@kitsy/cnos 1.1.2 → 1.3.0

package/dist/chunk-E7SE6N26.js

@@ -0,0 +1,189 @@
+import {
+  graphRequiresSecretHydration,
+  readRuntimeGraphFromEnv
+} from "./chunk-K6QYI2T4.js";
+import {
+  createCnos,
+  getBootstrappedSecretHydrationRequired,
+  getSingletonReady,
+  getSingletonRuntime,
+  setBootstrappedSecretHydrationRequired,
+  setSingletonReady,
+  setSingletonRuntime
+} from "./chunk-EDCLLCNL.js";
+import {
+  inspectValue,
+  readOrValue,
+  readValue,
+  requireValue,
+  toEnv,
+  toLogicalKey,
+  toNamespaceObject,
+  toPublicEnv
+} from "./chunk-DRKDNY4I.js";
+
+// src/runtime/index.ts
+var NOT_READY_MESSAGE = "CNOS not initialized. Call await cnos.ready() or use cnos run.";
+function getRuntimeOrThrow() {
+  const runtime = getSingletonRuntime();
+  if (!runtime) {
+    throw new Error(NOT_READY_MESSAGE);
+  }
+  return runtime;
+}
+function attachBootstrappedGraph(graph) {
+  if (getSingletonRuntime()) {
+    return;
+  }
+  const bootstrappedManifest = {
+    version: 1,
+    project: {
+      name: "bootstrapped"
+    },
+    workspaces: {
+      global: {
+        enabled: Boolean(graph.workspace.globalRoot),
+        ...graph.workspace.globalRoot ? {
+          root: graph.workspace.globalRoot
+        } : {},
+        allowWrite: false
+      },
+      items: {},
+      ...graph.workspace.workspaceSource === "implicit" ? {} : {
+        default: graph.workspace.workspaceId
+      }
+    },
+    profiles: {
+      default: graph.profile,
+      resolveFrom: ["default"]
+    },
+    plugins: {
+      loaders: [],
+      resolver: "profile-aware",
+      validators: [],
+      exporters: [],
+      inspectors: []
+    },
+    sources: {},
+    resolution: {
+      precedence: [],
+      arrayPolicy: "replace"
+    },
+    envMapping: {
+      explicit: {}
+    },
+    public: {
+      promote: [],
+      frameworks: {}
+    },
+    namespaces: {},
+    vaults: {},
+    writePolicy: {
+      define: {
+        defaultProfile: graph.profile,
+        targets: {
+          value: "./values/app.yml",
+          secret: "./secrets/app.yml"
+        }
+      }
+    },
+    schema: {}
+  };
+  const runtime = {
+    manifest: bootstrappedManifest,
+    plugins: [],
+    graph,
+    read(key) {
+      return readValue(graph, key);
+    },
+    require(key) {
+      return requireValue(graph, key);
+    },
+    readOr(key, fallback) {
+      return readOrValue(graph, key, fallback);
+    },
+    value(path) {
+      return readValue(graph, toLogicalKey("value", path));
+    },
+    secret(path) {
+      return readValue(graph, toLogicalKey("secret", path));
+    },
+    meta(path) {
+      return readValue(graph, toLogicalKey("meta", path));
+    },
+    inspect(key) {
+      return inspectValue(graph, key);
+    },
+    toObject() {
+      return toNamespaceObject(graph);
+    },
+    toNamespace(namespace) {
+      return toNamespaceObject(graph, namespace);
+    },
+    toEnv(options) {
+      return toEnv(graph, bootstrappedManifest, options);
+    },
+    toPublicEnv(options) {
+      return toPublicEnv(graph, bootstrappedManifest, options);
+    }
+  };
+  setSingletonRuntime(runtime);
+  setBootstrappedSecretHydrationRequired(graphRequiresSecretHydration(graph));
+}
+function bootstrapFromProcessEnv() {
+  if (typeof process === "undefined") {
+    return;
+  }
+  try {
+    const graph = readRuntimeGraphFromEnv(process.env);
+    if (graph) {
+      attachBootstrappedGraph(graph);
+    }
+  } catch {
+  }
+}
+bootstrapFromProcessEnv();
+var cnos = Object.assign(
+  ((key) => readValue(getRuntimeOrThrow().graph, key)),
+  {
+    read(key) {
+      return readValue(getRuntimeOrThrow().graph, key);
+    },
+    require(key) {
+      return requireValue(getRuntimeOrThrow().graph, key);
+    },
+    readOr(key, fallback) {
+      return readOrValue(getRuntimeOrThrow().graph, key, fallback);
+    },
+    value(path) {
+      return readValue(getRuntimeOrThrow().graph, toLogicalKey("value", path));
+    },
+    secret(path) {
+      return readValue(getRuntimeOrThrow().graph, toLogicalKey("secret", path));
+    },
+    meta(path) {
+      return readValue(getRuntimeOrThrow().graph, toLogicalKey("meta", path));
+    },
+    async ready() {
+      if (getSingletonRuntime() && !getBootstrappedSecretHydrationRequired()) {
+        return;
+      }
+      const existing = getSingletonReady();
+      if (existing && !getBootstrappedSecretHydrationRequired()) {
+        await existing;
+        return;
+      }
+      const readyPromise = createCnos().then((runtime) => {
+        setSingletonRuntime(runtime);
+        return runtime;
+      });
+      setSingletonReady(readyPromise);
+      await readyPromise;
+    }
+  }
+);
+var runtime_default = cnos;
+
+export {
+  runtime_default
+};

