@kitsy/cnos-cli 1.9.0 → 1.9.2

package/dist/index.js

@@ -54,7 +54,9 @@ var COMMAND_FLAG_KEYS = /* @__PURE__ */ new Set([
   "--signal",
   "--derive",
   "--materialize",
-  "--source-only"
+  "--source-only",
+  "--allow-secret",
+  "--fix-secret-env-mappings"
 ]);
 function normalizeCommand(argv) {
   const [command = "doctor", ...rest] = argv;
@@ -324,12 +326,31 @@ import { spawnSync } from "child_process";
 function isInteractiveSession() {
   return process.stdin.isTTY && process.stdout.isTTY && !process.env.CI;
 }
+function printSecretEnvBuildWarnings(targetPath, mappings) {
+  console.error(`!WARN CNOS detected explicit secret env mappings for ${targetPath}.`);
+  console.error(`!WARN Writing revealed env artifacts is a security risk and may leak plaintext secrets outside CNOS.`);
+  console.error(`!WARN Secret env vars: ${mappings.map((mapping) => mapping.envVar).join(", ")}`);
+}
 function getSecretEnvMappings(runtime) {
   return Object.entries(runtime.manifest.envMapping.explicit).filter(([, logicalKey]) => runtime.graph.entries.get(logicalKey)?.namespace === "secret").map(([envVar, logicalKey]) => ({
     envVar,
     logicalKey
   })).sort((left, right) => left.envVar.localeCompare(right.envVar));
 }
+async function hydrateSecretEnvMappings(runtime, mappings) {
+  for (const mapping of mappings) {
+    await runtime.refreshSecret(mapping.logicalKey);
+  }
+}
+function applyMaskedSecretEnvMappings(env, mappings) {
+  const nextEnv = { ...env };
+  for (const { envVar } of mappings) {
+    if (!(envVar in nextEnv)) {
+      nextEnv[envVar] = "****";
+    }
+  }
+  return nextEnv;
+}
 function resolveGitRoot(cwd) {
   const result = spawnSync("git", ["rev-parse", "--show-toplevel"], {
     cwd,
@@ -377,19 +398,16 @@ async function assertSecretEnvTargetIsGitIgnored(targetPath, cwd) {
   }
 }
 async function confirmSecretEnvBuild(targetPath, mappings) {
+  printSecretEnvBuildWarnings(targetPath, mappings);
   if (!isInteractiveSession()) {
     return;
   }
-  console.error(`!WARN CNOS is about to write resolved secret values into ${targetPath}.`);
-  console.error(
-    `!WARN Secret env vars: ${mappings.map((mapping) => mapping.envVar).join(", ")}`
-  );
   const rl = readline.createInterface({
     input: process.stdin,
     output: process.stdout
   });
   try {
-    const answer = (await rl.question("Continue writing secrets to this env artifact? [y/N] ")).trim().toLowerCase();
+    const answer = (await rl.question("Do you want to continue? [y/N] ")).trim().toLowerCase();
     if (answer !== "y" && answer !== "yes") {
       throw new Error("Aborted secret env build.");
     }
@@ -503,14 +521,13 @@ async function buildEnvProjectionArtifact(to, options = {}, format = "dotenv") {
   if (revealSecrets && secretMappings.length > 0) {
     await assertSecretEnvTargetIsGitIgnored(targetPath, basePath);
     await confirmSecretEnvBuild(targetPath, secretMappings);
+    await hydrateSecretEnvMappings(runtime, secretMappings);
   }
-  const env = runtime.toEnv({
+  let env = runtime.toEnv({
     includeSecrets: revealSecrets
   });
-  for (const { envVar } of secretMappings) {
-    if (!revealSecrets && !(envVar in env)) {
-      env[envVar] = "****";
-    }
+  if (!revealSecrets) {
+    env = applyMaskedSecretEnvMappings(env, secretMappings);
   }
   const output = formatKeyValueMap(env, format);
   const writtenTargetPath = await writeProjectionFile(to, output, basePath);
@@ -1333,7 +1350,7 @@ async function runDiff(leftProfile, rightProfile, options = {}) {
 }
 
 // src/services/doctor.ts
-import { readdir as readdir2, readFile as readFile3 } from "fs/promises";
+import { readdir as readdir2, readFile as readFile3, writeFile as writeFile4 } from "fs/promises";
 import path9 from "path";
 import {
   detectLegacyVaultFormat,
@@ -1341,7 +1358,8 @@ import {
   loadManifest as loadManifest3,
   parseYaml as parseYaml2,
   readKeychain,
-  resolveSecretStoreRoot
+  resolveSecretStoreRoot,
+  stringifyYaml as stringifyYaml3
 } from "@kitsy/cnos/internal";
 
