@clef-sh/core 0.1.8 → 0.1.9

package/dist/index.mjs

@@ -411,6 +411,12 @@ var ManifestParser = class {
           "namespaces"
         );
       }
+      if (!ENV_NAME_PATTERN.test(nsObj.name)) {
+        throw new ManifestValidationError(
+          `Namespace name '${nsObj.name}' is invalid. Names must start with a lowercase letter and contain only lowercase letters, digits, hyphens, and underscores.`,
+          "namespaces"
+        );
+      }
       if (!nsObj.description || typeof nsObj.description !== "string") {
         throw new ManifestValidationError(
           `Namespace '${nsObj.name}' is missing a 'description' string.`,
@@ -511,9 +517,9 @@ var ManifestParser = class {
           );
         }
         const siName = siObj.name;
-        if (!siObj.description || typeof siObj.description !== "string") {
+        if (siObj.description != null && typeof siObj.description !== "string") {
           throw new ManifestValidationError(
-            `Service identity '${siName}' is missing a 'description' string.`,
+            `Service identity '${siName}' has a non-string 'description'.`,
             "service_identities"
           );
         }
@@ -628,7 +634,7 @@ var ManifestParser = class {
         }
         return {
           name: siName,
-          description: siObj.description,
+          description: siObj.description ?? "",
           namespaces: siObj.namespaces,
           environments: parsedEnvs
         };
@@ -809,7 +815,11 @@ function matchesGlob(filePath, pattern) {
 
 // src/scanner/index.ts
 var ALWAYS_SKIP_EXTENSIONS = [".enc.yaml", ".enc.json"];
-var ALWAYS_SKIP_NAMES = [".clef-meta.yaml"];
+var ALWAYS_SKIP_NAMES = [
+  ".clef-meta.yaml",
+  ".sops.yaml"
+  // contains age public keys and KMS ARNs — configuration, not secrets
+];
 var ALWAYS_SKIP_DIRS = ["node_modules", ".git"];
 var MAX_FILE_SIZE = 1024 * 1024;
 var ScanRunner = class {
@@ -1010,9 +1020,9 @@ var ScanRunner = class {
 };
 
 // src/matrix/manager.ts
-import * as fs5 from "fs";
+import * as fs6 from "fs";
 import * as path4 from "path";
-import * as YAML3 from "yaml";
+import * as YAML4 from "yaml";
 
 // src/pending/metadata.ts
 import * as fs4 from "fs";
@@ -1102,6 +1112,20 @@ async function markPendingWithRetry(filePath, keys, setBy, retryDelayMs = 200) {
   }
 }
 
+// src/sops/keys.ts
+import * as fs5 from "fs";
+import * as YAML3 from "yaml";
+function readSopsKeyNames(filePath) {
+  try {
+    const raw = fs5.readFileSync(filePath, "utf-8");
+    const parsed = YAML3.parse(raw);
+    if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
+    return Object.keys(parsed).filter((k) => k !== "sops");
+  } catch {
+    return null;
+  }
+}
+
 // src/matrix/manager.ts
 var MatrixManager = class {
   /**
@@ -1121,7 +1145,7 @@ var MatrixManager = class {
           namespace: ns.name,
           environment: env.name,
           filePath,
-          exists: fs5.existsSync(filePath)
+          exists: fs6.existsSync(filePath)
         });
       }
     }
@@ -1145,8 +1169,8 @@ var MatrixManager = class {
    */
   async scaffoldCell(cell, sopsClient, manifest) {
     const dir = path4.dirname(cell.filePath);
-    if (!fs5.existsSync(dir)) {
-      fs5.mkdirSync(dir, { recursive: true });
+    if (!fs6.existsSync(dir)) {
+      fs6.mkdirSync(dir, { recursive: true });
     }
     await sopsClient.encrypt(cell.filePath, {}, manifest, cell.environment);
   }
@@ -1215,22 +1239,15 @@ var MatrixManager = class {
    * SOPS stores key names in plaintext — only values are encrypted.
    */
   readKeyNames(filePath) {
-    try {
-      const raw = fs5.readFileSync(filePath, "utf-8");
-      const parsed = YAML3.parse(raw);
-      if (!parsed || typeof parsed !== "object") return [];
-      return Object.keys(parsed).filter((k) => k !== "sops");
-    } catch {
-      return [];
-    }
+    return readSopsKeyNames(filePath) ?? [];
   }
   /**
    * Read the lastModified timestamp from SOPS metadata without decryption.
    */
   readLastModified(filePath) {
     try {
-      const raw = fs5.readFileSync(filePath, "utf-8");
-      const parsed = YAML3.parse(raw);
+      const raw = fs6.readFileSync(filePath, "utf-8");
+      const parsed = YAML4.parse(raw);
       const sops = parsed?.sops;
       if (sops?.lastmodified) return new Date(String(sops.lastmodified));
       return null;
@@ -1251,8 +1268,8 @@ var MatrixManager = class {
 };
 
