@kitsy/cnos 1.1.2 → 1.3.0

package/dist/internal.cjs

@@ -30,20 +30,197 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/internal.ts
 var internal_exports = {};
 __export(internal_exports, {
+  CNOS_GRAPH_ENV_VAR: () => CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR: () => CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR: () => CNOS_SESSION_KEY_ENV_VAR,
+  CnosAuthenticationError: () => CnosAuthenticationError,
+  CnosSecurityError: () => CnosSecurityError,
+  applyManifestMappings: () => applyManifestMappings,
+  clearAllVaultSessionKeys: () => clearAllVaultSessionKeys,
+  clearVaultSessionKey: () => clearVaultSessionKey,
+  compareSchemaToGraph: () => compareSchemaToGraph,
   createSecretVault: () => createSecretVault,
+  createSecretVaultProvider: () => createSecretVaultProvider,
+  deleteLocalSecret: () => deleteLocalSecret,
+  deriveVaultKey: () => deriveVaultKey,
+  deserializeRuntimeGraph: () => deserializeRuntimeGraph,
+  detectLegacyVaultFormat: () => detectLegacyVaultFormat,
+  diffGraphs: () => diffGraphs,
+  ensureProjectionAllowed: () => ensureProjectionAllowed,
   flattenObject: () => flattenObject,
+  formatDriftReport: () => formatDriftReport,
+  generateCodegenContent: () => generateCodegenContent,
+  getVaultPassphraseEnvVar: () => getVaultPassphraseEnvVar,
+  getVaultSessionKeyEnvVar: () => getVaultSessionKeyEnvVar,
+  graphRequiresSecretHydration: () => graphRequiresSecretHydration,
+  isPassphraseEnvRef: () => isPassphraseEnvRef,
+  isSecretReference: () => isSecretReference,
+  listLocalSecrets: () => listLocalSecrets,
   listSecretVaults: () => listSecretVaults,
+  loadManifest: () => loadManifest,
   parseYaml: () => parseYaml,
+  proposeMapping: () => proposeMapping,
+  readKeychain: () => readKeychain,
+  readLocalSecret: () => readLocalSecret,
+  readRuntimeGraphFromEnv: () => readRuntimeGraphFromEnv,
+  readVaultMetadata: () => readVaultMetadata,
+  removeLocalVaultFiles: () => removeLocalVaultFiles,
+  resolveCodegenPaths: () => resolveCodegenPaths,
   resolveConfigDocumentPath: () => resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase: () => resolveConfiguredVaultPassphrase,
+  resolveManifestRoot: () => resolveManifestRoot,
   resolveSecretPassphrase: () => resolveSecretPassphrase,
   resolveSecretStoreRoot: () => resolveSecretStoreRoot,
   resolveSecretVaultFile: () => resolveSecretVaultFile,
+  resolveVaultAccessKey: () => resolveVaultAccessKey,
+  resolveVaultAuth: () => resolveVaultAuth,
+  resolveVaultDefinition: () => resolveVaultDefinition,
+  rewriteSourceFiles: () => rewriteSourceFiles,
+  scanEnvUsage: () => scanEnvUsage,
+  serializeRuntimeGraph: () => serializeRuntimeGraph,
+  serializeSecretPayload: () => serializeSecretPayload,
   stringifyYaml: () => stringifyYaml,
   validateRuntime: () => validateRuntime,
-  writeLocalSecret: () => writeLocalSecret
+  watchFiles: () => watchFiles,
+  watchSchema: () => watchSchema,
+  writeCodegenOutput: () => writeCodegenOutput,
+  writeKeychain: () => writeKeychain,
+  writeLocalSecret: () => writeLocalSecret,
+  writeVaultSessionKey: () => writeVaultSessionKey
 });
 module.exports = __toCommonJS(internal_exports);
 
+// ../core/src/errors.ts
+var CnosError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = new.target.name;
+  }
+};
+var CnosManifestError = class extends CnosError {
+  constructor(message, manifestPath) {
+    super(manifestPath ? `${message} (${manifestPath})` : message);
+    this.manifestPath = manifestPath;
+  }
+  manifestPath;
+};
+var CnosSecurityError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+var CnosAuthenticationError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+
+// ../core/src/keychain/linux.ts
+var import_node_child_process = require("child_process");
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+async function readLinuxKeychain(entry) {
+  try {
+    const { stdout } = await execFileAsync("secret-tool", ["lookup", "service", "cnos", "account", entry]);
+    const value = stdout.trim();
+    return value.length > 0 ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function writeLinuxKeychain(entry, value) {
+  await new Promise((resolve, reject) => {
+    const child = (0, import_node_child_process.spawn)("secret-tool", ["store", "--label", `CNOS ${entry}`, "service", "cnos", "account", entry], {
+      stdio: ["pipe", "ignore", "pipe"]
+    });
+    let stderr = "";
+    child.stdin?.end(value);
+    child.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      reject(new Error(stderr || `secret-tool exited with code ${code ?? 1}`));
+    });
+  });
+}
+
+// ../core/src/keychain/macos.ts
+var import_node_child_process2 = require("child_process");
+var import_node_util2 = require("util");
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process2.execFile);
+async function readMacosKeychain(entry) {
+  try {
+    const { stdout } = await execFileAsync2("security", ["find-generic-password", "-a", "cnos", "-s", entry, "-w"]);
+    const value = stdout.trim();
+    return value.length > 0 ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function writeMacosKeychain(entry, value) {
+  await execFileAsync2("security", ["add-generic-password", "-a", "cnos", "-s", entry, "-w", value, "-U"]);
+}
+
+// ../core/src/keychain/windows.ts
+var import_node_child_process3 = require("child_process");
+var import_node_util3 = require("util");
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process3.execFile);
+function wrap(script) {
+  return ["-NoProfile", "-Command", script];
+}
+async function readWindowsKeychain(entry) {
+  try {
+    const { stdout } = await execFileAsync3(
+      "powershell",
+      wrap(`Add-Type -AssemblyName System.Runtime.WindowsRuntime; [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] > $null; $vault = New-Object Windows.Security.Credentials.PasswordVault; $credential = $vault.Retrieve('cnos','${entry}'); $credential.RetrievePassword(); Write-Output $credential.Password`)
+    );
+    const value = stdout.trim();
+    return value.length > 0 ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function writeWindowsKeychain(entry, value) {
+  await execFileAsync3(
+    "powershell",
+    wrap(`Add-Type -AssemblyName System.Runtime.WindowsRuntime; [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] > $null; $vault = New-Object Windows.Security.Credentials.PasswordVault; try { $existing = $vault.Retrieve('cnos','${entry}'); $vault.Remove($existing) } catch {}; $credential = New-Object Windows.Security.Credentials.PasswordCredential('cnos','${entry}','${value}'); $vault.Add($credential)`)
+  );
+}
+
+// ../core/src/keychain/index.ts
+async function readKeychain(entry) {
+  if (process.platform === "win32") {
+    return readWindowsKeychain(entry);
+  }
+  if (process.platform === "darwin") {
+    return readMacosKeychain(entry);
+  }
+  if (process.platform === "linux") {
+    return readLinuxKeychain(entry);
+  }
+  return void 0;
+}
+async function writeKeychain(entry, value) {
+  if (process.platform === "win32") {
+    await writeWindowsKeychain(entry, value);
+    return;
+  }
+  if (process.platform === "darwin") {
+    await writeMacosKeychain(entry, value);
+    return;
+  }
+  if (process.platform === "linux") {
+    await writeLinuxKeychain(entry, value);
+    return;
+  }
+  throw new CnosAuthenticationError(`OS keychain is not supported on platform "${process.platform}".`);
+}
+
 // ../core/src/manifest/loadManifest.ts
 var import_promises2 = require("fs/promises");
 var import_node_path2 = __toESM(require("path"), 1);
@@ -52,6 +229,35 @@ var import_node_path2 = __toESM(require("path"), 1);
 var import_promises = require("fs/promises");
 var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
+var PRIMARY_CNOS_DIR = ".cnos";
+var LEGACY_CNOS_DIR = "cnos";
+async function exists(filePath) {
+  try {
+    await (0, import_promises.access)(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveCnosRoot(root = process.cwd()) {
+  const basePath = import_node_path.default.resolve(root);
+  const candidates = [
+    import_node_path.default.join(basePath, PRIMARY_CNOS_DIR),
+    import_node_path.default.join(basePath, LEGACY_CNOS_DIR),
+    basePath
+  ];
+  for (const candidate of candidates) {
+    if (await exists(import_node_path.default.join(candidate, "cnos.yml"))) {
+      return candidate;
+    }
+  }
+  throw new CnosManifestError(
+    `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
+  );
+}
+async function resolveManifestRoot(root = process.cwd()) {
+  return resolveCnosRoot(root);
+}
 function expandHomePath(targetPath) {
   if (targetPath === "~") {
     return import_node_os.default.homedir();
@@ -83,6 +289,290 @@ function stringifyYaml(value) {
   return (0, import_yaml.stringify)(value);
 }
 
+// ../core/src/manifest/normalizeManifest.ts
+var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
+var DEFAULT_LOADERS = [
