@kitsy/cnos 1.1.2 → 1.3.0

package/dist/plugin/filesystem.cjs

@@ -40,11 +40,11 @@ __export(filesystem_exports, {
 module.exports = __toCommonJS(filesystem_exports);
 
 // ../../plugins/filesystem/src/filesystemSecretsReader.ts
-var import_promises9 = require("fs/promises");
+var import_promises11 = require("fs/promises");
 
 // ../../plugins/filesystem/src/helpers.ts
-var import_promises8 = require("fs/promises");
-var import_node_path8 = __toESM(require("path"), 1);
+var import_promises10 = require("fs/promises");
+var import_node_path10 = __toESM(require("path"), 1);
 
 // ../core/src/errors.ts
 var CnosError = class extends Error {
@@ -61,6 +61,21 @@ var CnosManifestError = class extends CnosError {
   manifestPath;
 };
 
+// ../core/src/keychain/linux.ts
+var import_node_child_process = require("child_process");
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+
+// ../core/src/keychain/macos.ts
+var import_node_child_process2 = require("child_process");
+var import_node_util2 = require("util");
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process2.execFile);
+
+// ../core/src/keychain/windows.ts
+var import_node_child_process3 = require("child_process");
+var import_node_util3 = require("util");
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process3.execFile);
+
 // ../core/src/manifest/loadManifest.ts
 var import_promises2 = require("fs/promises");
 var import_node_path2 = __toESM(require("path"), 1);
@@ -69,15 +84,6 @@ var import_node_path2 = __toESM(require("path"), 1);
 var import_promises = require("fs/promises");
 var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
-function expandHomePath(targetPath) {
-  if (targetPath === "~") {
-    return import_node_os.default.homedir();
-  }
-  if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return import_node_path.default.join(import_node_os.default.homedir(), targetPath.slice(2));
-  }
-  return targetPath;
-}
 function toPortablePath(targetPath) {
   return targetPath.replace(/\\/g, "/");
 }
@@ -100,81 +106,57 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/auditLog.ts
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
+
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
+// ../core/src/secrets/sessionStore.ts
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
+
+// ../core/src/utils/secretStore.ts
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
-function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
-}
-function resolveSecretStoreFile(storeRoot, ref, vault = "default") {
-  return import_node_path6.default.join(storeRoot, "vaults", vault, "store", ...ref.split("/")).concat(".json");
-}
-function deriveKey(passphrase, salt) {
-  return (0, import_node_crypto.scryptSync)(passphrase, salt, 32);
-}
-function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
-  const vaultToken = vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
-  return processEnv[`CNOS_SECRET_PASSPHRASE_${vaultToken}`] ?? processEnv.CNOS_SECRET_PASSPHRASE;
-}
-function decryptDocument(document, passphrase) {
-  const salt = Buffer.from(document.salt, "base64");
-  const iv = Buffer.from(document.iv, "base64");
-  const tag = Buffer.from(document.tag, "base64");
-  const ciphertext = Buffer.from(document.ciphertext, "base64");
-  const key = deriveKey(passphrase, salt);
-  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
-  decipher.setAuthTag(tag);
-  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-  return plaintext.toString("utf8");
-}
-async function readLocalSecret(storeRoot, ref, passphrase, vault = "default") {
-  if (!passphrase) {
-    throw new CnosManifestError(
-      `Missing CNOS secret passphrase for local secret ref "${ref}". Set CNOS_SECRET_PASSPHRASE or pass processEnv explicitly.`
-    );
-  }
-  const filePath = resolveSecretStoreFile(storeRoot, ref, vault);
-  const source = await (0, import_promises6.readFile)(filePath, "utf8");
-  const document = JSON.parse(source);
-  if (document.version !== 1 || document.algorithm !== "aes-256-gcm" || typeof document.salt !== "string" || typeof document.iv !== "string" || typeof document.tag !== "string" || typeof document.ciphertext !== "string") {
-    throw new CnosManifestError("Invalid local secret document", filePath);
-  }
-  return decryptDocument(document, passphrase);
-}
+
+// ../core/src/secrets/prompt.ts
+var import_node_readline = __toESM(require("readline"), 1);
+var import_node_stream = require("stream");
 
