@kitsy/cnos 1.1.2 → 1.2.0

package/dist/internal.cjs

@@ -30,20 +30,52 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/internal.ts
 var internal_exports = {};
 __export(internal_exports, {
+  CNOS_GRAPH_ENV_VAR: () => CNOS_GRAPH_ENV_VAR,
+  CnosSecurityError: () => CnosSecurityError,
   createSecretVault: () => createSecretVault,
+  deserializeRuntimeGraph: () => deserializeRuntimeGraph,
+  ensureProjectionAllowed: () => ensureProjectionAllowed,
   flattenObject: () => flattenObject,
+  getVaultPassphraseEnvVar: () => getVaultPassphraseEnvVar,
+  isPassphraseEnvRef: () => isPassphraseEnvRef,
   listSecretVaults: () => listSecretVaults,
+  loadManifest: () => loadManifest,
   parseYaml: () => parseYaml,
+  readRuntimeGraphFromEnv: () => readRuntimeGraphFromEnv,
   resolveConfigDocumentPath: () => resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase: () => resolveConfiguredVaultPassphrase,
+  resolveManifestRoot: () => resolveManifestRoot,
   resolveSecretPassphrase: () => resolveSecretPassphrase,
   resolveSecretStoreRoot: () => resolveSecretStoreRoot,
   resolveSecretVaultFile: () => resolveSecretVaultFile,
+  resolveVaultDefinition: () => resolveVaultDefinition,
+  serializeRuntimeGraph: () => serializeRuntimeGraph,
   stringifyYaml: () => stringifyYaml,
   validateRuntime: () => validateRuntime,
   writeLocalSecret: () => writeLocalSecret
 });
 module.exports = __toCommonJS(internal_exports);
 
+// ../core/src/errors.ts
+var CnosError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = new.target.name;
+  }
+};
+var CnosManifestError = class extends CnosError {
+  constructor(message, manifestPath) {
+    super(manifestPath ? `${message} (${manifestPath})` : message);
+    this.manifestPath = manifestPath;
+  }
+  manifestPath;
+};
+var CnosSecurityError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+
 // ../core/src/manifest/loadManifest.ts
 var import_promises2 = require("fs/promises");
 var import_node_path2 = __toESM(require("path"), 1);
@@ -52,6 +84,35 @@ var import_node_path2 = __toESM(require("path"), 1);
 var import_promises = require("fs/promises");
 var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
+var PRIMARY_CNOS_DIR = ".cnos";
+var LEGACY_CNOS_DIR = "cnos";
+async function exists(filePath) {
+  try {
+    await (0, import_promises.access)(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveCnosRoot(root = process.cwd()) {
+  const basePath = import_node_path.default.resolve(root);
+  const candidates = [
+    import_node_path.default.join(basePath, PRIMARY_CNOS_DIR),
+    import_node_path.default.join(basePath, LEGACY_CNOS_DIR),
+    basePath
+  ];
+  for (const candidate of candidates) {
+    if (await exists(import_node_path.default.join(candidate, "cnos.yml"))) {
+      return candidate;
+    }
+  }
+  throw new CnosManifestError(
+    `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
+  );
+}
+async function resolveManifestRoot(root = process.cwd()) {
+  return resolveCnosRoot(root);
+}
 function expandHomePath(targetPath) {
   if (targetPath === "~") {
     return import_node_os.default.homedir();
@@ -83,6 +144,230 @@ function stringifyYaml(value) {
   return (0, import_yaml.stringify)(value);
 }
 
