@kitsy/cnos 1.1.1 → 1.2.0

package/dist/{chunk-JPJ3S3CO.js → chunk-APCTXRUN.js}

@@ -1,8 +1,3 @@
-// ../core/src/utils/path.ts
-import { access } from "fs/promises";
-import os from "os";
-import path from "path";
-
 // ../core/src/errors.ts
 var CnosError = class extends Error {
   constructor(message) {
@@ -17,6 +12,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosSecurityError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosKeyNotFoundError = class extends CnosError {
   constructor(key) {
     super(`Missing required CNOS config key: ${key}`);
@@ -25,7 +25,43 @@ var CnosKeyNotFoundError = class extends CnosError {
   key;
 };
 
+// ../core/src/runtime/inspect.ts
+function inspectValue(graph, key) {
+  const entry = graph.entries.get(key);
+  if (!entry) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return {
+    key: entry.key,
+    value: entry.value,
+    namespace: entry.namespace,
+    profile: graph.profile,
+    profileSource: graph.profileSource,
+    workspace: {
+      id: graph.workspace.workspaceId,
+      source: graph.workspace.workspaceSource,
+      chain: graph.workspace.workspaceChain
+    },
+    winner: {
+      sourceId: entry.winner.sourceId,
+      pluginId: entry.winner.pluginId,
+      workspaceId: entry.winner.workspaceId,
+      ...entry.winner.origin ? { origin: entry.winner.origin } : {}
+    },
+    overridden: entry.overridden.map((override) => ({
+      sourceId: override.sourceId,
+      pluginId: override.pluginId,
+      workspaceId: override.workspaceId,
+      value: override.value,
+      ...override.origin ? { origin: override.origin } : {}
+    }))
+  };
+}
+
 // ../core/src/utils/path.ts
+import { access } from "fs/promises";
+import os from "os";
+import path from "path";
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
 async function exists(filePath) {
@@ -120,158 +156,282 @@ function stringifyYaml(value) {
   return stringify(value);
 }
 
