@kitsy/cnos 1.1.1 → 1.2.0

package/dist/index.cjs

@@ -33,6 +33,7 @@ __export(index_exports, {
   createCnos: () => createCnos2,
   defaultPlugins: () => defaultPlugins,
   planDump: () => planDump,
+  resolveBrowserData: () => resolveBrowserData,
   toEnv: () => toEnv,
   toPublicEnv: () => toPublicEnv,
   writeDump: () => writeDump
@@ -53,6 +54,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosSecurityError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosKeyNotFoundError = class extends CnosError {
   constructor(key) {
     super(`Missing required CNOS config key: ${key}`);
@@ -212,6 +218,34 @@ var DEFAULT_FRAMEWORK_PREFIXES = {
   vite: "VITE_",
   nuxt: "NUXT_PUBLIC_"
 };
+var DEFAULT_NAMESPACES = {
+  value: {
+    kind: "data",
+    shareable: true
+  },
+  secret: {
+    kind: "data",
+    shareable: false,
+    sensitive: true
+  },
+  meta: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  public: {
+    kind: "projection",
+    source: "promote",
+    shareable: true,
+    readonly: true
+  },
+  env: {
+    kind: "projection",
+    source: "envMapping",
+    shareable: true,
+    readonly: true
+  }
+};
 function validateResolveFrom(resolveFrom) {
   const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
   for (const entry of resolveFrom) {
@@ -232,6 +266,43 @@ function normalizeWorkspaceItems(items) {
     ])
   );
 }
+function normalizeNamespaces(namespaces) {
+  const normalized = Object.fromEntries(
+    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+      namespace,
+      {
+        kind: definition.kind ?? "data",
+        shareable: definition.shareable ?? false,
+        ...definition.sensitive !== void 0 ? { sensitive: definition.sensitive } : {},
+        ...definition.readonly !== void 0 ? { readonly: definition.readonly } : {},
+        ...definition.source ? { source: definition.source } : {}
+      }
+    ])
+  );
+  return {
+    ...DEFAULT_NAMESPACES,
+    ...normalized
+  };
+}
+function normalizeVaults(vaults) {
+  return Object.fromEntries(
+    Object.entries(vaults ?? {}).map(([name, definition]) => {
+      const provider = definition.provider?.trim();
+      if (!provider) {
+        throw new CnosManifestError(`Vault "${name}" requires a provider`);
+      }
+      return [
+        name,
+        {
+          provider,
+          ...definition.passphrase?.trim() ? {
+            passphrase: definition.passphrase.trim()
+          } : {}
+        }
+      ];
+    })
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -316,6 +387,8 @@ function normalizeManifest(manifest) {
         ...manifest.public?.frameworks ?? {}
       }
     },
+    namespaces: normalizeNamespaces(manifest.namespaces),
+    vaults: normalizeVaults(manifest.vaults),
     writePolicy: {
       define: {
         defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
@@ -519,6 +592,86 @@ async function expandProfileChain(activeProfile, options = {}) {
   };
 }
 
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
+  }
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+function ensureProjectionAllowed(manifest, key, target) {
+  const namespace = getNamespaceNameForKey(key);
+  const definition = getNamespaceDefinition(manifest, namespace);
+  if (definition.kind !== "data") {
+    throw new CnosManifestError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not a data namespace.`
+    );
+  }
+  if (definition.sensitive) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
+    );
+  }
+  if (!definition.shareable) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not shareable.`
+    );
+  }
+}
+
+// ../core/src/promotions/promoteToPublic.ts
+function toPublicKey(key) {
+  const namespace = getNamespaceNameForKey(key);
+  return namespace === "value" ? `public.${stripNamespace(key)}` : `public.${key}`;
+}
+function toPromotedConfigEntry(entry, key, promotedFrom) {
+  return {
+    ...entry,
+    key,
+    namespace: "public",
+    sourceId: "public-promote",
+    pluginId: "core",
+    metadata: {
+      ...entry.metadata ?? {},
+      promotedFrom
+    }
+  };
+}
+function toPromotedResolvedEntry(entry) {
+  const key = toPublicKey(entry.key);
+  return {
+    key,
+    value: entry.value,
+    namespace: "public",
+    winner: toPromotedConfigEntry(entry.winner, key, entry.key),
+    overridden: entry.overridden.map((override) => toPromotedConfigEntry(override, key, entry.key))
+  };
+}
+function promoteToPublic(graph, manifest) {
+  const entries = new Map(graph.entries);
+  for (const key of manifest.public.promote) {
+    ensureProjectionAllowed(manifest, key, "public");
+    const resolved = graph.entries.get(key);
+    if (!resolved) {
+      continue;
+    }
+    entries.set(toPublicKey(key), toPromotedResolvedEntry(resolved));
+  }
+  return {
+    ...graph,
+    entries
+  };
+}
+
 // ../core/src/profiles/resolveActiveProfile.ts
 function resolveActiveProfile(manifest, options = {}) {
   for (const source of manifest.profiles.resolveFrom) {
@@ -1003,72 +1156,56 @@ function requireValue(graph, key) {
   return value;
 }
 
-// ../core/src/utils/envNaming.ts
-function normalizeMappingConfig(config = {}) {
-  return {
-    convention: config.convention,
-    explicit: config.explicit ?? {}
-  };
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function toScreamingSnakeSegment(segment) {
-  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
-function toScreamingSnake(path10) {
-  return path10.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+function resolveSecretStoreRoot(processEnv = process.env) {
+  return import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
-function fromScreamingSnake(path10) {
-  return path10.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
+  return import_node_path6.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
-function logicalKeyToEnvVar(key, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
-  if (explicitEntry) {
-    return explicitEntry[0];
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
-  }
-  if (key.startsWith("value.")) {
-    return toScreamingSnake(key.slice("value.".length));
-  }
-  if (key.startsWith("secret.")) {
-    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
-  }
-  return void 0;
+function deriveKey(passphrase, salt) {
+  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
 }
-function envVarToLogicalKey(envVar, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitMatch = normalized.explicit[envVar];
-  if (explicitMatch) {
-    return explicitMatch;
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
-  }
-  if (envVar.startsWith("SECRET_")) {
-    const stripped = envVar.slice("SECRET_".length);
-    if (!stripped) {
-      return void 0;
-    }
-    return `secret.${fromScreamingSnake(stripped)}`;
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
+function decryptDocument(document, passphrase) {
+  const salt = Buffer.from(document.salt, "base64");
+  const iv = Buffer.from(document.iv, "base64");
+  const tag = Buffer.from(document.tag, "base64");
+  const ciphertext = Buffer.from(document.ciphertext, "base64");
+  const key = deriveKey(passphrase, salt);
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return plaintext.toString("utf8");
+}
+async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
+  if (!passphrase) {
+    throw new CnosManifestError(
+      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
+    );
   }
-  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
-    return void 0;
+  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
+  const source = await (0, import_promises6.readFile)(filePath, "utf8");
+  const document = JSON.parse(source);
+  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
+    throw new CnosManifestError("Invalid local secret document", filePath);
   }
-  return `value.${fromScreamingSnake(envVar)}`;
+  return decryptDocument(document, passphrase);
 }
 
 // ../core/src/runtime/toEnv.ts
-function fallbackLogicalKeyToEnvVar(key) {
-  if (key.startsWith("value.")) {
-    return key.slice("value.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  }
-  if (key.startsWith("secret.")) {
-    const normalized = key.slice("secret.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-    return `SECRET_${normalized}`;
-  }
-  return key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
 function normalizeEnvValue(value) {
   if (value === void 0 || value === null) {
     return "";
@@ -1084,25 +1221,32 @@ function normalizeEnvValue(value) {
 function toEnv(graph, manifest, options = {}) {
   const includeSecrets = options.includeSecrets ?? true;
   const output = {};
-  const resolvedEntries = Array.from(graph.entries.values()).sort(
-    (left, right) => left.key.localeCompare(right.key)
+  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
+    ([left], [right]) => left.localeCompare(right)
   );
-  for (const entry of resolvedEntries) {
-    if (entry.namespace === "meta") {
+  for (const [envVar, logicalKey] of mappedEntries) {
+    const entry = graph.entries.get(logicalKey);
+    if (!entry) {
+      continue;
+    }
+    const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
+    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
+      continue;
+    }
+    if (entry.namespace === "secret" && !includeSecrets) {
       continue;
     }
-    if (!includeSecrets && entry.namespace === "secret") {
+    if (isSecretReference(entry.value)) {
       continue;
     }
-    const envVar = logicalKeyToEnvVar(entry.key, manifest.envMapping) ?? fallbackLogicalKeyToEnvVar(entry.key);
     output[envVar] = normalizeEnvValue(entry.value);
   }
   return output;
 }
 
 // ../core/src/runtime/toPublicEnv.ts
-function fallbackValueEnvVar(key) {
-  return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+function fallbackPublicEnvVar(valuePath) {
+  return valuePath.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
 function normalizeEnvValue2(value) {
   if (value === void 0 || value === null) {
@@ -1129,22 +1273,12 @@ function resolvePublicPrefix(manifest, options) {
   }
   return configuredPrefix;
 }
-function ensurePublicPromotionKey(key) {
-  if (!key.startsWith("value.")) {
-    throw new CnosManifestError(`public.promote may only contain value.* keys: ${key}`);
-  }
-}
 function toPublicEnv(graph, manifest, options = {}) {
   const prefix = resolvePublicPrefix(manifest, options);
   const output = {};
-  const promotions = [...manifest.public.promote].sort((left, right) => left.localeCompare(right));
-  for (const key of promotions) {
-    ensurePublicPromotionKey(key);
-    const resolved = graph.entries.get(key);
-    if (!resolved) {
-      continue;
-    }
-    const baseEnvVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? fallbackValueEnvVar(key);
+  const promotions = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").sort((left, right) => left.key.localeCompare(right.key));
+  for (const resolved of promotions) {
+    const baseEnvVar = fallbackPublicEnvVar(stripNamespace(resolved.key));
     const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
     output[envVar] = normalizeEnvValue2(resolved.value);
   }
@@ -1288,6 +1422,9 @@ function appendMetaEntries(graph, cnosVersion) {
 }
 async function createCnos(options = {}) {
   const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  for (const key of loadedManifest.manifest.public.promote) {
+    ensureProjectionAllowed(loadedManifest.manifest, key, "public");
+  }
   const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
@@ -1327,10 +1464,11 @@ async function createCnos(options = {}) {
     workspace
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
+  const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
-      ...schemaApplied.graph,
+      ...promotedGraph,
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins
@@ -1338,23 +1476,23 @@ async function createCnos(options = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : import_node_path6.default.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : import_node_path7.default.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: import_node_path6.default.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: import_node_path7.default.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: import_node_path6.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: import_node_path7.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -1370,12 +1508,12 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = import_node_path6.default.resolve(options.to);
+  const root = import_node_path7.default.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = import_node_path6.default.join(root, file.path);
-    await (0, import_promises6.mkdir)(import_node_path6.default.dirname(destination), { recursive: true });
-    await (0, import_promises6.writeFile)(destination, file.content, "utf8");
+    const destination = import_node_path7.default.join(root, file.path);
+    await (0, import_promises7.mkdir)(import_node_path7.default.dirname(destination), { recursive: true });
+    await (0, import_promises7.writeFile)(destination, file.content, "utf8");
   }
   return {
     ...plan,
@@ -1383,59 +1521,42 @@ async function writeDump(graph, options) {
   };
 }
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-function isObject(value) {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
-}
-function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
-}
-function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
-}
-function deriveKey(passphrase, salt) {
-  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
-}
-function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
-  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+// ../core/src/utils/envNaming.ts
+function normalizeMappingConfig(config = {}) {
+  return {
+    convention: config.convention,
+    explicit: config.explicit ?? {}
+  };
 }
-function decryptDocument(document, passphrase) {
-  const salt = Buffer.from(document.salt, "base64");
-  const iv = Buffer.from(document.iv, "base64");
-  const tag = Buffer.from(document.tag, "base64");
-  const ciphertext = Buffer.from(document.ciphertext, "base64");
-  const key = deriveKey(passphrase, salt);
-  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
-  decipher.setAuthTag(tag);
-  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-  return plaintext.toString("utf8");
+function fromScreamingSnake(path10) {
+  return path10.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
-async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
-  if (!passphrase) {
-    throw new CnosManifestError(
-      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
-    );
+function envVarToLogicalKey(envVar, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitMatch = normalized.explicit[envVar];
+  if (explicitMatch) {
+    return explicitMatch;
   }
-  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  const source = await (0, import_promises7.readFile)(filePath, "utf8");
-  const document = JSON.parse(source);
-  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
-    throw new CnosManifestError("Invalid local secret document", filePath);
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
   }
-  return decryptDocument(document, passphrase);
+  if (envVar.startsWith("SECRET_")) {
+    const stripped = envVar.slice("SECRET_".length);
+    if (!stripped) {
+      return void 0;
+    }
+    return `secret.${fromScreamingSnake(stripped)}`;
+  }
+  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
+    return void 0;
+  }
+  return `value.${fromScreamingSnake(envVar)}`;
 }
 
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.1.1",
+  version: "1.2.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -1452,6 +1573,21 @@ var package_default = {
       import: "./dist/internal.js",
       require: "./dist/internal.cjs"
     },
+    "./runtime": {
+      types: "./dist/runtime/index.d.ts",
+      import: "./dist/runtime/index.js",
+      require: "./dist/runtime/index.cjs"
+    },
+    "./browser": {
+      types: "./dist/browser/index.d.ts",
+      import: "./dist/browser/index.js",
+      require: "./dist/browser/index.cjs"
+    },
+    "./build": {
+      types: "./dist/build/index.d.ts",
+      import: "./dist/build/index.js",
+      require: "./dist/build/index.cjs"
+    },
     "./plugins/filesystem": {
       types: "./dist/plugin/filesystem.d.ts",
       import: "./dist/plugin/filesystem.js",
@@ -1841,7 +1977,7 @@ async function resolveSecretValue(value, processEnv) {
       value.vault
     );
   }
-  if (value.provider === "env") {
+  if (value.provider === "env" || value.provider === "github-secrets") {
     const resolved = processEnv?.[value.ref];
     if (resolved === void 0) {
       return value;
@@ -1977,19 +2113,44 @@ function defaultPlugins() {
   ];
 }
 
+// src/runtime/state.ts
+var singletonRuntime;
+var singletonReady;
+function setSingletonRuntime(runtime) {
+  singletonRuntime = runtime;
+  singletonReady = Promise.resolve(runtime);
+  return runtime;
+}
+
 // src/createCnos.ts
 async function createCnos2(options = {}) {
-  return createCnos({
+  const runtime = await createCnos({
     ...options,
     cnosVersion: package_default.version,
     plugins: [...defaultPlugins(), ...options.plugins ?? []]
   });
+  setSingletonRuntime(runtime);
+  return runtime;
+}
+
+// src/build/index.ts
+async function resolveBrowserData(options = {}) {
+  const runtime = await createCnos2(options);
+  const browserData = {};
+  for (const [key, entry] of runtime.graph.entries) {
+    if (!key.startsWith("public.")) {
+      continue;
+    }
+    browserData[key] = entry.value;
+  }
+  return browserData;
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   createCnos,
   defaultPlugins,
   planDump,
+  resolveBrowserData,
   toEnv,
   toPublicEnv,
   writeDump

package/dist/index.d.cts

@@ -1,6 +1,7 @@
-import { R as ResolvedGraph, D as DumpPlanOptions, a as DumpPlan, b as DumpOptions, c as DumpResult, C as CnosCreateOptions, d as CnosRuntime, e as CnosPlugin } from './plugin-BVNEHj19.cjs';
-export { f as ConfigEntry, I as InspectResult, L as LoaderPlugin, g as LogicalKey, M as ManifestFile, N as NormalizedManifest, T as ToEnvOptions, h as ToPublicEnvOptions } from './plugin-BVNEHj19.cjs';
-export { t as toEnv, a as toPublicEnv } from './toPublicEnv-Dd152fFy.cjs';
+import { R as ResolvedGraph, D as DumpPlanOptions, a as DumpPlan, b as DumpOptions, c as DumpResult, C as CnosCreateOptions, d as CnosRuntime, e as CnosPlugin } from './plugin-DkOIT5uI.cjs';
+export { f as ConfigEntry, I as InspectResult, L as LoaderPlugin, g as LogicalKey, M as ManifestFile, N as NormalizedManifest, T as ToEnvOptions, h as ToPublicEnvOptions } from './plugin-DkOIT5uI.cjs';
+export { t as toEnv, a as toPublicEnv } from './toPublicEnv-DvFeV3qG.cjs';
+export { resolveBrowserData } from './build/index.cjs';
 
 declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
 declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;

package/dist/index.d.ts

@@ -1,6 +1,7 @@
-import { R as ResolvedGraph, D as DumpPlanOptions, a as DumpPlan, b as DumpOptions, c as DumpResult, C as CnosCreateOptions, d as CnosRuntime, e as CnosPlugin } from './plugin-BVNEHj19.js';
-export { f as ConfigEntry, I as InspectResult, L as LoaderPlugin, g as LogicalKey, M as ManifestFile, N as NormalizedManifest, T as ToEnvOptions, h as ToPublicEnvOptions } from './plugin-BVNEHj19.js';
-export { t as toEnv, a as toPublicEnv } from './toPublicEnv-Gwz3xTK0.js';
+import { R as ResolvedGraph, D as DumpPlanOptions, a as DumpPlan, b as DumpOptions, c as DumpResult, C as CnosCreateOptions, d as CnosRuntime, e as CnosPlugin } from './plugin-DkOIT5uI.js';
+export { f as ConfigEntry, I as InspectResult, L as LoaderPlugin, g as LogicalKey, M as ManifestFile, N as NormalizedManifest, T as ToEnvOptions, h as ToPublicEnvOptions } from './plugin-DkOIT5uI.js';
+export { t as toEnv, a as toPublicEnv } from './toPublicEnv-C9clvXLo.js';
+export { resolveBrowserData } from './build/index.js';
 
 declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
 declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;