@kitsy/cnos 0.0.1 → 1.0.1

package/dist/chunk-K2T4R5WH.js

@@ -0,0 +1,1565 @@
+// ../core/src/utils/path.ts
+import { access } from "fs/promises";
+import os from "os";
+import path from "path";
+
+// ../core/src/errors.ts
+var CnosError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = new.target.name;
+  }
+};
+var CnosManifestError = class extends CnosError {
+  constructor(message, manifestPath) {
+    super(manifestPath ? `${message} (${manifestPath})` : message);
+    this.manifestPath = manifestPath;
+  }
+  manifestPath;
+};
+var CnosKeyNotFoundError = class extends CnosError {
+  constructor(key) {
+    super(`Missing required CNOS config key: ${key}`);
+    this.key = key;
+  }
+  key;
+};
+
+// ../core/src/utils/path.ts
+var PRIMARY_CNOS_DIR = ".cnos";
+var LEGACY_CNOS_DIR = "cnos";
+async function exists(filePath) {
+  try {
+    await access(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveCnosRoot(root = process.cwd()) {
+  const basePath = path.resolve(root);
+  const candidates = [
+    path.join(basePath, PRIMARY_CNOS_DIR),
+    path.join(basePath, LEGACY_CNOS_DIR),
+    basePath
+  ];
+  for (const candidate of candidates) {
+    if (await exists(path.join(candidate, "cnos.yml"))) {
+      return candidate;
+    }
+  }
+  throw new CnosManifestError(
+    `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
+  );
+}
+async function resolveManifestRoot(root = process.cwd()) {
+  return resolveCnosRoot(root);
+}
+function interpolatePathTemplate(template, tokens) {
+  return Object.entries(tokens).reduce(
+    (result, [token, value]) => result.replaceAll(`{${token}}`, value),
+    template
+  );
+}
+function expandHomePath(targetPath) {
+  if (targetPath === "~") {
+    return os.homedir();
+  }
+  if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
+    return path.join(os.homedir(), targetPath.slice(2));
+  }
+  return targetPath;
+}
+function stripWorkspaceTemplatePrefix(template) {
+  const normalized = template.replace(/\\/g, "/").replace(/^\.\//, "");
+  const marker = "workspaces/{workspace}";
+  if (normalized === marker) {
+    return ".";
+  }
+  if (normalized.startsWith(`${marker}/`)) {
+    return normalized.slice(marker.length + 1);
+  }
+  return template;
+}
+function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
+  const relativeTemplate = stripWorkspaceTemplatePrefix(template);
+  const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
+  return path.resolve(workspaceRoot, interpolated);
+}
+function resolveNamespaceDirectory(workspaceRoot, namespace, profile) {
+  const rootFolder = namespace === "value" ? "values" : "secrets";
+  if (profile && profile !== "base") {
+    return path.resolve(workspaceRoot, "profiles", profile, rootFolder);
+  }
+  return path.resolve(workspaceRoot, rootFolder);
+}
+function resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile) {
+  const namespaceRoot = resolveNamespaceDirectory(workspaceRoot, namespace, profile);
+  const fileName = `${configPath.split(".").shift() ?? "app"}.yml`;
+  return path.resolve(namespaceRoot, fileName);
+}
+function toPortablePath(targetPath) {
+  return targetPath.replace(/\\/g, "/");
+}
+function joinConfigPath(...parts) {
+  return parts.flatMap((part) => part.split(".")).map((part) => part.trim()).filter(Boolean).join(".");
+}
+function toLogicalKey(namespace, valuePath) {
+  return `${namespace}.${joinConfigPath(valuePath)}`;
+}
+function stripNamespace(key) {
+  return key.split(".").slice(1).join(".");
+}
+
+// ../core/src/utils/yaml.ts
+import { parse, stringify } from "yaml";
+function parseYaml(source) {
+  return parse(source);
+}
+function stringifyYaml(value) {
+  return stringify(value);
+}
+
+// ../core/src/utils/envNaming.ts
+function normalizeMappingConfig(config = {}) {
+  return {
+    convention: config.convention,
+    explicit: config.explicit ?? {}
+  };
+}
+function toScreamingSnakeSegment(segment) {
+  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function toScreamingSnake(path8) {
+  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+}
+function fromScreamingSnake(path8) {
+  return path8.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+}
+function logicalKeyToEnvVar(key, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
+  if (explicitEntry) {
+    return explicitEntry[0];
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (key.startsWith("value.")) {
+    return toScreamingSnake(key.slice("value.".length));
+  }
+  if (key.startsWith("secret.")) {
+    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
+  }
+  return void 0;
+}
+function envVarToLogicalKey(envVar, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitMatch = normalized.explicit[envVar];
+  if (explicitMatch) {
+    return explicitMatch;
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (envVar.startsWith("SECRET_")) {
+    const stripped = envVar.slice("SECRET_".length);
+    if (!stripped) {
+      return void 0;
+    }
+    return `secret.${fromScreamingSnake(stripped)}`;
+  }
+  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
+    return void 0;
+  }
+  return `value.${fromScreamingSnake(envVar)}`;
+}
+
+// ../core/src/runtime/toEnv.ts
+function fallbackLogicalKeyToEnvVar(key) {
+  if (key.startsWith("value.")) {
+    return key.slice("value.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  }
+  if (key.startsWith("secret.")) {
+    const normalized = key.slice("secret.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+    return `SECRET_${normalized}`;
+  }
+  return key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function normalizeEnvValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function toEnv(graph, manifest, options = {}) {
+  const includeSecrets = options.includeSecrets ?? true;
+  const output = {};
+  const resolvedEntries = Array.from(graph.entries.values()).sort(
