@caplets/core 0.25.1 → 0.26.0

package/dist/caplet-source.js

@@ -10243,7 +10243,7 @@ const capletMcpServerSchema = object({
 		path: ["url"],
 		message: "remote servers require url"
 	});
-	if (server.url && !hasEnvReference$2(server.url) && !isAllowedRemoteUrl(server.url)) ctx.addIssue({
+	if (server.url && !hasInterpolationReference(server.url) && !isAllowedRemoteUrl(server.url)) ctx.addIssue({
 		code: "custom",
 		path: ["url"],
 		message: "remote url must use https except loopback development urls"
@@ -10256,7 +10256,7 @@ const capletMcpServerSchema = object({
 		"redirectUri"
 	]) {
 		const value = server.auth[field];
-		if (value && !hasEnvReference$2(value) && !isUrl(value)) ctx.addIssue({
+		if (value && !hasInterpolationReference(value) && !isUrl(value)) ctx.addIssue({
 			code: "custom",
 			path: ["auth", field],
 			message: `${field} must be a URL or environment reference`
@@ -10290,12 +10290,12 @@ const capletOpenApiEndpointSchema = object({
 		code: "custom",
 		message: "openapiEndpoint must define exactly one spec source: specPath or specUrl"
 	});
-	if (endpoint.specUrl && !hasEnvReference$2(endpoint.specUrl) && !isAllowedRemoteUrl(endpoint.specUrl)) ctx.addIssue({
+	if (endpoint.specUrl && !hasInterpolationReference(endpoint.specUrl) && !isAllowedRemoteUrl(endpoint.specUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["specUrl"],
 		message: "OpenAPI specUrl must use https except loopback development urls"
 	});
-	if (endpoint.baseUrl && !hasEnvReference$2(endpoint.baseUrl) && !isAllowedRemoteUrl(endpoint.baseUrl)) ctx.addIssue({
+	if (endpoint.baseUrl && !hasInterpolationReference(endpoint.baseUrl) && !isAllowedRemoteUrl(endpoint.baseUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["baseUrl"],
 		message: "OpenAPI baseUrl must use https except loopback development urls"
@@ -10320,12 +10320,12 @@ const capletGoogleDiscoveryApiSchema = object({
 		code: "custom",
 		message: "googleDiscoveryApi must define exactly one discovery source: discoveryPath or discoveryUrl"
 	});
-	if (api.discoveryUrl && !hasEnvReference$2(api.discoveryUrl) && !isAllowedRemoteUrl(api.discoveryUrl)) ctx.addIssue({
+	if (api.discoveryUrl && !hasInterpolationReference(api.discoveryUrl) && !isAllowedRemoteUrl(api.discoveryUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["discoveryUrl"],
 		message: "Google Discovery discoveryUrl must use https except loopback development urls"
 	});
-	if (api.baseUrl && !hasEnvReference$2(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
+	if (api.baseUrl && !hasInterpolationReference(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["baseUrl"],
 		message: "Google Discovery baseUrl must use https except loopback development urls and must not include credentials, query, or fragment"
@@ -10362,12 +10362,12 @@ const capletGraphQlEndpointSchema = object({
 		code: "custom",
 		message: "graphqlEndpoint must define exactly one schema source: schemaPath, schemaUrl, or introspection"
 	});
-	if (endpoint.endpointUrl && !hasEnvReference$2(endpoint.endpointUrl) && !isAllowedRemoteUrl(endpoint.endpointUrl)) ctx.addIssue({
+	if (endpoint.endpointUrl && !hasInterpolationReference(endpoint.endpointUrl) && !isAllowedRemoteUrl(endpoint.endpointUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["endpointUrl"],
 		message: "GraphQL endpointUrl must use https except loopback development urls"
 	});
-	if (endpoint.schemaUrl && !hasEnvReference$2(endpoint.schemaUrl) && !isAllowedRemoteUrl(endpoint.schemaUrl)) ctx.addIssue({
+	if (endpoint.schemaUrl && !hasInterpolationReference(endpoint.schemaUrl) && !isAllowedRemoteUrl(endpoint.schemaUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["schemaUrl"],
 		message: "GraphQL schemaUrl must use https except loopback development urls"
@@ -10411,7 +10411,7 @@ const capletHttpApiSchema = object({
 	projectBinding: capletProjectBindingSchema.optional(),
 	runtime: capletRuntimeRequirementsSchema.optional()
 }).strict().superRefine((api, ctx) => {
-	if (api.baseUrl && !hasEnvReference$2(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
+	if (api.baseUrl && !hasInterpolationReference(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["baseUrl"],
 		message: "HTTP API baseUrl must use https except loopback development urls and must not include credentials, query, or fragment"
@@ -10716,7 +10716,7 @@ function normalizeGraphQlOperations(operations, baseDir, normalizePath) {
 	}]));
 }
 function normalizeBundleLocalPath(value, baseDir) {
-	if (!value || isMapAbsolutePath(value) || hasEnvReference$2(value)) return value;
+	if (!value || isMapAbsolutePath(value) || hasInterpolationReference(value)) return value;
 	const parts = [...baseDir ? baseDir.split("/") : [], ...value.split("/")];
 	const normalized = [];
 	for (const part of parts) {
@@ -10796,8 +10796,8 @@ function validateCapletId(id, path) {
 function errorMessage$1(error) {
 	return error instanceof Error ? error.message : String(error);
 }
-function hasEnvReference$2(value) {
-	return /\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$env:[A-Za-z_][A-Za-z0-9_]*/.test(value);
+function hasInterpolationReference(value) {
+	return /\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$env:[A-Za-z_][A-Za-z0-9_]*|\$\{vault:[^}]+\}|\$vault:[A-Za-z0-9_-]+/.test(value);
 }
 //#endregion
 //#region src/config-runtime.ts