+// ../core/src/manifest/normalizeManifest.ts
+var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
+var DEFAULT_LOADERS = [
+  "filesystem-values",
+  "filesystem-secrets",
+  "dotenv",
+  "process-env",
+  "cli-args"
+];
+var DEFAULT_VALIDATORS = ["basic-schema"];
+var DEFAULT_EXPORTERS = ["env", "public-env"];
+var DEFAULT_INSPECTORS = ["provenance"];
+var DEFAULT_FRAMEWORK_PREFIXES = {
+  next: "NEXT_PUBLIC_",
+  vite: "VITE_",
+  nuxt: "NUXT_PUBLIC_"
+};
+var DEFAULT_NAMESPACES = {
+  value: {
+    kind: "data",
+    shareable: true
+  },
+  secret: {
+    kind: "data",
+    shareable: false,
+    sensitive: true
+  },
+  meta: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  public: {
+    kind: "projection",
+    source: "promote",
+    shareable: true,
+    readonly: true
+  },
+  env: {
+    kind: "projection",
+    source: "envMapping",
+    shareable: true,
+    readonly: true
+  }
+};
+function validateResolveFrom(resolveFrom) {
+  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
+  for (const entry of resolveFrom) {
+    if (!validValues.includes(entry)) {
+      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
+    }
+  }
+  return resolveFrom;
+}
+function normalizeWorkspaceItems(items) {
+  return Object.fromEntries(
+    Object.entries(items ?? {}).map(([workspaceId, item]) => [
+      workspaceId,
+      {
+        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
+        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
+      }
+    ])
+  );
+}
+function normalizeNamespaces(namespaces) {
+  const normalized = Object.fromEntries(
+    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+      namespace,
+      {
+        kind: definition.kind ?? "data",
+        shareable: definition.shareable ?? false,
+        ...definition.sensitive !== void 0 ? { sensitive: definition.sensitive } : {},
+        ...definition.readonly !== void 0 ? { readonly: definition.readonly } : {},
+        ...definition.source ? { source: definition.source } : {}
+      }
+    ])
+  );
+  return {
+    ...DEFAULT_NAMESPACES,
+    ...normalized
+  };
+}
+function normalizeVaults(vaults) {
+  return Object.fromEntries(
+    Object.entries(vaults ?? {}).map(([name, definition]) => {
+      const provider = definition.provider?.trim();
+      if (!provider) {
+        throw new CnosManifestError(`Vault "${name}" requires a provider`);
+      }
+      return [
+        name,
+        {
+          provider,
+          ...definition.passphrase?.trim() ? {
+            passphrase: definition.passphrase.trim()
+          } : {}
+        }
+      ];
+    })
+  );
+}
+function normalizeManifest(manifest) {
+  const version = manifest.version ?? 1;
+  if (version !== 1) {
+    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
+  }
+  const projectName = manifest.project?.name?.trim();
+  if (!projectName) {
+    throw new CnosManifestError("Manifest requires project.name");
+  }
+  const defaultProfile = manifest.profiles?.default?.trim() || "base";
+  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
+  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const filesystemValues = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-values"] ?? {}
+  };
+  const filesystemSecrets = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-secrets"] ?? {}
+  };
+  const dotenv = {
+    root: "./env",
+    ...manifest.sources?.dotenv ?? {}
+  };
+  return {
+    version: 1,
+    project: {
+      name: projectName
+    },
+    workspaces: {
+      ...manifest.workspaces?.default?.trim() ? {
+        default: manifest.workspaces.default.trim()
+      } : {},
+      global: {
+        enabled: manifest.workspaces?.global?.enabled ?? false,
+        ...manifest.workspaces?.global?.root?.trim() ? {
+          root: manifest.workspaces.global.root.trim()
+        } : {},
+        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
+      },
+      items: workspaceItems
+    },
+    profiles: {
+      default: defaultProfile,
+      resolveFrom
+    },
+    plugins: {
+      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
+      resolver: manifest.plugins?.resolver ?? "profile-aware",
+      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
+      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
+      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
+    },
+    sources: {
+      ...manifest.sources ?? {},
+      "filesystem-values": filesystemValues,
+      "filesystem-secrets": filesystemSecrets,
+      dotenv
+    },
+    resolution: {
+      precedence: manifest.resolution?.precedence ?? [
+        "filesystem-values",
+        "filesystem-secrets",
+        "dotenv",
+        "process-env",
+        "cli-args"
+      ],
+      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
+    },
+    envMapping: {
+      ...manifest.envMapping?.convention ? {
+        convention: manifest.envMapping.convention
+      } : {},
+      explicit: manifest.envMapping?.explicit ?? {}
+    },
+    public: {
+      promote: manifest.public?.promote ?? [],
+      frameworks: {
+        ...DEFAULT_FRAMEWORK_PREFIXES,
+        ...manifest.public?.frameworks ?? {}
+      }
+    },
+    namespaces: normalizeNamespaces(manifest.namespaces),
+    vaults: normalizeVaults(manifest.vaults),
+    writePolicy: {
+      define: {
+        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
+        targets: {
+          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
+          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
+        }
+      }
+    },
+    schema: manifest.schema ?? {}
+  };
+}
+
+// ../core/src/manifest/loadManifest.ts
+async function loadManifest(options = {}) {
+  const manifestRoot = await resolveManifestRoot(options.root);
+  const manifestPath = import_node_path2.default.join(manifestRoot, "cnos.yml");
+  let source;
+  try {
+    source = await (0, import_promises2.readFile)(manifestPath, "utf8");
+  } catch {
+    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
+  }
+  const rawManifest = parseYaml(source);
+  if (!rawManifest || typeof rawManifest !== "object") {
+    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
+  }
+  return {
+    manifestRoot,
+    repoRoot: import_node_path2.default.dirname(manifestRoot),
+    manifestPath,
+    manifest: normalizeManifest(rawManifest),
+    rawManifest
+  };
+}
+
 // ../core/src/manifest/loadWorkspaceFile.ts
 var import_promises3 = require("fs/promises");
 var import_node_path3 = __toESM(require("path"), 1);
@@ -91,6 +376,54 @@ var import_node_path3 = __toESM(require("path"), 1);
 var import_promises4 = require("fs/promises");
 var import_node_path4 = __toESM(require("path"), 1);
 
