@clef-sh/core 0.1.6-beta.32 → 0.1.7-beta.43

package/dist/index.mjs

@@ -2605,7 +2605,7 @@ var LintRunner = class {
   /**
    * Lint service identity configurations for drift issues.
    */
-  async lintServiceIdentities(identities, manifest, _repoRoot, existingCells) {
+  async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
     const issues = [];
     const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
     const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
@@ -4139,6 +4139,55 @@ var ServiceIdentityManager = class {
   get(manifest, name) {
     return manifest.service_identities?.find((si) => si.name === name);
   }
+  /**
+   * Update environment backends on an existing service identity.
+   * Switches age → KMS (removes old recipient) or updates KMS config.
+   * Returns new private keys for any environments switched from KMS → age.
+   */
+  async updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot) {
+    const identity = this.get(manifest, name);
+    if (!identity) {
+      throw new Error(`Service identity '${name}' not found.`);
+    }
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
+    const identities = doc.service_identities;
+    const siDoc = identities.find((si) => si.name === name);
+    const envs = siDoc.environments;
+    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    const privateKeys = {};
+    for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+      const oldConfig = identity.environments[envName];
+      if (!oldConfig) {
+        throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
+      }
+      if (oldConfig.recipient) {
+        const scopedCells = cells.filter(
+          (c) => identity.namespaces.includes(c.namespace) && c.environment === envName
+        );
+        for (const cell of scopedCells) {
+          try {
+            await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
+          } catch {
+          }
+        }
+      }
+      envs[envName] = { kms: kmsConfig };
+      identity.environments[envName] = { kms: kmsConfig };
+    }
+    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmp);
+      } catch {
+      }
+    }
+    return { privateKeys };
+  }
   /**
    * Register a service identity's public keys as SOPS recipients on scoped matrix files.
    */
@@ -4389,7 +4438,8 @@ var ArtifactPacker = class {
       try {
         const e = new Encrypter();
         e.addRecipient(ephemeralPublicKey);
-        ciphertext = await e.encrypt(plaintext);
+        const encrypted = await e.encrypt(plaintext);
+        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact with ephemeral key.");
       }
@@ -4418,7 +4468,8 @@ var ArtifactPacker = class {
         const { Encrypter } = await import("age-encryption");
         const e = new Encrypter();
         e.addRecipient(resolved.recipient);
-        ciphertext = await e.encrypt(plaintext);
+        const encrypted = await e.encrypt(plaintext);
+        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact. Check recipient key.");
       }