package/dist/cli/auth.d.ts

@@ -70,6 +70,7 @@ export declare function localAuthTargets(options: {
 })[];
 export declare function localAuthConfigForTarget(options: {
     serverId: string;
+    authDir?: string | undefined;
     configPath?: string;
     projectConfigPath?: string;
     source: Exclude<AuthSource, "remote">;

package/dist/cli/commands.d.ts

@@ -31,8 +31,9 @@ export declare const cliCommands: {
     readonly complete: "complete";
     readonly config: "config";
     readonly auth: "auth";
+    readonly vault: "vault";
 };
-export declare const topLevelCommandNames: readonly ["serve", "daemon", "code-mode", "attach", "remote", "cloud", "init", "setup", "doctor", "list", "install", "add", "inspect", "check-backend", "list-tools", "search-tools", "get-tool", "call-tool", "list-resources", "search-resources", "list-resource-templates", "read-resource", "list-prompts", "search-prompts", "get-prompt", "complete", "config", "auth", "completion"];
+export declare const topLevelCommandNames: readonly ["serve", "daemon", "code-mode", "attach", "remote", "cloud", "init", "setup", "doctor", "list", "install", "add", "inspect", "check-backend", "list-tools", "search-tools", "get-tool", "call-tool", "list-resources", "search-resources", "list-resource-templates", "read-resource", "list-prompts", "search-prompts", "get-prompt", "complete", "config", "auth", "vault", "completion"];
 export declare const cliSubcommands: {
     readonly add: readonly ["cli", "mcp", "openapi", "google-discovery", "graphql", "http"];
     readonly auth: readonly ["login", "logout", "list", "refresh"];
@@ -43,11 +44,15 @@ export declare const cliSubcommands: {
     readonly config: readonly ["path", "paths"];
     readonly daemon: readonly ["install", "uninstall", "start", "restart", "stop", "status", "logs"];
     readonly setup: readonly ["codex", "claude-code", "opencode", "pi", "mcp-client"];
+    readonly vault: readonly ["set", "get", "list", "delete", "access"];
 };
 export declare const cliNestedSubcommands: {
     readonly remote: {
         readonly host: readonly ["pair", "clients", "revoke"];
     };
+    readonly vault: {
+        readonly access: readonly ["grant", "list", "revoke"];
+    };
 };
 export declare const capletIdCommands: Set<string>;
 export declare const qualifiedToolCommands: Set<string>;