 // src/services/validation.ts
@@ -1443,6 +1461,7 @@ async function checkSecretSecurity(options, runtime) {
   const warnings = [
     ...legacyDetected.map((entry) => `legacy vault ${entry.vault}: ${entry.path}`),
     ...plaintextFiles.map((file) => `plaintext secret file: ${file}`),
+    ...Object.entries(runtime.manifest.envMapping.explicit).filter(([, logicalKey]) => logicalKey.startsWith("secret.")).map(([envVar, logicalKey]) => `secret env mapping: ${envVar} -> ${logicalKey}`),
     ...keychainWarnings.filter((entry) => !entry.value).map((entry) => `no keychain entry for vault ${entry.vault} (${entry.source})`)
   ];
   return {
@@ -1451,6 +1470,39 @@ async function checkSecretSecurity(options, runtime) {
     details: warnings.length === 0 ? "no legacy vaults, plaintext secret files, or missing keychain entries" : warnings.join("; ")
   };
 }
+async function repairSecretEnvMappings(options = {}) {
+  const loadedManifest = await loadManifest3({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {},
+    ...options.cacheMode ? { cacheMode: options.cacheMode } : {},
+    ...typeof options.cacheTtlSeconds === "number" ? { cacheTtlSeconds: options.cacheTtlSeconds } : {},
+    ...options.forceRefresh ? { forceRefresh: true } : {}
+  });
+  const explicit = loadedManifest.rawManifest.envMapping?.explicit ?? {};
+  const removed = Object.entries(explicit).filter(([, logicalKey]) => logicalKey.startsWith("secret.")).map(([envVar, logicalKey]) => ({ envVar, logicalKey }));
+  if (removed.length === 0) {
+    return {
+      manifestPath: loadedManifest.manifestPath,
+      removed
+    };
+  }
+  const nextExplicit = Object.fromEntries(
+    Object.entries(explicit).filter(([, logicalKey]) => !logicalKey.startsWith("secret."))
+  );
+  const nextRawManifest = {
+    ...loadedManifest.rawManifest,
+    envMapping: {
+      ...loadedManifest.rawManifest.envMapping ?? {},
+      explicit: nextExplicit
+    }
+  };
+  await writeFile4(loadedManifest.manifestPath, stringifyYaml3(nextRawManifest), "utf8");
+  return {
+    manifestPath: loadedManifest.manifestPath,
+    removed
+  };
+}
 async function evaluateDoctor(options = {}) {
   const root = resolveFilesystemBasePath(options.root, options.cwd ?? process.cwd());
   const loadedManifest = await loadManifest3({
@@ -1508,15 +1560,22 @@ async function evaluateDoctor(options = {}) {
 
 // src/commands/doctor.ts
 async function runDoctor(options = {}) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const shouldFixSecretEnvMappings = cliArgs.includes("--fix-secret-env-mappings");
+  const repairResult = shouldFixSecretEnvMappings ? await repairSecretEnvMappings(options) : void 0;
   const checks = await evaluateDoctor(options);
   const hasFailures = checks.some((check) => !check.ok);
   if (hasFailures) {
     process.exitCode = 1;
   }
   if (options.json) {
-    return printJson(checks);
+    return printJson({
+      ...repairResult ? { repair: repairResult } : {},
+      checks
+    });
   }
-  return checks.map((check) => `${check.ok ? "OK" : "FAIL"} ${check.name}: ${check.details}`).join("\n");
+  const repairLine = repairResult ? repairResult.removed.length > 0 ? `REPAIRED secret-env-mappings: removed ${repairResult.removed.map((entry) => `${entry.envVar} -> ${entry.logicalKey}`).join(", ")}` : "REPAIRED secret-env-mappings: no secret env mappings found" : void 0;
+  return [repairLine, ...checks.map((check) => `${check.ok ? "OK" : "FAIL"} ${check.name}: ${check.details}`)].filter((value) => Boolean(value)).join("\n");
 }
 
 // src/commands/dump.ts
@@ -2092,8 +2151,8 @@ var COMMANDS = [
   {
     id: "promote",
     summary: "Promote shareable config into public or env projection surfaces.",
-    usage: "cnos promote <key...> --to <public|env> [--as <ENV_VAR>] [global-options]",
-    description: "Adds keys to public.promote or envMapping.explicit in .cnos/cnos.yml. Sensitive or non-shareable namespaces are rejected, but declared shareable data namespaces such as flags are allowed.",
+    usage: "cnos promote <key...> --to <public|env> [--as <ENV_VAR>] [--allow-secret] [global-options]",
+    description: "Adds keys to public.promote or envMapping.explicit in .cnos/cnos.yml. Sensitive or non-shareable namespaces are rejected by default, but secret.* may be mapped to env explicitly when you pass --allow-secret. public never allows secret promotion.",
     options: [
       {
         flag: "--to <public|env>",
@@ -2102,23 +2161,30 @@ var COMMANDS = [
       {
         flag: "--as <ENV_VAR>",
         description: "Required for --to env. Sets the exported env var name for the promoted key."
+      },
