@kitsy/cnos 1.1.1 → 1.2.0

package/dist/internal.d.cts

@@ -1,8 +1,21 @@
-import { d as CnosRuntime, V as ValidationSummary } from './plugin-BVNEHj19.cjs';
-export { i as ValidationIssue, W as WorkspaceFile } from './plugin-BVNEHj19.cjs';
+import { i as LoadManifestOptions, j as LoadedManifest, N as NormalizedManifest, g as LogicalKey, V as VaultDefinition, d as CnosRuntime, k as ValidationSummary, R as ResolvedGraph } from './plugin-DkOIT5uI.cjs';
+export { l as ValidationIssue, W as WorkspaceFile } from './plugin-DkOIT5uI.cjs';
+
+declare class CnosError extends Error {
+    constructor(message: string);
+}
+declare class CnosSecurityError extends CnosError {
+    constructor(message: string);
+}
+
+declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
+
+type ProjectionTarget = 'public' | 'env';
+declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
 
 declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
 
+declare function resolveManifestRoot(root?: string): Promise<string>;
 declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 
 interface SecretReference {
@@ -10,9 +23,17 @@ interface SecretReference {
     ref: string;
     vault?: string;
 }
+interface ResolvedVaultDefinition extends VaultDefinition {
+    name: string;
+    requiresPassphrase: boolean;
+}
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
 declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
 declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function getVaultPassphraseEnvVar(vault?: string): string;
+declare function isPassphraseEnvRef(value: string | undefined): boolean;
+declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
 declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
 declare function listSecretVaults(storeRoot: string): Promise<string[]>;
 declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
@@ -22,4 +43,9 @@ declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };
+declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
+declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
+declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
+
+export { CNOS_GRAPH_ENV_VAR, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, createSecretVault, deserializeRuntimeGraph, ensureProjectionAllowed, flattenObject, getVaultPassphraseEnvVar, isPassphraseEnvRef, listSecretVaults, loadManifest, parseYaml, readRuntimeGraphFromEnv, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultDefinition, serializeRuntimeGraph, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.d.ts

@@ -1,8 +1,21 @@
-import { d as CnosRuntime, V as ValidationSummary } from './plugin-BVNEHj19.js';
-export { i as ValidationIssue, W as WorkspaceFile } from './plugin-BVNEHj19.js';
+import { i as LoadManifestOptions, j as LoadedManifest, N as NormalizedManifest, g as LogicalKey, V as VaultDefinition, d as CnosRuntime, k as ValidationSummary, R as ResolvedGraph } from './plugin-DkOIT5uI.js';
+export { l as ValidationIssue, W as WorkspaceFile } from './plugin-DkOIT5uI.js';
+
+declare class CnosError extends Error {
+    constructor(message: string);
+}
+declare class CnosSecurityError extends CnosError {
+    constructor(message: string);
+}
+
+declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
+
+type ProjectionTarget = 'public' | 'env';
+declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
 
 declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
 
+declare function resolveManifestRoot(root?: string): Promise<string>;
 declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 
 interface SecretReference {
@@ -10,9 +23,17 @@ interface SecretReference {
     ref: string;
     vault?: string;
 }
+interface ResolvedVaultDefinition extends VaultDefinition {
+    name: string;
+    requiresPassphrase: boolean;
+}
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
 declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
 declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function getVaultPassphraseEnvVar(vault?: string): string;
+declare function isPassphraseEnvRef(value: string | undefined): boolean;
+declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
 declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
 declare function listSecretVaults(storeRoot: string): Promise<string[]>;
 declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
@@ -22,4 +43,9 @@ declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };
+declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
+declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
+declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
+
+export { CNOS_GRAPH_ENV_VAR, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, createSecretVault, deserializeRuntimeGraph, ensureProjectionAllowed, flattenObject, getVaultPassphraseEnvVar, isPassphraseEnvRef, listSecretVaults, loadManifest, parseYaml, readRuntimeGraphFromEnv, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultDefinition, serializeRuntimeGraph, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.js

@@ -1,25 +1,51 @@
 import {
+  CNOS_GRAPH_ENV_VAR,
+  deserializeRuntimeGraph,
+  readRuntimeGraphFromEnv,
+  serializeRuntimeGraph
+} from "./chunk-PQ4KSV76.js";
+import {
+  CnosSecurityError,
   createSecretVault,
+  ensureProjectionAllowed,
   flattenObject,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
   listSecretVaults,
+  loadManifest,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase,
+  resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultDefinition,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret
-} from "./chunk-JPJ3S3CO.js";
+} from "./chunk-APCTXRUN.js";
 export {
+  CNOS_GRAPH_ENV_VAR,
+  CnosSecurityError,
   createSecretVault,
+  deserializeRuntimeGraph,
+  ensureProjectionAllowed,
   flattenObject,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
   listSecretVaults,
+  loadManifest,
   parseYaml,
+  readRuntimeGraphFromEnv,
   resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase,
+  resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultDefinition,
+  serializeRuntimeGraph,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/plugin/basic-schema.cjs

@@ -205,12 +205,12 @@ function applySchemaRules(graph, schema) {
   };
 }
 
-// ../core/src/runtime/dump.ts
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
+// ../core/src/runtime/dump.ts
 var import_promises7 = require("fs/promises");
 var import_node_path7 = __toESM(require("path"), 1);
 

package/dist/plugin/basic-schema.d.cts

@@ -1,4 +1,4 @@
-import { j as ValidatorPlugin } from '../plugin-BVNEHj19.cjs';
+import { m as ValidatorPlugin } from '../plugin-DkOIT5uI.cjs';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.d.ts

@@ -1,4 +1,4 @@
-import { j as ValidatorPlugin } from '../plugin-BVNEHj19.js';
+import { m as ValidatorPlugin } from '../plugin-DkOIT5uI.js';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-L3HOQHCH.js";
-import "../chunk-JPJ3S3CO.js";
+} from "../chunk-MLQGYCO7.js";
+import "../chunk-APCTXRUN.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.cjs

@@ -63,12 +63,12 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
-// ../core/src/runtime/dump.ts
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
 
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
+// ../core/src/runtime/dump.ts
 var import_promises7 = require("fs/promises");
 var import_node_path7 = __toESM(require("path"), 1);
 

package/dist/plugin/cli-args.d.cts

@@ -1,4 +1,4 @@
-import { f as ConfigEntry, L as LoaderPlugin } from '../plugin-BVNEHj19.cjs';
+import { f as ConfigEntry, L as LoaderPlugin } from '../plugin-DkOIT5uI.cjs';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.d.ts

@@ -1,4 +1,4 @@
-import { f as ConfigEntry, L as LoaderPlugin } from '../plugin-BVNEHj19.js';
+import { f as ConfigEntry, L as LoaderPlugin } from '../plugin-DkOIT5uI.js';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-M4S6PYM5.js";
-import "../chunk-JPJ3S3CO.js";
+} from "../chunk-ZA74BO47.js";
+import "../chunk-APCTXRUN.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.cjs

@@ -89,6 +89,15 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+
+// ../core/src/runtime/dump.ts
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -121,15 +130,6 @@ function envVarToLogicalKey(envVar, config = {}) {
   return `value.${fromScreamingSnake(envVar)}`;
 }
 
-// ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
-
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-
 // ../../plugins/dotenv/src/index.ts
 var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {

package/dist/plugin/dotenv.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-BVNEHj19.cjs';
-import { E as EnvMappingConfig } from '../envNaming-BrOk5ndZ.cjs';
+import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-DkOIT5uI.cjs';
+import { E as EnvMappingConfig } from '../envNaming-BTJpH93W.cjs';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-BVNEHj19.js';
-import { E as EnvMappingConfig } from '../envNaming-DCaNdnrF.js';
+import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-DkOIT5uI.js';
+import { E as EnvMappingConfig } from '../envNaming-CcsqAel3.js';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-7GNXYEO6.js";
-import "../chunk-JPJ3S3CO.js";
+} from "../chunk-RD5WMHPM.js";
+import "../chunk-APCTXRUN.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.cjs

@@ -60,6 +60,9 @@ var import_node_path2 = __toESM(require("path"), 1);
 var import_promises = require("fs/promises");
 var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
+function stripNamespace(key) {
+  return key.split(".").slice(1).join(".");
+}
 
 // ../core/src/utils/yaml.ts
 var import_yaml = require("yaml");
@@ -72,52 +75,39 @@ var import_node_path3 = __toESM(require("path"), 1);
 var import_promises4 = require("fs/promises");
 var import_node_path4 = __toESM(require("path"), 1);
 
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
+  }
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+
 // ../core/src/workspaces/resolveWorkspaceContext.ts
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
-// ../core/src/utils/envNaming.ts
-function normalizeMappingConfig(config = {}) {
-  return {
-    convention: config.convention,
-    explicit: config.explicit ?? {}
-  };
-}
-function toScreamingSnakeSegment(segment) {
-  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
-function toScreamingSnake(path8) {
-  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function logicalKeyToEnvVar(key, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
-  if (explicitEntry) {
-    return explicitEntry[0];
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
-  }
-  if (key.startsWith("value.")) {
-    return toScreamingSnake(key.slice("value.".length));
-  }
-  if (key.startsWith("secret.")) {
-    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
-  }
-  return void 0;
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 
 // ../core/src/runtime/toEnv.ts
-function fallbackLogicalKeyToEnvVar(key) {
-  if (key.startsWith("value.")) {
-    return key.slice("value.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  }
-  if (key.startsWith("secret.")) {
-    const normalized = key.slice("secret.".length).replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-    return `SECRET_${normalized}`;
-  }
-  return key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
 function normalizeEnvValue(value) {
   if (value === void 0 || value === null) {
     return "";
@@ -133,25 +123,32 @@ function normalizeEnvValue(value) {
 function toEnv(graph, manifest, options = {}) {
   const includeSecrets = options.includeSecrets ?? true;
   const output = {};
-  const resolvedEntries = Array.from(graph.entries.values()).sort(
-    (left, right) => left.key.localeCompare(right.key)
+  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
+    ([left], [right]) => left.localeCompare(right)
   );
-  for (const entry of resolvedEntries) {
-    if (entry.namespace === "meta") {
+  for (const [envVar, logicalKey] of mappedEntries) {
+    const entry = graph.entries.get(logicalKey);
+    if (!entry) {
       continue;
     }
-    if (!includeSecrets && entry.namespace === "secret") {
+    const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
+    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
+      continue;
+    }
+    if (entry.namespace === "secret" && !includeSecrets) {
+      continue;
+    }
+    if (isSecretReference(entry.value)) {
       continue;
     }
-    const envVar = logicalKeyToEnvVar(entry.key, manifest.envMapping) ?? fallbackLogicalKeyToEnvVar(entry.key);
     output[envVar] = normalizeEnvValue(entry.value);
   }
   return output;
 }
 
 // ../core/src/runtime/toPublicEnv.ts
-function fallbackValueEnvVar(key) {
-  return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+function fallbackPublicEnvVar(valuePath) {
+  return valuePath.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
 function normalizeEnvValue2(value) {
   if (value === void 0 || value === null) {
@@ -178,22 +175,12 @@ function resolvePublicPrefix(manifest, options) {
   }
   return configuredPrefix;
 }
-function ensurePublicPromotionKey(key) {
-  if (!key.startsWith("value.")) {
-    throw new CnosManifestError(`public.promote may only contain value.* keys: ${key}`);
-  }
-}
 function toPublicEnv(graph, manifest, options = {}) {
   const prefix = resolvePublicPrefix(manifest, options);
   const output = {};
-  const promotions = [...manifest.public.promote].sort((left, right) => left.localeCompare(right));
-  for (const key of promotions) {
-    ensurePublicPromotionKey(key);
-    const resolved = graph.entries.get(key);
-    if (!resolved) {
-      continue;
-    }
-    const baseEnvVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? fallbackValueEnvVar(key);
+  const promotions = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").sort((left, right) => left.key.localeCompare(right.key));
+  for (const resolved of promotions) {
+    const baseEnvVar = fallbackPublicEnvVar(stripNamespace(resolved.key));
     const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
     output[envVar] = normalizeEnvValue2(resolved.value);
   }
@@ -201,11 +188,6 @@ function toPublicEnv(graph, manifest, options = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
-
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
 var import_promises7 = require("fs/promises");
 var import_node_path7 = __toESM(require("path"), 1);
 

package/dist/plugin/env-export.d.cts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../plugin-BVNEHj19.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Dd152fFy.cjs';
+import { E as ExporterPlugin } from '../plugin-DkOIT5uI.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-DvFeV3qG.cjs';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.d.ts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../plugin-BVNEHj19.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Gwz3xTK0.js';
+import { E as ExporterPlugin } from '../plugin-DkOIT5uI.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-C9clvXLo.js';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.js

@@ -1,11 +1,11 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "../chunk-PBU5NAX4.js";
+} from "../chunk-EIN55XXA.js";
 import {
   toEnv,
   toPublicEnv
-} from "../chunk-JPJ3S3CO.js";
+} from "../chunk-APCTXRUN.js";
 export {
   createEnvExportPlugin,
   createPublicEnvExportPlugin,

package/dist/plugin/filesystem.cjs

@@ -100,14 +100,10 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
-// ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
-
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -115,10 +111,10 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
+  return import_node_path6.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
 function deriveKey(passphrase, salt) {
   return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
@@ -145,7 +141,7 @@ async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
     );
   }
   const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  const source = await (0, import_promises7.readFile)(filePath, "utf8");
+  const source = await (0, import_promises6.readFile)(filePath, "utf8");
   const document = JSON.parse(source);
   if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
     throw new CnosManifestError("Invalid local secret document", filePath);
@@ -153,6 +149,10 @@ async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
   return decryptDocument(document, passphrase);
 }
 
+// ../core/src/runtime/dump.ts
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
 // ../../plugins/filesystem/src/helpers.ts
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
@@ -257,7 +257,7 @@ async function resolveSecretValue(value, processEnv) {
       value.vault
     );
   }
-  if (value.provider === "env") {
+  if (value.provider === "env" || value.provider === "github-secrets") {
     const resolved = processEnv?.[value.ref];
     if (resolved === void 0) {
       return value;

package/dist/plugin/filesystem.d.cts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, f as ConfigEntry, k as WorkspaceRoot, l as NamespaceName } from '../plugin-BVNEHj19.cjs';
+import { L as LoaderPlugin, f as ConfigEntry, n as WorkspaceRoot, o as NamespaceName } from '../plugin-DkOIT5uI.cjs';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.d.ts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, f as ConfigEntry, k as WorkspaceRoot, l as NamespaceName } from '../plugin-BVNEHj19.js';
+import { L as LoaderPlugin, f as ConfigEntry, n as WorkspaceRoot, o as NamespaceName } from '../plugin-DkOIT5uI.js';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.js

@@ -5,8 +5,8 @@ import {
   filesystemSecretsReader,
   filesystemValuesReader,
   yamlObjectToEntries
-} from "../chunk-QKJ6QLRS.js";
-import "../chunk-JPJ3S3CO.js";
+} from "../chunk-SXTMTACL.js";
+import "../chunk-APCTXRUN.js";
 export {
   collectFilesystemLayerFiles,
   createFilesystemSecretsPlugin,

package/dist/plugin/process-env.cjs

@@ -59,6 +59,15 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+
+// ../core/src/runtime/dump.ts
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -91,15 +100,6 @@ function envVarToLogicalKey(envVar, config = {}) {
   return `value.${fromScreamingSnake(envVar)}`;
 }
 
-// ../core/src/runtime/dump.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
-
-// ../core/src/utils/secretStore.ts
-var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";
 function processEnvEntriesFromObject(env, mapping = {}, workspaceId = "default") {

package/dist/plugin/process-env.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-BVNEHj19.cjs';
-import { E as EnvMappingConfig } from '../envNaming-BrOk5ndZ.cjs';
+import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-DkOIT5uI.cjs';
+import { E as EnvMappingConfig } from '../envNaming-BTJpH93W.cjs';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function createProcessEnvPlugin(): LoaderPlugin;