@kitsy/cnos-cli 1.1.0 → 1.1.1

package/dist/index.js

@@ -15,6 +15,7 @@ var COMMAND_OPTION_KEYS_WITH_VALUE = /* @__PURE__ */ new Set([
   "--to",
   "--provider",
   "--passphrase",
+  "--vault",
   "--inherit"
 ]);
 var COMMAND_FLAG_KEYS = /* @__PURE__ */ new Set(["--flatten", "--public", "--local", "--remote", "--ref"]);
@@ -99,6 +100,10 @@ function parseArgs(argv) {
       options.json = true;
       continue;
     }
+    if (token === "--verbose") {
+      options.verbose = true;
+      continue;
+    }
     if (token === "--help" || token === "-h") {
       options.help = true;
       continue;
@@ -181,12 +186,13 @@ function printJson(value) {
 }
 
 // src/services/writes.ts
-import { randomUUID } from "crypto";
 import { mkdir, readFile, rm, writeFile } from "fs/promises";
 import path from "path";
 import {
+  createSecretVault,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
   stringifyYaml,
   writeLocalSecret
@@ -315,6 +321,22 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
     value: parsedValue
   };
 }
+async function createVault(vault, options = {}) {
+  const passphrase = options.passphrase ?? resolveSecretPassphrase(vault, options.processEnv ?? process.env);
+  if (!passphrase) {
+    throw new Error("Vault creation requires --passphrase or CNOS_SECRET_PASSPHRASE");
+  }
+  const normalizedVault = vault.trim() || "default";
+  const filePath = await createSecretVault(
+    resolveSecretStoreRoot(options.processEnv),
+    normalizedVault,
+    passphrase
+  );
+  return {
+    vault: normalizedVault,
+    filePath
+  };
+}
 async function setSecret(configPath, rawValue, options = {}) {
   const runtime = await createRuntimeService(options);
   const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
@@ -322,25 +344,20 @@ async function setSecret(configPath, rawValue, options = {}) {
   const filePath = resolveConfigDocumentPath(workspaceRoot, "secret", configPath, profile);
   const document = await readYamlDocument(filePath);
   const mode = options.mode ?? "local";
+  const vault = options.vault?.trim() || "default";
   let reference;
   let storePath;
   if (mode === "local") {
-    const passphrase = options.passphrase ?? options.processEnv?.CNOS_SECRET_PASSPHRASE ?? process.env.CNOS_SECRET_PASSPHRASE;
+    const passphrase = options.passphrase ?? resolveSecretPassphrase(vault, options.processEnv ?? process.env);
     if (!passphrase) {
-      throw new Error("Local secret writes require --passphrase or CNOS_SECRET_PASSPHRASE");
+      throw new Error(`Vault "${vault}" requires --passphrase or CNOS_SECRET_PASSPHRASE`);
     }
-    const profileSegment = profile && profile !== "base" ? profile : "base";
-    const ref = [
-      runtime.manifest.project.name,
-      runtime.graph.workspace.workspaceId,
-      profileSegment,
-      ...configPath.split("."),
-      randomUUID()
-    ].map((segment) => segment.replace(/[^A-Za-z0-9._-]+/g, "-")).join("/");
-    storePath = await writeLocalSecret(resolveSecretStoreRoot(options.processEnv), ref, rawValue, passphrase);
+    const ref = configPath;
+    storePath = await writeLocalSecret(resolveSecretStoreRoot(options.processEnv), ref, rawValue, passphrase, vault);
     reference = {
       provider: "local",
-      ref
+      ref,
+      vault
     };
   } else {
     reference = {
@@ -355,6 +372,7 @@ async function setSecret(configPath, rawValue, options = {}) {
     filePath,
     provider: reference.provider,
     ref: reference.ref,
+    ...reference.vault ? { vault: reference.vault } : {},
