@clef-sh/runtime 0.1.6-beta.32

package/dist/decrypt.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Decrypts age-encrypted ciphertext using the age-encryption npm package.
+ *
+ * Follows the same dynamic import pattern as the bundle runtime to handle
+ * the ESM-only age-encryption package from CJS context.
+ */
+export declare class AgeDecryptor {
+    /**
+     * Decrypt an age-encrypted PEM-armored ciphertext string.
+     *
+     * @param ciphertext - PEM-armored age ciphertext.
+     * @param privateKey - Age private key string (AGE-SECRET-KEY-...).
+     * @returns The decrypted plaintext string.
+     */
+    decrypt(ciphertext: string, privateKey: string): Promise<string>;
+    /**
+     * Resolve the age private key from either an inline value or a file path.
+     *
+     * @param ageKey - Inline age private key, if set.
+     * @param ageKeyFile - Path to age key file, if set.
+     * @returns The age private key string.
+     */
+    resolveKey(ageKey?: string, ageKeyFile?: string): string;
+}
+//# sourceMappingURL=decrypt.d.ts.map

package/dist/decrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,qBAAa,YAAY;IACvB;;;;;;OAMG;IACG,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQtE;;;;;;OAMG;IACH,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM;CAazD"}

package/dist/decrypt.js

@@ -0,0 +1,82 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgeDecryptor = void 0;
+const fs = __importStar(require("fs"));
+/**
+ * Decrypts age-encrypted ciphertext using the age-encryption npm package.
+ *
+ * Follows the same dynamic import pattern as the bundle runtime to handle
+ * the ESM-only age-encryption package from CJS context.
+ */
+class AgeDecryptor {
+    /**
+     * Decrypt an age-encrypted PEM-armored ciphertext string.
+     *
+     * @param ciphertext - PEM-armored age ciphertext.
+     * @param privateKey - Age private key string (AGE-SECRET-KEY-...).
+     * @returns The decrypted plaintext string.
+     */
+    async decrypt(ciphertext, privateKey) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic ESM import of CJS-incompatible package
+        const { Decrypter } = await Promise.resolve(`${"age-encryption"}`).then(s => __importStar(require(s)));
+        const d = new Decrypter();
+        d.addIdentity(privateKey);
+        return d.decrypt(ciphertext, "text");
+    }
+    /**
+     * Resolve the age private key from either an inline value or a file path.
+     *
+     * @param ageKey - Inline age private key, if set.
+     * @param ageKeyFile - Path to age key file, if set.
+     * @returns The age private key string.
+     */
+    resolveKey(ageKey, ageKeyFile) {
+        if (ageKey)
+            return ageKey.trim();
+        if (ageKeyFile) {
+            const content = fs.readFileSync(ageKeyFile, "utf-8").trim();
+            // age key files can contain comments — extract the actual key line
+            const lines = content.split("\n").filter((l) => l.startsWith("AGE-SECRET-KEY-"));
+            if (lines.length === 0) {
+                throw new Error(`No age secret key found in file: ${ageKeyFile}`);
+            }
+            return lines[0].trim();
+        }
+        throw new Error("No age key available. Set CLEF_AGE_KEY or CLEF_AGE_KEY_FILE.");
+    }
+}
+exports.AgeDecryptor = AgeDecryptor;
+//# sourceMappingURL=decrypt.js.map

package/dist/decrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB;;;;;GAKG;AACH,MAAa,YAAY;IACvB;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,UAAkB,EAAE,UAAkB;QAClD,gHAAgH;QAChH,MAAM,EAAE,SAAS,EAAE,GAAG,yBAAa,gBAAuB,uCAAC,CAAC;QAC5D,MAAM,CAAC,GAAG,IAAI,SAAS,EAAE,CAAC;QAC1B,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED;;;;;;OAMG;IACH,UAAU,CAAC,MAAe,EAAE,UAAmB;QAC7C,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,mEAAmE;YACnE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC;YACjF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,UAAU,EAAE,CAAC,CAAC;YACpE,CAAC;YACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;CACF;AApCD,oCAoCC"}

