@clef-sh/core 0.1.28 → 0.3.0

package/dist/lint/runner.d.ts

@@ -1,21 +1,21 @@
 import { ClefManifest, LintResult } from "../types";
 import { MatrixManager } from "../matrix/manager";
 import { SchemaValidator } from "../schema/validator";
-import { EncryptionBackend } from "../types";
+import type { Lintable, SecretSource } from "../source/types";
 /**
  * Runs matrix completeness, schema validation, SOPS integrity, and key-drift checks.
  *
  * @example
  * ```ts
- * const runner = new LintRunner(matrixManager, schemaValidator, sopsClient);
+ * const runner = new LintRunner(matrixManager, schemaValidator, source);
  * const result = await runner.run(manifest, repoRoot);
  * ```
  */
 export declare class LintRunner {
     private readonly matrixManager;
     private readonly schemaValidator;
-    private readonly sopsClient;
-    constructor(matrixManager: MatrixManager, schemaValidator: SchemaValidator, sopsClient: EncryptionBackend);
+    private readonly source;
+    constructor(matrixManager: MatrixManager, schemaValidator: SchemaValidator, source: SecretSource & Lintable);
     /**
      * Lint the entire matrix: check missing files, schema errors, SOPS integrity,
      * single-recipient warnings, and cross-environment key drift.
@@ -25,10 +25,10 @@ export declare class LintRunner {
      */
     run(manifest: ClefManifest, repoRoot: string): Promise<LintResult>;
     /**
-     * Cross-reference `.clef-meta.yaml` against the cipher's plaintext key
+     * Cross-reference cell metadata against the cipher's plaintext key
      * names for each existing cell.  Reports orphan rotation records and
-     * dual-state (pending + rotation) inconsistencies.  Uses
-     * {@link readSopsKeyNames} (plaintext YAML parse) — no decryption.
+     * dual-state (pending + rotation) inconsistencies.  Uses the source's
+     * `listKeys` (no decryption).
      */
     private lintMetadataConsistency;
     /**

package/dist/lint/runner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/lint/runner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EAEZ,UAAU,EAIX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAI7C;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAFV,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe,EAChC,UAAU,EAAE,iBAAiB;IAGhD;;;;;;OAMG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAmOxE;;;;;OAKG;YACW,uBAAuB;IAgDrC;;OAEG;YACW,qBAAqB;IAoGnC;;;;;OAKG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAWzE"}
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/lint/runner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EAEZ,UAAU,EAIX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,KAAK,EAAW,QAAQ,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEvE;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe,EAChC,MAAM,EAAE,YAAY,GAAG,QAAQ;IAGlD;;;;;;OAMG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAqOxE;;;;;OAKG;YACW,uBAAuB;IA0DrC;;OAEG;YACW,qBAAqB;IAoGnC;;;;;OAKG;IACG,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAczE"}

package/dist/matrix/manager.d.ts

@@ -1,5 +1,4 @@
 import { ClefManifest, MatrixCell, MatrixStatus } from "../types";
-import { EncryptionBackend } from "../types";
 /**
  * Resolves and manages the namespace × environment matrix of encrypted files.
  *
@@ -25,28 +24,17 @@ export declare class MatrixManager {
      * @param repoRoot - Absolute path to the repository root.
      */
     detectMissingCells(manifest: ClefManifest, repoRoot: string): MatrixCell[];
-    /**
-     * Create an empty encrypted SOPS file for a missing matrix cell.
-     *
-     * @param cell - The cell to scaffold (must not already exist).
-     * @param sopsClient - SOPS client used to write the initial encrypted file.
-     * @param manifest - Parsed manifest used to determine the encryption backend.
-     */
-    scaffoldCell(cell: MatrixCell, sopsClient: EncryptionBackend, manifest: ClefManifest): Promise<void>;
     /**
      * Read each cell and return key counts, pending counts, and cross-environment issues.
      *
-     * The SOPS client parameter is currently unused — keys are read from the
-     * plaintext YAML structure directly, no decryption needed. It is retained
-     * in the signature for back-compat with callers that may need to swap to a
-     * decrypt-based implementation later (e.g. for backends that don't expose
-     * key names without decryption).
+     * Keys are read from the plaintext YAML structure directly — no
+     * decryption needed. A future backend that doesn't expose key names
+     * without decryption would need its own implementation.
      *
      * @param manifest - Parsed manifest.
      * @param repoRoot - Absolute path to the repository root.
-     * @param _sopsClient - Reserved for future use; pass any `EncryptionBackend`.
      */
-    getMatrixStatus(manifest: ClefManifest, repoRoot: string, _sopsClient: EncryptionBackend): Promise<MatrixStatus[]>;
+    getMatrixStatus(manifest: ClefManifest, repoRoot: string): Promise<MatrixStatus[]>;
     /**
      * Read top-level key names from a SOPS file without decryption.
      * SOPS stores key names in plaintext — only values are encrypted.