+  "filesystem-values",
+  "filesystem-secrets",
+  "dotenv",
+  "process-env",
+  "cli-args"
+];
+var DEFAULT_VALIDATORS = ["basic-schema"];
+var DEFAULT_EXPORTERS = ["env", "public-env"];
+var DEFAULT_INSPECTORS = ["provenance"];
+var DEFAULT_FRAMEWORK_PREFIXES = {
+  next: "NEXT_PUBLIC_",
+  vite: "VITE_",
+  nuxt: "NUXT_PUBLIC_"
+};
+var DEFAULT_NAMESPACES = {
+  value: {
+    kind: "data",
+    shareable: true
+  },
+  secret: {
+    kind: "data",
+    shareable: false,
+    sensitive: true
+  },
+  meta: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  public: {
+    kind: "projection",
+    source: "promote",
+    shareable: true,
+    readonly: true
+  },
+  env: {
+    kind: "projection",
+    source: "envMapping",
+    shareable: true,
+    readonly: true
+  }
+};
+function validateResolveFrom(resolveFrom) {
+  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
+  for (const entry of resolveFrom) {
+    if (!validValues.includes(entry)) {
+      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
+    }
+  }
+  return resolveFrom;
+}
+function normalizeWorkspaceItems(items) {
+  return Object.fromEntries(
+    Object.entries(items ?? {}).map(([workspaceId, item]) => [
+      workspaceId,
+      {
+        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
+        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
+      }
+    ])
+  );
+}
+function normalizeNamespaces(namespaces) {
+  const normalized = Object.fromEntries(
+    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+      namespace,
+      {
+        kind: definition.kind ?? "data",
+        shareable: definition.shareable ?? false,
+        ...definition.sensitive !== void 0 ? { sensitive: definition.sensitive } : {},
+        ...definition.readonly !== void 0 ? { readonly: definition.readonly } : {},
+        ...definition.source ? { source: definition.source } : {}
+      }
+    ])
+  );
+  return {
+    ...DEFAULT_NAMESPACES,
+    ...normalized
+  };
+}
+function normalizeVaults(vaults) {
+  return Object.fromEntries(
+    Object.entries(vaults ?? {}).map(([name, definition]) => {
+      const legacyPassphrase = definition.passphrase;
+      if (legacyPassphrase !== void 0) {
+        throw new CnosManifestError(
+          `Vault "${name}" uses legacy passphrase configuration. Use vaults.${name}.auth instead.`
+        );
+      }
+      const provider = definition.provider?.trim();
+      if (!provider) {
+        throw new CnosManifestError(`Vault "${name}" requires a provider`);
+      }
+      const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
+      const normalizedMapping = Object.fromEntries(
+        Object.entries(definition.mapping ?? {}).filter(
+          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+      );
+      return [
+        name,
+        {
+          provider,
+          auth: normalizedAuth,
+          ...Object.keys(normalizedMapping).length > 0 ? {
+            mapping: normalizedMapping
+          } : {}
+        }
+      ];
+    })
+  );
+}
+function normalizeAuthSources(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return void 0;
+  }
+  const sources = Array.isArray(value.from) ? value.from : void 0;
+  const normalized = (sources ?? []).map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean);
+  return normalized.length > 0 ? normalized : void 0;
+}
+function normalizeVaultAuth(vaultName, provider, auth) {
+  if (provider === "local") {
+    const passphraseSources = normalizeAuthSources(auth?.passphrase);
+    const defaultToken = vaultName.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+    const defaultSources = [
+      ...defaultToken ? [`env:CNOS_SECRET_PASSPHRASE_${defaultToken}`] : [],
+      "env:CNOS_SECRET_PASSPHRASE",
+      `keychain:cnos/${vaultName}`,
+      "prompt"
+    ];
+    return {
+      method: auth?.method ?? "passphrase",
+      passphrase: {
+        from: passphraseSources ?? defaultSources
+      },
+      ...auth?.config ? { config: auth.config } : {}
+    };
+  }
+  if (provider === "github-secrets") {
+    return {
+      method: auth?.method ?? "environment",
+      ...auth?.config ? { config: auth.config } : {}
+    };
+  }
+  return {
+    ...auth?.method ? { method: auth.method } : {},
+    ...normalizeAuthSources(auth?.passphrase) ? {
+      passphrase: {
+        from: normalizeAuthSources(auth?.passphrase) ?? []
+      }
+    } : {},
+    ...normalizeAuthSources(auth?.token) ? {
+      token: {
+        from: normalizeAuthSources(auth?.token) ?? []
+      }
+    } : {},
+    ...auth?.config ? { config: auth.config } : {}
+  };
+}
+function normalizeManifest(manifest) {
+  const version = manifest.version ?? 1;
+  if (version !== 1) {
+    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
+  }
+  const projectName = manifest.project?.name?.trim();
+  if (!projectName) {
+    throw new CnosManifestError("Manifest requires project.name");
+  }
+  const defaultProfile = manifest.profiles?.default?.trim() || "base";
+  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
+  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const filesystemValues = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-values"] ?? {}
+  };
+  const filesystemSecrets = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-secrets"] ?? {}
+  };
+  const dotenv = {
+    root: "./env",
+    ...manifest.sources?.dotenv ?? {}
+  };
+  return {
+    version: 1,
+    project: {
+      name: projectName
+    },
+    workspaces: {
+      ...manifest.workspaces?.default?.trim() ? {
+        default: manifest.workspaces.default.trim()
+      } : {},
+      global: {
+        enabled: manifest.workspaces?.global?.enabled ?? false,
+        ...manifest.workspaces?.global?.root?.trim() ? {
+          root: manifest.workspaces.global.root.trim()
+        } : {},
+        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
+      },
+      items: workspaceItems
+    },
+    profiles: {
+      default: defaultProfile,
+      resolveFrom
+    },
+    plugins: {
+      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
+      resolver: manifest.plugins?.resolver ?? "profile-aware",
+      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
+      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
+      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
+    },
+    sources: {
+      ...manifest.sources ?? {},
+      "filesystem-values": filesystemValues,
+      "filesystem-secrets": filesystemSecrets,
+      dotenv
+    },
+    resolution: {
+      precedence: manifest.resolution?.precedence ?? [
+        "filesystem-values",
+        "filesystem-secrets",
+        "dotenv",
+        "process-env",
+        "cli-args"
+      ],
+      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
+    },
+    envMapping: {
+      ...manifest.envMapping?.convention ? {
+        convention: manifest.envMapping.convention
+      } : {},
+      explicit: manifest.envMapping?.explicit ?? {}
+    },
+    public: {
+      promote: manifest.public?.promote ?? [],
+      frameworks: {
+        ...DEFAULT_FRAMEWORK_PREFIXES,
+        ...manifest.public?.frameworks ?? {}
+      }
+    },
+    namespaces: normalizeNamespaces(manifest.namespaces),
+    vaults: normalizeVaults(manifest.vaults),
+    writePolicy: {
+      define: {
+        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
+        targets: {
+          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
+          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
+        }
+      }
+    },
+    schema: manifest.schema ?? {}
+  };
+}
+
+// ../core/src/manifest/loadManifest.ts
+async function loadManifest(options = {}) {
+  const manifestRoot = await resolveManifestRoot(options.root);
+  const manifestPath = import_node_path2.default.join(manifestRoot, "cnos.yml");
+  let source;
+  try {
+    source = await (0, import_promises2.readFile)(manifestPath, "utf8");
+  } catch {
+    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
+  }
+  const rawManifest = parseYaml(source);
+  if (!rawManifest || typeof rawManifest !== "object") {
+    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
+  }
+  return {
+    manifestRoot,
+    repoRoot: import_node_path2.default.dirname(manifestRoot),
+    manifestPath,
+    manifest: normalizeManifest(rawManifest),
+    rawManifest
+  };
+}
+
 // ../core/src/manifest/loadWorkspaceFile.ts
 var import_promises3 = require("fs/promises");
 var import_node_path3 = __toESM(require("path"), 1);
@@ -91,89 +581,735 @@ var import_node_path3 = __toESM(require("path"), 1);
 var import_promises4 = require("fs/promises");
 var import_node_path4 = __toESM(require("path"), 1);
 
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
+  }
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+function ensureProjectionAllowed(manifest, key, target) {
+  const namespace = getNamespaceNameForKey(key);
