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;;OAKG;IACH,MAAM,EAAE,YAAY,CAAC;IACrB,2FAA2F;IAC3F,GAAG,CAAC,EAAE,WAAW,CAAC;IAClB,kFAAkF;IAClF,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,QAAQ,EAAE,YAAY,CAAC;IACvB,8EAA8E;IAC9E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,oFAAoF;IACpF,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACrD;;;OAGG;IACH,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;CACpD;AAED,gEAAgE;AAChE,MAAM,MAAM,kBAAkB,GAAG,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC"}

package/dist/pending/metadata.d.ts

@@ -21,8 +21,6 @@ interface CellMetadata {
     pending: PendingKey[];
     rotations: RotationRecord[];
 }
-/** @deprecated Use {@link CellMetadata}.  Retained for external import compatibility. */
-type PendingMetadata = CellMetadata;
 /**
  * Derive the `.clef-meta.yaml` path from an `.enc.yaml` path.
  * Example: `database/dev.enc.yaml` → `database/dev.clef-meta.yaml`
@@ -67,5 +65,5 @@ declare function generateRandomValue(): string;
  * Same as {@link markPending} but retries once after `retryDelayMs` on transient failure.
  */
 declare function markPendingWithRetry(filePath: string, keys: string[], setBy: string, retryDelayMs?: number): Promise<void>;
-export { PendingKey, RotationRecord, CellMetadata, PendingMetadata, metadataPath, loadMetadata, saveMetadata, markPending, markPendingWithRetry, markResolved, getPendingKeys, isPending, recordRotation, removeRotation, getRotations, generateRandomValue, };
+export { PendingKey, RotationRecord, CellMetadata, metadataPath, loadMetadata, saveMetadata, markPending, markPendingWithRetry, markResolved, getPendingKeys, isPending, recordRotation, removeRotation, getRotations, generateRandomValue, };
 //# sourceMappingURL=metadata.d.ts.map

package/dist/pending/metadata.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/pending/metadata.ts"],"names":[],"mappings":"AAoCA,UAAU,UAAU;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,IAAI,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,IAAI,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,UAAU,YAAY;IACpB,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,SAAS,EAAE,cAAc,EAAE,CAAC;CAC7B;AAED,yFAAyF;AACzF,KAAK,eAAe,GAAG,YAAY,CAAC;AAEpC;;;GAGG;AACH,iBAAS,YAAY,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAIvD;AAQD,yGAAyG;AACzG,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiDnE;AAED,qEAAqE;AACrE,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBnF;AAED;;;GAGG;AACH,iBAAe,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED,8EAA8E;AAC9E,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI3E;AAED,wFAAwF;AACxF,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAGjE;AAED,oFAAoF;AACpF,iBAAe,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGxE;AAED;;;;;;;;GAQG;AACH,iBAAe,cAAc,CAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,EAAE,MAAM,EACjB,GAAG,GAAE,IAAiB,GACrB,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;GAIG;AACH,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI7E;AAED,mFAAmF;AACnF,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAGvE;AAED,kGAAkG;AAClG,iBAAS,mBAAmB,IAAI,MAAM,CAErC;AAED;;GAEG;AACH,iBAAe,oBAAoB,CACjC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,EACb,YAAY,SAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED,OAAO,EACL,UAAU,EACV,cAAc,EACd,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,cAAc,EACd,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,CAAC"}
