@kitsy/cnos 1.10.0 → 1.11.0

package/dist/build/index.cjs

@@ -1601,11 +1601,19 @@ function normalizeVaults(vaults) {
         throw new CnosManifestError(`Vault "${name}" requires a provider`);
       }
       const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
-      const normalizedMapping = Object.fromEntries(
-        Object.entries(definition.mapping ?? {}).filter(
-          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
-        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
-      );
+      const normalizedMapping = normalizeVaultMapping(definition.mapping);
+      const fallback = (definition.fallback ?? []).map((entry, index) => {
+        const fallbackProvider = entry.provider?.trim();
+        if (!fallbackProvider) {
+          throw new CnosManifestError(`Vault "${name}" fallback ${index + 1} requires a provider`);
+        }
+        const fallbackMapping = normalizeVaultMapping(entry.mapping);
+        return {
+          provider: fallbackProvider,
+          auth: normalizeVaultAuth(name, fallbackProvider, entry.auth),
+          ...Object.keys(fallbackMapping).length > 0 ? { mapping: fallbackMapping } : {}
+        };
+      });
       return [
         name,
         {
@@ -1613,12 +1621,20 @@ function normalizeVaults(vaults) {
           auth: normalizedAuth,
           ...Object.keys(normalizedMapping).length > 0 ? {
             mapping: normalizedMapping
-          } : {}
+          } : {},
+          ...fallback.length > 0 ? { fallback } : {}
         }
       ];
     })
   );
 }
+function normalizeVaultMapping(mapping) {
+  return Object.fromEntries(
+    Object.entries(mapping ?? {}).filter(
+      (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+    ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+  );
+}
 function normalizeAuthSources(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return void 0;
@@ -2566,7 +2582,7 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path11.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
@@ -2913,6 +2929,23 @@ var SecretCache = class {
   get(vaultId, ref) {
     return this.cache.get(`${vaultId}:${ref}`);
   }
+  delete(vaultId, ref) {
+    this.cache.delete(`${vaultId}:${ref}`);
+  }
+  replace(vaultId, secrets) {
+    this.clear(vaultId);
+    this.load(vaultId, secrets);
+  }
+  entriesForVault(vaultId) {
+    const entries = /* @__PURE__ */ new Map();
+    for (const [key, value] of this.cache) {
+      const prefix = `${vaultId}:`;
+      if (key.startsWith(prefix)) {
+        entries.set(key.slice(prefix.length), value);
+      }
+    }
+    return entries;
+  }
   clear(vaultId) {
     if (!vaultId) {
       this.cache.clear();
@@ -3078,7 +3111,7 @@ var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
 };
 
 // ../core/src/secrets/providers/registry.ts
-function createSecretVaultProvider(vaultId, definition, processEnv) {
+function createSecretVaultProvider(vaultId, definition, processEnv, factories = []) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
@@ -3088,9 +3121,30 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
+  const factory = factories.find((candidate) => candidate.provider === definition.provider);
+  if (factory) {
+    return factory.create(vaultId, definition, processEnv);
+  }
   throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
 }
 
