@clef-sh/core 0.1.6-beta.22 → 0.1.7-beta.43

package/dist/index.js

@@ -156,7 +156,7 @@ var require_age_encryption = __commonJS({
       Object.assign(hashC, info);
       return Object.freeze(hashC);
     }
-    function randomBytes3(bytesLength = 32) {
+    function randomBytes4(bytesLength = 32) {
       const cr = typeof globalThis === "object" ? globalThis.crypto : null;
       if (typeof cr?.getRandomValues !== "function")
         throw new Error("crypto.getRandomValues must be defined");
@@ -608,7 +608,7 @@ var require_age_encryption = __commonJS({
       };
     }
     // @__NO_SIDE_EFFECTS__
-    function join15(separator = "") {
+    function join16(separator = "") {
       astr("join", separator);
       return {
         encode: (from) => {
@@ -738,9 +738,9 @@ var require_age_encryption = __commonJS({
       decode(s) {
         return decodeBase64Builtin(s, false);
       }
-    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join15(""));
-    var base64nopad = /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join15(""));
-    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join15(""));
+    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join16(""));
+    var base64nopad = /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join16(""));
+    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join16(""));
     var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
     function bech32Polymod(pre) {
       const b = pre >> 25;
@@ -4339,7 +4339,7 @@ var require_age_encryption = __commonJS({
       Object.assign(hashC, info);
       return Object.freeze(hashC);
     }
-    function randomBytes4(bytesLength = 32) {
+    function randomBytes42(bytesLength = 32) {
       const cr = typeof globalThis === "object" ? globalThis.crypto : null;
       if (typeof cr?.getRandomValues !== "function")
         throw new Error("crypto.getRandomValues must be defined");
@@ -5007,7 +5007,7 @@ var require_age_encryption = __commonJS({
         return values;
       };
     };
-    var randomBytes5 = randomBytes4;
+    var randomBytes5 = randomBytes42;
     function equalBytes2(a, b) {
       if (a.length !== b.length)
         return false;
@@ -5944,12 +5944,12 @@ var require_age_encryption = __commonJS({
       return generateX25519Identity();
     }
     function generateX25519Identity() {
-      const scalar = randomBytes3(32);
+      const scalar = randomBytes4(32);
       const identity = bech32.encodeFromBytes("AGE-SECRET-KEY-", scalar).toUpperCase();
       return Promise.resolve(identity);
     }
     function generateHybridIdentity() {
-      const scalar = randomBytes3(32);
+      const scalar = randomBytes4(32);
       const identity = bech32.encodeFromBytes("AGE-SECRET-KEY-PQ-", scalar).toUpperCase();
       return Promise.resolve(identity);
     }
@@ -6157,7 +6157,7 @@ var require_age_encryption = __commonJS({
         this.recipient = res.bytes;
       }
       async wrapFileKey(fileKey) {
-        const ephemeral = randomBytes3(32);
+        const ephemeral = randomBytes4(32);
         const share = await scalarMultBase(ephemeral);
         const secret = await scalarMult(ephemeral, this.recipient);
         const salt = new Uint8Array(share.length + this.recipient.length);
@@ -6218,7 +6218,7 @@ var require_age_encryption = __commonJS({
         this.logN = logN;
       }
       wrapFileKey(fileKey) {
-        const salt = randomBytes3(16);
+        const salt = randomBytes4(16);
         const label2 = "age-encryption.org/v1/scrypt";
         const labelAndSalt = new Uint8Array(label2.length + 16);
         labelAndSalt.set(new TextEncoder().encode(label2));
@@ -6553,7 +6553,7 @@ var require_age_encryption = __commonJS({
           rp: { name: "", id: options.rpId },
           user: {
             name: options.keyName,
-            id: domBuffer2(randomBytes3(8)),
+            id: domBuffer2(randomBytes4(8)),
             // avoid overwriting existing keys
             displayName: ""
           },
@@ -6623,7 +6623,7 @@ var require_age_encryption = __commonJS({
               transports: this.transports,
               type: "public-key"
             }] : [],
-            challenge: domBuffer2(randomBytes3(16)),
+            challenge: domBuffer2(randomBytes4(16)),
             extensions: { prf: { eval: prfInputs(nonce) } },
             userVerification: "required",
             // prf requires UV
@@ -6642,7 +6642,7 @@ var require_age_encryption = __commonJS({
        * Implements {@link Recipient.wrapFileKey}.
