@clef-sh/core 0.1.6-beta.32 → 0.1.7-beta.45

package/dist/artifact/packer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA6G9F"}
+{"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA+G9F"}

package/dist/index.js

@@ -6972,7 +6972,7 @@ __export(src_exports, {
   markResolved: () => markResolved,
   matchPatterns: () => matchPatterns,
   metadataPath: () => metadataPath,
-  parse: () => parse6,
+  parse: () => parse7,
   parseDotenv: () => parseDotenv,
   parseIgnoreContent: () => parseIgnoreContent,
   parseJson: () => parseJson,
@@ -8002,6 +8002,7 @@ var ScanRunner = class {
 // src/matrix/manager.ts
 var fs5 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
+var YAML3 = __toESM(require("yaml"));
 
 // src/pending/metadata.ts
 var fs4 = __toESM(require("fs"));
@@ -8146,9 +8147,15 @@ var MatrixManager = class {
    * @param repoRoot - Absolute path to the repository root.
    * @param sopsClient - SOPS client used to decrypt each cell.
    */
-  async getMatrixStatus(manifest, repoRoot, sopsClient) {
+  async getMatrixStatus(manifest, repoRoot, _sopsClient) {
     const cells = this.resolveMatrix(manifest, repoRoot);
     const statuses = [];
+    const cellKeys = /* @__PURE__ */ new Map();
+    for (const cell of cells) {
+      if (cell.exists) {
+        cellKeys.set(cell.filePath, this.readKeyNames(cell.filePath));
+      }
+    }
     for (const cell of cells) {
       if (!cell.exists) {
         statuses.push({
@@ -8171,48 +8178,56 @@ var MatrixManager = class {
         pendingCount = pending.length;
       } catch {
       }
-      try {
-        const decrypted = await sopsClient.decrypt(cell.filePath);
-        const keyCount = Object.keys(decrypted.values).length;
-        const lastModified = decrypted.metadata.lastModified;
-        const issues = [];
-        const siblingCells = cells.filter(
-          (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
-        );
-        for (const sibling of siblingCells) {
-          try {
-            const siblingDecrypted = await sopsClient.decrypt(sibling.filePath);
-            const siblingKeys = Object.keys(siblingDecrypted.values);
-            const currentKeys = Object.keys(decrypted.values);
-            const missingKeys = siblingKeys.filter((k) => !currentKeys.includes(k));
-            for (const mk of missingKeys) {
-              issues.push({
-                type: "missing_keys",
-                message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
-                key: mk
-              });
-            }
-          } catch {
-          }
+      const keys = cellKeys.get(cell.filePath) ?? [];
+      const keyCount = keys.length;
+      const lastModified = this.readLastModified(cell.filePath);
+      const issues = [];
+      const siblingCells = cells.filter(
+        (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
+      );
+      for (const sibling of siblingCells) {
+        const siblingKeys = cellKeys.get(sibling.filePath) ?? [];
+        const missingKeys = siblingKeys.filter((k) => !keys.includes(k));
+        for (const mk of missingKeys) {
+          issues.push({
+            type: "missing_keys",
+            message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
+            key: mk
+          });
         }
-        statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
-      } catch {
-        statuses.push({
-          cell,
-          keyCount: 0,
-          pendingCount: 0,
-          lastModified: null,
-          issues: [
-            {
-              type: "sops_error",
-              message: `Could not decrypt '${cell.filePath}'. Check your key configuration.`
-            }
-          ]
-        });
       }
+      statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
     }
     return statuses;
   }
+  /**
+   * Read top-level key names from a SOPS file without decryption.
+   * SOPS stores key names in plaintext — only values are encrypted.
+   */
+  readKeyNames(filePath) {
+    try {
+      const raw = fs5.readFileSync(filePath, "utf-8");
+      const parsed = YAML3.parse(raw);
+      if (!parsed || typeof parsed !== "object") return [];
+      return Object.keys(parsed).filter((k) => k !== "sops");
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Read the lastModified timestamp from SOPS metadata without decryption.
+   */
+  readLastModified(filePath) {
+    try {
+      const raw = fs5.readFileSync(filePath, "utf-8");
+      const parsed = YAML3.parse(raw);
+      const sops = parsed?.sops;
+      if (sops?.lastmodified) return new Date(String(sops.lastmodified));
+      return null;
+    } catch {
+      return null;
+    }
+  }
   /**
    * Check whether an environment has the `protected` flag set in the manifest.
    *
@@ -8227,7 +8242,7 @@ var MatrixManager = class {
 