package/dist/disk-cache.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Disk-based cache for artifact fallback.
+ *
+ * Writes artifact JSON and metadata to disk so the runtime can recover
+ * from VCS API failures by falling back to the last known good artifact.
+ */
+export declare class DiskCache {
+    private readonly artifactPath;
+    private readonly metaPath;
+    constructor(cachePath: string, identity: string, environment: string);
+    /** Write an artifact and optional metadata to disk (atomic via tmp+rename). */
+    write(raw: string, sha?: string): void;
+    /** Read the cached artifact. Returns null if no cache file exists. */
+    read(): string | null;
+    /** Get the SHA from the cached metadata, if available. */
+    getCachedSha(): string | undefined;
+    /** Get the fetchedAt timestamp from metadata, if available. */
+    getFetchedAt(): string | undefined;
+    /** Remove cached artifact and metadata files. */
+    purge(): void;
+}
+//# sourceMappingURL=disk-cache.d.ts.map

package/dist/disk-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"disk-cache.d.ts","sourceRoot":"","sources":["../src/disk-cache.ts"],"names":[],"mappings":"AAQA;;;;;GAKG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM;IAMpE,+EAA+E;IAC/E,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI;IActC,sEAAsE;IACtE,IAAI,IAAI,MAAM,GAAG,IAAI;IAQrB,0DAA0D;IAC1D,YAAY,IAAI,MAAM,GAAG,SAAS;IAUlC,+DAA+D;IAC/D,YAAY,IAAI,MAAM,GAAG,SAAS;IAUlC,iDAAiD;IACjD,KAAK,IAAI,IAAI;CAYd"}

package/dist/disk-cache.js

@@ -0,0 +1,113 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DiskCache = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/**
+ * Disk-based cache for artifact fallback.
+ *
+ * Writes artifact JSON and metadata to disk so the runtime can recover
+ * from VCS API failures by falling back to the last known good artifact.
+ */
+class DiskCache {
+    artifactPath;
+    metaPath;
+    constructor(cachePath, identity, environment) {
+        const dir = path.join(cachePath, identity);
+        this.artifactPath = path.join(dir, `${environment}.age.json`);
+        this.metaPath = path.join(dir, `${environment}.meta`);
+    }
+    /** Write an artifact and optional metadata to disk (atomic via tmp+rename). */
+    write(raw, sha) {
+        const dir = path.dirname(this.artifactPath);
+        fs.mkdirSync(dir, { recursive: true });
+        const tmpArtifact = `${this.artifactPath}.tmp.${process.pid}`;
+        fs.writeFileSync(tmpArtifact, raw, "utf-8");
+        fs.renameSync(tmpArtifact, this.artifactPath);
+        const meta = { sha, fetchedAt: new Date().toISOString() };
+        const tmpMeta = `${this.metaPath}.tmp.${process.pid}`;
+        fs.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
+        fs.renameSync(tmpMeta, this.metaPath);
+    }
+    /** Read the cached artifact. Returns null if no cache file exists. */
+    read() {
+        try {
+            return fs.readFileSync(this.artifactPath, "utf-8");
+        }
+        catch {
+            return null;
+        }
+    }
+    /** Get the SHA from the cached metadata, if available. */
+    getCachedSha() {
+        try {
+            const raw = fs.readFileSync(this.metaPath, "utf-8");
+            const meta = JSON.parse(raw);
+            return meta.sha;
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /** Get the fetchedAt timestamp from metadata, if available. */
+    getFetchedAt() {
+        try {
+            const raw = fs.readFileSync(this.metaPath, "utf-8");
+            const meta = JSON.parse(raw);
+            return meta.fetchedAt;
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /** Remove cached artifact and metadata files. */
+    purge() {
+        try {
+            fs.unlinkSync(this.artifactPath);
+        }
+        catch {
+            // ENOENT is fine
+        }
+        try {
+            fs.unlinkSync(this.metaPath);
+        }
+        catch {
+            // ENOENT is fine
+        }
+    }
+}
+exports.DiskCache = DiskCache;
+//# sourceMappingURL=disk-cache.js.map