        */
       async wrapFileKey(fileKey) {
-        const nonce = randomBytes3(16);
+        const nonce = randomBytes4(16);
         const results = await this.getCredential(nonce);
         const key = deriveKey(results);
         return [new Stanza([label, base64nopad.encode(nonce)], encryptFileKey(fileKey, key))];
@@ -6765,7 +6765,7 @@ var require_age_encryption = __commonJS({
         }
       }
       async encrypt(file) {
-        const fileKey = randomBytes3(16);
+        const fileKey = randomBytes4(16);
         const stanzas = [];
         let recipients = this.recipients;
         if (this.passphrase !== null) {
@@ -6778,7 +6778,7 @@ var require_age_encryption = __commonJS({
         const hmacKey = hkdf(sha256, fileKey, void 0, labelHeader, 32);
         const mac = hmac(sha256, hmacKey, encodeHeaderNoMAC(stanzas));
         const header = encodeHeader(stanzas, mac);
-        const nonce = randomBytes3(16);
+        const nonce = randomBytes4(16);
         const labelPayload = new TextEncoder().encode("payload");
         const streamKey = hkdf(sha256, fileKey, nonce, labelPayload, 32);
         const encrypter = encryptSTREAM(streamKey);
@@ -6919,6 +6919,8 @@ __export(src_exports, {
   CLEF_REPORT_SCHEMA_VERSION: () => CLEF_REPORT_SCHEMA_VERSION,
   CLEF_SUPPORTED_EXTENSIONS: () => CLEF_SUPPORTED_EXTENSIONS,
   ClefError: () => ClefError,
+  CloudApiError: () => CloudApiError,
+  CloudClient: () => CloudClient,
   ConsumptionClient: () => ConsumptionClient,
   DiffEngine: () => DiffEngine,
   DriftDetector: () => DriftDetector,
@@ -6930,10 +6932,12 @@ __export(src_exports, {
   ManifestValidationError: () => ManifestValidationError,
   MatrixManager: () => MatrixManager,
   PartialRotationError: () => PartialRotationError,
+  REQUESTS_FILENAME: () => REQUESTS_FILENAME,
   REQUIREMENTS: () => REQUIREMENTS,
   RecipientManager: () => RecipientManager,
   ReportGenerator: () => ReportGenerator,
   ReportSanitizer: () => ReportSanitizer,
+  ReportTransformer: () => ReportTransformer,
   ScanRunner: () => ScanRunner,
   SchemaLoadError: () => SchemaLoadError,
   SchemaValidator: () => SchemaValidator,
@@ -6948,17 +6952,21 @@ __export(src_exports, {
   assertSops: () => assertSops,
   checkAll: () => checkAll,
   checkDependency: () => checkDependency,
+  collectCIContext: () => collectCIContext,
   deriveAgePublicKey: () => deriveAgePublicKey,
   detectFormat: () => detectFormat,
+  findRequest: () => findRequest,
   formatAgeKeyFile: () => formatAgeKeyFile,
   generateAgeIdentity: () => generateAgeIdentity,
   generateRandomValue: () => generateRandomValue,
   getPendingKeys: () => getPendingKeys,
   isHighEntropy: () => isHighEntropy,
+  isKmsEnvelope: () => isKmsEnvelope,
   isPending: () => isPending,
   keyPreview: () => keyPreview,
   loadIgnoreRules: () => loadIgnoreRules,
   loadMetadata: () => loadMetadata,
+  loadRequests: () => loadRequests,
   markPending: () => markPending,
   markPendingWithRetry: () => markPendingWithRetry,
   markResolved: () => markResolved,
@@ -6970,15 +6978,19 @@ __export(src_exports, {
   parseJson: () => parseJson,
   parseYaml: () => parseYaml,
   redactValue: () => redactValue,
+  removeAccessRequest: () => removeRequest,
+  requestsFilePath: () => requestsFilePath,
   resetSopsResolution: () => resetSopsResolution,
   resolveBackendConfig: () => resolveBackendConfig,
   resolveIdentitySecrets: () => resolveIdentitySecrets,
   resolveRecipientsForEnvironment: () => resolveRecipientsForEnvironment,
   resolveSopsPath: () => resolveSopsPath,
   saveMetadata: () => saveMetadata,
+  saveRequests: () => saveRequests,
   shannonEntropy: () => shannonEntropy,
   shouldIgnoreFile: () => shouldIgnoreFile,
   shouldIgnoreMatch: () => shouldIgnoreMatch,
+  upsertRequest: () => upsertRequest,
   validateAgePublicKey: () => validateAgePublicKey
 });
 module.exports = __toCommonJS(src_exports);
@@ -6992,6 +7004,7 @@ function resolveBackendConfig(manifest, environment) {
     backend: manifest.sops.default_backend,
     aws_kms_arn: manifest.sops.aws_kms_arn,
     gcp_kms_resource_id: manifest.sops.gcp_kms_resource_id,
+    azure_kv_url: manifest.sops.azure_kv_url,
     pgp_fingerprint: manifest.sops.pgp_fingerprint
   };
 }
@@ -7080,7 +7093,17 @@ Then run clef doctor to verify your setup.`
     this.name = "SopsVersionError";
   }
 };
+function isKmsEnvelope(cfg) {
+  return cfg.kms !== void 0;
+}
 var CLEF_REPORT_SCHEMA_VERSION = 1;
+var CloudApiError = class extends ClefError {
+  constructor(message, statusCode, fix) {
+    super(message, fix);
+    this.statusCode = statusCode;
+    this.name = "CloudApiError";
+  }
+};
 
 // src/manifest/parser.ts
 var fs = __toESM(require("fs"));
@@ -7122,14 +7145,15 @@ function keyPreview(key) {
 
 // src/manifest/parser.ts
 var CLEF_MANIFEST_FILENAME = "clef.yaml";
-var VALID_BACKENDS = ["age", "awskms", "gcpkms", "pgp"];
+var VALID_BACKENDS = ["age", "awskms", "gcpkms", "azurekv", "pgp"];
 var VALID_TOP_LEVEL_KEYS = [
   "version",
   "environments",
   "namespaces",
   "sops",
   "file_pattern",
-  "service_identities"
+  "service_identities",
+  "cloud"
 ];
 var ENV_NAME_PATTERN = /^[a-z][a-z0-9_-]*$/;
 var FILE_PATTERN_REQUIRED_TOKENS = ["{namespace}", "{environment}"];
@@ -7269,6 +7293,12 @@ var ManifestParser = class {
             "environments"
           );
         }
+        if (backend === "azurekv" && typeof sopsOverride.azure_kv_url !== "string") {
+          throw new ManifestValidationError(
+            `Environment '${envObj.name}' uses 'azurekv' backend but is missing 'azure_kv_url'.`,
+            "environments"
+          );
+        }
         if (backend === "pgp" && typeof sopsOverride.pgp_fingerprint !== "string") {
           throw new ManifestValidationError(
             `Environment '${envObj.name}' uses 'pgp' backend but is missing 'pgp_fingerprint'.`,
