@kitsy/cnos 1.10.0 → 1.11.0

package/dist/{chunk-EIK7OUFP.js → chunk-XGK6DXQL.js}

@@ -3,7 +3,7 @@ import {
   graphRequiresSecretHydration,
   readRuntimeGraphFromEnv,
   readServerProjectionFromEnv
-} from "./chunk-UKNL2Y4N.js";
+} from "./chunk-T3E57MSQ.js";
 import {
   createCnos,
   getBootstrappedSecretHydrationRequired,
@@ -12,8 +12,9 @@ import {
   setBootstrappedSecretHydrationRequired,
   setSingletonReady,
   setSingletonRuntime
-} from "./chunk-CSA4L64V.js";
+} from "./chunk-NFGPS7VJ.js";
 import {
+  assertSecretRefVaultProviderCompatible,
   createDefaultRuntimeProviders,
   createDerivedRuntimeSupport,
   createSecretVaultProvider,
@@ -28,12 +29,25 @@ import {
   toLogicalKey,
   toNamespaceObject,
   toPublicEnv
-} from "./chunk-MQ4WG3K6.js";
+} from "./chunk-WPB4HB2K.js";
 
 // src/runtime/index.ts
 import { existsSync, readFileSync } from "fs";
 import path from "path";
 var NOT_READY_MESSAGE = "CNOS not initialized. Call await cnos.ready() or use cnos run.";
+var bootstrappedProjection;
+var singletonRuntimeProviders = /* @__PURE__ */ new Map();
+var singletonSecretVaultProviders = /* @__PURE__ */ new Map();
+function registerSingletonSecretVaultProvider(factory) {
+  singletonSecretVaultProviders.set(factory.provider, factory);
+}
+function mergeSecretVaultProviders(factories = []) {
+  const merged = new Map(singletonSecretVaultProviders);
+  for (const factory of factories) {
+    merged.set(factory.provider, factory);
+  }
+  return Array.from(merged.values());
+}
 function getRuntimeOrThrow() {
   const runtime = getSingletonRuntime();
   if (!runtime) {
@@ -97,6 +111,7 @@ function attachBootstrappedGraph(graph) {
   if (getSingletonRuntime()) {
     return;
   }
+  bootstrappedProjection = void 0;
   const bootstrappedManifest = {
     version: 1,
     project: {
@@ -167,6 +182,9 @@ function attachBootstrappedGraph(graph) {
     schema: {}
   };
   const runtimeProviders = createDefaultRuntimeProviders(bootstrappedManifest, process.env);
+  for (const [namespace, provider] of singletonRuntimeProviders) {
+    registerRuntimeProvider(bootstrappedManifest, runtimeProviders, namespace, provider);
+  }
   const derivedSupport = createDerivedRuntimeSupport(graph, bootstrappedManifest, runtimeProviders);
   const resolveProjectedSourceKey = (key) => {
     if (!key.startsWith("public.")) {
@@ -235,6 +253,7 @@ function attachBootstrappedGraph(graph) {
     },
     registerRuntimeProvider(namespace, provider) {
       registerRuntimeProvider(bootstrappedManifest, runtimeProviders, namespace, provider);
+      singletonRuntimeProviders.set(namespace, provider);
     },
     async refreshSecrets() {
       return;
@@ -246,7 +265,7 @@ function attachBootstrappedGraph(graph) {
   setSingletonRuntime(runtime);
   setBootstrappedSecretHydrationRequired(graphRequiresSecretHydration(graph));
 }
-function toBootstrappedManifest(graph, runtimeNamespaces = []) {
+function toBootstrappedManifest(graph, runtimeNamespaces = [], vaults = {}) {
   return {
     version: 1,
     project: {
@@ -307,7 +326,7 @@ function toBootstrappedManifest(graph, runtimeNamespaces = []) {
         ])
       )
     },
-    vaults: {},
+    vaults,
     writePolicy: {
       define: {
         defaultProfile: graph.profile,
@@ -442,14 +461,34 @@ function graphFromProjection(projection) {
     }
   };
 }
-function attachBootstrappedProjection(projection, force = false) {
+function vaultDefinitionFromProjection(manifest, projection, key, ref) {
+  assertSecretRefVaultProviderCompatible(manifest, ref, key);
+  const vaultId = ref.vault ?? "default";
+  const projected = projection.vaults?.[vaultId];
+  const mapping = {
+    ...projected?.mapping ?? {},
+    ...ref.envVar ? { [ref.envVar]: ref.ref } : {}
+  };
+  return {
+    provider: projected?.provider ?? ref.provider ?? "local",
+    ...projected?.auth ? { auth: projected.auth } : {},
+    ...Object.keys(mapping).length > 0 ? { mapping } : {},
+    ...projected?.fallback ? { fallback: projected.fallback } : {}
+  };
+}
+function attachBootstrappedProjection(projection, force = false, options = {}) {
   if (getSingletonRuntime() && !force) {
     return;
   }
+  bootstrappedProjection = projection;
   const graph = graphFromProjection(projection);
-  const manifest = toBootstrappedManifest(graph, projection.runtimeNamespaces);
+  const manifest = toBootstrappedManifest(graph, projection.runtimeNamespaces, projection.vaults ?? {});