 // ../core/src/runtime/dump.ts
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
 
 // ../../plugins/filesystem/src/helpers.ts
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
 async function existsDirectory(targetPath) {
   try {
-    const stat = await (0, import_promises8.readdir)(targetPath);
-    void stat;
+    const stat2 = await (0, import_promises10.readdir)(targetPath);
+    void stat2;
     return true;
   } catch {
     return false;
   }
 }
 async function collectYamlFiles(root) {
-  const entries = await (0, import_promises8.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises10.readdir)(root, { withFileTypes: true });
   const results = [];
   for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
-    const absolutePath = import_node_path8.default.join(root, entry.name);
+    const absolutePath = import_node_path10.default.join(root, entry.name);
     if (entry.isDirectory()) {
       results.push(...await collectYamlFiles(absolutePath));
       continue;
     }
-    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path8.default.extname(entry.name).toLowerCase())) {
+    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path10.default.extname(entry.name).toLowerCase())) {
       results.push(absolutePath);
     }
   }
@@ -182,16 +164,16 @@ async function collectYamlFiles(root) {
 }
 async function collectFilesystemLayerFiles(manifestRoot, workspaceRoots, sourceRoot, activeLayers) {
   const files = [];
-  const repoRoot = import_node_path8.default.dirname(manifestRoot);
+  const repoRoot = import_node_path10.default.dirname(manifestRoot);
   for (const workspaceRoot of workspaceRoots) {
-    const resolvedRoot = import_node_path8.default.resolve(workspaceRoot.path, sourceRoot);
+    const resolvedRoot = import_node_path10.default.resolve(workspaceRoot.path, sourceRoot);
     for (const layer of activeLayers) {
-      const layerRoot = import_node_path8.default.join(resolvedRoot, layer);
+      const layerRoot = import_node_path10.default.join(resolvedRoot, layer);
       if (!await existsDirectory(layerRoot)) {
         continue;
       }
       for (const absolutePath of await collectYamlFiles(layerRoot)) {
-        const relativePath = import_node_path8.default.relative(repoRoot, absolutePath);
+        const relativePath = import_node_path10.default.relative(repoRoot, absolutePath);
         files.push({
           absolutePath,
           relativePath: toPortablePath(relativePath.startsWith("..") ? absolutePath : relativePath),
@@ -241,31 +223,6 @@ function yamlObjectToEntries(document, filePath, namespace, sourceId, workspaceI
     }
   }));
 }
-async function resolveSecretValue(value, processEnv) {
-  if (!isSecretReference(value)) {
-    return value;
-  }
-  if (value.provider === "local") {
-    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
-    if (!passphrase) {
-      return value;
-    }
-    return readLocalSecret(
-      resolveSecretStoreRoot(processEnv),
-      value.ref,
-      passphrase,
-      value.vault
-    );
-  }
-  if (value.provider === "env") {
-    const resolved = processEnv?.[value.ref];
-    if (resolved === void 0) {
-      return value;
-    }
-    return resolved;
-  }
-  return value;
-}
 function toSecretReferenceMetadata(value) {
   if (!isSecretReference(value)) {
     return void 0;
@@ -293,14 +250,12 @@ function createFilesystemSecretsPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises9.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises11.readFile)(file.absolutePath, "utf8");
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
-          const resolvedValue = await resolveSecretValue(entry.value, context.processEnv);
           entries.push({
             ...entry,
-            value: resolvedValue,
             ...metadata ? { metadata } : {}
           });
         }
@@ -311,7 +266,7 @@ function createFilesystemSecretsPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemValuesReader.ts
-var import_promises10 = require("fs/promises");
+var import_promises12 = require("fs/promises");
 function filesystemValuesReader(filePath, document, workspaceId = "default") {
   return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
 }
@@ -329,7 +284,7 @@ function createFilesystemValuesPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises10.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises12.readFile)(file.absolutePath, "utf8");
         entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
       }
       return entries;

package/dist/plugin/filesystem.d.cts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, f as ConfigEntry, k as WorkspaceRoot, l as NamespaceName } from '../plugin-BVNEHj19.cjs';
+import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, i as NamespaceName } from '../plugin-CyNkf7Dm.cjs';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.d.ts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, f as ConfigEntry, k as WorkspaceRoot, l as NamespaceName } from '../plugin-BVNEHj19.js';
+import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, i as NamespaceName } from '../plugin-CyNkf7Dm.js';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.js