@@ -7279,6 +7309,7 @@ var ManifestParser = class {
           backend,
           ...typeof sopsOverride.aws_kms_arn === "string" ? { aws_kms_arn: sopsOverride.aws_kms_arn } : {},
           ...typeof sopsOverride.gcp_kms_resource_id === "string" ? { gcp_kms_resource_id: sopsOverride.gcp_kms_resource_id } : {},
+          ...typeof sopsOverride.azure_kv_url === "string" ? { azure_kv_url: sopsOverride.azure_kv_url } : {},
           ...typeof sopsOverride.pgp_fingerprint === "string" ? { pgp_fingerprint: sopsOverride.pgp_fingerprint } : {}
         };
       }
@@ -7405,7 +7436,7 @@ var ManifestParser = class {
     const sopsObj = obj.sops;
     if (!sopsObj.default_backend || typeof sopsObj.default_backend !== "string") {
       throw new ManifestValidationError(
-        "Field 'sops.default_backend' is required and must be one of: age, awskms, gcpkms, pgp.",
+        "Field 'sops.default_backend' is required and must be one of: age, awskms, gcpkms, azurekv, pgp.",
         "sops.default_backend"
       );
     }
@@ -7419,6 +7450,7 @@ var ManifestParser = class {
       default_backend: sopsObj.default_backend,
       ...typeof sopsObj.aws_kms_arn === "string" ? { aws_kms_arn: sopsObj.aws_kms_arn } : {},
       ...typeof sopsObj.gcp_kms_resource_id === "string" ? { gcp_kms_resource_id: sopsObj.gcp_kms_resource_id } : {},
+      ...typeof sopsObj.azure_kv_url === "string" ? { azure_kv_url: sopsObj.azure_kv_url } : {},
       ...typeof sopsObj.pgp_fingerprint === "string" ? { pgp_fingerprint: sopsObj.pgp_fingerprint } : {}
     };
     for (const env of environments) {
@@ -7520,25 +7552,69 @@ var ManifestParser = class {
           }
           if (typeof envVal !== "object" || envVal === null) {
             throw new ManifestValidationError(
-              `Service identity '${siName}' environment '${envName}' must be an object with 'recipient'.`,
+              `Service identity '${siName}' environment '${envName}' must be an object with 'recipient' or 'kms'.`,
               "service_identities"
             );
           }
           const envObj = envVal;
-          if (!envObj.recipient || typeof envObj.recipient !== "string") {
+          const hasRecipient = envObj.recipient !== void 0;
+          const hasKms = envObj.kms !== void 0;
+          if (hasRecipient && hasKms) {
             throw new ManifestValidationError(
-              `Service identity '${siName}' environment '${envName}' is missing a 'recipient' string.`,
+              `Service identity '${siName}' environment '${envName}': 'recipient' and 'kms' are mutually exclusive.`,
               "service_identities"
             );
           }
-          const recipientValidation = validateAgePublicKey(envObj.recipient);
-          if (!recipientValidation.valid) {
+          if (!hasRecipient && !hasKms) {
             throw new ManifestValidationError(
-              `Service identity '${siName}' environment '${envName}': ${recipientValidation.error}`,
+              `Service identity '${siName}' environment '${envName}' must have either 'recipient' or 'kms'.`,
               "service_identities"
             );
           }
-          parsedEnvs[envName] = { recipient: recipientValidation.key };
+          if (hasRecipient) {
+            if (typeof envObj.recipient !== "string") {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': 'recipient' must be a string.`,
+                "service_identities"
+              );
+            }
+            const recipientValidation = validateAgePublicKey(envObj.recipient);
+            if (!recipientValidation.valid) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': ${recipientValidation.error}`,
+                "service_identities"
+              );
+            }
+            parsedEnvs[envName] = { recipient: recipientValidation.key };
+          } else {
+            const kmsObj = envObj.kms;
+            if (typeof kmsObj !== "object" || kmsObj === null) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': 'kms' must be an object.`,
+                "service_identities"
+              );
+            }
+            const validProviders = ["aws", "gcp", "azure"];
+            if (!kmsObj.provider || !validProviders.includes(kmsObj.provider)) {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': kms.provider must be one of: ${validProviders.join(", ")}.`,
+                "service_identities"
+              );
+            }
+            if (!kmsObj.keyId || typeof kmsObj.keyId !== "string") {
+              throw new ManifestValidationError(
+                `Service identity '${siName}' environment '${envName}': kms.keyId must be a non-empty string.`,
+                "service_identities"
+              );
+            }
+            parsedEnvs[envName] = {
+              kms: {
+                provider: kmsObj.provider,
+                keyId: kmsObj.keyId,
+                region: typeof kmsObj.region === "string" ? kmsObj.region : void 0
+              }
+            };
+          }
         }
         return {
           name: siName,
@@ -7558,13 +7634,28 @@ var ManifestParser = class {
         siNames.add(si.name);
       }
     }
+    let cloud;
+    if (obj.cloud !== void 0) {
+      if (typeof obj.cloud !== "object" || obj.cloud === null || Array.isArray(obj.cloud)) {
+        throw new ManifestValidationError("Field 'cloud' must be an object.", "cloud");
+      }
+      const cloudObj = obj.cloud;
+      if (typeof cloudObj.integrationId !== "string" || cloudObj.integrationId.length === 0) {
+        throw new ManifestValidationError(
+          "Field 'cloud.integrationId' is required and must be a non-empty string.",
+          "cloud"
+        );
+      }
+      cloud = { integrationId: cloudObj.integrationId };
+    }
     return {
       version: 1,
       environments,