   const hydratedSecrets = /* @__PURE__ */ new Map();
+  const secretVaultProviders = mergeSecretVaultProviders(options.secretVaultProviders);
   const runtimeProviders = createDefaultRuntimeProviders(manifest, process.env);
+  for (const [namespace, provider] of singletonRuntimeProviders) {
+    registerRuntimeProvider(manifest, runtimeProviders, namespace, provider);
+  }
   const derivedSupport = createDerivedRuntimeSupport(graph, manifest, runtimeProviders);
   const resolveProjectedSourceKey = (key) => {
     if (!key.startsWith("public.")) {
@@ -462,32 +501,95 @@ function attachBootstrappedProjection(projection, force = false) {
     const fallback = `value.${key.slice("public.".length)}`;
     return graph.entries.has(fallback) ? fallback : key;
   };
-  const resolveSecretValue = async (key) => {
+  const projectedDescriptorForKey = (key) => {
     const entry = graph.entries.get(key);
     if (!entry || entry.namespace !== "secret") {
-      return entry?.value;
-    }
-    if (hydratedSecrets.has(key)) {
-      return hydratedSecrets.get(key);
+      return void 0;
     }
     const ref = projection.secretRefs[key.slice("secret.".length)];
     if (!ref) {
       return void 0;
     }
-    const definition = {
-      provider: ref.provider,
-      ...ref.envVar ? {
-        mapping: {
-          [ref.envVar]: ref.ref
-        }
-      } : {}
+    const definition = vaultDefinitionFromProjection(manifest, projection, key, ref);
+    return {
+      key,
+      ref,
+      vaultId: ref.vault ?? "default",
+      definitions: [definition, ...definition.fallback ?? []]
     };
-    const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
-    const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
-    await provider.authenticate(auth);
-    const value = await provider.get(ref.ref);
-    hydratedSecrets.set(key, value);
-    return value;
+  };
+  const runtimeDefinitionForCandidate = (candidate) => ({
+    provider: candidate.provider,
+    ...candidate.auth ? { auth: candidate.auth } : {},
+    ...candidate.mapping ? { mapping: candidate.mapping } : {}
+  });
+  const hydrateProjectedSecrets = async (keys) => {
+    const requestedKeys = keys ?? Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`);
+    let remaining = requestedKeys.filter((key) => !hydratedSecrets.has(key)).map((key) => projectedDescriptorForKey(key)).filter((descriptor) => Boolean(descriptor));
+    const lastErrors = /* @__PURE__ */ new Map();
+    let candidateIndex = 0;
+    while (remaining.length > 0) {
+      const grouped = /* @__PURE__ */ new Map();
+      const exhausted = [];
+      for (const descriptor of remaining) {
+        const candidate = descriptor.definitions[candidateIndex];
+        if (!candidate) {
+          exhausted.push(descriptor);
+          continue;
+        }
+        const groupKey = `${descriptor.vaultId}\0${candidate.provider}`;
+        const group = grouped.get(groupKey) ?? {
+          vaultId: descriptor.vaultId,
+          definition: candidate,
+          descriptors: []
+        };
+        group.descriptors.push(descriptor);
+        grouped.set(groupKey, group);
+      }
+      if (grouped.size === 0) {
+        remaining = exhausted;
+        break;
+      }
+      const unresolved = [...exhausted];
+      for (const group of grouped.values()) {
+        const runtimeDefinition = runtimeDefinitionForCandidate(group.definition);
+        try {
+          const provider = createSecretVaultProvider(
+            group.vaultId,
+            runtimeDefinition,
+            process.env,
+            secretVaultProviders
+          );
+          const auth = await resolveVaultAuth(group.vaultId, runtimeDefinition, process.env);
+          await provider.authenticate(auth);
+          const refs = Array.from(new Set(group.descriptors.map((descriptor) => descriptor.ref.ref))).sort((left, right) => left.localeCompare(right));
+          const values = await provider.batchGet(refs);
+          for (const descriptor of group.descriptors) {
+            const value = values.get(descriptor.ref.ref);
+            if (value !== void 0) {
+              hydratedSecrets.set(descriptor.key, value);
+              lastErrors.delete(descriptor.key);
+            } else {
+              unresolved.push(descriptor);
+            }
+          }
+        } catch (error) {
+          for (const descriptor of group.descriptors) {
