npm - @clef-sh/core - Versions diffs - 0.1.7-beta.43 → 0.1.7-beta.45 - Mend

@clef-sh/core 0.1.7-beta.43 → 0.1.7-beta.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/artifact/packer.d.ts.map +1 -1
package/dist/index.js +124 -69
package/dist/index.js.map +3 -3
package/dist/index.mjs +124 -69
package/dist/index.mjs.map +3 -3
package/dist/matrix/manager.d.ts +10 -1
package/dist/matrix/manager.d.ts.map +1 -1
package/dist/service-identity/manager.d.ts +5 -0
package/dist/service-identity/manager.d.ts.map +1 -1
package/package.json +1 -1

package/dist/artifact/packer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;~~CAqH9F~~"}
1	+ {"version":3,"file":"packer.d.ts","sourceRoot":"","sources":["../../src/artifact/packer.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAkB,MAAM,SAAS,CAAC;AAGjE;;;;;GAKG;AACH,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAFJ,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,WAAW,YAAA;IAGpC;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA+G9F"}

package/dist/index.js CHANGED Viewed

@@ -6972,7 +6972,7 @@ __export(src_exports, {
   markResolved: () => markResolved,
   matchPatterns: () => matchPatterns,
   metadataPath: () => metadataPath,
-  parse: () => parse6,
+  parse: () => parse7,
   parseDotenv: () => parseDotenv,
   parseIgnoreContent: () => parseIgnoreContent,
   parseJson: () => parseJson,
@@ -8002,6 +8002,7 @@ var ScanRunner = class {
 // src/matrix/manager.ts
 var fs5 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
+var YAML3 = __toESM(require("yaml"));
 // src/pending/metadata.ts
 var fs4 = __toESM(require("fs"));
@@ -8146,9 +8147,15 @@ var MatrixManager = class {
    * @param repoRoot - Absolute path to the repository root.
    * @param sopsClient - SOPS client used to decrypt each cell.
    */
-  async getMatrixStatus(manifest, repoRoot, sopsClient) {
+  async getMatrixStatus(manifest, repoRoot, _sopsClient) {
     const cells = this.resolveMatrix(manifest, repoRoot);
     const statuses = [];
+    const cellKeys = /* @__PURE__ */ new Map();
+    for (const cell of cells) {
+      if (cell.exists) {
+        cellKeys.set(cell.filePath, this.readKeyNames(cell.filePath));
+      }
+    }
     for (const cell of cells) {
       if (!cell.exists) {
         statuses.push({
@@ -8171,48 +8178,56 @@ var MatrixManager = class {
         pendingCount = pending.length;
       } catch {
       }
-      try {
-        const decrypted = await sopsClient.decrypt(cell.filePath);
-        const keyCount = Object.keys(decrypted.values).length;
-        const lastModified = decrypted.metadata.lastModified;
-        const issues = [];
-        const siblingCells = cells.filter(
-          (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
-        );
-        for (const sibling of siblingCells) {
-          try {
-            const siblingDecrypted = await sopsClient.decrypt(sibling.filePath);
-            const siblingKeys = Object.keys(siblingDecrypted.values);
-            const currentKeys = Object.keys(decrypted.values);
-            const missingKeys = siblingKeys.filter((k) => !currentKeys.includes(k));
-            for (const mk of missingKeys) {
-              issues.push({
-                type: "missing_keys",
-                message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
-                key: mk
-              });
-            }
-          } catch {
-          }
+      const keys = cellKeys.get(cell.filePath) ?? [];
+      const keyCount = keys.length;
+      const lastModified = this.readLastModified(cell.filePath);
+      const issues = [];
+      const siblingCells = cells.filter(
+        (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
+      );
+      for (const sibling of siblingCells) {
+        const siblingKeys = cellKeys.get(sibling.filePath) ?? [];
+        const missingKeys = siblingKeys.filter((k) => !keys.includes(k));
+        for (const mk of missingKeys) {
+          issues.push({
+            type: "missing_keys",
+            message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
+            key: mk
+          });
         }
-        statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
-      } catch {
-        statuses.push({
-          cell,
-          keyCount: 0,
-          pendingCount: 0,
-          lastModified: null,
-          issues: [
-            {
-              type: "sops_error",
-              message: `Could not decrypt '${cell.filePath}'. Check your key configuration.`
-            }
-          ]
-        });
       }
+      statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
     }
     return statuses;
   }
+  /**
+   * Read top-level key names from a SOPS file without decryption.
+   * SOPS stores key names in plaintext — only values are encrypted.