-// ../core/src/utils/envNaming.ts
-function normalizeMappingConfig(config = {}) {
-  return {
-    convention: config.convention,
-    explicit: config.explicit ?? {}
-  };
-}
-function toScreamingSnakeSegment(segment) {
-  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
-function toScreamingSnake(path8) {
-  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
-}
-function fromScreamingSnake(path8) {
-  return path8.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
-}
-function logicalKeyToEnvVar(key, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
-  if (explicitEntry) {
-    return explicitEntry[0];
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
-  }
-  if (key.startsWith("value.")) {
-    return toScreamingSnake(key.slice("value.".length));
-  }
-  if (key.startsWith("secret.")) {
-    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
-  }
-  return void 0;
-}
-function envVarToLogicalKey(envVar, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitMatch = normalized.explicit[envVar];
-  if (explicitMatch) {
-    return explicitMatch;
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
+// ../core/src/manifest/loadManifest.ts
+import { readFile } from "fs/promises";
+import path2 from "path";
+
+// ../core/src/manifest/normalizeManifest.ts
+var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
+var DEFAULT_LOADERS = [
+  "filesystem-values",
+  "filesystem-secrets",
+  "dotenv",
+  "process-env",
+  "cli-args"
+];
+var DEFAULT_VALIDATORS = ["basic-schema"];
+var DEFAULT_EXPORTERS = ["env", "public-env"];
+var DEFAULT_INSPECTORS = ["provenance"];
+var DEFAULT_FRAMEWORK_PREFIXES = {
+  next: "NEXT_PUBLIC_",
+  vite: "VITE_",
+  nuxt: "NUXT_PUBLIC_"
+};
+var DEFAULT_NAMESPACES = {
+  value: {
+    kind: "data",
+    shareable: true
+  },
+  secret: {
+    kind: "data",
+    shareable: false,
+    sensitive: true
+  },
+  meta: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  public: {
+    kind: "projection",
+    source: "promote",
+    shareable: true,
+    readonly: true
+  },
+  env: {
+    kind: "projection",
+    source: "envMapping",
+    shareable: true,
+    readonly: true
   }
-  if (envVar.startsWith("SECRET_")) {
-    const stripped = envVar.slice("SECRET_".length);
-    if (!stripped) {
-      return void 0;
+};
+function validateResolveFrom(resolveFrom) {
+  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
+  for (const entry of resolveFrom) {
+    if (!validValues.includes(entry)) {
+      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
     }
-    return `secret.${fromScreamingSnake(stripped)}`;
   }
-  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
-    return void 0;
-  }
-  return `value.${fromScreamingSnake(envVar)}`;
+  return resolveFrom;
 }
-
-// ../core/src/runtime/toEnv.ts
-function fallbackLogicalKeyToEnvVar(key) {
-  if (key.startsWith("value.")) {
-    return key.slice("value.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  }
-  if (key.startsWith("secret.")) {
-    const normalized = key.slice("secret.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-    return `SECRET_${normalized}`;
-  }
-  return key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+function normalizeWorkspaceItems(items) {
+  return Object.fromEntries(
+    Object.entries(items ?? {}).map(([workspaceId, item]) => [
+      workspaceId,
+      {
+        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
+        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
+      }
+    ])
+  );
 }
-function normalizeEnvValue(value) {
-  if (value === void 0 || value === null) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value;
-  }
-  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
-    return String(value);
-  }
-  return JSON.stringify(value);
+function normalizeNamespaces(namespaces) {
+  const normalized = Object.fromEntries(
+    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+      namespace,
+      {
+        kind: definition.kind ?? "data",
+        shareable: definition.shareable ?? false,
+        ...definition.sensitive !== void 0 ? { sensitive: definition.sensitive } : {},
+        ...definition.readonly !== void 0 ? { readonly: definition.readonly } : {},
+        ...definition.source ? { source: definition.source } : {}
+      }
+    ])
+  );
+  return {
+    ...DEFAULT_NAMESPACES,
+    ...normalized
+  };
 }
-function toEnv(graph, manifest, options = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
-  const output = {};
-  const resolvedEntries = Array.from(graph.entries.values()).sort(
-    (left, right) => left.key.localeCompare(right.key)
+function normalizeVaults(vaults) {
+  return Object.fromEntries(
+    Object.entries(vaults ?? {}).map(([name, definition]) => {
+      const provider = definition.provider?.trim();
+      if (!provider) {
+        throw new CnosManifestError(`Vault "${name}" requires a provider`);
+      }
+      return [
+        name,
+        {
+          provider,
+          ...definition.passphrase?.trim() ? {
+            passphrase: definition.passphrase.trim()
+          } : {}
+        }
+      ];
+    })
   );
-  for (const entry of resolvedEntries) {
-    if (entry.namespace === "meta") {
-      continue;
-    }
-    if (!includeSecrets && entry.namespace === "secret") {
-      continue;
-    }
-    const envVar = logicalKeyToEnvVar(entry.key, manifest.envMapping) ?? fallbackLogicalKeyToEnvVar(entry.key);
-    output[envVar] = normalizeEnvValue(entry.value);
+}
+function normalizeManifest(manifest) {
+  const version = manifest.version ?? 1;
+  if (version !== 1) {
+    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
   }
-  return output;
+  const projectName = manifest.project?.name?.trim();
+  if (!projectName) {
+    throw new CnosManifestError("Manifest requires project.name");
+  }
+  const defaultProfile = manifest.profiles?.default?.trim() || "base";
+  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
+  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const filesystemValues = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-values"] ?? {}
+  };
+  const filesystemSecrets = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-secrets"] ?? {}
+  };
+  const dotenv = {
+    root: "./env",
+    ...manifest.sources?.dotenv ?? {}
+  };
+  return {
+    version: 1,
+    project: {
+      name: projectName
+    },
+    workspaces: {
+      ...manifest.workspaces?.default?.trim() ? {
+        default: manifest.workspaces.default.trim()
+      } : {},
+      global: {
+        enabled: manifest.workspaces?.global?.enabled ?? false,
+        ...manifest.workspaces?.global?.root?.trim() ? {
+          root: manifest.workspaces.global.root.trim()
+        } : {},
+        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
+      },
+      items: workspaceItems
+    },
+    profiles: {
+      default: defaultProfile,
+      resolveFrom
+    },
+    plugins: {
+      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
+      resolver: manifest.plugins?.resolver ?? "profile-aware",
+      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
+      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
+      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
+    },
+    sources: {
+      ...manifest.sources ?? {},
+      "filesystem-values": filesystemValues,
+      "filesystem-secrets": filesystemSecrets,
+      dotenv
+    },
+    resolution: {
+      precedence: manifest.resolution?.precedence ?? [
+        "filesystem-values",
+        "filesystem-secrets",
+        "dotenv",
+        "process-env",
+        "cli-args"
+      ],
+      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
+    },
+    envMapping: {
+      ...manifest.envMapping?.convention ? {
+        convention: manifest.envMapping.convention
+      } : {},
+      explicit: manifest.envMapping?.explicit ?? {}
+    },
+    public: {
+      promote: manifest.public?.promote ?? [],
+      frameworks: {
+        ...DEFAULT_FRAMEWORK_PREFIXES,
+        ...manifest.public?.frameworks ?? {}
+      }
+    },
+    namespaces: normalizeNamespaces(manifest.namespaces),
+    vaults: normalizeVaults(manifest.vaults),
+    writePolicy: {
+      define: {
+        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
+        targets: {
+          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
+          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
+        }
+      }
+    },
+    schema: manifest.schema ?? {}
+  };
 }
 
