@kitsy/cnos 1.1.2 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -3
- package/dist/browser/index.cjs +94 -0
- package/dist/browser/index.d.cts +16 -0
- package/dist/browser/index.d.ts +16 -0
- package/dist/browser/index.js +67 -0
- package/dist/build/index.cjs +2889 -0
- package/dist/build/index.d.cts +5 -0
- package/dist/build/index.d.ts +5 -0
- package/dist/build/index.js +26 -0
- package/dist/{chunk-53HXUSM6.js → chunk-CDXJISGB.js} +1 -1
- package/dist/{chunk-33ZDYDQJ.js → chunk-DRKDNY4I.js} +1470 -462
- package/dist/chunk-E7SE6N26.js +189 -0
- package/dist/chunk-EDCLLCNL.js +200 -0
- package/dist/{chunk-7FBRVJD6.js → chunk-FC3IV6A7.js} +1 -31
- package/dist/{chunk-JQGGSNCL.js → chunk-JDII6O72.js} +1 -1
- package/dist/chunk-K6QYI2T4.js +105 -0
- package/dist/{chunk-IHSV5AFX.js → chunk-OOKFRWTN.js} +1 -1
- package/dist/{chunk-HOS4E7XO.js → chunk-OWUZQ4OH.js} +1 -1
- package/dist/{chunk-IQOUWY6T.js → chunk-QTKXPY3N.js} +1 -1
- package/dist/configure/index.cjs +2928 -0
- package/dist/configure/index.d.cts +12 -0
- package/dist/configure/index.d.ts +12 -0
- package/dist/configure/index.js +24 -0
- package/dist/{envNaming-BrOk5ndZ.d.cts → envNaming-D6k66myh.d.cts} +1 -1
- package/dist/{envNaming-DCaNdnrF.d.ts → envNaming-Dy3WYiGK.d.ts} +1 -1
- package/dist/index.cjs +1396 -264
- package/dist/index.d.cts +2 -12
- package/dist/index.d.ts +2 -12
- package/dist/index.js +13 -143
- package/dist/internal.cjs +1913 -63
- package/dist/internal.d.cts +190 -8
- package/dist/internal.d.ts +190 -8
- package/dist/internal.js +669 -3
- package/dist/plugin/basic-schema.cjs +29 -2
- package/dist/plugin/basic-schema.d.cts +1 -1
- package/dist/plugin/basic-schema.d.ts +1 -1
- package/dist/plugin/basic-schema.js +2 -2
- package/dist/plugin/cli-args.cjs +29 -2
- package/dist/plugin/cli-args.d.cts +1 -1
- package/dist/plugin/cli-args.d.ts +1 -1
- package/dist/plugin/cli-args.js +2 -2
- package/dist/plugin/dotenv.cjs +38 -11
- package/dist/plugin/dotenv.d.cts +2 -2
- package/dist/plugin/dotenv.d.ts +2 -2
- package/dist/plugin/dotenv.js +2 -2
- package/dist/plugin/env-export.cjs +60 -48
- package/dist/plugin/env-export.d.cts +2 -2
- package/dist/plugin/env-export.d.ts +2 -2
- package/dist/plugin/env-export.js +2 -2
- package/dist/plugin/filesystem.cjs +46 -91
- package/dist/plugin/filesystem.d.cts +1 -1
- package/dist/plugin/filesystem.d.ts +1 -1
- package/dist/plugin/filesystem.js +2 -2
- package/dist/plugin/process-env.cjs +33 -6
- package/dist/plugin/process-env.d.cts +2 -2
- package/dist/plugin/process-env.d.ts +2 -2
- package/dist/plugin/process-env.js +2 -2
- package/dist/{plugin-BVNEHj19.d.cts → plugin-CyNkf7Dm.d.cts} +42 -2
- package/dist/{plugin-BVNEHj19.d.ts → plugin-CyNkf7Dm.d.ts} +42 -2
- package/dist/runtime/index.cjs +3116 -0
- package/dist/runtime/index.d.cts +23 -0
- package/dist/runtime/index.d.ts +23 -0
- package/dist/runtime/index.js +15 -0
- package/dist/{toPublicEnv-Dd152fFy.d.cts → toPublicEnv-Cz72m6y0.d.cts} +1 -1
- package/dist/{toPublicEnv-Gwz3xTK0.d.ts → toPublicEnv-D2PZkaN-.d.ts} +1 -1
- package/package.json +26 -1
package/dist/internal.d.cts
CHANGED
|
@@ -1,25 +1,207 @@
|
|
|
1
|
-
import {
|
|
2
|
-
export {
|
|
1
|
+
import { j as LoadManifestOptions, k as LoadedManifest, N as NormalizedManifest, b as LogicalKey, l as VaultDefinition, g as CnosRuntime, m as ValidationSummary, R as ResolvedGraph } from './plugin-CyNkf7Dm.cjs';