 // src/schema/validator.ts
 var fs6 = __toESM(require("fs"));
-var YAML3 = __toESM(require("yaml"));
+var YAML4 = __toESM(require("yaml"));
 var SchemaValidator = class {
   /**
    * Read and parse a YAML schema file from disk.
@@ -8245,7 +8260,7 @@ var SchemaValidator = class {
     }
     let parsed;
     try {
-      parsed = YAML3.parse(raw);
+      parsed = YAML4.parse(raw);
     } catch {
       throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
     }
@@ -8813,7 +8828,7 @@ ${mergeRule}
 var fs10 = __toESM(require("fs"));
 var net = __toESM(require("net"));
 var import_crypto = require("crypto");
-var YAML4 = __toESM(require("yaml"));
+var YAML5 = __toESM(require("yaml"));
 
 // src/sops/resolver.ts
 var fs9 = __toESM(require("fs"));
@@ -9067,7 +9082,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML4.parse(result.stdout) ?? {};
+      parsed = YAML5.parse(result.stdout) ?? {};
     } catch {
       throw new SopsDecryptionError(
         `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -9094,7 +9109,7 @@ var SopsClient = class {
   async encrypt(filePath, values, manifest, environment) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML4.stringify(values);
+    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML5.stringify(values);
     const args = this.buildEncryptArgs(filePath, manifest, environment);
     const env = this.buildSopsEnv();
     let inputArg;
@@ -9294,7 +9309,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML4.parse(content);
+      parsed = YAML5.parse(content);
     } catch {
       throw new SopsDecryptionError(
         `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -9595,7 +9610,7 @@ var LintRunner = class {
   /**
    * Lint service identity configurations for drift issues.
    */
-  async lintServiceIdentities(identities, manifest, _repoRoot, existingCells) {
+  async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
     const issues = [];
     const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
     const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
@@ -9726,7 +9741,7 @@ var path12 = __toESM(require("path"));
 
 // src/import/parsers.ts
 var path11 = __toESM(require("path"));
-var YAML5 = __toESM(require("yaml"));
+var YAML6 = __toESM(require("yaml"));
 function detectFormat(filePath, content) {
   const base = path11.basename(filePath);
   const ext = path11.extname(filePath).toLowerCase();
@@ -9750,7 +9765,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML5.parse(content);
+    const parsed = YAML6.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -9831,7 +9846,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML5.parse(content);
+    parsed = YAML6.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -9865,7 +9880,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse6(content, format, filePath) {
+function parse7(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -9898,7 +9913,7 @@ var ImportRunner = class {
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
-    const parsed = parse6(content, options.format ?? "auto", sourcePath ?? "");
+    const parsed = parse7(content, options.format ?? "auto", sourcePath ?? "");
     let candidates = Object.entries(parsed.pairs);
     if (options.prefix) {
       const prefix = options.prefix;
@@ -9954,7 +9969,7 @@ var ImportRunner = class {
 // src/recipients/index.ts
 var fs11 = __toESM(require("fs"));
 var path13 = __toESM(require("path"));
-var YAML6 = __toESM(require("yaml"));
+var YAML7 = __toESM(require("yaml"));
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -9978,11 +9993,11 @@ function toRecipient(entry) {
 function readManifestYaml(repoRoot) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
   const raw = fs11.readFileSync(manifestPath, "utf-8");
-  return YAML6.parse(raw);
+  return YAML7.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs11.writeFileSync(manifestPath, YAML6.stringify(doc), "utf-8");
+  fs11.writeFileSync(manifestPath, YAML7.stringify(doc), "utf-8");
 }
 function getRecipientsArray(doc) {
   const sops = doc.sops;
@@ -10217,7 +10232,7 @@ var RecipientManager = class {
 // src/recipients/requests.ts
 var fs12 = __toESM(require("fs"));
 var path14 = __toESM(require("path"));
-var YAML7 = __toESM(require("yaml"));
+var YAML8 = __toESM(require("yaml"));
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
@@ -10228,7 +10243,7 @@ function loadRequests(repoRoot) {
   try {
     if (!fs12.existsSync(filePath)) return [];
     const content = fs12.readFileSync(filePath, "utf-8");
-    const parsed = YAML7.parse(content);
+    const parsed = YAML8.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -10260,7 +10275,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML7.stringify(data), "utf-8");
+  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML8.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -10298,7 +10313,7 @@ function findInList(requests, identifier) {
 // src/drift/detector.ts
 var fs13 = __toESM(require("fs"));
 var path15 = __toESM(require("path"));
-var YAML8 = __toESM(require("yaml"));
+var YAML9 = __toESM(require("yaml"));
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -10385,7 +10400,7 @@ var DriftDetector = class {
     try {
       if (!fs13.existsSync(filePath)) return null;
       const raw = fs13.readFileSync(filePath, "utf-8");
-      const parsed = YAML8.parse(raw);
+      const parsed = YAML9.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
       return Object.keys(parsed).filter((k) => k !== "sops");
     } catch {
@@ -10397,7 +10412,7 @@ var DriftDetector = class {
 // src/report/generator.ts
 var fs14 = __toESM(require("fs"));
 var path16 = __toESM(require("path"));
-var YAML9 = __toESM(require("yaml"));
+var YAML10 = __toESM(require("yaml"));
 
