@clef-sh/core 0.1.7-beta.43 → 0.1.7-beta.45

package/dist/index.mjs

@@ -1012,6 +1012,7 @@ var ScanRunner = class {
 // src/matrix/manager.ts
 import * as fs5 from "fs";
 import * as path4 from "path";
+import * as YAML3 from "yaml";
 
 // src/pending/metadata.ts
 import * as fs4 from "fs";
@@ -1156,9 +1157,15 @@ var MatrixManager = class {
    * @param repoRoot - Absolute path to the repository root.
    * @param sopsClient - SOPS client used to decrypt each cell.
    */
-  async getMatrixStatus(manifest, repoRoot, sopsClient) {
+  async getMatrixStatus(manifest, repoRoot, _sopsClient) {
     const cells = this.resolveMatrix(manifest, repoRoot);
     const statuses = [];
+    const cellKeys = /* @__PURE__ */ new Map();
+    for (const cell of cells) {
+      if (cell.exists) {
+        cellKeys.set(cell.filePath, this.readKeyNames(cell.filePath));
+      }
+    }
     for (const cell of cells) {
       if (!cell.exists) {
         statuses.push({
@@ -1181,48 +1188,56 @@ var MatrixManager = class {
         pendingCount = pending.length;
       } catch {
       }
-      try {
-        const decrypted = await sopsClient.decrypt(cell.filePath);
-        const keyCount = Object.keys(decrypted.values).length;
-        const lastModified = decrypted.metadata.lastModified;
-        const issues = [];
-        const siblingCells = cells.filter(
-          (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
-        );
-        for (const sibling of siblingCells) {
-          try {
-            const siblingDecrypted = await sopsClient.decrypt(sibling.filePath);
-            const siblingKeys = Object.keys(siblingDecrypted.values);
-            const currentKeys = Object.keys(decrypted.values);
-            const missingKeys = siblingKeys.filter((k) => !currentKeys.includes(k));
-            for (const mk of missingKeys) {
-              issues.push({
-                type: "missing_keys",
-                message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
-                key: mk
-              });
-            }
-          } catch {
-          }
+      const keys = cellKeys.get(cell.filePath) ?? [];
+      const keyCount = keys.length;
+      const lastModified = this.readLastModified(cell.filePath);
+      const issues = [];
+      const siblingCells = cells.filter(
+        (c) => c.namespace === cell.namespace && c.environment !== cell.environment && c.exists
+      );
+      for (const sibling of siblingCells) {
+        const siblingKeys = cellKeys.get(sibling.filePath) ?? [];
+        const missingKeys = siblingKeys.filter((k) => !keys.includes(k));
+        for (const mk of missingKeys) {
+          issues.push({
+            type: "missing_keys",
+            message: `Key '${mk}' exists in ${sibling.environment} but is missing here.`,
+            key: mk
+          });
         }
-        statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
-      } catch {
-        statuses.push({
-          cell,
-          keyCount: 0,
-          pendingCount: 0,
-          lastModified: null,
-          issues: [
-            {
-              type: "sops_error",
-              message: `Could not decrypt '${cell.filePath}'. Check your key configuration.`
-            }
-          ]
-        });
       }
+      statuses.push({ cell, keyCount, pendingCount, lastModified, issues });
     }
     return statuses;
   }
+  /**
+   * Read top-level key names from a SOPS file without decryption.
+   * SOPS stores key names in plaintext — only values are encrypted.
+   */
+  readKeyNames(filePath) {
+    try {
+      const raw = fs5.readFileSync(filePath, "utf-8");
+      const parsed = YAML3.parse(raw);
+      if (!parsed || typeof parsed !== "object") return [];
+      return Object.keys(parsed).filter((k) => k !== "sops");
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Read the lastModified timestamp from SOPS metadata without decryption.
+   */
+  readLastModified(filePath) {
+    try {
+      const raw = fs5.readFileSync(filePath, "utf-8");
+      const parsed = YAML3.parse(raw);
+      const sops = parsed?.sops;
+      if (sops?.lastmodified) return new Date(String(sops.lastmodified));
+      return null;
+    } catch {
+      return null;
+    }
+  }
   /**
    * Check whether an environment has the `protected` flag set in the manifest.
    *
@@ -1237,7 +1252,7 @@ var MatrixManager = class {
 