       namespaces,
       sops: sopsConfig,
       file_pattern: obj.file_pattern,
-      ...serviceIdentities ? { service_identities: serviceIdentities } : {}
+      ...serviceIdentities ? { service_identities: serviceIdentities } : {},
+      ...cloud ? { cloud } : {}
     };
   }
   /**
@@ -9227,6 +9318,8 @@ var SopsClient = class {
     if (sops.kms && Array.isArray(sops.kms) && sops.kms.length > 0) return "awskms";
     if (sops.gcp_kms && Array.isArray(sops.gcp_kms) && sops.gcp_kms.length > 0)
       return "gcpkms";
+    if (sops.azure_kv && Array.isArray(sops.azure_kv) && sops.azure_kv.length > 0)
+      return "azurekv";
     if (sops.pgp && Array.isArray(sops.pgp) && sops.pgp.length > 0) return "pgp";
     return "age";
   }
@@ -9244,6 +9337,14 @@ var SopsClient = class {
         const entries = sops.gcp_kms;
         return entries?.map((e) => String(e.resource_id ?? "")) ?? [];
       }
+      case "azurekv": {
+        const entries = sops.azure_kv;
+        return entries?.map((e) => {
+          const vaultUrl = String(e.vaultUrl ?? e.vault_url ?? "");
+          const name = String(e.name ?? e.key ?? "");
+          return vaultUrl && name ? `${vaultUrl}/keys/${name}` : vaultUrl || name;
+        }) ?? [];
+      }
       case "pgp": {
         const entries = sops.pgp;
         return entries?.map((e) => String(e.fp ?? "")) ?? [];
@@ -9256,6 +9357,7 @@ var SopsClient = class {
       backend: manifest.sops.default_backend,
       aws_kms_arn: manifest.sops.aws_kms_arn,
       gcp_kms_resource_id: manifest.sops.gcp_kms_resource_id,
+      azure_kv_url: manifest.sops.azure_kv_url,
       pgp_fingerprint: manifest.sops.pgp_fingerprint
     };
     switch (config.backend) {
@@ -9271,6 +9373,11 @@ var SopsClient = class {
           args.push("--gcp-kms", config.gcp_kms_resource_id);
         }
         break;
+      case "azurekv":
+        if (config.azure_kv_url) {
+          args.push("--azure-kv", config.azure_kv_url);
+        }
+        break;
       case "pgp":
         if (config.pgp_fingerprint) {
           args.push("--pgp", config.pgp_fingerprint);
@@ -9488,7 +9595,7 @@ var LintRunner = class {
   /**
    * Lint service identity configurations for drift issues.
    */
-  async lintServiceIdentities(identities, manifest, _repoRoot, existingCells) {
+  async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
     const issues = [];
     const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
     const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
@@ -9516,6 +9623,7 @@ var LintRunner = class {
       for (const cell of existingCells) {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;
+        if (!envConfig.recipient) continue;
         if (si.namespaces.includes(cell.namespace)) {
           try {
             const metadata = await this.sopsClient.getMetadata(cell.filePath);
@@ -10106,10 +10214,91 @@ var RecipientManager = class {
   }
 };
 
-// src/drift/detector.ts
+// src/recipients/requests.ts
 var fs12 = __toESM(require("fs"));
 var path14 = __toESM(require("path"));
 var YAML7 = __toESM(require("yaml"));
+var REQUESTS_FILENAME = ".clef-requests.yaml";
+var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
+function requestsFilePath(repoRoot) {
+  return path14.join(repoRoot, REQUESTS_FILENAME);
+}
+function loadRequests(repoRoot) {
+  const filePath = requestsFilePath(repoRoot);
+  try {
+    if (!fs12.existsSync(filePath)) return [];
+    const content = fs12.readFileSync(filePath, "utf-8");
+    const parsed = YAML7.parse(content);
+    if (!parsed || !Array.isArray(parsed.requests)) return [];
+    return parsed.requests.map((r) => ({
+      key: r.key,
+      label: r.label,
+      requestedAt: new Date(r.requested_at),
+      environment: r.environment
+    }));
+  } catch {
+    return [];
+  }
+}
+function saveRequests(repoRoot, requests) {
+  const filePath = requestsFilePath(repoRoot);
+  if (requests.length === 0) {
+    try {
+      fs12.unlinkSync(filePath);
+    } catch {
+    }
+    return;
+  }
+  const data = {
+    requests: requests.map((r) => {
+      const raw = {
+        key: r.key,
+        label: r.label,
+        requested_at: r.requestedAt.toISOString()
+      };
+      if (r.environment) raw.environment = r.environment;
+      return raw;
+    })
+  };
+  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML7.stringify(data), "utf-8");
+}
+function upsertRequest(repoRoot, key, label, environment) {
+  const requests = loadRequests(repoRoot);
+  const now = /* @__PURE__ */ new Date();
+  const request = { key, label, requestedAt: now, environment };
+  const existingIndex = requests.findIndex((r) => r.key === key);
+  if (existingIndex >= 0) {
+    requests[existingIndex] = request;
+  } else {
+    requests.push(request);
+  }
+  saveRequests(repoRoot, requests);
+  return request;
+}
+function removeRequest(repoRoot, identifier) {
+  const requests = loadRequests(repoRoot);
+  const match = findInList(requests, identifier);
+  if (!match) return null;
+  const filtered = requests.filter((r) => r.key !== match.key);
+  saveRequests(repoRoot, filtered);
+  return match;
+}
+function findRequest(repoRoot, identifier) {
+  const requests = loadRequests(repoRoot);
+  return findInList(requests, identifier);
+}
+function findInList(requests, identifier) {
+  const lower = identifier.toLowerCase();
+  const byLabel = requests.find((r) => r.label.toLowerCase() === lower);
+  if (byLabel) return byLabel;
+  const byKey = requests.find((r) => r.key === identifier);
+  return byKey ?? null;
+}
+
+// src/drift/detector.ts
+var fs13 = __toESM(require("fs"));
+var path15 = __toESM(require("path"));
+var YAML8 = __toESM(require("yaml"));
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -10122,8 +10311,8 @@ var DriftDetector = class {
    * @returns Drift result with any issues found.