+   */
+  readKeyNames(filePath) {
+    try {
+      const raw = fs5.readFileSync(filePath, "utf-8");
+      const parsed = YAML3.parse(raw);
+      if (!parsed || typeof parsed !== "object") return [];
+      return Object.keys(parsed).filter((k) => k !== "sops");
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Read the lastModified timestamp from SOPS metadata without decryption.
+   */
+  readLastModified(filePath) {
+    try {
+      const raw = fs5.readFileSync(filePath, "utf-8");
+      const parsed = YAML3.parse(raw);
+      const sops = parsed?.sops;
+      if (sops?.lastmodified) return new Date(String(sops.lastmodified));
+      return null;
+    } catch {
+      return null;
+    }
+  }
   /**
    * Check whether an environment has the `protected` flag set in the manifest.
    *
@@ -8227,7 +8242,7 @@ var MatrixManager = class {
 // src/schema/validator.ts
 var fs6 = __toESM(require("fs"));
-var YAML3 = __toESM(require("yaml"));
+var YAML4 = __toESM(require("yaml"));
 var SchemaValidator = class {
   /**
    * Read and parse a YAML schema file from disk.
@@ -8245,7 +8260,7 @@ var SchemaValidator = class {
     }
     let parsed;
     try {
-      parsed = YAML3.parse(raw);
+      parsed = YAML4.parse(raw);
     } catch {
       throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
     }
@@ -8813,7 +8828,7 @@ ${mergeRule}
 var fs10 = __toESM(require("fs"));
 var net = __toESM(require("net"));
 var import_crypto = require("crypto");
-var YAML4 = __toESM(require("yaml"));
+var YAML5 = __toESM(require("yaml"));
 // src/sops/resolver.ts
 var fs9 = __toESM(require("fs"));
@@ -9067,7 +9082,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML4.parse(result.stdout) ?? {};
+      parsed = YAML5.parse(result.stdout) ?? {};
     } catch {
       throw new SopsDecryptionError(
         `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -9094,7 +9109,7 @@ var SopsClient = class {
   async encrypt(filePath, values, manifest, environment) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML4.stringify(values);
+    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML5.stringify(values);
     const args = this.buildEncryptArgs(filePath, manifest, environment);
     const env = this.buildSopsEnv();
     let inputArg;
@@ -9294,7 +9309,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML4.parse(content);
+      parsed = YAML5.parse(content);
     } catch {
       throw new SopsDecryptionError(
         `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -9726,7 +9741,7 @@ var path12 = __toESM(require("path"));
 // src/import/parsers.ts
 var path11 = __toESM(require("path"));
-var YAML5 = __toESM(require("yaml"));
+var YAML6 = __toESM(require("yaml"));
 function detectFormat(filePath, content) {
   const base = path11.basename(filePath);
   const ext = path11.extname(filePath).toLowerCase();
@@ -9750,7 +9765,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML5.parse(content);
+    const parsed = YAML6.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -9831,7 +9846,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML5.parse(content);
+    parsed = YAML6.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -9865,7 +9880,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse6(content, format, filePath) {
+function parse7(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -9898,7 +9913,7 @@ var ImportRunner = class {
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
-    const parsed = parse6(content, options.format ?? "auto", sourcePath ?? "");
+    const parsed = parse7(content, options.format ?? "auto", sourcePath ?? "");
     let candidates = Object.entries(parsed.pairs);
     if (options.prefix) {
       const prefix = options.prefix;
@@ -9954,7 +9969,7 @@ var ImportRunner = class {
 // src/recipients/index.ts
 var fs11 = __toESM(require("fs"));
 var path13 = __toESM(require("path"));
-var YAML6 = __toESM(require("yaml"));
+var YAML7 = __toESM(require("yaml"));
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -9978,11 +9993,11 @@ function toRecipient(entry) {
 function readManifestYaml(repoRoot) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
   const raw = fs11.readFileSync(manifestPath, "utf-8");
-  return YAML6.parse(raw);
+  return YAML7.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs11.writeFileSync(manifestPath, YAML6.stringify(doc), "utf-8");
+  fs11.writeFileSync(manifestPath, YAML7.stringify(doc), "utf-8");
 }
 function getRecipientsArray(doc) {
   const sops = doc.sops;
@@ -10217,7 +10232,7 @@ var RecipientManager = class {
 // src/recipients/requests.ts
 var fs12 = __toESM(require("fs"));
 var path14 = __toESM(require("path"));
-var YAML7 = __toESM(require("yaml"));
+var YAML8 = __toESM(require("yaml"));
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
@@ -10228,7 +10243,7 @@ function loadRequests(repoRoot) {
   try {
     if (!fs12.existsSync(filePath)) return [];
     const content = fs12.readFileSync(filePath, "utf-8");
-    const parsed = YAML7.parse(content);
+    const parsed = YAML8.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -10260,7 +10275,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML7.stringify(data), "utf-8");