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
+  }
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+function ensureProjectionAllowed(manifest, key, target) {
+  const namespace = getNamespaceNameForKey(key);
+  const definition = getNamespaceDefinition(manifest, namespace);
+  if (definition.kind !== "data") {
+    throw new CnosManifestError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not a data namespace.`
+    );
+  }
+  if (definition.sensitive) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
+    );
+  }
+  if (!definition.shareable) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not shareable.`
+    );
+  }
+}
+function validateProjectionIssue(manifest, key, target) {
+  try {
+    ensureProjectionAllowed(manifest, key, target);
+    return void 0;
+  } catch (error) {
+    return {
+      code: target === "public" ? "public.invalid-promotion" : "env.invalid-mapping",
+      key,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+
 // ../core/src/workspaces/resolveWorkspaceContext.ts
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
@@ -115,6 +448,38 @@ function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
   const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
   return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
 }
+function getVaultPassphraseEnvVar(vault = "default") {
+  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  return vaultToken && vaultToken !== "DEFAULT" ? `CNOS_SECRET_PASSPHRASE_${vaultToken}` : "CNOS_SECRET_PASSPHRASE";
+}
+function isPassphraseEnvRef(value) {
+  return typeof value === "string" && value.startsWith("env:") && value.length > 4;
+}
+function resolveConfiguredVaultPassphrase(definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return void 0;
+  }
+  const passphraseRef = definition.passphrase;
+  if (typeof passphraseRef === "string" && passphraseRef.startsWith("env:") && passphraseRef.length > 4) {
+    return processEnv[passphraseRef.slice(4)];
+  }
+  if (passphraseRef) {
+    return passphraseRef;
+  }
+  return resolveSecretPassphrase(vault, processEnv);
+}
+function resolveVaultDefinition(vaults, vault = "default") {
+  const definition = vaults?.[vault];
+  const provider = definition?.provider ?? "local";
+  return {
+    name: vault,
+    provider,
+    ...definition?.passphrase ? {
+      passphrase: definition.passphrase
+    } : {},
+    requiresPassphrase: provider === "local"
+  };
+}
 function encryptDocument(value, passphrase) {
   const salt = (0, import_node_crypto.randomBytes)(16);
   const iv = (0, import_node_crypto.randomBytes)(12);
@@ -174,6 +539,10 @@ async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "defa
   return filePath;
 }
 
+// ../core/src/runtime/dump.ts
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -205,10 +574,6 @@ function logicalKeyToEnvVar(key, config = {}) {
   return void 0;
 }
 
-// ../core/src/runtime/dump.ts
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-
 // ../core/src/utils/flatten.ts
 function flattenObject(value, prefix = "") {
   return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
@@ -235,7 +600,8 @@ function validateEnvMappingCollisions(manifest, graph) {
   ]);
   const collisions = /* @__PURE__ */ new Map();
   for (const key of candidates) {
-    if (key.startsWith("meta.")) {
+    const definition = getNamespaceDefinition(manifest, key);
+    if (definition.kind !== "data") {
       continue;
     }
     const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar(key) : void 0);
@@ -254,11 +620,7 @@ function validateEnvMappingCollisions(manifest, graph) {
 
