npm - @kitsy/cnos - Versions diffs - 1.1.2 → 1.2.0 - Mend

@kitsy/cnos 1.1.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/README.md +4 -1
package/dist/browser/index.cjs +94 -0
package/dist/browser/index.d.cts +16 -0
package/dist/browser/index.d.ts +16 -0
package/dist/browser/index.js +67 -0
package/dist/build/index.cjs +2100 -0
package/dist/build/index.d.cts +5 -0
package/dist/build/index.d.ts +5 -0
package/dist/build/index.js +14 -0
package/dist/{chunk-33ZDYDQJ.js → chunk-APCTXRUN.js} +550 -349
package/dist/{chunk-IHSV5AFX.js → chunk-EIN55XXA.js} +1 -1
package/dist/chunk-JUHPBAEH.js +20 -0
package/dist/{chunk-JQGGSNCL.js → chunk-MLQGYCO7.js} +1 -1
package/dist/chunk-PQ4KSV76.js +50 -0
package/dist/{chunk-IQOUWY6T.js → chunk-RD5WMHPM.js} +1 -1
package/dist/chunk-SO5XREEU.js +179 -0
package/dist/{chunk-7FBRVJD6.js → chunk-SXTMTACL.js} +2 -2
package/dist/{chunk-53HXUSM6.js → chunk-WHUGFPE4.js} +1 -1
package/dist/{chunk-HOS4E7XO.js → chunk-ZA74BO47.js} +1 -1
package/dist/{envNaming-BrOk5ndZ.d.cts → envNaming-BTJpH93W.d.cts} +1 -1
package/dist/{envNaming-DCaNdnrF.d.ts → envNaming-CcsqAel3.d.ts} +1 -1
package/dist/index.cjs +242 -74
package/dist/index.d.cts +4 -3
package/dist/index.d.ts +4 -3
package/dist/index.js +14 -132
package/dist/internal.cjs +428 -10
package/dist/internal.d.cts +29 -3
package/dist/internal.d.ts +29 -3
package/dist/internal.js +27 -1
package/dist/plugin/basic-schema.d.cts +1 -1
package/dist/plugin/basic-schema.d.ts +1 -1
package/dist/plugin/basic-schema.js +2 -2
package/dist/plugin/cli-args.d.cts +1 -1
package/dist/plugin/cli-args.d.ts +1 -1
package/dist/plugin/cli-args.js +2 -2
package/dist/plugin/dotenv.cjs +4 -4
package/dist/plugin/dotenv.d.cts +2 -2
package/dist/plugin/dotenv.d.ts +2 -2
package/dist/plugin/dotenv.js +2 -2
package/dist/plugin/env-export.cjs +29 -46
package/dist/plugin/env-export.d.cts +2 -2
package/dist/plugin/env-export.d.ts +2 -2
package/dist/plugin/env-export.js +2 -2
package/dist/plugin/filesystem.cjs +1 -1
package/dist/plugin/filesystem.d.cts +1 -1
package/dist/plugin/filesystem.d.ts +1 -1
package/dist/plugin/filesystem.js +2 -2
package/dist/plugin/process-env.cjs +4 -4
package/dist/plugin/process-env.d.cts +2 -2
package/dist/plugin/process-env.d.ts +2 -2
package/dist/plugin/process-env.js +2 -2
package/dist/{plugin-BVNEHj19.d.cts → plugin-DkOIT5uI.d.cts} +30 -2
package/dist/{plugin-BVNEHj19.d.ts → plugin-DkOIT5uI.d.ts} +30 -2
package/dist/runtime/index.cjs +2288 -0
package/dist/runtime/index.d.cts +23 -0
package/dist/runtime/index.d.ts +23 -0
package/dist/runtime/index.js +190 -0
package/dist/{toPublicEnv-Gwz3xTK0.d.ts → toPublicEnv-C9clvXLo.d.ts} +1 -1
package/dist/{toPublicEnv-Dd152fFy.d.cts → toPublicEnv-DvFeV3qG.d.cts} +1 -1
package/package.json +16 -1

package/dist/{chunk-33ZDYDQJ.js → chunk-APCTXRUN.js} RENAMED Viewed

@@ -1,8 +1,3 @@
-// ../core/src/utils/path.ts
-import { access } from "fs/promises";
-import os from "os";
-import path from "path";
 // ../core/src/errors.ts
 var CnosError = class extends Error {
   constructor(message) {
@@ -17,6 +12,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosSecurityError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosKeyNotFoundError = class extends CnosError {
   constructor(key) {
     super(`Missing required CNOS config key: ${key}`);
@@ -25,7 +25,43 @@ var CnosKeyNotFoundError = class extends CnosError {
   key;
 };
+// ../core/src/runtime/inspect.ts
+function inspectValue(graph, key) {
+  const entry = graph.entries.get(key);
+  if (!entry) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return {
+    key: entry.key,
+    value: entry.value,
+    namespace: entry.namespace,
+    profile: graph.profile,
+    profileSource: graph.profileSource,
+    workspace: {
+      id: graph.workspace.workspaceId,
+      source: graph.workspace.workspaceSource,
+      chain: graph.workspace.workspaceChain
+    },
+    winner: {
+      sourceId: entry.winner.sourceId,
+      pluginId: entry.winner.pluginId,
+      workspaceId: entry.winner.workspaceId,
+      ...entry.winner.origin ? { origin: entry.winner.origin } : {}
+    },
+    overridden: entry.overridden.map((override) => ({
+      sourceId: override.sourceId,
+      pluginId: override.pluginId,
+      workspaceId: override.workspaceId,
+      value: override.value,
+      ...override.origin ? { origin: override.origin } : {}
+    }))
+  };
+}
 // ../core/src/utils/path.ts
+import { access } from "fs/promises";
+import os from "os";
+import path from "path";
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