+  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML8.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -10298,7 +10313,7 @@ function findInList(requests, identifier) {
 // src/drift/detector.ts
 var fs13 = __toESM(require("fs"));
 var path15 = __toESM(require("path"));
-var YAML8 = __toESM(require("yaml"));
+var YAML9 = __toESM(require("yaml"));
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -10385,7 +10400,7 @@ var DriftDetector = class {
     try {
       if (!fs13.existsSync(filePath)) return null;
       const raw = fs13.readFileSync(filePath, "utf-8");
-      const parsed = YAML8.parse(raw);
+      const parsed = YAML9.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
       return Object.keys(parsed).filter((k) => k !== "sops");
     } catch {
@@ -10397,7 +10412,7 @@ var DriftDetector = class {
 // src/report/generator.ts
 var fs14 = __toESM(require("fs"));
 var path16 = __toESM(require("path"));
-var YAML9 = __toESM(require("yaml"));
+var YAML10 = __toESM(require("yaml"));
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -10705,7 +10720,7 @@ var ReportGenerator = class {
     try {
       if (!fs14.existsSync(filePath)) return 0;
       const raw = fs14.readFileSync(filePath, "utf-8");
-      const parsed = YAML9.parse(raw);
+      const parsed = YAML10.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
       return Object.keys(parsed).filter((k) => k !== "sops").length;
     } catch {
@@ -11042,7 +11057,7 @@ var SopsMergeDriver = class {
 var fs15 = __toESM(require("fs"));
 var os = __toESM(require("os"));
 var path17 = __toESM(require("path"));
-var YAML10 = __toESM(require("yaml"));
+var YAML11 = __toESM(require("yaml"));
 var PartialRotationError = class extends Error {
   constructor(message, rotatedKeys) {
     super(message);
@@ -11095,7 +11110,7 @@ var ServiceIdentityManager = class {
     await this.registerRecipients(definition, manifest, repoRoot);
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     if (!Array.isArray(doc.service_identities)) {
       doc.service_identities = [];
     }
@@ -11107,7 +11122,7 @@ var ServiceIdentityManager = class {
     });
     const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmpCreate, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmpCreate, manifestPath);
     } finally {
       try {
@@ -11129,6 +11144,46 @@ var ServiceIdentityManager = class {
   get(manifest, name) {
     return manifest.service_identities?.find((si) => si.name === name);
   }
+  /**
+   * Delete a service identity: remove its recipients from scoped SOPS files
+   * and remove it from the manifest.
+   */
+  async delete(name, manifest, repoRoot) {
+    const identity = this.get(manifest, name);
+    if (!identity) {
+      throw new Error(`Service identity '${name}' not found.`);
+    }
+    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    for (const cell of cells) {
+      if (!identity.namespaces.includes(cell.namespace)) continue;
+      const envConfig = identity.environments[cell.environment];
+      if (!envConfig?.recipient) continue;
+      if (isKmsEnvelope(envConfig)) continue;
+      try {
+        await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+      } catch {
+      }
+    }
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML11.parse(raw);
+    const identities = doc.service_identities;
+    if (Array.isArray(identities)) {
+      doc.service_identities = identities.filter(
+        (si) => si.name !== name
+      );
+    }
+    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmp);
+      } catch {
+      }
+    }
+  }
   /**
    * Update environment backends on an existing service identity.
    * Switches age → KMS (removes old recipient) or updates KMS config.
@@ -11141,7 +11196,7 @@ var ServiceIdentityManager = class {
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -11168,7 +11223,7 @@ var ServiceIdentityManager = class {
     }
     const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmp, manifestPath);
     } finally {
       try {
@@ -11210,7 +11265,7 @@ var ServiceIdentityManager = class {
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -11265,7 +11320,7 @@ var ServiceIdentityManager = class {
     }
     const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmpRotate, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmpRotate, manifestPath);
     } finally {
       try {
@@ -11426,7 +11481,7 @@ var ArtifactPacker = class {
         const e = new Encrypter();
         e.addRecipient(ephemeralPublicKey);
         const encrypted = await e.encrypt(plaintext);
-        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
+        ciphertext = Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact with ephemeral key.");
       }
@@ -11456,7 +11511,7 @@ var ArtifactPacker = class {
         const e = new Encrypter();
         e.addRecipient(resolved.recipient);
         const encrypted = await e.encrypt(plaintext);
-        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
+        ciphertext = Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact. Check recipient key.");
       }