+// ../core/src/secrets/providerCompatibility.ts
+function assertSecretRefVaultProviderCompatible(manifest, ref, logicalKey = "secret ref") {
+  if (!ref.vault || !ref.provider) {
+    return;
+  }
+  const definition = manifest.vaults[ref.vault];
+  if (!definition || definition.provider === ref.provider) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Secret ref "${logicalKey}" declares provider "${ref.provider}" but vault "${ref.vault}" uses provider "${definition.provider}". Remove the ref provider or use a matching vault.`
+  );
+}
+
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -3131,6 +3185,23 @@ function toAuthError(vaultId, sources) {
     `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
   );
 }
+async function resolveTokenFromSource(source, processEnv) {
+  if (source.startsWith("env:")) {
+    return processEnv[source.slice(4)] || void 0;
+  }
+  if (source.startsWith("file:")) {
+    try {
+      const value = await (0, import_promises12.readFile)(expandHomePath(source.slice("file:".length)), "utf8");
+      return value.trim() || void 0;
+    } catch {
+      return void 0;
+    }
+  }
+  if (source.startsWith("keychain:")) {
+    return readKeychain(source.slice("keychain:".length));
+  }
+  return void 0;
+}
 async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
   const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
   if (sessionKey) {
@@ -3146,6 +3217,32 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
+  if (definition.auth?.method === "iam") {
+    return {
+      method: "iam",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.auth?.method === "environment") {
+    return {
+      method: "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const tokenSources = definition.auth?.token?.from ?? [];
+  for (const source of tokenSources) {
+    const token = await resolveTokenFromSource(source, processEnv);
+    if (token) {
+      return {
+        token,
+        method: "token",
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      };
+    }
+  }
+  if (definition.auth?.method === "token") {
+    throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...tokenSources]);
+  }
   const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
   for (const source of sources) {
     if (source.startsWith("env:")) {
@@ -3197,22 +3294,76 @@ function collectSecretDescriptors(graph) {
     ref: entry.value
   }));
 }
-async function batchResolveSecrets(graph, manifest, processEnv = process.env) {
+function secretGroupKey(manifest, descriptor) {
+  assertSecretRefVaultProviderCompatible(manifest, descriptor.ref, descriptor.logicalKey);
+  const vaultId = descriptor.ref.vault ?? "default";
+  const provider = descriptor.ref.provider ?? manifest.vaults[vaultId]?.provider ?? "local";
+  return `${vaultId}\0${provider}`;
+}
+function vaultDefinitionForRef(manifest, ref) {
+  assertSecretRefVaultProviderCompatible(manifest, ref);
+  const vaultId = ref.vault ?? "default";
+  const base = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
+  if (!ref.provider || ref.provider === base.provider) {
+    return base;
+  }
+  return {
+    ...base,
+    provider: ref.provider
+  };
+}
+async function resolveFromDefinition(vaultId, definition, refs, processEnv, factories) {
+  const runtimeDefinition = {
+    provider: definition.provider,
+    ...definition.auth ? { auth: definition.auth } : {},
+    ...definition.mapping ? { mapping: definition.mapping } : {}
+  };
+  const provider = createSecretVaultProvider(vaultId, runtimeDefinition, processEnv, factories);
+  const auth = await resolveVaultAuth(vaultId, runtimeDefinition, processEnv);
+  await provider.authenticate(auth);
+  return provider.batchGet(refs.map((entry) => entry.ref.ref));
+}
+async function batchResolveSecrets(graph, manifest, processEnv = process.env, factories = []) {
   const cache = new SecretCache();
   const descriptors = collectSecretDescriptors(graph);
   const grouped = descriptors.reduce((accumulator, descriptor) => {
-    const vaultId = descriptor.ref.vault ?? "default";
-    const bucket = accumulator.get(vaultId) ?? [];
+    const key = secretGroupKey(manifest, descriptor);
+    const bucket = accumulator.get(key) ?? [];
     bucket.push(descriptor);
-    accumulator.set(vaultId, bucket);
+    accumulator.set(key, bucket);
     return accumulator;
   }, /* @__PURE__ */ new Map());
-  for (const [vaultId, refs] of grouped) {
-    const definition = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
-    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
-    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
-    await provider.authenticate(auth);
-    const resolved = await provider.batchGet(refs.map((entry) => entry.ref.ref));
+  for (const refs of grouped.values()) {
+    const first = refs[0];
+    if (!first) {
+      continue;
+    }
+    const vaultId = first.ref.vault ?? "default";
+    const definition = vaultDefinitionForRef(manifest, first.ref);
+    const definitions = [definition, ...definition.fallback ?? []];
+    const resolved = /* @__PURE__ */ new Map();
+    let remaining = refs;
+    let lastError;
+    for (const candidate of definitions) {
+      try {
+        const candidateValues = await resolveFromDefinition(vaultId, candidate, remaining, processEnv, factories);
+        for (const descriptor of remaining) {
+          const value = candidateValues.get(descriptor.ref.ref);
+          if (value !== void 0) {
+            resolved.set(descriptor.ref.ref, value);
+          }
+        }
+        remaining = remaining.filter((descriptor) => !resolved.has(descriptor.ref.ref));
+        if (remaining.length === 0) {
+          break;
+        }
+      } catch (error) {
+        lastError = error;
+      }
+    }
+    if (resolved.size === 0 && lastError) {
+      throw lastError;
+    }
     cache.load(vaultId, resolved);
     await appendAuditEvent(
       {
@@ -3233,7 +3384,11 @@ function resolveSecretEntryValue(key, value, cache) {
     return value;
   }
   const vaultId = value.vault ?? "default";
-  return cache.get(vaultId, value.ref) ?? value;
+  const resolved = cache.get(vaultId, value.ref);
+  if (resolved !== void 0 || cache.isVaultAuthenticated(vaultId)) {
+    return resolved;
+  }
+  return value;
 }
 