|
|
2
|
+
export { n as ValidationIssue, o as WorkspaceFile } from './plugin-CyNkf7Dm.cjs';
|
|
3
3
|
|
|
4
|
-
declare
|
|
4
|
+
declare class CnosError extends Error {
|
|
5
|
+
constructor(message: string);
|
|
6
|
+
}
|
|
7
|
+
declare class CnosSecurityError extends CnosError {
|
|
8
|
+
constructor(message: string);
|
|
9
|
+
}
|
|
10
|
+
declare class CnosAuthenticationError extends CnosError {
|
|
11
|
+
constructor(message: string);
|
|
12
|
+
}
|
|
5
13
|
|
|
6
|
-
declare function
|
|
14
|
+
declare function readKeychain(entry: string): Promise<string | undefined>;
|
|
15
|
+
declare function writeKeychain(entry: string, value: string): Promise<void>;
|
|
16
|
+
|
|
17
|
+
declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
|
|
18
|
+
|
|
19
|
+
type ProjectionTarget = 'public' | 'env';
|
|
20
|
+
declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
|
|
7
21
|
|
|
8
22
|
interface SecretReference {
|
|
9
23
|
provider: string;
|
|
10
24
|
ref: string;
|
|
11
25
|
vault?: string;
|
|
12
26
|
}
|
|
27
|
+
interface VaultAuthConfig {
|
|
28
|
+
passphrase?: string;
|
|
29
|
+
token?: string;
|
|
30
|
+
derivedKey?: Buffer;
|
|
31
|
+
method: 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
|
|
32
|
+
config?: Record<string, unknown>;
|
|
33
|
+
}
|
|
34
|
+
interface SecretVaultProvider {
|
|
35
|
+
readonly vaultId: string;
|
|
36
|
+
readonly definition: VaultDefinition;
|
|
37
|
+
authenticate(authConfig: VaultAuthConfig): Promise<void>;
|
|
38
|
+
isAuthenticated(): boolean;
|
|
39
|
+
batchGet(refs: string[]): Promise<Map<string, string>>;
|
|
40
|
+
get(ref: string): Promise<string | undefined>;
|
|
41
|
+
set(ref: string, value: string): Promise<void>;
|
|
42
|
+
delete(ref: string): Promise<void>;
|
|
43
|
+
list(): Promise<string[]>;
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
declare function resolveVaultAuth(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig>;
|
|
47
|
+
|
|
48
|
+
declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, processEnv?: Record<string, string | undefined>): Promise<string>;
|
|
49
|
+
declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
|
|
50
|
+
declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
|
|
51
|
+
|
|
52
|
+
declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
|
|
53
|
+
|
|
54
|
+
declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
|
|
55
|
+
|
|
56
|
+
declare function resolveManifestRoot(root?: string): Promise<string>;
|
|
57
|
+
declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
|
|
58
|
+
|
|
59
|
+
interface ResolvedVaultDefinition extends VaultDefinition {
|
|
60
|
+
name: string;
|
|
61
|
+
requiresAuthentication: boolean;
|
|
62
|
+
}
|
|
63
|
+
interface VaultMetadata {
|
|
64
|
+
version: 1;
|
|
65
|
+
algorithm: 'aes-256-gcm';
|
|
66
|
+
kdf: 'pbkdf2-sha512';
|
|
67
|
+
iterations: number;
|
|
68
|
+
salt: string;
|
|
69
|
+
createdAt: string;
|
|
70
|
+
secretCount: number;
|
|
71
|
+
}
|
|
72
|
+
declare function isSecretReference(value: unknown): value is SecretReference;
|
|
13
73
|
declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
|
|
14
|
-
declare function
|
|
74
|
+
declare function getVaultPassphraseEnvVar(vault?: string): string;
|
|
75
|
+
declare function isPassphraseEnvRef(value: string | undefined): boolean;
|
|
76
|
+
declare function getVaultSessionKeyEnvVar(vault?: string): string;