@@ -5,8 +5,8 @@ import {
   filesystemSecretsReader,
   filesystemValuesReader,
   yamlObjectToEntries
-} from "../chunk-7FBRVJD6.js";
-import "../chunk-33ZDYDQJ.js";
+} from "../chunk-FC3IV6A7.js";
+import "../chunk-DRKDNY4I.js";
 export {
   collectFilesystemLayerFiles,
   createFilesystemSecretsPlugin,

package/dist/plugin/process-env.cjs

@@ -35,6 +35,21 @@ __export(process_env_exports, {
 });
 module.exports = __toCommonJS(process_env_exports);
 
+// ../core/src/keychain/linux.ts
+var import_node_child_process = require("child_process");
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+
+// ../core/src/keychain/macos.ts
+var import_node_child_process2 = require("child_process");
+var import_node_util2 = require("util");
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process2.execFile);
+
+// ../core/src/keychain/windows.ts
+var import_node_child_process3 = require("child_process");
+var import_node_util3 = require("util");
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process3.execFile);
+
 // ../core/src/manifest/loadManifest.ts
 var import_promises2 = require("fs/promises");
 var import_node_path2 = __toESM(require("path"), 1);
@@ -59,11 +74,27 @@ var import_node_path4 = __toESM(require("path"), 1);
 var import_promises5 = require("fs/promises");
 var import_node_path5 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/auditLog.ts
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
+
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
+// ../core/src/secrets/sessionStore.ts
 var import_promises6 = require("fs/promises");
 var import_node_path6 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/prompt.ts
+var import_node_readline = __toESM(require("readline"), 1);
+var import_node_stream = require("stream");
+
+// ../core/src/runtime/dump.ts
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
+
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
   return {
@@ -71,8 +102,8 @@ function normalizeMappingConfig(config = {}) {
     explicit: config.explicit ?? {}
   };
 }
-function fromScreamingSnake(path8) {
-  return path8.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function fromScreamingSnake(path10) {
+  return path10.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
 function envVarToLogicalKey(envVar, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -96,10 +127,6 @@ function envVarToLogicalKey(envVar, config = {}) {
   return `value.${fromScreamingSnake(envVar)}`;
 }
 
-// ../core/src/runtime/dump.ts
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
-
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";
 function processEnvEntriesFromObject(env, mapping = {}, workspaceId = "default") {

package/dist/plugin/process-env.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-BVNEHj19.cjs';
-import { E as EnvMappingConfig } from '../envNaming-BrOk5ndZ.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../plugin-CyNkf7Dm.cjs';
+import { E as EnvMappingConfig } from '../envNaming-D6k66myh.cjs';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function createProcessEnvPlugin(): LoaderPlugin;

package/dist/plugin/process-env.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, f as ConfigEntry } from '../plugin-BVNEHj19.js';
-import { E as EnvMappingConfig } from '../envNaming-DCaNdnrF.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../plugin-CyNkf7Dm.js';
+import { E as EnvMappingConfig } from '../envNaming-Dy3WYiGK.js';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function createProcessEnvPlugin(): LoaderPlugin;

package/dist/plugin/process-env.js

@@ -1,8 +1,8 @@
 import {
   createProcessEnvPlugin,
   processEnvEntriesFromObject
-} from "../chunk-53HXUSM6.js";
-import "../chunk-33ZDYDQJ.js";
+} from "../chunk-CDXJISGB.js";
+import "../chunk-DRKDNY4I.js";
 export {
   createProcessEnvPlugin,
   processEnvEntriesFromObject