package/dist/disk-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"disk-cache.js","sourceRoot":"","sources":["../src/disk-cache.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAO7B;;;;;GAKG;AACH,MAAa,SAAS;IACH,YAAY,CAAS;IACrB,QAAQ,CAAS;IAElC,YAAY,SAAiB,EAAE,QAAgB,EAAE,WAAmB;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,WAAW,CAAC,CAAC;QAC9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,GAAW,EAAE,GAAY;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEvC,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,YAAY,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9D,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC5C,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAE9C,MAAM,IAAI,GAAkB,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACzE,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,QAAQ,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QACzD,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,sEAAsE;IACtE,IAAI;QACF,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,YAAY;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,IAAI,GAAkB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;YAC7D,OAAO,IAAI,CAAC,GAAG,CAAC;QAClB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,YAAY;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,IAAI,GAAkB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;YAC7D,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,KAAK;QACH,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;QACD,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC;CACF;AArED,8BAqEC"}

package/dist/index.d.ts

@@ -0,0 +1,96 @@
+export { SecretsCache } from "./secrets-cache";
+export { DiskCache } from "./disk-cache";
+export { AgeDecryptor } from "./decrypt";
+export { ArtifactPoller } from "./poller";
+export type { PollerOptions, ArtifactEnvelope } from "./poller";
+export { TelemetryEmitter } from "./telemetry";
+export type { TelemetryOptions, TelemetryEvent, AgentStartedEvent, AgentStoppedEvent, ArtifactRefreshedEvent, ArtifactRevokedEvent, ArtifactExpiredEvent, FetchFailedEvent, CacheExpiredEvent, ArtifactInvalidEvent, } from "./telemetry";
+export type { VcsProvider, VcsProviderConfig, VcsFileResult } from "./vcs/types";
+export { GitHubProvider } from "./vcs/github";
+export { GitLabProvider } from "./vcs/gitlab";
+export { BitbucketProvider } from "./vcs/bitbucket";
+export { createVcsProvider } from "./vcs/index";
+export type { KmsProvider, KmsWrapResult, KmsProviderType } from "./kms";
+export { AwsKmsProvider } from "./kms";
+export { createKmsProvider } from "./kms";
+export type { ArtifactSource, ArtifactFetchResult } from "./sources/types";
+export { HttpArtifactSource } from "./sources/http";
+export { FileArtifactSource } from "./sources/file";
+export { VcsArtifactSource } from "./sources/vcs";
+import { SecretsCache } from "./secrets-cache";
+import { ArtifactPoller } from "./poller";
+import { TelemetryEmitter } from "./telemetry";
+/**
+ * Configuration for {@link ClefRuntime}.
+ *
+ * Supply **either** VCS fields (`provider`, `repo`, `token`, `identity`, `environment`)
+ * **or** a `source` URL/path. VCS is the recommended approach — the runtime fetches
+ * packed artifacts directly from your git repository via the provider API.
+ */
+export interface RuntimeConfig {
+    /** VCS platform: `"github"`, `"gitlab"`, or `"bitbucket"`. */
+    provider?: "github" | "gitlab" | "bitbucket";
+    /** Repository identifier, e.g. `"org/secrets"`. */
+    repo?: string;
+    /** Service identity name as declared in `clef.yaml`. */
+    identity?: string;
+    /** Target environment (e.g. `"production"`). */
+    environment?: string;
+    /** VCS authentication token (GitHub PAT, GitLab PAT, Bitbucket app password). */
+    token?: string;