package/dist/cli/doctor.d.ts

@@ -17,6 +17,7 @@ export type DoctorJsonReport = {
     sync: Record<string, unknown>;
     daemon: Record<string, unknown>;
     remoteLogin: Record<string, unknown>;
+    vault: Record<string, unknown>;
     exposure: Record<string, unknown>;
     codeMode: Record<string, unknown>;
 };

package/dist/cli/vault.d.ts

@@ -0,0 +1,7 @@
+import type { VaultAccessGrant, VaultDeleteStatus, VaultValueStatus } from "../vault";
+export declare function formatVaultValueStatus(status: VaultValueStatus, json?: boolean): string;
+export declare function formatVaultValueList(statuses: VaultValueStatus[], json?: boolean): string;
+export declare function formatVaultDeleteStatus(status: VaultDeleteStatus, json?: boolean): string;
+export declare function formatVaultAccessGrant(grant: VaultAccessGrant, json?: boolean): string;
+export declare function formatVaultAccessList(grants: VaultAccessGrant[], json?: boolean): string;
+export declare function formatVaultAccessRevoke(count: number, json?: boolean): string;

package/dist/cloud/client.d.ts

@@ -17,6 +17,49 @@ export type RegisterPresenceResult = {
     expiresAt: string;
 };
 export type HeartbeatPresenceResult = RegisterPresenceResult;
+export type CloudVaultValueStatus = {
+    key: string;
+    present: boolean;
+    valueBytes?: number | undefined;
+    createdAt?: string | undefined;
+    updatedAt?: string | undefined;
+};
+export type CloudVaultAccessGrant = {
+    storedKey: string;
+    referenceName: string;
+    capletId: string;
+    origin?: {
+        kind: string;
+        path: string;
+    } | undefined;
+    createdAt?: string | undefined;
+    updatedAt?: string | undefined;
+};
+export type CloudVaultSetInput = {
+    workspace: string;
+    name: string;
+    value: string;
+    force?: boolean | undefined;
+    grant?: string | undefined;
+    referenceName?: string | undefined;
+};
+export type CloudVaultNameInput = {
+    workspace: string;
+    name: string;
+};
+export type CloudVaultGetInput = CloudVaultNameInput & {
+    reveal?: boolean | undefined;
+    revealContext?: "human-cli" | undefined;
+};
+export type CloudVaultAccessGrantInput = CloudVaultNameInput & {
+    capletId: string;
+    referenceName?: string | undefined;
+};
+export type CloudVaultAccessListInput = {
+    workspace: string;
+    name?: string | undefined;
+    capletId?: string | undefined;
+};
 export declare class CapletsCloudClient {
     private readonly options;
     private readonly fetchImpl;
@@ -25,6 +68,22 @@ export declare class CapletsCloudClient {
     stopPresence(presenceId: string): Promise<void>;
     heartbeatPresence(presenceId: string): Promise<HeartbeatPresenceResult>;
     updatePresenceCaplets(presenceId: string, allowedCapletIds: string[]): Promise<void>;
+    setVaultValue(input: CloudVaultSetInput): Promise<CloudVaultValueStatus>;
+    getVaultValue(input: CloudVaultGetInput): Promise<CloudVaultValueStatus | {
+        key: string;
+        value: string;
+    }>;
+    listVaultValues(input: {
+        workspace: string;
+    }): Promise<CloudVaultValueStatus[]>;
+    deleteVaultValue(input: CloudVaultNameInput): Promise<{
+        key: string;
+        deleted: boolean;
+        grantsRetained?: number | undefined;
+    }>;
+    grantVaultAccess(input: CloudVaultAccessGrantInput): Promise<CloudVaultAccessGrant>;
+    listVaultAccess(input: CloudVaultAccessListInput): Promise<CloudVaultAccessGrant[]>;
+    revokeVaultAccess(input: CloudVaultAccessGrantInput): Promise<CloudVaultAccessGrant[]>;
     private headers;
     private endpoint;
 }