|
|
15
77
|
declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
|
|
16
|
-
declare function
|
|
78
|
+
declare function deriveVaultKey(passphrase: string, salt: Buffer, iterations?: number): Buffer;
|
|
79
|
+
declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
|
|
80
|
+
declare function detectLegacyVaultFormat(storeRoot: string, vault?: string): Promise<string | undefined>;
|
|
81
|
+
declare function readVaultMetadata(storeRoot: string, vault?: string): Promise<VaultMetadata | undefined>;
|
|
17
82
|
declare function listSecretVaults(storeRoot: string): Promise<string[]>;
|
|
18
|
-
declare function
|
|
83
|
+
declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
|
|
84
|
+
declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
|
|
85
|
+
declare function resolveVaultAccessKey(storeRoot: string, definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig | undefined>;
|
|
86
|
+
declare function writeLocalSecret(storeRoot: string, ref: string, value: string, authOrPassphrase: VaultAuthConfig | string, vault?: string): Promise<string>;
|
|
87
|
+
declare function deleteLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<boolean>;
|
|
88
|
+
declare function readLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<string>;
|
|
89
|
+
declare function listLocalSecrets(storeRoot: string, auth: VaultAuthConfig, vault?: string): Promise<string[]>;
|
|
90
|
+
declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
|
|
91
|
+
declare function removeLocalVaultFiles(storeRoot: string, vault?: string): Promise<void>;
|
|
19
92
|
|
|
20
93
|
declare function parseYaml<T>(source: string): T;
|
|
21
94
|
declare function stringifyYaml(value: unknown): string;
|
|
22
95
|
|
|
23
96
|
declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
|
|
24
97
|
|
|
25
|
-
|
|
98
|
+
declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
|
|
99
|
+
declare const CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
|
|
100
|
+
declare const CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
|
|
101
|
+
declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
|
|
102
|
+
declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
|
|
103
|
+
declare function serializeSecretPayload(values: Record<string, unknown>): {
|
|
104
|
+
payload: string;
|
|
105
|
+
sessionKey: string;
|
|
106
|
+
};
|
|
107
|
+
declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
|
|
108
|
+
declare function graphRequiresSecretHydration(graph: ResolvedGraph): boolean;
|
|
109
|
+
|
|
110
|
+
interface GeneratedCodegenContent {
|
|
111
|
+
typesContent: string;
|
|
112
|
+
runtimeContent: string;
|
|
113
|
+
schemaEntryCount: number;
|
|
114
|
+
hasSchema: boolean;
|
|
115
|
+
}
|
|
116
|
+
declare function generateCodegenContent(manifest: NormalizedManifest, sourcePath: string, typeModuleImport?: string): GeneratedCodegenContent;
|
|
117
|
+
|
|
118
|
+
interface WriteCodegenOutputOptions {
|
|
119
|
+
root?: string;
|
|
120
|
+
out?: string;
|
|
121
|
+
}
|
|
122
|
+
interface CodegenWriteResult {
|
|
123
|
+
manifestPath: string;
|
|
124
|
+
typesPath: string;
|
|
125
|
+
runtimePath: string;
|
|
126
|
+
schemaEntryCount: number;
|
|
127
|
+
hasSchema: boolean;
|
|
128
|
+
}
|
|
129
|
+
declare function resolveCodegenPaths(repoRoot: string, out?: string): {
|
|
130
|
+
typesPath: string;
|
|
131
|
+
runtimePath: string;