+      {
+        flag: "--allow-secret",
+        description: "Allow secret.* only for --to env. This does not permit secret promotion to public."
       }
     ],
     examples: [
       "cnos promote value.flag.auth.upi_enabled --to public",
       "cnos promote flags.upi_enabled --to public",
-      "cnos promote value.server.port --to env --as PORT"
+      "cnos promote value.server.port --to env --as PORT",
+      "cnos promote secret.db.password --to env --as POSTGRES_PASSWORD --allow-secret"
     ]
   },
   {
     id: "secret set",
     summary: "Write a secret securely.",
-    usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--vault <name>] [--provider <name>] [global-options]",
-    description: "Writes a secret reference into the repo. When a local vault is selected, CNOS stores encrypted secret material outside the repo under ~/.cnos/secrets/vaults/<vault>; when an environment-backed vault is selected, CNOS writes an env-backed ref for CI or cloud runtimes.",
+    usage: "cnos secret set <path> [value] [--local|--remote|--ref] [--vault <name>] [--provider <name>] [--stdin] [global-options]",
+    description: "Writes a secret reference into the repo. When a local vault is selected, CNOS stores encrypted secret material outside the repo under ~/.cnos/secrets/vaults/<vault>; when an environment-backed vault is selected, CNOS writes an env-backed ref for CI or cloud runtimes. If [value] is omitted, CNOS prompts for a masked value interactively; use --stdin for pipelines.",
     examples: [
       "cnos vault create db",
       "cnos vault auth db",
       "cnos secret set app.token super-secret --vault db",
+      "cnos secret set app.token --vault db",
+      'printf "super-secret" | cnos secret set app.token --vault db --stdin',
       "cnos vault create github-ci --provider environment --no-passphrase",
       "cnos secret set app.token APP_TOKEN --vault github-ci"
     ]
@@ -2133,9 +2199,13 @@ var COMMANDS = [
   {
     id: "secret list",
     summary: "List resolved secrets.",
-    usage: "cnos secret list [--vault <name>] [--provider <name>] [global-options]",
-    description: "Lists stored secret entries for the selected workspace and profile, optionally filtered by vault or provider.",
-    examples: ["cnos secret list --workspace api", "cnos secret list --vault github-ci"]
+    usage: "cnos secret list [--vault <name>] [--provider <name>] [--reveal] [global-options]",
+    description: "Lists secret keys for the selected workspace and profile as masked values by default, or as resolved values when --reveal is supplied. Supports optional vault and provider filtering.",
+    examples: [
+      "cnos secret list --workspace api",
+      "cnos secret list --vault github-ci",
+      "cnos secret list --workspace api --reveal"
+    ]
   },
   {
     id: "secret delete",
@@ -2220,7 +2290,7 @@ var COMMANDS = [
     id: "build env",
     summary: "Build a flat env-file artifact from CNOS.",
     usage: "cnos build env --to <path> [--format <dotenv|docker-env|json|shell|toml|yaml>] [--reveal] [global-options]",
-    description: "Builds a deterministic KEY=VALUE artifact for legacy build and runtime workflows. Secret env mappings stay masked by default; use --reveal only when the target env file is gitignored and you intentionally want concrete secret values.",
+    description: "Builds a deterministic KEY=VALUE artifact for legacy build and runtime workflows. Secret env mappings stay masked by default; use --reveal only when the target env file is gitignored and you intentionally want concrete secret values. CNOS prints explicit risk warnings before revealed secret writes.",
     options: [
       {
         flag: "--to <path>",
@@ -2472,9 +2542,9 @@ var COMMANDS = [
   {
     id: "doctor",
     summary: "Run repository and workspace diagnostics.",
-    usage: "cnos doctor [global-options]",
-    description: "Checks manifest/workspace setup, gitignore coverage, and related diagnostics for the selected workspace.",
-    examples: ["cnos doctor", "cnos doctor --workspace api --json"]
+    usage: "cnos doctor [--fix-secret-env-mappings] [global-options]",
+    description: "Checks manifest/workspace setup, gitignore coverage, and related diagnostics for the selected workspace. Secret env mappings are reported as a security risk; use --fix-secret-env-mappings to remove them from envMapping.explicit in one shot.",
+    examples: ["cnos doctor", "cnos doctor --workspace api --json", "cnos doctor --fix-secret-env-mappings"]
   },
   {
     id: "drift",
@@ -2747,7 +2817,7 @@ function runHelpAi(topic, cliArgs = []) {
 import path11 from "path";
 