     ...storePath ? { storePath } : {}
   };
 }
@@ -376,7 +394,13 @@ async function deleteSecret(configPath, options = {}) {
   let removedStore;
   const secretRef = metadata?.secretRef;
   if (isSecretReference(secretRef) && secretRef.provider === "local") {
-    const storePath = path.join(resolveSecretStoreRoot(options.processEnv), "store", ...secretRef.ref.split("/")).concat(".json");
+    const storePath = path.join(
+      resolveSecretStoreRoot(options.processEnv),
+      "vaults",
+      secretRef.vault ?? "default",
+      "store",
+      ...secretRef.ref.split("/")
+    ).concat(".json");
     await rm(storePath, { force: true });
     removedStore = storePath;
   }
@@ -608,7 +632,12 @@ async function runExportEnv(options = {}) {
   const env = isPublic ? runtime.toPublicEnv({
     ...framework ? { framework } : {},
     ...prefix ? { prefix } : {}
-  }) : runtime.toEnv();
+  }) : Object.fromEntries(
+    Object.entries(runtime.manifest.envMapping.explicit).map(([envVar, logicalKey]) => [envVar, runtime.read(logicalKey)]).filter((entry) => entry[1] !== void 0).map(([envVar, value]) => [
+      envVar,
+      typeof value === "string" ? value : typeof value === "number" || typeof value === "boolean" || typeof value === "bigint" ? String(value) : JSON.stringify(value)
+    ])
+  );
   if (options.json) {
     return printJson(env);
   }
@@ -645,6 +674,10 @@ var GLOBAL_OPTIONS = [
     flag: "--json",
     description: "Emit JSON output for commands that support structured responses."
   },
+  {
+    flag: "--verbose",
+    description: "Print full stack traces and verbose diagnostics for command failures."
+  },
   {
     flag: "--help, -h",
     description: "Show command help."
@@ -810,18 +843,18 @@ var COMMANDS = [
   {
     id: "use",
     summary: "Persist repo-local CLI defaults such as workspace and profile.",
-    usage: "cnos use [--workspace <id>] [--profile <name>] [--global-root <path>] [--root <path>] [--json]",
-    description: "Writes .cnos-workspace.yml so future CLI invocations can omit repeated workspace/profile/global-root flags.",
-    examples: ["cnos use --workspace api --profile stage", "cnos use --global-root ~/.cnos"]
+    usage: "cnos use [show] [--workspace <id>] [--profile <name>] [--global-root <path>] [--root <path>] [--json]",
+    description: "Shows the current repo-local CLI context by default, or writes .cnos-workspace.yml when workspace/profile/global-root flags are provided.",
+    examples: ["cnos use show", "cnos use --workspace api --profile stage", "cnos use --global-root ~/.cnos"]
   },
   {
     id: "list",
     summary: "List resolved config entries.",
-    usage: "cnos list [value|secret|meta|all] [--prefix <path>] [global-options]",
-    description: "Lists resolved config entries across one namespace or the full effective graph, with optional key-prefix filtering.",
+    usage: "cnos list [value|secret|meta|env|public|all] [--prefix <path>] [global-options]",
+    description: "Lists stored config or derived projections across one namespace or the full effective graph, with optional prefix filtering.",
     options: [
       {
-        flag: "--namespace <value|secret|meta|all>",
+        flag: "--namespace <value|secret|meta|env|public|all>",
         description: "Explicit namespace selector when not using a positional namespace argument."
       },
       {
@@ -829,7 +862,7 @@ var COMMANDS = [
         description: "Filter list output to entries whose logical keys begin with this prefix."