|
|
132
|
+
typeImportPath: string;
|
|
133
|
+
};
|
|
134
|
+
declare function writeCodegenOutput(options?: WriteCodegenOutputOptions): Promise<CodegenWriteResult>;
|
|
135
|
+
|
|
136
|
+
interface WatchSchemaOptions extends WriteCodegenOutputOptions {
|
|
137
|
+
debounceMs?: number;
|
|
138
|
+
onWrite?: (result: CodegenWriteResult) => void | Promise<void>;
|
|
139
|
+
onError?: (error: unknown) => void | Promise<void>;
|
|
140
|
+
}
|
|
141
|
+
interface CnosWatchHandle {
|
|
142
|
+
close(): void;
|
|
143
|
+
on(event: 'close', listener: () => void): this;
|
|
144
|
+
}
|
|
145
|
+
declare function watchSchema(options?: WatchSchemaOptions): Promise<CnosWatchHandle>;
|
|
146
|
+
|
|
147
|
+
interface DriftIssue {
|
|
148
|
+
key: string;
|
|
149
|
+
expectedType?: string;
|
|
150
|
+
actualType?: string;
|
|
151
|
+
value?: unknown;
|
|
152
|
+
sourceFile?: string;
|
|
153
|
+
}
|
|
154
|
+
interface DriftReport {
|
|
155
|
+
profile: string;
|
|
156
|
+
workspace: string;
|
|
157
|
+
missing: DriftIssue[];
|
|
158
|
+
undeclared: DriftIssue[];
|
|
159
|
+
mismatches: DriftIssue[];
|
|
160
|
+
defaultsApplied: DriftIssue[];
|
|
161
|
+
}
|
|
162
|
+
declare function compareSchemaToGraph(runtime: CnosRuntime): DriftReport;
|
|
163
|
+
|
|
164
|
+
declare function formatDriftReport(report: DriftReport): string;
|
|
165
|
+
|
|
166
|
+
interface EnvMappingProposal {
|
|
167
|
+
envVar: string;
|
|
168
|
+
namespace: 'value' | 'secret';
|
|
169
|
+
logicalPath: string;
|
|
170
|
+
logicalKey: string;
|
|
171
|
+
public: boolean;
|
|
172
|
+
framework?: 'vite' | 'next';
|
|
173
|
+
}
|
|
174
|
+
declare function proposeMapping(envVar: string): EnvMappingProposal;
|
|
175
|
+
|
|
176
|
+
interface ApplyManifestResult {
|
|
177
|
+
manifestPath: string;
|
|
178
|
+
appliedMappings: number;
|
|
179
|
+
appliedPromotions: number;
|
|
180
|
+
}
|
|
181
|
+
declare function applyManifestMappings(proposals: EnvMappingProposal[], root?: string): Promise<ApplyManifestResult>;
|
|
182
|
+
|
|
183
|
+
interface EnvUsage {
|
|
184
|
+
filePath: string;
|
|
185
|
+
envVar: string;
|
|
186
|
+
source: string;
|
|
187
|
+
kind: 'process-env' | 'import-meta-env';
|
|
188
|
+
}
|
|
189
|
+
declare function scanEnvUsage(scanRoot: string): Promise<EnvUsage[]>;
|
|
190
|
+
|
|
191
|
+
interface RewriteSourceResult {
|
|
192
|
+
rewrittenFiles: string[];
|
|
193
|
+
backupFiles: string[];
|
|
194
|
+
skippedUsages: string[];
|
|
195
|
+
}
|
|
196
|
+
declare function rewriteSourceFiles(usages: EnvUsage[], proposals: Map<string, EnvMappingProposal>): Promise<RewriteSourceResult>;
|
|
197
|
+
|
|
198
|
+
declare function diffGraphs(previous: ResolvedGraph, next: ResolvedGraph): string[];
|
|
199
|
+
|
|
200
|
+
interface WatchTargetSet {
|
|
201
|
+
manifestPath: string;
|
|
202
|
+
roots: string[];
|
|
203
|
+
files: string[];
|
|
204
|
+
}
|
|
205
|
+
declare function watchFiles(runtime: CnosRuntime, root?: string): Promise<WatchTargetSet>;
|
|
206
|
+
|
|
207
|
+
export { CNOS_GRAPH_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRuntimeGraphFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, stringifyYaml, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeVaultSessionKey };
|
package/dist/internal.d.ts
CHANGED
|
@@ -1,25 +1,207 @@
|
|
|
1
|
-
import {
|
|
2
|
-
export {
|
|
1
|
+