package/dist/matrix/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/matrix/manager.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAe,YAAY,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAI7C;;;;;;;;GAQG;AACH,qBAAa,aAAa;IACxB;;;;;;OAMG;IACH,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAsBrE;;;;;OAKG;IACH,kBAAkB,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAI1E;;;;;;OAMG;IACG,YAAY,CAChB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,iBAAiB,EAC7B,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,IAAI,CAAC;IAShB;;;;;;;;;;;;OAYG;IACG,eAAe,CACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,iBAAiB,GAC7B,OAAO,CAAC,YAAY,EAAE,CAAC;IAiE1B;;;OAGG;IACH,OAAO,CAAC,YAAY;IAIpB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAYxB;;;;;OAKG;IACH,sBAAsB,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;CAI7E"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/matrix/manager.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAe,YAAY,EAAE,MAAM,UAAU,CAAC;AAI/E;;;;;;;;GAQG;AACH,qBAAa,aAAa;IACxB;;;;;;OAMG;IACH,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAsBrE;;;;;OAKG;IACH,kBAAkB,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE;IAI1E;;;;;;;;;OASG;IACG,eAAe,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAiExF;;;OAGG;IACH,OAAO,CAAC,YAAY;IAIpB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAYxB;;;;;OAKG;IACH,sBAAsB,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;CAI7E"}

package/dist/merge/driver.d.ts

@@ -1,4 +1,4 @@
-import { EncryptionBackend } from "../types";
+import { MergeDecrypter } from "../types";
 /** Status of a single key in a three-way merge. */
 export type MergeKeyStatus = "unchanged" | "ours" | "theirs" | "both_added" | "conflict";
 /** One key's resolution in the three-way merge. */
@@ -43,7 +43,7 @@ export interface MergeResult {
  */
 export declare class SopsMergeDriver {
     private readonly sopsClient;
-    constructor(sopsClient: EncryptionBackend);
+    constructor(sopsClient: MergeDecrypter);
     /**
      * Perform a three-way merge on three in-memory key/value maps.
      *

package/dist/merge/driver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"driver.d.ts","sourceRoot":"","sources":["../../src/merge/driver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7C,mDAAmD;AACnD,MAAM,MAAM,cAAc,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,YAAY,GAAG,UAAU,CAAC;AAEzF,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,cAAc,CAAC;IACvB,oGAAoG;IACpG,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,6EAA6E;IAC7E,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,wEAAwE;IACxE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,4EAA4E;IAC5E,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,mCAAmC;AACnC,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,KAAK,EAAE,OAAO,CAAC;IACf,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,kCAAkC;IAClC,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,0EAA0E;IAC1E,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,iBAAiB;IAE1D;;;;;;;;;OASG;IACH,KAAK,CACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,WAAW;IAoEd;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CAS/F"}
+{"version":3,"file":"driver.d.ts","sourceRoot":"","sources":["../../src/merge/driver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C,mDAAmD;AACnD,MAAM,MAAM,cAAc,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,YAAY,GAAG,UAAU,CAAC;AAEzF,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,cAAc,CAAC;IACvB,oGAAoG;IACpG,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,6EAA6E;IAC7E,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,wEAAwE;IACxE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,4EAA4E;IAC5E,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,mCAAmC;AACnC,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,KAAK,EAAE,OAAO,CAAC;IACf,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,kCAAkC;IAClC,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,0EAA0E;IAC1E,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,cAAc;IAEvD;;;;;;;;;OASG;IACH,KAAK,CACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7B,WAAW;IAoEd;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CAS/F"}

package/dist/merge/metadata-driver.d.ts

@@ -8,10 +8,11 @@
  */
 export declare function mergeMetadataContents(oursContent: string, theirsContent: string): string;
 /**
- * Filesystem wrapper around {@link mergeMetadataContents}.  Reads ours and
- * theirs, writes the merged result back to `oursPath` (the conventional
- * destination git passes as `%A`).  Does not read `basePath` — see the
- * merge algorithm's docstring for why a base revision is not needed.
+ * Filesystem wrapper around `mergeMetadataContents` (internal).  Reads
+ * ours and theirs, writes the merged result back to `oursPath` (the
+ * conventional destination git passes as `%A`).  Does not read
+ * `basePath` — see the merge algorithm's docstring for why a base
+ * revision is not needed.
  */
 export declare function mergeMetadataFiles(_basePath: string, oursPath: string, theirsPath: string): void;
 //# sourceMappingURL=metadata-driver.d.ts.map

package/dist/merge/metadata-driver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"metadata-driver.d.ts","sourceRoot":"","sources":["../../src/merge/metadata-driver.ts"],"names":[],"mappings":"AAgNA;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAQxF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAKhG"}
+{"version":3,"file":"metadata-driver.d.ts","sourceRoot":"","sources":["../../src/merge/metadata-driver.ts"],"names":[],"mappings":"AAgNA;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAQxF;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAKhG"}

package/dist/migration/backend.d.ts

@@ -1,4 +1,5 @@
-import { BackendType, ClefManifest, EncryptionBackend, EnvironmentSopsOverride } from "../types";
+import { BackendType, ClefManifest, EnvironmentSopsOverride } from "../types";
+import type { SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { TransactionManager } from "../tx";
 export interface MigrationTarget {
@@ -43,19 +44,21 @@ export declare const BACKEND_KEY_FIELDS: Record<BackendType, keyof EnvironmentSo
  */
 export declare function buildSopsOverride(backend: BackendType, key: string | undefined): EnvironmentSopsOverride;
 export declare class BackendMigrator {
+    private readonly buildSource;
     private readonly matrixManager;
     private readonly tx;
-    private readonly decryptBackend;
-    private readonly encryptBackend;
     /**
-     * @param encryption - Backend used for both decrypt and encrypt (standard case).
+     * @param buildSource - Factory that builds a `SecretSource` bound to a
+     *   given manifest. Called twice during a real migration: once with the
+     *   pre-migration manifest (for classification + decrypt) and once with
+     *   the post-mutation manifest (for re-encrypt + verify). The factory
+     *   pattern is required because the encryption layer of a composed
+     *   source is bound to a manifest at construction.
      * @param matrixManager - Matrix resolver.
      * @param tx - Transaction manager that wraps the migration in a single git commit
      *   so a partial failure rolls back ALL files + the manifest via `git reset --hard`.
-     * @param targetEncryption - Optional separate backend for encrypt. Use when migrating
-     *   from cloud (decrypt via keyservice) to another backend (encrypt via local credentials).
      */
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager, targetEncryption?: EncryptionBackend);
+    constructor(buildSource: (manifest: ClefManifest) => SecretSource, matrixManager: MatrixManager, tx: TransactionManager);
     migrate(manifest: ClefManifest, repoRoot: string, options: MigrationOptions, onProgress?: (event: MigrationProgressEvent) => void): Promise<MigrationResult>;
     private updateManifestDoc;
     private checkAgeRecipientsWarning;