package/dist/{plugin-BVNEHj19.d.cts → plugin-CyNkf7Dm.d.cts}

@@ -44,6 +44,31 @@ interface WorkspaceContext {
 }
 
 type ResolutionArrayPolicy = 'replace' | 'append' | 'unique-append';
+type NamespaceKind = 'data' | 'projection' | 'system';
+type NamespaceProjectionSource = 'promote' | 'envMapping';
+type VaultProviderName = 'local' | 'github-secrets' | (string & {});
+type VaultAuthMethod = 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
+interface VaultAuthSourceConfig {
+    from?: string[];
+}
+interface VaultAuthDefinition {
+    method?: VaultAuthMethod;
+    passphrase?: VaultAuthSourceConfig;
+    token?: VaultAuthSourceConfig;
+    config?: Record<string, unknown>;
+}
+interface NamespaceDefinition {
+    kind: NamespaceKind;
+    shareable: boolean;
+    sensitive?: boolean;
+    readonly?: boolean;
+    source?: NamespaceProjectionSource;
+}
+interface VaultDefinition {
+    provider: VaultProviderName;
+    auth?: VaultAuthDefinition;
+    mapping?: Record<string, string>;
+}
 interface ManifestFile {
     version?: number;
     project?: {
@@ -82,6 +107,8 @@ interface ManifestFile {
         promote?: LogicalKey[];
         frameworks?: Record<string, string>;
     };
+    namespaces?: Record<string, Partial<NamespaceDefinition>>;
+    vaults?: Record<string, Partial<VaultDefinition>>;
     writePolicy?: {
         define?: {
             defaultProfile?: string;
@@ -128,6 +155,8 @@ interface NormalizedManifest {
         promote: LogicalKey[];
         frameworks: Record<string, string>;
     };
+    namespaces: Record<string, NamespaceDefinition>;
+    vaults: Record<string, VaultDefinition>;
     writePolicy: {
         define: {
             defaultProfile: string;
@@ -136,9 +165,19 @@ interface NormalizedManifest {
     };
     schema: Record<LogicalKey, SchemaRule>;
 }
+interface LoadManifestOptions {
+    root?: string;
+}
+interface LoadedManifest {
+    manifestRoot: string;
+    repoRoot: string;
+    manifestPath: string;
+    manifest: NormalizedManifest;
+    rawManifest: ManifestFile;
+}
 
 type LogicalKey = string;
-type NamespaceName = 'value' | 'secret' | 'meta';
+type NamespaceName = string;
 interface ConfigOrigin {
     file?: string;
     line?: number;
@@ -200,6 +239,7 @@ interface CnosCreateOptions {
     profile?: string;
     workspace?: string;
     globalRoot?: string;
+    secretResolution?: 'eager' | 'lazy';
     cnosVersion?: string;
     plugins?: CnosPlugin[];
     cliArgs?: string[];
@@ -306,4 +346,4 @@ interface ExporterPlugin extends CnosPlugin {
     export(graph: ResolvedGraph, context: ExportContext): Promise<ExportResult>;
 }
 
-export type { CnosCreateOptions as C, DumpPlanOptions as D, ExporterPlugin as E, InspectResult as I, LoaderPlugin as L, ManifestFile as M, NormalizedManifest as N, ResolvedGraph as R, ToEnvOptions as T, ValidationSummary as V, WorkspaceFile as W, DumpPlan as a, DumpOptions as b, DumpResult as c, CnosRuntime as d, CnosPlugin as e, ConfigEntry as f, LogicalKey as g, ToPublicEnvOptions as h, ValidationIssue as i, ValidatorPlugin as j, WorkspaceRoot as k, NamespaceName as l };
+export type { CnosCreateOptions as C, DumpPlanOptions as D, ExporterPlugin as E, InspectResult as I, LoaderPlugin as L, ManifestFile as M, NormalizedManifest as N, ResolvedGraph as R, ToEnvOptions as T, ValidatorPlugin as V, WorkspaceRoot as W, ConfigEntry as a, LogicalKey as b, ToPublicEnvOptions as c, DumpPlan as d, DumpOptions as e, DumpResult as f, CnosRuntime as g, CnosPlugin as h, NamespaceName as i, LoadManifestOptions as j, LoadedManifest as k, VaultDefinition as l, ValidationSummary as m, ValidationIssue as n, WorkspaceFile as o };