+  const definition = getNamespaceDefinition(manifest, namespace);
+  if (definition.kind !== "data") {
+    throw new CnosManifestError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not a data namespace.`
+    );
+  }
+  if (definition.sensitive) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
+    );
+  }
+  if (!definition.shareable) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not shareable.`
+    );
+  }
+}
+function validateProjectionIssue(manifest, key, target) {
+  try {
+    ensureProjectionAllowed(manifest, key, target);
+    return void 0;
+  } catch (error) {
+    return {
+      code: target === "public" ? "public.invalid-promotion" : "env.invalid-mapping",
+      key,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+
 // ../core/src/workspaces/resolveWorkspaceContext.ts
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/auditLog.ts
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
+
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
+// ../core/src/secrets/sessionStore.ts
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
+function buildSessionRoot(processEnv = process.env) {
+  return import_node_path6.default.join(import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+}
+function buildSessionPath(vault, processEnv) {
+  return import_node_path6.default.join(buildSessionRoot(processEnv), `${vault}.json`);
+}
+async function writeVaultSessionKey(vault, derivedKey, processEnv) {
+  const filePath = buildSessionPath(vault, processEnv);
+  await (0, import_promises6.mkdir)(import_node_path6.default.dirname(filePath), { recursive: true });
+  const document = {
+    version: 1,
+    vault,
+    derivedKey: derivedKey.toString("hex"),
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await (0, import_promises6.writeFile)(filePath, JSON.stringify(document, null, 2), "utf8");
+  return filePath;
+}
+async function readVaultSessionKey(vault, processEnv) {
+  try {
+    const source = await (0, import_promises6.readFile)(buildSessionPath(vault, processEnv), "utf8");
+    const document = JSON.parse(source);
+    if (document.version !== 1 || typeof document.derivedKey !== "string") {
+      return void 0;
+    }
+    const key = Buffer.from(document.derivedKey, "hex");
+    return key.length > 0 ? key : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function clearVaultSessionKey(vault, processEnv) {
+  await (0, import_promises6.rm)(buildSessionPath(vault, processEnv), { force: true });
+}
+async function clearAllVaultSessionKeys(processEnv) {
+  const root = buildSessionRoot(processEnv);
+  try {
+    const entries = await (0, import_promises6.readdir)(root);
+    await Promise.all(entries.map((entry) => (0, import_promises6.rm)(import_node_path6.default.join(root, entry), { force: true })));
+  } catch {
+  }
+}
+
+// ../core/src/utils/secretStore.ts
+var KEY_LENGTH = 32;
+var SALT_LENGTH = 32;
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+var PBKDF2_ITERATIONS = 6e5;
+var KEYSTORE_VERSION = 1;
+var METADATA_VERSION = 1;
+var META_FILENAME = "meta.yml";
+var KEYSTORE_FILENAME = "keystore.enc";
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+}
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
-function resolveSecretVaultFile(storeRoot, vault = "default") {
-  return import_node_path6.default.join(storeRoot, "vaults", `${vault}.json`);
+function normalizeVaultToken(vault = "default") {
+  return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function getVaultPassphraseEnvVar(vault = "default") {
+  const vaultToken = normalizeVaultToken(vault);
+  return vaultToken && vaultToken !== "DEFAULT" ? `CNOS_SECRET_PASSPHRASE_${vaultToken}` : "CNOS_SECRET_PASSPHRASE";
 }
-function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
-  return import_node_path6.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
+function isPassphraseEnvRef(value) {
+  return typeof value === "string" && value.startsWith("env:") && value.length > 4;
 }
-function deriveKey(passphrase, salt) {
-  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
+function getVaultSessionKeyEnvVar(vault = "default") {
+  const vaultToken = normalizeVaultToken(vault);
+  return `__CNOS_VAULT_KEY_${vaultToken || "DEFAULT"}__`;
 }
 function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
-  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+  return processEnv[getVaultPassphraseEnvVar(vault)] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
+function resolveVaultSessionKey(vault = "default", processEnv = process.env) {
+  const encoded = processEnv[getVaultSessionKeyEnvVar(vault)];
+  if (!encoded) {
+    return readVaultSessionKey(vault, processEnv);
+  }
+  try {
+    const key = Buffer.from(encoded, "hex");
+    return key.length === KEY_LENGTH ? key : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
+  return (0, import_node_crypto.pbkdf2Sync)(passphrase, salt, iterations, KEY_LENGTH, "sha512");
+}
+function buildMetaPath(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, META_FILENAME);
 }
-function encryptDocument(value, passphrase) {
-  const salt = (0, import_node_crypto.randomBytes)(16);
-  const iv = (0, import_node_crypto.randomBytes)(12);
-  const key = deriveKey(passphrase, salt);
+function resolveSecretVaultFile(storeRoot, vault = "default") {
+  return buildMetaPath(storeRoot, vault);
+}
+function buildKeystorePath(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+}
+function buildLegacyVaultFile(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", `${vault}.json`);
+}
+function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, "store");
+}
+function assertVaultMetadata(value, filePath) {
+  if (!isObject(value)) {
+    throw new CnosManifestError("Invalid CNOS vault metadata", filePath);
+  }
+  if (value.version !== METADATA_VERSION || value.algorithm !== "aes-256-gcm" || value.kdf !== "pbkdf2-sha512" || typeof value.iterations !== "number" || typeof value.salt !== "string" || typeof value.createdAt !== "string" || typeof value.secretCount !== "number") {
+    throw new CnosManifestError("Invalid CNOS vault metadata", filePath);
+  }
+  return value;
+}
+async function exists2(targetPath) {
+  try {
+    await (0, import_promises7.stat)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function detectLegacyVaultFormat(storeRoot, vault = "default") {
+  const legacyFile = buildLegacyVaultFile(storeRoot, vault);
+  const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
+  if (await exists2(legacyFile)) {
+    return legacyFile;
+  }
+  if (await exists2(legacyStore)) {
+    return legacyStore;
+  }
+  return void 0;
+}
+async function assertNoLegacyVaultFormat(storeRoot, vault = "default") {
+  const legacyPath = await detectLegacyVaultFormat(storeRoot, vault);
+  if (!legacyPath) {
+    return;
+  }
+  throw new CnosSecurityError(
+    `Legacy CNOS local vault format detected for vault "${vault}" at ${legacyPath}. CNOS 1.4 requires the new keystore format. Remove and recreate the vault.`
+  );
+}
+function encryptPayload(payload, key) {
+  const iv = (0, import_node_crypto.randomBytes)(IV_LENGTH);
   const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", key, iv);
-  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
   const tag = cipher.getAuthTag();
+  return Buffer.concat([
+    Buffer.from(Uint32Array.of(KEYSTORE_VERSION).buffer),
+    iv,
+    tag,
+    ciphertext
+  ]);
+}
+function decryptPayload(buffer, key) {
+  if (buffer.length < 4 + IV_LENGTH + AUTH_TAG_LENGTH) {
+    throw new CnosSecurityError("Invalid CNOS local vault keystore");
+  }
+  const version = buffer.readUInt32LE(0);
+  if (version !== KEYSTORE_VERSION) {
+    throw new CnosSecurityError(`Unsupported CNOS local vault keystore version: ${version}`);
+  }
+  const ivOffset = 4;
+  const tagOffset = ivOffset + IV_LENGTH;
+  const cipherOffset = tagOffset + AUTH_TAG_LENGTH;
+  const iv = buffer.subarray(ivOffset, tagOffset);
+  const tag = buffer.subarray(tagOffset, cipherOffset);
+  const ciphertext = buffer.subarray(cipherOffset);
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  try {
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+    const payload = JSON.parse(plaintext);
+    if (!payload || !isObject(payload.secrets) || !isObject(payload.metadata)) {
+      throw new Error("invalid");
+    }
+    return {
+      secrets: Object.fromEntries(
+        Object.entries(payload.secrets).filter((entry) => typeof entry[1] === "string")
+      ),
+      metadata: Object.fromEntries(
+        Object.entries(payload.metadata).filter(
+          (entry) => isObject(entry[1]) && typeof entry[1].createdAt === "string" && typeof entry[1].updatedAt === "string"
+        )
+      )
+    };
+  } catch {
+    throw new CnosAuthenticationError("Failed to decrypt CNOS local vault. Check vault authentication.");
+  }
+}
+function buildInitialPayload() {
   return {
-    version: 1,
-    algorithm: "aes-256-gcm",
