@kitsy/cnos 1.1.0 → 1.1.1

package/README.md

@@ -2,4 +2,18 @@
 
 Developer-friendly CNOS runtime assembly. It bundles the core engine plus the official built-in plugins, exposes the main `createCnos(...)` entry point for app code, and re-exports the built-ins under `@kitsy/cnos/plugins/*`.
 
+Current runtime surface includes:
+- `createCnos()`
+- `read`, `require`, `readOr`
+- `value`, `secret`, `meta`
+- `inspect`
+- `toObject`, `toNamespace`
+- `toEnv`, `toPublicEnv`
+
+CLI-oriented storage/export rules to be aware of:
+- user-defined values and secrets remain private by default
+- public/browser exposure comes from `public.promote`
+- shell env export comes from explicit `envMapping.explicit`
+- local secret material lives outside the repo in encrypted vault storage under `~/.cnos/secrets`
+
 Use `@kitsy/cnos-vite` for Vite projects and `@kitsy/cnos-next` for Next.js projects when you want CNOS public values projected into framework-native env surfaces.

package/dist/{chunk-44JOQPSN.js → chunk-7GNXYEO6.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";

package/dist/{chunk-K2T4R5WH.js → chunk-JPJ3S3CO.js}

@@ -361,23 +361,30 @@ function flattenObject(value, prefix = "") {
 
 // ../core/src/utils/secretStore.ts
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { mkdir as mkdir2, readFile, writeFile as writeFile2 } from "fs/promises";
+import { mkdir as mkdir2, readdir, readFile, writeFile as writeFile2 } from "fs/promises";
 import path3 from "path";
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && Object.keys(value).every((key) => ["provider", "ref"].includes(key));
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return path3.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
-function resolveSecretStoreFile(storeRoot, ref) {
-  return path3.join(storeRoot, "store", ...ref.split("/")).concat(".json");
+function resolveSecretVaultFile(storeRoot, vault = "default") {
+  return path3.join(storeRoot, "vaults", `${vault}.json`);
+}
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return path3.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
 function deriveKey(passphrase, salt) {
   return scryptSync(passphrase, salt, 32);
 }
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
 function encryptDocument(value, passphrase) {
   const salt = randomBytes(16);
   const iv = randomBytes(12);
@@ -405,19 +412,55 @@ function decryptDocument(document, passphrase) {
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
   return plaintext.toString("utf8");
 }
-async function writeLocalSecret(storeRoot, ref, value, passphrase) {
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
+async function createSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  await mkdir2(path3.dirname(filePath), { recursive: true });
+  const document = {
+    version: 1,
+    name: normalizedVault,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    verifier: encryptDocument(`cnos-vault:${normalizedVault}`, passphrase)
+  };
+  await writeFile2(filePath, JSON.stringify(document, null, 2), "utf8");
+  return filePath;
+}
+async function ensureSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  try {
+    await readFile(filePath, "utf8");
+    return filePath;
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return createSecretVault(storeRoot, normalizedVault, passphrase);
+}
+async function listSecretVaults(storeRoot) {
+  const vaultRoot = path3.join(storeRoot, "vaults");
+  try {
+    const entries = await readdir(vaultRoot, { withFileTypes: true });
+    return entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => entry.name.replace(/\.json$/, "")).sort((left, right) => left.localeCompare(right));
+  } catch {
+    return [];
+  }
+}
+async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
+  await ensureSecretVault(storeRoot, vault, passphrase);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
   await mkdir2(path3.dirname(filePath), { recursive: true });
   await writeFile2(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
   return filePath;
 }
-async function readLocalSecret(storeRoot, ref, passphrase) {
+async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
   if (!passphrase) {
     throw new CnosManifestError(
       `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
     );
   }
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
   const source = await readFile(filePath, "utf8");
   const document = JSON.parse(source);
   if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
@@ -1559,6 +1602,10 @@ export {
   flattenObject,
   isSecretReference,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
+  resolveSecretPassphrase,
+  createSecretVault,
+  listSecretVaults,
   writeLocalSecret,
   readLocalSecret,
   validateRuntime

package/dist/{chunk-H65FPTDM.js → chunk-L3HOQHCH.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {

package/dist/{chunk-GGYIRIGU.js → chunk-M4S6PYM5.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";

package/dist/{chunk-ASZ7I3JJ.js → chunk-PBU5NAX4.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-KG6OZX5C.js → chunk-QKJ6QLRS.js}