    */
   detect(localRoot, remoteRoot, namespaceFilter) {
-    const localManifest = this.parser.parse(path14.join(localRoot, CLEF_MANIFEST_FILENAME));
-    const remoteManifest = this.parser.parse(path14.join(remoteRoot, CLEF_MANIFEST_FILENAME));
+    const localManifest = this.parser.parse(path15.join(localRoot, CLEF_MANIFEST_FILENAME));
+    const remoteManifest = this.parser.parse(path15.join(remoteRoot, CLEF_MANIFEST_FILENAME));
     const localCells = this.matrix.resolveMatrix(localManifest, localRoot);
     const remoteCells = this.matrix.resolveMatrix(remoteManifest, remoteRoot);
     const localEnvNames = localManifest.environments.map((e) => e.name);
@@ -10194,9 +10383,9 @@ var DriftDetector = class {
    */
   readKeysFromFile(filePath) {
     try {
-      if (!fs12.existsSync(filePath)) return null;
-      const raw = fs12.readFileSync(filePath, "utf-8");
-      const parsed = YAML7.parse(raw);
+      if (!fs13.existsSync(filePath)) return null;
+      const raw = fs13.readFileSync(filePath, "utf-8");
+      const parsed = YAML8.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
       return Object.keys(parsed).filter((k) => k !== "sops");
     } catch {
@@ -10206,9 +10395,9 @@ var DriftDetector = class {
 };
 
 // src/report/generator.ts
-var fs13 = __toESM(require("fs"));
-var path15 = __toESM(require("path"));
-var YAML8 = __toESM(require("yaml"));
+var fs14 = __toESM(require("fs"));
+var path16 = __toESM(require("path"));
+var YAML9 = __toESM(require("yaml"));
 
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -10364,7 +10553,7 @@ var ReportGenerator = class {
     let manifest = null;
     try {
       const parser = new ManifestParser();
-      manifest = parser.parse(path15.join(repoRoot, "clef.yaml"));
+      manifest = parser.parse(path16.join(repoRoot, "clef.yaml"));
     } catch {
       const emptyManifest = {
         manifestVersion: 0,
@@ -10514,9 +10703,9 @@ var ReportGenerator = class {
   }
   readKeyCount(filePath) {
     try {
-      if (!fs13.existsSync(filePath)) return 0;
-      const raw = fs13.readFileSync(filePath, "utf-8");
-      const parsed = YAML8.parse(raw);
+      if (!fs14.existsSync(filePath)) return 0;
+      const raw = fs14.readFileSync(filePath, "utf-8");
+      const parsed = YAML9.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
       return Object.keys(parsed).filter((k) => k !== "sops").length;
     } catch {
@@ -10569,6 +10758,202 @@ var ReportGenerator = class {
   }
 };
 
+// src/report/transformer.ts
+var ReportTransformer = class {
+  transform(report) {
+    const summary = this.buildSummary(report);
+    const drift = this.buildDrift(report);
+    const policyResults = this.buildPolicyResults(report.policy.issues);
+    return {
+      commitSha: report.repoIdentity.commitSha,
+      branch: report.repoIdentity.branch,
+      commitTimestamp: new Date(report.repoIdentity.commitTimestamp).getTime(),
+      cliVersion: report.repoIdentity.clefVersion,
+      summary,
+      drift,
+      policyResults
+    };
+  }
+  buildSummary(report) {
+    const namespaces = [...new Set(report.matrix.map((c) => c.namespace))];
+    const environments = [...new Set(report.matrix.map((c) => c.environment))];
+    const cells = report.matrix.map((cell) => this.buildCell(cell, report.policy.issues));
+    const violations = report.policy.issues.filter((i) => i.severity === "error").length;
+    return {
+      filesScanned: report.matrix.length,
+      namespaces,
+      environments,
+      cells,
+      violations,
+      passed: violations === 0
+    };
+  }
+  buildCell(cell, issues) {
+    const healthStatus = this.computeHealthStatus(cell, issues);
+    const description = this.describeCell(cell, healthStatus);
+    return {
+      namespace: cell.namespace,
+      environment: cell.environment,
+      healthStatus,
+      description
+    };
+  }
+  computeHealthStatus(cell, issues) {
+    if (!cell.exists) return "unknown";
+    const cellIssues = issues.filter(
+      (i) => i.namespace === cell.namespace && i.environment === cell.environment || i.file !== void 0 && i.file.includes(cell.namespace) && i.file.includes(cell.environment)
+    );
+    if (cellIssues.some((i) => i.severity === "error")) return "critical";
+    if (cellIssues.some((i) => i.severity === "warning") || cell.pendingCount > 0) return "warning";
+    return "healthy";
+  }
+  describeCell(cell, status) {
+    switch (status) {
+      case "unknown":
+        return "File does not exist";
+      case "critical":
+        return "Has error-severity policy issues";
+      case "warning":
+        return cell.pendingCount > 0 ? `${cell.pendingCount} pending key(s) awaiting values` : "Has warning-severity policy issues";
+      case "healthy":
+        return `${cell.keyCount} key(s), no issues`;
+    }
+  }
+  buildDrift(report) {
+    const namespaces = [...new Set(report.matrix.map((c) => c.namespace))];
+    const driftIssues = report.policy.issues.filter((i) => i.category === "drift");
+    return namespaces.map((namespace) => {
+      const nsIssues = driftIssues.filter((i) => i.namespace === namespace);
+      const totalDrift = nsIssues.reduce((sum, i) => sum + (i.driftCount ?? 1), 0);
+      return {
+        namespace,