+    (left, right) => left.key.localeCompare(right.key)
+  );
+  for (const entry of resolvedEntries) {
+    if (entry.namespace === "meta") {
+      continue;
+    }
+    if (!includeSecrets && entry.namespace === "secret") {
+      continue;
+    }
+    const envVar = logicalKeyToEnvVar(entry.key, manifest.envMapping) ?? fallbackLogicalKeyToEnvVar(entry.key);
+    output[envVar] = normalizeEnvValue(entry.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/toPublicEnv.ts
+function fallbackValueEnvVar(key) {
+  return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function normalizeEnvValue2(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function resolvePublicPrefix(manifest, options) {
+  if (options.prefix) {
+    return options.prefix;
+  }
+  if (!options.framework) {
+    return "";
+  }
+  const configuredPrefix = manifest.public.frameworks[options.framework];
+  if (!configuredPrefix) {
+    throw new CnosManifestError(`Unknown public framework prefix: ${options.framework}`);
+  }
+  return configuredPrefix;
+}
+function ensurePublicPromotionKey(key) {
+  if (!key.startsWith("value.")) {
+    throw new CnosManifestError(`public.promote may only contain value.* keys: ${key}`);
+  }
+}
+function toPublicEnv(graph, manifest, options = {}) {
+  const prefix = resolvePublicPrefix(manifest, options);
+  const output = {};
+  const promotions = [...manifest.public.promote].sort((left, right) => left.localeCompare(right));
+  for (const key of promotions) {
+    ensurePublicPromotionKey(key);
+    const resolved = graph.entries.get(key);
+    if (!resolved) {
+      continue;
+    }
+    const baseEnvVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? fallbackValueEnvVar(key);
+    const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
+    output[envVar] = normalizeEnvValue2(resolved.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/dump.ts
+import { mkdir, writeFile } from "fs/promises";
+import path2 from "path";
+
+// ../core/src/runtime/projection.ts
+function setNestedValue(target, pathSegments, value) {
+  const [head, ...tail] = pathSegments;
+  if (!head) {
+    return;
+  }
+  if (tail.length === 0) {
+    target[head] = value;
+    return;
+  }
+  const current = target[head];
+  const nextTarget = current && typeof current === "object" && !Array.isArray(current) ? current : {};
+  target[head] = nextTarget;
+  setNestedValue(nextTarget, tail, value);
+}
+function toNamespaceObject(graph, namespace) {
+  const output = {};
+  const resolvedEntries = Array.from(graph.entries.values()).sort(
+    (left, right) => left.key.localeCompare(right.key)
+  );
+  for (const entry of resolvedEntries) {
+    if (namespace && entry.namespace !== namespace) {
+      continue;
+    }
+    const valuePath = namespace ? stripNamespace(entry.key) : entry.key;
+    setNestedValue(output, valuePath.split("."), entry.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/dump.ts
+function buildDumpFiles(graph, options = {}) {
+  const basePath = options.flatten ? "" : path2.posix.join("workspaces", graph.workspace.workspaceId);
+  const values = toNamespaceObject(graph, "value");
+  const secrets = toNamespaceObject(graph, "secret");
+  const files = [];
+  if (Object.keys(values).length > 0) {
+    files.push({
+      path: path2.posix.join(basePath, "values", graph.profile, "app.yml"),
+      namespace: "value",
+      content: stringifyYaml(values)
+    });
+  }
+  if (Object.keys(secrets).length > 0) {
+    files.push({
+      path: path2.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      namespace: "secret",
+      content: stringifyYaml(secrets)
+    });
+  }
+  return files.sort((left, right) => left.path.localeCompare(right.path));
+}
+function planDump(graph, options = {}) {
+  return {
+    workspaceId: graph.workspace.workspaceId,
+    profile: graph.profile,
+    flatten: options.flatten ?? false,
+    files: buildDumpFiles(graph, options)
+  };
+}
+async function writeDump(graph, options) {
+  const root = path2.resolve(options.to);
+  const plan = planDump(graph, options);
+  for (const file of plan.files) {
+    const destination = path2.join(root, file.path);
+    await mkdir(path2.dirname(destination), { recursive: true });
+    await writeFile(destination, file.content, "utf8");
+  }
+  return {
+    ...plan,
+    root
+  };
+}
+
+// ../core/src/utils/flatten.ts
+function flattenObject(value, prefix = "") {
+  return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
+    const nextKey = prefix ? `${prefix}.${key}` : key;
+    if (nestedValue && typeof nestedValue === "object" && !Array.isArray(nestedValue)) {
+      Object.assign(accumulator, flattenObject(nestedValue, nextKey));
+      return accumulator;
+    }
+    accumulator[nextKey] = nestedValue;
+    return accumulator;
+  }, {});
+}
+
+// ../core/src/utils/secretStore.ts
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { mkdir as mkdir2, readFile, writeFile as writeFile2 } from "fs/promises";
+import path3 from "path";
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && Object.keys(value).every((key) => ["provider", "ref"].includes(key));
+}
+function resolveSecretStoreRoot(processEnv = process.env) {
+  return path3.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+}
+function resolveSecretStoreFile(storeRoot, ref) {
+  return path3.join(storeRoot, "store", ...ref.split("/")).concat(".json");
+}
+function deriveKey(passphrase, salt) {
+  return scryptSync(passphrase, salt, 32);
+}
+function encryptDocument(value, passphrase) {
+  const salt = randomBytes(16);
+  const iv = randomBytes(12);
+  const key = deriveKey(passphrase, salt);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    version: 1,
+    algorithm: "aes-256-gcm",
+    salt: salt.toString("base64"),
+    iv: iv.toString("base64"),
+    tag: tag.toString("base64"),