package/dist/chunk-EDCLLCNL.js

@@ -0,0 +1,200 @@
+import {
+  createEnvExportPlugin,
+  createPublicEnvExportPlugin
+} from "./chunk-OOKFRWTN.js";
+import {
+  createFilesystemSecretsPlugin,
+  createFilesystemValuesPlugin
+} from "./chunk-FC3IV6A7.js";
+import {
+  createProcessEnvPlugin
+} from "./chunk-CDXJISGB.js";
+import {
+  createBasicSchemaPlugin
+} from "./chunk-JDII6O72.js";
+import {
+  createCliArgsPlugin
+} from "./chunk-OWUZQ4OH.js";
+import {
+  createDotenvPlugin
+} from "./chunk-QTKXPY3N.js";
+import {
+  createCnos,
+  createProvenanceInspector
+} from "./chunk-DRKDNY4I.js";
+
+// src/defaultPlugins.ts
+function defaultPlugins() {
+  return [
+    createFilesystemValuesPlugin(),
+    createFilesystemSecretsPlugin(),
+    createDotenvPlugin(),
+    createProcessEnvPlugin(),
+    createCliArgsPlugin(),
+    createBasicSchemaPlugin(),
+    createEnvExportPlugin(),
+    createPublicEnvExportPlugin(),
+    createProvenanceInspector()
+  ];
+}
+
+// src/runtime/state.ts
+var singletonRuntime;
+var singletonReady;
+var bootstrappedSecretHydrationRequired = false;
+function getSingletonRuntime() {
+  return singletonRuntime;
+}
+function setSingletonRuntime(runtime) {
+  singletonRuntime = runtime;
+  singletonReady = Promise.resolve(runtime);
+  bootstrappedSecretHydrationRequired = false;
+  return runtime;
+}
+function getSingletonReady() {
+  return singletonReady;
+}
+function setSingletonReady(promise) {
+  singletonReady = promise;
+  return promise;
+}
+function getBootstrappedSecretHydrationRequired() {
+  return bootstrappedSecretHydrationRequired;
+}
+function setBootstrappedSecretHydrationRequired(value) {
+  bootstrappedSecretHydrationRequired = value;
+}
+
+// package.json
+var package_default = {
+  name: "@kitsy/cnos",
+  version: "1.3.0",
+  description: "Batteries-included CNOS runtime package wired with the official plugins.",
+  type: "module",
+  main: "./dist/index.cjs",
+  module: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js",
+      require: "./dist/index.cjs"
+    },
+    "./configure": {
+      types: "./dist/configure/index.d.ts",
+      import: "./dist/configure/index.js",
+      require: "./dist/configure/index.cjs"
+    },
+    "./create": {
+      types: "./dist/configure/index.d.ts",
+      import: "./dist/configure/index.js",
+      require: "./dist/configure/index.cjs"
+    },
+    "./internal": {
+      types: "./dist/internal.d.ts",
+      import: "./dist/internal.js",
+      require: "./dist/internal.cjs"
+    },
+    "./runtime": {
+      types: "./dist/runtime/index.d.ts",
+      import: "./dist/runtime/index.js",
+      require: "./dist/runtime/index.cjs"
+    },
+    "./browser": {
+      types: "./dist/browser/index.d.ts",
+      import: "./dist/browser/index.js",
+      require: "./dist/browser/index.cjs"
+    },
+    "./build": {
+      types: "./dist/build/index.d.ts",
+      import: "./dist/build/index.js",
+      require: "./dist/build/index.cjs"
+    },
+    "./plugins/filesystem": {
+      types: "./dist/plugin/filesystem.d.ts",
+      import: "./dist/plugin/filesystem.js",
+      require: "./dist/plugin/filesystem.cjs"
+    },
+    "./plugins/dotenv": {
+      types: "./dist/plugin/dotenv.d.ts",
+      import: "./dist/plugin/dotenv.js",
+      require: "./dist/plugin/dotenv.cjs"
+    },
+    "./plugins/process-env": {
+      types: "./dist/plugin/process-env.d.ts",
+      import: "./dist/plugin/process-env.js",