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -10705,7 +10720,7 @@ var ReportGenerator = class {
     try {
       if (!fs14.existsSync(filePath)) return 0;
       const raw = fs14.readFileSync(filePath, "utf-8");
-      const parsed = YAML9.parse(raw);
+      const parsed = YAML10.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
       return Object.keys(parsed).filter((k) => k !== "sops").length;
     } catch {
@@ -11042,7 +11057,7 @@ var SopsMergeDriver = class {
 var fs15 = __toESM(require("fs"));
 var os = __toESM(require("os"));
 var path17 = __toESM(require("path"));
-var YAML10 = __toESM(require("yaml"));
+var YAML11 = __toESM(require("yaml"));
 var PartialRotationError = class extends Error {
   constructor(message, rotatedKeys) {
     super(message);
@@ -11095,7 +11110,7 @@ var ServiceIdentityManager = class {
     await this.registerRecipients(definition, manifest, repoRoot);
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     if (!Array.isArray(doc.service_identities)) {
       doc.service_identities = [];
     }
@@ -11107,7 +11122,7 @@ var ServiceIdentityManager = class {
     });
     const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmpCreate, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmpCreate, manifestPath);
     } finally {
       try {
@@ -11129,6 +11144,95 @@ var ServiceIdentityManager = class {
   get(manifest, name) {
     return manifest.service_identities?.find((si) => si.name === name);
   }
+  /**
+   * Delete a service identity: remove its recipients from scoped SOPS files
+   * and remove it from the manifest.
+   */
+  async delete(name, manifest, repoRoot) {
+    const identity = this.get(manifest, name);
+    if (!identity) {
+      throw new Error(`Service identity '${name}' not found.`);
+    }
+    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    for (const cell of cells) {
+      if (!identity.namespaces.includes(cell.namespace)) continue;
+      const envConfig = identity.environments[cell.environment];
+      if (!envConfig?.recipient) continue;
+      if (isKmsEnvelope(envConfig)) continue;
+      try {
+        await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+      } catch {
+      }
+    }
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML11.parse(raw);
+    const identities = doc.service_identities;
+    if (Array.isArray(identities)) {
+      doc.service_identities = identities.filter(
+        (si) => si.name !== name
+      );
+    }
+    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmp);
+      } catch {
+      }
+    }
+  }
+  /**
+   * Update environment backends on an existing service identity.
+   * Switches age → KMS (removes old recipient) or updates KMS config.
+   * Returns new private keys for any environments switched from KMS → age.
+   */
+  async updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot) {
+    const identity = this.get(manifest, name);
+    if (!identity) {
+      throw new Error(`Service identity '${name}' not found.`);
+    }
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML11.parse(raw);
+    const identities = doc.service_identities;
+    const siDoc = identities.find((si) => si.name === name);
+    const envs = siDoc.environments;
+    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    const privateKeys = {};
+    for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+      const oldConfig = identity.environments[envName];
+      if (!oldConfig) {
+        throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
+      }
+      if (oldConfig.recipient) {
+        const scopedCells = cells.filter(
+          (c) => identity.namespaces.includes(c.namespace) && c.environment === envName
+        );
+        for (const cell of scopedCells) {
+          try {
+            await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
+          } catch {
+          }
+        }
+      }
+      envs[envName] = { kms: kmsConfig };
+      identity.environments[envName] = { kms: kmsConfig };
+    }
+    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmp);
+      } catch {
+      }
+    }
+    return { privateKeys };
+  }
   /**
    * Register a service identity's public keys as SOPS recipients on scoped matrix files.
    */
@@ -11161,7 +11265,7 @@ var ServiceIdentityManager = class {
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -11216,7 +11320,7 @@ var ServiceIdentityManager = class {
     }
     const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmpRotate, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmpRotate, manifestPath);
     } finally {
       try {
@@ -11376,7 +11480,8 @@ var ArtifactPacker = class {
       try {
         const e = new Encrypter();
         e.addRecipient(ephemeralPublicKey);
-        ciphertext = await e.encrypt(plaintext);
+        const encrypted = await e.encrypt(plaintext);
+        ciphertext = Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact with ephemeral key.");
       }
@@ -11405,7 +11510,8 @@ var ArtifactPacker = class {
         const { Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
         const e = new Encrypter();
         e.addRecipient(resolved.recipient);
-        ciphertext = await e.encrypt(plaintext);
+        const encrypted = await e.encrypt(plaintext);
+        ciphertext = Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact. Check recipient key.");
       }