 // ../core/src/runtime/projection.ts
@@ -3336,19 +3491,117 @@ function configHash(values) {
 function shouldProjectResolvedValue(sourceId) {
   return sourceId !== "process-env";
 }
+var SAFE_PROJECTED_CONFIG_KEYS = /* @__PURE__ */ new Set([
+  "address",
+  "audience",
+  "clientid",
+  "endpoint",
+  "mount",
+  "namespace",
+  "path",
+  "projectid",
+  "region",
+  "scope",
+  "scopes",
+  "serviceaccountemail",
+  "tenant",
+  "tenantid",
+  "url",
+  "version",
+  "vaulturl"
+]);
+function isSafeProjectedConfigKey(key) {
+  return SAFE_PROJECTED_CONFIG_KEYS.has(key.replace(/[^A-Za-z0-9]/g, "").toLowerCase());
+}
+function sanitizeProjectedConfigValue(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeProjectedConfigValue(item));
+  }
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+  return stableSortObject(
+    Object.fromEntries(
+      Object.entries(value).map(([key, item]) => [key, sanitizeProjectedConfigValue(item)]).filter(([key, item]) => {
+        if (item && typeof item === "object" && !Array.isArray(item)) {
+          return Object.keys(item).length > 0;
+        }
+        return isSafeProjectedConfigKey(key);
+      })
+    )
+  );
+}
+function sanitizeProjectedConfig(config) {
+  const sanitized = sanitizeProjectedConfigValue(config);
+  if (!sanitized || typeof sanitized !== "object" || Array.isArray(sanitized)) {
+    return void 0;
+  }
+  return Object.keys(sanitized).length > 0 ? sanitized : void 0;
+}
+function projectVaultAuth(definition) {
+  const auth = definition.auth;
+  if (!auth) {
+    return void 0;
+  }
+  const config = auth.config ? sanitizeProjectedConfig(auth.config) : void 0;
+  const projected = {
+    ...auth.method ? { method: auth.method } : {},
+    ...auth.passphrase?.from ? {
+      passphrase: {
+        from: [...auth.passphrase.from]
+      }
+    } : {},
+    ...auth.token?.from ? {
+      token: {
+        from: [...auth.token.from]
+      }
+    } : {},
+    ...config ? { config } : {}
+  };
+  return Object.keys(projected).length > 0 ? projected : void 0;
+}
+function projectVaultDefinition(definition) {
+  const auth = projectVaultAuth(definition);
+  const mapping = definition.mapping ? stableSortObject(definition.mapping) : void 0;
+  const fallback = definition.fallback?.map((entry) => projectVaultDefinition({
+    provider: entry.provider,
+    ...entry.auth ? { auth: entry.auth } : {},
+    ...entry.mapping ? { mapping: entry.mapping } : {}
+  }));
+  return {
+    provider: definition.provider,
+    ...auth ? { auth } : {},
+    ...mapping && Object.keys(mapping).length > 0 ? { mapping } : {},
+    ...fallback && fallback.length > 0 ? { fallback } : {}
+  };
+}
+function projectReferencedVaults(manifest, vaultIds) {
+  const projected = {};
+  for (const vaultId of Array.from(vaultIds).sort((left, right) => left.localeCompare(right))) {
+    const definition = manifest.vaults[vaultId];
+    if (definition) {
+      projected[vaultId] = projectVaultDefinition(definition);
+    }
+  }
+  return Object.keys(projected).length > 0 ? projected : void 0;
+}
 function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
   const values = {};
   const derived = {};
   const secretRefs = {};
+  const referencedVaultIds = /* @__PURE__ */ new Set();
   const namespaces = /* @__PURE__ */ new Set();
   const runtimeNamespaces = /* @__PURE__ */ new Set();
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      assertSecretRefVaultProviderCompatible(manifest, entry.value, key);
       const vaultId = entry.value.vault ?? "default";
+      const provider = entry.value.provider ?? manifest.vaults[vaultId]?.provider ?? "local";
       const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
+      referencedVaultIds.add(vaultId);
       secretRefs[key.slice("secret.".length)] = {
-        provider: entry.value.provider,
+        provider,
         vault: vaultId,
         ref: entry.value.ref,
         ...envVar ? {
@@ -3394,6 +3647,7 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
       namespaces.add(entry.namespace);
     }
   }
+  const vaults = projectReferencedVaults(manifest, referencedVaultIds);
   return {
     version: 1,
     workspace: graph.workspace.workspaceId,
@@ -3403,6 +3657,7 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
     values: stableSortObject(values),
     derived: stableSortObject(derived),
     secretRefs: stableSortObject(secretRefs),
+    ...vaults ? { vaults } : {},
     publicKeys,
     runtimeNamespaces: Array.from(runtimeNamespaces).sort((left, right) => left.localeCompare(right)),
     meta: {
@@ -3517,9 +3772,10 @@ function toPublicEnv(graph, manifest, options = {}, helpers = {}) {
 }
 