-// ../core/src/runtime/toPublicEnv.ts
-function fallbackValueEnvVar(key) {
-  return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
-function normalizeEnvValue2(value) {
-  if (value === void 0 || value === null) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value;
+// ../core/src/manifest/loadManifest.ts
+async function loadManifest(options = {}) {
+  const manifestRoot = await resolveManifestRoot(options.root);
+  const manifestPath = path2.join(manifestRoot, "cnos.yml");
+  let source;
+  try {
+    source = await readFile(manifestPath, "utf8");
+  } catch {
+    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
-  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
-    return String(value);
+  const rawManifest = parseYaml(source);
+  if (!rawManifest || typeof rawManifest !== "object") {
+    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
   }
-  return JSON.stringify(value);
+  return {
+    manifestRoot,
+    repoRoot: path2.dirname(manifestRoot),
+    manifestPath,
+    manifest: normalizeManifest(rawManifest),
+    rawManifest
+  };
 }
-function resolvePublicPrefix(manifest, options) {
-  if (options.prefix) {
-    return options.prefix;
+
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
   }
-  if (!options.framework) {
-    return "";
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+function ensureProjectionAllowed(manifest, key, target) {
+  const namespace = getNamespaceNameForKey(key);
+  const definition = getNamespaceDefinition(manifest, namespace);
+  if (definition.kind !== "data") {
+    throw new CnosManifestError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not a data namespace.`
+    );
   }
-  const configuredPrefix = manifest.public.frameworks[options.framework];
-  if (!configuredPrefix) {
-    throw new CnosManifestError(`Unknown public framework prefix: ${options.framework}`);
+  if (definition.sensitive) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
+    );
   }
-  return configuredPrefix;
-}
-function ensurePublicPromotionKey(key) {
-  if (!key.startsWith("value.")) {
-    throw new CnosManifestError(`public.promote may only contain value.* keys: ${key}`);
+  if (!definition.shareable) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not shareable.`
+    );
   }
 }
-function toPublicEnv(graph, manifest, options = {}) {
-  const prefix = resolvePublicPrefix(manifest, options);
-  const output = {};
-  const promotions = [...manifest.public.promote].sort((left, right) => left.localeCompare(right));
-  for (const key of promotions) {
-    ensurePublicPromotionKey(key);
-    const resolved = graph.entries.get(key);
-    if (!resolved) {
-      continue;
-    }
-    const baseEnvVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? fallbackValueEnvVar(key);
-    const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
-    output[envVar] = normalizeEnvValue2(resolved.value);
+function validateProjectionIssue(manifest, key, target) {
+  try {
+    ensureProjectionAllowed(manifest, key, target);
+    return void 0;
+  } catch (error) {
+    return {
+      code: target === "public" ? "public.invalid-promotion" : "env.invalid-mapping",
+      key,
+      message: error instanceof Error ? error.message : String(error)
+    };
   }
-  return output;
 }
 
-// ../core/src/runtime/dump.ts
-import { mkdir, writeFile } from "fs/promises";
-import path2 from "path";
-
 // ../core/src/runtime/projection.ts
 function setNestedValue(target, pathSegments, value) {
   const [head, ...tail] = pathSegments;
@@ -302,66 +462,29 @@ function toNamespaceObject(graph, namespace) {
   return output;
 }
 