+    ciphertext: ciphertext.toString("base64")
+  };
+}
+function decryptDocument(document, passphrase) {
+  const salt = Buffer.from(document.salt, "base64");
+  const iv = Buffer.from(document.iv, "base64");
+  const tag = Buffer.from(document.tag, "base64");
+  const ciphertext = Buffer.from(document.ciphertext, "base64");
+  const key = deriveKey(passphrase, salt);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return plaintext.toString("utf8");
+}
+async function writeLocalSecret(storeRoot, ref, value, passphrase) {
+  const filePath = resolveSecretStoreFile(storeRoot, ref);
+  await mkdir2(path3.dirname(filePath), { recursive: true });
+  await writeFile2(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
+  return filePath;
+}
+async function readLocalSecret(storeRoot, ref, passphrase) {
+  if (!passphrase) {
+    throw new CnosManifestError(
+      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
+    );
+  }
+  const filePath = resolveSecretStoreFile(storeRoot, ref);
+  const source = await readFile(filePath, "utf8");
+  const document = JSON.parse(source);
+  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
+    throw new CnosManifestError("Invalid local secret document", filePath);
+  }
+  return decryptDocument(document, passphrase);
+}
+
+// ../core/src/validation/envMapping.ts
+function fallbackLogicalKeyToEnvVar2(key) {
+  return key.replace(/^(value|secret)\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function validateEnvMappingCollisions(manifest, graph) {
+  const candidates = /* @__PURE__ */ new Set([
+    ...Object.values(manifest.envMapping.explicit),
+    ...manifest.public.promote,
+    ...Object.keys(manifest.schema),
+    ...graph ? Array.from(graph.entries.keys()) : []
+  ]);
+  const collisions = /* @__PURE__ */ new Map();
+  for (const key of candidates) {
+    if (key.startsWith("meta.")) {
+      continue;
+    }
+    const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar2(key) : void 0);
+    if (!envVar) {
+      continue;
+    }
+    const keys = collisions.get(envVar) ?? [];
+    keys.push(key);
+    collisions.set(envVar, keys);
+  }
+  return Array.from(collisions.entries()).filter(([, keys]) => new Set(keys).size > 1).map(([envVar, keys]) => ({
+    code: "env-mapping.collision",
+    message: `Multiple logical keys map to env var ${envVar}: ${Array.from(new Set(keys)).join(", ")}`
+  }));
+}
+
+// ../core/src/validation/publicSafety.ts
+function validatePublicSafety(manifest) {
+  return manifest.public.promote.filter((key) => !key.startsWith("value.")).map((key) => ({
+    code: "public.invalid-promotion",
+    key,
+    message: `public.promote may only include value.* keys: ${key}`
+  }));
+}
+
+// ../core/src/validation/workspaceSafety.ts
+function validateWorkspaceSafety(manifest, graph) {
+  const issues = [];
+  const localRoot = graph.workspace.workspaceRoots.find(
+    (entry) => entry.scope === "local" && entry.workspaceId === graph.workspace.workspaceId
+  );
+  if (!localRoot) {
+    issues.push({
+      code: "workspace.missing-local-root",
+      message: `Missing local workspace root for ${graph.workspace.workspaceId}`
+    });
+  }
+  if (manifest.workspaces.global.allowWrite && !manifest.workspaces.global.enabled) {
+    issues.push({
+      code: "workspace.global-write-policy",
+      message: "workspaces.global.allowWrite requires workspaces.global.enabled: true"
+    });
+  }
+  return issues;
+}
+
+// ../core/src/validation/validateRuntime.ts
+async function validateRuntime(runtime) {
+  const validatorPlugins = runtime.plugins.filter(
+    (plugin) => plugin.kind === "validator"
+  );
+  const pluginResults = await Promise.all(
+    validatorPlugins.map(
+      (plugin) => plugin.validate(runtime.graph, {
+        manifest: runtime.manifest,
+        schema: runtime.manifest.schema
+      })
+    )
+  );
+  const builtInResults = [
+    {
+      pluginId: "public-safety",
+      valid: true,
+      issues: validatePublicSafety(runtime.manifest)
+    },
+    {
+      pluginId: "env-mapping",
+      valid: true,
+      issues: validateEnvMappingCollisions(runtime.manifest, runtime.graph)
+    },
+    {
+      pluginId: "workspace-safety",
+      valid: true,
+      issues: validateWorkspaceSafety(runtime.manifest, runtime.graph)
+    }
+  ].map((result) => ({
+    ...result,
+    valid: result.issues.length === 0
+  }));
+  const results = [...pluginResults, ...builtInResults];
+  const issues = results.flatMap((result) => result.issues);
+  return {
+    valid: issues.length === 0,
+    issues,
+    results
+  };
+}
+
+// ../core/src/runtime/inspect.ts
+function inspectValue(graph, key) {
+  const entry = graph.entries.get(key);
+  if (!entry) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return {
+    key: entry.key,
+    value: entry.value,
+    namespace: entry.namespace,
+    profile: graph.profile,
+    profileSource: graph.profileSource,
+    workspace: {
+      id: graph.workspace.workspaceId,
+      source: graph.workspace.workspaceSource,
+      chain: graph.workspace.workspaceChain
+    },
+    winner: {
+      sourceId: entry.winner.sourceId,
+      pluginId: entry.winner.pluginId,
+      workspaceId: entry.winner.workspaceId,
+      ...entry.winner.origin ? { origin: entry.winner.origin } : {}
+    },
+    overridden: entry.overridden.map((override) => ({
+      sourceId: override.sourceId,
+      pluginId: override.pluginId,
+      workspaceId: override.workspaceId,
+      value: override.value,
+      ...override.origin ? { origin: override.origin } : {}
+    }))
+  };
+}
+
+// ../core/src/inspectors/provenance.ts
+function createProvenanceInspector() {
+  return {
+    id: "provenance",
+    kind: "inspector",
+    async inspect(key, graph) {
+      return inspectValue(graph, key);
+    }
+  };
+}
+
+// ../core/src/manifest/loadManifest.ts