 // src/services/scaffold.ts
-import { mkdir as mkdir4, readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
+import { mkdir as mkdir4, readFile as readFile4, writeFile as writeFile5 } from "fs/promises";
 import path10 from "path";
 function scaffoldManifest(projectName, options = {}) {
   const mode = options.mode ?? "regular";
@@ -2791,7 +2861,7 @@ async function ensureFile(filePath, content) {
     await readFile4(filePath, "utf8");
     return false;
   } catch {
-    await writeFile4(filePath, content, "utf8");
+    await writeFile5(filePath, content, "utf8");
     return true;
   }
 }
@@ -2819,7 +2889,7 @@ async function ensureGitignore(root) {
   }
   const prefix = current.trim().length > 0 ? `${current.trimEnd()}
 ` : "";
-  await writeFile4(gitignorePath, `${prefix}${missingEntries.join("\n")}
+  await writeFile5(gitignorePath, `${prefix}${missingEntries.join("\n")}
 `, "utf8");
   return true;
 }
@@ -2995,6 +3065,45 @@ async function runInspect(key, options = {}) {
   return printInspect(printable);
 }
 
+// src/format/printTable.ts
+function stringifyCell(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function printTable(rows) {
+  if (rows.length === 0) {
+    return "";
+  }
+  const columns = Array.from(
+    rows.reduce((set, row) => {
+      for (const key of Object.keys(row)) {
+        set.add(key);
+      }
+      return set;
+    }, /* @__PURE__ */ new Set())
+  );
+  const widths = columns.map(
+    (column) => Math.max(
+      column.length,
+      ...rows.map((row) => stringifyCell(row[column]).length)
+    )
+  );
+  const renderRow = (row) => columns.map((column, index) => stringifyCell(row[column]).padEnd(widths[index], " ")).join("  ").trimEnd();
+  return [
+    columns.map((column, index) => column.padEnd(widths[index], " ")).join("  ").trimEnd(),
+    widths.map((width) => "-".repeat(width)).join("  "),
+    ...rows.map(renderRow)
+  ].join("\n");
+}
+
 // src/format/printValue.ts
 function printValue(value, json = false) {
   if (json) {
@@ -3040,6 +3149,10 @@ function toStoredEntry(namespace, entry, filter = {}) {
   return {
     key: entry.key,
     value: selectedCandidate.value,
+    ...namespace === "secret" ? {
+      vault: selectedCandidate.metadata?.secretRef?.vault ?? "default",
+      provider: selectedCandidate.metadata?.secretRef?.provider ?? "local"
+    } : {},
     ...typeof selectedCandidate.value === "object" && selectedCandidate.value !== null && !Array.isArray(selectedCandidate.value) && "$derive" in selectedCandidate.value ? {
       derived: true
     } : {}
@@ -3050,20 +3163,35 @@ async function listStoredNamespace(namespace, options) {
     ...options,
     ...namespace === "secret" ? { secretResolution: "lazy" } : {}
   });
-  return Array.from(runtime.graph.entries.values()).filter((entry) => entry.namespace === namespace).map((entry) => {
+  const revealSecrets = namespace === "secret" && (options.cliArgs?.includes("--reveal") ?? false);
+  const results = [];
+  for (const entry of Array.from(runtime.graph.entries.values()).filter((candidate) => candidate.namespace === namespace)) {
     const stored = toStoredEntry(namespace, entry, options);
     if (!stored) {
-      return void 0;
+      continue;
     }
-    return {
+    const value = namespace === "secret" ? revealSecrets ? (await runtime.refreshSecret(entry.key), runtime.secret(entry.key.slice("secret.".length))) : maskSecretValue(stored.value) : stored.derived ? runtime.read(entry.key) : stored.value;
+    if (value === void 0 || !matchesPrefix(stored.key, options.prefix)) {
+      continue;
+    }
+    results.push({
       ...stored,
-      value: stored.derived ? runtime.read(entry.key) : stored.value
-    };
-  }).filter((entry) => Boolean(entry)).filter((entry) => entry.value !== void 0).filter((entry) => matchesPrefix(entry.key, options.prefix)).sort((left, right) => left.key.localeCompare(right.key));
+      value
+    });
+  }
+  return results.sort((left, right) => left.key.localeCompare(right.key));
 }
 function listProjectedNamespace(namespace, options) {
-  return createRuntimeService(options).then((runtime) => {
-    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? runtime.toEnv() : namespace === "public" ? runtime.toPublicEnv({
+  return createRuntimeService({
+    ...options,
+    ...namespace === "env" ? { secretResolution: "lazy" } : {}
+  }).then(async (runtime) => {
+    const revealSecrets = options.cliArgs?.includes("--reveal") ?? false;
+    const secretMappings = namespace === "env" ? getSecretEnvMappings(runtime) : [];
+    if (namespace === "env" && revealSecrets && secretMappings.length > 0) {
+      await hydrateSecretEnvMappings(runtime, secretMappings);
+    }
+    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? revealSecrets ? runtime.toEnv({ includeSecrets: true }) : applyMaskedSecretEnvMappings(runtime.toEnv(), secretMappings) : namespace === "public" ? runtime.toPublicEnv({
       ...options.framework ? {
         framework: options.framework
       } : {}
@@ -3129,11 +3257,15 @@ async function runList(args = [], options = {}) {
   const namespace = normalizeNamespace(args[0] ?? consumeOption(cliArgs, "--namespace"));
   const prefix = consumeOption(cliArgs, "--prefix");
   const framework = consumeOption(cliArgs, "--framework");
+  const vault = consumeOption(cliArgs, "--vault");
+  const provider = consumeOption(cliArgs, "--provider");
   const entries = await listConfigEntries(namespace, {
     ...options,
     cliArgs,
     ...prefix ? { prefix } : {},
-    ...framework ? { framework } : {}
+    ...framework ? { framework } : {},
+    ...vault ? { vault } : {},
+    ...provider ? { provider } : {}
   });
   if (options.json) {
     return printJson(entries);
@@ -3141,6 +3273,16 @@ async function runList(args = [], options = {}) {
   if (entries.length === 0) {
     return "";
   }
+  if (namespace === "secret") {
+    return printTable(
+      entries.map((entry) => ({
+        key: entry.key,
+        value: printValue(entry.value),
+        vault: entry.vault ?? "default",
+        provider: entry.provider ?? "local"
+      }))
+    );
+  }
   return entries.map((entry) => `${entry.key}=${printValue(entry.value)}${entry.derived ? "  (derived)" : ""}`).join("\n");
 }
 
@@ -3603,9 +3745,9 @@ async function runOnboard(options = {}) {
 import path17 from "path";
 
 // src/services/context.ts
-import { readFile as readFile6, writeFile as writeFile5 } from "fs/promises";
+import { readFile as readFile6, writeFile as writeFile6 } from "fs/promises";
 import path15 from "path";
-import { parseYaml as parseYaml4, stringifyYaml as stringifyYaml3 } from "@kitsy/cnos/internal";
+import { parseYaml as parseYaml4, stringifyYaml as stringifyYaml4 } from "@kitsy/cnos/internal";
 async function loadCliContext(root = process.cwd()) {
   const filePath = path15.join(path15.resolve(root), ".cnos-workspace.yml");
   try {
@@ -3631,7 +3773,7 @@ async function saveCliContext(options = {}) {
     ...options.profile ? { profile: options.profile } : {},
     ...options.globalRoot ? { globalRoot: options.globalRoot } : {}
   };
-  await writeFile5(filePath, stringifyYaml3(next), "utf8");
+  await writeFile6(filePath, stringifyYaml4(next), "utf8");
   return {
     filePath,
     context: next
@@ -3639,9 +3781,9 @@ async function saveCliContext(options = {}) {
 }
 
 // src/services/profiles.ts
-import { mkdir as mkdir6, readdir as readdir4, readFile as readFile7, rm as rm3, writeFile as writeFile6 } from "fs/promises";
+import { mkdir as mkdir6, readdir as readdir4, readFile as readFile7, rm as rm3, writeFile as writeFile7 } from "fs/promises";
 import path16 from "path";
-import { loadManifest as loadManifest6, parseYaml as parseYaml5, stringifyYaml as stringifyYaml4 } from "@kitsy/cnos/internal";
+import { loadManifest as loadManifest6, parseYaml as parseYaml5, stringifyYaml as stringifyYaml5 } from "@kitsy/cnos/internal";
 async function resolveProfilesRoot(root = process.cwd()) {
   try {
     const loadedManifest = await loadManifest6({ root });
@@ -3667,7 +3809,7 @@ async function createProfileDefinition(root = process.cwd(), profile, inherit, o
   } : {
     name: profile
   };
-  await writeFile6(filePath, stringifyYaml4(document), "utf8");
+  await writeFile7(filePath, stringifyYaml5(document), "utf8");
   return {
     filePath,
     profile,
@@ -3790,11 +3932,11 @@ async function runProfile(args, options = {}) {
 