-// ../core/src/runtime/dump.ts
-function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : path2.posix.join("workspaces", graph.workspace.workspaceId);
-  const values = toNamespaceObject(graph, "value");
-  const secrets = toNamespaceObject(graph, "secret");
-  const files = [];
-  if (Object.keys(values).length > 0) {
-    files.push({
-      path: path2.posix.join(basePath, "values", graph.profile, "app.yml"),
-      namespace: "value",
-      content: stringifyYaml(values)
-    });
-  }
-  if (Object.keys(secrets).length > 0) {
-    files.push({
-      path: path2.posix.join(basePath, "secrets", graph.profile, "app.yml"),
-      namespace: "secret",
-      content: stringifyYaml(secrets)
-    });
-  }
-  return files.sort((left, right) => left.path.localeCompare(right.path));
-}
-function planDump(graph, options = {}) {
-  return {
-    workspaceId: graph.workspace.workspaceId,
-    profile: graph.profile,
-    flatten: options.flatten ?? false,
-    files: buildDumpFiles(graph, options)
-  };
+// ../core/src/runtime/read.ts
+function readValue(graph, key) {
+  return graph.entries.get(key)?.value;
 }
-async function writeDump(graph, options) {
-  const root = path2.resolve(options.to);
-  const plan = planDump(graph, options);
-  for (const file of plan.files) {
-    const destination = path2.join(root, file.path);
-    await mkdir(path2.dirname(destination), { recursive: true });
-    await writeFile(destination, file.content, "utf8");
-  }
-  return {
-    ...plan,
-    root
-  };
+
+// ../core/src/runtime/readOr.ts
+function readOrValue(graph, key, fallback) {
+  const value = readValue(graph, key);
+  return value === void 0 ? fallback : value;
 }
 
-// ../core/src/utils/flatten.ts
-function flattenObject(value, prefix = "") {
-  return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
-    const nextKey = prefix ? `${prefix}.${key}` : key;
-    if (nestedValue && typeof nestedValue === "object" && !Array.isArray(nestedValue)) {
-      Object.assign(accumulator, flattenObject(nestedValue, nextKey));
-      return accumulator;
-    }
-    accumulator[nextKey] = nestedValue;
-    return accumulator;
-  }, {});
+// ../core/src/runtime/require.ts
+function requireValue(graph, key) {
+  const value = readValue(graph, key);
+  if (value === void 0) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return value;
 }
 