-    salt: salt.toString("base64"),
-    iv: iv.toString("base64"),
-    tag: tag.toString("base64"),
-    ciphertext: ciphertext.toString("base64")
+    secrets: {},
+    metadata: {}
   };
 }
-async function createSecretVault(storeRoot, vault, passphrase) {
-  const normalizedVault = vault.trim() || "default";
-  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
-  await (0, import_promises6.mkdir)(import_node_path6.default.dirname(filePath), { recursive: true });
-  const document = {
-    version: 1,
-    name: normalizedVault,
-    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-    verifier: encryptDocument(`cnos-vault:${normalizedVault}`, passphrase)
-  };
-  await (0, import_promises6.writeFile)(filePath, JSON.stringify(document, null, 2), "utf8");
-  return filePath;
+async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
+  const metaPath = buildMetaPath(storeRoot, vault);
+  const keystorePath = buildKeystorePath(storeRoot, vault);
+  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(metaPath), { recursive: true });
+  await (0, import_promises7.writeFile)(metaPath, stringifyYaml(meta), "utf8");
+  await (0, import_promises7.writeFile)(keystorePath, encryptPayload(payload, key));
 }
-async function ensureSecretVault(storeRoot, vault, passphrase) {
-  const normalizedVault = vault.trim() || "default";
-  const filePath = resolveSecretVaultFile(storeRoot, normalizedVault);
+async function readVaultMetadata(storeRoot, vault = "default") {
+  await assertNoLegacyVaultFormat(storeRoot, vault);
+  const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    await (0, import_promises6.readFile)(filePath, "utf8");
-    return filePath;
+    const source = await (0, import_promises7.readFile)(metaPath, "utf8");
+    return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
-    if (error.code !== "ENOENT") {
-      throw error;
+    if (error.code === "ENOENT") {
+      return void 0;
     }
+    throw error;
   }
-  return createSecretVault(storeRoot, normalizedVault, passphrase);
 }
 async function listSecretVaults(storeRoot) {
-  const vaultRoot = import_node_path6.default.join(storeRoot, "vaults");
+  const vaultRoot = import_node_path7.default.join(storeRoot, "vaults");
   try {
-    const entries = await (0, import_promises6.readdir)(vaultRoot, { withFileTypes: true });
-    return entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => entry.name.replace(/\.json$/, "")).sort((left, right) => left.localeCompare(right));
+    const entries = await (0, import_promises7.readdir)(vaultRoot, { withFileTypes: true });
+    const vaults = await Promise.all(
+      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists2(import_node_path7.default.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
+    );
+    return vaults.filter((value) => Boolean(value)).sort((left, right) => left.localeCompare(right));
   } catch {
     return [];
   }
 }
-async function writeLocalSecret(storeRoot, ref, value, passphrase, vault = "default") {
-  await ensureSecretVault(storeRoot, vault, passphrase);
-  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  await (0, import_promises6.mkdir)(import_node_path6.default.dirname(filePath), { recursive: true });
-  await (0, import_promises6.writeFile)(filePath, JSON.stringify(encryptDocument(value, passphrase), null, 2), "utf8");
-  return filePath;
+async function createSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  await assertNoLegacyVaultFormat(storeRoot, normalizedVault);
+  const salt = (0, import_node_crypto.randomBytes)(SALT_LENGTH);
+  const key = deriveVaultKey(passphrase, salt, PBKDF2_ITERATIONS);
+  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const meta = {
+    version: METADATA_VERSION,
+    algorithm: "aes-256-gcm",
+    kdf: "pbkdf2-sha512",
+    iterations: PBKDF2_ITERATIONS,
+    salt: salt.toString("base64"),
+    createdAt,
+    secretCount: 0
+  };
+  await writeVaultFiles(storeRoot, normalizedVault, meta, buildInitialPayload(), key);
+  return buildMetaPath(storeRoot, normalizedVault);
+}
+async function ensureSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const meta = await readVaultMetadata(storeRoot, normalizedVault);
+  if (meta) {
+    return buildMetaPath(storeRoot, normalizedVault);
+  }
+  return createSecretVault(storeRoot, normalizedVault, passphrase);
+}
+function resolveConfiguredVaultPassphrase(definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return void 0;
+  }
+  const configuredSources = definition.auth?.passphrase?.from ?? [];
+  for (const source of configuredSources) {
+    if (source.startsWith("env:")) {
+      const value = processEnv[source.slice(4)];
+      if (value) {
+        return value;
+      }
+    }
+  }
+  return resolveSecretPassphrase(vault, processEnv);
+}
+async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return definition?.provider === "github-secrets" ? {
+      method: definition.auth?.method ?? "environment",
+      ...definition?.auth?.config ? { config: definition.auth.config } : {}
+    } : void 0;
+  }
+  const sessionKey = await resolveVaultSessionKey(vault, processEnv);
+  if (sessionKey) {
+    return {
+      derivedKey: sessionKey,
+      method: "keychain",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const passphrase = resolveConfiguredVaultPassphrase(definition, vault, processEnv);
+  if (passphrase) {
+    return {
+      passphrase,
+      method: "passphrase",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const metadata = await readVaultMetadata(storeRoot, vault);
+  if (!metadata) {
+    return void 0;
+  }
+  throw new CnosAuthenticationError(
+    `Cannot authenticate to vault "${vault}". Set ${getVaultPassphraseEnvVar(vault)} or run cnos vault auth ${vault}.`
+  );
+}
+async function loadVaultPayload(storeRoot, vault, auth) {
+  const meta = await readVaultMetadata(storeRoot, vault);
+  if (!meta) {
+    throw new CnosManifestError(`Missing CNOS vault metadata for "${vault}"`);
+  }
+  const salt = Buffer.from(meta.salt, "base64");
+  const key = auth.derivedKey ?? (auth.passphrase ? deriveVaultKey(auth.passphrase, salt, meta.iterations) : void 0);
+  if (!key) {
+    throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
+  }
+  const buffer = await (0, import_promises7.readFile)(buildKeystorePath(storeRoot, vault));
+  return {
+    meta,
+    payload: decryptPayload(buffer, key),
+    key
+  };
+}
+async function writeLocalSecret(storeRoot, ref, value, authOrPassphrase, vault = "default") {
+  const auth = typeof authOrPassphrase === "string" ? {
+    passphrase: authOrPassphrase,
+    method: "passphrase"
+  } : authOrPassphrase;
+  if (auth.passphrase) {
+    await ensureSecretVault(storeRoot, vault, auth.passphrase);
+  } else {
+    const meta2 = await readVaultMetadata(storeRoot, vault);
+    if (!meta2) {
+      throw new CnosAuthenticationError(`Vault "${vault}" requires passphrase-based authentication for initial creation.`);
+    }
+  }
+  const { meta, payload, key } = await loadVaultPayload(storeRoot, vault, auth);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const existing = payload.metadata[ref];
+  payload.secrets[ref] = value;
+  payload.metadata[ref] = {
+    createdAt: existing?.createdAt ?? now,
+    updatedAt: now
+  };
+  const nextMeta = {
+    ...meta,
+    secretCount: Object.keys(payload.secrets).length
+  };
+  await writeVaultFiles(storeRoot, vault, nextMeta, payload, key);
+  return buildKeystorePath(storeRoot, vault);
+}
+async function deleteLocalSecret(storeRoot, ref, auth, vault = "default") {
+  const { meta, payload, key } = await loadVaultPayload(storeRoot, vault, auth);
+  if (!(ref in payload.secrets)) {
+    return false;
+  }
+  delete payload.secrets[ref];
+  delete payload.metadata[ref];
+  const nextMeta = {
+    ...meta,
+    secretCount: Object.keys(payload.secrets).length
+  };
+  await writeVaultFiles(storeRoot, vault, nextMeta, payload, key);
+  return true;
+}
+async function readLocalSecret(storeRoot, ref, auth, vault = "default") {
+  const { payload } = await loadVaultPayload(storeRoot, vault, auth);
+  const value = payload.secrets[ref];
+  if (value === void 0) {
+    throw new CnosManifestError(`Missing local secret ref "${ref}" in vault "${vault}"`);
+  }
+  return value;
+}
+async function listLocalSecrets(storeRoot, auth, vault = "default") {
+  const { payload } = await loadVaultPayload(storeRoot, vault, auth);
+  return Object.keys(payload.secrets).sort((left, right) => left.localeCompare(right));
+}
+function resolveVaultDefinition(vaults, vault = "default") {
+  const definition = vaults?.[vault];
+  const provider = definition?.provider ?? "local";
+  return {
+    name: vault,
+    provider,
+    ...definition?.auth ? { auth: definition.auth } : {},
+    ...definition?.mapping ? { mapping: definition.mapping } : {},
+    requiresAuthentication: provider === "local"
+  };
+}