 // src/schema/validator.ts
-import * as fs6 from "fs";
-import * as YAML4 from "yaml";
+import * as fs7 from "fs";
+import * as YAML5 from "yaml";
 var SchemaValidator = class {
   /**
    * Read and parse a YAML schema file from disk.
@@ -1264,13 +1281,13 @@ var SchemaValidator = class {
   loadSchema(filePath) {
     let raw;
     try {
-      raw = fs6.readFileSync(filePath, "utf-8");
+      raw = fs7.readFileSync(filePath, "utf-8");
     } catch {
       throw new SchemaLoadError(`Could not read schema file at '${filePath}'.`, filePath);
     }
     let parsed;
     try {
-      parsed = YAML4.parse(raw);
+      parsed = YAML5.parse(raw);
     } catch {
       throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
     }
@@ -1571,7 +1588,7 @@ ${details}`
 };
 
 // src/git/integration.ts
-import * as fs7 from "fs";
+import * as fs8 from "fs";
 import * as path7 from "path";
 var PRE_COMMIT_HOOK = `#!/bin/sh
 # Clef pre-commit hook \u2014 blocks commits of files missing SOPS encryption metadata
@@ -1780,14 +1797,14 @@ var GitIntegration = class {
     });
     const gitConfig = configResult.exitCode === 0 && configResult.stdout.trim().length > 0;
     const attrFilePath = path7.join(repoRoot, ".gitattributes");
-    const attrContent = fs7.existsSync(attrFilePath) ? fs7.readFileSync(attrFilePath, "utf-8") : "";
+    const attrContent = fs8.existsSync(attrFilePath) ? fs8.readFileSync(attrFilePath, "utf-8") : "";
     const gitattributes = attrContent.includes("merge=sops");
     return { gitConfig, gitattributes };
   }
   async ensureGitattributes(repoRoot) {
     const attrPath = path7.join(repoRoot, ".gitattributes");
     const mergeRule = "*.enc.yaml merge=sops\n*.enc.json merge=sops";
-    const existing = fs7.existsSync(attrPath) ? fs7.readFileSync(attrPath, "utf-8") : "";
+    const existing = fs8.existsSync(attrPath) ? fs8.readFileSync(attrPath, "utf-8") : "";
     if (existing.includes("merge=sops")) {
       return;
     }
@@ -1835,17 +1852,17 @@ ${mergeRule}
 };
 
 // src/sops/client.ts
-import * as fs10 from "fs";
+import * as fs11 from "fs";
 import * as net from "net";
 import { randomBytes as randomBytes2 } from "crypto";
-import * as YAML5 from "yaml";
+import * as YAML6 from "yaml";
 
 // src/sops/resolver.ts
-import * as fs9 from "fs";
+import * as fs10 from "fs";
 import * as path9 from "path";
 