+import { readFile as readFile2 } from "fs/promises";
+import path4 from "path";
+
+// ../core/src/manifest/normalizeManifest.ts
+var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
+var DEFAULT_LOADERS = [
+  "filesystem-values",
+  "filesystem-secrets",
+  "dotenv",
+  "process-env",
+  "cli-args"
+];
+var DEFAULT_VALIDATORS = ["basic-schema"];
+var DEFAULT_EXPORTERS = ["env", "public-env"];
+var DEFAULT_INSPECTORS = ["provenance"];
+var DEFAULT_FRAMEWORK_PREFIXES = {
+  next: "NEXT_PUBLIC_",
+  vite: "VITE_",
+  nuxt: "NUXT_PUBLIC_"
+};
+function validateResolveFrom(resolveFrom) {
+  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
+  for (const entry of resolveFrom) {
+    if (!validValues.includes(entry)) {
+      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
+    }
+  }
+  return resolveFrom;
+}
+function normalizeWorkspaceItems(items) {
+  return Object.fromEntries(
+    Object.entries(items ?? {}).map(([workspaceId, item]) => [
+      workspaceId,
+      {
+        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
+        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
+      }
+    ])
+  );
+}
+function normalizeManifest(manifest) {
+  const version = manifest.version ?? 1;
+  if (version !== 1) {
+    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
+  }
+  const projectName = manifest.project?.name?.trim();
+  if (!projectName) {
+    throw new CnosManifestError("Manifest requires project.name");
+  }
+  const defaultProfile = manifest.profiles?.default?.trim() || "base";
+  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
+  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const filesystemValues = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-values"] ?? {}
+  };
+  const filesystemSecrets = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-secrets"] ?? {}
+  };
+  const dotenv = {
+    root: "./env",
+    ...manifest.sources?.dotenv ?? {}
+  };
+  return {
+    version: 1,
+    project: {
+      name: projectName
+    },
+    workspaces: {
+      ...manifest.workspaces?.default?.trim() ? {
+        default: manifest.workspaces.default.trim()
+      } : {},
+      global: {
+        enabled: manifest.workspaces?.global?.enabled ?? false,
+        ...manifest.workspaces?.global?.root?.trim() ? {
+          root: manifest.workspaces.global.root.trim()
+        } : {},
+        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
+      },
+      items: workspaceItems
+    },
+    profiles: {
+      default: defaultProfile,
+      resolveFrom
+    },
+    plugins: {
+      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
+      resolver: manifest.plugins?.resolver ?? "profile-aware",
+      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
+      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
+      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
+    },
+    sources: {
+      ...manifest.sources ?? {},
+      "filesystem-values": filesystemValues,
+      "filesystem-secrets": filesystemSecrets,
+      dotenv
+    },
+    resolution: {
+      precedence: manifest.resolution?.precedence ?? [
+        "filesystem-values",
+        "filesystem-secrets",
+        "dotenv",
+        "process-env",
+        "cli-args"
+      ],
+      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
+    },
+    envMapping: {
+      ...manifest.envMapping?.convention ? {
+        convention: manifest.envMapping.convention
+      } : {},
+      explicit: manifest.envMapping?.explicit ?? {}
+    },
+    public: {
+      promote: manifest.public?.promote ?? [],
+      frameworks: {
+        ...DEFAULT_FRAMEWORK_PREFIXES,
+        ...manifest.public?.frameworks ?? {}
+      }
+    },
+    writePolicy: {
+      define: {
+        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
+        targets: {
+          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
+          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
+        }
+      }
+    },
+    schema: manifest.schema ?? {}
+  };
+}
+
+// ../core/src/manifest/loadManifest.ts
+async function loadManifest(options = {}) {
+  const manifestRoot = await resolveManifestRoot(options.root);
+  const manifestPath = path4.join(manifestRoot, "cnos.yml");
+  let source;
+  try {
+    source = await readFile2(manifestPath, "utf8");
+  } catch {
+    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
+  }
+  const rawManifest = parseYaml(source);
+  if (!rawManifest || typeof rawManifest !== "object") {
+    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
+  }
+  return {
+    manifestRoot,
+    repoRoot: path4.dirname(manifestRoot),
+    manifestPath,
+    manifest: normalizeManifest(rawManifest),
+    rawManifest
+  };
+}
+
+// ../core/src/manifest/loadWorkspaceFile.ts
+import { readFile as readFile3 } from "fs/promises";
+import path5 from "path";
+async function loadWorkspaceFile(repoRoot) {
+  const workspaceFilePath = path5.join(repoRoot, ".cnos-workspace.yml");
+  try {
+    const source = await readFile3(workspaceFilePath, "utf8");
+    const parsed = parseYaml(source);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
+    }
+    const config = parsed;
+    return {
+      path: workspaceFilePath,
+      config: {
+        ...config.workspace ? { workspace: config.workspace.trim() } : {},
+        ...config.profile ? { profile: config.profile.trim() } : {},
+        ...config.globalRoot ? { globalRoot: config.globalRoot.trim() } : {}
+      }
+    };
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  }
+}
+
+// ../core/src/profiles/expandProfileChain.ts
+import { access as access2, readFile as readFile4 } from "fs/promises";
+import path6 from "path";
+async function fileExists(targetPath) {
+  try {
+    await access2(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function normalizeProfileDefinition(profileName, rawDefinition, filePath) {