package/dist/{plugin-BVNEHj19.d.ts → plugin-CyNkf7Dm.d.ts}

@@ -44,6 +44,31 @@ interface WorkspaceContext {
 }
 
 type ResolutionArrayPolicy = 'replace' | 'append' | 'unique-append';
+type NamespaceKind = 'data' | 'projection' | 'system';
+type NamespaceProjectionSource = 'promote' | 'envMapping';
+type VaultProviderName = 'local' | 'github-secrets' | (string & {});
+type VaultAuthMethod = 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
+interface VaultAuthSourceConfig {
+    from?: string[];
+}
+interface VaultAuthDefinition {
+    method?: VaultAuthMethod;
+    passphrase?: VaultAuthSourceConfig;
+    token?: VaultAuthSourceConfig;
+    config?: Record<string, unknown>;
+}
+interface NamespaceDefinition {
+    kind: NamespaceKind;
+    shareable: boolean;
+    sensitive?: boolean;
+    readonly?: boolean;
+    source?: NamespaceProjectionSource;
+}
+interface VaultDefinition {
+    provider: VaultProviderName;
+    auth?: VaultAuthDefinition;
+    mapping?: Record<string, string>;
+}
 interface ManifestFile {
     version?: number;
     project?: {
@@ -82,6 +107,8 @@ interface ManifestFile {
         promote?: LogicalKey[];
         frameworks?: Record<string, string>;
     };
+    namespaces?: Record<string, Partial<NamespaceDefinition>>;
+    vaults?: Record<string, Partial<VaultDefinition>>;
     writePolicy?: {
         define?: {
             defaultProfile?: string;
@@ -128,6 +155,8 @@ interface NormalizedManifest {
         promote: LogicalKey[];
         frameworks: Record<string, string>;
     };
+    namespaces: Record<string, NamespaceDefinition>;
+    vaults: Record<string, VaultDefinition>;
     writePolicy: {
         define: {
             defaultProfile: string;
@@ -136,9 +165,19 @@ interface NormalizedManifest {
     };
     schema: Record<LogicalKey, SchemaRule>;
 }
+interface LoadManifestOptions {
+    root?: string;
+}
+interface LoadedManifest {
+    manifestRoot: string;
+    repoRoot: string;
+    manifestPath: string;
+    manifest: NormalizedManifest;
+    rawManifest: ManifestFile;
+}
 
 type LogicalKey = string;
-type NamespaceName = 'value' | 'secret' | 'meta';
+type NamespaceName = string;
 interface ConfigOrigin {
     file?: string;
     line?: number;
@@ -200,6 +239,7 @@ interface CnosCreateOptions {
     profile?: string;
     workspace?: string;
     globalRoot?: string;
+    secretResolution?: 'eager' | 'lazy';
     cnosVersion?: string;
     plugins?: CnosPlugin[];
     cliArgs?: string[];
@@ -306,4 +346,4 @@ interface ExporterPlugin extends CnosPlugin {
     export(graph: ResolvedGraph, context: ExportContext): Promise<ExportResult>;
 }
 
-export type { CnosCreateOptions as C, DumpPlanOptions as D, ExporterPlugin as E, InspectResult as I, LoaderPlugin as L, ManifestFile as M, NormalizedManifest as N, ResolvedGraph as R, ToEnvOptions as T, ValidationSummary as V, WorkspaceFile as W, DumpPlan as a, DumpOptions as b, DumpResult as c, CnosRuntime as d, CnosPlugin as e, ConfigEntry as f, LogicalKey as g, ToPublicEnvOptions as h, ValidationIssue as i, ValidatorPlugin as j, WorkspaceRoot as k, NamespaceName as l };
+export type { CnosCreateOptions as C, DumpPlanOptions as D, ExporterPlugin as E, InspectResult as I, LoaderPlugin as L, ManifestFile as M, NormalizedManifest as N, ResolvedGraph as R, ToEnvOptions as T, ValidatorPlugin as V, WorkspaceRoot as W, ConfigEntry as a, LogicalKey as b, ToPublicEnvOptions as c, DumpPlan as d, DumpOptions as e, DumpResult as f, CnosRuntime as g, CnosPlugin as h, NamespaceName as i, LoadManifestOptions as j, LoadedManifest as k, VaultDefinition as l, ValidationSummary as m, ValidationIssue as n, WorkspaceFile as o };