 // src/sops/bundled.ts
-import * as fs8 from "fs";
+import * as fs9 from "fs";
 import * as path8 from "path";
 function tryBundled() {
   const platform = process.platform;
@@ -1860,7 +1877,7 @@ function tryBundled() {
     const packageMain = __require.resolve(`${packageName}/package.json`);
     const packageDir = path8.dirname(packageMain);
     const binPath = path8.join(packageDir, "bin", binName);
-    return fs8.existsSync(binPath) ? binPath : null;
+    return fs9.existsSync(binPath) ? binPath : null;
   } catch {
     return null;
   }
@@ -1884,7 +1901,7 @@ function resolveSopsPath() {
   const envPath = process.env.CLEF_SOPS_PATH?.trim();
   if (envPath) {
     validateSopsPath(envPath);
-    if (!fs9.existsSync(envPath)) {
+    if (!fs10.existsSync(envPath)) {
       throw new Error(`CLEF_SOPS_PATH points to '${envPath}' but the file does not exist.`);
     }
     cached = { path: envPath, source: "env" };
@@ -2092,7 +2109,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML5.parse(result.stdout) ?? {};
+      parsed = YAML6.parse(result.stdout) ?? {};
     } catch {
       throw new SopsDecryptionError(
         `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -2119,7 +2136,7 @@ var SopsClient = class {
   async encrypt(filePath, values, manifest, environment) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML5.stringify(values);
+    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML6.stringify(values);
     const args = this.buildEncryptArgs(filePath, manifest, environment);
     const env = this.buildSopsEnv();
     let inputArg;
@@ -2163,7 +2180,7 @@ var SopsClient = class {
       );
     }
     try {
-      fs10.writeFileSync(filePath, result.stdout);
+      fs11.writeFileSync(filePath, result.stdout);
     } catch {
       throw new SopsEncryptionError(`Failed to write encrypted data to '${filePath}'.`, filePath);
     }
@@ -2176,21 +2193,7 @@ var SopsClient = class {
    * @throws {@link SopsEncryptionError} On failure.
    */
   async reEncrypt(filePath, newKey) {
-    await assertSops(this.runner, this.sopsCommand);
-    const env = this.buildSopsEnv();
-    const result = await this.runner.run(
-      this.sopsCommand,
-      ["rotate", "-i", "--add-age", newKey, filePath],
-      {
-        ...env ? { env } : {}
-      }
-    );
-    if (result.exitCode !== 0) {
-      throw new SopsEncryptionError(
-        `Failed to re-encrypt '${filePath}': ${result.stderr.trim()}`,
-        filePath
-      );
-    }
+    await this.addRecipient(filePath, newKey);
   }
   /**
    * Add an age recipient to an existing SOPS file.
@@ -2293,7 +2296,7 @@ var SopsClient = class {
     if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
     let keyContent;
     try {
-      keyContent = this.ageKey ?? fs10.readFileSync(this.ageKeyFile, "utf-8");
+      keyContent = this.ageKey ?? fs11.readFileSync(this.ageKeyFile, "utf-8");
     } catch {
       return "key-not-found";
     }
@@ -2310,7 +2313,7 @@ var SopsClient = class {
   parseMetadataFromFile(filePath) {
     let content;
     try {
-      content = fs10.readFileSync(filePath, "utf-8");
+      content = fs11.readFileSync(filePath, "utf-8");
     } catch {
       throw new SopsDecryptionError(
         `Could not read file '${filePath}' to extract SOPS metadata.`,
@@ -2319,7 +2322,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML5.parse(content);
+      parsed = YAML6.parse(content);
     } catch {
       throw new SopsDecryptionError(
         `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -2751,7 +2754,7 @@ import * as path12 from "path";
 