+    /** Git ref — branch, tag, or commit SHA. Defaults to the repo's default branch. */
+    ref?: string;
+    /** Custom VCS API base URL for self-hosted instances. */
+    apiUrl?: string;
+    /** HTTP URL or local file path to a packed artifact (alternative to VCS). */
+    source?: string;
+    /** Inline age private key (`AGE-SECRET-KEY-...`). */
+    ageKey?: string;
+    /** Path to an age key file. */
+    ageKeyFile?: string;
+    /** Disk cache directory. Enables fallback to the last fetched artifact on VCS failure. */
+    cachePath?: string;
+    /** Max seconds the runtime serves secrets without a successful refresh. */
+    cacheTtl?: number;
+    /** Optional telemetry emitter for event reporting. */
+    telemetry?: TelemetryEmitter;
+}
+/**
+ * High-level runtime for fetching and caching secrets.
+ *
+ * Supports VCS providers (GitHub, GitLab, Bitbucket), HTTP URLs, and
+ * local file sources. Decrypts age-encrypted artifacts and serves
+ * secrets from an in-memory cache with optional background polling.
+ */
+export declare class ClefRuntime {
+    private readonly cache;
+    private readonly poller;
+    private readonly config;
+    constructor(config: RuntimeConfig);
+    /** Initial fetch + decrypt. Must be called before get/getAll. */
+    start(): Promise<void>;
+    /** Start background polling. Schedule is derived from artifact expiresAt or cacheTtl. */
+    startPolling(): void;
+    /** Stop background polling. */
+    stopPolling(): void;
+    /** Get a single secret value by key. */
+    get(key: string): string | undefined;
+    /** Get all secrets as key-value map. */
+    getAll(): Record<string, string>;
+    /** Alias for getAll() — convenience for env injection. */
+    env(): Record<string, string>;
+    /** List available key names. */
+    keys(): string[];
+    /** Current artifact revision. */
+    get revision(): string;
+    /** Whether secrets have been loaded. */
+    get ready(): boolean;
+    /** Get the underlying poller (for agent integration). */
+    getPoller(): ArtifactPoller;
+    /** Get the underlying cache (for agent integration). */
+    getCache(): SecretsCache;
+    private resolveSource;
+}
+/** Convenience one-shot function (no polling). Initializes and returns a ready runtime. */
+export declare function init(config: RuntimeConfig): Promise<ClefRuntime>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAGhE,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,YAAY,EACV,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAGrB,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGhD,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG1C,YAAY,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAG/C,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAM1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;IAC7C,mDAAmD;IACnD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,6EAA6E;IAC7E,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,0FAA0F;IAC1F,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,sDAAsD;IACtD,SAAS,CAAC,EAAE,gBAAgB,CAAC;CAC9B;AAED;;;;;;GAMG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;gBAE3B,MAAM,EAAE,aAAa;IA+BjC,iEAAiE;IAC3D,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B,yFAAyF;IACzF,YAAY,IAAI,IAAI;IAIpB,+BAA+B;IAC/B,WAAW,IAAI,IAAI;IAInB,wCAAwC;IACxC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAIpC,wCAAwC;IACxC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAIhC,0DAA0D;IAC1D,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAI7B,gCAAgC;IAChC,IAAI,IAAI,MAAM,EAAE;IAIhB,iCAAiC;IACjC,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,wCAAwC;IACxC,IAAI,KAAK,IAAI,OAAO,CAEnB;IAED,yDAAyD;IACzD,SAAS,IAAI,cAAc;IAI3B,wDAAwD;IACxD,QAAQ,IAAI,YAAY;IAIxB,OAAO,CAAC,aAAa;CA0CtB;AAED,2FAA2F;AAC3F,wBAAsB,IAAI,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,CAItE"}