+  const normalizeActivationLayer = (entry, namespace) => {
+    const normalized = entry.trim();
+    if (!normalized) {
+      return normalized;
+    }
+    if (normalized.includes("/") || normalized.includes("\\") || normalized.startsWith(".")) {
+      return normalized.replace(/\\/g, "/");
+    }
+    return `${namespace}/${normalized}`;
+  };
+  return {
+    name: rawDefinition?.name?.trim() || profileName,
+    extends: Array.isArray(rawDefinition?.extends) ? rawDefinition.extends.map((entry) => entry.trim()).filter(Boolean) : rawDefinition?.extends ? [rawDefinition.extends.trim()].filter(Boolean) : [],
+    activate: {
+      values: rawDefinition?.activate?.values?.map((entry) => normalizeActivationLayer(entry, "values")).filter(Boolean) ?? [],
+      secrets: rawDefinition?.activate?.secrets?.map((entry) => normalizeActivationLayer(entry, "secrets")).filter(Boolean) ?? [],
+      envFiles: rawDefinition?.activate?.envFiles?.map((entry) => entry.trim()).filter(Boolean) ?? []
+    },
+    ...filePath ? { filePath } : {}
+  };
+}
+async function loadProfileDefinition(profileName, options) {
+  const workspaceRoots = options.workspace?.workspaceRoots ?? [];
+  if (workspaceRoots.length === 0) {
+    return normalizeProfileDefinition(profileName, void 0);
+  }
+  for (const workspaceRoot of [...workspaceRoots].reverse()) {
+    const profilePath = path6.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    if (!await fileExists(profilePath)) {
+      continue;
+    }
+    const document = await readFile4(profilePath, "utf8");
+    const parsed = parseYaml(document);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
+    }
+    const definition = normalizeProfileDefinition(
+      profileName,
+      parsed,
+      options.manifestRoot ? toPortablePath(path6.relative(path6.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+    );
+    if (definition.name !== profileName) {
+      throw new CnosManifestError(
+        `Profile file name mismatch: expected "${profileName}" but found "${definition.name}"`,
+        profilePath
+      );
+    }
+    return definition;
+  }
+  return normalizeProfileDefinition(profileName, void 0);
+}
+function pushUnique(target, values) {
+  for (const value of values) {
+    if (!target.includes(value)) {
+      target.push(value);
+    }
+  }
+}
+function buildFallbackActivation(activeProfile, orderedProfiles) {
+  const overlayProfiles = orderedProfiles.filter((profile) => profile !== "base");
+  return {
+    values: [
+      "values",
+      ...activeProfile !== "base" ? ["values/base"] : [],
+      ...overlayProfiles.flatMap((profile) => [`profiles/${profile}/values`, `values/${profile}`])
+    ],
+    secrets: [
+      "secrets",
+      ...overlayProfiles.flatMap((profile) => [`profiles/${profile}/secrets`, `secrets/${profile}`])
+    ],
+    envFiles: activeProfile === "base" ? [".env"] : [".env", `.env.${activeProfile}`]
+  };
+}
+async function expandProfileChain(activeProfile, options = {}) {
+  const visiting = /* @__PURE__ */ new Set();
+  const resolved = /* @__PURE__ */ new Set();
+  const orderedProfiles = [];
+  const definitions = /* @__PURE__ */ new Map();
+  const visit = async (profileName) => {
+    if (resolved.has(profileName)) {
+      return;
+    }
+    if (visiting.has(profileName)) {
+      throw new CnosManifestError(`Detected profile inheritance cycle involving "${profileName}"`);
+    }
+    visiting.add(profileName);
+    const definition = await loadProfileDefinition(profileName, options);
+    definitions.set(profileName, definition);
+    for (const parent of definition.extends) {
+      await visit(parent);
+    }
+    visiting.delete(profileName);
+    resolved.add(profileName);
+    orderedProfiles.push(profileName);
+  };
+  await visit(activeProfile);
+  const activation = {
+    values: [],
+    secrets: [],
+    envFiles: []
+  };
+  for (const profileName of orderedProfiles) {
+    const definition = definitions.get(profileName);
+    if (!definition) {
+      continue;
+    }
+    pushUnique(activation.values, definition.activate.values);
+    pushUnique(activation.secrets, definition.activate.secrets);
+    pushUnique(activation.envFiles, definition.activate.envFiles);
+  }
+  const fallback = buildFallbackActivation(activeProfile, orderedProfiles);
+  if (activation.values.length === 0) {
+    activation.values = fallback.values;
+  }
+  if (activation.secrets.length === 0) {
+    activation.secrets = fallback.secrets;
+  }
+  if (activation.envFiles.length === 0) {
+    activation.envFiles = fallback.envFiles;
+  }
+  return {
+    activeProfile,
+    profiles: orderedProfiles,
+    activation
+  };
+}
+
+// ../core/src/profiles/resolveActiveProfile.ts
+function resolveActiveProfile(manifest, options = {}) {
+  for (const source of manifest.profiles.resolveFrom) {
+    if (source === "cli.profile" && options.profile) {
+      return {
+        profile: options.profile,
+        source: "cli"
+      };
+    }
+    if (source === "env.CNOS_PROFILE") {
+      if (options.workspaceFile?.profile) {
+        return {
+          profile: options.workspaceFile.profile,
+          source: "workspace-file"
+        };
+      }
+      const envProfile = options.processEnv?.CNOS_PROFILE;
+      if (envProfile) {
+        return {
+          profile: envProfile,
+          source: "env"
+        };
+      }
+    }
+    if (source === "default") {
+      return {
+        profile: manifest.profiles.default,
+        source: "manifest-default"
+      };
+    }
+  }
+  return {
+    profile: manifest.profiles.default,
+    source: "manifest-default"
+  };
+}
+
+// ../core/src/utils/deepMerge.ts
+function isPlainObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function deepMerge(base, override) {
+  const merged = { ...base };
+  for (const [key, value] of Object.entries(override)) {