 // src/import/parsers.ts
 import * as path11 from "path";
-import * as YAML6 from "yaml";
+import * as YAML7 from "yaml";
 function detectFormat(filePath, content) {
   const base = path11.basename(filePath);
   const ext = path11.extname(filePath).toLowerCase();
@@ -2775,7 +2778,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML6.parse(content);
+    const parsed = YAML7.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -2856,7 +2859,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML6.parse(content);
+    parsed = YAML7.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -2890,7 +2893,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse7(content, format, filePath) {
+function parse8(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -2923,7 +2926,7 @@ var ImportRunner = class {
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
-    const parsed = parse7(content, options.format ?? "auto", sourcePath ?? "");
+    const parsed = parse8(content, options.format ?? "auto", sourcePath ?? "");
     let candidates = Object.entries(parsed.pairs);
     if (options.prefix) {
       const prefix = options.prefix;
@@ -2977,9 +2980,9 @@ var ImportRunner = class {
 };
 
 // src/recipients/index.ts
-import * as fs11 from "fs";
+import * as fs12 from "fs";
 import * as path13 from "path";
-import * as YAML7 from "yaml";
+import * as YAML8 from "yaml";
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -3002,12 +3005,12 @@ function toRecipient(entry) {
 }
 function readManifestYaml(repoRoot) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  const raw = fs11.readFileSync(manifestPath, "utf-8");
-  return YAML7.parse(raw);
+  const raw = fs12.readFileSync(manifestPath, "utf-8");
+  return YAML8.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs11.writeFileSync(manifestPath, YAML7.stringify(doc), "utf-8");
+  fs12.writeFileSync(manifestPath, YAML8.stringify(doc), "utf-8");
 }
 function getRecipientsArray(doc) {
   const sops = doc.sops;
@@ -3108,7 +3111,7 @@ var RecipientManager = class {
       throw new Error(`Recipient '${keyPreview(normalizedKey)}' is already present.`);
     }
     const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const manifestBackup = fs11.readFileSync(manifestPath, "utf-8");
+    const manifestBackup = fs12.readFileSync(manifestPath, "utf-8");
     const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
     if (label) {
       recipients.push({ key: normalizedKey, label });
@@ -3123,16 +3126,16 @@ var RecipientManager = class {
     const fileBackups = /* @__PURE__ */ new Map();
     for (const cell of cells) {
       try {
-        fileBackups.set(cell.filePath, fs11.readFileSync(cell.filePath, "utf-8"));
+        fileBackups.set(cell.filePath, fs12.readFileSync(cell.filePath, "utf-8"));
         await this.encryption.addRecipient(cell.filePath, normalizedKey);
         reEncryptedFiles.push(cell.filePath);
       } catch {
         failedFiles.push(cell.filePath);
-        fs11.writeFileSync(manifestPath, manifestBackup, "utf-8");
+        fs12.writeFileSync(manifestPath, manifestBackup, "utf-8");
         for (const reEncryptedFile of reEncryptedFiles) {
           const backup = fileBackups.get(reEncryptedFile);
           if (backup) {
-            fs11.writeFileSync(reEncryptedFile, backup, "utf-8");
+            fs12.writeFileSync(reEncryptedFile, backup, "utf-8");
           }
         }
         const restoredDoc = readManifestYaml(repoRoot);
@@ -3186,7 +3189,7 @@ var RecipientManager = class {
     }
     const removedEntry = parsed[matchIndex];
     const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const manifestBackup = fs11.readFileSync(manifestPath, "utf-8");
+    const manifestBackup = fs12.readFileSync(manifestPath, "utf-8");
     const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
     recipients.splice(matchIndex, 1);
     writeManifestYaml(repoRoot, doc);
@@ -3197,16 +3200,16 @@ var RecipientManager = class {
     const fileBackups = /* @__PURE__ */ new Map();
     for (const cell of cells) {
       try {
-        fileBackups.set(cell.filePath, fs11.readFileSync(cell.filePath, "utf-8"));
+        fileBackups.set(cell.filePath, fs12.readFileSync(cell.filePath, "utf-8"));
         await this.encryption.removeRecipient(cell.filePath, trimmedKey);
         reEncryptedFiles.push(cell.filePath);
       } catch {
         failedFiles.push(cell.filePath);
-        fs11.writeFileSync(manifestPath, manifestBackup, "utf-8");
+        fs12.writeFileSync(manifestPath, manifestBackup, "utf-8");
         for (const reEncryptedFile of reEncryptedFiles) {
           const backup = fileBackups.get(reEncryptedFile);
           if (backup) {
-            fs11.writeFileSync(reEncryptedFile, backup, "utf-8");
+            fs12.writeFileSync(reEncryptedFile, backup, "utf-8");
           }
         }
         const restoredDoc = readManifestYaml(repoRoot);
@@ -3240,9 +3243,9 @@ var RecipientManager = class {
 };
 