+async function removeLocalVaultFiles(storeRoot, vault = "default") {
+  await (0, import_promises7.rm)(import_node_path7.default.join(storeRoot, "vaults", vault), { recursive: true, force: true });
+}
+
+// ../core/src/secrets/auditLog.ts
+async function appendAuditEvent(event, processEnv = process.env) {
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path8.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(auditFile), { recursive: true });
+  await (0, import_promises8.appendFile)(
+    auditFile,
+    `${JSON.stringify({
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      ...event
+    })}
+`,
+    "utf8"
+  );
 }
 
+// ../core/src/secrets/providers/github.ts
+var GithubSecretsVaultProvider = class {
+  constructor(vaultId, definition, processEnv = process.env) {
+    this.vaultId = vaultId;
+    this.definition = definition;
+    this.processEnv = processEnv;
+  }
+  vaultId;
+  definition;
+  processEnv;
+  authenticated = false;
+  async authenticate(_authConfig) {
+    void _authConfig;
+    this.authenticated = true;
+  }
+  isAuthenticated() {
+    return this.authenticated;
+  }
+  resolveEnvVar(ref) {
+    if (this.processEnv[ref] !== void 0) {
+      return ref;
+    }
+    return Object.entries(this.definition.mapping ?? {}).find(([, logicalRef]) => logicalRef === ref)?.[0];
+  }
+  async batchGet(refs) {
+    this.authenticated = true;
+    const resolved = /* @__PURE__ */ new Map();
+    for (const ref of Array.from(new Set(refs)).sort((left, right) => left.localeCompare(right))) {
+      const envVar = this.resolveEnvVar(ref);
+      const value = envVar ? this.processEnv[envVar] : void 0;
+      if (value !== void 0) {
+        resolved.set(ref, value);
+      }
+    }
+    return resolved;
+  }
+  async get(ref) {
+    const envVar = this.resolveEnvVar(ref);
+    this.authenticated = true;
+    return envVar ? this.processEnv[envVar] : void 0;
+  }
+  async set(ref, value) {
+    void ref;
+    void value;
+    throw new Error(`Vault "${this.vaultId}" is environment-backed and cannot be written by CNOS.`);
+  }
+  async delete(ref) {
+    void ref;
+    throw new Error(`Vault "${this.vaultId}" is environment-backed and cannot be mutated by CNOS.`);
+  }
+  async list() {
+    return Object.values(this.definition.mapping ?? {}).sort((left, right) => left.localeCompare(right));
+  }
+};
+
+// ../core/src/secrets/providers/local.ts
+var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
+  constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
+    this.vaultId = vaultId;
+    this.processEnv = processEnv;
+    this.storeRoot = storeRoot;
+    this.definition = definition;
+  }
+  vaultId;
+  processEnv;
+  storeRoot;
+  authConfig;
+  definition;
+  static fromVaults(vaults, vaultId, processEnv) {
+    const definition = resolveVaultDefinition(vaults, vaultId);
+    return new _LocalSecretVaultProvider(vaultId, definition, processEnv);
+  }
+  async authenticate(authConfig) {
+    this.authConfig = authConfig;
+    await this.list();
+  }
+  isAuthenticated() {
+    return Boolean(this.authConfig);
+  }
+  async requireAuth() {
+    if (this.authConfig) {
+      return this.authConfig;
+    }
+    const resolved = await resolveVaultAccessKey(this.storeRoot, this.definition, this.vaultId, this.processEnv);
+    if (!resolved) {
+      throw new CnosAuthenticationError(
+        `Cannot authenticate to vault "${this.vaultId}". Set the configured passphrase env var or run cnos vault auth ${this.vaultId}.`
+      );
+    }
+    this.authConfig = resolved;
+    return resolved;
+  }
+  async batchGet(refs) {
+    const auth = await this.requireAuth();
+    const entries = await Promise.all(
+      Array.from(new Set(refs)).sort((left, right) => left.localeCompare(right)).map(async (ref) => [ref, await readLocalSecret(this.storeRoot, ref, auth, this.vaultId)])
+    );
+    return new Map(entries);
+  }
+  async get(ref) {
+    const auth = await this.requireAuth();
+    try {
+      return await readLocalSecret(this.storeRoot, ref, auth, this.vaultId);
+    } catch {
+      return void 0;
+    }
+  }
+  async set(ref, value) {
+    const auth = await this.requireAuth();
+    await writeLocalSecret(this.storeRoot, ref, value, auth, this.vaultId);
+    await appendAuditEvent(
+      {
+        action: "write",
+        vault: this.vaultId,
+        ref,
+        caller: "cli"
+      },
+      this.processEnv
+    );
+  }
+  async delete(ref) {
+    const auth = await this.requireAuth();
+    await deleteLocalSecret(this.storeRoot, ref, auth, this.vaultId);
+    await appendAuditEvent(
+      {
+        action: "delete",
+        vault: this.vaultId,
+        ref,
+        caller: "cli"
+      },
+      this.processEnv
+    );
+  }
+  async list() {
+    const auth = this.authConfig ?? await resolveVaultAccessKey(this.storeRoot, this.definition, this.vaultId, this.processEnv);
+    if (!auth) {
+      throw new CnosAuthenticationError(
+        `Cannot authenticate to vault "${this.vaultId}". Set the configured passphrase env var or run cnos vault auth ${this.vaultId}.`
+      );
+    }
+    this.authConfig = auth;
+    return listLocalSecrets(this.storeRoot, auth, this.vaultId);
+  }
+};
+
+// ../core/src/secrets/providers/registry.ts
+function createSecretVaultProvider(vaultId, definition, processEnv) {
+  if (definition.provider === "local") {
+    return new LocalSecretVaultProvider(vaultId, definition, processEnv);
+  }
+  if (definition.provider === "github-secrets") {
+    return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
+  }
+  throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
+}
+
+// ../core/src/secrets/prompt.ts
+var import_node_readline = __toESM(require("readline"), 1);
+var import_node_stream = require("stream");
+async function promptHidden(message) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    return void 0;
+  }
+  const mutableStdout = new WritableMask();
+  const rl = import_node_readline.default.createInterface({
+    input: process.stdin,
+    output: mutableStdout,
+    terminal: true
+  });
+  try {
+    mutableStdout.muted = true;
+    const value = await new Promise((resolve) => {
+      rl.question(message, resolve);
+    });
+    process.stdout.write("\n");
+    return value;
+  } finally {
+    rl.close();
+  }
+}
+var WritableMask = class extends import_node_stream.Writable {
+  muted = false;
+  _write(chunk, _encoding, callback) {
+    if (!this.muted) {
+      process.stdout.write(chunk);
+    }
+    callback();
+  }
+};
+
+// ../core/src/secrets/resolveAuth.ts
+function toAuthError(vaultId, sources) {
+  return new CnosAuthenticationError(
+    `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
+  );
+}
+async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
+  const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
+  if (sessionKey) {
+    return {
+      derivedKey: sessionKey,
+      method: "keychain",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.provider === "github-secrets") {
+    return {
+      method: definition.auth?.method ?? "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
+  for (const source of sources) {
+    if (source.startsWith("env:")) {
+      const value = processEnv[source.slice(4)];
+      if (value) {
+        return {
+          passphrase: value,
+          method: "passphrase",
+          ...definition.auth?.config ? { config: definition.auth.config } : {}
+        };
+      }
+    }
+    if (source.startsWith("keychain:")) {
+      const value = await readKeychain(source.slice("keychain:".length));
+      if (value) {
+        return {
+          derivedKey: Buffer.from(value, "hex"),
+          method: "keychain",
+          ...definition.auth?.config ? { config: definition.auth.config } : {}
+        };
+      }
+    }
+    if (source === "prompt") {
+      const value = await promptHidden(`Enter passphrase for vault "${vaultId}": `);
+      if (value) {
+        return {
+          passphrase: value,
+          method: "passphrase",
+          ...definition.auth?.config ? { config: definition.auth.config } : {}
+        };
+      }
+    }
+  }
+  const fallback = resolveSecretPassphrase(vaultId, processEnv);
+  if (fallback) {
+    return {
+      passphrase: fallback,
+      method: "passphrase",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...sources]);
+}
+
+// ../core/src/runtime/dump.ts
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -184,8 +1320,8 @@ function normalizeMappingConfig(config = {}) {
 function toScreamingSnakeSegment(segment) {
   return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
-function toScreamingSnake(path8) {
-  return path8.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+function toScreamingSnake(path13) {
+  return path13.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
 }