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/pending/metadata.ts"],"names":[],"mappings":"AAoCA,UAAU,UAAU;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,IAAI,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,IAAI,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,UAAU,YAAY;IACpB,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,SAAS,EAAE,cAAc,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,iBAAS,YAAY,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAIvD;AAQD,yGAAyG;AACzG,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiDnE;AAED,qEAAqE;AACrE,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBnF;AAED;;;GAGG;AACH,iBAAe,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED,8EAA8E;AAC9E,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI3E;AAED,wFAAwF;AACxF,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAGjE;AAED,oFAAoF;AACpF,iBAAe,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGxE;AAED;;;;;;;;GAQG;AACH,iBAAe,cAAc,CAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,EAAE,MAAM,EACjB,GAAG,GAAE,IAAiB,GACrB,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;GAIG;AACH,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI7E;AAED,mFAAmF;AACnF,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAGvE;AAED,kGAAkG;AAClG,iBAAS,mBAAmB,IAAI,MAAM,CAErC;AAED;;GAEG;AACH,iBAAe,oBAAoB,CACjC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,EACb,YAAY,SAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED,OAAO,EACL,UAAU,EACV,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,cAAc,EACd,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,CAAC"}

package/dist/recipients/index.d.ts

@@ -1,4 +1,5 @@
-import { ClefManifest, EncryptionBackend } from "../types";
+import { ClefManifest } from "../types";
+import type { Rotatable, SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { TransactionManager } from "../tx";
 export interface Recipient {
@@ -28,10 +29,10 @@ export interface RecipientsResult {
  * ```
  */
 export declare class RecipientManager {
-    private readonly encryption;
+    private readonly source;
     private readonly matrixManager;
     private readonly tx;
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager);
+    constructor(source: SecretSource & Rotatable, matrixManager: MatrixManager, tx: TransactionManager);
     /**
      * List all age recipients declared in the manifest.
      *

package/dist/recipients/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipients/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAsFD;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAchG;;;;;;;;;;OAUG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IA0E5B;;;;;;;;;;OAUG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;CAiE7B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipients/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,KAAK,EAAW,SAAS,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAsFD;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,MAAM,EAAE,YAAY,GAAG,SAAS,EAChC,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAchG;;;;;;;;;;OAUG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IA2E5B;;;;;;;;;;OAUG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;CAkE7B"}

package/dist/report/generator.d.ts

@@ -1,6 +1,7 @@
-import { ClefReport, EncryptionBackend, SubprocessRunner } from "../types";
+import { ClefReport, SubprocessRunner } from "../types";
 import { MatrixManager } from "../matrix/manager";
 import { SchemaValidator } from "../schema/validator";
+import type { Lintable, SecretSource } from "../source/types";
 /**
  * Orchestrates all data-gathering for a `clef report` invocation.
  * Matrix key counts are read from SOPS YAML directly (no decryption).
@@ -8,10 +9,10 @@ import { SchemaValidator } from "../schema/validator";
  */
 export declare class ReportGenerator {
     private readonly runner;
-    private readonly sopsClient;
+    private readonly source;
     private readonly matrixManager;
     private readonly schemaValidator;
-    constructor(runner: SubprocessRunner, sopsClient: EncryptionBackend, matrixManager: MatrixManager, schemaValidator: SchemaValidator);
+    constructor(runner: SubprocessRunner, source: SecretSource & Lintable, matrixManager: MatrixManager, schemaValidator: SchemaValidator);
     /**
      * Generate a full {@link ClefReport} for the given repository root.
