@kitsy/cnos 1.1.0 → 1.1.2

package/dist/index.cjs

@@ -1003,6 +1003,90 @@ function requireValue(graph, key) {
   return value;
 }
 
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+}
+function resolveSecretStoreRoot(processEnv = process.env) {
+  return import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+}
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return import_node_path6.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
+}
+function deriveKey(passphrase, salt) {
+  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
+}
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
+function decryptDocument(document, passphrase) {
+  const salt = Buffer.from(document.salt, "base64");
+  const iv = Buffer.from(document.iv, "base64");
+  const tag = Buffer.from(document.tag, "base64");
+  const ciphertext = Buffer.from(document.ciphertext, "base64");
+  const key = deriveKey(passphrase, salt);
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return plaintext.toString("utf8");
+}
+async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
+  if (!passphrase) {
+    throw new CnosManifestError(
+      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
+    );
+  }
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
+  const source = await (0, import_promises6.readFile)(filePath, "utf8");
+  const document = JSON.parse(source);
+  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
+    throw new CnosManifestError("Invalid local secret document", filePath);
+  }
+  return decryptDocument(document, passphrase);
+}
+
+// ../core/src/runtime/toEnv.ts
+function normalizeEnvValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function toEnv(graph, manifest, options = {}) {
+  const includeSecrets = options.includeSecrets ?? true;
+  const output = {};
+  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
+    ([left], [right]) => left.localeCompare(right)
+  );
+  for (const [envVar, logicalKey] of mappedEntries) {
+    const entry = graph.entries.get(logicalKey);
+    if (!entry) {
+      continue;
+    }
+    if (entry.namespace === "secret" && !includeSecrets) {
+      continue;
+    }
+    if (isSecretReference(entry.value)) {
+      continue;
+    }
+    output[envVar] = normalizeEnvValue(entry.value);
+  }
+  return output;
+}
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -1058,48 +1142,6 @@ function envVarToLogicalKey(envVar, config = {}) {
   return `value.${fromScreamingSnake(envVar)}`;
 }
 