+    const currentValue = merged[key];
+    if (isPlainObject(currentValue) && isPlainObject(value)) {
+      merged[key] = deepMerge(currentValue, value);
+      continue;
+    }
+    merged[key] = value;
+  }
+  return merged;
+}
+
+// ../core/src/resolvers/profileAwareResolver.ts
+function mergeResolvedValue(currentValue, nextValue, arrayPolicy) {
+  if (Array.isArray(currentValue) && Array.isArray(nextValue)) {
+    if (arrayPolicy === "append") {
+      return [...currentValue, ...nextValue];
+    }
+    if (arrayPolicy === "unique-append") {
+      return [.../* @__PURE__ */ new Set([...currentValue, ...nextValue])];
+    }
+    return [...nextValue];
+  }
+  if (isPlainObject(currentValue) && isPlainObject(nextValue)) {
+    return deepMerge(currentValue, nextValue);
+  }
+  return nextValue;
+}
+function createProfileAwareResolver() {
+  return {
+    id: "profile-aware",
+    kind: "resolver",
+    async resolve(entries, context) {
+      const precedence = new Map(context.precedenceOrder.map((sourceId, index) => [sourceId, index]));
+      const sortedEntries = entries.map((entry, index) => ({
+        entry,
+        index,
+        precedence: precedence.get(entry.sourceId) ?? context.precedenceOrder.length
+      })).sort((left, right) => left.precedence - right.precedence || left.index - right.index);
+      const resolvedEntries = /* @__PURE__ */ new Map();
+      for (const { entry } of sortedEntries) {
+        const current = resolvedEntries.get(entry.key);
+        if (!current) {
+          resolvedEntries.set(entry.key, {
+            key: entry.key,
+            value: entry.value,
+            namespace: entry.namespace,
+            winner: entry,
+            overridden: []
+          });
+          continue;
+        }
+        resolvedEntries.set(entry.key, {
+          key: entry.key,
+          value: mergeResolvedValue(current.value, entry.value, context.manifest.resolution.arrayPolicy),
+          namespace: current.namespace,
+          winner: entry,
+          overridden: [...current.overridden, current.winner]
+        });
+      }
+      return {
+        entries: resolvedEntries,
+        profile: context.profile,
+        resolvedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        profileSource: "manifest-default",
+        workspace: context.workspace
+      };
+    }
+  };
+}
+
+// ../core/src/workspaces/resolveWorkspaceContext.ts
+import { access as access3 } from "fs/promises";
+import path7 from "path";
+
+// ../core/src/workspaces/expandWorkspaceChain.ts
+function expandWorkspaceChain(workspaceId, items) {
+  if (Object.keys(items).length === 0) {
+    return [workspaceId];
+  }
+  if (!items[workspaceId]) {
+    throw new CnosManifestError(`Unknown workspace "${workspaceId}"`);
+  }
+  const visiting = /* @__PURE__ */ new Set();
+  const resolved = /* @__PURE__ */ new Set();
+  const chain = [];
+  const visit = (currentWorkspaceId) => {
+    if (resolved.has(currentWorkspaceId)) {
+      return;
+    }
+    if (visiting.has(currentWorkspaceId)) {
+      throw new CnosManifestError(`Detected workspace inheritance cycle involving "${currentWorkspaceId}"`);
+    }
+    const item = items[currentWorkspaceId];
+    if (!item) {
+      throw new CnosManifestError(`Unknown workspace "${currentWorkspaceId}"`);
+    }
+    visiting.add(currentWorkspaceId);
+    for (const parentWorkspaceId of item.extends) {
+      visit(parentWorkspaceId);
+    }
+    visiting.delete(currentWorkspaceId);
+    resolved.add(currentWorkspaceId);
+    chain.push(currentWorkspaceId);
+  };
+  visit(workspaceId);
+  return chain;
+}
+
+// ../core/src/workspaces/resolveWorkspaceContext.ts
+async function exists2(targetPath) {
+  try {
+    await access3(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId) {
+  const workspaceRoot = path7.join(manifestRoot, "workspaces", workspaceId);
+  if (await exists2(workspaceRoot)) {
+    return workspaceRoot;
+  }
+  const legacyMarkers = ["values", "secrets", "env", "profiles"].map(
+    (segment) => path7.join(manifestRoot, segment)
+  );
+  if ((await Promise.all(legacyMarkers.map((marker) => exists2(marker)))).some(Boolean)) {
+    return manifestRoot;
+  }
+  return workspaceRoot;
+}
+function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
+  if (workspaceOption) {
+    return {
+      workspaceId: workspaceOption,
+      source: "cli"
+    };
+  }
+  if (workspaceFile?.workspace) {
+    return {
+      workspaceId: workspaceFile.workspace,
+      source: "workspace-file"
+    };
+  }
+  if (manifest.workspaces.default) {
+    return {
+      workspaceId: manifest.workspaces.default,
+      source: "manifest-default"
+    };
+  }
+  if (Object.keys(manifest.workspaces.items).length === 0) {
+    return {
+      workspaceId: "default",
+      source: "implicit"
+    };
+  }
+  throw new CnosManifestError(
+    "Workspace selection requires --workspace, .cnos-workspace.yml, or workspaces.default when workspaces.items are defined"
+  );
+}
+function resolveGlobalRoot(manifest, workspaceFile, options) {
+  if (!manifest.workspaces.global.enabled) {
+    return {};
+  }
+  if (options.globalRoot) {
+    return {
+      value: path7.resolve(expandHomePath(options.globalRoot)),
+      source: "cli"
+    };
+  }
+  if (workspaceFile?.globalRoot) {
+    return {
+      value: path7.resolve(expandHomePath(workspaceFile.globalRoot)),
+      source: "workspace-file"
+    };
+  }
+  if (manifest.workspaces.global.root) {
+    return {
+      value: path7.resolve(expandHomePath(manifest.workspaces.global.root)),
+      source: "manifest"
+    };
+  }
+  const cnosHome = options.processEnv?.CNOS_HOME;
+  if (cnosHome) {
+    return {
+      value: path7.resolve(expandHomePath(cnosHome)),
+      source: "CNOS_HOME"
+    };
+  }
+  return {};
+}