 function logicalKeyToEnvVar(key, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -205,10 +1341,6 @@ function logicalKeyToEnvVar(key, config = {}) {
   return void 0;
 }
 
-// ../core/src/runtime/dump.ts
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-
 // ../core/src/utils/flatten.ts
 function flattenObject(value, prefix = "") {
   return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
@@ -235,7 +1367,8 @@ function validateEnvMappingCollisions(manifest, graph) {
   ]);
   const collisions = /* @__PURE__ */ new Map();
   for (const key of candidates) {
-    if (key.startsWith("meta.")) {
+    const definition = getNamespaceDefinition(manifest, key);
+    if (definition.kind !== "data") {
       continue;
     }
     const envVar = logicalKeyToEnvVar(key, manifest.envMapping) ?? (key.startsWith("value.") || key.startsWith("secret.") ? fallbackLogicalKeyToEnvVar(key) : void 0);
@@ -254,11 +1387,7 @@ function validateEnvMappingCollisions(manifest, graph) {
 
 // ../core/src/validation/publicSafety.ts
 function validatePublicSafety(manifest) {
-  return manifest.public.promote.filter((key) => !key.startsWith("value.")).map((key) => ({
-    code: "public.invalid-promotion",
-    key,
-    message: `public.promote may only include value.* keys: ${key}`
-  }));
+  return manifest.public.promote.map((key) => validateProjectionIssue(manifest, key, "public")).filter((issue) => Boolean(issue));
 }
 
 // ../core/src/validation/workspaceSafety.ts
@@ -323,17 +1452,738 @@ async function validateRuntime(runtime) {
     results
   };
 }
+
+// src/runtime/bootstrap.ts
+var import_node_crypto2 = require("crypto");
+var CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+var CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
+var CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
+function serializeRuntimeGraph(graph) {
+  const payload = {
+    entries: Array.from(graph.entries.values()),
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    profileSource: graph.profileSource,
+    workspace: graph.workspace
+  };
+  return JSON.stringify(payload);
+}
+function deserializeRuntimeGraph(source) {
+  const payload = JSON.parse(source);
+  if (!payload || !Array.isArray(payload.entries) || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || !payload.profileSource || !payload.workspace || typeof payload.workspace.workspaceId !== "string" || !Array.isArray(payload.workspace.workspaceChain) || !Array.isArray(payload.workspace.workspaceRoots)) {
+    throw new Error("Invalid CNOS runtime bootstrap payload");
+  }
+  return {
+    entries: new Map(
+      payload.entries.map((entry) => [
+        entry.key,
+        {
+          key: entry.key,
+          value: entry.value,
+          namespace: entry.namespace,
+          winner: entry.winner,
+          overridden: entry.overridden ?? []
+        }
+      ])
+    ),
+    profile: payload.profile,
+    resolvedAt: payload.resolvedAt,
+    profileSource: payload.profileSource,
+    workspace: payload.workspace
+  };
+}
+function decryptSecretPayload(serialized, sessionKey) {
+  const payload = JSON.parse(serialized);
+  if (!payload || typeof payload.iv !== "string" || typeof payload.tag !== "string" || typeof payload.ciphertext !== "string") {
+    throw new Error("Invalid CNOS secret payload");
+  }
+  const key = Buffer.from(sessionKey, "hex");
+  const iv = Buffer.from(payload.iv, "base64");
+  const tag = Buffer.from(payload.tag, "base64");
+  const ciphertext = Buffer.from(payload.ciphertext, "base64");
+  const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+  return JSON.parse(plaintext);
+}
+function serializeSecretPayload(values) {
+  const key = (0, import_node_crypto2.randomBytes)(32);
+  const iv = (0, import_node_crypto2.randomBytes)(12);
+  const cipher = (0, import_node_crypto2.createCipheriv)("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(values), "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    payload: JSON.stringify({
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      ciphertext: ciphertext.toString("base64")
+    }),
+    sessionKey: key.toString("hex")
+  };
+}
+function readRuntimeGraphFromEnv(processEnv = process.env) {
+  const serialized = processEnv[CNOS_GRAPH_ENV_VAR];
+  if (!serialized) {
+    return void 0;
+  }
+  const graph = deserializeRuntimeGraph(serialized);
+  const secretPayload = processEnv[CNOS_SECRET_PAYLOAD_ENV_VAR];
+  const sessionKey = processEnv[CNOS_SESSION_KEY_ENV_VAR];
+  if (secretPayload && sessionKey) {
+    const decrypted = decryptSecretPayload(secretPayload, sessionKey);
+    for (const [key, value] of Object.entries(decrypted)) {
+      const entry = graph.entries.get(key);
+      if (entry) {
+        entry.value = value;
+      }
+    }
+  }
+  return graph;
+}
+function graphRequiresSecretHydration(graph) {
+  return Array.from(graph.entries.values()).some((entry) => entry.namespace === "secret" && isSecretReference(entry.value));
+}
+
+// src/codegen/generateTypes.ts
+function toPascalCase(value) {
+  return value.split(/[^A-Za-z0-9]+/).filter((segment) => segment.length > 0).map((segment) => segment.charAt(0).toUpperCase() + segment.slice(1)).join("");
+}
+function mapSchemaType(rule) {
+  switch (rule?.type) {
+    case "number":
+      return "number";
+    case "string":
+      return "string";
+    case "boolean":
+      return "boolean";
+    case "object":
+      return "Record<string, unknown>";
+    case "array":
+      return "unknown[]";
+    default:
+      return "unknown";
+  }
+}
+function isOptional(rule) {
+  return !(rule?.required ?? false) && rule?.default === void 0;
+}
+function buildNamespaceInterfaces(schema) {
+  const namespaceGroups = /* @__PURE__ */ new Map();
+  for (const [logicalKey, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
+    const separatorIndex = logicalKey.indexOf(".");
+    if (separatorIndex <= 0 || separatorIndex >= logicalKey.length - 1) {
+      continue;
+    }
+    const namespace = logicalKey.slice(0, separatorIndex);
+    const path13 = logicalKey.slice(separatorIndex + 1);
+    const existing = namespaceGroups.get(namespace) ?? [];
+    existing.push({
+      key: path13,
+      rule
+    });
+    namespaceGroups.set(namespace, existing);
+  }
+  const orderedNamespaces = Array.from(namespaceGroups.keys()).sort((left, right) => {
+    if (left === "value") {
+      return -1;
+    }
+    if (right === "value") {
+      return 1;
+    }
+    if (left === "secret") {
+      return -1;
+    }
+    if (right === "secret") {
+      return 1;
+    }
+    return left.localeCompare(right);
+  });
+  if (orderedNamespaces.length === 0) {
+    return [
+      "export interface CnosValueConfig {}",
+      "export interface CnosSecretConfig {}",
+      "",
+      "export interface CnosConfig {",
+      "  value: CnosValueConfig;",
+      "  secret: CnosSecretConfig;",
+      "}"
+    ];
+  }
+  const blocks = [];
+  for (const namespace of orderedNamespaces) {
+    const entries = namespaceGroups.get(namespace) ?? [];
+    const interfaceName = namespace === "value" ? "CnosValueConfig" : namespace === "secret" ? "CnosSecretConfig" : `Cnos${toPascalCase(namespace)}Config`;
+    blocks.push(`export interface ${interfaceName} {`);
+    for (const entry of entries) {
+      const optional = isOptional(entry.rule) ? "?" : "";
+      blocks.push(`  "${entry.key}"${optional}: ${mapSchemaType(entry.rule)};`);
+    }
+    blocks.push("}");
+    blocks.push("");
+  }
+  const configEntries = orderedNamespaces.map((namespace) => {
+    const interfaceName = namespace === "value" ? "CnosValueConfig" : namespace === "secret" ? "CnosSecretConfig" : `Cnos${toPascalCase(namespace)}Config`;
+    return `  ${namespace}: ${interfaceName};`;
+  });
+  blocks.push("export interface CnosConfig {");
+  blocks.push(...configEntries);
+  blocks.push("}");
+  if (!orderedNamespaces.includes("value")) {
+    blocks.push("");
+    blocks.push("export interface CnosValueConfig {}");
+  }
+  if (!orderedNamespaces.includes("secret")) {
+    blocks.push("");
+    blocks.push("export interface CnosSecretConfig {}");
+  }
+  return blocks;
+}
+function generateCodegenContent(manifest, sourcePath, typeModuleImport = "./cnos") {
+  const schema = manifest.schema ?? {};
+  const hasSchema = Object.keys(schema).length > 0;
+  const interfaceBlocks = buildNamespaceInterfaces(schema);
+  const typesLines = [
+    "// Auto-generated by cnos codegen. Do not edit.",
+    `// Source: ${sourcePath}`,
+    "",
+    ...interfaceBlocks,
+    "",
+    'import type { CnosRuntime } from "@kitsy/cnos";',
+    "",
+    "export interface TypedCnosRuntime extends CnosRuntime {",
+    "  value<K extends keyof CnosValueConfig>(path: K): CnosValueConfig[K] | undefined;",
+    "  secret<K extends keyof CnosSecretConfig>(path: K): CnosSecretConfig[K] | undefined;",
+    "  require(key: `value.${keyof CnosValueConfig}`): CnosValueConfig[keyof CnosValueConfig];",