       }
     ],
-    examples: ["cnos list", "cnos list value --prefix app.", "cnos list --namespace secret"]
+    examples: ["cnos list", "cnos list value --prefix app.", "cnos list env", "cnos list --namespace secret"]
   },
   {
     id: "profile",
@@ -879,9 +912,19 @@ var COMMANDS = [
   {
     id: "secret set",
     summary: "Write a secret securely.",
-    usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--provider <name>] [--passphrase <value>] [global-options]",
-    description: "Writes a secret reference into the repo and, when --local is used, stores encrypted secret material outside the repo under ~/.cnos/secrets.",
-    examples: ["cnos secret set app.token super-secret --local --passphrase dev-pass"]
+    usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--vault <name>] [--provider <name>] [--passphrase <value>] [global-options]",
+    description: "Writes a secret reference into the repo and, when --local is used, stores encrypted secret material outside the repo under ~/.cnos/secrets/vaults/<vault>.",
+    examples: [
+      "cnos secret create vault db --passphrase dev-pass",
+      "cnos secret set app.token super-secret --local --vault db --passphrase dev-pass"
+    ]
+  },
+  {
+    id: "secret create vault",
+    summary: "Create a local secret vault.",
+    usage: "cnos secret create vault <name> --passphrase <value> [global-options]",
+    description: "Creates a named local secret vault under ~/.cnos/secrets/vaults.",
+    examples: ["cnos secret create vault db --passphrase dev-pass"]
   },
   {
     id: "secret list",
@@ -1363,25 +1406,54 @@ function printValue(value, json = false) {
 
 // src/services/listing.ts
 import { flattenObject as flattenObject2 } from "@kitsy/cnos/internal";
+function matchesPrefix(key, prefix) {
+  if (!prefix) {
+    return true;
+  }
+  return key.startsWith(prefix) || key.split(".").slice(1).join(".").startsWith(prefix);
+}
+function toStoredEntry(namespace, entry) {
+  const sourceId = namespace === "value" ? "filesystem-values" : "filesystem-secrets";
+  const candidates = [entry.winner, ...entry.overridden].filter((candidate) => candidate.sourceId === sourceId);
+  if (candidates.length === 0) {
+    return void 0;
+  }
+  return {
+    key: entry.key,
+    value: candidates[0]?.value
+  };
+}
+function listStoredNamespace(namespace, options) {
+  return createRuntimeService(options).then(
+    (runtime) => Array.from(runtime.graph.entries.values()).filter((entry) => entry.namespace === namespace).map((entry) => toStoredEntry(namespace, entry)).filter((entry) => Boolean(entry)).filter((entry) => matchesPrefix(entry.key, options.prefix)).sort((left, right) => left.key.localeCompare(right.key))
+  );
+}
+function listProjectedNamespace(namespace, options) {
+  return createRuntimeService(options).then((runtime) => {
+    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? runtime.manifest.envMapping.explicit : runtime.toPublicEnv();
+    const entries = namespace === "env" ? Object.entries(projected).map(([envVar, logicalKey]) => ({
+      key: envVar,
+      value: runtime.read(logicalKey)
+    })) : Object.entries(projected).map(([key, value]) => ({
+      key: namespace === "meta" ? `meta.${key}` : key,
+      value
+    }));
+    return entries.filter((entry) => entry.value !== void 0).filter((entry) => matchesPrefix(entry.key, options.prefix)).sort((left, right) => left.key.localeCompare(right.key));
+  });
+}
 async function listConfigEntries(namespace, options = {}) {
-  const runtime = await createRuntimeService(options);
-  const namespaces = namespace === "all" ? ["value", "secret", "meta"] : [namespace];
-  const entries = [];
-  const prefix = options.prefix?.trim();
-  for (const currentNamespace of namespaces) {
-    const projected = flattenObject2(runtime.toNamespace(currentNamespace));
-    for (const [path10, value] of Object.entries(projected)) {
-      const key = `${currentNamespace}.${path10}`;
-      if (prefix && !key.startsWith(prefix) && !path10.startsWith(prefix)) {
-        continue;
-      }
-      entries.push({
-        key,
-        value
-      });
-    }
+  if (namespace === "value" || namespace === "secret") {
+    return listStoredNamespace(namespace, options);