+async function resolveWorkspaceContext(manifest, options) {
+  const selectedWorkspace = resolveWorkspaceSelection(manifest, options.workspaceFile, options.workspace);
+  const workspaceChain = expandWorkspaceChain(selectedWorkspace.workspaceId, manifest.workspaces.items);
+  const globalRoot = resolveGlobalRoot(manifest, options.workspaceFile, options);
+  const workspaceRoots = [];
+  if (globalRoot.value) {
+    for (const chainWorkspaceId of workspaceChain) {
+      const globalWorkspaceId = manifest.workspaces.items[chainWorkspaceId]?.globalId ?? chainWorkspaceId;
+      workspaceRoots.push({
+        scope: "global",
+        workspaceId: chainWorkspaceId,
+        path: path7.join(globalRoot.value, "workspaces", globalWorkspaceId)
+      });
+    }
+  }
+  for (const chainWorkspaceId of workspaceChain) {
+    workspaceRoots.push({
+      scope: "local",
+      workspaceId: chainWorkspaceId,
+      path: await resolveLocalWorkspaceRoot(options.manifestRoot, chainWorkspaceId)
+    });
+  }
+  return {
+    workspaceId: selectedWorkspace.workspaceId,
+    workspaceSource: selectedWorkspace.source,
+    ...globalRoot.value ? { globalRoot: globalRoot.value } : {},
+    ...globalRoot.source ? { globalRootSource: globalRoot.source } : {},
+    workspaceChain,
+    workspaceRoots
+  };
+}
+
+// ../core/src/validation/basicSchema.ts
+function describeValueType(value) {
+  if (Array.isArray(value)) {
+    return "array";
+  }
+  if (value === null) {
+    return "null";
+  }
+  return typeof value;
+}
+function coerceBoolean(value) {
+  if (value === "true") {
+    return true;
+  }
+  if (value === "false") {
+    return false;
+  }
+  return void 0;
+}
+function coerceValue(value, rule) {
+  if (typeof value !== "string" || !rule.type) {
+    return value;
+  }
+  switch (rule.type) {
+    case "number": {
+      const parsed = Number(value);
+      return Number.isNaN(parsed) ? value : parsed;
+    }
+    case "boolean":
+      return coerceBoolean(value) ?? value;
+    case "object":
+    case "array": {
+      try {
+        const parsed = JSON.parse(value);
+        if (rule.type === "array" && Array.isArray(parsed)) {
+          return parsed;
+        }
+        if (rule.type === "object" && parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+          return parsed;
+        }
+        return value;
+      } catch {
+        return value;
+      }
+    }
+    default:
+      return value;
+  }
+}
+function matchesType(value, type) {
+  if (!type) {
+    return true;
+  }
+  switch (type) {
+    case "array":
+      return Array.isArray(value);
+    case "object":
+      return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+    default:
+      return typeof value === type;
+  }
+}
+function enumMatches(value, allowed) {
+  const serialized = JSON.stringify(value);
+  return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
+}
+function applySchemaRules(graph, schema) {
+  const nextEntries = new Map(graph.entries);
+  const issues = [];
+  for (const [key, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
+    const resolvedEntry = nextEntries.get(key);
+    if (!resolvedEntry) {
+      if (rule.default !== void 0) {
+        const defaultEntry = {
+          key,
+          value: rule.default,
+          namespace: key.startsWith("secret.") ? "secret" : key.startsWith("meta.") ? "meta" : "value",
+          sourceId: "schema-default",
+          pluginId: "basic-schema",
+          workspaceId: graph.workspace.workspaceId,
+          metadata: {
+            schemaDefault: true
+          }
+        };
+        nextEntries.set(key, {
+          key,
+          value: rule.default,
+          namespace: defaultEntry.namespace,
+          winner: defaultEntry,
+          overridden: []
+        });
+        continue;
+      }
+      if (rule.required) {
+        issues.push({
+          code: "schema.required",
+          key,
+          message: `Missing required config key: ${key}`
+        });
+      }
+      continue;
+    }
+    const coercedValue = coerceValue(resolvedEntry.value, rule);
+    const nextResolvedEntry = coercedValue === resolvedEntry.value ? resolvedEntry : {
+      ...resolvedEntry,
+      value: coercedValue
+    };
+    if (!matchesType(coercedValue, rule.type)) {
+      issues.push({
+        code: "schema.type",
+        key,
+        message: `Config key ${key} expected type ${rule.type} but got ${describeValueType(coercedValue)}`
+      });
+    }
+    if (rule.enum && !enumMatches(coercedValue, rule.enum)) {
+      issues.push({
+        code: "schema.enum",
+        key,
+        message: `Config key ${key} must be one of ${rule.enum.map((entry) => JSON.stringify(entry)).join(", ")}`
+      });
+    }
+    if (rule.pattern) {
+      if (typeof coercedValue !== "string") {
+        issues.push({
+          code: "schema.pattern",
+          key,
+          message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
+        });
+      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+        issues.push({
+          code: "schema.pattern",
+          key,
+          message: `Config key ${key} does not match pattern ${rule.pattern}`
+        });
+      }
+    }
+    nextEntries.set(key, nextResolvedEntry);
+  }
+  return {
+    graph: {
+      ...graph,
+      entries: nextEntries
+    },
+    issues
+  };
+}
+
+// ../core/src/orchestrator/pipeline.ts
+async function runPipeline(options) {
+  const collectedEntries = await Promise.all(
+    options.plugins.map(
+      (plugin) => plugin.load({
+        manifestConfig: {
+          ...options.manifest.sources[plugin.id] ?? {},
+          envMapping: options.manifest.envMapping
+        },
+        profile: options.profile,
+        profileChain: options.profileChain,
+        profileActivation: options.profileActivation,
+        manifestRoot: options.manifestRoot,
+        workspace: options.workspace,
+        ...options.cliArgs ? { cliArgs: options.cliArgs } : {},
+        ...options.processEnv ? { processEnv: options.processEnv } : {}
+      })
+    )
+  );
+  return collectedEntries.flat();
+}
+
+// ../core/src/runtime/read.ts
+function readValue(graph, key) {
+  return graph.entries.get(key)?.value;
+}
+
+// ../core/src/runtime/readOr.ts
+function readOrValue(graph, key, fallback) {
+  const value = readValue(graph, key);
+  return value === void 0 ? fallback : value;
+}
+
+// ../core/src/runtime/require.ts
+function requireValue(graph, key) {
+  const value = readValue(graph, key);
+  if (value === void 0) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return value;
+}
+
+// ../core/src/orchestrator/runtime.ts
+function createRuntime(manifest, graph, plugins = []) {
+  return {
+    manifest,
+    plugins,
+    graph,
+    read(key) {
+      return readValue(graph, key);
+    },
+    require(key) {
+      return requireValue(graph, key);
+    },
+    readOr(key, fallback) {
+      return readOrValue(graph, key, fallback);
+    },
+    value(path8) {
+      return readValue(graph, toLogicalKey("value", path8));
+    },
+    secret(path8) {
+      return readValue(graph, toLogicalKey("secret", path8));
+    },
+    meta(path8) {
+      return readValue(graph, toLogicalKey("meta", path8));
+    },
+    inspect(key) {
+      return inspectValue(graph, key);
+    },
+    toObject() {
+      return toNamespaceObject(graph);
+    },
+    toNamespace(namespace) {
+      return toNamespaceObject(graph, namespace);
+    },
+    toEnv(options) {
+      return toEnv(graph, manifest, options);
+    },
+    toPublicEnv(options) {
+      return toPublicEnv(graph, manifest, options);
+    }
+  };
+}
+
+// ../core/src/orchestrator/createCnos.ts
+function buildMetaEntries(graph, cnosVersion) {
+  return [
+    {
+      key: "meta.profile",
+      value: graph.profile,
+      namespace: "meta",
+      sourceId: "profile-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.cnos.version",
+      value: cnosVersion ?? "0.0.0-dev",
+      namespace: "meta",
+      sourceId: "core",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.resolved.at",
+      value: graph.resolvedAt,
+      namespace: "meta",
+      sourceId: "core",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.resolved.from",
+      value: graph.profileSource,
+      namespace: "meta",
+      sourceId: "profile-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.workspace",
+      value: graph.workspace.workspaceId,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.workspace.source",
+      value: graph.workspace.workspaceSource,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.workspace.chain",
+      value: graph.workspace.workspaceChain,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.globalRoot",
+      value: graph.workspace.globalRoot ?? null,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.global.enabled",
+      value: Boolean(graph.workspace.globalRoot),
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    }
+  ];
+}
+function appendMetaEntries(graph, cnosVersion) {
+  const nextEntries = new Map(graph.entries);
+  for (const entry of buildMetaEntries(graph, cnosVersion)) {
+    nextEntries.set(entry.key, {
+      key: entry.key,
+      value: entry.value,
+      namespace: entry.namespace,
+      winner: entry,
+      overridden: []
+    });
+  }
+  return {
+    ...graph,
+    entries: nextEntries
+  };
+}
+async function createCnos(options = {}) {
+  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
+  const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
+    manifestRoot: loadedManifest.manifestRoot,
+    ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...options.workspace ? { workspace: options.workspace } : {},
+    ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {}
+  });
+  const activeProfile = resolveActiveProfile(loadedManifest.manifest, {
+    ...options.profile ? { profile: options.profile } : {},
+    ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {}
+  });
+  const profileChain = await expandProfileChain(activeProfile.profile, {
+    manifestRoot: loadedManifest.manifestRoot,
+    workspace
+  });
+  const plugins = options.plugins ?? [];
+  const loaderPlugins = plugins.filter((plugin) => plugin.kind === "loader");
+  const resolverPlugin = plugins.find((plugin) => plugin.kind === "resolver") ?? createProfileAwareResolver();
+  const entries = await runPipeline({
+    manifestRoot: loadedManifest.manifestRoot,
+    manifest: loadedManifest.manifest,
+    profile: activeProfile.profile,
+    profileChain: profileChain.profiles,
+    profileActivation: profileChain.activation,
+    workspace,
+    plugins: loaderPlugins,
+    ...options.cliArgs ? { cliArgs: options.cliArgs } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {}
+  });
+  const graph = await resolverPlugin.resolve(entries, {
+    manifest: loadedManifest.manifest,
+    profile: activeProfile.profile,
+    profileChain: profileChain.profiles,
+    precedenceOrder: loadedManifest.manifest.resolution.precedence,
+    workspace
+  });
+  const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
+  return createRuntime(
+    loadedManifest.manifest,
+    appendMetaEntries({
+      ...schemaApplied.graph,
+      profileSource: activeProfile.source
+    }, options.cnosVersion),
+    plugins
+  );
+}
+
+export {
+  CnosManifestError,
+  createProvenanceInspector,
+  resolveWorkspaceScopedPath,
+  resolveConfigDocumentPath,
+  toPortablePath,
+  joinConfigPath,
+  parseYaml,
+  stringifyYaml,
+  applySchemaRules,
+  envVarToLogicalKey,
+  toEnv,
+  toPublicEnv,
+  createCnos,
+  planDump,
+  writeDump,
+  flattenObject,
+  isSecretReference,
+  resolveSecretStoreRoot,
+  writeLocalSecret,
+  readLocalSecret,
+  validateRuntime
+};