 // src/commands/promote.ts
 import path18 from "path";
-import { writeFile as writeFile7 } from "fs/promises";
+import { writeFile as writeFile8 } from "fs/promises";
 import {
   ensureProjectionAllowed,
   loadManifest as loadManifest7,
-  stringifyYaml as stringifyYaml5
+  stringifyYaml as stringifyYaml6
 } from "@kitsy/cnos/internal";
 function normalizeTarget(value) {
   if (value === "public" || value === "env") {
@@ -3810,6 +3952,7 @@ async function runPromote(args = [], options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
   const target = normalizeTarget(consumeOption(cliArgs, "--to"));
   const alias = consumeOption(cliArgs, "--as");
+  const allowSecret = cliArgs.includes("--allow-secret");
   const keys = args.filter(Boolean);
   if (keys.length === 0) {
     throw new Error("promote requires at least one logical key");
@@ -3821,6 +3964,8 @@ async function runPromote(args = [], options = {}) {
     if (!alias) {
       throw new Error("promote --to env requires --as <ENV_VAR>");
     }
+  } else if (allowSecret) {
+    throw new Error("--allow-secret is only supported with promote --to env");
   }
   const loadedManifest = await loadManifest7({
     ...options.root ? { root: options.root } : {},
@@ -3832,7 +3977,9 @@ async function runPromote(args = [], options = {}) {
   });
   await assertWritableConfigRoot(`promote ${keys.join(", ")}`, options);
   for (const key of keys) {
-    ensureProjectionAllowed(loadedManifest.manifest, key, target);
+    ensureProjectionAllowed(loadedManifest.manifest, key, target, {
+      allowSecretForEnv: allowSecret && target === "env"
+    });
   }
   const rawManifest = {
     ...loadedManifest.rawManifest
@@ -3853,7 +4000,7 @@ async function runPromote(args = [], options = {}) {
       })
     };
   }
-  await writeFile7(loadedManifest.manifestPath, stringifyYaml5(rawManifest), "utf8");
+  await writeFile8(loadedManifest.manifestPath, stringifyYaml6(rawManifest), "utf8");
   if (options.json) {
     return printJson({
       target,
@@ -3862,7 +4009,7 @@ async function runPromote(args = [], options = {}) {
       manifestPath: loadedManifest.manifestPath
     });
   }
-  return target === "public" ? `promoted ${keys.join(", ")} to public in ${displayPath(loadedManifest.manifestPath, root)}` : `promoted ${keys[0]} to env as ${alias} in ${displayPath(loadedManifest.manifestPath, root)}`;
+  return target === "public" ? `promoted ${keys.join(", ")} to public in ${displayPath(loadedManifest.manifestPath, root)}` : `promoted ${keys[0]} to env as ${alias}${allowSecret ? " with secret override" : ""} in ${displayPath(loadedManifest.manifestPath, root)}`;
 }
 
 // src/commands/read.ts
@@ -3987,12 +4134,14 @@ async function runCommand(command, options = {}) {
 
 // src/commands/secret.ts
 import path21 from "path";
+import readline3 from "readline";
+import { Writable } from "stream";
 
 // src/commands/vault.ts
 import path20 from "path";
 
