@kitsy/cnos-docs 1.9.0 → 1.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/docs/cli/build.mdx +1 -1
- package/docs/cli/doctor.mdx +5 -0
- package/docs/cli/promote.mdx +5 -0
- package/docs/cli/secret.mdx +1 -0
- package/docs/cli/ui.mdx +3 -2
- package/package.json +1 -1
package/docs/cli/build.mdx
CHANGED
|
@@ -39,4 +39,4 @@ cnos build env --profile prod --reveal --to .env.production.local
|
|
|
39
39
|
CNOS protects this path in two ways:
|
|
40
40
|
|
|
41
41
|
- it verifies that the target file is gitignored before writing secrets
|
|
42
|
-
- in interactive terminals
|
|
42
|
+
- it prints explicit risk warnings and, in interactive terminals, asks `Do you want to continue?` before continuing
|
package/docs/cli/doctor.mdx
CHANGED
|
@@ -8,4 +8,9 @@ description: Run diagnostics across workspaces, exports, and security rules.
|
|
|
8
8
|
```bash
|
|
9
9
|
cnos doctor
|
|
10
10
|
cnos doctor --json
|
|
11
|
+
cnos doctor --fix-secret-env-mappings
|
|
11
12
|
```
|
|
13
|
+
|
|
14
|
+
The security diagnostics now flag explicit `secret.*` env mappings as a risk because they enable plaintext secret emission into private env surfaces.
|
|
15
|
+
|
|
16
|
+
If those mappings were added by mistake, `cnos doctor --fix-secret-env-mappings` removes them from `envMapping.explicit` in one shot and then reruns diagnostics.
|
package/docs/cli/promote.mdx
CHANGED
|
@@ -8,4 +8,9 @@ description: Promote shareable values into public or env export surfaces.
|
|
|
8
8
|
```bash
|
|
9
9
|
cnos promote value.flag.auth.upi_enabled --to public
|
|
10
10
|
cnos promote value.server.port --to env --as PORT
|
|
11
|
+
cnos promote secret.db.password --to env --as POSTGRES_PASSWORD --allow-secret
|
|
11
12
|
```
|
|
13
|
+
|
|
14
|
+
`public` promotion never allows `secret.*`.
|
|
15
|
+
|
|
16
|
+
`env` mapping can allow `secret.*`, but only when you opt in explicitly with `--allow-secret`. This is intentionally narrow: it declares that a private env surface may carry plaintext secrets for runtimes that do not use the CNOS client directly.
|
package/docs/cli/secret.mdx
CHANGED
|
@@ -9,5 +9,6 @@ description: Set, get, list, and delete secrets through configured vaults.
|
|
|
9
9
|
cnos secret set app.token super-secret --vault default
|
|
10
10
|
cnos secret get app.token --vault default --reveal
|
|
11
11
|
cnos secret list
|
|
12
|
+
cnos secret list --reveal
|
|
12
13
|
cnos secret delete app.token
|
|
13
14
|
```
|
package/docs/cli/ui.mdx
CHANGED
|
@@ -18,7 +18,7 @@ cnos ui --port 4400 --api-port 4401
|
|
|
18
18
|
Use it when you want a faster adoption path than raw CLI output for:
|
|
19
19
|
|
|
20
20
|
- value and meta browsing
|
|
21
|
-
- secret listing with
|
|
21
|
+
- secret listing, with optional reveal using a supplied vault passphrase
|
|
22
22
|
- env mapping review
|
|
23
23
|
- public promotion review
|
|
24
24
|
- inspect/provenance tracing
|
|
@@ -38,5 +38,6 @@ Workspace and profile switching now happen inside the UI itself.
|
|
|
38
38
|
## Notes
|
|
39
39
|
|
|
40
40
|
- The UI is read-only in this first cut.
|
|
41
|
-
- Secret keys stay masked in the browser.
|
|
41
|
+
- Secret keys stay masked by default in the browser.
|
|
42
|
+
- Revealing secrets is local-only and uses the supplied passphrase or existing vault auth state.
|
|
42
43
|
- Use `cnos inspect` or `cnos read --reveal` when you need terminal-first detail.
|