+            lastErrors.set(descriptor.key, error);
+            unresolved.push(descriptor);
+          }
+        }
+      }
+      remaining = unresolved.filter((descriptor) => !hydratedSecrets.has(descriptor.key));
+      candidateIndex += 1;
+    }
+    for (const descriptor of remaining) {
+      const error = lastErrors.get(descriptor.key);
+      if (error) {
+        throw error;
+      }
+      hydratedSecrets.set(descriptor.key, void 0);
+    }
   };
   const runtime = {
     manifest,
@@ -557,14 +659,14 @@ function attachBootstrappedProjection(projection, force = false) {
     toNamespace(namespace) {
       return toNamespaceObject(graph, namespace, (key) => this.read(key));
     },
-    toEnv(options) {
-      return toEnv(graph, manifest, options, {
+    toEnv(options2) {
+      return toEnv(graph, manifest, options2, {
         read: (key) => this.read(key),
         isRuntimeDependent: (key) => derivedSupport.isRuntimeDependentKey(key)
       });
     },
-    toPublicEnv(options) {
-      return toPublicEnv(graph, manifest, options, {
+    toPublicEnv(options2) {
+      return toPublicEnv(graph, manifest, options2, {
         read: (key) => derivedSupport.toConcreteValue(
           resolveProjectedSourceKey(key),
           (ref) => {
@@ -587,16 +689,18 @@ function attachBootstrappedProjection(projection, force = false) {
     },
     registerRuntimeProvider(namespace, provider) {
       registerRuntimeProvider(manifest, runtimeProviders, namespace, provider);
+      singletonRuntimeProviders.set(namespace, provider);
     },
     async refreshSecrets() {
-      for (const key of Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`)) {
+      const keys = Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`);
+      for (const key of keys) {
         hydratedSecrets.delete(key);
-        await resolveSecretValue(key);
       }
+      await hydrateProjectedSecrets(keys);
     },
     async refreshSecret(key) {
       hydratedSecrets.delete(key);
-      await resolveSecretValue(key);
+      await hydrateProjectedSecrets([key]);
     }
   };
   setSingletonRuntime(runtime);
@@ -703,14 +807,23 @@ var cnos = Object.assign(
       console.log(formatted);
       return formatted;
     },
-    async loadProjection(source) {
+    async loadProjection(source, options = {}) {
       const resolvedSource = path.resolve(source);
       const projection = deserializeServerProjection(readFileSync(resolvedSource, "utf8"));
-      attachBootstrappedProjection(projection, true);
+      attachBootstrappedProjection(projection, true, options);
       setBootstrappedSecretHydrationRequired(Object.keys(projection.secretRefs).length > 0);
     },
     registerRuntimeProvider(namespace, provider) {
       getRuntimeOrThrow().registerRuntimeProvider(namespace, provider);
+      singletonRuntimeProviders.set(namespace, provider);
+    },
+    registerSecretVaultProvider(factory) {
+      registerSingletonSecretVaultProvider(factory);
+    },
+    registerSecretVaultProviders(factories) {
+      for (const factory of factories) {
+        registerSingletonSecretVaultProvider(factory);
+      }
     },
     async refreshSecrets() {
       await getRuntimeOrThrow().refreshSecrets();
@@ -719,10 +832,14 @@ var cnos = Object.assign(
     async refreshSecret(key) {
       await getRuntimeOrThrow().refreshSecret(key);
     },
-    async ready() {
+    async ready(options = {}) {
       const runtime = getSingletonRuntime();
+      const secretVaultProviders = mergeSecretVaultProviders(options.secretVaultProviders);
       if (runtime && getBootstrappedSecretHydrationRequired()) {
-        await runtime.refreshSecrets();
+        const runtimeToHydrate = bootstrappedProjection && secretVaultProviders.length > 0 ? (attachBootstrappedProjection(bootstrappedProjection, true, {
+          secretVaultProviders
+        }), getRuntimeOrThrow()) : runtime;
+        await runtimeToHydrate.refreshSecrets();
         setBootstrappedSecretHydrationRequired(false);
         return;
       }
@@ -734,7 +851,10 @@ var cnos = Object.assign(
         await existing;
         return;
       }
-      const readyPromise = createCnos().then((runtime2) => {
+      const readyPromise = createCnos({
+        ...options,
+        secretVaultProviders
+      }).then((runtime2) => {
         setSingletonRuntime(runtime2);
         setBootstrappedSecretHydrationRequired(false);
         return runtime2;