 // src/services/vaults.ts
-import { rm as rm4, writeFile as writeFile8 } from "fs/promises";
+import { rm as rm4, writeFile as writeFile9 } from "fs/promises";
 import path19 from "path";
 import {
   clearAllVaultSessionKeys,
@@ -4006,7 +4155,7 @@ import {
   resolveSecretStoreRoot as resolveSecretStoreRoot2,
   resolveVaultAuth as resolveVaultAuth2,
   resolveVaultDefinition,
-  stringifyYaml as stringifyYaml6,
+  stringifyYaml as stringifyYaml7,
   writeKeychain,
   writeVaultSessionKey
 } from "@kitsy/cnos/internal";
@@ -4055,7 +4204,7 @@ async function createVaultDefinition(name, options = {}) {
       [vault]: vaultDefinition
     }
   };
-  await writeFile8(loadedManifest.manifestPath, stringifyYaml6(rawManifest), "utf8");
+  await writeFile9(loadedManifest.manifestPath, stringifyYaml7(rawManifest), "utf8");
   const definition = resolveVaultDefinition({ [vault]: vaultDefinition }, vault);
   if (provider === "local") {
     const auth = await resolveVaultAuth2(vault, vaultDefinition, options.processEnv ?? process.env);
@@ -4121,7 +4270,7 @@ async function removeVaultDefinition(name, options = {}) {
   if (Object.keys(nextVaults).length === 0) {
     delete rawManifest.vaults;
   }
-  await writeFile8(loadedManifest.manifestPath, stringifyYaml6(rawManifest), "utf8");
+  await writeFile9(loadedManifest.manifestPath, stringifyYaml7(rawManifest), "utf8");
   const vaultRoot = path19.join(resolveSecretStoreRoot2(options.processEnv), "vaults", vault);
   let removedStore;
   try {
@@ -4325,6 +4474,45 @@ async function readStdinValue() {
   }
   return Buffer.concat(chunks).toString("utf8").trimEnd();
 }
+async function promptHiddenValue(message) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new Error("Cannot prompt for a secret value in non-interactive mode. Pass <value> explicitly or use --stdin.");
+  }
+  const mutableStdout = new WritableMask();
+  const rl = readline3.createInterface({
+    input: process.stdin,
+    output: mutableStdout,
+    terminal: true
+  });
+  try {
+    mutableStdout.muted = true;
+    const value = await new Promise((resolve) => {
+      rl.question(message, resolve);
+    });
+    process.stdout.write("\n");
+    return value;
+  } finally {
+    rl.close();
+  }
+}
+async function resolveSecretSetValue(secretPath, providedValue, stdin) {
+  if (stdin) {
+    return readStdinValue();
+  }
+  if (providedValue !== void 0) {
+    return providedValue;
+  }
+  return promptHiddenValue(`Enter value for secret "${secretPath}": `);
+}
+var WritableMask = class extends Writable {
+  muted = false;
+  _write(chunk, _encoding, callback) {
+    if (!this.muted) {
+      process.stdout.write(chunk);
+    }
+    callback();
+  }
+};
 async function runSecret(argsOrPath, options = {}) {
   const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
   const { action, tail } = normalizeSecretCommand(args);
@@ -4337,34 +4525,27 @@ async function runSecret(argsOrPath, options = {}) {
     return runVault(["create", tail[0] ?? "default"], options);
   }
   if (action === "list") {
-    const runtime2 = await createRuntimeService({
-      ...options,
-      secretResolution: "lazy"
-    });
     const prefix = consumeOption(cliArgs, "--prefix");
     const vault = consumeOption(cliArgs, "--vault");
     const provider = consumeOption(cliArgs, "--provider");
-    const entries = Array.from(runtime2.graph.entries.values()).filter((entry2) => entry2.namespace === "secret").filter((entry2) => !prefix || entry2.key.startsWith(`secret.${prefix}`) || entry2.key.startsWith(prefix)).filter((entry2) => {
-      const secretRef2 = entry2.winner.metadata?.secretRef;
-      if (vault && secretRef2?.vault !== vault) {
-        return false;
-      }
-      if (provider && secretRef2?.provider !== provider) {
-        return false;
-      }
-      return true;
-    }).map((entry2) => {
-      const secretRef2 = entry2.winner.metadata?.secretRef;
-      return {
-        key: entry2.key,
-        vault: secretRef2?.vault ?? "default",
-        provider: secretRef2?.provider ?? "local"
-      };
-    }).sort((left, right) => left.key.localeCompare(right.key));
+    const entries = await listConfigEntries("secret", {
+      ...options,
+      cliArgs,
+      ...prefix ? { prefix } : {},
+      ...vault ? { vault } : {},
+      ...provider ? { provider } : {}
+    });
     if (options.json) {
       return printJson(entries);
     }
-    return entries.map((entry2) => `${entry2.key} (vault: ${entry2.vault}, provider: ${entry2.provider})`).join("\n");
+    return printTable(
+      entries.map((entry2) => ({
+        key: entry2.key,
+        value: printValue(entry2.value),
+        vault: entry2.vault ?? "default",
+        provider: entry2.provider ?? "local"
+      }))
+    );
   }
   if (action === "set") {
     const secretPath2 = tail[0];
@@ -4376,8 +4557,9 @@ async function runSecret(argsOrPath, options = {}) {
     const provider = consumeOption(cliArgs, "--provider");
     const vault = consumeOption(cliArgs, "--vault") ?? "default";
     const mode = local ? "local" : remote ? "remote" : ref ? "ref" : void 0;
-    const rawValue = stdin ? await readStdinValue() : tail[1] ?? "";
-    const result = await setSecret(secretPath2 ?? "app.token", rawValue, {
+    const resolvedSecretPath = secretPath2 ?? "app.token";
+    const rawValue = await resolveSecretSetValue(resolvedSecretPath, tail[1], stdin);
+    const result = await setSecret(resolvedSecretPath, rawValue, {
       ...options,
       cliArgs,
       target,
@@ -4486,6 +4668,16 @@ function writeJson(response, statusCode, payload) {
   response.end(`${printJson(payload)}
 `);
 }
+async function readJsonBody(request) {