package/dist/{completion-De4t5MtT.js → completion-DaYL-XQN.js}

@@ -1,4 +1,4 @@
-import { Dt as DEFAULT_AUTH_DIR, Ft as resolveConfigPath, Lt as resolveProjectConfigPath, Nn as __exportAll, Ot as DEFAULT_COMPLETION_CACHE_DIR, Pt as resolveCapletsRoot, ct as loadConfigWithSources } from "./service-Ut6dN9M8.js";
+import { Bn as __exportAll, Ft as DEFAULT_COMPLETION_CACHE_DIR, Ht as resolveConfigPath, Pt as DEFAULT_AUTH_DIR, Vt as resolveCapletsRoot, Wt as resolveProjectConfigPath, lt as loadConfigWithSources } from "./service-rvZ7z6FI.js";
 import { u as CapletsError } from "./validation-C4tYXw6G.js";
 import { mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
@@ -41,7 +41,8 @@ const cliCommands = {
 	getPrompt: "get-prompt",
 	complete: "complete",
 	config: "config",
-	auth: "auth"
+	auth: "auth",
+	vault: "vault"
 };
 const topLevelCommandNames = [
 	cliCommands.serve,
@@ -72,6 +73,7 @@ const topLevelCommandNames = [
 	cliCommands.complete,
 	cliCommands.config,
 	cliCommands.auth,
+	cliCommands.vault,
 	cliCommands.completion
 ];
 const cliSubcommands = {
@@ -114,13 +116,27 @@ const cliSubcommands = {
 		"opencode",
 		"pi",
 		"mcp-client"
+	],
+	[cliCommands.vault]: [
+		"set",
+		"get",
+		"list",
+		"delete",
+		"access"
 	]
 };
-const cliNestedSubcommands = { [cliCommands.remote]: { host: [
-	"pair",
-	"clients",
-	"revoke"
-] } };
+const cliNestedSubcommands = {
+	[cliCommands.remote]: { host: [
+		"pair",
+		"clients",
+		"revoke"
+	] },
+	[cliCommands.vault]: { access: [
+		"grant",
+		"list",
+		"revoke"
+	] }
+};
 const capletIdCommands = /* @__PURE__ */ new Set([
 	cliCommands.inspect,
 	cliCommands.checkBackend,