-// ../core/src/runtime/toEnv.ts
-function fallbackLogicalKeyToEnvVar(key) {
-  if (key.startsWith("value.")) {
-    return key.slice("value.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  }
-  if (key.startsWith("secret.")) {
-    const normalized = key.slice("secret.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-    return `SECRET_${normalized}`;
-  }
-  return key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
-function normalizeEnvValue(value) {
-  if (value === void 0 || value === null) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value;
-  }
-  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
-    return String(value);
-  }
-  return JSON.stringify(value);
-}
-function toEnv(graph, manifest, options = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
-  const output = {};
-  const resolvedEntries = Array.from(graph.entries.values()).sort(
-    (left, right) => left.key.localeCompare(right.key)
-  );
-  for (const entry of resolvedEntries) {
-    if (entry.namespace === "meta") {
-      continue;
-    }
-    if (!includeSecrets && entry.namespace === "secret") {
-      continue;
-    }
-    const envVar = logicalKeyToEnvVar(entry.key, manifest.envMapping) ?? fallbackLogicalKeyToEnvVar(entry.key);
-    output[envVar] = normalizeEnvValue(entry.value);
-  }
-  return output;
-}
-
 // ../core/src/runtime/toPublicEnv.ts
 function fallbackValueEnvVar(key) {
   return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -1338,23 +1380,23 @@ async function createCnos(options = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : import_node_path6.default.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : import_node_path7.default.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: import_node_path6.default.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: import_node_path7.default.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: import_node_path6.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: import_node_path7.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -1370,12 +1412,12 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = import_node_path6.default.resolve(options.to);
+  const root = import_node_path7.default.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = import_node_path6.default.join(root, file.path);
-    await (0, import_promises6.mkdir)(import_node_path6.default.dirname(destination), { recursive: true });
-    await (0, import_promises6.writeFile)(destination, file.content, "utf8");
+    const destination = import_node_path7.default.join(root, file.path);
+    await (0, import_promises7.mkdir)(import_node_path7.default.dirname(destination), { recursive: true });
+    await (0, import_promises7.writeFile)(destination, file.content, "utf8");
   }
   return {
     ...plan,
@@ -1383,55 +1425,10 @@ async function writeDump(graph, options) {
   };
 }
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-function isObject(value) {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && Object.keys(value).every((key) => ["provider", "ref"].includes(key));
-}
-function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
-}
-function resolveSecretStoreFile(storeRoot, ref) {
-  return import_node_path7.default.join(storeRoot, "store", ...ref.split("/")).concat(".json");
-}
-function deriveKey(passphrase, salt) {
-  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
-}
-function decryptDocument(document, passphrase) {
-  const salt = Buffer.from(document.salt, "base64");
-  const iv = Buffer.from(document.iv, "base64");
-  const tag = Buffer.from(document.tag, "base64");
-  const ciphertext = Buffer.from(document.ciphertext, "base64");
-  const key = deriveKey(passphrase, salt);
-  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
-  decipher.setAuthTag(tag);
-  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-  return plaintext.toString("utf8");
-}
-async function readLocalSecret(storeRoot, ref, passphrase) {
-  if (!passphrase) {
-    throw new CnosManifestError(
-      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
-    );
-  }
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
-  const source = await (0, import_promises7.readFile)(filePath, "utf8");
-  const document = JSON.parse(source);
-  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
-    throw new CnosManifestError("Invalid local secret document", filePath);
-  }
-  return decryptDocument(document, passphrase);
-}
-
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.0.1",
+  version: "1.1.2",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -1504,10 +1501,11 @@ var package_default = {
     yaml: "^2.8.3"
   },
   scripts: {
-    build: "tsup --config tsup.config.ts",
+    build: "rimraf dist && tsup --config tsup.config.ts",
     clean: "rimraf dist",
     dev: "tsup --config tsup.config.ts --watch",
     lint: "eslint src test",
+    prepack: "pnpm build",
     test: "vitest run",
     typecheck: "tsc -p tsconfig.json --noEmit"
   }
@@ -1825,13 +1823,15 @@ async function resolveSecretValue(value, processEnv) {
     return value;
   }
   if (value.provider === "local") {
-    if (!processEnv?.CNOS_SECRET_PASSPHRASE) {
+    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
+    if (!passphrase) {
       return value;
     }
     return readLocalSecret(
       resolveSecretStoreRoot(processEnv),
       value.ref,
-      processEnv?.CNOS_SECRET_PASSPHRASE
+      passphrase,
+      value.vault
     );
   }
   if (value.provider === "env") {

package/dist/index.js

@@ -1,23 +1,23 @@
 import {
   createBasicSchemaPlugin
-} from "./chunk-H65FPTDM.js";
+} from "./chunk-JQGGSNCL.js";
 import {
   createCliArgsPlugin
-} from "./chunk-GGYIRIGU.js";
+} from "./chunk-HOS4E7XO.js";
 import {
   createDotenvPlugin
-} from "./chunk-44JOQPSN.js";
+} from "./chunk-IQOUWY6T.js";
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "./chunk-ASZ7I3JJ.js";
+} from "./chunk-IHSV5AFX.js";
 import {
   createFilesystemSecretsPlugin,
   createFilesystemValuesPlugin
-} from "./chunk-KG6OZX5C.js";
+} from "./chunk-7FBRVJD6.js";
 import {
   createProcessEnvPlugin
-} from "./chunk-CGTFH4QQ.js";
+} from "./chunk-53HXUSM6.js";
 import {
   createCnos,
   createProvenanceInspector,
@@ -25,12 +25,12 @@ import {
   toEnv,
   toPublicEnv,
   writeDump
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.0.1",
+  version: "1.1.2",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -103,10 +103,11 @@ var package_default = {
     yaml: "^2.8.3"
   },
   scripts: {
-    build: "tsup --config tsup.config.ts",
+    build: "rimraf dist && tsup --config tsup.config.ts",
     clean: "rimraf dist",
     dev: "tsup --config tsup.config.ts --watch",
     lint: "eslint src test",
+    prepack: "pnpm build",
     test: "vitest run",
     typecheck: "tsc -p tsconfig.json --noEmit"
   }