@@ -3,9 +3,10 @@ import {
   isSecretReference,
   parseYaml,
   readLocalSecret,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
   toPortablePath
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";
@@ -102,13 +103,15 @@ async function resolveSecretValue(value, processEnv) {
     return value;
   }
   if (value.provider === "local") {
-    if (!processEnv?.CNOS_SECRET_PASSPHRASE) {
+    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
+    if (!passphrase) {
       return value;
     }
     return readLocalSecret(
       resolveSecretStoreRoot(processEnv),
       value.ref,
-      processEnv?.CNOS_SECRET_PASSPHRASE
+      passphrase,
+      value.vault
     );
   }
   if (value.provider === "env") {

package/dist/{chunk-CGTFH4QQ.js → chunk-X4GOXEKX.js}

@@ -1,6 +1,6 @@
 import {
   envVarToLogicalKey
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";

package/dist/index.cjs

@@ -1391,17 +1391,21 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && Object.keys(value).every((key) => ["provider", "ref"].includes(key));
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
-function resolveSecretStoreFile(storeRoot, ref) {
-  return import_node_path7.default.join(storeRoot, "store", ...ref.split("/")).concat(".json");
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
 function deriveKey(passphrase, salt) {
   return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
 }
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
 function decryptDocument(document, passphrase) {
   const salt = Buffer.from(document.salt, "base64");
   const iv = Buffer.from(document.iv, "base64");
@@ -1413,13 +1417,13 @@ function decryptDocument(document, passphrase) {
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
   return plaintext.toString("utf8");
 }
-async function readLocalSecret(storeRoot, ref, passphrase) {
+async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
   if (!passphrase) {
     throw new CnosManifestError(
       `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
     );
   }
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
   const source = await (0, import_promises7.readFile)(filePath, "utf8");
   const document = JSON.parse(source);
   if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
@@ -1431,7 +1435,7 @@ async function readLocalSecret(storeRoot, ref, passphrase) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.0.1",
+  version: "1.1.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -1504,10 +1508,11 @@ var package_default = {
     yaml: "^2.8.3"
   },
   scripts: {
-    build: "tsup --config tsup.config.ts",
+    build: "rimraf dist && tsup --config tsup.config.ts",
     clean: "rimraf dist",
     dev: "tsup --config tsup.config.ts --watch",
     lint: "eslint src test",
+    prepack: "pnpm build",
     test: "vitest run",
     typecheck: "tsc -p tsconfig.json --noEmit"
   }
@@ -1825,13 +1830,15 @@ async function resolveSecretValue(value, processEnv) {
     return value;
   }
   if (value.provider === "local") {
-    if (!processEnv?.CNOS_SECRET_PASSPHRASE) {
+    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
+    if (!passphrase) {
       return value;
     }
     return readLocalSecret(
       resolveSecretStoreRoot(processEnv),
       value.ref,
-      processEnv?.CNOS_SECRET_PASSPHRASE
+      passphrase,
+      value.vault
     );
   }
   if (value.provider === "env") {

package/dist/index.js

@@ -1,23 +1,23 @@
 import {
   createBasicSchemaPlugin
-} from "./chunk-H65FPTDM.js";
+} from "./chunk-L3HOQHCH.js";
 import {
   createCliArgsPlugin
-} from "./chunk-GGYIRIGU.js";
+} from "./chunk-M4S6PYM5.js";
 import {
   createDotenvPlugin
-} from "./chunk-44JOQPSN.js";
+} from "./chunk-7GNXYEO6.js";
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "./chunk-ASZ7I3JJ.js";
+} from "./chunk-PBU5NAX4.js";
 import {
   createFilesystemSecretsPlugin,
   createFilesystemValuesPlugin
-} from "./chunk-KG6OZX5C.js";
+} from "./chunk-QKJ6QLRS.js";
 import {
   createProcessEnvPlugin
-} from "./chunk-CGTFH4QQ.js";
+} from "./chunk-X4GOXEKX.js";
 import {
   createCnos,
   createProvenanceInspector,
@@ -25,12 +25,12 @@ import {
   toEnv,
   toPublicEnv,
   writeDump
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.0.1",
+  version: "1.1.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -103,10 +103,11 @@ var package_default = {
     yaml: "^2.8.3"
   },
   scripts: {
-    build: "tsup --config tsup.config.ts",
+    build: "rimraf dist && tsup --config tsup.config.ts",
     clean: "rimraf dist",
     dev: "tsup --config tsup.config.ts --watch",
     lint: "eslint src test",
+    prepack: "pnpm build",
     test: "vitest run",
     typecheck: "tsc -p tsconfig.json --noEmit"
   }