import { j as LoadManifestOptions, k as LoadedManifest, N as NormalizedManifest, b as LogicalKey, l as VaultDefinition, g as CnosRuntime, m as ValidationSummary, R as ResolvedGraph } from './plugin-CyNkf7Dm.js';
|
|
2
|
+
export { n as ValidationIssue, o as WorkspaceFile } from './plugin-CyNkf7Dm.js';
|
|
3
3
|
|
|
4
|
-
declare
|
|
4
|
+
declare class CnosError extends Error {
|
|
5
|
+
constructor(message: string);
|
|
6
|
+
}
|
|
7
|
+
declare class CnosSecurityError extends CnosError {
|
|
8
|
+
constructor(message: string);
|
|
9
|
+
}
|
|
10
|
+
declare class CnosAuthenticationError extends CnosError {
|
|
11
|
+
constructor(message: string);
|
|
12
|
+
}
|
|
5
13
|
|
|
6
|
-
declare function
|
|
14
|
+
declare function readKeychain(entry: string): Promise<string | undefined>;
|
|
15
|
+
declare function writeKeychain(entry: string, value: string): Promise<void>;
|
|
16
|
+
|
|
17
|
+
declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
|
|
18
|
+
|
|
19
|
+
type ProjectionTarget = 'public' | 'env';
|
|
20
|
+
declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
|
|
7
21
|
|
|
8
22
|
interface SecretReference {
|
|
9
23
|
provider: string;
|
|
10
24
|
ref: string;
|
|
11
25
|
vault?: string;
|
|
12
26
|
}
|
|
27
|
+
interface VaultAuthConfig {
|
|
28
|
+
passphrase?: string;
|
|
29
|
+
token?: string;
|
|
30
|
+
derivedKey?: Buffer;
|
|
31
|
+
method: 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
|
|
32
|
+
config?: Record<string, unknown>;
|
|
33
|
+
}
|
|
34
|
+
interface SecretVaultProvider {
|
|
35
|
+
readonly vaultId: string;
|
|
36
|
+
readonly definition: VaultDefinition;
|
|
37
|
+
authenticate(authConfig: VaultAuthConfig): Promise<void>;
|
|
38
|
+
isAuthenticated(): boolean;
|
|
39
|
+
batchGet(refs: string[]): Promise<Map<string, string>>;
|
|
40
|
+
get(ref: string): Promise<string | undefined>;
|
|
41
|
+
set(ref: string, value: string): Promise<void>;
|
|
42
|
+
delete(ref: string): Promise<void>;
|
|
43
|
+
list(): Promise<string[]>;
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
declare function resolveVaultAuth(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig>;
|
|
47
|
+
|
|
48
|
+
declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, processEnv?: Record<string, string | undefined>): Promise<string>;
|
|
49
|
+
declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
|
|
50
|
+
declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
|
|
51
|
+
|
|
52
|
+
declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
|
|
53
|
+
|
|
54
|
+
declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
|
|
55
|
+
|
|
56
|
+
declare function resolveManifestRoot(root?: string): Promise<string>;
|
|
57
|
+
declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
|
|
58
|
+
|
|
59
|
+
interface ResolvedVaultDefinition extends VaultDefinition {
|
|
60
|
+
name: string;
|
|
61
|
+
requiresAuthentication: boolean;
|
|
62
|
+
}
|
|
63
|
+
interface VaultMetadata {
|
|
64
|
+
version: 1;
|
|
65
|
+
algorithm: 'aes-256-gcm';
|
|
66
|
+
kdf: 'pbkdf2-sha512';
|
|
67
|
+
iterations: number;
|
|
68
|
+
salt: string;
|
|
69
|
+
createdAt: string;
|
|
70
|
+
secretCount: number;
|
|
71
|
+
}
|
|
72
|
+
declare function isSecretReference(value: unknown): value is SecretReference;
|
|
13
73
|
declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
|
|
14
|
-
declare function
|
|
74
|
+
declare function getVaultPassphraseEnvVar(vault?: string): string;