      * Each section gathers data independently — partial failures return empty

package/dist/report/generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,UAAU,EAEV,iBAAiB,EAQjB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAOtD;;;;GAIG;AACH,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAHf,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe;IAGnD;;;;;;;;OAQG;IACG,QAAQ,CACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GACrE,OAAO,CAAC,UAAU,CAAC;YAwCR,iBAAiB;IAwD/B,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,sBAAsB;YAiBhB,gBAAgB;YAuBhB,SAAS;IA8CvB,OAAO,CAAC,YAAY;YAIN,WAAW;IAUzB,OAAO,CAAC,eAAe;IAmCvB,OAAO,CAAC,kBAAkB;CAM3B"}
+{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,UAAU,EASV,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAKtD,OAAO,KAAK,EAAW,QAAQ,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEvE;;;;GAIG;AACH,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAHf,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,YAAY,GAAG,QAAQ,EAC/B,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe;IAGnD;;;;;;;;OAQG;IACG,QAAQ,CACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GACrE,OAAO,CAAC,UAAU,CAAC;YAwCR,iBAAiB;IAwD/B,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,sBAAsB;YAiBhB,gBAAgB;YAuBhB,SAAS;IA+CvB,OAAO,CAAC,YAAY;YAIN,WAAW;IAUzB,OAAO,CAAC,eAAe;IAmCvB,OAAO,CAAC,kBAAkB;CAM3B"}

package/dist/reset/manager.d.ts

@@ -1,4 +1,5 @@
-import { BackendType, ClefManifest, EncryptionBackend } from "../types";
+import { BackendType, ClefManifest } from "../types";
+import type { SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { SchemaValidator } from "../schema/validator";
 import { TransactionManager } from "../tx";
@@ -68,10 +69,27 @@ export interface ResetResult {
  */
 export declare class ResetManager {
     private readonly matrixManager;
-    private readonly encryption;
+    /**
+     * Factory rather than a single instance because reset can swap the
+     * SOPS backend mid-transaction (`opts.backend`).  The encryption
+     * layer of a composed source is bound to a manifest at construction,
+     * so writing cells under the *new* backend requires a fresh source.
+     * Callers pass `(m) => composeSecretSource(storage(m), enc, m)` (or
+     * equivalent) so the manager can recompose after the manifest swap.
+     */
+    private readonly buildSource;
     private readonly schemaValidator;
     private readonly tx;
-    constructor(matrixManager: MatrixManager, encryption: EncryptionBackend, schemaValidator: SchemaValidator, tx: TransactionManager);
+    constructor(matrixManager: MatrixManager, 
+    /**
+     * Factory rather than a single instance because reset can swap the
+     * SOPS backend mid-transaction (`opts.backend`).  The encryption
+     * layer of a composed source is bound to a manifest at construction,
+     * so writing cells under the *new* backend requires a fresh source.
+     * Callers pass `(m) => composeSecretSource(storage(m), enc, m)` (or
+     * equivalent) so the manager can recompose after the manifest swap.
+     */
+    buildSource: (manifest: ClefManifest) => SecretSource, schemaValidator: SchemaValidator, tx: TransactionManager);
     reset(opts: ResetOptions, manifest: ClefManifest, repoRoot: string): Promise<ResetResult>;
     /**
      * Resolve the scope into an explicit list of cells. Assumes the scope has

package/dist/reset/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/reset/manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAc,MAAM,UAAU,CAAC;AACpF,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAItD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAG3C;;;GAGG;AACH,MAAM,MAAM,UAAU,GAClB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7D,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,CAAC;IAClB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAHF,aAAa,EAAE,aAAa,EAC5B,UAAU,EAAE,iBAAiB,EAC7B,eAAe,EAAE,eAAe,EAChC,EAAE,EAAE,kBAAkB;IAGnC,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAwF/F;;;;;;;OAOG;IACH,OAAO,CAAC,YAAY;IAcpB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAQzB;;;;;;;OAOG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAED,kFAAkF;AAClF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CASvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE;IAAE,YAAY,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAAC,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,GAC7E,IAAI,CA2BN"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/reset/manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAc,MAAM,UAAU,CAAC;AACjE,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAItD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAG3C;;;GAGG;AACH,MAAM,MAAM,UAAU,GAClB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7D,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,CAAC;IAClB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B;;;;;;;OAOG;IACH,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAXF,aAAa,EAAE,aAAa;IAC7C;;;;;;;OAOG;IACc,WAAW,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,YAAY,EACrD,eAAe,EAAE,eAAe,EAChC,EAAE,EAAE,kBAAkB;IAGnC,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAwF/F;;;;;;;OAOG;IACH,OAAO,CAAC,YAAY;IAcpB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAQzB;;;;;;;OAOG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAED,kFAAkF;AAClF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CASvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE;IAAE,YAAY,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAAC,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,GAC7E,IAAI,CA2BN"}

package/dist/service-identity/manager.d.ts

@@ -1,4 +1,5 @@
-import { ClefManifest, EncryptionBackend, KmsConfig, ServiceIdentityDefinition, ServiceIdentityDriftIssue } from "../types";
+import { ClefManifest, KmsConfig, ServiceIdentityDefinition, ServiceIdentityDriftIssue } from "../types";
+import type { Rotatable, SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { TransactionManager } from "../tx";
 /** Options for creating a new service identity. */
@@ -26,10 +27,12 @@ export interface CreateServiceIdentityOptions {
  * ```
  */
 export declare class ServiceIdentityManager {
-    private readonly encryption;
+    private readonly source;
     private readonly matrixManager;
     private readonly tx;
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager);
+    constructor(source: SecretSource & Rotatable, matrixManager: MatrixManager, tx: TransactionManager);
+    /** Helper: cell → ref for the source seam. */
+    private ref;
     /**
      * Compute repo-relative paths for a set of cells plus the manifest. Used
      * to seed TransactionManager.run's `paths` argument.