package/dist/internal.cjs

@@ -30,10 +30,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/internal.ts
 var internal_exports = {};
 __export(internal_exports, {
+  createSecretVault: () => createSecretVault,
   flattenObject: () => flattenObject,
+  listSecretVaults: () => listSecretVaults,
   parseYaml: () => parseYaml,
   resolveConfigDocumentPath: () => resolveConfigDocumentPath,
+  resolveSecretPassphrase: () => resolveSecretPassphrase,
   resolveSecretStoreRoot: () => resolveSecretStoreRoot,
+  resolveSecretVaultFile: () => resolveSecretVaultFile,
   stringifyYaml: () => stringifyYaml,
   validateRuntime: () => validateRuntime,
   writeLocalSecret: () => writeLocalSecret
@@ -146,12 +150,19 @@ var import_node_path7 = __toESM(require("path"), 1);
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
-function resolveSecretStoreFile(storeRoot, ref) {
-  return import_node_path7.default.join(storeRoot, "store", ...ref.split("/")).concat(".json");
+function resolveSecretVaultFile(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", `${vault}.json`);
+}
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
 function deriveKey(passphrase, salt) {
   return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
 }
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
 function encryptDocument(value, passphrase) {
   const salt = (0, import_node_crypto.randomBytes)(16);
   const iv = (0, import_node_crypto.randomBytes)(12);
@@ -168,8 +179,44 @@ function encryptDocument(value, passphrase) {
     ciphertext: ciphertext.toString("base64")
   };
 }
-async function writeLocalSecret(storeRoot, ref, value, passphrase) {
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
+async function createSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(filePath), { recursive: true });
+  const document = {
+    version: 1,
+    name: normalizedVault,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    verifier: encryptDocument(`cnos-vault:${normalizedVault}`, passphrase)
+  };
+  await (0, import_promises7.writeFile)(filePath, JSON.stringify(document, null, 2), "utf8");
+  return filePath;
+}
+async function ensureSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  try {
+    await (0, import_promises7.readFile)(filePath, "utf8");
+    return filePath;
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return createSecretVault(storeRoot, normalizedVault, passphrase);
+}
+async function listSecretVaults(storeRoot) {
+  const vaultRoot = import_node_path7.default.join(storeRoot, "vaults");
+  try {
+    const entries = await (0, import_promises7.readdir)(vaultRoot, { withFileTypes: true });
+    return entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => entry.name.replace(/\.json$/, "")).sort((left, right) => left.localeCompare(right));
+  } catch {
+    return [];
+  }
+}
+async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
+  await ensureSecretVault(storeRoot, vault, passphrase);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
   await (0, import_promises7.mkdir)(import_node_path7.default.dirname(filePath), { recursive: true });
   await (0, import_promises7.writeFile)(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
   return filePath;
@@ -278,10 +325,14 @@ async function validateRuntime(runtime) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  createSecretVault,
   flattenObject,
+  listSecretVaults,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/internal.d.cts

@@ -8,13 +8,18 @@ declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'va
 interface SecretReference {
     provider: string;
     ref: string;
+    vault?: string;
 }
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
-declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string): Promise<string>;
+declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
+declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
+declare function listSecretVaults(storeRoot: string): Promise<string[]>;
+declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
 
 declare function parseYaml<T>(source: string): T;
 declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, flattenObject, parseYaml, resolveConfigDocumentPath, resolveSecretStoreRoot, stringifyYaml, validateRuntime, writeLocalSecret };
+export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.d.ts

@@ -8,13 +8,18 @@ declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'va
 interface SecretReference {
     provider: string;
     ref: string;
+    vault?: string;
 }
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
-declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string): Promise<string>;
+declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
+declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
+declare function listSecretVaults(storeRoot: string): Promise<string[]>;
+declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
 
 declare function parseYaml<T>(source: string): T;
 declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, flattenObject, parseYaml, resolveConfigDocumentPath, resolveSecretStoreRoot, stringifyYaml, validateRuntime, writeLocalSecret };
+export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.js

@@ -1,17 +1,25 @@
 import {
+  createSecretVault,
   flattenObject,
+  listSecretVaults,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-JPJ3S3CO.js";
 export {
+  createSecretVault,
   flattenObject,
+  listSecretVaults,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-H65FPTDM.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-L3HOQHCH.js";
+import "../chunk-JPJ3S3CO.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-GGYIRIGU.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-M4S6PYM5.js";
+import "../chunk-JPJ3S3CO.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-44JOQPSN.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-7GNXYEO6.js";
+import "../chunk-JPJ3S3CO.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.js

@@ -1,11 +1,11 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "../chunk-ASZ7I3JJ.js";
+} from "../chunk-PBU5NAX4.js";
 import {
   toEnv,
   toPublicEnv
-} from "../chunk-K2T4R5WH.js";
+} from "../chunk-JPJ3S3CO.js";
 export {
   createEnvExportPlugin,
   createPublicEnvExportPlugin,

package/dist/plugin/filesystem.cjs

@@ -112,17 +112,21 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && Object.keys(value).every((key) => ["provider", "ref"].includes(key));
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
-function resolveSecretStoreFile(storeRoot, ref) {
-  return import_node_path7.default.join(storeRoot, "store", ...ref.split("/")).concat(".json");
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
 function deriveKey(passphrase, salt) {
   return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
 }
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
 function decryptDocument(document, passphrase) {
   const salt = Buffer.from(document.salt, "base64");
   const iv = Buffer.from(document.iv, "base64");
@@ -134,13 +138,13 @@ function decryptDocument(document, passphrase) {
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
   return plaintext.toString("utf8");
 }
-async function readLocalSecret(storeRoot, ref, passphrase) {
+async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
   if (!passphrase) {
     throw new CnosManifestError(
       `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
     );
   }
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
   const source = await (0, import_promises7.readFile)(filePath, "utf8");
   const document = JSON.parse(source);
   if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
@@ -242,13 +246,15 @@ async function resolveSecretValue(value, processEnv) {
     return value;
   }
   if (value.provider === "local") {
-    if (!processEnv?.CNOS_SECRET_PASSPHRASE) {
+    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
+    if (!passphrase) {
       return value;
     }
     return readLocalSecret(
       resolveSecretStoreRoot(processEnv),
       value.ref,
-      processEnv?.CNOS_SECRET_PASSPHRASE
+      passphrase,
+      value.vault
     );
   }
   if (value.provider === "env") {

package/dist/plugin/filesystem.js

@@ -5,8 +5,8 @@ import {
   filesystemSecretsReader,
   filesystemValuesReader,
   yamlObjectToEntries
-} from "../chunk-KG6OZX5C.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-QKJ6QLRS.js";
+import "../chunk-JPJ3S3CO.js";
 export {
   collectFilesystemLayerFiles,
   createFilesystemSecretsPlugin,

package/dist/plugin/process-env.js

@@ -1,8 +1,8 @@
 import {
   createProcessEnvPlugin,
   processEnvEntriesFromObject
-} from "../chunk-CGTFH4QQ.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-X4GOXEKX.js";
+import "../chunk-JPJ3S3CO.js";
 export {
   createProcessEnvPlugin,
   processEnvEntriesFromObject

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Batteries-included CNOS runtime package wired with the official plugins.",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -73,7 +73,7 @@
     "yaml": "^2.8.3"
   },
   "scripts": {
-    "build": "tsup --config tsup.config.ts",
+    "build": "rimraf dist && tsup --config tsup.config.ts",
     "clean": "rimraf dist",
     "dev": "tsup --config tsup.config.ts --watch",
     "lint": "eslint src test",