@kitsy/cnos-docs 1.9.0 → 1.9.2

package/docs/cli/build.mdx

@@ -39,4 +39,4 @@ cnos build env --profile prod --reveal --to .env.production.local
 CNOS protects this path in two ways:
 
 - it verifies that the target file is gitignored before writing secrets
-- in interactive terminals it prints a warning prompt before continuing
+- it prints explicit risk warnings and, in interactive terminals, asks `Do you want to continue?` before continuing

package/docs/cli/doctor.mdx

@@ -8,4 +8,9 @@ description: Run diagnostics across workspaces, exports, and security rules.
 ```bash
 cnos doctor
 cnos doctor --json
+cnos doctor --fix-secret-env-mappings
 ```
+
+The security diagnostics now flag explicit `secret.*` env mappings as a risk because they enable plaintext secret emission into private env surfaces.
+
+If those mappings were added by mistake, `cnos doctor --fix-secret-env-mappings` removes them from `envMapping.explicit` in one shot and then reruns diagnostics.

package/docs/cli/promote.mdx

@@ -8,4 +8,9 @@ description: Promote shareable values into public or env export surfaces.
 ```bash
 cnos promote value.flag.auth.upi_enabled --to public
 cnos promote value.server.port --to env --as PORT
+cnos promote secret.db.password --to env --as POSTGRES_PASSWORD --allow-secret
 ```
+
+`public` promotion never allows `secret.*`.
+
+`env` mapping can allow `secret.*`, but only when you opt in explicitly with `--allow-secret`. This is intentionally narrow: it declares that a private env surface may carry plaintext secrets for runtimes that do not use the CNOS client directly.

package/docs/cli/secret.mdx

@@ -7,7 +7,12 @@ description: Set, get, list, and delete secrets through configured vaults.
 
 ```bash
 cnos secret set app.token super-secret --vault default
+cnos secret set app.token --vault default
+printf "super-secret" | cnos secret set app.token --vault default --stdin
 cnos secret get app.token --vault default --reveal
 cnos secret list
+cnos secret list --reveal
 cnos secret delete app.token
 ```
+
+If you omit `[value]`, CNOS prompts for a masked value interactively so the secret does not have to appear in shell history. In non-interactive environments, pass the value explicitly or use `--stdin`.

package/docs/cli/ui.mdx

@@ -18,7 +18,7 @@ cnos ui --port 4400 --api-port 4401
 Use it when you want a faster adoption path than raw CLI output for:
 
 - value and meta browsing
-- secret listing with masking intact
+- secret listing, with optional reveal using a supplied vault passphrase
 - env mapping review
 - public promotion review
 - inspect/provenance tracing
@@ -38,5 +38,6 @@ Workspace and profile switching now happen inside the UI itself.
 ## Notes
 
 - The UI is read-only in this first cut.
-- Secret keys stay masked in the browser.
+- Secret keys stay masked by default in the browser.
+- Revealing secrets is local-only and uses the supplied passphrase or existing vault auth state.
 - Use `cnos inspect` or `cnos read --reveal` when you need terminal-first detail.

package/docs/cli/vault.mdx

@@ -16,3 +16,5 @@ cnos vault remove default
 For local vaults, `cnos vault create <name>` initializes the encrypted keystore immediately. CNOS prompts for a passphrase if one is not already available through `CNOS_SECRET_PASSPHRASE_<VAULT>`, `CNOS_SECRET_PASSPHRASE`, or the OS keychain.
 
 `cnos vault auth <name>` re-authenticates an existing vault and fails on wrong credentials. Successful auth writes a derived session key under `~/.cnos/secrets/sessions`, so later CNOS commands can reuse it across shells until you run `cnos vault logout <name>` or `cnos vault logout --all`. With `--store-keychain`, CNOS also stores the derived key in the OS keychain.
+
+After local vault auth, `cnos secret set <path> --vault <name>` can prompt for a masked secret value interactively when you omit `[value]`.

package/docs/getting-started/your-first-project.mdx

@@ -31,9 +31,11 @@ Create a local vault and authenticate it:
 ```bash
 cnos vault create default
 cnos vault auth default
-cnos secret set app.token super-secret --vault default
+cnos secret set app.token --vault default
 ```
 
+CNOS prompts for the secret with masked input when you omit the value, which keeps it out of shell history. For non-interactive scripts, pass the secret over `--stdin`.
+
 If the project later becomes a monorepo, do not create a second `.cnos`. Convert the existing repo and add children:
 
 ```bash

package/docs/guides/secrets.mdx

@@ -10,11 +10,17 @@ Local vault:
 ```bash
 cnos vault create default
 cnos vault auth default
-cnos secret set app.token super-secret --vault default
+cnos secret set app.token --vault default
 ```
 
 `cnos vault create default` initializes the local encrypted vault immediately. If CNOS cannot resolve a passphrase from env or keychain, it prompts interactively. `cnos vault auth default` is only for re-authenticating an existing vault and rejects wrong passphrases.
 
+When `[value]` is omitted, `cnos secret set` prompts for a masked secret value so it does not have to appear in shell history. For non-interactive pipelines, use `--stdin` instead:
+
+```bash
+printf "super-secret" | cnos secret set app.token --vault default --stdin
+```
+
 Environment-backed vault:
 
 ```bash

package/manifest.yml

@@ -1,7 +1,7 @@
 product: cnos
 title: CNOS Documentation
 tagline: Configuration orchestration for apps, monorepos, and deployment pipelines
-version: "1.8.4"
+version: "1.9.2"
 
 sidebar:
   - group: Getting Started

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos-docs",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "Source-of-truth CNOS documentation content for Astro Starlight and other static docs consumers.",
   "type": "module",
   "exports": {