package/dist/internal.cjs

@@ -30,10 +30,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/internal.ts
 var internal_exports = {};
 __export(internal_exports, {
+  createSecretVault: () => createSecretVault,
   flattenObject: () => flattenObject,
+  listSecretVaults: () => listSecretVaults,
   parseYaml: () => parseYaml,
   resolveConfigDocumentPath: () => resolveConfigDocumentPath,
+  resolveSecretPassphrase: () => resolveSecretPassphrase,
   resolveSecretStoreRoot: () => resolveSecretStoreRoot,
+  resolveSecretVaultFile: () => resolveSecretVaultFile,
   stringifyYaml: () => stringifyYaml,
   validateRuntime: () => validateRuntime,
   writeLocalSecret: () => writeLocalSecret
@@ -91,6 +95,85 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+function resolveSecretStoreRoot(processEnv = process.env) {
+  return import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+}
+function resolveSecretVaultFile(storeRoot, vault = "default") {
+  return import_node_path6.default.join(storeRoot, "vaults", `${vault}.json`);
+}
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return import_node_path6.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
+}
+function deriveKey(passphrase, salt) {
+  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
+}
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
+function encryptDocument(value, passphrase) {
+  const salt = (0, import_node_crypto.randomBytes)(16);
+  const iv = (0, import_node_crypto.randomBytes)(12);
+  const key = deriveKey(passphrase, salt);
+  const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    version: 1,
+    algorithm: "aes-256-gcm",
+    salt: salt.toString("base64"),
+    iv: iv.toString("base64"),
+    tag: tag.toString("base64"),
+    ciphertext: ciphertext.toString("base64")
+  };
+}
+async function createSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  await (0, import_promises6.mkdir)(import_node_path6.default.dirname(filePath), { recursive: true });
+  const document = {
+    version: 1,
+    name: normalizedVault,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    verifier: encryptDocument(`cnos-vault:${normalizedVault}`, passphrase)
+  };
+  await (0, import_promises6.writeFile)(filePath, JSON.stringify(document, null, 2), "utf8");
+  return filePath;
+}
+async function ensureSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+  try {
+    await (0, import_promises6.readFile)(filePath, "utf8");
+    return filePath;
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return createSecretVault(storeRoot, normalizedVault, passphrase);
+}
+async function listSecretVaults(storeRoot) {
+  const vaultRoot = import_node_path6.default.join(storeRoot, "vaults");
+  try {
+    const entries = await (0, import_promises6.readdir)(vaultRoot, { withFileTypes: true });
+    return entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => entry.name.replace(/\.json$/, "")).sort((left, right) => left.localeCompare(right));
+  } catch {
+    return [];
+  }
+}
+async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
+  await ensureSecretVault(storeRoot, vault, passphrase);
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
+  await (0, import_promises6.mkdir)(import_node_path6.default.dirname(filePath), { recursive: true });
+  await (0, import_promises6.writeFile)(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
+  return filePath;
+}
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -123,8 +206,8 @@ function logicalKeyToEnvVar(key, config = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
 
