@kitsy/cnos 1.1.0 → 1.1.2

package/README.md

@@ -2,4 +2,18 @@
 
 Developer-friendly CNOS runtime assembly. It bundles the core engine plus the official built-in plugins, exposes the main `createCnos(...)` entry point for app code, and re-exports the built-ins under `@kitsy/cnos/plugins/*`.
 
+Current runtime surface includes:
+- `createCnos()`
+- `read`, `require`, `readOr`
+- `value`, `secret`, `meta`
+- `inspect`
+- `toObject`, `toNamespace`
+- `toEnv`, `toPublicEnv`
+
+CLI-oriented storage/export rules to be aware of:
+- user-defined values and secrets remain private by default
+- public/browser exposure comes from `public.promote`
+- shell env export comes from explicit `envMapping.explicit`
+- local secret material lives outside the repo in encrypted vault storage under `~/.cnos/secrets`
+
 Use `@kitsy/cnos-vite` for Vite projects and `@kitsy/cnos-next` for Next.js projects when you want CNOS public values projected into framework-native env surfaces.

package/dist/{chunk-K2T4R5WH.js → chunk-33ZDYDQJ.js}

@@ -120,6 +120,151 @@ function stringifyYaml(value) {
   return stringify(value);
 }
 
+// ../core/src/utils/secretStore.ts
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { mkdir, readdir, readFile, writeFile } from "fs/promises";
+import path2 from "path";
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+}
+function resolveSecretStoreRoot(processEnv = process.env) {
+  return path2.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+}
+function resolveSecretVaultFile(storeRoot, vault = "default") {
+  return path2.join(storeRoot, "vaults", `${vault}.json`);
+}
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return path2.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
+}
+function deriveKey(passphrase, salt) {
+  return scryptSync(passphrase, salt, 32);
+}
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
+function encryptDocument(value, passphrase) {
+  const salt = randomBytes(16);
+  const iv = randomBytes(12);
+  const key = deriveKey(passphrase, salt);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    version: 1,
+    algorithm: "aes-256-gcm",
+    salt: salt.toString("base64"),
+    iv: iv.toString("base64"),
+    tag: tag.toString("base64"),
+    ciphertext: ciphertext.toString("base64")
+  };
+}
+function decryptDocument(document, passphrase) {
+  const salt = Buffer.from(document.salt, "base64");
+  const iv = Buffer.from(document.iv, "base64");
+  const tag = Buffer.from(document.tag, "base64");
+  const ciphertext = Buffer.from(document.ciphertext, "base64");
+  const key = deriveKey(passphrase, salt);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return plaintext.toString("utf8");
+}
+async function createSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  await mkdir(path2.dirname(filePath), { recursive: true });
+  const document = {
+    version: 1,
+    name: normalizedVault,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    verifier: encryptDocument(`cnos-vault:${normalizedVault}`, passphrase)
+  };
+  await writeFile(filePath, JSON.stringify(document, null, 2), "utf8");
+  return filePath;
+}
+async function ensureSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  try {
+    await readFile(filePath, "utf8");
+    return filePath;
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return createSecretVault(storeRoot, normalizedVault, passphrase);
+}
+async function listSecretVaults(storeRoot) {
+  const vaultRoot = path2.join(storeRoot, "vaults");
+  try {
+    const entries = await readdir(vaultRoot, { withFileTypes: true });
+    return entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => entry.name.replace(/\.json$/, "")).sort((left, right) => left.localeCompare(right));
+  } catch {
+    return [];
+  }
+}
+async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
+  await ensureSecretVault(storeRoot, vault, passphrase);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
+  await mkdir(path2.dirname(filePath), { recursive: true });
+  await writeFile(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
+  return filePath;
+}
+async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
+  if (!passphrase) {
+    throw new CnosManifestError(
+      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
+    );
+  }
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
+  const source = await readFile(filePath, "utf8");
+  const document = JSON.parse(source);
+  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
+    throw new CnosManifestError("Invalid local secret document", filePath);
+  }
+  return decryptDocument(document, passphrase);
+}
+
+// ../core/src/runtime/toEnv.ts
+function normalizeEnvValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function toEnv(graph, manifest, options = {}) {
+  const includeSecrets = options.includeSecrets ?? true;
+  const output = {};
+  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
+    ([left], [right]) => left.localeCompare(right)
+  );
+  for (const [envVar, logicalKey] of mappedEntries) {
+    const entry = graph.entries.get(logicalKey);
+    if (!entry) {
+      continue;
+    }
+    if (entry.namespace === "secret" && !includeSecrets) {
+      continue;
+    }
+    if (isSecretReference(entry.value)) {
+      continue;
+    }
+    output[envVar] = normalizeEnvValue(entry.value);
+  }
+  return output;
+}
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -175,48 +320,6 @@ function envVarToLogicalKey(envVar, config = {}) {
   return `value.${fromScreamingSnake(envVar)}`;
 }
 