+      require: "./dist/plugin/process-env.cjs"
+    },
+    "./plugins/cli-args": {
+      types: "./dist/plugin/cli-args.d.ts",
+      import: "./dist/plugin/cli-args.js",
+      require: "./dist/plugin/cli-args.cjs"
+    },
+    "./plugins/basic-schema": {
+      types: "./dist/plugin/basic-schema.d.ts",
+      import: "./dist/plugin/basic-schema.js",
+      require: "./dist/plugin/basic-schema.cjs"
+    },
+    "./plugins/env-export": {
+      types: "./dist/plugin/env-export.d.ts",
+      import: "./dist/plugin/env-export.js",
+      require: "./dist/plugin/env-export.cjs"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  license: "MIT",
+  repository: {
+    type: "git",
+    url: "https://github.com/kitsyai/cnos.git",
+    directory: "packages/cnos"
+  },
+  homepage: "https://github.com/kitsyai/cnos/tree/main/packages/cnos",
+  bugs: {
+    url: "https://github.com/kitsyai/cnos/issues"
+  },
+  keywords: [
+    "cnos",
+    "config",
+    "runtime"
+  ],
+  publishConfig: {
+    access: "public"
+  },
+  dependencies: {
+    yaml: "^2.8.3"
+  },
+  scripts: {
+    build: "rimraf dist && tsup --config tsup.config.ts",
+    clean: "rimraf dist",
+    dev: "tsup --config tsup.config.ts --watch",
+    lint: "eslint src test",
+    prepack: "pnpm build",
+    test: "vitest run",
+    typecheck: "tsc -p tsconfig.json --noEmit"
+  }
+};
+
+// src/createCnos.ts
+async function createCnos2(options = {}) {
+  const runtime = await createCnos({
+    ...options,
+    processEnv: options.processEnv ?? process.env,
+    cnosVersion: package_default.version,
+    plugins: [...defaultPlugins(), ...options.plugins ?? []]
+  });
+  setSingletonRuntime(runtime);
+  return runtime;
+}
+
+export {
+  defaultPlugins,
+  getSingletonRuntime,
+  setSingletonRuntime,
+  getSingletonReady,
+  setSingletonReady,
+  getBootstrappedSecretHydrationRequired,
+  setBootstrappedSecretHydrationRequired,
+  createCnos2 as createCnos
+};

package/dist/{chunk-7FBRVJD6.js → chunk-FC3IV6A7.js}

@@ -2,11 +2,8 @@ import {
   CnosManifestError,
   isSecretReference,
   parseYaml,
-  readLocalSecret,
-  resolveSecretPassphrase,
-  resolveSecretStoreRoot,
   toPortablePath
-} from "./chunk-33ZDYDQJ.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";
@@ -98,31 +95,6 @@ function yamlObjectToEntries(document, filePath, namespace, sourceId, workspaceI
     }
   }));
 }
-async function resolveSecretValue(value, processEnv) {
-  if (!isSecretReference(value)) {
-    return value;
-  }
-  if (value.provider === "local") {
-    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
-    if (!passphrase) {
-      return value;
-    }
-    return readLocalSecret(
-      resolveSecretStoreRoot(processEnv),
-      value.ref,
-      passphrase,
-      value.vault
-    );
-  }
-  if (value.provider === "env") {
-    const resolved = processEnv?.[value.ref];
-    if (resolved === void 0) {
-      return value;
-    }
-    return resolved;
-  }
-  return value;
-}
 function toSecretReferenceMetadata(value) {
   if (!isSecretReference(value)) {
     return void 0;
@@ -155,10 +127,8 @@ function createFilesystemSecretsPlugin() {
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
-          const resolvedValue = await resolveSecretValue(entry.value, context.processEnv);
           entries.push({
             ...entry,
-            value: resolvedValue,
             ...metadata ? { metadata } : {}
           });
         }

