@kitsy/cnos-docs 1.11.1 → 1.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/docs/cli/secret.mdx +4 -1
  2. package/docs/cli/vault.mdx +2 -0
  3. package/docs/guides/secrets.mdx +4 -1
  4. package/package.json +1 -1
package/docs/cli/secret.mdx CHANGED
@@ -9,10 +9,13 @@ description: Set, get, list, and delete secrets through configured vaults.
9
9
  cnos secret set app.token super-secret --vault default
10
10
  cnos secret set app.token --vault default
11
11
  printf "super-secret" | cnos secret set app.token --vault default --stdin
12
+ cnos secret set app.token --vault prod-gcp
12
13
  cnos secret get app.token --vault default --reveal
13
14
  cnos secret list
14
15
  cnos secret list --reveal
15
16
  cnos secret delete app.token
16
17
  ```
17
18
 
18
- If you omit `[value]`, CNOS prompts for a masked value interactively so the secret does not have to appear in shell history. In non-interactive environments, pass the value explicitly or use `--stdin`.
19
+ For local vaults, omitting `[value]` prompts for a masked value interactively so the secret does not have to appear in shell history. In non-interactive environments, pass the value explicitly or use `--stdin`.
20
+
21
+ For non-local vaults such as `environment`, `gcp-secret-manager`, `aws-secrets-manager`, `hashicorp-vault`, and `azure-key-vault`, `cnos secret set` writes repo-safe reference metadata only. If `[value]` is omitted, CNOS uses the logical path as the external ref and does not prompt for secret material. Create or update the actual secret in the backing vault separately.
package/docs/cli/vault.mdx CHANGED
@@ -18,3 +18,5 @@ For local vaults, `cnos vault create <name>` initializes the encrypted keystore
18
18
  `cnos vault auth <name>` re-authenticates an existing vault and fails on wrong credentials. Successful auth writes a derived session key under `~/.cnos/secrets/sessions`, so later CNOS commands can reuse it across shells until you run `cnos vault logout <name>` or `cnos vault logout --all`. With `--store-keychain`, CNOS also stores the derived key in the OS keychain.
19
19
 
20
20
  After local vault auth, `cnos secret set <path> --vault <name>` can prompt for a masked secret value interactively when you omit `[value]`.
21
+
22
+ `cnos vault list` can also run outside a CNOS project. In that mode it lists local vault stores from the configured CNOS secret home instead of requiring `.cnosrc.yml`. Project-scoped vault definitions are included when the command runs inside a CNOS workspace.
package/docs/guides/secrets.mdx CHANGED
@@ -15,7 +15,7 @@ cnos secret set app.token --vault default
15
15
 
16
16
  `cnos vault create default` initializes the local encrypted vault immediately. If CNOS cannot resolve a passphrase from env or keychain, it prompts interactively. `cnos vault auth default` is only for re-authenticating an existing vault and rejects wrong passphrases.
17
17
 
18
- When `[value]` is omitted, `cnos secret set` prompts for a masked secret value so it does not have to appear in shell history. For non-interactive pipelines, use `--stdin` instead:
18
+ For local vaults, when `[value]` is omitted, `cnos secret set` prompts for a masked secret value so it does not have to appear in shell history. For non-interactive pipelines, use `--stdin` instead:
19
19
 
20
20
  ```bash
21
21
  printf "super-secret" | cnos secret set app.token --vault default --stdin
@@ -26,10 +26,13 @@ Environment-backed vault:
26
26
  ```bash
27
27
  cnos vault create firebase-prod --provider environment --no-passphrase
28
28
  cnos secret set app.token APP_TOKEN --vault github-ci
29
+ cnos secret set app.token --vault firebase-prod
29
30
  ```
30
31
 
31
32
  `environment` is the generic provider for platforms that inject secrets into environment variables before your process starts. `github-secrets` remains a compatibility alias for the same behavior.
32
33
 
34
+ For non-local vaults such as `environment`, `gcp-secret-manager`, `aws-secrets-manager`, `hashicorp-vault`, and `azure-key-vault`, `cnos secret set` writes reference metadata only. CNOS does not prompt for or store secret material in the repo. If `[value]` is omitted, CNOS uses the logical secret path as the external ref; create or update the actual secret in the backing vault separately.
35
+
33
36
  This is the CNOS bridge for common cloud and CI runtimes:
34
37
 
35
38
  - GitHub Actions secrets
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kitsy/cnos-docs",
3
- "version": "1.11.1",
3
+ "version": "1.11.2",
4
4
  "description": "Source-of-truth CNOS documentation content for Astro Starlight and other static docs consumers.",
5
5
  "type": "module",
6
6
  "exports": {