 async function exists(filePath) {
@@ -120,10 +156,336 @@ function stringifyYaml(value) {
   return stringify(value);
 }
+// ../core/src/manifest/loadManifest.ts
+import { readFile } from "fs/promises";
+import path2 from "path";
+// ../core/src/manifest/normalizeManifest.ts
+var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
+var DEFAULT_LOADERS = [
+  "filesystem-values",
+  "filesystem-secrets",
+  "dotenv",
+  "process-env",
+  "cli-args"
+];
+var DEFAULT_VALIDATORS = ["basic-schema"];
+var DEFAULT_EXPORTERS = ["env", "public-env"];
+var DEFAULT_INSPECTORS = ["provenance"];
+var DEFAULT_FRAMEWORK_PREFIXES = {
+  next: "NEXT_PUBLIC_",
+  vite: "VITE_",
+  nuxt: "NUXT_PUBLIC_"
+};
+var DEFAULT_NAMESPACES = {
+  value: {
+    kind: "data",
+    shareable: true
+  },
+  secret: {
+    kind: "data",
+    shareable: false,
+    sensitive: true
+  },
+  meta: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  public: {
+    kind: "projection",
+    source: "promote",
+    shareable: true,
+    readonly: true
+  },
+  env: {
+    kind: "projection",
+    source: "envMapping",
+    shareable: true,
+    readonly: true
+  }
+};
+function validateResolveFrom(resolveFrom) {
+  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
+  for (const entry of resolveFrom) {
+    if (!validValues.includes(entry)) {
+      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
+    }
+  }
+  return resolveFrom;
+}
+function normalizeWorkspaceItems(items) {
+  return Object.fromEntries(
+    Object.entries(items ?? {}).map(([workspaceId, item]) => [
+      workspaceId,
+      {
+        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
+        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
+      }
+    ])
+  );
+}
+function normalizeNamespaces(namespaces) {
+  const normalized = Object.fromEntries(
+    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+      namespace,
+      {
+        kind: definition.kind ?? "data",
+        shareable: definition.shareable ?? false,
+        ...definition.sensitive !== void 0 ? { sensitive: definition.sensitive } : {},
+        ...definition.readonly !== void 0 ? { readonly: definition.readonly } : {},
+        ...definition.source ? { source: definition.source } : {}
+      }
+    ])
+  );
+  return {
+    ...DEFAULT_NAMESPACES,
+    ...normalized
+  };
+}
+function normalizeVaults(vaults) {
+  return Object.fromEntries(
+    Object.entries(vaults ?? {}).map(([name, definition]) => {
+      const provider = definition.provider?.trim();
+      if (!provider) {
+        throw new CnosManifestError(`Vault "${name}" requires a provider`);
+      }
+      return [
+        name,
+        {
+          provider,
+          ...definition.passphrase?.trim() ? {
+            passphrase: definition.passphrase.trim()
+          } : {}
+        }
+      ];
+    })
+  );
+}
+function normalizeManifest(manifest) {
+  const version = manifest.version ?? 1;
+  if (version !== 1) {
+    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
+  }
+  const projectName = manifest.project?.name?.trim();
+  if (!projectName) {
+    throw new CnosManifestError("Manifest requires project.name");
+  }
+  const defaultProfile = manifest.profiles?.default?.trim() || "base";
+  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
+  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const filesystemValues = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-values"] ?? {}
+  };
+  const filesystemSecrets = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-secrets"] ?? {}
+  };
+  const dotenv = {
+    root: "./env",
+    ...manifest.sources?.dotenv ?? {}
+  };
+  return {
+    version: 1,
+    project: {
+      name: projectName
+    },
+    workspaces: {
+      ...manifest.workspaces?.default?.trim() ? {
+        default: manifest.workspaces.default.trim()
+      } : {},
+      global: {
+        enabled: manifest.workspaces?.global?.enabled ?? false,
+        ...manifest.workspaces?.global?.root?.trim() ? {
+          root: manifest.workspaces.global.root.trim()
+        } : {},
+        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
+      },
+      items: workspaceItems
+    },
+    profiles: {
+      default: defaultProfile,
+      resolveFrom
+    },
+    plugins: {
+      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
+      resolver: manifest.plugins?.resolver ?? "profile-aware",
+      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
+      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
+      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