 // src/schema/validator.ts
 import * as fs6 from "fs";
-import * as YAML3 from "yaml";
+import * as YAML4 from "yaml";
 var SchemaValidator = class {
   /**
    * Read and parse a YAML schema file from disk.
@@ -1255,7 +1270,7 @@ var SchemaValidator = class {
     }
     let parsed;
     try {
-      parsed = YAML3.parse(raw);
+      parsed = YAML4.parse(raw);
     } catch {
       throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
     }
@@ -1823,7 +1838,7 @@ ${mergeRule}
 import * as fs10 from "fs";
 import * as net from "net";
 import { randomBytes as randomBytes2 } from "crypto";
-import * as YAML4 from "yaml";
+import * as YAML5 from "yaml";
 
 // src/sops/resolver.ts
 import * as fs9 from "fs";
@@ -2077,7 +2092,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML4.parse(result.stdout) ?? {};
+      parsed = YAML5.parse(result.stdout) ?? {};
     } catch {
       throw new SopsDecryptionError(
         `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -2104,7 +2119,7 @@ var SopsClient = class {
   async encrypt(filePath, values, manifest, environment) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML4.stringify(values);
+    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML5.stringify(values);
     const args = this.buildEncryptArgs(filePath, manifest, environment);
     const env = this.buildSopsEnv();
     let inputArg;
@@ -2304,7 +2319,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML4.parse(content);
+      parsed = YAML5.parse(content);
     } catch {
       throw new SopsDecryptionError(
         `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -2736,7 +2751,7 @@ import * as path12 from "path";
 
 // src/import/parsers.ts
 import * as path11 from "path";
-import * as YAML5 from "yaml";
+import * as YAML6 from "yaml";
 function detectFormat(filePath, content) {
   const base = path11.basename(filePath);
   const ext = path11.extname(filePath).toLowerCase();
@@ -2760,7 +2775,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML5.parse(content);
+    const parsed = YAML6.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -2841,7 +2856,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML5.parse(content);
+    parsed = YAML6.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -2875,7 +2890,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse6(content, format, filePath) {
+function parse7(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -2908,7 +2923,7 @@ var ImportRunner = class {
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
-    const parsed = parse6(content, options.format ?? "auto", sourcePath ?? "");
+    const parsed = parse7(content, options.format ?? "auto", sourcePath ?? "");
     let candidates = Object.entries(parsed.pairs);
     if (options.prefix) {
       const prefix = options.prefix;
@@ -2964,7 +2979,7 @@ var ImportRunner = class {
 // src/recipients/index.ts
 import * as fs11 from "fs";
 import * as path13 from "path";
-import * as YAML6 from "yaml";
+import * as YAML7 from "yaml";
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -2988,11 +3003,11 @@ function toRecipient(entry) {
 function readManifestYaml(repoRoot) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
   const raw = fs11.readFileSync(manifestPath, "utf-8");
-  return YAML6.parse(raw);
+  return YAML7.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs11.writeFileSync(manifestPath, YAML6.stringify(doc), "utf-8");
+  fs11.writeFileSync(manifestPath, YAML7.stringify(doc), "utf-8");
 }
 function getRecipientsArray(doc) {
   const sops = doc.sops;
@@ -3227,7 +3242,7 @@ var RecipientManager = class {
 // src/recipients/requests.ts
 import * as fs12 from "fs";
 import * as path14 from "path";
-import * as YAML7 from "yaml";
+import * as YAML8 from "yaml";
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
@@ -3238,7 +3253,7 @@ function loadRequests(repoRoot) {
   try {
     if (!fs12.existsSync(filePath)) return [];
     const content = fs12.readFileSync(filePath, "utf-8");
-    const parsed = YAML7.parse(content);
+    const parsed = YAML8.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -3270,7 +3285,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML7.stringify(data), "utf-8");
+  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML8.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -3308,7 +3323,7 @@ function findInList(requests, identifier) {
 // src/drift/detector.ts
 import * as fs13 from "fs";
 import * as path15 from "path";
-import * as YAML8 from "yaml";
+import * as YAML9 from "yaml";
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -3395,7 +3410,7 @@ var DriftDetector = class {
     try {
       if (!fs13.existsSync(filePath)) return null;
       const raw = fs13.readFileSync(filePath, "utf-8");
-      const parsed = YAML8.parse(raw);
+      const parsed = YAML9.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
       return Object.keys(parsed).filter((k) => k !== "sops");
     } catch {
@@ -3407,7 +3422,7 @@ var DriftDetector = class {
 // src/report/generator.ts
 import * as fs14 from "fs";
 import * as path16 from "path";
-import * as YAML9 from "yaml";
+import * as YAML10 from "yaml";
 