|
|
75
|
+
declare function isPassphraseEnvRef(value: string | undefined): boolean;
|
|
76
|
+
declare function getVaultSessionKeyEnvVar(vault?: string): string;
|
|
15
77
|
declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
|
|
16
|
-
declare function
|
|
78
|
+
declare function deriveVaultKey(passphrase: string, salt: Buffer, iterations?: number): Buffer;
|
|
79
|
+
declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
|
|
80
|
+
declare function detectLegacyVaultFormat(storeRoot: string, vault?: string): Promise<string | undefined>;
|
|
81
|
+
declare function readVaultMetadata(storeRoot: string, vault?: string): Promise<VaultMetadata | undefined>;
|
|
17
82
|
declare function listSecretVaults(storeRoot: string): Promise<string[]>;
|
|
18
|
-
declare function
|
|
83
|
+
declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
|
|
84
|
+
declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
|
|
85
|
+
declare function resolveVaultAccessKey(storeRoot: string, definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig | undefined>;
|
|
86
|
+
declare function writeLocalSecret(storeRoot: string, ref: string, value: string, authOrPassphrase: VaultAuthConfig | string, vault?: string): Promise<string>;
|
|
87
|
+
declare function deleteLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<boolean>;
|
|
88
|
+
declare function readLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<string>;
|
|
89
|
+
declare function listLocalSecrets(storeRoot: string, auth: VaultAuthConfig, vault?: string): Promise<string[]>;
|
|
90
|
+
declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
|
|
91
|
+
declare function removeLocalVaultFiles(storeRoot: string, vault?: string): Promise<void>;
|
|
19
92
|
|
|
20
93
|
declare function parseYaml<T>(source: string): T;
|
|
21
94
|
declare function stringifyYaml(value: unknown): string;
|
|
22
95
|
|
|
23
96
|
declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
|
|
24
97
|
|
|
25
|
-
|
|
98
|
+
declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
|
|
99
|
+
declare const CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
|
|
100
|
+
declare const CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
|
|
101
|
+
declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
|
|
102
|
+
declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
|
|
103
|
+
declare function serializeSecretPayload(values: Record<string, unknown>): {
|
|
104
|
+
payload: string;
|
|
105
|
+
sessionKey: string;
|
|
106
|
+
};
|
|
107
|
+
declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
|
|
108
|
+
declare function graphRequiresSecretHydration(graph: ResolvedGraph): boolean;
|
|
109
|
+
|
|
110
|
+
interface GeneratedCodegenContent {
|
|
111
|
+
typesContent: string;
|
|
112
|
+
runtimeContent: string;
|
|
113
|
+
schemaEntryCount: number;
|
|
114
|
+
hasSchema: boolean;
|
|
115
|
+
}
|
|
116
|
+
declare function generateCodegenContent(manifest: NormalizedManifest, sourcePath: string, typeModuleImport?: string): GeneratedCodegenContent;
|
|
117
|
+
|
|
118
|
+
interface WriteCodegenOutputOptions {
|
|
119
|
+
root?: string;
|
|
120
|
+
out?: string;
|
|
121
|
+
}
|
|
122
|
+
interface CodegenWriteResult {
|
|
123
|
+
manifestPath: string;
|
|
124
|
+
typesPath: string;
|
|
125
|
+
runtimePath: string;
|
|
126
|
+
schemaEntryCount: number;
|
|
127
|
+
hasSchema: boolean;