   }
-  return entries.sort((left, right) => left.key.localeCompare(right.key));
+  if (namespace === "meta" || namespace === "env" || namespace === "public") {
+    return listProjectedNamespace(namespace, options);
+  }
+  const [values, secrets, meta] = await Promise.all([
+    listStoredNamespace("value", options),
+    listStoredNamespace("secret", options),
+    listProjectedNamespace("meta", options)
+  ]);
+  return [...values, ...secrets, ...meta].sort((left, right) => left.key.localeCompare(right.key));
 }
 
 // src/commands/list.ts
@@ -1398,6 +1470,12 @@ function normalizeNamespace(value) {
   if (value === "meta") {
     return "meta";
   }
+  if (value === "env") {
+    return "env";
+  }
+  if (value === "public") {
+    return "public";
+  }
   throw new Error(`Unsupported list namespace: ${value}`);
 }
 async function runList(args = [], options = {}) {
@@ -1412,6 +1490,9 @@ async function runList(args = [], options = {}) {
   if (options.json) {
     return printJson(entries);
   }
+  if (entries.length === 0) {
+    return "";
+  }
   return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
 }
 
@@ -1691,19 +1772,25 @@ function isSecretRef(value) {
   );
 }
 function normalizeSecretCommand(args) {
-  const [actionOrPath, ...tail] = args;
+  const [actionOrPath, next, ...tail] = args;
   if (!actionOrPath) {
     return {
       action: "list",
       tail: []
     };
   }
-  if (["get", "set", "create", "add", "list", "delete", "remove"].includes(actionOrPath)) {
+  if ((actionOrPath === "create" || actionOrPath === "add") && next === "vault") {
     return {
-      action: actionOrPath === "remove" ? "delete" : actionOrPath === "create" || actionOrPath === "add" ? "set" : actionOrPath,
+      action: "create-vault",
       tail
     };
   }
+  if (["get", "set", "list", "delete", "remove"].includes(actionOrPath)) {
+    return {
+      action: actionOrPath === "remove" ? "delete" : actionOrPath,
+      tail: [next, ...tail].filter((value) => Boolean(value))
+    };
+  }
   return {
     action: "get",
     tail: args
@@ -1713,13 +1800,30 @@ async function runSecret(argsOrPath, options = {}) {
   const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
   const { action, tail } = normalizeSecretCommand(args);
   const cliArgs = [...options.cliArgs ?? []];
+  if (action === "create-vault") {
+    const vault = tail[0] ?? "default";
+    const passphrase = consumeOption(cliArgs, "--passphrase");
+    const result = await createVault(vault, {
+      ...options,
+      cliArgs,
+      ...passphrase ? { passphrase } : {}
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return `created secret vault "${result.vault}" in ${result.filePath}`;
+  }
   if (action === "list") {
-    const runtime2 = await createRuntimeService(options);
-    const secrets = runtime2.toNamespace("secret");
+    const prefix = consumeOption(cliArgs, "--prefix");
+    const entries = await listConfigEntries("secret", {
+      ...options,
+      cliArgs,
+      ...prefix ? { prefix } : {}
+    });
     if (options.json) {
-      return printJson(secrets);
+      return printJson(entries);
     }
-    return Object.entries(secrets).sort(([left], [right]) => left.localeCompare(right)).map(([key, value2]) => `${key}=${printValue(value2)}`).join("\n");
+    return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
   }
   if (action === "set") {
     const secretPath = tail[0];
@@ -1730,19 +1834,21 @@ async function runSecret(argsOrPath, options = {}) {
     const target = consumeOption(cliArgs, "--target") ?? "local";
     const provider = consumeOption(cliArgs, "--provider");
     const passphrase = consumeOption(cliArgs, "--passphrase");
+    const vault = consumeOption(cliArgs, "--vault") ?? "default";
     const mode = local ? "local" : remote ? "remote" : ref ? "ref" : "local";
     const result = await setSecret(secretPath ?? "app.token", rawValue, {
       ...options,
       cliArgs,
       target,
       mode,
+      vault,
       ...provider ? { provider } : {},
       ...passphrase ? { passphrase } : {}
     });
     if (options.json) {
       return printJson(result);
     }
-    return `set secret.${secretPath} via ${result.provider} in ${result.filePath}`;