 // ../core/src/utils/flatten.ts
 function flattenObject(value, prefix = "") {
@@ -139,42 +222,6 @@ function flattenObject(value, prefix = "") {
   }, {});
 }
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
-}
-function resolveSecretStoreFile(storeRoot, ref) {
-  return import_node_path7.default.join(storeRoot, "store", ...ref.split("/")).concat(".json");
-}
-function deriveKey(passphrase, salt) {
-  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
-}
-function encryptDocument(value, passphrase) {
-  const salt = (0, import_node_crypto.randomBytes)(16);
-  const iv = (0, import_node_crypto.randomBytes)(12);
-  const key = deriveKey(passphrase, salt);
-  const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", key, iv);
-  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return {
-    version: 1,
-    algorithm: "aes-256-gcm",
-    salt: salt.toString("base64"),
-    iv: iv.toString("base64"),
-    tag: tag.toString("base64"),
-    ciphertext: ciphertext.toString("base64")
-  };
-}
-async function writeLocalSecret(storeRoot, ref, value, passphrase) {
-  const filePath = resolveSecretStoreFile(storeRoot, ref);
-  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(filePath), { recursive: true });
-  await (0, import_promises7.writeFile)(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
-  return filePath;
-}
-
 // ../core/src/validation/envMapping.ts
 function fallbackLogicalKeyToEnvVar(key) {
   return key.replace(/^(value|secret)\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -278,10 +325,14 @@ async function validateRuntime(runtime) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  createSecretVault,
   flattenObject,
+  listSecretVaults,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/internal.d.cts

@@ -8,13 +8,18 @@ declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'va
 interface SecretReference {
     provider: string;
     ref: string;
+    vault?: string;
 }
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
-declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string): Promise<string>;
+declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
+declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
+declare function listSecretVaults(storeRoot: string): Promise<string[]>;
+declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
 
 declare function parseYaml<T>(source: string): T;
 declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, flattenObject, parseYaml, resolveConfigDocumentPath, resolveSecretStoreRoot, stringifyYaml, validateRuntime, writeLocalSecret };
+export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.d.ts

@@ -8,13 +8,18 @@ declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'va
 interface SecretReference {
     provider: string;
     ref: string;
+    vault?: string;
 }
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
-declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string): Promise<string>;
+declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
+declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
+declare function listSecretVaults(storeRoot: string): Promise<string[]>;
+declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
 
 declare function parseYaml<T>(source: string): T;
 declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, flattenObject, parseYaml, resolveConfigDocumentPath, resolveSecretStoreRoot, stringifyYaml, validateRuntime, writeLocalSecret };
+export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.js

@@ -1,17 +1,25 @@
 import {
+  createSecretVault,
   flattenObject,
+  listSecretVaults,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret
-} from "./chunk-K2T4R5WH.js";
+} from "./chunk-33ZDYDQJ.js";
 export {
+  createSecretVault,
   flattenObject,
+  listSecretVaults,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveSecretPassphrase,
   resolveSecretStoreRoot,
+  resolveSecretVaultFile,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/plugin/basic-schema.cjs

@@ -205,12 +205,12 @@ function applySchemaRules(graph, schema) {
   };
 }
 
-// ../core/src/runtime/dump.ts
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
+// ../core/src/runtime/dump.ts
 var import_promises7 = require("fs/promises");
 var import_node_path7 = __toESM(require("path"), 1);
 

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-H65FPTDM.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-JQGGSNCL.js";
+import "../chunk-33ZDYDQJ.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.cjs

@@ -63,12 +63,12 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
-// ../core/src/runtime/dump.ts
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
+// ../core/src/runtime/dump.ts
 var import_promises7 = require("fs/promises");
 var import_node_path7 = __toESM(require("path"), 1);
 

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-GGYIRIGU.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-HOS4E7XO.js";
+import "../chunk-33ZDYDQJ.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.cjs

@@ -89,6 +89,11 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -122,11 +127,6 @@ function envVarToLogicalKey(envVar, config = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
-
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
 var import_promises7 = require("fs/promises");
 var import_node_path7 = __toESM(require("path"), 1);
 

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-44JOQPSN.js";
-import "../chunk-K2T4R5WH.js";
+} from "../chunk-IQOUWY6T.js";
+import "../chunk-33ZDYDQJ.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,