package/dist/service-identity/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/service-identity/manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,SAAS,EAET,yBAAyB,EACzB,yBAAyB,EAG1B,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,mDAAmD;AACnD,MAAM,WAAW,4BAA4B;IAC3C,2EAA2E;IAC3E,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,2EAA2E;IAC3E,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAsB;IAE/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;OAGG;IACH,OAAO,CAAC,OAAO;IAIf;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,4BAA4B,GACrC,OAAO,CAAC;QACT,QAAQ,EAAE,yBAAyB,CAAC;QACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;IAkFF;;OAEG;IACH,IAAI,CAAC,QAAQ,EAAE,YAAY,GAAG,yBAAyB,EAAE;IAIzD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,yBAAyB,GAAG,SAAS;IAIhF;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCnF;;;;OAIG;IACG,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EACxC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IA4DnD;;;OAGG;IACG,kBAAkB,CACtB,QAAQ,EAAE,yBAAyB,EACnC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA4BhB;;;;;;;;OAQG;IACG,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,eAAe,EAAE,MAAM,EAAE,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAkExD;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,IAAI,EAAE,MAAM,EACZ,kBAAkB,EAAE,MAAM,EAAE,EAC5B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAgE1D;;;;;;;;;;;;;;;;;OAiBG;IACG,qBAAqB,CACzB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,SAAS,GACpB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IAuE9C;;;;;;;;OAQG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuFlC;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC;CAuG/F"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/service-identity/manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,SAAS,EAET,yBAAyB,EACzB,yBAAyB,EAG1B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAW,SAAS,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,mDAAmD;AACnD,MAAM,WAAW,4BAA4B;IAC3C,2EAA2E;IAC3E,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,2EAA2E;IAC3E,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAsB;IAE/B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,MAAM,EAAE,YAAY,GAAG,SAAS,EAChC,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC,8CAA8C;IAC9C,OAAO,CAAC,GAAG;IAIX;;;OAGG;IACH,OAAO,CAAC,OAAO;IAIf;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,4BAA4B,GACrC,OAAO,CAAC;QACT,QAAQ,EAAE,yBAAyB,CAAC;QACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;IAkFF;;OAEG;IACH,IAAI,CAAC,QAAQ,EAAE,YAAY,GAAG,yBAAyB,EAAE;IAIzD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,yBAAyB,GAAG,SAAS;IAIhF;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCnF;;;;OAIG;IACG,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EACxC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IA4DnD;;;OAGG;IACG,kBAAkB,CACtB,QAAQ,EAAE,yBAAyB,EACnC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA4BhB;;;;;;;;OAQG;IACG,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,eAAe,EAAE,MAAM,EAAE,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAkExD;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,IAAI,EAAE,MAAM,EACZ,kBAAkB,EAAE,MAAM,EAAE,EAC5B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAgE1D;;;;;;;;;;;;;;;;;OAiBG;IACG,qBAAqB,CACzB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,SAAS,GACpB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IAuE9C;;;;;;;;OAQG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuFlC;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC;CAuG/F"}