 // src/recipients/requests.ts
-import * as fs12 from "fs";
+import * as fs13 from "fs";
 import * as path14 from "path";
-import * as YAML8 from "yaml";
+import * as YAML9 from "yaml";
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
@@ -3251,9 +3254,9 @@ function requestsFilePath(repoRoot) {
 function loadRequests(repoRoot) {
   const filePath = requestsFilePath(repoRoot);
   try {
-    if (!fs12.existsSync(filePath)) return [];
-    const content = fs12.readFileSync(filePath, "utf-8");
-    const parsed = YAML8.parse(content);
+    if (!fs13.existsSync(filePath)) return [];
+    const content = fs13.readFileSync(filePath, "utf-8");
+    const parsed = YAML9.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -3269,7 +3272,7 @@ function saveRequests(repoRoot, requests) {
   const filePath = requestsFilePath(repoRoot);
   if (requests.length === 0) {
     try {
-      fs12.unlinkSync(filePath);
+      fs13.unlinkSync(filePath);
     } catch {
     }
     return;
@@ -3285,7 +3288,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML8.stringify(data), "utf-8");
+  fs13.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -3321,9 +3324,7 @@ function findInList(requests, identifier) {
 }
 
 // src/drift/detector.ts
-import * as fs13 from "fs";
 import * as path15 from "path";
-import * as YAML9 from "yaml";
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -3351,45 +3352,30 @@ var DriftDetector = class {
     }
     const issues = [];
     let namespacesClean = 0;
+    const remoteEnvSet = new Set(remoteEnvNames);
+    const sharedEnvSet = new Set(localEnvNames.filter((e) => remoteEnvSet.has(e)));
     for (const ns of sharedNamespaces) {
-      const keyEnvs = /* @__PURE__ */ new Map();
-      const allEnvs = /* @__PURE__ */ new Set();
-      const localNsCells = localCells.filter((c) => c.namespace === ns);
-      for (const cell of localNsCells) {
-        const keys = this.readKeysFromFile(cell.filePath);
-        if (keys === null) continue;
-        allEnvs.add(cell.environment);
-        for (const key of keys) {
-          if (!keyEnvs.has(key)) keyEnvs.set(key, /* @__PURE__ */ new Set());
-          keyEnvs.get(key).add(cell.environment);
-        }
-      }
-      const remoteNsCells = remoteCells.filter((c) => c.namespace === ns);
-      for (const cell of remoteNsCells) {
-        const keys = this.readKeysFromFile(cell.filePath);
-        if (keys === null) continue;
-        allEnvs.add(cell.environment);
-        for (const key of keys) {
-          if (!keyEnvs.has(key)) keyEnvs.set(key, /* @__PURE__ */ new Set());
-          keyEnvs.get(key).add(cell.environment);
-        }
-      }
-      const envList = [...allEnvs];
+      const localKeyEnvs = this.collectKeyEnvs(localCells, ns, sharedEnvSet);
+      const remoteKeyEnvs = this.collectKeyEnvs(remoteCells, ns, sharedEnvSet);
       let nsClean = true;
-      for (const [key, envSet] of keyEnvs) {
-        const missingFrom = envList.filter((e) => !envSet.has(e));
-        if (missingFrom.length > 0) {
-          nsClean = false;
-          const presentIn = [...envSet].sort();
-          issues.push({