+        isDrifted: totalDrift > 0,
+        driftCount: totalDrift
+      };
+    });
+  }
+  buildPolicyResults(issues) {
+    return issues.map((issue) => ({
+      ruleId: `${issue.category}/${issue.severity}`,
+      ruleName: issue.category,
+      passed: issue.severity !== "error",
+      severity: issue.severity,
+      message: issue.message,
+      ...issue.namespace || issue.environment ? {
+        scope: {
+          ...issue.namespace ? { namespace: issue.namespace } : {},
+          ...issue.environment ? { environment: issue.environment } : {}
+        }
+      } : {}
+    }));
+  }
+};
+
+// src/report/cloud-client.ts
+var DEFAULT_RETRY_DELAY_MS = 1e3;
+var CloudClient = class {
+  retryDelayMs;
+  constructor(options) {
+    this.retryDelayMs = options?.retryDelayMs ?? DEFAULT_RETRY_DELAY_MS;
+  }
+  async fetchIntegration(apiUrl, apiKey, integrationId) {
+    const url = `${apiUrl}/api/v1/integrations/${encodeURIComponent(integrationId)}`;
+    return this.request("GET", url, apiKey);
+  }
+  async submitReport(apiUrl, apiKey, report) {
+    const url = `${apiUrl}/api/v1/reports`;
+    return this.request("POST", url, apiKey, report);
+  }
+  async submitBatchReports(apiUrl, apiKey, batch) {
+    const url = `${apiUrl}/api/v1/reports/batch`;
+    return this.request("POST", url, apiKey, batch);
+  }
+  async request(method, url, apiKey, body) {
+    const headers = {
+      Authorization: `Bearer ${apiKey}`,
+      "Content-Type": "application/json"
+    };
+    const init = {
+      method,
+      headers,
+      ...body !== void 0 ? { body: JSON.stringify(body) } : {}
+    };
+    let response;
+    try {
+      response = await fetch(url, init);
+    } catch {
+      await this.delay(this.retryDelayMs);
+      try {
+        response = await fetch(url, init);
+      } catch (retryErr) {
+        throw new CloudApiError(
+          `Network error contacting Clef Pro: ${retryErr.message}`,
+          0,
+          "Check your network connection and CLEF_API_URL."
+        );
+      }
+    }
+    if (response.ok) {
+      return await response.json();
+    }
+    if (response.status >= 500 && response.status < 600) {
+      await this.delay(this.retryDelayMs);
+      const retryResponse = await fetch(url, init);
+      if (retryResponse.ok) {
+        return await retryResponse.json();
+      }
+      throw this.buildError(retryResponse);
+    }
+    throw this.buildError(response);
+  }
+  buildError(response) {
+    const hint = response.status === 401 || response.status === 403 ? "Check your API token (--api-token or CLEF_API_TOKEN)." : response.status === 404 ? "Check your cloud.integrationId in clef.yaml." : void 0;
+    return new CloudApiError(
+      `Clef Pro API returned ${response.status} ${response.statusText}`,
+      response.status,
+      hint
+    );
+  }
+  delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+
+// src/report/ci-context.ts
+function collectCIContext() {
+  const env = process.env;
+  if (env.GITHUB_ACTIONS) {
+    const serverUrl = env.GITHUB_SERVER_URL ?? "https://github.com";
+    const repo = env.GITHUB_REPOSITORY ?? "";
+    const runId = env.GITHUB_RUN_ID ?? "";
+    const pipelineUrl = repo && runId ? `${serverUrl}/${repo}/actions/runs/${runId}` : void 0;
+    return {
+      provider: "github-actions",
+      pipelineUrl,
+      trigger: env.GITHUB_EVENT_NAME
+    };
+  }
+  if (env.GITLAB_CI) {
+    return {
+      provider: "gitlab-ci",
+      pipelineUrl: env.CI_PIPELINE_URL,
+      trigger: env.CI_PIPELINE_SOURCE
+    };
+  }
+  if (env.CIRCLECI) {
+    return {
+      provider: "circleci",
+      pipelineUrl: env.CIRCLE_BUILD_URL
+    };
+  }
+  if (env.CI) {
+    return {
+      provider: "unknown"
+    };
+  }
+  return void 0;
+}
+
 // src/merge/driver.ts
 var SopsMergeDriver = class {
   constructor(sopsClient) {
@@ -10654,10 +11039,10 @@ var SopsMergeDriver = class {
 };
 
 // src/service-identity/manager.ts
-var fs14 = __toESM(require("fs"));
+var fs15 = __toESM(require("fs"));
 var os = __toESM(require("os"));
-var path16 = __toESM(require("path"));
-var YAML9 = __toESM(require("yaml"));
+var path17 = __toESM(require("path"));
+var YAML10 = __toESM(require("yaml"));
 var PartialRotationError = class extends Error {
   constructor(message, rotatedKeys) {
     super(message);
@@ -10671,12 +11056,15 @@ var ServiceIdentityManager = class {
     this.matrixManager = matrixManager;
   }
   /**
-   * Create a new service identity with per-environment age key pairs.
-   * Generates keys, updates the manifest, and registers public keys as SOPS recipients.
+   * Create a new service identity with per-environment age key pairs or KMS envelope config.
+   * For age-only: generates keys, updates the manifest, and registers public keys as SOPS recipients.
+   * For KMS: stores KMS config in manifest, no age keys generated.
    *
-   * @returns The created identity definition and the per-environment private keys (printed once).
+   * @param kmsEnvConfigs - Optional per-environment KMS config. When provided, those envs use
+   *   KMS envelope encryption instead of generating age keys.
+   * @returns The created identity definition and the per-environment private keys (empty for KMS envs).