package/dist/migration/backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAO7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAcxB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IACnD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;OAOG;gBAED,UAAU,EAAE,iBAAiB,EACZ,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB,EACvC,gBAAgB,CAAC,EAAE,iBAAiB;IAMhC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IAwM3B,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}
+{"version":3,"file":"backend.d.ts","sourceRoot":"","sources":["../../src/migration/backend.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,uBAAuB,EAGxB,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,uBAAuB,GAAG,SAAS,CAO7F,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,GAAG,EAAE,MAAM,GAAG,SAAS,GACtB,uBAAuB,CAOzB;AAUD,qBAAa,eAAe;IAaxB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAdrB;;;;;;;;;;OAUG;gBAEgB,WAAW,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,YAAY,EACrD,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGnC,OAAO,CACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,gBAAgB,EACzB,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,IAAI,GACnD,OAAO,CAAC,eAAe,CAAC;IA0M3B,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;CAmBlC"}

package/dist/pack/backends/json-envelope.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"json-envelope.d.ts","sourceRoot":"","sources":["../../../src/pack/backends/json-envelope.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5E;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,iFAAiF;IACjF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,QAAQ,CAAC,EAAE,mBAAmB;IAC9B,QAAQ,CAAC,WAAW,sEAAsE;IAE1F,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAY7C,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC;CA8BzD"}
+{"version":3,"file":"json-envelope.d.ts","sourceRoot":"","sources":["../../../src/pack/backends/json-envelope.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5E;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,iFAAiF;IACjF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,QAAQ,CAAC,EAAE,mBAAmB;IAC9B,QAAQ,CAAC,WAAW,sEAAsE;IAE1F,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAY7C,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC;CA0BzD"}

package/dist/pack/types.d.ts

@@ -1,13 +1,19 @@
-import type { ClefManifest, EncryptionBackend, SubprocessRunner } from "../types";
+import type { ClefManifest, SubprocessRunner } from "../types";
 import type { KmsProvider } from "../kms";
 import type { PackResult } from "../artifact/types";
+import type { SecretSource } from "../source/types";
 /**
  * Shared services a PackBackend may use. A backend is free to ignore any
  * field it does not need.
  */
 export interface PackServices {
-    /** Decryption/encryption of SOPS source files in the matrix. */
-    encryption: EncryptionBackend;
+    /**
+     * Plaintext-cell access to the matrix. Backends call `source.readCell`
+     * (typically via the shared `resolveIdentitySecrets` helper) to fetch
+     * decrypted values for an identity's scoped namespaces × environment.
+     * Encryption substrate is opaque to the backend.
+     */
+    source: SecretSource;
     /** KMS provider, already constructed. Undefined when the manifest does not require one. */
     kms?: KmsProvider;
     /** For subprocess access (git, external CLIs). Prefer this over child_process. */

package/dist/pack/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/pack/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAClF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAEpD;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gEAAgE;IAChE,UAAU,EAAE,iBAAiB,CAAC;IAC9B,2FAA2F;IAC3F,GAAG,CAAC,EAAE,WAAW,CAAC;IAClB,kFAAkF;IAClF,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,QAAQ,EAAE,YAAY,CAAC;IACvB,8EAA8E;IAC9E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,oFAAoF;IACpF,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACrD;;;OAGG;IACH,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;CACpD;AAED,gEAAgE;AAChE,MAAM,MAAM,kBAAkB,GAAG,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/pack/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;;OAKG;IACH,MAAM,EAAE,YAAY,CAAC;IACrB,2FAA2F;IAC3F,GAAG,CAAC,EAAE,WAAW,CAAC;IAClB,kFAAkF;IAClF,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,QAAQ,EAAE,YAAY,CAAC;IACvB,8EAA8E;IAC9E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,oFAAoF;IACpF,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IACrD;;;OAGG;IACH,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;CACpD;AAED,gEAAgE;AAChE,MAAM,MAAM,kBAAkB,GAAG,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC"}