+    },
+    sources: {
+      ...manifest.sources ?? {},
+      "filesystem-values": filesystemValues,
+      "filesystem-secrets": filesystemSecrets,
+      dotenv
+    },
+    resolution: {
+      precedence: manifest.resolution?.precedence ?? [
+        "filesystem-values",
+        "filesystem-secrets",
+        "dotenv",
+        "process-env",
+        "cli-args"
+      ],
+      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
+    },
+    envMapping: {
+      ...manifest.envMapping?.convention ? {
+        convention: manifest.envMapping.convention
+      } : {},
+      explicit: manifest.envMapping?.explicit ?? {}
+    },
+    public: {
+      promote: manifest.public?.promote ?? [],
+      frameworks: {
+        ...DEFAULT_FRAMEWORK_PREFIXES,
+        ...manifest.public?.frameworks ?? {}
+      }
+    },
+    namespaces: normalizeNamespaces(manifest.namespaces),
+    vaults: normalizeVaults(manifest.vaults),
+    writePolicy: {
+      define: {
+        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
+        targets: {
+          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
+          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
+        }
+      }
+    },
+    schema: manifest.schema ?? {}
+  };
+}
+// ../core/src/manifest/loadManifest.ts
+async function loadManifest(options = {}) {
+  const manifestRoot = await resolveManifestRoot(options.root);
+  const manifestPath = path2.join(manifestRoot, "cnos.yml");
+  let source;
+  try {
+    source = await readFile(manifestPath, "utf8");
+  } catch {
+    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
+  }
+  const rawManifest = parseYaml(source);
+  if (!rawManifest || typeof rawManifest !== "object") {
+    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
+  }
+  return {
+    manifestRoot,
+    repoRoot: path2.dirname(manifestRoot),
+    manifestPath,
+    manifest: normalizeManifest(rawManifest),
+    rawManifest
+  };
+}
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
+  }
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+function ensureProjectionAllowed(manifest, key, target) {
+  const namespace = getNamespaceNameForKey(key);
+  const definition = getNamespaceDefinition(manifest, namespace);
+  if (definition.kind !== "data") {
+    throw new CnosManifestError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not a data namespace.`
+    );
+  }
+  if (definition.sensitive) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
+    );
+  }
+  if (!definition.shareable) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not shareable.`
+    );
+  }
+}
+function validateProjectionIssue(manifest, key, target) {
+  try {
+    ensureProjectionAllowed(manifest, key, target);
+    return void 0;
+  } catch (error) {
+    return {
+      code: target === "public" ? "public.invalid-promotion" : "env.invalid-mapping",
+      key,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+// ../core/src/runtime/projection.ts
+function setNestedValue(target, pathSegments, value) {
+  const [head, ...tail] = pathSegments;
+  if (!head) {
+    return;
+  }
+  if (tail.length === 0) {
+    target[head] = value;
+    return;
+  }
+  const current = target[head];
+  const nextTarget = current && typeof current === "object" && !Array.isArray(current) ? current : {};
+  target[head] = nextTarget;
+  setNestedValue(nextTarget, tail, value);
+}
+function toNamespaceObject(graph, namespace) {
+  const output = {};
+  const resolvedEntries = Array.from(graph.entries.values()).sort(
+    (left, right) => left.key.localeCompare(right.key)
+  );
+  for (const entry of resolvedEntries) {
+    if (namespace && entry.namespace !== namespace) {
+      continue;
+    }
+    const valuePath = namespace ? stripNamespace(entry.key) : entry.key;
+    setNestedValue(output, valuePath.split("."), entry.value);
+  }
+  return output;
+}
+// ../core/src/runtime/read.ts
+function readValue(graph, key) {
+  return graph.entries.get(key)?.value;
+}
+// ../core/src/runtime/readOr.ts
+function readOrValue(graph, key, fallback) {
+  const value = readValue(graph, key);
+  return value === void 0 ? fallback : value;
+}
+// ../core/src/runtime/require.ts
+function requireValue(graph, key) {
+  const value = readValue(graph, key);
+  if (value === void 0) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return value;
+}
 // ../core/src/utils/secretStore.ts
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-import { mkdir, readdir, readFile, writeFile } from "fs/promises";
-import path2 from "path";
+import { mkdir, readdir, readFile as readFile2, writeFile } from "fs/promises";
+import path3 from "path";
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
@@ -131,13 +493,13 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return path2.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return path3.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function resolveSecretVaultFile(storeRoot, vault = "default") {
-  return path2.join(storeRoot, "vaults", `${vault}.json`);
+  return path3.join(storeRoot, "vaults", `${vault}.json`);
 }
 function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
-  return path2.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
+  return path3.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
 }
 function deriveKey(passphrase, salt) {
   return scryptSync(passphrase, salt, 32);
@@ -146,6 +508,38 @@ function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
   const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
   return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
 }
+function getVaultPassphraseEnvVar(vault = "default") {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return vaultToken && vaultToken !== "DEFAULT" ? `CNOS_SECRET_PASSPHRASE_${vaultToken}` : "CNOS_SECRET_PASSPHRASE";
+}
+function isPassphraseEnvRef(value) {
+  return typeof value === "string" && value.startsWith("env:") && value.length > 4;
+}
+function resolveConfiguredVaultPassphrase(definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return void 0;
+  }
+  const passphraseRef = definition.passphrase;
+  if (typeof passphraseRef === "string" && passphraseRef.startsWith("env:") && passphraseRef.length > 4) {
+    return processEnv[passphraseRef.slice(4)];
+  }
+  if (passphraseRef) {
+    return passphraseRef;
+  }
+  return resolveSecretPassphrase(vault, processEnv);
+}
+function resolveVaultDefinition(vaults, vault = "default") {
+  const definition = vaults?.[vault];
+  const provider = definition?.provider ?? "local";
+  return {
+    name: vault,
+    provider,
+    ...definition?.passphrase ? {
+      passphrase: definition.passphrase
+    } : {},
+    requiresPassphrase: provider === "local"
+  };
+}
 function encryptDocument(value, passphrase) {
   const salt = randomBytes(16);
   const iv = randomBytes(12);
@@ -176,7 +570,7 @@ function decryptDocument(document, passphrase) {
 async function createSecretVault(storeRoot, vault, passphrase) {
   const normalizedVault = vault.trim() || "default";
   const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
-  await mkdir(path2.dirname(filePath), { recursive: true });
+  await mkdir(path3.dirname(filePath), { recursive: true });
   const document = {
     version: 1,
     name: normalizedVault,
@@ -190,7 +584,7 @@ async function ensureSecretVault(storeRoot, vault, passphrase) {
   const normalizedVault = vault.trim() || "default";
   const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
   try {
-    await readFile(filePath, "utf8");
+    await readFile2(filePath, "utf8");
     return filePath;
   } catch (error) {
     if (error.code !== "ENOENT") {
@@ -200,7 +594,7 @@ async function ensureSecretVault(storeRoot, vault, passphrase) {
   return createSecretVault(storeRoot, normalizedVault, passphrase);
 }
 async function listSecretVaults(storeRoot) {
-  const vaultRoot = path2.join(storeRoot, "vaults");
+  const vaultRoot = path3.join(storeRoot, "vaults");
   try {
     const entries = await readdir(vaultRoot, { withFileTypes: true });
     return entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => entry.name.replace(/\.json$/, "")).sort((left, right) => left.localeCompare(right));
@@ -211,7 +605,7 @@ async function listSecretVaults(storeRoot) {
 async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
   await ensureSecretVault(storeRoot, vault, passphrase);
   const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  await mkdir(path2.dirname(filePath), { recursive: true });
+  await mkdir(path3.dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
   return filePath;
 }
@@ -222,7 +616,7 @@ async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
     );
   }
   const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  const source = await readFile(filePath, "utf8");
+  const source = await readFile2(filePath, "utf8");
   const document = JSON.parse(source);
   if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
     throw new CnosManifestError("Invalid local secret document", filePath);
@@ -254,6 +648,10 @@ function toEnv(graph, manifest, options = {}) {
     if (!entry) {
       continue;
     }
+    const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
+    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
+      continue;
+    }
     if (entry.namespace === "secret" && !includeSecrets) {
       continue;
     }
@@ -265,64 +663,9 @@ function toEnv(graph, manifest, options = {}) {
   return output;
 }
-// ../core/src/utils/envNaming.ts
-function normalizeMappingConfig(config = {}) {
-  return {
-    convention: config.convention,
-    explicit: config.explicit ?? {}
-  };
-}
-function toScreamingSnakeSegment(segment) {
-  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-}
-function toScreamingSnake(path8) {
-  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
-}
-function fromScreamingSnake(path8) {
-  return path8.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
-}
-function logicalKeyToEnvVar(key, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
-  if (explicitEntry) {
-    return explicitEntry[0];
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
-  }
-  if (key.startsWith("value.")) {
-    return toScreamingSnake(key.slice("value.".length));
-  }
-  if (key.startsWith("secret.")) {
-    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
-  }
-  return void 0;
-}
-function envVarToLogicalKey(envVar, config = {}) {
-  const normalized = normalizeMappingConfig(config);
-  const explicitMatch = normalized.explicit[envVar];
-  if (explicitMatch) {
-    return explicitMatch;
-  }
-  if (normalized.convention !== "SCREAMING_SNAKE") {
-    return void 0;
-  }
-  if (envVar.startsWith("SECRET_")) {
-    const stripped = envVar.slice("SECRET_".length);
-    if (!stripped) {
-      return void 0;
-    }
-    return `secret.${fromScreamingSnake(stripped)}`;
-  }
-  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
-    return void 0;
-  }
-  return `value.${fromScreamingSnake(envVar)}`;
-}
 // ../core/src/runtime/toPublicEnv.ts
-function fallbackValueEnvVar(key) {
-  return key.replace(/^value\./, "").replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+function fallbackPublicEnvVar(valuePath) {
+  return valuePath.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
 function normalizeEnvValue2(value) {
   if (value === void 0 || value === null) {
@@ -349,22 +692,12 @@ function resolvePublicPrefix(manifest, options) {
   }
   return configuredPrefix;
 }
-function ensurePublicPromotionKey(key) {
-  if (!key.startsWith("value.")) {
-    throw new CnosManifestError(`public.promote may only contain value.* keys: ${key}`);
-  }
-}
 function toPublicEnv(graph, manifest, options = {}) {
   const prefix = resolvePublicPrefix(manifest, options);
   const output = {};
-  const promotions = [...manifest.public.promote].sort((left, right) => left.localeCompare(right));
-  for (const key of promotions) {
-    ensurePublicPromotionKey(key);
-    const resolved = graph.entries.get(key);
-    if (!resolved) {
-      continue;
-    }
-    const baseEnvVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? fallbackValueEnvVar(key);
+  const promotions = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").sort((left, right) => left.key.localeCompare(right.key));
+  for (const resolved of promotions) {
+    const baseEnvVar = fallbackPublicEnvVar(stripNamespace(resolved.key));
     const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
     output[envVar] = normalizeEnvValue2(resolved.value);
   }
@@ -373,54 +706,22 @@ function toPublicEnv(graph, manifest, options = {}) {
 // ../core/src/runtime/dump.ts
 import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
-import path3 from "path";
-// ../core/src/runtime/projection.ts
-function setNestedValue(target, pathSegments, value) {
-  const [head, ...tail] = pathSegments;
-  if (!head) {
-    return;
-  }
-  if (tail.length === 0) {
-    target[head] = value;
-    return;
-  }
-  const current = target[head];
-  const nextTarget = current && typeof current === "object" && !Array.isArray(current) ? current : {};
-  target[head] = nextTarget;
-  setNestedValue(nextTarget, tail, value);
-}
-function toNamespaceObject(graph, namespace) {
-  const output = {};
-  const resolvedEntries = Array.from(graph.entries.values()).sort(
-    (left, right) => left.key.localeCompare(right.key)
-  );
-  for (const entry of resolvedEntries) {
-    if (namespace && entry.namespace !== namespace) {
-      continue;
-    }
-    const valuePath = namespace ? stripNamespace(entry.key) : entry.key;
-    setNestedValue(output, valuePath.split("."), entry.value);
-  }
-  return output;
-}
-// ../core/src/runtime/dump.ts
+import path4 from "path";
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : path3.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : path4.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: path3.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: path4.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: path3.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: path4.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -436,11 +737,11 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = path3.resolve(options.to);
+  const root = path4.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = path3.join(root, file.path);
-    await mkdir2(path3.dirname(destination), { recursive: true });
+    const destination = path4.join(root, file.path);
+    await mkdir2(path4.dirname(destination), { recursive: true });
     await writeFile2(destination, file.content, "utf8");
   }
   return {
@@ -457,9 +758,64 @@ function flattenObject(value, prefix = "") {
       Object.assign(accumulator, flattenObject(nestedValue, nextKey));
       return accumulator;
     }
-    accumulator[nextKey] = nestedValue;
-    return accumulator;
-  }, {});
+    accumulator[nextKey] = nestedValue;
+    return accumulator;
+  }, {});
+}
+// ../core/src/utils/envNaming.ts
+function normalizeMappingConfig(config = {}) {
+  return {
+    convention: config.convention,
+    explicit: config.explicit ?? {}
+  };
+}
+function toScreamingSnakeSegment(segment) {
+  return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function toScreamingSnake(path8) {
+  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+}
+function fromScreamingSnake(path8) {
+  return path8.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+}
+function logicalKeyToEnvVar(key, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitEntry = Object.entries(normalized.explicit).find(([, logicalKey]) => logicalKey === key);
+  if (explicitEntry) {
+    return explicitEntry[0];
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (key.startsWith("value.")) {
+    return toScreamingSnake(key.slice("value.".length));
+  }
+  if (key.startsWith("secret.")) {
+    return `SECRET_${toScreamingSnake(key.slice("secret.".length))}`;
+  }
+  return void 0;
+}
+function envVarToLogicalKey(envVar, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitMatch = normalized.explicit[envVar];
+  if (explicitMatch) {
+    return explicitMatch;
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (envVar.startsWith("SECRET_")) {
+    const stripped = envVar.slice("SECRET_".length);
+    if (!stripped) {
+      return void 0;
+    }
+    return `secret.${fromScreamingSnake(stripped)}`;
+  }
+  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
+    return void 0;
+  }
+  return `value.${fromScreamingSnake(envVar)}`;
 }
 // ../core/src/validation/envMapping.ts
@@ -475,7 +831,8 @@ function validateEnvMappingCollisions(manifest, graph) {
   ]);
   const collisions = /* @__PURE__ */ new Map();
   for (const key of candidates) {
-    if (key.startsWith("meta.")) {
+    const definition = getNamespaceDefinition(manifest, key);
+    if (definition.kind !== "data") {
       continue;
     }
     const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar(key) : void 0);
@@ -494,11 +851,7 @@ function validateEnvMappingCollisions(manifest, graph) {
 // ../core/src/validation/publicSafety.ts
 function validatePublicSafety(manifest) {
-  return manifest.public.promote.filter((key) => !key.startsWith("value.")).map((key) => ({
-    code: "public.invalid-promotion",
-    key,
-    message: `public.promote may only include value.* keys: ${key}`
-  }));
+  return manifest.public.promote.map((key) => validateProjectionIssue(manifest, key, "public")).filter((issue) => Boolean(issue));
 }
 // ../core/src/validation/workspaceSafety.ts
@@ -564,39 +917,6 @@ async function validateRuntime(runtime) {
   };
 }
-// ../core/src/runtime/inspect.ts
-function inspectValue(graph, key) {
-  const entry = graph.entries.get(key);
-  if (!entry) {
-    throw new CnosKeyNotFoundError(key);
-  }
-  return {
-    key: entry.key,
-    value: entry.value,
-    namespace: entry.namespace,
-    profile: graph.profile,
-    profileSource: graph.profileSource,
-    workspace: {
-      id: graph.workspace.workspaceId,
-      source: graph.workspace.workspaceSource,
-      chain: graph.workspace.workspaceChain
-    },
-    winner: {
-      sourceId: entry.winner.sourceId,
-      pluginId: entry.winner.pluginId,
-      workspaceId: entry.winner.workspaceId,
-      ...entry.winner.origin ? { origin: entry.winner.origin } : {}
-    },
-    overridden: entry.overridden.map((override) => ({
-      sourceId: override.sourceId,
-      pluginId: override.pluginId,
-      workspaceId: override.workspaceId,
-      value: override.value,
-      ...override.origin ? { origin: override.origin } : {}
-    }))
-  };
-}
 // ../core/src/inspectors/provenance.ts
 function createProvenanceInspector() {
   return {
@@ -608,167 +928,6 @@ function createProvenanceInspector() {
   };
 }
-// ../core/src/manifest/loadManifest.ts
-import { readFile as readFile2 } from "fs/promises";
-import path4 from "path";
-// ../core/src/manifest/normalizeManifest.ts
-var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
-var DEFAULT_LOADERS = [
-  "filesystem-values",
-  "filesystem-secrets",
-  "dotenv",
-  "process-env",
-  "cli-args"
-];
-var DEFAULT_VALIDATORS = ["basic-schema"];
-var DEFAULT_EXPORTERS = ["env", "public-env"];
-var DEFAULT_INSPECTORS = ["provenance"];
-var DEFAULT_FRAMEWORK_PREFIXES = {
-  next: "NEXT_PUBLIC_",
-  vite: "VITE_",
-  nuxt: "NUXT_PUBLIC_"
-};
-function validateResolveFrom(resolveFrom) {
-  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
-  for (const entry of resolveFrom) {
-    if (!validValues.includes(entry)) {
-      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
-    }
-  }
-  return resolveFrom;
-}
-function normalizeWorkspaceItems(items) {
-  return Object.fromEntries(
-    Object.entries(items ?? {}).map(([workspaceId, item]) => [
-      workspaceId,
-      {
-        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
-        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
-      }
-    ])
-  );
-}
-function normalizeManifest(manifest) {
-  const version = manifest.version ?? 1;
-  if (version !== 1) {
-    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
-  }
-  const projectName = manifest.project?.name?.trim();
-  if (!projectName) {
-    throw new CnosManifestError("Manifest requires project.name");
-  }
-  const defaultProfile = manifest.profiles?.default?.trim() || "base";
-  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
-  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
-  const filesystemValues = {
-    root: "./",
-    format: "yaml",
-    ...manifest.sources?.["filesystem-values"] ?? {}
-  };
-  const filesystemSecrets = {
-    root: "./",
-    format: "yaml",
-    ...manifest.sources?.["filesystem-secrets"] ?? {}
-  };
-  const dotenv = {
-    root: "./env",
-    ...manifest.sources?.dotenv ?? {}
-  };
-  return {
-    version: 1,
-    project: {
-      name: projectName
-    },
-    workspaces: {
-      ...manifest.workspaces?.default?.trim() ? {
-        default: manifest.workspaces.default.trim()
-      } : {},
-      global: {
-        enabled: manifest.workspaces?.global?.enabled ?? false,
-        ...manifest.workspaces?.global?.root?.trim() ? {
-          root: manifest.workspaces.global.root.trim()
-        } : {},
-        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
-      },
-      items: workspaceItems
-    },
-    profiles: {
-      default: defaultProfile,
-      resolveFrom
-    },
-    plugins: {
-      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
-      resolver: manifest.plugins?.resolver ?? "profile-aware",
-      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
-      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
-      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
-    },
-    sources: {
-      ...manifest.sources ?? {},
-      "filesystem-values": filesystemValues,
-      "filesystem-secrets": filesystemSecrets,
-      dotenv
-    },
-    resolution: {
-      precedence: manifest.resolution?.precedence ?? [
-        "filesystem-values",
-        "filesystem-secrets",
-        "dotenv",
-        "process-env",
-        "cli-args"
-      ],
-      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
-    },
-    envMapping: {
-      ...manifest.envMapping?.convention ? {
-        convention: manifest.envMapping.convention
-      } : {},
-      explicit: manifest.envMapping?.explicit ?? {}
-    },
-    public: {
-      promote: manifest.public?.promote ?? [],
-      frameworks: {
-        ...DEFAULT_FRAMEWORK_PREFIXES,
-        ...manifest.public?.frameworks ?? {}
-      }
-    },
-    writePolicy: {
-      define: {
-        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
-        targets: {
-          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
-          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
-        }
-      }
-    },
-    schema: manifest.schema ?? {}
-  };
-}
-// ../core/src/manifest/loadManifest.ts
-async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = path4.join(manifestRoot, "cnos.yml");
-  let source;
-  try {
-    source = await readFile2(manifestPath, "utf8");
-  } catch {
-    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
-  }
-  const rawManifest = parseYaml(source);
-  if (!rawManifest || typeof rawManifest !== "object") {
-    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
-  }
-  return {
-    manifestRoot,
-    repoRoot: path4.dirname(manifestRoot),
-    manifestPath,
-    manifest: normalizeManifest(rawManifest),
-    rawManifest
-  };
-}
 // ../core/src/manifest/loadWorkspaceFile.ts
 import { readFile as readFile3 } from "fs/promises";
 import path5 from "path";
@@ -936,6 +1095,50 @@ async function expandProfileChain(activeProfile, options = {}) {
   };
 }
+// ../core/src/promotions/promoteToPublic.ts
+function toPublicKey(key) {
+  const namespace = getNamespaceNameForKey(key);
+  return namespace === "value" ? `public.${stripNamespace(key)}` : `public.${key}`;
+}
+function toPromotedConfigEntry(entry, key, promotedFrom) {
+  return {
+    ...entry,
+    key,
+    namespace: "public",
+    sourceId: "public-promote",
+    pluginId: "core",
+    metadata: {
+      ...entry.metadata ?? {},
+      promotedFrom
+    }
+  };
+}
+function toPromotedResolvedEntry(entry) {
+  const key = toPublicKey(entry.key);
+  return {
+    key,
+    value: entry.value,
+    namespace: "public",
+    winner: toPromotedConfigEntry(entry.winner, key, entry.key),
+    overridden: entry.overridden.map((override) => toPromotedConfigEntry(override, key, entry.key))
+  };
+}
+function promoteToPublic(graph, manifest) {
+  const entries = new Map(graph.entries);
+  for (const key of manifest.public.promote) {
+    ensureProjectionAllowed(manifest, key, "public");
+    const resolved = graph.entries.get(key);
+    if (!resolved) {
+      continue;
+    }
+    entries.set(toPublicKey(key), toPromotedResolvedEntry(resolved));
+  }
+  return {
+    ...graph,
+    entries
+  };
+}
 // ../core/src/profiles/resolveActiveProfile.ts
 function resolveActiveProfile(manifest, options = {}) {
   for (const source of manifest.profiles.resolveFrom) {
@@ -1370,26 +1573,6 @@ async function runPipeline(options) {
   return collectedEntries.flat();
 }
-// ../core/src/runtime/read.ts
-function readValue(graph, key) {
-  return graph.entries.get(key)?.value;
-}
-// ../core/src/runtime/readOr.ts
-function readOrValue(graph, key, fallback) {
-  const value = readValue(graph, key);
-  return value === void 0 ? fallback : value;
-}
-// ../core/src/runtime/require.ts
-function requireValue(graph, key) {
-  const value = readValue(graph, key);
-  if (value === void 0) {
-    throw new CnosKeyNotFoundError(key);
-  }
-  return value;
-}
 // ../core/src/orchestrator/runtime.ts
 function createRuntime(manifest, graph, plugins = []) {
   return {
@@ -1527,6 +1710,9 @@ function appendMetaEntries(graph, cnosVersion) {
 }
 async function createCnos(options = {}) {
   const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  for (const key of loadedManifest.manifest.public.promote) {
+    ensureProjectionAllowed(loadedManifest.manifest, key, "public");
+  }
   const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
@@ -1566,10 +1752,11 @@ async function createCnos(options = {}) {
     workspace
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
+  const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
-      ...schemaApplied.graph,
+      ...promotedGraph,
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins
@@ -1578,28 +1765,42 @@ async function createCnos(options = {}) {
 export {
   CnosManifestError,
+  CnosSecurityError,
+  inspectValue,
   createProvenanceInspector,
+  resolveManifestRoot,
   resolveWorkspaceScopedPath,
   resolveConfigDocumentPath,
   toPortablePath,
   joinConfigPath,
+  toLogicalKey,
   parseYaml,
   stringifyYaml,
+  loadManifest,
+  ensureProjectionAllowed,
   applySchemaRules,
+  toNamespaceObject,
+  readValue,
+  readOrValue,
+  requireValue,
   isSecretReference,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
   resolveSecretPassphrase,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
+  resolveConfiguredVaultPassphrase,
+  resolveVaultDefinition,
   createSecretVault,
   listSecretVaults,
   writeLocalSecret,
   readLocalSecret,
   toEnv,
-  envVarToLogicalKey,
   toPublicEnv,
   createCnos,
   planDump,
   writeDump,
+  envVarToLogicalKey,
   flattenObject,
   validateRuntime
 };