    */
-  async create(name, namespaces, description, manifest, repoRoot) {
+  async create(name, namespaces, description, manifest, repoRoot, kmsEnvConfigs) {
     if (manifest.service_identities?.some((si) => si.name === name)) {
       throw new Error(`Service identity '${name}' already exists.`);
     }
@@ -10689,9 +11077,14 @@ var ServiceIdentityManager = class {
     const environments = {};
     const privateKeys = {};
     for (const env of manifest.environments) {
-      const identity = await generateAgeIdentity();
-      environments[env.name] = { recipient: identity.publicKey };
-      privateKeys[env.name] = identity.privateKey;
+      const kmsConfig = kmsEnvConfigs?.[env.name];
+      if (kmsConfig) {
+        environments[env.name] = { kms: kmsConfig };
+      } else {
+        const identity = await generateAgeIdentity();
+        environments[env.name] = { recipient: identity.publicKey };
+        privateKeys[env.name] = identity.privateKey;
+      }
     }
     const definition = {
       name,
@@ -10700,9 +11093,9 @@ var ServiceIdentityManager = class {
       environments
     };
     await this.registerRecipients(definition, manifest, repoRoot);
-    const manifestPath = path16.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs14.readFileSync(manifestPath, "utf-8");
-    const doc = YAML9.parse(raw);
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
     if (!Array.isArray(doc.service_identities)) {
       doc.service_identities = [];
     }
@@ -10712,9 +11105,16 @@ var ServiceIdentityManager = class {
       namespaces,
       environments
     });
-    const tmpCreate = path16.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
-    fs14.writeFileSync(tmpCreate, YAML9.stringify(doc), "utf-8");
-    fs14.renameSync(tmpCreate, manifestPath);
+    const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmpCreate, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmpCreate);
+      } catch {
+      }
+    }
     return { identity: definition, privateKeys };
   }
   /**
@@ -10729,6 +11129,55 @@ var ServiceIdentityManager = class {
   get(manifest, name) {
     return manifest.service_identities?.find((si) => si.name === name);
   }
+  /**
+   * Update environment backends on an existing service identity.
+   * Switches age → KMS (removes old recipient) or updates KMS config.
+   * Returns new private keys for any environments switched from KMS → age.
+   */
+  async updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot) {
+    const identity = this.get(manifest, name);
+    if (!identity) {
+      throw new Error(`Service identity '${name}' not found.`);
+    }
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
+    const identities = doc.service_identities;
+    const siDoc = identities.find((si) => si.name === name);
+    const envs = siDoc.environments;
+    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    const privateKeys = {};
+    for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+      const oldConfig = identity.environments[envName];
+      if (!oldConfig) {
+        throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
+      }
+      if (oldConfig.recipient) {
+        const scopedCells = cells.filter(
+          (c) => identity.namespaces.includes(c.namespace) && c.environment === envName
+        );
+        for (const cell of scopedCells) {
+          try {
+            await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
+          } catch {
+          }
+        }
+      }
+      envs[envName] = { kms: kmsConfig };
+      identity.environments[envName] = { kms: kmsConfig };
+    }
+    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmp);
+      } catch {
+      }
+    }
+    return { privateKeys };
+  }
   /**
    * Register a service identity's public keys as SOPS recipients on scoped matrix files.
    */
@@ -10738,9 +11187,15 @@ var ServiceIdentityManager = class {
       if (!identity.namespaces.includes(cell.namespace)) continue;
       const envConfig = identity.environments[cell.environment];
       if (!envConfig) continue;
+      if (isKmsEnvelope(envConfig)) continue;
+      if (!envConfig.recipient) continue;
       try {
         await this.encryption.addRecipient(cell.filePath, envConfig.recipient);
-      } catch {
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        if (!message.includes("already")) {
+          throw err;
+        }
       }
     }
   }
@@ -10753,9 +11208,9 @@ var ServiceIdentityManager = class {
     if (!identity) {
       throw new Error(`Service identity '${name}' not found.`);
     }
-    const manifestPath = path16.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs14.readFileSync(manifestPath, "utf-8");
-    const doc = YAML9.parse(raw);
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -10764,7 +11219,12 @@ var ServiceIdentityManager = class {
     const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
     try {
       for (const envName of envsToRotate) {
-        const oldRecipient = identity.environments[envName]?.recipient;
+        const envConfig = identity.environments[envName];
+        if (!envConfig) {
+          throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
+        }
+        if (isKmsEnvelope(envConfig)) continue;
+        const oldRecipient = envConfig.recipient;
         if (!oldRecipient) {
           throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
         }
@@ -10803,9 +11263,16 @@ var ServiceIdentityManager = class {
       }
       throw err;
     }
-    const tmpRotate = path16.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
-    fs14.writeFileSync(tmpRotate, YAML9.stringify(doc), "utf-8");
-    fs14.renameSync(tmpRotate, manifestPath);
+    const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmpRotate, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmpRotate);
+      } catch {
+      }
+    }
     return newPrivateKeys;
   }
   /**
@@ -10842,6 +11309,8 @@ var ServiceIdentityManager = class {
       for (const cell of cells) {
         const envConfig = si.environments[cell.environment];
         if (!envConfig) continue;
+        if (isKmsEnvelope(envConfig)) continue;
+        if (!envConfig.recipient) continue;
         if (si.namespaces.includes(cell.namespace)) {
           try {