+    "  require(key: `secret.${keyof CnosSecretConfig}`): CnosSecretConfig[keyof CnosSecretConfig];",
+    "}",
+    ""
+  ];
+  if (!hasSchema) {
+    typesLines.push("// Hint: add a schema section to .cnos/cnos.yml for typed key generation.");
+    typesLines.push("");
+  }
+  const runtimeLines = [
+    "// Auto-generated by cnos codegen. Do not edit.",
+    `// Source: ${sourcePath}`,
+    "",
+    'import { createCnos as _createCnos, type CnosCreateOptions } from "@kitsy/cnos/configure";',
+    `import type { TypedCnosRuntime } from "${typeModuleImport}";`,
+    "",
+    "export async function createCnos(options: CnosCreateOptions = {}): Promise<TypedCnosRuntime> {",
+    "  return (await _createCnos(options)) as TypedCnosRuntime;",
+    "}",
+    ""
+  ];
+  return {
+    typesContent: typesLines.join("\n"),
+    runtimeContent: runtimeLines.join("\n"),
+    schemaEntryCount: Object.keys(schema).length,
+    hasSchema
+  };
+}
+
+// src/codegen/writeOutput.ts
+var import_promises10 = require("fs/promises");
+var import_node_path10 = __toESM(require("path"), 1);
+function stripTsExtension(filePath) {
+  return filePath.replace(/(\.d)?\.[cm]?tsx?$/i, "").replace(/\.[cm]?jsx?$/i, "");
+}
+function resolveCodegenPaths(repoRoot, out) {
+  const typesPath = out ? import_node_path10.default.resolve(repoRoot, out) : import_node_path10.default.join(repoRoot, ".cnos", "types", "cnos.d.ts");
+  const runtimePath = import_node_path10.default.join(import_node_path10.default.dirname(typesPath), "runtime.ts");
+  const typeImportPath = `./${import_node_path10.default.basename(stripTsExtension(typesPath))}`;
+  return {
+    typesPath,
+    runtimePath,
+    typeImportPath
+  };
+}
+async function writeCodegenOutput(options = {}) {
+  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const paths = resolveCodegenPaths(loadedManifest.repoRoot, options.out);
+  const generated = generateCodegenContent(loadedManifest.manifest, loadedManifest.manifestPath, paths.typeImportPath);
+  await (0, import_promises10.mkdir)(import_node_path10.default.dirname(paths.typesPath), { recursive: true });
+  await (0, import_promises10.mkdir)(import_node_path10.default.dirname(paths.runtimePath), { recursive: true });
+  await (0, import_promises10.writeFile)(paths.typesPath, generated.typesContent, "utf8");
+  await (0, import_promises10.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
+  return {
+    manifestPath: loadedManifest.manifestPath,
+    typesPath: paths.typesPath,
+    runtimePath: paths.runtimePath,
+    schemaEntryCount: generated.schemaEntryCount,
+    hasSchema: generated.hasSchema
+  };
+}
+
+// src/codegen/watchSchema.ts
+var import_node_fs = require("fs");
+async function watchSchema(options = {}) {
+  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  let timeout;
+  const debounceMs = options.debounceMs ?? 300;
+  const runWrite = async () => {
+    try {
+      const result = await writeCodegenOutput(options);
+      await options.onWrite?.(result);
+    } catch (error) {
+      await options.onError?.(error);
+    }
+  };
+  await runWrite();
+  const watcher = (0, import_node_fs.watch)(loadedManifest.manifestPath, () => {
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+    timeout = setTimeout(() => {
+      void runWrite();
+    }, debounceMs);
+  });
+  watcher.on("close", () => {
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+  });
+  return watcher;
+}
+
+// src/drift/compareSchemaToGraph.ts
+function describeValueType(value) {
+  if (Array.isArray(value)) {
+    return "array";
+  }
+  if (value === null) {
+    return "null";
+  }
+  return typeof value;
+}
+function matchesType(value, type) {
+  if (!type) {
+    return true;
+  }
+  switch (type) {
+    case "array":
+      return Array.isArray(value);
+    case "object":
+      return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+    default:
+      return typeof value === type;
+  }
+}
+function isSchemaDefault(entry) {
+  return entry.winner.metadata?.schemaDefault === true;
+}
+function shouldTrackKey(key) {
+  return key.startsWith("value.") || key.startsWith("secret.");
+}
+function compareSchemaToGraph(runtime) {
+  const schema = runtime.manifest.schema;
+  const missing = [];
+  const mismatches = [];
+  const defaultsApplied = [];
+  for (const [key, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
+    const entry = runtime.graph.entries.get(key);
+    if (!entry) {
+      if (rule.required && rule.default === void 0) {
+        missing.push({
+          key,
+          ...rule.type ? {
+            expectedType: rule.type
+          } : {}
+        });
+      }
+      continue;
+    }
+    if (isSchemaDefault(entry)) {
+      defaultsApplied.push({
+        key,
+        value: entry.value
+      });
+    }
+    const actualValue = entry.winner.value;
+    if (!matchesType(actualValue, rule.type)) {
+      mismatches.push({
+        key,
+        ...rule.type ? {
+          expectedType: rule.type
+        } : {},
+        actualType: describeValueType(actualValue),
+        value: actualValue,
+        ...entry.winner.origin?.file ? {
+          sourceFile: entry.winner.origin.file
+        } : {}
+      });
+    }
+  }
+  const undeclared = Array.from(runtime.graph.entries.values()).filter((entry) => shouldTrackKey(entry.key) && !schema[entry.key] && !isSchemaDefault(entry)).map((entry) => {
+    const issue = {
+      key: entry.key,
+      value: entry.winner.value,
+      actualType: describeValueType(entry.winner.value)
+    };
+    if (entry.winner.origin?.file) {
+      issue.sourceFile = entry.winner.origin.file;
+    }
+    return issue;
+  }).sort((left, right) => left.key.localeCompare(right.key));
+  return {
+    profile: runtime.graph.profile,
+    workspace: runtime.graph.workspace.workspaceId,
+    missing,
+    undeclared,
+    mismatches,
+    defaultsApplied
+  };
+}
+
+// src/drift/formatDriftReport.ts
+function formatIssueList(title, marker, issues, formatter) {
+  if (issues.length === 0) {
+    return [];
+  }
+  return [
+    `${title}:`,
+    ...issues.map((issue) => `  ${marker} ${formatter(issue)}`),
+    ""
+  ];
+}
+function formatDriftReport(report) {
+  const lines = [
+    `Schema vs resolved config (${report.workspace} / ${report.profile}):`,
+    ""
+  ];
+  lines.push(
+    ...formatIssueList("Missing (required, not defined)", "x", report.missing, (issue) => issue.key)
+  );
+  lines.push(
+    ...formatIssueList(
+      "Undeclared (defined, not in schema)",
+      "?",
+      report.undeclared,
+      (issue) => issue.sourceFile ? `${issue.key} (found in ${issue.sourceFile})` : issue.key
+    )
+  );
+  lines.push(
+    ...formatIssueList("Type mismatches", "x", report.mismatches, (issue) => {
+      const actual = issue.value === void 0 ? issue.actualType : `${issue.actualType} ${JSON.stringify(issue.value)}`;
+      return `${issue.key} (schema: ${issue.expectedType}, actual: ${actual})`;
+    })
+  );
+  lines.push(
+    ...formatIssueList(
+      "Defaults applied",
+      "i",
+      report.defaultsApplied,
+      (issue) => `${issue.key} (using default: ${JSON.stringify(issue.value)})`
+    )
+  );
+  if (lines[lines.length - 1] === "") {
+    lines.pop();
+  }
+  if (lines.length === 2) {
+    lines.push("No drift detected.");
+  }
+  return lines.join("\n");
+}
+
+// src/migrate/applyManifest.ts
+var import_promises11 = require("fs/promises");
+function sortRecord(record) {
+  return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
+}
+async function applyManifestMappings(proposals, root) {
+  const loadedManifest = await loadManifest(root ? { root } : {});
+  const rawManifest = {
+    ...loadedManifest.rawManifest
+  };
+  const explicit = {
+    ...rawManifest.envMapping?.explicit ?? {}
+  };
+  const promoted = new Set(rawManifest.public?.promote ?? []);
+  let appliedMappings = 0;
+  let appliedPromotions = 0;
+  for (const proposal of proposals) {
+    if (explicit[proposal.envVar] !== proposal.logicalKey) {
+      explicit[proposal.envVar] = proposal.logicalKey;
+      appliedMappings += 1;
+    }
+    if (proposal.public && !promoted.has(proposal.logicalKey)) {
+      promoted.add(proposal.logicalKey);
+      appliedPromotions += 1;
+    }
+  }
+  rawManifest.envMapping = {
+    ...rawManifest.envMapping ?? {},
+    explicit: sortRecord(explicit)
+  };
+  if (promoted.size > 0) {
+    rawManifest.public = {
+      ...rawManifest.public ?? {},
+      promote: Array.from(promoted).sort((left, right) => left.localeCompare(right))
+    };
+  }
+  await (0, import_promises11.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
+  return {
+    manifestPath: loadedManifest.manifestPath,
+    appliedMappings,
+    appliedPromotions
+  };
+}
+
+// src/migrate/proposeMapping.ts
+var SECRET_TOKENS = ["PASSWORD", "SECRET", "KEY", "TOKEN"];
+function normalizeSegments(value) {
+  return value.split("_").map((segment) => segment.trim().toLowerCase()).filter((segment) => segment.length > 0);