 // ../core/src/utils/secretStore.ts
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { mkdir as mkdir2, readdir, readFile, writeFile as writeFile2 } from "fs/promises";
+import { mkdir, readdir, readFile as readFile2, writeFile } from "fs/promises";
 import path3 from "path";
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
@@ -385,6 +508,38 @@ function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
   const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
   return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
 }
+function getVaultPassphraseEnvVar(vault = "default") {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return vaultToken && vaultToken !== "DEFAULT" ? `CNOS_SECRET_PASSPHRASE_${vaultToken}` : "CNOS_SECRET_PASSPHRASE";
+}
+function isPassphraseEnvRef(value) {
+  return typeof value === "string" && value.startsWith("env:") && value.length > 4;
+}
+function resolveConfiguredVaultPassphrase(definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return void 0;
+  }
+  const passphraseRef = definition.passphrase;
+  if (typeof passphraseRef === "string" && passphraseRef.startsWith("env:") && passphraseRef.length > 4) {
+    return processEnv[passphraseRef.slice(4)];
+  }
+  if (passphraseRef) {
+    return passphraseRef;
+  }
+  return resolveSecretPassphrase(vault, processEnv);
+}
+function resolveVaultDefinition(vaults, vault = "default") {
+  const definition = vaults?.[vault];
+  const provider = definition?.provider ?? "local";
+  return {
+    name: vault,
+    provider,
+    ...definition?.passphrase ? {
+      passphrase: definition.passphrase
+    } : {},
+    requiresPassphrase: provider === "local"
+  };
+}
 function encryptDocument(value, passphrase) {
   const salt = randomBytes(16);
   const iv = randomBytes(12);
@@ -415,21 +570,21 @@ function decryptDocument(document, passphrase) {
 async function createSecretVault(storeRoot, vault, passphrase) {
   const normalizedVault = vault.trim() || "default";
   const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
-  await mkdir2(path3.dirname(filePath), { recursive: true });
+  await mkdir(path3.dirname(filePath), { recursive: true });
   const document = {
     version: 1,
     name: normalizedVault,
     createdAt: (/* @__PURE__ */ new Date()).toISOString(),
     verifier: encryptDocument(`cnos-vault:${normalizedVault}`, passphrase)
   };
-  await writeFile2(filePath, JSON.stringify(document, null, 2), "utf8");
+  await writeFile(filePath, JSON.stringify(document, null, 2), "utf8");
   return filePath;
 }
 async function ensureSecretVault(storeRoot, vault, passphrase) {
   const normalizedVault = vault.trim() || "default";
   const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
   try {
-    await readFile(filePath, "utf8");
+    await readFile2(filePath, "utf8");
     return filePath;
   } catch (error) {
     if (error.code !== "ENOENT") {
@@ -450,8 +605,8 @@ async function listSecretVaults(storeRoot) {
 async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
   await ensureSecretVault(storeRoot, vault, passphrase);
   const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  await mkdir2(path3.dirname(filePath), { recursive: true });
-  await writeFile2(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
+  await mkdir(path3.dirname(filePath), { recursive: true });
+  await writeFile(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
   return filePath;
 }
 async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
@@ -461,16 +616,210 @@ async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
     );
   }
   const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  const source = await readFile(filePath, "utf8");
+  const source = await readFile2(filePath, "utf8");
   const document = JSON.parse(source);
   if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
     throw new CnosManifestError("Invalid local secret document", filePath);
   }
-  return decryptDocument(document, passphrase);
+  return decryptDocument(document, passphrase);
+}
+
+// ../core/src/runtime/toEnv.ts
+function normalizeEnvValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function toEnv(graph, manifest, options = {}) {
+  const includeSecrets = options.includeSecrets ?? true;
+  const output = {};
+  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
+    ([left], [right]) => left.localeCompare(right)
+  );
+  for (const [envVar, logicalKey] of mappedEntries) {
+    const entry = graph.entries.get(logicalKey);
+    if (!entry) {
+      continue;
+    }
+    const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
+    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
+      continue;
+    }
+    if (entry.namespace === "secret" && !includeSecrets) {
+      continue;
+    }
+    if (isSecretReference(entry.value)) {
+      continue;
+    }
+    output[envVar] = normalizeEnvValue(entry.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/toPublicEnv.ts
+function fallbackPublicEnvVar(valuePath) {
+  return valuePath.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function normalizeEnvValue2(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function resolvePublicPrefix(manifest, options) {
+  if (options.prefix) {
+    return options.prefix;
+  }
+  if (!options.framework) {
+    return "";
+  }
+  const configuredPrefix = manifest.public.frameworks[options.framework];
+  if (!configuredPrefix) {
+    throw new CnosManifestError(`Unknown public framework prefix: ${options.framework}`);
+  }
+  return configuredPrefix;
+}
+function toPublicEnv(graph, manifest, options = {}) {
+  const prefix = resolvePublicPrefix(manifest, options);
+  const output = {};
+  const promotions = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").sort((left, right) => left.key.localeCompare(right.key));
+  for (const resolved of promotions) {
+    const baseEnvVar = fallbackPublicEnvVar(stripNamespace(resolved.key));
+    const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
+    output[envVar] = normalizeEnvValue2(resolved.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/dump.ts
+import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import path4 from "path";
+function buildDumpFiles(graph, options = {}) {
+  const basePath = options.flatten ? "" : path4.posix.join("workspaces", graph.workspace.workspaceId);
+  const values = toNamespaceObject(graph, "value");
+  const secrets = toNamespaceObject(graph, "secret");
+  const files = [];
+  if (Object.keys(values).length > 0) {
+    files.push({
+      path: path4.posix.join(basePath, "values", graph.profile, "app.yml"),
+      namespace: "value",
+      content: stringifyYaml(values)
+    });
+  }
+  if (Object.keys(secrets).length > 0) {
+    files.push({
+      path: path4.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      namespace: "secret",
+      content: stringifyYaml(secrets)
+    });
+  }
+  return files.sort((left, right) => left.path.localeCompare(right.path));
+}
+function planDump(graph, options = {}) {
+  return {
+    workspaceId: graph.workspace.workspaceId,
+    profile: graph.profile,
+    flatten: options.flatten ?? false,
+    files: buildDumpFiles(graph, options)
+  };
+}
+async function writeDump(graph, options) {
+  const root = path4.resolve(options.to);
+  const plan = planDump(graph, options);
+  for (const file of plan.files) {
+    const destination = path4.join(root, file.path);
+    await mkdir2(path4.dirname(destination), { recursive: true });
+    await writeFile2(destination, file.content, "utf8");
+  }
+  return {
+    ...plan,
+    root
+  };
+}
+
+// ../core/src/utils/flatten.ts
+function flattenObject(value, prefix = "") {
+  return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
+    const nextKey = prefix ? `${prefix}.${key}` : key;
+    if (nestedValue && typeof nestedValue === "object" && !Array.isArray(nestedValue)) {
+      Object.assign(accumulator, flattenObject(nestedValue, nextKey));
+      return accumulator;
+    }
+    accumulator[nextKey] = nestedValue;
+    return accumulator;
+  }, {});
+}
+
+// ../core/src/utils/envNaming.ts
+function normalizeMappingConfig(config = {}) {
+  return {
+    convention: config.convention,
+    explicit: config.explicit ?? {}
+  };
+}
+function toScreamingSnakeSegment(segment) {
+  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function toScreamingSnake(path8) {
+  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+}
+function fromScreamingSnake(path8) {
+  return path8.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+}
+function logicalKeyToEnvVar(key, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
+  if (explicitEntry) {
+    return explicitEntry[0];
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (key.startsWith("value.")) {
+    return toScreamingSnake(key.slice("value.".length));
+  }
+  if (key.startsWith("secret.")) {
+    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
+  }
+  return void 0;
+}
+function envVarToLogicalKey(envVar, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitMatch = normalized.explicit[envVar];
+  if (explicitMatch) {
+    return explicitMatch;
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (envVar.startsWith("SECRET_")) {
+    const stripped = envVar.slice("SECRET_".length);
+    if (!stripped) {
+      return void 0;
+    }
+    return `secret.${fromScreamingSnake(stripped)}`;
+  }
+  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
+    return void 0;
+  }
+  return `value.${fromScreamingSnake(envVar)}`;
 }
 