+    return result.provider === "local" ? `set secret.${secretPath} in vault "${result.vault ?? "default"}" with ref "${result.ref}" and repo pointer ${result.filePath}` : `set secret.${secretPath} via ${result.provider} in ${result.filePath}`;
   }
   if (action === "delete") {
     const secretPath = tail[0];
@@ -1763,8 +1869,9 @@ async function runSecret(argsOrPath, options = {}) {
     throw new Error(`Missing CNOS secret path: ${tail[0] ?? "app.token"}`);
   }
   if (isSecretRef(value)) {
+    const vault = value.vault ?? "default";
     throw new Error(
-      `Secret ${tail[0] ?? "app.token"} is stored as an unresolved ${value.provider} reference. Provide the required provider context to resolve it.`
+      `Secret ${tail[0] ?? "app.token"} is stored in vault "${vault}" as ref "${value.ref}". Provide the correct vault passphrase to resolve it.`
     );
   }
   if (options.json) {
@@ -1778,8 +1885,17 @@ async function runSecret(argsOrPath, options = {}) {
 
 // src/commands/use.ts
 import path9 from "path";
-async function runUse(options = {}) {
+async function runUse(args = [], options = {}) {
   const root = path9.resolve(options.root ?? process.cwd());
+  const action = args[0] ?? "show";
+  const hasUpdates = Boolean(options.workspace || options.profile || options.globalRoot);
+  if (action === "show" || !hasUpdates) {
+    const context = await loadCliContext(root);
+    if (options.json) {
+      return printJson(context);
+    }
+    return Object.keys(context).length === 0 ? "no CLI context configured" : printJson(context);
+  }
   const result = await saveCliContext({
     root,
     ...options.workspace ? { workspace: options.workspace } : {},
@@ -1807,7 +1923,7 @@ async function runValidate(options = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos-cli",
-  version: "1.0.1",
+  version: "1.1.1",
   description: "CLI entry point and developer tooling for CNOS.",
   type: "module",
   main: "./dist/index.js",
@@ -1850,6 +1966,7 @@ var package_default = {
     clean: "rimraf dist",
     dev: "tsup src/index.ts --watch --format esm --dts",
     lint: "eslint src test",
+    prepack: "pnpm build",
     test: "vitest run",
     typecheck: "tsc -p tsconfig.json --noEmit"
   }
@@ -1952,6 +2069,9 @@ function resolveHelpTopic(command, args) {
     return normalizeHelpTopic([command, args[0]]);
   }
   if (command === "secret" && args[0] && ["set", "create", "add", "list", "delete", "remove"].includes(args[0])) {
+    if ((args[0] === "create" || args[0] === "add") && args[1] === "vault") {
+      return normalizeHelpTopic(["secret", "create", "vault"]);
+    }
     return normalizeHelpTopic([
       command,
       args[0] === "remove" ? "delete" : args[0] === "create" || args[0] === "add" ? "set" : args[0]
@@ -1991,6 +2111,9 @@ async function main(argv) {
     ...options.json ? {
       json: true
     } : {},
+    ...options.verbose ? {
+      verbose: true
+    } : {},
     ...options.cliArgs.length > 0 ? {
       cliArgs: options.cliArgs
     } : {}
@@ -2029,7 +2152,7 @@ async function main(argv) {
 `);
       return;
     case "use":
-      process.stdout.write(`${await runUse(runtimeOptions)}
+      process.stdout.write(`${await runUse(args, runtimeOptions)}
 `);
       return;
     case "profile":
@@ -2084,7 +2207,18 @@ async function main(argv) {
       process.exitCode = 1;
   }
 }
-void main(process.argv.slice(2));
+void main(process.argv.slice(2)).catch((error) => {
+  const message = error instanceof Error ? error.message : String(error);
+  const verbose = process.argv.includes("--verbose");
+  if (verbose && error instanceof Error && error.stack) {
+    process.stderr.write(`${error.stack}
+`);
+  } else {
+    process.stderr.write(`${message}
+`);
+  }
+  process.exitCode = 1;
+});
 export {
   main
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos-cli",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "CLI entry point and developer tooling for CNOS.",
   "type": "module",
   "main": "./dist/index.js",
@@ -36,7 +36,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@kitsy/cnos": "1.1.0"
+    "@kitsy/cnos": "1.1.1"
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm --dts",