-            namespace: ns,
-            key,
-            presentIn,
-            missingFrom: missingFrom.sort(),
-            message: `Key '${key}' in namespace '${ns}' exists in [${presentIn.join(", ")}] but is missing from [${missingFrom.sort().join(", ")}]`
-          });
+      const reportDrift = (sourceMap, targetMap, direction) => {
+        for (const [key, sourceEnvs] of sourceMap) {
+          const targetEnvs = targetMap.get(key);
+          const missingFrom = [...sourceEnvs].filter((e) => !targetEnvs?.has(e)).sort();
+          if (missingFrom.length > 0) {
+            nsClean = false;
+            issues.push({
+              namespace: ns,
+              key,
+              presentIn: [...sourceEnvs].sort(),
+              missingFrom,
+              message: `Key '${key}' in namespace '${ns}' exists in ${direction} [${[...sourceEnvs].sort().join(", ")}] but is missing from [${missingFrom.join(", ")}]`
+            });
+          }
         }
-      }
+      };
+      reportDrift(remoteKeyEnvs, localKeyEnvs, "remote");
+      reportDrift(localKeyEnvs, remoteKeyEnvs, "local");
       if (nsClean) namespacesClean++;
     }
     return {
@@ -3400,29 +3386,23 @@ var DriftDetector = class {
       remoteEnvironments: remoteEnvNames
     };
   }
-  /**
-   * Read top-level key names from an encrypted SOPS YAML file,
-   * filtering out the `sops` metadata key.
-   *
-   * @returns Array of key names, or `null` if the file cannot be read.
-   */
-  readKeysFromFile(filePath) {
-    try {
-      if (!fs13.existsSync(filePath)) return null;
-      const raw = fs13.readFileSync(filePath, "utf-8");
-      const parsed = YAML9.parse(raw);
-      if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
-      return Object.keys(parsed).filter((k) => k !== "sops");
-    } catch {
-      return null;
+  collectKeyEnvs(cells, ns, sharedEnvSet) {
+    const keyEnvs = /* @__PURE__ */ new Map();
+    for (const cell of cells) {
+      if (cell.namespace !== ns || !sharedEnvSet.has(cell.environment)) continue;
+      const keys = readSopsKeyNames(cell.filePath);
+      if (keys === null) continue;
+      for (const key of keys) {
+        if (!keyEnvs.has(key)) keyEnvs.set(key, /* @__PURE__ */ new Set());
+        keyEnvs.get(key).add(cell.environment);
+      }
     }
+    return keyEnvs;
   }
 };
 
 // src/report/generator.ts
-import * as fs14 from "fs";
 import * as path16 from "path";
-import * as YAML10 from "yaml";
 
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -3727,15 +3707,7 @@ var ReportGenerator = class {
     };
   }
   readKeyCount(filePath) {
-    try {
-      if (!fs14.existsSync(filePath)) return 0;
-      const raw = fs14.readFileSync(filePath, "utf-8");
-      const parsed = YAML10.parse(raw);
-      if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
-      return Object.keys(parsed).filter((k) => k !== "sops").length;
-    } catch {
-      return 0;
-    }
+    return readSopsKeyNames(filePath)?.length ?? 0;
   }
   async buildPolicy(manifest, repoRoot) {
     try {
@@ -4064,10 +4036,10 @@ var SopsMergeDriver = class {
 };
 