 // ../core/src/validation/envMapping.ts
-function fallbackLogicalKeyToEnvVar2(key) {
+function fallbackLogicalKeyToEnvVar(key) {
   return key.replace(/^(value|secret)\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
 function validateEnvMappingCollisions(manifest, graph) {
@@ -482,10 +831,11 @@ function validateEnvMappingCollisions(manifest, graph) {
   ]);
   const collisions = /* @__PURE__ */ new Map();
   for (const key of candidates) {
-    if (key.startsWith("meta.")) {
+    const definition = getNamespaceDefinition(manifest, key);
+    if (definition.kind !== "data") {
       continue;
     }
-    const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar2(key) : void 0);
+    const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar(key) : void 0);
     if (!envVar) {
       continue;
     }
@@ -501,11 +851,7 @@ function validateEnvMappingCollisions(manifest, graph) {
 
 // ../core/src/validation/publicSafety.ts
 function validatePublicSafety(manifest) {
-  return manifest.public.promote.filter((key) => !key.startsWith("value.")).map((key) => ({
-    code: "public.invalid-promotion",
-    key,
-    message: `public.promote may only include value.* keys: ${key}`
-  }));
+  return manifest.public.promote.map((key) => validateProjectionIssue(manifest, key, "public")).filter((issue) => Boolean(issue));
 }
 
 // ../core/src/validation/workspaceSafety.ts
@@ -571,39 +917,6 @@ async function validateRuntime(runtime) {
   };
 }
 
-// ../core/src/runtime/inspect.ts
-function inspectValue(graph, key) {
-  const entry = graph.entries.get(key);
-  if (!entry) {
-    throw new CnosKeyNotFoundError(key);
-  }
-  return {
-    key: entry.key,
-    value: entry.value,
-    namespace: entry.namespace,
-    profile: graph.profile,
-    profileSource: graph.profileSource,
-    workspace: {
-      id: graph.workspace.workspaceId,
-      source: graph.workspace.workspaceSource,
-      chain: graph.workspace.workspaceChain
-    },
-    winner: {
-      sourceId: entry.winner.sourceId,
-      pluginId: entry.winner.pluginId,
-      workspaceId: entry.winner.workspaceId,
-      ...entry.winner.origin ? { origin: entry.winner.origin } : {}
-    },
-    overridden: entry.overridden.map((override) => ({
-      sourceId: override.sourceId,
-      pluginId: override.pluginId,
-      workspaceId: override.workspaceId,
-      value: override.value,
-      ...override.origin ? { origin: override.origin } : {}
-    }))
-  };
-}
-
 // ../core/src/inspectors/provenance.ts
 function createProvenanceInspector() {
   return {
@@ -615,167 +928,6 @@ function createProvenanceInspector() {
   };
 }
 