package/dist/pending/metadata.d.ts

@@ -21,8 +21,6 @@ interface CellMetadata {
     pending: PendingKey[];
     rotations: RotationRecord[];
 }
-/** @deprecated Use {@link CellMetadata}.  Retained for external import compatibility. */
-type PendingMetadata = CellMetadata;
 /**
  * Derive the `.clef-meta.yaml` path from an `.enc.yaml` path.
  * Example: `database/dev.enc.yaml` → `database/dev.clef-meta.yaml`
@@ -67,5 +65,5 @@ declare function generateRandomValue(): string;
  * Same as {@link markPending} but retries once after `retryDelayMs` on transient failure.
  */
 declare function markPendingWithRetry(filePath: string, keys: string[], setBy: string, retryDelayMs?: number): Promise<void>;
-export { PendingKey, RotationRecord, CellMetadata, PendingMetadata, metadataPath, loadMetadata, saveMetadata, markPending, markPendingWithRetry, markResolved, getPendingKeys, isPending, recordRotation, removeRotation, getRotations, generateRandomValue, };
+export { PendingKey, RotationRecord, CellMetadata, metadataPath, loadMetadata, saveMetadata, markPending, markPendingWithRetry, markResolved, getPendingKeys, isPending, recordRotation, removeRotation, getRotations, generateRandomValue, };
 //# sourceMappingURL=metadata.d.ts.map

package/dist/pending/metadata.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/pending/metadata.ts"],"names":[],"mappings":"AAoCA,UAAU,UAAU;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,IAAI,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,IAAI,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,UAAU,YAAY;IACpB,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,SAAS,EAAE,cAAc,EAAE,CAAC;CAC7B;AAED,yFAAyF;AACzF,KAAK,eAAe,GAAG,YAAY,CAAC;AAEpC;;;GAGG;AACH,iBAAS,YAAY,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAIvD;AAQD,yGAAyG;AACzG,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiDnE;AAED,qEAAqE;AACrE,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBnF;AAED;;;GAGG;AACH,iBAAe,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED,8EAA8E;AAC9E,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI3E;AAED,wFAAwF;AACxF,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAGjE;AAED,oFAAoF;AACpF,iBAAe,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGxE;AAED;;;;;;;;GAQG;AACH,iBAAe,cAAc,CAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,EAAE,MAAM,EACjB,GAAG,GAAE,IAAiB,GACrB,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;GAIG;AACH,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI7E;AAED,mFAAmF;AACnF,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAGvE;AAED,kGAAkG;AAClG,iBAAS,mBAAmB,IAAI,MAAM,CAErC;AAED;;GAEG;AACH,iBAAe,oBAAoB,CACjC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,EACb,YAAY,SAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED,OAAO,EACL,UAAU,EACV,cAAc,EACd,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,cAAc,EACd,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,CAAC"}
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/pending/metadata.ts"],"names":[],"mappings":"AAoCA,UAAU,UAAU;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,IAAI,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,IAAI,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,UAAU,YAAY;IACpB,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,SAAS,EAAE,cAAc,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,iBAAS,YAAY,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAIvD;AAQD,yGAAyG;AACzG,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiDnE;AAED,qEAAqE;AACrE,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBnF;AAED;;;GAGG;AACH,iBAAe,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED,8EAA8E;AAC9E,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI3E;AAED,wFAAwF;AACxF,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAGjE;AAED,oFAAoF;AACpF,iBAAe,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGxE;AAED;;;;;;;;GAQG;AACH,iBAAe,cAAc,CAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,EAAE,MAAM,EACjB,GAAG,GAAE,IAAiB,GACrB,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;GAIG;AACH,iBAAe,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAI7E;AAED,mFAAmF;AACnF,iBAAe,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAGvE;AAED,kGAAkG;AAClG,iBAAS,mBAAmB,IAAI,MAAM,CAErC;AAED;;GAEG;AACH,iBAAe,oBAAoB,CACjC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,EACb,YAAY,SAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED,OAAO,EACL,UAAU,EACV,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,SAAS,EACT,cAAc,EACd,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,CAAC"}

package/dist/recipients/index.d.ts

@@ -1,4 +1,5 @@
-import { ClefManifest, EncryptionBackend } from "../types";
+import { ClefManifest } from "../types";
+import type { Rotatable, SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { TransactionManager } from "../tx";
 export interface Recipient {
@@ -28,10 +29,10 @@ export interface RecipientsResult {
  * ```
  */
 export declare class RecipientManager {
-    private readonly encryption;
+    private readonly source;
     private readonly matrixManager;
     private readonly tx;
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager);
+    constructor(source: SecretSource & Rotatable, matrixManager: MatrixManager, tx: TransactionManager);
     /**
      * List all age recipients declared in the manifest.
      *

package/dist/recipients/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipients/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAsFD;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAchG;;;;;;;;;;OAUG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IA0E5B;;;;;;;;;;OAUG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;CAiE7B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/recipients/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,KAAK,EAAW,SAAS,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAsFD;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,MAAM,EAAE,YAAY,GAAG,SAAS,EAChC,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAchG;;;;;;;;;;OAUG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IA2E5B;;;;;;;;;;OAUG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;CAkE7B"}

package/dist/report/generator.d.ts

@@ -1,6 +1,7 @@
-import { ClefReport, EncryptionBackend, SubprocessRunner } from "../types";
+import { ClefReport, SubprocessRunner } from "../types";
 import { MatrixManager } from "../matrix/manager";
 import { SchemaValidator } from "../schema/validator";
+import type { Lintable, SecretSource } from "../source/types";
 /**
  * Orchestrates all data-gathering for a `clef report` invocation.
  * Matrix key counts are read from SOPS YAML directly (no decryption).
@@ -8,10 +9,10 @@ import { SchemaValidator } from "../schema/validator";
  */
 export declare class ReportGenerator {
     private readonly runner;
-    private readonly sopsClient;
+    private readonly source;
     private readonly matrixManager;
     private readonly schemaValidator;
-    constructor(runner: SubprocessRunner, sopsClient: EncryptionBackend, matrixManager: MatrixManager, schemaValidator: SchemaValidator);
+    constructor(runner: SubprocessRunner, source: SecretSource & Lintable, matrixManager: MatrixManager, schemaValidator: SchemaValidator);
     /**
      * Generate a full {@link ClefReport} for the given repository root.
      * Each section gathers data independently — partial failures return empty

package/dist/report/generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,UAAU,EAEV,iBAAiB,EAQjB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAOtD;;;;GAIG;AACH,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAHf,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe;IAGnD;;;;;;;;OAQG;IACG,QAAQ,CACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GACrE,OAAO,CAAC,UAAU,CAAC;YAwCR,iBAAiB;IAwD/B,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,sBAAsB;YAiBhB,gBAAgB;YAuBhB,SAAS;IA8CvB,OAAO,CAAC,YAAY;YAIN,WAAW;IAUzB,OAAO,CAAC,eAAe;IAmCvB,OAAO,CAAC,kBAAkB;CAM3B"}
+{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,UAAU,EASV,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAKtD,OAAO,KAAK,EAAW,QAAQ,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEvE;;;;GAIG;AACH,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAHf,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,YAAY,GAAG,QAAQ,EAC/B,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,eAAe;IAGnD;;;;;;;;OAQG;IACG,QAAQ,CACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GACrE,OAAO,CAAC,UAAU,CAAC;YAwCR,iBAAiB;IAwD/B,OAAO,CAAC,mBAAmB;IAQ3B,OAAO,CAAC,sBAAsB;YAiBhB,gBAAgB;YAuBhB,SAAS;IA+CvB,OAAO,CAAC,YAAY;YAIN,WAAW;IAUzB,OAAO,CAAC,eAAe;IAmCvB,OAAO,CAAC,kBAAkB;CAM3B"}

package/dist/reset/manager.d.ts

@@ -1,4 +1,5 @@
-import { BackendType, ClefManifest, EncryptionBackend } from "../types";
+import { BackendType, ClefManifest } from "../types";
+import type { SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { SchemaValidator } from "../schema/validator";
 import { TransactionManager } from "../tx";
@@ -68,10 +69,27 @@ export interface ResetResult {
  */
 export declare class ResetManager {
     private readonly matrixManager;
-    private readonly encryption;
+    /**
+     * Factory rather than a single instance because reset can swap the
+     * SOPS backend mid-transaction (`opts.backend`).  The encryption
+     * layer of a composed source is bound to a manifest at construction,
+     * so writing cells under the *new* backend requires a fresh source.
+     * Callers pass `(m) => composeSecretSource(storage(m), enc, m)` (or
+     * equivalent) so the manager can recompose after the manifest swap.
+     */
+    private readonly buildSource;
     private readonly schemaValidator;
     private readonly tx;
-    constructor(matrixManager: MatrixManager, encryption: EncryptionBackend, schemaValidator: SchemaValidator, tx: TransactionManager);
+    constructor(matrixManager: MatrixManager, 
+    /**
+     * Factory rather than a single instance because reset can swap the
+     * SOPS backend mid-transaction (`opts.backend`).  The encryption
+     * layer of a composed source is bound to a manifest at construction,
+     * so writing cells under the *new* backend requires a fresh source.
+     * Callers pass `(m) => composeSecretSource(storage(m), enc, m)` (or
+     * equivalent) so the manager can recompose after the manifest swap.
+     */
+    buildSource: (manifest: ClefManifest) => SecretSource, schemaValidator: SchemaValidator, tx: TransactionManager);
     reset(opts: ResetOptions, manifest: ClefManifest, repoRoot: string): Promise<ResetResult>;
     /**
      * Resolve the scope into an explicit list of cells. Assumes the scope has

package/dist/reset/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/reset/manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAc,MAAM,UAAU,CAAC;AACpF,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAItD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAG3C;;;GAGG;AACH,MAAM,MAAM,UAAU,GAClB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7D,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,CAAC;IAClB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAHF,aAAa,EAAE,aAAa,EAC5B,UAAU,EAAE,iBAAiB,EAC7B,eAAe,EAAE,eAAe,EAChC,EAAE,EAAE,kBAAkB;IAGnC,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAwF/F;;;;;;;OAOG;IACH,OAAO,CAAC,YAAY;IAcpB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAQzB;;;;;;;OAOG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAED,kFAAkF;AAClF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CASvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE;IAAE,YAAY,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAAC,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,GAC7E,IAAI,CA2BN"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/reset/manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAc,MAAM,UAAU,CAAC;AACjE,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAItD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAG3C;;;GAGG;AACH,MAAM,MAAM,UAAU,GAClB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7D,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,CAAC;IAClB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B;;;;;;;OAOG;IACH,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAXF,aAAa,EAAE,aAAa;IAC7C;;;;;;;OAOG;IACc,WAAW,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,YAAY,EACrD,eAAe,EAAE,eAAe,EAChC,EAAE,EAAE,kBAAkB;IAGnC,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAwF/F;;;;;;;OAOG;IACH,OAAO,CAAC,YAAY;IAcpB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAQzB;;;;;;;OAOG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAED,kFAAkF;AAClF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CASvD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE;IAAE,YAAY,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAAC,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,GAC7E,IAAI,CA2BN"}

package/dist/service-identity/manager.d.ts

@@ -1,4 +1,5 @@
-import { ClefManifest, EncryptionBackend, KmsConfig, ServiceIdentityDefinition, ServiceIdentityDriftIssue } from "../types";
+import { ClefManifest, KmsConfig, ServiceIdentityDefinition, ServiceIdentityDriftIssue } from "../types";
+import type { Rotatable, SecretSource } from "../source/types";
 import { MatrixManager } from "../matrix/manager";
 import { TransactionManager } from "../tx";
 /** Options for creating a new service identity. */
@@ -26,10 +27,12 @@ export interface CreateServiceIdentityOptions {
  * ```
  */
 export declare class ServiceIdentityManager {
-    private readonly encryption;
+    private readonly source;
     private readonly matrixManager;
     private readonly tx;
-    constructor(encryption: EncryptionBackend, matrixManager: MatrixManager, tx: TransactionManager);
+    constructor(source: SecretSource & Rotatable, matrixManager: MatrixManager, tx: TransactionManager);
+    /** Helper: cell → ref for the source seam. */
+    private ref;
     /**
      * Compute repo-relative paths for a set of cells plus the manifest. Used
      * to seed TransactionManager.run's `paths` argument.

package/dist/service-identity/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/service-identity/manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,SAAS,EAET,yBAAyB,EACzB,yBAAyB,EAG1B,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,mDAAmD;AACnD,MAAM,WAAW,4BAA4B;IAC3C,2EAA2E;IAC3E,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,2EAA2E;IAC3E,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAsB;IAE/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC;;;OAGG;IACH,OAAO,CAAC,OAAO;IAIf;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,4BAA4B,GACrC,OAAO,CAAC;QACT,QAAQ,EAAE,yBAAyB,CAAC;QACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;IAkFF;;OAEG;IACH,IAAI,CAAC,QAAQ,EAAE,YAAY,GAAG,yBAAyB,EAAE;IAIzD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,yBAAyB,GAAG,SAAS;IAIhF;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCnF;;;;OAIG;IACG,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EACxC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IA4DnD;;;OAGG;IACG,kBAAkB,CACtB,QAAQ,EAAE,yBAAyB,EACnC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA4BhB;;;;;;;;OAQG;IACG,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,eAAe,EAAE,MAAM,EAAE,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAkExD;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,IAAI,EAAE,MAAM,EACZ,kBAAkB,EAAE,MAAM,EAAE,EAC5B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAgE1D;;;;;;;;;;;;;;;;;OAiBG;IACG,qBAAqB,CACzB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,SAAS,GACpB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IAuE9C;;;;;;;;OAQG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuFlC;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC;CAuG/F"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/service-identity/manager.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,SAAS,EAET,yBAAyB,EACzB,yBAAyB,EAG1B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAW,SAAS,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAE3C,mDAAmD;AACnD,MAAM,WAAW,4BAA4B;IAC3C,2EAA2E;IAC3E,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,2EAA2E;IAC3E,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAsB;IAE/B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAFF,MAAM,EAAE,YAAY,GAAG,SAAS,EAChC,aAAa,EAAE,aAAa,EAC5B,EAAE,EAAE,kBAAkB;IAGzC,8CAA8C;IAC9C,OAAO,CAAC,GAAG;IAIX;;;OAGG;IACH,OAAO,CAAC,OAAO;IAIf;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,4BAA4B,GACrC,OAAO,CAAC;QACT,QAAQ,EAAE,yBAAyB,CAAC;QACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;IAkFF;;OAEG;IACH,IAAI,CAAC,QAAQ,EAAE,YAAY,GAAG,yBAAyB,EAAE;IAIzD;;OAEG;IACH,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,yBAAyB,GAAG,SAAS;IAIhF;;;OAGG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCnF;;;;OAIG;IACG,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EACxC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC;IA4DnD;;;OAGG;IACG,kBAAkB,CACtB,QAAQ,EAAE,yBAAyB,EACnC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IA4BhB;;;;;;;;OAQG;IACG,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,eAAe,EAAE,MAAM,EAAE,EACzB,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAkExD;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,IAAI,EAAE,MAAM,EACZ,kBAAkB,EAAE,MAAM,EAAE,EAC5B,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAgE1D;;;;;;;;;;;;;;;;;OAiBG;IACG,qBAAqB,CACzB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,SAAS,GACpB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IAuE9C;;;;;;;;OAQG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuFlC;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC;CAuG/F"}

package/dist/sops/client.d.ts

@@ -1,18 +1,39 @@
-import { ClefManifest, DecryptedFile, EncryptionBackend, SopsMetadata, SubprocessRunner } from "../types";
+import { DecryptedFile, MergeDecrypter, SopsMetadata, SubprocessRunner } from "../types";
+import type { EncryptionBackend, EncryptionContext, RotateOptions } from "../source/encryption-backend";
 /**
- * Wraps the `sops` binary for encryption, decryption, re-encryption, and metadata extraction.
- * All decrypt/encrypt operations are piped via stdin/stdout — plaintext never touches disk.
+ * Wraps the `sops` binary for encryption, decryption, rotation, and metadata
+ * extraction. All blob operations are piped via stdin/stdout — plaintext
+ * never touches disk.
+ *
+ * `SopsClient` implements {@link EncryptionBackend} directly — pass it
+ * straight to `composeSecretSource(storage, client, manifest)` without
+ * any adapter. The legacy file-path methods (`encrypt(filePath, ...)`,
+ * `addRecipient`, `removeRecipient`, `reEncrypt`,
+ * `validateEncryption(filePath)`, `getMetadata(filePath)`) were removed
+ * in Phase 7. The only remaining file-path entry point is
+ * {@link decryptFile}, kept for the merge driver which receives temp
+ * file paths from git — the contract for that surface is
+ * {@link MergeDecrypter}.
  *
  * @example
  * ```ts
  * const client = new SopsClient(runner, "/home/user/.age/key.txt");
- * const decrypted = await client.decrypt("secrets/production.enc.yaml");
+ * const source = composeSecretSource(
+ *   new FilesystemStorageBackend(manifest, repoRoot),
+ *   client,
+ *   manifest,
+ * );
+ * const cell = await source.readCell({ namespace: "db", environment: "prod" });
  * ```
  */
-export declare class SopsClient implements EncryptionBackend {
+export declare class SopsClient implements EncryptionBackend, MergeDecrypter {
     private readonly runner;
     private readonly ageKeyFile?;
     private readonly ageKey?;
+    /** {@link EncryptionBackend} identifier. */
+    readonly id = "sops";
+    /** {@link EncryptionBackend} short description (used by `clef doctor`). */
+    readonly description = "SOPS-based encryption via the bundled `sops` binary";
     private readonly sopsCommand;
     private readonly keyserviceArgs;
     /**
@@ -36,77 +57,81 @@ export declare class SopsClient implements EncryptionBackend {
     constructor(runner: SubprocessRunner, ageKeyFile?: string | undefined, ageKey?: string | undefined, sopsPath?: string, keyserviceAddr?: string);
     private buildSopsEnv;
     /**
-     * Decrypt a SOPS-encrypted file and return its values and metadata.
+     * Decrypt a SOPS-encrypted file by path. The only remaining file-path
+     * entry point on this class — kept for the merge driver, which
+     * receives temp filesystem paths from git that don't map onto a
+     * `CellRef`. Production `SecretSource` consumers should call
+     * `source.readCell` instead.
      *
      * @param filePath - Path to the `.enc.yaml` or `.enc.json` file.
      * @returns {@link DecryptedFile} with plaintext values in memory only.
      * @throws {@link SopsKeyNotFoundError} If no matching decryption key is available.
      * @throws {@link SopsDecryptionError} On any other decryption failure.
      */
-    decrypt(filePath: string): Promise<DecryptedFile>;
+    decryptFile(filePath: string): Promise<DecryptedFile>;
     /**
-     * Encrypt a key/value map and write it to an encrypted SOPS file.
+     * Determine whether a decrypt failure is caused by a missing/mismatched key (vs. some other
+     * SOPS error) without relying on stderr message text.
      *
-     * @param filePath - Destination path for the encrypted file.
-     * @param values - Flat key/value map to encrypt.
-     * @param manifest - Manifest used to determine the encryption backend and key configuration.
-     * @param environment - Optional environment name. When provided, per-env backend overrides
-     *   are resolved from the manifest. When omitted, the global `sops.default_backend` is used.
-     * @throws {@link SopsEncryptionError} On encryption or write failure.
+     * For age backends: reads the file's recipient list and checks whether any of the configured
+     * private keys derive to a matching public key. For non-age backends (pgp, kms) we cannot
+     * perform an equivalent check, so those always return "other".
      */
-    encrypt(filePath: string, values: Record<string, string>, manifest: ClefManifest, environment?: string): Promise<void>;
+    private classifyDecryptError;
+    private parseMetadataFromFile;
     /**
-     * Rotate encryption by adding a new age recipient key to an existing SOPS file.
-     *
-     * @param filePath - Path to the encrypted file to re-encrypt.
-     * @param newKey - New age public key to add as a recipient.
-     * @throws {@link SopsEncryptionError} On failure.
+     * Parse SOPS metadata from a string (no IO). Used by both
+     * `parseMetadataFromFile` (after reading from disk) and the blob-shaped
+     * `getMetadataFromBlob` (which receives ciphertext directly from a
+     * BlobStore). The `label` is woven into error messages so callers can
+     * include the file path or cell ref the content came from.
      */
-    reEncrypt(filePath: string, newKey: string): Promise<void>;
+    private parseMetadataFromContent;
+    private detectBackend;
+    private extractRecipients;
+    private buildEncryptArgs;
     /**
-     * Add an age recipient to an existing SOPS file.
-     *
-     * @param filePath - Path to the encrypted file.
-     * @param key - age public key to add as a recipient.
-     * @throws {@link SopsEncryptionError} On failure.
+     * {@link EncryptionBackend.decrypt} — decrypt SOPS-encrypted bytes (e.g.
+     * read from a `StorageBackend`) and return plaintext values + metadata.
+     * Plaintext lives only in memory.
      */
-    addRecipient(filePath: string, key: string): Promise<void>;
+    decrypt(blob: string, ctx: EncryptionContext): Promise<DecryptedFile>;
     /**
-     * Remove an age recipient from an existing SOPS file.
-     *
-     * @param filePath - Path to the encrypted file.
-     * @param key - age public key to remove.
-     * @throws {@link SopsEncryptionError} On failure.
+     * {@link EncryptionBackend.encrypt} — encrypt plaintext values into a
+     * SOPS-formatted ciphertext blob. Returns the bytes as a string;
+     * caller (typically a `StorageBackend`) decides where to put them.
+     * Plaintext is piped via stdin only.
      */
-    removeRecipient(filePath: string, key: string): Promise<void>;
+    encrypt(values: Record<string, string>, ctx: EncryptionContext): Promise<string>;
     /**
-     * Check whether a file contains valid SOPS encryption metadata.
+     * {@link EncryptionBackend.rotate} — add or remove recipients from an
+     * encrypted SOPS blob via stdin/stdout. Drops the in-place `-i` flag
+     * the deleted file-path-shaped methods used, so SOPS writes the
+     * rotated ciphertext to stdout instead of back to a file. Plaintext
+     * stays inside the SOPS subprocess; no plaintext window exists in
+     * this Node process.
      *
-     * @param filePath - Path to the file to check.
-     * @returns `true` if valid SOPS metadata is present; `false` otherwise. Never throws.
+     * Single SOPS invocation can both add and remove recipients
+     * simultaneously (matches the CLI flag set).
      */
-    validateEncryption(filePath: string): Promise<boolean>;
+    rotate(blob: string, opts: RotateOptions, ctx: EncryptionContext): Promise<string>;
     /**
-     * Extract SOPS metadata (backend, recipients, last-modified timestamp) from an encrypted file
-     * without decrypting its values.
-     *
-     * @param filePath - Path to the encrypted file.
-     * @returns {@link SopsMetadata} parsed from the file's `sops:` block.
-     * @throws {@link SopsDecryptionError} If the file cannot be read or parsed.
+     * {@link EncryptionBackend.getMetadata} — extract SOPS metadata from a
+     * ciphertext blob without decrypting. Pure parser, no IO, no
+     * subprocess.
      */
-    getMetadata(filePath: string): Promise<SopsMetadata>;
+    getMetadata(content: string): SopsMetadata;
     /**
-     * Determine whether a decrypt failure is caused by a missing/mismatched key (vs. some other
-     * SOPS error) without relying on stderr message text.
-     *
-     * For age backends: reads the file's recipient list and checks whether any of the configured
-     * private keys derive to a matching public key. For non-age backends (pgp, kms) we cannot
-     * perform an equivalent check, so those always return "other".
+     * {@link EncryptionBackend.validateEncryption} — whether `content` is a
+     * valid SOPS-encrypted blob (parses + has the `sops:` metadata
+     * block). Never throws.
      */
-    private classifyDecryptError;
-    private parseMetadataFromFile;
-    private detectBackend;
-    private extractRecipients;
-    private buildEncryptArgs;
+    validateEncryption(content: string): boolean;
+    /**
+     * Blob-shaped variant of `classifyDecryptError`. Same logic as the
+     * file-path version but reads metadata from the in-memory ciphertext
+     * instead of disk.
+     */
+    private classifyDecryptErrorFromContent;
 }
 //# sourceMappingURL=client.d.ts.map

package/dist/sops/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/sops/client.ts"],"names":[],"mappings":"AAiBA,OAAO,EAEL,YAAY,EACZ,aAAa,EACb,iBAAiB,EAIjB,YAAY,EACZ,gBAAgB,EAGjB,MAAM,UAAU,CAAC;AA0ClB;;;;;;;;;GASG;AACH,qBAAa,UAAW,YAAW,iBAAiB;IAuBhD,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IAxB1B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;;;;;;;;;;;OAiBG;gBAEgB,MAAM,EAAE,gBAAgB,EACxB,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,MAAM,CAAC,EAAE,MAAM,YAAA,EAChC,QAAQ,CAAC,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,MAAM;IAQzB,OAAO,CAAC,YAAY;IAWpB;;;;;;;OAOG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IA6CvD;;;;;;;;;OASG;IACG,OAAO,CACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC9B,QAAQ,EAAE,YAAY,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAuEhB;;;;;;OAMG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhE;;;;;;OAMG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBhE;;;;;;OAMG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBnE;;;;;OAKG;IACG,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5D;;;;;;;OAOG;IACG,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgB1D;;;;;;;OAOG;YACW,oBAAoB;IAsClC,OAAO,CAAC,qBAAqB;IAuC7B,OAAO,CAAC,aAAa;IAoBrB,OAAO,CAAC,iBAAiB;IA6CzB,OAAO,CAAC,gBAAgB;CA+DzB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/sops/client.ts"],"names":[],"mappings":"AAgBA,OAAO,EAGL,aAAa,EACb,cAAc,EAId,YAAY,EACZ,gBAAgB,EAGjB,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACd,MAAM,8BAA8B,CAAC;AAsEtC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,UAAW,YAAW,iBAAiB,EAAE,cAAc;IA4BhE,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IA7B1B,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,UAAU;IACrB,2EAA2E;IAC3E,QAAQ,CAAC,WAAW,yDAAyD;IAE7E,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAoB;IAEnD;;;;;;;;;;;;;;;;;OAiBG;gBAEgB,MAAM,EAAE,gBAAgB,EACxB,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,MAAM,CAAC,EAAE,MAAM,YAAA,EAChC,QAAQ,CAAC,EAAE,MAAM,EACjB,cAAc,CAAC,EAAE,MAAM;IAQzB,OAAO,CAAC,YAAY;IAWpB;;;;;;;;;;;OAWG;IACG,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAiD3D;;;;;;;OAOG;YACW,oBAAoB;IAsClC,OAAO,CAAC,qBAAqB;IAa7B;;;;;;OAMG;IACH,OAAO,CAAC,wBAAwB;IA6BhC,OAAO,CAAC,aAAa;IAoBrB,OAAO,CAAC,iBAAiB;IA6CzB,OAAO,CAAC,gBAAgB;IAoExB;;;;OAIG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,aAAa,CAAC;IAmD3E;;;;;OAKG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IAwCtF;;;;;;;;;;OAUG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IAiDxF;;;;OAIG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY;IAI1C;;;;OAIG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAS5C;;;;OAIG;YACW,+BAA+B;CAmC9C"}