package/dist/index.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClefRuntime = exports.VcsArtifactSource = exports.FileArtifactSource = exports.HttpArtifactSource = exports.createKmsProvider = exports.AwsKmsProvider = exports.createVcsProvider = exports.BitbucketProvider = exports.GitLabProvider = exports.GitHubProvider = exports.TelemetryEmitter = exports.ArtifactPoller = exports.AgeDecryptor = exports.DiskCache = exports.SecretsCache = void 0;
+exports.init = init;
+// Core modules
+var secrets_cache_1 = require("./secrets-cache");
+Object.defineProperty(exports, "SecretsCache", { enumerable: true, get: function () { return secrets_cache_1.SecretsCache; } });
+var disk_cache_1 = require("./disk-cache");
+Object.defineProperty(exports, "DiskCache", { enumerable: true, get: function () { return disk_cache_1.DiskCache; } });
+var decrypt_1 = require("./decrypt");
+Object.defineProperty(exports, "AgeDecryptor", { enumerable: true, get: function () { return decrypt_1.AgeDecryptor; } });
+var poller_1 = require("./poller");
+Object.defineProperty(exports, "ArtifactPoller", { enumerable: true, get: function () { return poller_1.ArtifactPoller; } });
+// Telemetry
+var telemetry_1 = require("./telemetry");
+Object.defineProperty(exports, "TelemetryEmitter", { enumerable: true, get: function () { return telemetry_1.TelemetryEmitter; } });
+var github_1 = require("./vcs/github");
+Object.defineProperty(exports, "GitHubProvider", { enumerable: true, get: function () { return github_1.GitHubProvider; } });
+var gitlab_1 = require("./vcs/gitlab");
+Object.defineProperty(exports, "GitLabProvider", { enumerable: true, get: function () { return gitlab_1.GitLabProvider; } });
+var bitbucket_1 = require("./vcs/bitbucket");
+Object.defineProperty(exports, "BitbucketProvider", { enumerable: true, get: function () { return bitbucket_1.BitbucketProvider; } });
+var index_1 = require("./vcs/index");
+Object.defineProperty(exports, "createVcsProvider", { enumerable: true, get: function () { return index_1.createVcsProvider; } });
+var kms_1 = require("./kms");
+Object.defineProperty(exports, "AwsKmsProvider", { enumerable: true, get: function () { return kms_1.AwsKmsProvider; } });
+var kms_2 = require("./kms");
+Object.defineProperty(exports, "createKmsProvider", { enumerable: true, get: function () { return kms_2.createKmsProvider; } });
+var http_1 = require("./sources/http");
+Object.defineProperty(exports, "HttpArtifactSource", { enumerable: true, get: function () { return http_1.HttpArtifactSource; } });
+var file_1 = require("./sources/file");
+Object.defineProperty(exports, "FileArtifactSource", { enumerable: true, get: function () { return file_1.FileArtifactSource; } });
+var vcs_1 = require("./sources/vcs");
+Object.defineProperty(exports, "VcsArtifactSource", { enumerable: true, get: function () { return vcs_1.VcsArtifactSource; } });
+// High-level API
+const secrets_cache_2 = require("./secrets-cache");
+const disk_cache_2 = require("./disk-cache");
+const decrypt_2 = require("./decrypt");
+const poller_2 = require("./poller");
+const index_2 = require("./vcs/index");
+const vcs_2 = require("./sources/vcs");
+const http_2 = require("./sources/http");
+const file_2 = require("./sources/file");
+/**
+ * High-level runtime for fetching and caching secrets.
+ *
+ * Supports VCS providers (GitHub, GitLab, Bitbucket), HTTP URLs, and
+ * local file sources. Decrypts age-encrypted artifacts and serves
+ * secrets from an in-memory cache with optional background polling.
+ */
+class ClefRuntime {
+    cache = new secrets_cache_2.SecretsCache();