-// ../core/src/manifest/loadManifest.ts
-import { readFile as readFile2 } from "fs/promises";
-import path4 from "path";
-
-// ../core/src/manifest/normalizeManifest.ts
-var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
-var DEFAULT_LOADERS = [
-  "filesystem-values",
-  "filesystem-secrets",
-  "dotenv",
-  "process-env",
-  "cli-args"
-];
-var DEFAULT_VALIDATORS = ["basic-schema"];
-var DEFAULT_EXPORTERS = ["env", "public-env"];
-var DEFAULT_INSPECTORS = ["provenance"];
-var DEFAULT_FRAMEWORK_PREFIXES = {
-  next: "NEXT_PUBLIC_",
-  vite: "VITE_",
-  nuxt: "NUXT_PUBLIC_"
-};
-function validateResolveFrom(resolveFrom) {
-  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
-  for (const entry of resolveFrom) {
-    if (!validValues.includes(entry)) {
-      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
-    }
-  }
-  return resolveFrom;
-}
-function normalizeWorkspaceItems(items) {
-  return Object.fromEntries(
-    Object.entries(items ?? {}).map(([workspaceId, item]) => [
-      workspaceId,
-      {
-        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
-        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
-      }
-    ])
-  );
-}
-function normalizeManifest(manifest) {
-  const version = manifest.version ?? 1;
-  if (version !== 1) {
-    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
-  }
-  const projectName = manifest.project?.name?.trim();
-  if (!projectName) {
-    throw new CnosManifestError("Manifest requires project.name");
-  }
-  const defaultProfile = manifest.profiles?.default?.trim() || "base";
-  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
-  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
-  const filesystemValues = {
-    root: "./",
-    format: "yaml",
-    ...manifest.sources?.["filesystem-values"] ?? {}
-  };
-  const filesystemSecrets = {
-    root: "./",
-    format: "yaml",
-    ...manifest.sources?.["filesystem-secrets"] ?? {}
-  };
-  const dotenv = {
-    root: "./env",
-    ...manifest.sources?.dotenv ?? {}
-  };
-  return {
-    version: 1,
-    project: {
-      name: projectName
-    },
-    workspaces: {
-      ...manifest.workspaces?.default?.trim() ? {
-        default: manifest.workspaces.default.trim()
-      } : {},
-      global: {
-        enabled: manifest.workspaces?.global?.enabled ?? false,
-        ...manifest.workspaces?.global?.root?.trim() ? {
-          root: manifest.workspaces.global.root.trim()
-        } : {},
-        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
-      },
-      items: workspaceItems
-    },
-    profiles: {
-      default: defaultProfile,
-      resolveFrom
-    },
-    plugins: {
-      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
-      resolver: manifest.plugins?.resolver ?? "profile-aware",
-      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
-      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
-      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
-    },
-    sources: {
-      ...manifest.sources ?? {},
-      "filesystem-values": filesystemValues,
-      "filesystem-secrets": filesystemSecrets,
-      dotenv
-    },
-    resolution: {
-      precedence: manifest.resolution?.precedence ?? [
-        "filesystem-values",
-        "filesystem-secrets",
-        "dotenv",
-        "process-env",
-        "cli-args"
-      ],
-      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
-    },
-    envMapping: {
-      ...manifest.envMapping?.convention ? {
-        convention: manifest.envMapping.convention
-      } : {},
-      explicit: manifest.envMapping?.explicit ?? {}
-    },
-    public: {
-      promote: manifest.public?.promote ?? [],
-      frameworks: {
-        ...DEFAULT_FRAMEWORK_PREFIXES,
-        ...manifest.public?.frameworks ?? {}
-      }
-    },
-    writePolicy: {
-      define: {
-        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
-        targets: {
-          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
-          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
-        }
-      }
-    },
-    schema: manifest.schema ?? {}
-  };
-}
-
-// ../core/src/manifest/loadManifest.ts
-async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = path4.join(manifestRoot, "cnos.yml");
-  let source;
-  try {
-    source = await readFile2(manifestPath, "utf8");
-  } catch {
-    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
-  }
-  const rawManifest = parseYaml(source);
-  if (!rawManifest || typeof rawManifest !== "object") {
-    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
-  }
-  return {
-    manifestRoot,
-    repoRoot: path4.dirname(manifestRoot),
-    manifestPath,
-    manifest: normalizeManifest(rawManifest),
-    rawManifest
-  };
-}
-
 // ../core/src/manifest/loadWorkspaceFile.ts
 import { readFile as readFile3 } from "fs/promises";
 import path5 from "path";
@@ -943,6 +1095,50 @@ async function expandProfileChain(activeProfile, options = {}) {
   };
 }
 