package/dist/{chunk-JQGGSNCL.js → chunk-JDII6O72.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-33ZDYDQJ.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {

package/dist/chunk-K6QYI2T4.js

@@ -0,0 +1,105 @@
+import {
+  isSecretReference
+} from "./chunk-DRKDNY4I.js";
+
+// src/runtime/bootstrap.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+var CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
+var CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
+function serializeRuntimeGraph(graph) {
+  const payload = {
+    entries: Array.from(graph.entries.values()),
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    profileSource: graph.profileSource,
+    workspace: graph.workspace
+  };
+  return JSON.stringify(payload);
+}
+function deserializeRuntimeGraph(source) {
+  const payload = JSON.parse(source);
+  if (!payload || !Array.isArray(payload.entries) || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || !payload.profileSource || !payload.workspace || typeof payload.workspace.workspaceId !== "string" || !Array.isArray(payload.workspace.workspaceChain) || !Array.isArray(payload.workspace.workspaceRoots)) {
+    throw new Error("Invalid CNOS runtime bootstrap payload");
+  }
+  return {
+    entries: new Map(
+      payload.entries.map((entry) => [
+        entry.key,
+        {
+          key: entry.key,
+          value: entry.value,
+          namespace: entry.namespace,
+          winner: entry.winner,
+          overridden: entry.overridden ?? []
+        }
+      ])
+    ),
+    profile: payload.profile,
+    resolvedAt: payload.resolvedAt,
+    profileSource: payload.profileSource,
+    workspace: payload.workspace
+  };
+}
+function decryptSecretPayload(serialized, sessionKey) {
+  const payload = JSON.parse(serialized);
+  if (!payload || typeof payload.iv !== "string" || typeof payload.tag !== "string" || typeof payload.ciphertext !== "string") {
+    throw new Error("Invalid CNOS secret payload");
+  }
+  const key = Buffer.from(sessionKey, "hex");
+  const iv = Buffer.from(payload.iv, "base64");
+  const tag = Buffer.from(payload.tag, "base64");
+  const ciphertext = Buffer.from(payload.ciphertext, "base64");
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+  return JSON.parse(plaintext);
+}
+function serializeSecretPayload(values) {
+  const key = randomBytes(32);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(values), "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    payload: JSON.stringify({
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      ciphertext: ciphertext.toString("base64")
+    }),
+    sessionKey: key.toString("hex")
+  };
+}
+function readRuntimeGraphFromEnv(processEnv = process.env) {
+  const serialized = processEnv[CNOS_GRAPH_ENV_VAR];
+  if (!serialized) {
+    return void 0;
+  }
+  const graph = deserializeRuntimeGraph(serialized);
+  const secretPayload = processEnv[CNOS_SECRET_PAYLOAD_ENV_VAR];
+  const sessionKey = processEnv[CNOS_SESSION_KEY_ENV_VAR];
+  if (secretPayload && sessionKey) {
+    const decrypted = decryptSecretPayload(secretPayload, sessionKey);
+    for (const [key, value] of Object.entries(decrypted)) {
+      const entry = graph.entries.get(key);
+      if (entry) {
+        entry.value = value;
+      }
+    }
+  }
+  return graph;
+}
+function graphRequiresSecretHydration(graph) {
+  return Array.from(graph.entries.values()).some((entry) => entry.namespace === "secret" && isSecretReference(entry.value));
+}
+
+export {
+  CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR,
+  serializeRuntimeGraph,
+  deserializeRuntimeGraph,
+  serializeSecretPayload,
+  readRuntimeGraphFromEnv,
+  graphRequiresSecretHydration
+};

package/dist/{chunk-IHSV5AFX.js → chunk-OOKFRWTN.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-33ZDYDQJ.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-HOS4E7XO.js → chunk-OWUZQ4OH.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-33ZDYDQJ.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";

package/dist/{chunk-IQOUWY6T.js → chunk-QTKXPY3N.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-33ZDYDQJ.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";