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -3715,7 +3730,7 @@ var ReportGenerator = class {
     try {
       if (!fs14.existsSync(filePath)) return 0;
       const raw = fs14.readFileSync(filePath, "utf-8");
-      const parsed = YAML9.parse(raw);
+      const parsed = YAML10.parse(raw);
       if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
       return Object.keys(parsed).filter((k) => k !== "sops").length;
     } catch {
@@ -4052,7 +4067,7 @@ var SopsMergeDriver = class {
 import * as fs15 from "fs";
 import * as os from "os";
 import * as path17 from "path";
-import * as YAML10 from "yaml";
+import * as YAML11 from "yaml";
 var PartialRotationError = class extends Error {
   constructor(message, rotatedKeys) {
     super(message);
@@ -4105,7 +4120,7 @@ var ServiceIdentityManager = class {
     await this.registerRecipients(definition, manifest, repoRoot);
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     if (!Array.isArray(doc.service_identities)) {
       doc.service_identities = [];
     }
@@ -4117,7 +4132,7 @@ var ServiceIdentityManager = class {
     });
     const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmpCreate, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmpCreate, manifestPath);
     } finally {
       try {
@@ -4139,6 +4154,46 @@ var ServiceIdentityManager = class {
   get(manifest, name) {
     return manifest.service_identities?.find((si) => si.name === name);
   }
+  /**
+   * Delete a service identity: remove its recipients from scoped SOPS files
+   * and remove it from the manifest.
+   */
+  async delete(name, manifest, repoRoot) {
+    const identity = this.get(manifest, name);
+    if (!identity) {
+      throw new Error(`Service identity '${name}' not found.`);
+    }
+    const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    for (const cell of cells) {
+      if (!identity.namespaces.includes(cell.namespace)) continue;
+      const envConfig = identity.environments[cell.environment];
+      if (!envConfig?.recipient) continue;
+      if (isKmsEnvelope(envConfig)) continue;
+      try {
+        await this.encryption.removeRecipient(cell.filePath, envConfig.recipient);
+      } catch {
+      }
+    }
+    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
+    const doc = YAML11.parse(raw);
+    const identities = doc.service_identities;
+    if (Array.isArray(identities)) {
+      doc.service_identities = identities.filter(
+        (si) => si.name !== name
+      );
+    }
+    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    try {
+      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
+    } finally {
+      try {
+        fs15.unlinkSync(tmp);
+      } catch {
+      }
+    }
+  }
   /**
    * Update environment backends on an existing service identity.
    * Switches age → KMS (removes old recipient) or updates KMS config.
@@ -4151,7 +4206,7 @@ var ServiceIdentityManager = class {
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -4178,7 +4233,7 @@ var ServiceIdentityManager = class {
     }
     const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmp, manifestPath);
     } finally {
       try {
@@ -4220,7 +4275,7 @@ var ServiceIdentityManager = class {
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
     const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML10.parse(raw);
+    const doc = YAML11.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -4275,7 +4330,7 @@ var ServiceIdentityManager = class {
     }
     const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+      fs15.writeFileSync(tmpRotate, YAML11.stringify(doc), "utf-8");
       fs15.renameSync(tmpRotate, manifestPath);
     } finally {
       try {
@@ -4439,7 +4494,7 @@ var ArtifactPacker = class {
         const e = new Encrypter();
         e.addRecipient(ephemeralPublicKey);
         const encrypted = await e.encrypt(plaintext);
-        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
+        ciphertext = Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact with ephemeral key.");
       }
@@ -4469,7 +4524,7 @@ var ArtifactPacker = class {
         const e = new Encrypter();
         e.addRecipient(resolved.recipient);
         const encrypted = await e.encrypt(plaintext);
-        ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
+        ciphertext = Buffer.from(encrypted).toString("base64");
       } catch {
         throw new Error("Failed to age-encrypt artifact. Check recipient key.");
       }
@@ -4566,7 +4621,7 @@ export {
   markResolved,
   matchPatterns,
   metadataPath,
-  parse6 as parse,
+  parse7 as parse,
   parseDotenv,
   parseIgnoreContent,
   parseJson,