+// ../core/src/promotions/promoteToPublic.ts
+function toPublicKey(key) {
+  const namespace = getNamespaceNameForKey(key);
+  return namespace === "value" ? `public.${stripNamespace(key)}` : `public.${key}`;
+}
+function toPromotedConfigEntry(entry, key, promotedFrom) {
+  return {
+    ...entry,
+    key,
+    namespace: "public",
+    sourceId: "public-promote",
+    pluginId: "core",
+    metadata: {
+      ...entry.metadata ?? {},
+      promotedFrom
+    }
+  };
+}
+function toPromotedResolvedEntry(entry) {
+  const key = toPublicKey(entry.key);
+  return {
+    key,
+    value: entry.value,
+    namespace: "public",
+    winner: toPromotedConfigEntry(entry.winner, key, entry.key),
+    overridden: entry.overridden.map((override) => toPromotedConfigEntry(override, key, entry.key))
+  };
+}
+function promoteToPublic(graph, manifest) {
+  const entries = new Map(graph.entries);
+  for (const key of manifest.public.promote) {
+    ensureProjectionAllowed(manifest, key, "public");
+    const resolved = graph.entries.get(key);
+    if (!resolved) {
+      continue;
+    }
+    entries.set(toPublicKey(key), toPromotedResolvedEntry(resolved));
+  }
+  return {
+    ...graph,
+    entries
+  };
+}
+
 // ../core/src/profiles/resolveActiveProfile.ts
 function resolveActiveProfile(manifest, options = {}) {
   for (const source of manifest.profiles.resolveFrom) {
@@ -1377,26 +1573,6 @@ async function runPipeline(options) {
   return collectedEntries.flat();
 }
 
-// ../core/src/runtime/read.ts
-function readValue(graph, key) {
-  return graph.entries.get(key)?.value;
-}
-
-// ../core/src/runtime/readOr.ts
-function readOrValue(graph, key, fallback) {
-  const value = readValue(graph, key);
-  return value === void 0 ? fallback : value;
-}
-
-// ../core/src/runtime/require.ts
-function requireValue(graph, key) {
-  const value = readValue(graph, key);
-  if (value === void 0) {
-    throw new CnosKeyNotFoundError(key);
-  }
-  return value;
-}
-
 // ../core/src/orchestrator/runtime.ts
 function createRuntime(manifest, graph, plugins = []) {
   return {
@@ -1534,6 +1710,9 @@ function appendMetaEntries(graph, cnosVersion) {
 }
 async function createCnos(options = {}) {
   const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  for (const key of loadedManifest.manifest.public.promote) {
+    ensureProjectionAllowed(loadedManifest.manifest, key, "public");
+  }
   const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
@@ -1573,10 +1752,11 @@ async function createCnos(options = {}) {
     workspace
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
+  const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
-      ...schemaApplied.graph,
+      ...promotedGraph,
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins
@@ -1585,28 +1765,42 @@ async function createCnos(options = {}) {
 
 export {
   CnosManifestError,
+  CnosSecurityError,
+  inspectValue,
   createProvenanceInspector,
+  resolveManifestRoot,
   resolveWorkspaceScopedPath,
   resolveConfigDocumentPath,
   toPortablePath,
   joinConfigPath,
+  toLogicalKey,
   parseYaml,
   stringifyYaml,
+  loadManifest,
+  ensureProjectionAllowed,
   applySchemaRules,
-  envVarToLogicalKey,
-  toEnv,
-  toPublicEnv,
-  createCnos,
-  planDump,
-  writeDump,
-  flattenObject,
+  toNamespaceObject,
+  readValue,
+  readOrValue,
+  requireValue,
   isSecretReference,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
   resolveSecretPassphrase,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
+  resolveConfiguredVaultPassphrase,
+  resolveVaultDefinition,
   createSecretVault,
   listSecretVaults,
   writeLocalSecret,
   readLocalSecret,
+  toEnv,
+  toPublicEnv,
+  createCnos,
+  planDump,
+  writeDump,
+  envVarToLogicalKey,
+  flattenObject,
   validateRuntime
 };