+    poller;
+    config;
+    constructor(config) {
+        this.config = config;
+        // Age key is optional — KMS envelope artifacts don't need one
+        let privateKey;
+        try {
+            const decryptor = new decrypt_2.AgeDecryptor();
+            privateKey = decryptor.resolveKey(config.ageKey, config.ageKeyFile);
+        }
+        catch {
+            // OK — will work if artifact uses KMS envelope encryption
+        }
+        const source = this.resolveSource(config);
+        const diskCache = config.cachePath
+            ? new disk_cache_2.DiskCache(config.cachePath, config.identity ?? "default", config.environment ?? "default")
+            : undefined;
+        this.poller = new poller_2.ArtifactPoller({
+            source,
+            privateKey,
+            cache: this.cache,
+            diskCache,
+            cacheTtl: config.cacheTtl,
+            telemetry: config.telemetry,
+        });
+    }
+    /** Initial fetch + decrypt. Must be called before get/getAll. */
+    async start() {
+        await this.poller.fetchAndDecrypt();
+    }
+    /** Start background polling. Schedule is derived from artifact expiresAt or cacheTtl. */
+    startPolling() {
+        this.poller.startPolling();
+    }
+    /** Stop background polling. */
+    stopPolling() {
+        this.poller.stop();
+    }
+    /** Get a single secret value by key. */
+    get(key) {
+        return this.cache.get(key);
+    }
+    /** Get all secrets as key-value map. */
+    getAll() {
+        return this.cache.getAll() ?? {};
+    }
+    /** Alias for getAll() — convenience for env injection. */
+    env() {
+        return this.getAll();
+    }
+    /** List available key names. */
+    keys() {
+        return this.cache.getKeys();
+    }
+    /** Current artifact revision. */
+    get revision() {
+        return this.cache.getRevision() ?? "";
+    }
+    /** Whether secrets have been loaded. */
+    get ready() {
+        return this.cache.isReady();
+    }
+    /** Get the underlying poller (for agent integration). */
+    getPoller() {
+        return this.poller;
+    }
+    /** Get the underlying cache (for agent integration). */
+    getCache() {
+        return this.cache;
+    }
+    resolveSource(config) {
+        // VCS source
+        const vcsFields = {
+            provider: config.provider,
+            repo: config.repo,
+            token: config.token,
+            identity: config.identity,
+            environment: config.environment,
+        };
+        const presentVcs = Object.entries(vcsFields).filter(([, v]) => !!v);
+        const missingVcs = Object.entries(vcsFields).filter(([, v]) => !v);
+        if (presentVcs.length > 0 && missingVcs.length > 0) {
+            const missing = missingVcs.map(([k]) => k).join(", ");
+            throw new Error(`Partial VCS config detected. Missing: ${missing}. Provide all VCS fields (provider, repo, token, identity, environment) or use a source URL/path instead.`);
+        }
+        if (presentVcs.length === Object.keys(vcsFields).length) {
+            const provider = (0, index_2.createVcsProvider)({
+                provider: config.provider,
+                repo: config.repo,
+                token: config.token,
+                ref: config.ref,
+                apiUrl: config.apiUrl,
+            });
+            return new vcs_2.VcsArtifactSource(provider, config.identity, config.environment);
+        }
+        // HTTP or file source
+        if (config.source) {
+            if (config.source.startsWith("http://") || config.source.startsWith("https://")) {