|
|
128
|
+
}
|
|
129
|
+
declare function resolveCodegenPaths(repoRoot: string, out?: string): {
|
|
130
|
+
typesPath: string;
|
|
131
|
+
runtimePath: string;
|
|
132
|
+
typeImportPath: string;
|
|
133
|
+
};
|
|
134
|
+
declare function writeCodegenOutput(options?: WriteCodegenOutputOptions): Promise<CodegenWriteResult>;
|
|
135
|
+
|
|
136
|
+
interface WatchSchemaOptions extends WriteCodegenOutputOptions {
|
|
137
|
+
debounceMs?: number;
|
|
138
|
+
onWrite?: (result: CodegenWriteResult) => void | Promise<void>;
|
|
139
|
+
onError?: (error: unknown) => void | Promise<void>;
|
|
140
|
+
}
|
|
141
|
+
interface CnosWatchHandle {
|
|
142
|
+
close(): void;
|
|
143
|
+
on(event: 'close', listener: () => void): this;
|
|
144
|
+
}
|
|
145
|
+
declare function watchSchema(options?: WatchSchemaOptions): Promise<CnosWatchHandle>;
|
|
146
|
+
|
|
147
|
+
interface DriftIssue {
|
|
148
|
+
key: string;
|
|
149
|
+
expectedType?: string;
|
|
150
|
+
actualType?: string;
|
|
151
|
+
value?: unknown;
|
|
152
|
+
sourceFile?: string;
|
|
153
|
+
}
|
|
154
|
+
interface DriftReport {
|
|
155
|
+
profile: string;
|
|
156
|
+
workspace: string;
|
|
157
|
+
missing: DriftIssue[];
|
|
158
|
+
undeclared: DriftIssue[];
|
|
159
|
+
mismatches: DriftIssue[];
|
|
160
|
+
defaultsApplied: DriftIssue[];
|
|
161
|
+
}
|
|
162
|
+
declare function compareSchemaToGraph(runtime: CnosRuntime): DriftReport;
|
|
163
|
+
|
|
164
|
+
declare function formatDriftReport(report: DriftReport): string;
|
|
165
|
+
|
|
166
|
+
interface EnvMappingProposal {
|
|
167
|
+
envVar: string;
|
|
168
|
+
namespace: 'value' | 'secret';
|
|
169
|
+
logicalPath: string;
|
|
170
|
+
logicalKey: string;
|
|
171
|
+
public: boolean;
|
|
172
|
+
framework?: 'vite' | 'next';
|
|
173
|
+
}
|
|
174
|
+
declare function proposeMapping(envVar: string): EnvMappingProposal;
|
|
175
|
+
|
|
176
|
+
interface ApplyManifestResult {
|
|
177
|
+
manifestPath: string;
|
|
178
|
+
appliedMappings: number;
|
|
179
|
+
appliedPromotions: number;
|
|
180
|
+
}
|
|
181
|
+
declare function applyManifestMappings(proposals: EnvMappingProposal[], root?: string): Promise<ApplyManifestResult>;
|
|
182
|
+
|
|
183
|
+
interface EnvUsage {
|
|
184
|
+
filePath: string;
|
|
185
|
+
envVar: string;
|
|
186
|
+
source: string;
|
|
187
|
+
kind: 'process-env' | 'import-meta-env';
|
|
188
|
+
}
|
|
189
|
+
declare function scanEnvUsage(scanRoot: string): Promise<EnvUsage[]>;
|
|
190
|
+
|
|
191
|
+
interface RewriteSourceResult {
|
|
192
|
+
rewrittenFiles: string[];
|
|
193
|
+
backupFiles: string[];
|
|
194
|
+
skippedUsages: string[];
|
|
195
|
+
}
|
|
196
|
+
declare function rewriteSourceFiles(usages: EnvUsage[], proposals: Map<string, EnvMappingProposal>): Promise<RewriteSourceResult>;
|
|
197
|
+
|
|
198
|
+
declare function diffGraphs(previous: ResolvedGraph, next: ResolvedGraph): string[];
|
|
199
|
+
|
|
200
|
+
interface WatchTargetSet {
|
|
201
|
+
manifestPath: string;
|
|
202
|
+
roots: string[];
|
|
203
|
+
files: string[];
|
|
204
|
+
}
|
|
205
|
+
declare function watchFiles(runtime: CnosRuntime, root?: string): Promise<WatchTargetSet>;
|
|
206
|
+
|
|
207
|
+
export { CNOS_GRAPH_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRuntimeGraphFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, stringifyYaml, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeVaultSessionKey };
|