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev", secretVaultProviders = []) {
   const runtimeProviders = createDefaultRuntimeProviders(manifest, processEnv);
   const derivedSupport = createDerivedRuntimeSupport(graph, manifest, runtimeProviders);
+  let activeSecretCache = secretCache;
   function resolveProjectedSourceKey(key) {
     if (!key.startsWith("public.")) {
       return key;
@@ -3536,30 +3792,38 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
       return;
     }
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return;
     }
     const vaultId = entry.value.vault ?? "default";
-    const definition = manifest.vaults[vaultId] ?? {
-      provider: entry.value.provider,
-      auth: { passphrase: { from: [] } }
-    };
-    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
-    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
-    await provider.authenticate(auth);
-    const value = await provider.get(entry.value.ref);
-    if (value !== void 0) {
-      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    const refreshed = await batchResolveSecrets(
+      {
+        ...graph,
+        entries: /* @__PURE__ */ new Map([[key, entry]])
+      },
+      manifest,
+      processEnv,
+      secretVaultProviders
+    );
+    const resolved = refreshed.get(vaultId, entry.value.ref);
+    const existing = activeSecretCache.entriesForVault(vaultId);
+    existing.delete(entry.value.ref);
+    if (resolved !== void 0) {
+      existing.set(entry.value.ref, resolved);
     }
+    activeSecretCache.replace(vaultId, existing);
   }
   async function refreshAllSecrets() {
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return;
     }
-    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
-    for (const key of secretKeys) {
-      await refreshSecretEntry(key);
-    }
+    const refreshed = await batchResolveSecrets(
+      graph,
+      manifest,
+      processEnv,
+      secretVaultProviders
+    );
+    activeSecretCache = refreshed;
   }
   function readLogicalKey(key) {
     const resolved = derivedSupport.read(key, (ref) => {
@@ -3567,10 +3831,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
       if (!entry2) {
         return void 0;
       }
-      if (!secretCache) {
+      if (!activeSecretCache) {
         return entry2.value;
       }
-      return resolveSecretEntryValue(ref, entry2.value, secretCache);
+      return resolveSecretEntryValue(ref, entry2.value, activeSecretCache);
     });
     if (resolved !== void 0 || graph.entries.has(key) || manifest.runtimeNamespaces[key.split(".")[0] ?? ""]) {
       return resolved;
@@ -3579,10 +3843,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     if (!entry) {
       return void 0;
     }
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return entry.value;
     }
-    return resolveSecretEntryValue(key, entry.value, secretCache);
+    return resolveSecretEntryValue(key, entry.value, activeSecretCache);
   }
   return {
     manifest,
@@ -3619,10 +3883,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
           if (!entry) {
             return void 0;
           }
-          if (!secretCache) {
+          if (!activeSecretCache) {
             return entry.value;
           }
-          return resolveSecretEntryValue(candidate, entry.value, secretCache);
+          return resolveSecretEntryValue(candidate, entry.value, activeSecretCache);
         })
       });
     },
@@ -3813,7 +4077,12 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(
+    promotedGraph,
+    loadedManifest.manifest,
+    options.processEnv,
+    options.secretVaultProviders
+  );
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3823,12 +4092,13 @@ async function createCnos(options = {}) {
     plugins,
     secretCache,
     options.processEnv,
-    options.cnosVersion
+    options.cnosVersion,
+    options.secretVaultProviders
   );
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
@@ -3866,7 +4136,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.10.0",
+  version: "1.11.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4065,7 +4335,7 @@ function createCliArgsPlugin() {
 }
 