 // src/service-identity/manager.ts
-import * as fs15 from "fs";
+import * as fs14 from "fs";
 import * as os from "os";
 import * as path17 from "path";
-import * as YAML11 from "yaml";
+import * as YAML10 from "yaml";
 var PartialRotationError = class extends Error {
   constructor(message, rotatedKeys) {
     super(message);
@@ -4119,8 +4091,8 @@ var ServiceIdentityManager = class {
     };
     await this.registerRecipients(definition, manifest, repoRoot);
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML11.parse(raw);
+    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
     if (!Array.isArray(doc.service_identities)) {
       doc.service_identities = [];
     }
@@ -4132,11 +4104,11 @@ var ServiceIdentityManager = class {
     });
     const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpCreate, YAML11.stringify(doc), "utf-8");
-      fs15.renameSync(tmpCreate, manifestPath);
+      fs14.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+      fs14.renameSync(tmpCreate, manifestPath);
     } finally {
       try {
-        fs15.unlinkSync(tmpCreate);
+        fs14.unlinkSync(tmpCreate);
       } catch {
       }
     }
@@ -4175,8 +4147,8 @@ var ServiceIdentityManager = class {
       }
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML11.parse(raw);
+    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     if (Array.isArray(identities)) {
       doc.service_identities = identities.filter(
@@ -4185,11 +4157,11 @@ var ServiceIdentityManager = class {
     }
     const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
-      fs15.renameSync(tmp, manifestPath);
+      fs14.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs14.renameSync(tmp, manifestPath);
     } finally {
       try {
-        fs15.unlinkSync(tmp);
+        fs14.unlinkSync(tmp);
       } catch {
       }
     }
@@ -4205,8 +4177,8 @@ var ServiceIdentityManager = class {
       throw new Error(`Service identity '${name}' not found.`);
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML11.parse(raw);
+    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -4233,11 +4205,11 @@ var ServiceIdentityManager = class {
     }
     const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
-      fs15.renameSync(tmp, manifestPath);
+      fs14.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs14.renameSync(tmp, manifestPath);
     } finally {
       try {
-        fs15.unlinkSync(tmp);
+        fs14.unlinkSync(tmp);
       } catch {
       }
     }
@@ -4274,8 +4246,8 @@ var ServiceIdentityManager = class {
       throw new Error(`Service identity '${name}' not found.`);
     }
     const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs15.readFileSync(manifestPath, "utf-8");
-    const doc = YAML11.parse(raw);
+    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
     const envs = siDoc.environments;
@@ -4330,11 +4302,11 @@ var ServiceIdentityManager = class {
     }
     const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs15.writeFileSync(tmpRotate, YAML11.stringify(doc), "utf-8");
-      fs15.renameSync(tmpRotate, manifestPath);
+      fs14.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+      fs14.renameSync(tmpRotate, manifestPath);
     } finally {
       try {
-        fs15.unlinkSync(tmpRotate);
+        fs14.unlinkSync(tmpRotate);
       } catch {
       }
     }
@@ -4455,7 +4427,7 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 }
 
 // src/artifact/packer.ts
-import * as fs16 from "fs";
+import * as fs15 from "fs";
 import * as path18 from "path";
 import * as crypto3 from "crypto";
 
@@ -4463,7 +4435,7 @@ import * as crypto3 from "crypto";
 import * as crypto2 from "crypto";
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v1",
+    "clef-sig-v2",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
@@ -4475,7 +4447,9 @@ function buildSigningPayload(artifact) {
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
     artifact.envelope?.wrappedKey ?? "",
-    artifact.envelope?.algorithm ?? ""
+    artifact.envelope?.algorithm ?? "",
+    artifact.envelope?.iv ?? "",
+    artifact.envelope?.authTag ?? ""
   ];
   return Buffer.from(fields.join("\n"), "utf-8");
 }
@@ -4569,40 +4543,41 @@ var ArtifactPacker = class {
       if (!this.kms) {
         throw new Error("KMS provider required for envelope encryption but none was provided.");
       }
-      const { generateIdentity, identityToRecipient, Encrypter } = await import(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic ESM import of CJS-incompatible package
-        "age-encryption"
-      );
-      const ephemeralPrivateKey = await generateIdentity();
-      const ephemeralPublicKey = await identityToRecipient(ephemeralPrivateKey);
+      const dek = crypto3.randomBytes(32);
+      const iv = crypto3.randomBytes(12);
       try {
-        const e = new Encrypter();
-        e.addRecipient(ephemeralPublicKey);
-        const encrypted = await e.encrypt(plaintext);
-        ciphertext = Buffer.from(encrypted).toString("base64");
-      } catch {
-        throw new Error("Failed to age-encrypt artifact with ephemeral key.");
+        const cipher = crypto3.createCipheriv("aes-256-gcm", dek, iv);
+        const ciphertextBuf = Buffer.concat([
+          cipher.update(Buffer.from(plaintext, "utf-8")),
+          cipher.final()
+        ]);
+        const authTag = cipher.getAuthTag();
+        ciphertext = ciphertextBuf.toString("base64");
+        const kmsConfig = resolved.envConfig.kms;
+        const wrapped = await this.kms.wrap(kmsConfig.keyId, dek);
+        const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
+        const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+        artifact = {
+          version: 1,
+          identity: config.identity,
+          environment: config.environment,
+          packedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          revision,
+          ciphertextHash,
+          ciphertext,
+          keys: Object.keys(resolved.values),
+          envelope: {
+            provider: kmsConfig.provider,
+            keyId: kmsConfig.keyId,
+            wrappedKey: wrapped.wrappedKey.toString("base64"),
+            algorithm: wrapped.algorithm,
+            iv: iv.toString("base64"),
+            authTag: authTag.toString("base64")
+          }
+        };
+      } finally {
+        dek.fill(0);
       }
-      const kmsConfig = resolved.envConfig.kms;
-      const wrapped = await this.kms.wrap(kmsConfig.keyId, Buffer.from(ephemeralPrivateKey));
-      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
-      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
-      artifact = {
-        version: 1,
-        identity: config.identity,
-        environment: config.environment,
-        packedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        revision,
-        ciphertextHash,
-        ciphertext,
-        keys: Object.keys(resolved.values),
-        envelope: {
-          provider: kmsConfig.provider,
-          keyId: kmsConfig.keyId,
-          wrappedKey: wrapped.wrappedKey.toString("base64"),
-          algorithm: wrapped.algorithm
-        }
-      };
     } else {
       try {
         const { Encrypter } = await import("age-encryption");
@@ -4610,8 +4585,10 @@ var ArtifactPacker = class {
         e.addRecipient(resolved.recipient);
         const encrypted = await e.encrypt(plaintext);
         ciphertext = Buffer.from(encrypted).toString("base64");
-      } catch {
-        throw new Error("Failed to age-encrypt artifact. Check recipient key.");
+      } catch (err) {
+        throw new Error(
+          `Failed to age-encrypt artifact: ${err instanceof Error ? err.message : String(err)}`
+        );
       }
       const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
       const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
@@ -4627,8 +4604,8 @@ var ArtifactPacker = class {
       };
     }
     const outputDir = path18.dirname(config.outputPath);
-    if (!fs16.existsSync(outputDir)) {
-      fs16.mkdirSync(outputDir, { recursive: true });
+    if (!fs15.existsSync(outputDir)) {
+      fs15.mkdirSync(outputDir, { recursive: true });
     }
     if (config.ttl && config.ttl > 0) {
       artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
@@ -4647,8 +4624,8 @@ var ArtifactPacker = class {
     }
     const json = JSON.stringify(artifact, null, 2);
     const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
-    fs16.writeFileSync(tmpOutput, json, "utf-8");
-    fs16.renameSync(tmpOutput, config.outputPath);
+    fs15.writeFileSync(tmpOutput, json, "utf-8");
+    fs15.renameSync(tmpOutput, config.outputPath);
     return {
       outputPath: config.outputPath,
       namespaceCount: resolved.identity.namespaces.length,
@@ -4658,6 +4635,9 @@ var ArtifactPacker = class {
     };
   }
 };
+
+// src/kms/types.ts
+var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
 export {
   ArtifactPacker,
   BulkOps,
@@ -4695,6 +4675,7 @@ export {
   SopsMergeDriver,
   SopsMissingError,
   SopsVersionError,
+  VALID_KMS_PROVIDERS,
   assertSops,
   buildSigningPayload,
   checkAll,
@@ -4721,7 +4702,7 @@ export {
   markResolved,
   matchPatterns,
   metadataPath,
-  parse7 as parse,
+  parse8 as parse,
   parseDotenv,
   parseIgnoreContent,
   parseJson,