+                return new http_2.HttpArtifactSource(config.source);
+            }
+            return new file_2.FileArtifactSource(config.source);
+        }
+        throw new Error("No artifact source configured. Provide VCS config (provider, repo, token, identity, environment) or a source URL/path.");
+    }
+}
+exports.ClefRuntime = ClefRuntime;
+/** Convenience one-shot function (no polling). Initializes and returns a ready runtime. */
+async function init(config) {
+    const runtime = new ClefRuntime(config);
+    await runtime.start();
+    return runtime;
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AA2OA,oBAIC;AA/OD,eAAe;AACf,iDAA+C;AAAtC,6GAAA,YAAY,OAAA;AACrB,2CAAyC;AAAhC,uGAAA,SAAS,OAAA;AAClB,qCAAyC;AAAhC,uGAAA,YAAY,OAAA;AACrB,mCAA0C;AAAjC,wGAAA,cAAc,OAAA;AAGvB,YAAY;AACZ,yCAA+C;AAAtC,6GAAA,gBAAgB,OAAA;AAgBzB,uCAA8C;AAArC,wGAAA,cAAc,OAAA;AACvB,uCAA8C;AAArC,wGAAA,cAAc,OAAA;AACvB,6CAAoD;AAA3C,8GAAA,iBAAiB,OAAA;AAC1B,qCAAgD;AAAvC,0GAAA,iBAAiB,OAAA;AAI1B,6BAAuC;AAA9B,qGAAA,cAAc,OAAA;AACvB,6BAA0C;AAAjC,wGAAA,iBAAiB,OAAA;AAI1B,uCAAoD;AAA3C,0GAAA,kBAAkB,OAAA;AAC3B,uCAAoD;AAA3C,0GAAA,kBAAkB,OAAA;AAC3B,qCAAkD;AAAzC,wGAAA,iBAAiB,OAAA;AAE1B,iBAAiB;AACjB,mDAA+C;AAC/C,6CAAyC;AACzC,uCAAyC;AACzC,qCAA0C;AAC1C,uCAAgD;AAChD,uCAAkD;AAClD,yCAAoD;AACpD,yCAAoD;AA4CpD;;;;;;GAMG;AACH,MAAa,WAAW;IACL,KAAK,GAAG,IAAI,4BAAY,EAAE,CAAC;IAC3B,MAAM,CAAiB;IACvB,MAAM,CAAgB;IAEvC,YAAY,MAAqB;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,8DAA8D;QAC9D,IAAI,UAA8B,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,sBAAY,EAAE,CAAC;YACrC,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS;YAChC,CAAC,CAAC,IAAI,sBAAS,CACX,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,QAAQ,IAAI,SAAS,EAC5B,MAAM,CAAC,WAAW,IAAI,SAAS,CAChC;YACH,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAc,CAAC;YAC/B,MAAM;YACN,UAAU;YACV,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;IACtC,CAAC;IAED,yFAAyF;IACzF,YAAY;QACV,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;IAC7B,CAAC;IAED,+BAA+B;IAC/B,WAAW;QACT,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACrB,CAAC;IAED,wCAAwC;IACxC,GAAG,CAAC,GAAW;QACb,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,wCAAwC;IACxC,MAAM;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,0DAA0D;IAC1D,GAAG;QACD,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IAED,gCAAgC;IAChC,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;IACxC,CAAC;IAED,wCAAwC;IACxC,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED,yDAAyD;IACzD,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,wDAAwD;IACxD,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAEO,aAAa,CAAC,MAAqB;QACzC,aAAa;QACb,MAAM,SAAS,GAAG;YAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,IAAI,KAAK,CACb,yCAAyC,OAAO,2GAA2G,CAC5J,CAAC;QACJ,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,QAAQ,GAAG,IAAA,yBAAiB,EAAC;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAS;gBAC1B,IAAI,EAAE,MAAM,CAAC,IAAK;gBAClB,KAAK,EAAE,MAAM,CAAC,KAAM;gBACpB,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;YACH,OAAO,IAAI,uBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAS,EAAE,MAAM,CAAC,WAAY,CAAC,CAAC;QAChF,CAAC;QAED,sBAAsB;QACtB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChF,OAAO,IAAI,yBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/C,CAAC;YACD,OAAO,IAAI,yBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,KAAK,CACb,wHAAwH,CACzH,CAAC;IACJ,CAAC;CACF;AArID,kCAqIC;AAED,2FAA2F;AACpF,KAAK,UAAU,IAAI,CAAC,MAAqB;IAC9C,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACtB,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/kms/aws.d.ts