 // ../core/src/validation/publicSafety.ts
 function validatePublicSafety(manifest) {
-  return manifest.public.promote.filter((key) => !key.startsWith("value.")).map((key) => ({
-    code: "public.invalid-promotion",
-    key,
-    message: `public.promote may only include value.* keys: ${key}`
-  }));
+  return manifest.public.promote.map((key) => validateProjectionIssue(manifest, key, "public")).filter((issue) => Boolean(issue));
 }
 
 // ../core/src/validation/workspaceSafety.ts
@@ -323,16 +685,72 @@ async function validateRuntime(runtime) {
     results
   };
 }
+
+// src/runtime/bootstrap.ts
+var CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+function serializeRuntimeGraph(graph) {
+  const payload = {
+    entries: Array.from(graph.entries.values()),
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    profileSource: graph.profileSource,
+    workspace: graph.workspace
+  };
+  return JSON.stringify(payload);
+}
+function deserializeRuntimeGraph(source) {
+  const payload = JSON.parse(source);
+  if (!payload || !Array.isArray(payload.entries) || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || !payload.profileSource || !payload.workspace || typeof payload.workspace.workspaceId !== "string" || !Array.isArray(payload.workspace.workspaceChain) || !Array.isArray(payload.workspace.workspaceRoots)) {
+    throw new Error("Invalid CNOS runtime bootstrap payload");
+  }
+  return {
+    entries: new Map(
+      payload.entries.map((entry) => [
+        entry.key,
+        {
+          key: entry.key,
+          value: entry.value,
+          namespace: entry.namespace,
+          winner: entry.winner,
+          overridden: entry.overridden ?? []
+        }
+      ])
+    ),
+    profile: payload.profile,
+    resolvedAt: payload.resolvedAt,
+    profileSource: payload.profileSource,
+    workspace: payload.workspace
+  };
+}
+function readRuntimeGraphFromEnv(processEnv = process.env) {
+  const serialized = processEnv[CNOS_GRAPH_ENV_VAR];
+  if (!serialized) {
+    return void 0;
+  }
+  return deserializeRuntimeGraph(serialized);
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  CNOS_GRAPH_ENV_VAR,
+  CnosSecurityError,
   createSecretVault,
+  deserializeRuntimeGraph,
+  ensureProjectionAllowed,
   flattenObject,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
   listSecretVaults,
+  loadManifest,
   parseYaml,
+  readRuntimeGraphFromEnv,
   resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase,
+  resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultDefinition,
+  serializeRuntimeGraph,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/internal.d.cts

@@ -1,8 +1,21 @@
-import { d as CnosRuntime, V as ValidationSummary } from './plugin-BVNEHj19.cjs';
-export { i as ValidationIssue, W as WorkspaceFile } from './plugin-BVNEHj19.cjs';
+import { i as LoadManifestOptions, j as LoadedManifest, N as NormalizedManifest, g as LogicalKey, V as VaultDefinition, d as CnosRuntime, k as ValidationSummary, R as ResolvedGraph } from './plugin-DkOIT5uI.cjs';
+export { l as ValidationIssue, W as WorkspaceFile } from './plugin-DkOIT5uI.cjs';
+
+declare class CnosError extends Error {
+    constructor(message: string);
+}
+declare class CnosSecurityError extends CnosError {
+    constructor(message: string);
+}
+
+declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
+
+type ProjectionTarget = 'public' | 'env';
+declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
 
 declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
 
+declare function resolveManifestRoot(root?: string): Promise<string>;
 declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 
 interface SecretReference {
@@ -10,9 +23,17 @@ interface SecretReference {
     ref: string;
     vault?: string;
 }
+interface ResolvedVaultDefinition extends VaultDefinition {
+    name: string;
+    requiresPassphrase: boolean;
+}
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
 declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
 declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function getVaultPassphraseEnvVar(vault?: string): string;
+declare function isPassphraseEnvRef(value: string | undefined): boolean;
+declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
 declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
 declare function listSecretVaults(storeRoot: string): Promise<string[]>;
 declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
@@ -22,4 +43,9 @@ declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };
+declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
+declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
+declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
+
+export { CNOS_GRAPH_ENV_VAR, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, createSecretVault, deserializeRuntimeGraph, ensureProjectionAllowed, flattenObject, getVaultPassphraseEnvVar, isPassphraseEnvRef, listSecretVaults, loadManifest, parseYaml, readRuntimeGraphFromEnv, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultDefinition, serializeRuntimeGraph, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.d.ts