+}
+function isSecretEnvVar(value) {
+  return SECRET_TOKENS.some((token) => value.includes(`_${token}`) || value.endsWith(token));
+}
+function proposeMapping(envVar) {
+  const framework = envVar.startsWith("VITE_") ? "vite" : envVar.startsWith("NEXT_PUBLIC_") ? "next" : void 0;
+  const strippedEnvVar = framework === "vite" ? envVar.slice("VITE_".length) : framework === "next" ? envVar.slice("NEXT_PUBLIC_".length) : envVar;
+  const namespace = isSecretEnvVar(strippedEnvVar) && !framework ? "secret" : "value";
+  const segments = normalizeSegments(strippedEnvVar);
+  const logicalPath = segments.join(".");
+  return {
+    envVar,
+    namespace,
+    logicalPath,
+    logicalKey: `${namespace}.${logicalPath}`,
+    public: Boolean(framework),
+    ...framework ? {
+      framework
+    } : {}
+  };
+}
+
+// src/migrate/rewriteSource.ts
+var import_promises12 = require("fs/promises");
+function importStatementFor(kind) {
+  return kind === "import-meta-env" ? "import cnos from '@kitsy/cnos/browser';" : "import cnos from '@kitsy/cnos';";
+}
+function replacementFor(proposal) {
+  if (proposal.public) {
+    return `cnos.read(${JSON.stringify(`public.${proposal.logicalPath}`)})`;
+  }
+  return proposal.namespace === "secret" ? `cnos.secret(${JSON.stringify(proposal.logicalPath)})` : `cnos.value(${JSON.stringify(proposal.logicalPath)})`;
+}
+async function rewriteSourceFiles(usages, proposals) {
+  const fileGroups = /* @__PURE__ */ new Map();
+  for (const usage of usages) {
+    const existing = fileGroups.get(usage.filePath) ?? [];
+    existing.push(usage);
+    fileGroups.set(usage.filePath, existing);
+  }
+  const rewrittenFiles = [];
+  const backupFiles = [];
+  const skippedUsages = [];
+  for (const [filePath, fileUsages] of fileGroups.entries()) {
+    const original = await (0, import_promises12.readFile)(filePath, "utf8");
+    let nextSource = original;
+    let changed = false;
+    const importKinds = /* @__PURE__ */ new Set();
+    for (const usage of fileUsages) {
+      const proposal = proposals.get(usage.envVar);
+      if (!proposal) {
+        skippedUsages.push(`${filePath}:${usage.source}`);
+        continue;
+      }
+      if (usage.kind === "import-meta-env" && proposal.namespace === "secret") {
+        skippedUsages.push(`${filePath}:${usage.source}`);
+        continue;
+      }
+      const replacement = replacementFor(proposal);
+      if (!nextSource.includes(usage.source)) {
+        skippedUsages.push(`${filePath}:${usage.source}`);
+        continue;
+      }
+      nextSource = nextSource.split(usage.source).join(replacement);
+      changed = true;
+      importKinds.add(usage.kind);
+    }
+    if (!changed) {
+      continue;
+    }
+    const backupPath = `${filePath}.bak`;
+    await (0, import_promises12.copyFile)(filePath, backupPath);
+    backupFiles.push(backupPath);
+    for (const kind of Array.from(importKinds)) {
+      const importStatement = importStatementFor(kind);
+      if (!nextSource.includes(importStatement)) {
+        nextSource = `${importStatement}
+${nextSource}`;
+      }
+    }
+    await (0, import_promises12.writeFile)(filePath, nextSource, "utf8");
+    rewrittenFiles.push(filePath);
+  }
+  return {
+    rewrittenFiles: rewrittenFiles.sort((left, right) => left.localeCompare(right)),
+    backupFiles: backupFiles.sort((left, right) => left.localeCompare(right)),
+    skippedUsages: skippedUsages.sort((left, right) => left.localeCompare(right))
+  };
+}
+
+// src/migrate/scanEnvUsage.ts
+var import_promises13 = require("fs/promises");
+var import_node_path11 = __toESM(require("path"), 1);
+var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mts", ".cts", ".mjs", ".cjs"]);
+var PROCESS_ENV_DOT = /process\.env\.([A-Z][A-Z0-9_]*)/g;
+var PROCESS_ENV_BRACKET = /process\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
+var IMPORT_META_ENV_DOT = /import\.meta\.env\.([A-Z][A-Z0-9_]*)/g;
+var IMPORT_META_ENV_BRACKET = /import\.meta\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
+async function collectFiles(root) {
+  const entries = await (0, import_promises13.readdir)(root, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const filePath = import_node_path11.default.join(root, entry.name);
+    if (entry.isDirectory()) {
+      if (entry.name === "node_modules" || entry.name === "dist" || entry.name === ".git") {
+        continue;
+      }
+      files.push(...await collectFiles(filePath));
+      continue;
+    }
+    if (SOURCE_EXTENSIONS.has(import_node_path11.default.extname(entry.name))) {
+      files.push(filePath);
+    }
+  }
+  return files;
+}
+function collectMatches(filePath, source, pattern, kind) {
+  const matches = [];
+  for (const match of source.matchAll(pattern)) {
+    const envVar = match[1];
+    if (!envVar) {
+      continue;
+    }
+    matches.push({
+      filePath,
+      envVar,
+      source: match[0],
+      kind
+    });
+  }
+  return matches;
+}
+async function scanEnvUsage(scanRoot) {
+  const files = await collectFiles(scanRoot);
+  const usages = [];
+  for (const filePath of files) {
+    const source = await (0, import_promises13.readFile)(filePath, "utf8");
+    usages.push(...collectMatches(filePath, source, PROCESS_ENV_DOT, "process-env"));
+    usages.push(...collectMatches(filePath, source, PROCESS_ENV_BRACKET, "process-env"));
+    usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_DOT, "import-meta-env"));
+    usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_BRACKET, "import-meta-env"));
+  }
+  return usages.sort((left, right) => {
+    const byFile = left.filePath.localeCompare(right.filePath);
+    if (byFile !== 0) {
+      return byFile;
+    }
+    return left.envVar.localeCompare(right.envVar);
+  });
+}
+
+// src/watch/diffGraphs.ts
+function stableStringify(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((entry) => stableStringify(entry)).join(",")}]`;
+  }
+  if (value && typeof value === "object") {
+    return `{${Object.entries(value).sort(([left], [right]) => left.localeCompare(right)).map(([key, entry]) => `${JSON.stringify(key)}:${stableStringify(entry)}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+function diffGraphs(previous, next) {
+  const keys = /* @__PURE__ */ new Set([
+    ...Array.from(previous.entries.keys()),
+    ...Array.from(next.entries.keys())
+  ]);
+  return Array.from(keys).filter((key) => !key.startsWith("meta.")).filter((key) => {
+    const previousEntry = previous.entries.get(key);
+    const nextEntry = next.entries.get(key);
+    if (!previousEntry || !nextEntry) {
+      return previousEntry?.namespace !== "meta" && nextEntry?.namespace !== "meta";
+    }
+    return stableStringify(previousEntry.value) !== stableStringify(nextEntry.value);
+  }).sort((left, right) => left.localeCompare(right));
+}
+
+// src/watch/watchFiles.ts
+var import_node_path12 = __toESM(require("path"), 1);
+async function watchFiles(runtime, root) {
+  const manifest = await loadManifest(root ? { root } : {});
+  const roots = Array.from(
+    new Set(runtime.graph.workspace.workspaceRoots.map((workspaceRoot) => workspaceRoot.path))
+  ).sort((left, right) => left.localeCompare(right));
+  const files = Array.from(
+    new Set(
+      Array.from(runtime.graph.entries.values()).map((entry) => entry.winner.origin?.file).filter((file) => Boolean(file)).map((file) => import_node_path12.default.resolve(manifest.repoRoot, file))
+    )
+  ).sort((left, right) => left.localeCompare(right));
+  return {
+    manifestPath: manifest.manifestPath,
+    roots,
+    files
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR,
+  CnosAuthenticationError,
+  CnosSecurityError,
+  applyManifestMappings,
+  clearAllVaultSessionKeys,
+  clearVaultSessionKey,
+  compareSchemaToGraph,
   createSecretVault,
+  createSecretVaultProvider,
+  deleteLocalSecret,
+  deriveVaultKey,
+  deserializeRuntimeGraph,
+  detectLegacyVaultFormat,
+  diffGraphs,
+  ensureProjectionAllowed,
   flattenObject,
+  formatDriftReport,
+  generateCodegenContent,
+  getVaultPassphraseEnvVar,
+  getVaultSessionKeyEnvVar,
+  graphRequiresSecretHydration,
+  isPassphraseEnvRef,
+  isSecretReference,
+  listLocalSecrets,
   listSecretVaults,
+  loadManifest,
   parseYaml,
+  proposeMapping,
+  readKeychain,
+  readLocalSecret,
+  readRuntimeGraphFromEnv,
+  readVaultMetadata,
+  removeLocalVaultFiles,
+  resolveCodegenPaths,
   resolveConfigDocumentPath,
+  resolveConfiguredVaultPassphrase,
+  resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultAccessKey,
+  resolveVaultAuth,
+  resolveVaultDefinition,
+  rewriteSourceFiles,
+  scanEnvUsage,
+  serializeRuntimeGraph,
+  serializeSecretPayload,
   stringifyYaml,
   validateRuntime,
-  writeLocalSecret
+  watchFiles,
+  watchSchema,
+  writeCodegenOutput,
+  writeKeychain,
+  writeLocalSecret,
+  writeVaultSessionKey
 });