@@ -0,0 +1,15 @@
+import { KmsProvider, KmsWrapResult } from "./types";
+/**
+ * AWS KMS provider for envelope encryption.
+ * Dynamically imports `@aws-sdk/client-kms` — the SDK is an optional dependency.
+ */
+export declare class AwsKmsProvider implements KmsProvider {
+    private client;
+    private sdk;
+    private readonly region?;
+    constructor(region?: string);
+    private ensureClient;
+    wrap(keyId: string, plaintext: Buffer): Promise<KmsWrapResult>;
+    unwrap(keyId: string, wrappedKey: Buffer, algorithm: string): Promise<Buffer>;
+}
+//# sourceMappingURL=aws.d.ts.map

package/dist/kms/aws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/kms/aws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAErD;;;GAGG;AACH,qBAAa,cAAe,YAAW,WAAW;IAEhD,OAAO,CAAC,MAAM,CAAM;IAEpB,OAAO,CAAC,GAAG,CAAM;IACjB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;gBAErB,MAAM,CAAC,EAAE,MAAM;YAIb,YAAY;IAYpB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmB9D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAepF"}

package/dist/kms/aws.js

@@ -0,0 +1,92 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsKmsProvider = void 0;
+/**
+ * AWS KMS provider for envelope encryption.
+ * Dynamically imports `@aws-sdk/client-kms` — the SDK is an optional dependency.
+ */
+class AwsKmsProvider {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK client
+    client;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK module
+    sdk;
+    region;
+    constructor(region) {
+        this.region = region;
+    }
+    async ensureClient() {
+        if (this.client)
+            return;
+        try {
+            this.sdk = await Promise.resolve().then(() => __importStar(require("@aws-sdk/client-kms")));
+            this.client = new this.sdk.KMSClient({ region: this.region });
+        }
+        catch {
+            throw new Error("AWS KMS requires @aws-sdk/client-kms. Install it with: npm install @aws-sdk/client-kms");
+        }
+    }
+    async wrap(keyId, plaintext) {
+        await this.ensureClient();
+        const command = new this.sdk.EncryptCommand({
+            KeyId: keyId,
+            Plaintext: plaintext,
+            EncryptionAlgorithm: "SYMMETRIC_DEFAULT",
+        });
+        const response = await this.client.send(command);
+        if (!response.CiphertextBlob) {
+            throw new Error("AWS KMS Encrypt returned no ciphertext.");
+        }
+        return {
+            wrappedKey: Buffer.from(response.CiphertextBlob),
+            algorithm: "SYMMETRIC_DEFAULT",
+        };
+    }
+    async unwrap(keyId, wrappedKey, algorithm) {
+        await this.ensureClient();
+        const command = new this.sdk.DecryptCommand({
+            KeyId: keyId,
+            CiphertextBlob: wrappedKey,
+            EncryptionAlgorithm: algorithm,
+        });
+        const response = await this.client.send(command);
+        if (!response.Plaintext) {
+            throw new Error("AWS KMS Decrypt returned no plaintext.");
+        }
+        return Buffer.from(response.Plaintext);
+    }
+}
+exports.AwsKmsProvider = AwsKmsProvider;
+//# sourceMappingURL=aws.js.map

package/dist/kms/aws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../src/kms/aws.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA;;;GAGG;AACH,MAAa,cAAc;IACzB,wFAAwF;IAChF,MAAM,CAAM;IACpB,wFAAwF;IAChF,GAAG,CAAM;IACA,MAAM,CAAU;IAEjC,YAAY,MAAe;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,GAAG,wDAAa,qBAAqB,GAAC,CAAC;YAC/C,IAAI,CAAC,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,SAAiB;QACzC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;YAC1C,KAAK,EAAE,KAAK;YACZ,SAAS,EAAE,SAAS;YACpB,mBAAmB,EAAE,mBAAmB;SACzC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChD,SAAS,EAAE,mBAAmB;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,UAAkB,EAAE,SAAiB;QAC/D,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;YAC1C,KAAK,EAAE,KAAK;YACZ,cAAc,EAAE,UAAU;YAC1B,mBAAmB,EAAE,SAAS;SAC/B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;CACF;AAzDD,wCAyDC"}