@@ -1,8 +1,21 @@
-import { d as CnosRuntime, V as ValidationSummary } from './plugin-BVNEHj19.js';
-export { i as ValidationIssue, W as WorkspaceFile } from './plugin-BVNEHj19.js';
+import { i as LoadManifestOptions, j as LoadedManifest, N as NormalizedManifest, g as LogicalKey, V as VaultDefinition, d as CnosRuntime, k as ValidationSummary, R as ResolvedGraph } from './plugin-DkOIT5uI.js';
+export { l as ValidationIssue, W as WorkspaceFile } from './plugin-DkOIT5uI.js';
+
+declare class CnosError extends Error {
+    constructor(message: string);
+}
+declare class CnosSecurityError extends CnosError {
+    constructor(message: string);
+}
+
+declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
+
+type ProjectionTarget = 'public' | 'env';
+declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
 
 declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
 
+declare function resolveManifestRoot(root?: string): Promise<string>;
 declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 
 interface SecretReference {
@@ -10,9 +23,17 @@ interface SecretReference {
     ref: string;
     vault?: string;
 }
+interface ResolvedVaultDefinition extends VaultDefinition {
+    name: string;
+    requiresPassphrase: boolean;
+}
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
 declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
 declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function getVaultPassphraseEnvVar(vault?: string): string;
+declare function isPassphraseEnvRef(value: string | undefined): boolean;
+declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
 declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
 declare function listSecretVaults(storeRoot: string): Promise<string[]>;
 declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
@@ -22,4 +43,9 @@ declare function stringifyYaml(value: unknown): string;
 
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 
-export { type SecretReference, ValidationSummary, createSecretVault, flattenObject, listSecretVaults, parseYaml, resolveConfigDocumentPath, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, stringifyYaml, validateRuntime, writeLocalSecret };
+declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
+declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
+declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
+
+export { CNOS_GRAPH_ENV_VAR, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, createSecretVault, deserializeRuntimeGraph, ensureProjectionAllowed, flattenObject, getVaultPassphraseEnvVar, isPassphraseEnvRef, listSecretVaults, loadManifest, parseYaml, readRuntimeGraphFromEnv, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultDefinition, serializeRuntimeGraph, stringifyYaml, validateRuntime, writeLocalSecret };

package/dist/internal.js

@@ -1,25 +1,51 @@
 import {
+  CNOS_GRAPH_ENV_VAR,
+  deserializeRuntimeGraph,
+  readRuntimeGraphFromEnv,
+  serializeRuntimeGraph
+} from "./chunk-PQ4KSV76.js";
+import {
+  CnosSecurityError,
   createSecretVault,
+  ensureProjectionAllowed,
   flattenObject,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
   listSecretVaults,
+  loadManifest,
   parseYaml,
   resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase,
+  resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultDefinition,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret
-} from "./chunk-33ZDYDQJ.js";
+} from "./chunk-APCTXRUN.js";
 export {
+  CNOS_GRAPH_ENV_VAR,
+  CnosSecurityError,
   createSecretVault,
+  deserializeRuntimeGraph,
+  ensureProjectionAllowed,
   flattenObject,
+  getVaultPassphraseEnvVar,
+  isPassphraseEnvRef,
   listSecretVaults,
+  loadManifest,
   parseYaml,
+  readRuntimeGraphFromEnv,
   resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase,
+  resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultDefinition,
+  serializeRuntimeGraph,
   stringifyYaml,
   validateRuntime,
   writeLocalSecret

package/dist/plugin/basic-schema.d.cts

@@ -1,4 +1,4 @@
-import { j as ValidatorPlugin } from '../plugin-BVNEHj19.cjs';
+import { m as ValidatorPlugin } from '../plugin-DkOIT5uI.cjs';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;