package/dist/config.d.ts

@@ -1,4 +1,5 @@
 import { z } from "zod";
+import { FileVaultStore, type VaultConfigOrigin } from "./vault";
 export { DEFAULT_AUTH_DIR, DEFAULT_COMPLETION_CACHE_DIR, DEFAULT_CONFIG_PATH, PROJECT_CONFIG_FILE, defaultCacheBaseDir, defaultCompletionCacheDir, resolveCapletsRoot, resolveConfigPath, resolveProjectCapletsRoot, resolveProjectConfigPath, } from "./config/paths";
 export type RemoteAuthConfig = {
     type: "none";
@@ -303,6 +304,29 @@ export type LocalOverlayConfigWarning = {
 };
 export type LocalOverlayConfigWithSources = ConfigWithSources & {
     warnings: LocalOverlayConfigWarning[];
+    sourceFound: boolean;
+};
+export type ConfigVaultReference = {
+    referenceName: string;
+    capletId: string;
+    origin: VaultConfigOrigin;
+    path: string;
+};
+export type ConfigVaultResolution = {
+    storedKey: string;
+    value: string;
+} | {
+    reason: "missing" | "ungranted" | "unavailable" | "invalid-key-source";
+    storedKey?: string | undefined;
+    referenceName: string;
+    capletId: string;
+    origin: VaultConfigOrigin;
+};
+export type ConfigVaultResolver = (reference: ConfigVaultReference) => ConfigVaultResolution;
+export type ConfigParseOptions = {
+    sources?: Record<string, ConfigSource> | undefined;
+    vaultResolver?: ConfigVaultResolver | undefined;
+    vaultRecoveryTarget?: "global" | "remote" | undefined;
 };
 export declare const configFileSchema: z.ZodObject<{
     $schema: z.ZodOptional<z.ZodString>;
@@ -335,16 +359,25 @@ export declare const configFileSchema: z.ZodObject<{
     capletSets: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>>;
 }, z.core.$strict>;
 export declare function configJsonSchema(): unknown;
-export declare function loadConfig(path?: string, projectPath?: string): CapletsConfig;
-export declare function loadConfigWithSources(path?: string, projectPath?: string): ConfigWithSources;
-export declare function loadGlobalConfig(path?: string): CapletsConfig;
-export declare function loadProjectConfig(projectPath?: string): CapletsConfig;
-export declare function loadLocalOverlayConfigWithSources(path?: string, projectPath?: string): LocalOverlayConfigWithSources;
+export declare function loadConfig(path?: string, projectPath?: string, options?: Pick<ConfigParseOptions, "vaultResolver">): CapletsConfig;
+export declare function loadConfigWithSources(path?: string, projectPath?: string, options?: Pick<ConfigParseOptions, "vaultResolver">): ConfigWithSources;
+export declare function loadGlobalConfig(path?: string, options?: Pick<ConfigParseOptions, "vaultResolver">): CapletsConfig;
+export declare function loadProjectConfig(projectPath?: string, options?: Pick<ConfigParseOptions, "vaultResolver">): CapletsConfig;
+export declare function loadLocalOverlayConfigWithSources(path?: string, projectPath?: string, options?: Pick<ConfigParseOptions, "vaultResolver" | "vaultRecoveryTarget">): LocalOverlayConfigWithSources;
+export declare function loadLocalRuntimeConfig(path?: string, projectPath?: string, options?: Pick<ConfigParseOptions, "vaultResolver" | "vaultRecoveryTarget"> & {
+    writeWarning?: ((warning: LocalOverlayConfigWarning) => void) | undefined;
+}): CapletsConfig;
+export declare function defaultVaultResolver(store?: FileVaultStore): ConfigVaultResolver;
+export declare function vaultStoreForAuthDir(authDir: string | undefined): FileVaultStore;
+export declare function vaultResolverForAuthDir(authDir: string | undefined): ConfigVaultResolver;
+export declare const vaultBootstrapResolver: ConfigVaultResolver;
 export declare function loadIsolatedConfig(options: {
     configPath?: string;
     capletsRoot?: string;
     defaultSearchLimit: number;
     maxSearchLimit: number;
+    vaultResolver?: ConfigVaultResolver | undefined;
+    vaultRecoveryTarget?: ConfigParseOptions["vaultRecoveryTarget"];
 }): CapletsConfig;
-export declare function parseConfig(input: unknown): CapletsConfig;
+export declare function parseConfig(input: unknown, options?: ConfigParseOptions): CapletsConfig;
 export declare function interpolateEnv(value: string): string;

package/dist/engine.d.ts

@@ -1,4 +1,4 @@
-import { type CapletConfig, type CapletsConfig } from "./config";
+import { type CapletConfig, type CapletsConfig, type LocalOverlayConfigWarning } from "./config";
 import { type ObservedOutputShapeKey, type ObservedOutputShapeStore } from "./observed-output-shapes";
 import { type ExposureSnapshot } from "./exposure/discovery";
 export type CapletsEngineOptions = {
@@ -10,11 +10,14 @@ export type CapletsEngineOptions = {
     watchDebounceMs?: number;
     watch?: boolean;
     writeErr?: (value: string) => void;
-    configLoader?: (configPath: string, projectConfigPath: string) => CapletsConfig;
+    configLoader?: (configPath: string, projectConfigPath: string, options?: {
+        writeWarning?: ((warning: LocalOverlayConfigWarning) => void) | undefined;
+    }) => CapletsConfig;
     observedOutputShapeStore?: ObservedOutputShapeStore | undefined;
     observedOutputShapeScope?: ObservedOutputShapeKey["scope"] | undefined;
     observedOutputShapeCacheDir?: string | undefined;
     projectFingerprint?: string | undefined;
+    vaultRecoveryTarget?: "global" | "remote" | undefined;
 };
 export type CapletsEngineReloadEvent = {
     previous: CapletsConfig;
@@ -68,6 +71,7 @@ export declare class CapletsEngine {
     private callTool;
     private optionalMcpList;
     private reloadOnce;
+    private loadConfigWithWarnings;
     private reloadUntilSettled;
     private emitReload;
     private invalidateChangedBackends;