-// ../core/src/runtime/toEnv.ts
-function fallbackLogicalKeyToEnvVar(key) {
-  if (key.startsWith("value.")) {
-    return key.slice("value.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  }
-  if (key.startsWith("secret.")) {
-    const normalized = key.slice("secret.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-    return `SECRET_${normalized}`;
-  }
-  return key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
-function normalizeEnvValue(value) {
-  if (value === void 0 || value === null) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value;
-  }
-  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
-    return String(value);
-  }
-  return JSON.stringify(value);
-}
-function toEnv(graph, manifest, options = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
-  const output = {};
-  const resolvedEntries = Array.from(graph.entries.values()).sort(
-    (left, right) => left.key.localeCompare(right.key)
-  );
-  for (const entry of resolvedEntries) {
-    if (entry.namespace === "meta") {
-      continue;
-    }
-    if (!includeSecrets && entry.namespace === "secret") {
-      continue;
-    }
-    const envVar = logicalKeyToEnvVar(entry.key, manifest.envMapping) ?? fallbackLogicalKeyToEnvVar(entry.key);
-    output[envVar] = normalizeEnvValue(entry.value);
-  }
-  return output;
-}
-
 // ../core/src/runtime/toPublicEnv.ts
 function fallbackValueEnvVar(key) {
   return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -269,8 +372,8 @@ function toPublicEnv(graph, manifest, options = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-import { mkdir, writeFile } from "fs/promises";
-import path2 from "path";
+import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import path3 from "path";
 
 // ../core/src/runtime/projection.ts
 function setNestedValue(target, pathSegments, value) {
@@ -304,20 +407,20 @@ function toNamespaceObject(graph, namespace) {
 
 // ../core/src/runtime/dump.ts
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : path2.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : path3.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: path2.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: path3.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: path2.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: path3.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -333,12 +436,12 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = path2.resolve(options.to);
+  const root = path3.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = path2.join(root, file.path);
-    await mkdir(path2.dirname(destination), { recursive: true });
-    await writeFile(destination, file.content, "utf8");
+    const destination = path3.join(root, file.path);
+    await mkdir2(path3.dirname(destination), { recursive: true });
+    await writeFile2(destination, file.content, "utf8");
   }
   return {
     ...plan,
@@ -359,75 +462,8 @@ function flattenObject(value, prefix = "") {
   }, {});
 }
 