 // ../../plugins/dotenv/src/index.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
@@ -4152,7 +4422,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises13.readFile)(filePath, "utf8");
+    return await (0, import_promises14.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }
@@ -4218,16 +4488,16 @@ function createPublicEnvExportPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemSecretsReader.ts
-var import_promises15 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 
 // ../../plugins/filesystem/src/helpers.ts
-var import_promises14 = require("fs/promises");
+var import_promises15 = require("fs/promises");
 var import_node_path15 = __toESM(require("path"), 1);
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
 async function existsDirectory(targetPath) {
   try {
-    const stat2 = await (0, import_promises14.readdir)(targetPath);
+    const stat2 = await (0, import_promises15.readdir)(targetPath);
     void stat2;
     return true;
   } catch {
@@ -4235,7 +4505,7 @@ async function existsDirectory(targetPath) {
   }
 }
 async function collectYamlFiles(root) {
-  const entries = await (0, import_promises14.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises15.readdir)(root, { withFileTypes: true });
   const results = [];
   for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
     const absolutePath = import_node_path15.default.join(root, entry.name);
@@ -4337,7 +4607,7 @@ function createFilesystemSecretsPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises15.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
@@ -4353,7 +4623,7 @@ function createFilesystemSecretsPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemValuesReader.ts
-var import_promises16 = require("fs/promises");
+var import_promises17 = require("fs/promises");
 function filesystemValuesReader(filePath, document, workspaceId = "default") {
   return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
 }
@@ -4374,7 +4644,7 @@ function createFilesystemValuesPlugin() {
       ).map(([namespace]) => namespace);
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises17.readFile)(file.absolutePath, "utf8");
         entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
       }
       for (const namespace of customNamespaces) {
@@ -4389,7 +4659,7 @@ function createFilesystemValuesPlugin() {
           layers
         );
         for (const file of namespaceFiles) {
-          const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
+          const document = await (0, import_promises17.readFile)(file.absolutePath, "utf8");
           entries.push(...yamlObjectToEntries(document, file.relativePath, namespace, "filesystem-values", file.workspaceId));
         }
       }
@@ -4635,15 +4905,13 @@ function validateServerProjectionSecretRefs(runtime) {
     }
     const vaultId = entry.value.vault ?? "default";
     const definition = runtime.manifest.vaults[vaultId];
-    if (!definition) {
+    if (!definition && entry.value.vault) {
       throw new CnosManifestError(`Unknown vault "${vaultId}" for secret ref "${entry.key}"`);
     }
-    if (entry.value.provider !== definition.provider) {
-      throw new CnosManifestError(
-        `Secret ref "${entry.key}" declares provider "${entry.value.provider}" but vault "${vaultId}" uses provider "${definition.provider}"`
-      );
+    if (!definition && !entry.value.provider) {
+      throw new CnosManifestError(`Secret ref "${entry.key}" must declare a provider or reference a configured vault`);
     }
-    createSecretVaultProvider(vaultId, definition);
+    assertSecretRefVaultProviderCompatible(runtime.manifest, entry.value, entry.key);
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/build/index.d.cts

@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-Ud1o2MBn.cjs';
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-BW8SLnRx.cjs';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});

package/dist/build/index.d.ts

@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-Ud1o2MBn.js';
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-BW8SLnRx.js';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});