+  const chunks = [];
+  for await (const chunk of request) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  if (chunks.length === 0) {
+    return {};
+  }
+  return JSON.parse(Buffer.concat(chunks).toString("utf8"));
+}
 function maskInspectResult(key, value) {
   if (!key.startsWith("secret.")) {
     return value;
@@ -4517,6 +4709,24 @@ function toRuntimeOptionsFromQuery(baseOptions, searchParams) {
     ...profile ? { profile } : {}
   };
 }
+function toRuntimeOptionsFromBody(baseOptions, body) {
+  const workspace = typeof body.workspace === "string" ? body.workspace.trim() : "";
+  const profile = typeof body.profile === "string" ? body.profile.trim() : "";
+  return {
+    ...baseOptions,
+    ...workspace ? { workspace } : {},
+    ...profile ? { profile } : {}
+  };
+}
+function withUiPassphrase(processEnv, passphrase) {
+  if (!passphrase?.trim()) {
+    return processEnv;
+  }
+  return {
+    ...processEnv ?? process.env,
+    CNOS_SECRET_PASSPHRASE: passphrase.trim()
+  };
+}
 async function handleSummary(options, searchParams) {
   const runtimeOptions = toRuntimeOptionsFromQuery(options, searchParams);
   const runtime = await createRuntimeService({
@@ -4562,21 +4772,62 @@ async function handleSummary(options, searchParams) {
     vaults: Object.keys(runtime.manifest.vaults)
   };
 }
+async function handleRevealList(body, options) {
+  const prefix = typeof body.prefix === "string" ? body.prefix.trim() : "";
+  const passphrase = typeof body.passphrase === "string" ? body.passphrase : void 0;
+  const runtimeOptions = toRuntimeOptionsFromBody(options, body);
+  const runtime = await createRuntimeService({
+    ...runtimeOptions,
+    processEnv: withUiPassphrase(options.processEnv, passphrase),
+    secretResolution: "lazy"
+  });
+  const entries = [];
+  for (const entry of Array.from(runtime.graph.entries.values()).filter((candidate) => candidate.namespace === "secret").filter((candidate) => {
+    if (!prefix) {
+      return true;
+    }
+    return candidate.key.startsWith(prefix) || candidate.key.split(".").slice(1).join(".").startsWith(prefix);
+  }).sort((left, right) => left.key.localeCompare(right.key))) {
+    await runtime.refreshSecret(entry.key);
+    entries.push({
+      key: entry.key,
+      value: runtime.read(entry.key),
+      ...typeof entry.winner.value === "object" && entry.winner.value !== null && !Array.isArray(entry.winner.value) && "$derive" in entry.winner.value ? { derived: true } : {}
+    });
+  }
+  return {
+    namespace: "secret",
+    entries
+  };
+}
+async function handleRevealInspect(body, options) {
+  const key = typeof body.key === "string" ? body.key.trim() : "";
+  if (!key) {
+    throw new Error("Missing key");
+  }
+  const passphrase = typeof body.passphrase === "string" ? body.passphrase : void 0;
+  const runtimeOptions = toRuntimeOptionsFromBody(options, body);
+  const runtime = await createRuntimeService({
+    ...runtimeOptions,
+    processEnv: withUiPassphrase(options.processEnv, passphrase),
+    ...key.startsWith("secret.") ? { secretResolution: "lazy" } : {}
+  });
+  if (key.startsWith("secret.")) {
+    await runtime.refreshSecret(key);
+  }
+  return runtime.inspect(key);
+}
 async function handleRequest(request, response, options) {
   const url = new URL(request.url ?? "/", "http://127.0.0.1");
-  if (request.method !== "GET") {
-    writeJson(response, 405, { error: "Method not allowed" });
-    return;
-  }
-  if (url.pathname === "/api/health") {
+  if (request.method === "GET" && url.pathname === "/api/health") {
     writeJson(response, 200, { ok: true });
     return;
   }
-  if (url.pathname === "/api/summary") {
+  if (request.method === "GET" && url.pathname === "/api/summary") {
     writeJson(response, 200, await handleSummary(options, url.searchParams));
     return;
   }
-  if (url.pathname === "/api/list") {
+  if (request.method === "GET" && url.pathname === "/api/list") {
     const namespace = url.searchParams.get("namespace") ?? "value";
     const prefix = url.searchParams.get("prefix") ?? void 0;
     const runtimeOptions = toRuntimeOptionsFromQuery(options, url.searchParams);
@@ -4591,7 +4842,7 @@ async function handleRequest(request, response, options) {
     });
     return;
   }
-  if (url.pathname === "/api/inspect") {
+  if (request.method === "GET" && url.pathname === "/api/inspect") {
     const key = url.searchParams.get("key");
     if (!key) {
       writeJson(response, 400, { error: "Missing key query parameter" });
@@ -4605,6 +4856,20 @@ async function handleRequest(request, response, options) {
     writeJson(response, 200, maskInspectResult(key, runtime.inspect(key)));
     return;
   }
+  if (request.method === "POST" && url.pathname === "/api/reveal/list") {
+    const body = await readJsonBody(request);
+    writeJson(response, 200, await handleRevealList(body, options));
+    return;
+  }
+  if (request.method === "POST" && url.pathname === "/api/reveal/inspect") {
+    const body = await readJsonBody(request);
+    writeJson(response, 200, await handleRevealInspect(body, options));
+    return;
+  }
+  if (request.method !== "GET" && request.method !== "POST") {
+    writeJson(response, 405, { error: "Method not allowed" });
+    return;
+  }
   writeJson(response, 404, { error: "Not found" });
 }
 function resolveUiUrl(host, port) {
@@ -4684,7 +4949,7 @@ async function runValidate(options = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos-cli",
-  version: "1.9.0",
+  version: "1.9.2",
   description: "CLI entry point and developer tooling for CNOS.",
   type: "module",
   main: "./dist/index.js",
@@ -4961,9 +5226,9 @@ async function runWatch(command, options = {}) {
 }
 
 // src/commands/workspace.ts
-import { cp, mkdir as mkdir7, readdir as readdir5, readFile as readFile8, rename, rm as rm5, stat as stat3, writeFile as writeFile9 } from "fs/promises";
+import { cp, mkdir as mkdir7, readdir as readdir5, readFile as readFile8, rename, rm as rm5, stat as stat3, writeFile as writeFile10 } from "fs/promises";
 import path25 from "path";
-import { loadManifest as loadManifest10, parseYaml as parseYaml6, stringifyYaml as stringifyYaml7 } from "@kitsy/cnos/internal";
+import { loadManifest as loadManifest10, parseYaml as parseYaml6, stringifyYaml as stringifyYaml8 } from "@kitsy/cnos/internal";
 async function exists2(targetPath) {
   try {
     await stat3(targetPath);
@@ -5002,9 +5267,9 @@ async function mergeWorkspaceRootsIntoStandalone(targetCnosRoot, sourceRoots) {
 async function writeAnchor(packageRoot, manifestRoot, workspace) {
   const relativeRoot = path25.relative(packageRoot, manifestRoot).replace(/\\/g, "/");
   const rootValue = relativeRoot.length === 0 ? "./.cnos" : relativeRoot.startsWith(".") ? relativeRoot : `./${relativeRoot}`;
-  await writeFile9(
+  await writeFile10(
     path25.join(packageRoot, ".cnosrc.yml"),
-    stringifyYaml7({
+    stringifyYaml8({
       root: rootValue,
       ...workspace ? { workspace } : {}
     }),
@@ -5054,9 +5319,9 @@ async function hasDirectConfigData(cnosRoot) {
 async function updateRootAnchorToWorkspace(packageRoot, workspaceId) {
   const anchorPath = path25.join(packageRoot, ".cnosrc.yml");
   const current = await exists2(anchorPath) ? parseYaml6(await readFile8(anchorPath, "utf8")) : void 0;
-  await writeFile9(
+  await writeFile10(
     anchorPath,
-    stringifyYaml7({
+    stringifyYaml8({
       root: typeof current?.root === "string" ? current.root : "./.cnos",
       workspace: workspaceId
     }),
@@ -5066,9 +5331,9 @@ async function updateRootAnchorToWorkspace(packageRoot, workspaceId) {
 async function updateWorkspaceContext(packageRoot, workspaceId) {
   const workspacePath = path25.join(packageRoot, ".cnos-workspace.yml");
   const current = await exists2(workspacePath) ? parseYaml6(await readFile8(workspacePath, "utf8")) : void 0;
-  await writeFile9(
+  await writeFile10(
     workspacePath,
-    stringifyYaml7({
+    stringifyYaml8({
       workspace: workspaceId,
       ...typeof current?.profile === "string" ? { profile: current.profile } : {},
       ...typeof current?.globalRoot === "string" ? { globalRoot: current.globalRoot } : { globalRoot: "~/.cnos" }
@@ -5097,9 +5362,9 @@ async function runDetach(packageRoot, options = {}) {
   const localRoots = runtime.graph.workspace.workspaceRoots.filter((root) => root.scope === "local").map((root) => root.path);
   await mkdir7(targetCnosRoot, { recursive: true });
   await mergeWorkspaceRootsIntoStandalone(targetCnosRoot, localRoots);
-  await writeFile9(
+  await writeFile10(
     path25.join(targetCnosRoot, "cnos.yml"),
-    stringifyYaml7(createDetachedManifest(loaded.rawManifest)),
+    stringifyYaml8(createDetachedManifest(loaded.rawManifest)),
     "utf8"
   );
   const relativeRoot = path25.relative(packageRoot, loaded.manifestRoot).replace(/\\/g, "/");
@@ -5112,8 +5377,8 @@ async function runDetach(packageRoot, options = {}) {
       workspace: loaded.anchoredWorkspace
     }
   };
-  await writeFile9(path25.join(targetCnosRoot, ".detached"), stringifyYaml7(marker), "utf8");
-  await writeFile9(path25.join(packageRoot, ".cnosrc.yml"), stringifyYaml7({ root: "./.cnos" }), "utf8");
+  await writeFile10(path25.join(targetCnosRoot, ".detached"), stringifyYaml8(marker), "utf8");
+  await writeFile10(path25.join(packageRoot, ".cnosrc.yml"), stringifyYaml8({ root: "./.cnos" }), "utf8");
   if (options.json) {
     return printJson({
       packageRoot,
@@ -5160,7 +5425,7 @@ async function runAttach(packageRoot, options = {}) {
   items[workspaceId] = items[workspaceId] ?? {};
   workspaces.items = items;
   rawManifest.workspaces = workspaces;
-  await writeFile9(path25.join(parentLoaded.manifestRoot, "cnos.yml"), stringifyYaml7(rawManifest), "utf8");
+  await writeFile10(path25.join(parentLoaded.manifestRoot, "cnos.yml"), stringifyYaml8(rawManifest), "utf8");
   const archivePath = path25.join(packageRoot, ".cnos.detached.bak");
   await rm5(archivePath, { recursive: true, force: true });
   await rename(childCnosRoot, archivePath);
@@ -5242,7 +5507,7 @@ async function runEnable(manifestCwd, packageRoot, options = {}) {
     base: {}
   };
   rawManifest.workspaces = rawWorkspaces;
-  await writeFile9(path25.join(cnosRoot, "cnos.yml"), stringifyYaml7(rawManifest), "utf8");
+  await writeFile10(path25.join(cnosRoot, "cnos.yml"), stringifyYaml8(rawManifest), "utf8");
   await updateRootAnchorToWorkspace(packageRoot, "base");
   await updateWorkspaceContext(packageRoot, "base");
   await ensureGitignore(path25.dirname(cnosRoot));
@@ -5295,7 +5560,7 @@ async function runAddOrScaffold(action, workspaceId, manifestCwd, packageRoot, o
   rawManifest.workspaces = rawWorkspaces;
   const workspaceRoot = path25.join(cnosRoot, "workspaces", workspaceId);
   const created = await ensureWorkspaceLayout(cnosRoot, workspaceId);
-  await writeFile9(path25.join(cnosRoot, "cnos.yml"), stringifyYaml7(rawManifest), "utf8");
+  await writeFile10(path25.join(cnosRoot, "cnos.yml"), stringifyYaml8(rawManifest), "utf8");
   await ensureGitignore(path25.dirname(cnosRoot));
   await writeAnchor(packageRoot, cnosRoot, workspaceId);
   await updateWorkspaceContext(packageRoot, workspaceId);
@@ -5339,7 +5604,7 @@ async function runRemove(workspaceId, manifestCwd, options = {}) {
   delete rawItems[workspaceId];
   rawWorkspaces.items = rawItems;
   rawManifest.workspaces = rawWorkspaces;
-  await writeFile9(path25.join(loaded.manifestRoot, "cnos.yml"), stringifyYaml7(rawManifest), "utf8");
+  await writeFile10(path25.join(loaded.manifestRoot, "cnos.yml"), stringifyYaml8(rawManifest), "utf8");
   await rm5(path25.join(loaded.manifestRoot, "workspaces", workspaceId), { recursive: true, force: true });
   if (options.json) {
     return printJson({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos-cli",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "CLI entry point and developer tooling for CNOS.",
   "type": "module",
   "main": "./dist/index.js",
@@ -37,8 +37,8 @@
   },
   "dependencies": {
     "smol-toml": "^1.4.2",
-    "@kitsy/cnos": "1.9.0",
-    "@kitsy/cnos-ui": "1.9.0"
+    "@kitsy/cnos-ui": "1.9.2",
+    "@kitsy/cnos": "1.9.2"
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm --dts",