-// ../core/src/utils/secretStore.ts
-import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { mkdir as mkdir2, readFile, writeFile as writeFile2 } from "fs/promises";
-import path3 from "path";
-function isObject(value) {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && Object.keys(value).every((key) => ["provider", "ref"].includes(key));
-}
-function resolveSecretStoreRoot(processEnv = process.env) {
-  return path3.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
-}
-function resolveSecretStoreFile(storeRoot, ref) {
-  return path3.join(storeRoot, "store", ...ref.split("/")).concat(".json");
-}
-function deriveKey(passphrase, salt) {
-  return scryptSync(passphrase, salt, 32);
-}
-function encryptDocument(value, passphrase) {
-  const salt = randomBytes(16);
-  const iv = randomBytes(12);
-  const key = deriveKey(passphrase, salt);
-  const cipher = createCipheriv("aes-256-gcm", key, iv);
-  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return {
-    version: 1,
-    algorithm: "aes-256-gcm",
-    salt: salt.toString("base64"),
-    iv: iv.toString("base64"),
-    tag: tag.toString("base64"),
-    ciphertext: ciphertext.toString("base64")
-  };
-}
-function decryptDocument(document, passphrase) {
-  const salt = Buffer.from(document.salt, "base64");
-  const iv = Buffer.from(document.iv, "base64");
-  const tag = Buffer.from(document.tag, "base64");
-  const ciphertext = Buffer.from(document.ciphertext, "base64");
-  const key = deriveKey(passphrase, salt);
-  const decipher = createDecipheriv("aes-256-gcm", key, iv);
-  decipher.setAuthTag(tag);
-  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-  return plaintext.toString("utf8");
-}
-async function writeLocalSecret(storeRoot, ref, value, passphrase) {
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
-  await mkdir2(path3.dirname(filePath), { recursive: true });
-  await writeFile2(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
-  return filePath;
-}
-async function readLocalSecret(storeRoot, ref, passphrase) {
-  if (!passphrase) {
-    throw new CnosManifestError(
-      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
-    );
-  }
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
-  const source = await readFile(filePath, "utf8");
-  const document = JSON.parse(source);
-  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
-    throw new CnosManifestError("Invalid local secret document", filePath);
-  }
-  return decryptDocument(document, passphrase);
-}
-
 // ../core/src/validation/envMapping.ts
-function fallbackLogicalKeyToEnvVar2(key) {
+function fallbackLogicalKeyToEnvVar(key) {
   return key.replace(/^(value|secret)\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
 function validateEnvMappingCollisions(manifest, graph) {
@@ -442,7 +478,7 @@ function validateEnvMappingCollisions(manifest, graph) {
     if (key.startsWith("meta.")) {
       continue;
     }
-    const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar2(key) : void 0);
+    const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar(key) : void 0);
     if (!envVar) {
       continue;
     }
@@ -1550,16 +1586,20 @@ export {
   parseYaml,
   stringifyYaml,
   applySchemaRules,
-  envVarToLogicalKey,
+  isSecretReference,
+  resolveSecretStoreRoot,
+  resolveSecretVaultFile,
+  resolveSecretPassphrase,
+  createSecretVault,
+  listSecretVaults,
+  writeLocalSecret,
+  readLocalSecret,
   toEnv,
+  envVarToLogicalKey,
   toPublicEnv,
   createCnos,
   planDump,
   writeDump,
   flattenObject,
-  isSecretReference,
-  resolveSecretStoreRoot,
-  writeLocalSecret,
-  readLocalSecret,
   validateRuntime
 };

package/dist/{chunk-CGTFH4QQ.js → chunk-53HXUSM6.js}

@@ -1,6 +1,6 @@
 import {
   envVarToLogicalKey
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";

package/dist/{chunk-KG6OZX5C.js → chunk-7FBRVJD6.js}

@@ -3,9 +3,10 @@ import {
   isSecretReference,
   parseYaml,
   readLocalSecret,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
   toPortablePath
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";
@@ -102,13 +103,15 @@ async function resolveSecretValue(value, processEnv) {
     return value;
   }
   if (value.provider === "local") {
-    if (!processEnv?.CNOS_SECRET_PASSPHRASE) {
+    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
+    if (!passphrase) {
       return value;
     }
     return readLocalSecret(
       resolveSecretStoreRoot(processEnv),
       value.ref,
-      processEnv?.CNOS_SECRET_PASSPHRASE
+      passphrase,
+      value.vault
     );
   }
   if (value.provider === "env") {

package/dist/{chunk-GGYIRIGU.js → chunk-HOS4E7XO.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";

package/dist/{chunk-ASZ7I3JJ.js → chunk-IHSV5AFX.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-44JOQPSN.js → chunk-IQOUWY6T.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";

package/dist/{chunk-H65FPTDM.js → chunk-JQGGSNCL.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {