@clef-sh/core 0.1.6-beta.32 → 0.1.7-beta.43
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAqH9F"}
|
package/dist/index.js
CHANGED
|
@@ -9595,7 +9595,7 @@ var LintRunner = class {
|
|
|
9595
9595
|
/**
|
|
9596
9596
|
* Lint service identity configurations for drift issues.
|
|
9597
9597
|
*/
|
|
9598
|
-
async lintServiceIdentities(identities, manifest,
|
|
9598
|
+
async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
|
|
9599
9599
|
const issues = [];
|
|
9600
9600
|
const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
|
|
9601
9601
|
const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
|
|
@@ -11129,6 +11129,55 @@ var ServiceIdentityManager = class {
|
|
|
11129
11129
|
get(manifest, name) {
|
|
11130
11130
|
return manifest.service_identities?.find((si) => si.name === name);
|
|
11131
11131
|
}
|
|
11132
|
+
/**
|
|
11133
|
+
* Update environment backends on an existing service identity.
|
|
11134
|
+
* Switches age → KMS (removes old recipient) or updates KMS config.
|
|
11135
|
+
* Returns new private keys for any environments switched from KMS → age.
|
|
11136
|
+
*/
|
|
11137
|
+
async updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot) {
|
|
11138
|
+
const identity = this.get(manifest, name);
|
|
11139
|
+
if (!identity) {
|
|
11140
|
+
throw new Error(`Service identity '${name}' not found.`);
|
|
11141
|
+
}
|
|
11142
|
+
const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
|
|
11143
|
+
const raw = fs15.readFileSync(manifestPath, "utf-8");
|
|
11144
|
+
const doc = YAML10.parse(raw);
|
|
11145
|
+
const identities = doc.service_identities;
|
|
11146
|
+
const siDoc = identities.find((si) => si.name === name);
|
|
11147
|
+
const envs = siDoc.environments;
|
|
11148
|
+
const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
|
|
11149
|
+
const privateKeys = {};
|
|
11150
|
+
for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
|
|
11151
|
+
const oldConfig = identity.environments[envName];
|
|
11152
|
+
if (!oldConfig) {
|
|
11153
|
+
throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
|
|
11154
|
+
}
|
|
11155
|
+
if (oldConfig.recipient) {
|
|
11156
|
+
const scopedCells = cells.filter(
|
|
11157
|
+
(c) => identity.namespaces.includes(c.namespace) && c.environment === envName
|
|
11158
|
+
);
|
|
11159
|
+
for (const cell of scopedCells) {
|
|
11160
|
+
try {
|
|
11161
|
+
await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
|
|
11162
|
+
} catch {
|
|
11163
|
+
}
|
|
11164
|
+
}
|
|
11165
|
+
}
|
|
11166
|
+
envs[envName] = { kms: kmsConfig };
|
|
11167
|
+
identity.environments[envName] = { kms: kmsConfig };
|
|
11168
|
+
}
|
|
11169
|
+
const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
|
|
11170
|
+
try {
|
|
11171
|
+
fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
|
|
11172
|
+
fs15.renameSync(tmp, manifestPath);
|
|
11173
|
+
} finally {
|
|
11174
|
+
try {
|
|
11175
|
+
fs15.unlinkSync(tmp);
|
|
11176
|
+
} catch {
|
|
11177
|
+
}
|
|
11178
|
+
}
|
|
11179
|
+
return { privateKeys };
|
|
11180
|
+
}
|
|
11132
11181
|
/**
|
|
11133
11182
|
* Register a service identity's public keys as SOPS recipients on scoped matrix files.
|
|
11134
11183
|
*/
|
|
@@ -11376,7 +11425,8 @@ var ArtifactPacker = class {
|
|
|
11376
11425
|
try {
|
|
11377
11426
|
const e = new Encrypter();
|
|
11378
11427
|
e.addRecipient(ephemeralPublicKey);
|
|
11379
|
-
|
|
11428
|
+
const encrypted = await e.encrypt(plaintext);
|
|
11429
|
+
ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
|
|
11380
11430
|
} catch {
|
|
11381
11431
|
throw new Error("Failed to age-encrypt artifact with ephemeral key.");
|
|
11382
11432
|
}
|
|
@@ -11405,7 +11455,8 @@ var ArtifactPacker = class {
|
|
|
11405
11455
|
const { Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
|
|
11406
11456
|
const e = new Encrypter();
|
|
11407
11457
|
e.addRecipient(resolved.recipient);
|
|
11408
|
-
|
|
11458
|
+
const encrypted = await e.encrypt(plaintext);
|
|
11459
|
+
ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
|
|
11409
11460
|
} catch {
|
|
11410
11461
|
throw new Error("Failed to age-encrypt artifact. Check recipient key.");
|
|
11411
11462
|
}
|
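Review bot: In `updateEnvironments` (new lines 11160–11163), the empty `catch {}` around `this.encryption.removeRecipient(cell.filePath, oldConfig.recipient)` hides a failed revocation: the loop still writes `{ kms: kmsConfig }` into the manifest, so the manifest can report the environment as KMS-backed while the old age recipient can still decrypt that cell. Surface the failure before the manifest is rewritten, for example `} catch (err) { throw new Error("Failed to remove age recipient from " + cell.filePath, { cause: err }); }`, and if the swallow is meant to tolerate a recipient that is already absent, narrow it to that one case. The doc comment also promises new private keys for KMS → age switches, but `privateKeys` is never assigned in the visible body, so either the comment or the return value needs correcting. The temp file is created in `os.tmpdir()` and moved with `fs15.renameSync`, which fails with EXDEV when the temp directory and `repoRoot` are on different filesystems; writing it next to `manifestPath` avoids that.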