             const metadata = await this.encryption.getMetadata(cell.filePath);
@@ -10915,18 +11384,20 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
   return {
     values: allValues,
     identity,
-    recipient: envConfig.recipient
+    recipient: envConfig.recipient,
+    envConfig
   };
 }
 
 // src/artifact/packer.ts
-var fs15 = __toESM(require("fs"));
-var path17 = __toESM(require("path"));
+var fs16 = __toESM(require("fs"));
+var path18 = __toESM(require("path"));
 var crypto3 = __toESM(require("crypto"));
 var ArtifactPacker = class {
-  constructor(encryption, matrixManager) {
+  constructor(encryption, matrixManager, kms) {
     this.encryption = encryption;
     this.matrixManager = matrixManager;
+    this.kms = kms;
   }
   /**
    * Pack an artifact: decrypt scoped SOPS files, age-encrypt the merged
@@ -10943,38 +11414,82 @@ var ArtifactPacker = class {
     );
     const plaintext = JSON.stringify(resolved.values);
     let ciphertext;
-    try {
-      const { Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
-      const e = new Encrypter();
-      e.addRecipient(resolved.recipient);
-      ciphertext = await e.encrypt(plaintext);
-    } catch {
-      throw new Error("Failed to age-encrypt artifact. Check recipient key.");
+    let artifact;
+    if (isKmsEnvelope(resolved.envConfig)) {
+      if (!this.kms) {
+        throw new Error("KMS provider required for envelope encryption but none was provided.");
+      }
+      const { generateIdentity, identityToRecipient, Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
+      const ephemeralPrivateKey = await generateIdentity();
+      const ephemeralPublicKey = await identityToRecipient(ephemeralPrivateKey);
+      try {
+        const e = new Encrypter();
+        e.addRecipient(ephemeralPublicKey);
+        const encrypted = await e.encrypt(plaintext);
+        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
+      } catch {
+        throw new Error("Failed to age-encrypt artifact with ephemeral key.");
+      }
+      const kmsConfig = resolved.envConfig.kms;
+      const wrapped = await this.kms.wrap(kmsConfig.keyId, Buffer.from(ephemeralPrivateKey));
+      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+      artifact = {
+        version: 1,
+        identity: config.identity,
+        environment: config.environment,
+        packedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        revision,
+        ciphertextHash,
+        ciphertext,
+        keys: Object.keys(resolved.values),
+        envelope: {
+          provider: kmsConfig.provider,
+          keyId: kmsConfig.keyId,
+          wrappedKey: wrapped.wrappedKey.toString("base64"),
+          algorithm: wrapped.algorithm
+        }
+      };
+    } else {
+      try {
+        const { Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
+        const e = new Encrypter();
+        e.addRecipient(resolved.recipient);
+        const encrypted = await e.encrypt(plaintext);
+        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
+      } catch {
+        throw new Error("Failed to age-encrypt artifact. Check recipient key.");
+      }
+      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+      artifact = {
+        version: 1,
+        identity: config.identity,
+        environment: config.environment,
+        packedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        revision,
+        ciphertextHash,
+        ciphertext,
+        keys: Object.keys(resolved.values)
+      };
     }
-    const revision = Date.now().toString();
-    const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
-    const artifact = {
-      version: 1,
-      identity: config.identity,
-      environment: config.environment,
-      packedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      revision,
-      ciphertextHash,
-      ciphertext,
-      keys: Object.keys(resolved.values)
-    };
-    const outputDir = path17.dirname(config.outputPath);
-    if (!fs15.existsSync(outputDir)) {
-      fs15.mkdirSync(outputDir, { recursive: true });
+    const outputDir = path18.dirname(config.outputPath);
+    if (!fs16.existsSync(outputDir)) {
+      fs16.mkdirSync(outputDir, { recursive: true });
+    }
+    if (config.ttl && config.ttl > 0) {
+      artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
     }
     const json = JSON.stringify(artifact, null, 2);
-    fs15.writeFileSync(config.outputPath, json, "utf-8");
+    const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
+    fs16.writeFileSync(tmpOutput, json, "utf-8");
+    fs16.renameSync(tmpOutput, config.outputPath);
     return {
       outputPath: config.outputPath,
       namespaceCount: resolved.identity.namespaces.length,
       keyCount: Object.keys(resolved.values).length,
       artifactSize: Buffer.byteLength(json, "utf-8"),
-      revision
+      revision: artifact.revision
     };
   }
 };
@@ -10986,6 +11501,8 @@ var ArtifactPacker = class {
   CLEF_REPORT_SCHEMA_VERSION,
   CLEF_SUPPORTED_EXTENSIONS,
   ClefError,
+  CloudApiError,
+  CloudClient,
   ConsumptionClient,
   DiffEngine,
   DriftDetector,
@@ -10997,10 +11514,12 @@ var ArtifactPacker = class {
   ManifestValidationError,
   MatrixManager,
   PartialRotationError,
+  REQUESTS_FILENAME,
   REQUIREMENTS,
   RecipientManager,
   ReportGenerator,
   ReportSanitizer,
+  ReportTransformer,
   ScanRunner,
   SchemaLoadError,
   SchemaValidator,
@@ -11015,17 +11534,21 @@ var ArtifactPacker = class {
   assertSops,
   checkAll,
   checkDependency,
+  collectCIContext,
   deriveAgePublicKey,
   detectFormat,
+  findRequest,
   formatAgeKeyFile,
   generateAgeIdentity,
   generateRandomValue,
   getPendingKeys,
   isHighEntropy,
+  isKmsEnvelope,
   isPending,
   keyPreview,
   loadIgnoreRules,
   loadMetadata,
+  loadRequests,
   markPending,
   markPendingWithRetry,
   markResolved,
@@ -11037,15 +11560,19 @@ var ArtifactPacker = class {
   parseJson,
   parseYaml,
   redactValue,
+  removeAccessRequest,
+  requestsFilePath,
   resetSopsResolution,
   resolveBackendConfig,
   resolveIdentitySecrets,
   resolveRecipientsForEnvironment,
   resolveSopsPath,
   saveMetadata,
+  saveRequests,
   shannonEntropy,
   shouldIgnoreFile,
   shouldIgnoreMatch,
+  upsertRequest,
   validateAgePublicKey
 });
 /*! Bundled license information: