npm - @kitsy/cnos - Versions diffs - 1.10.0 → 1.11.0 - Mend

@kitsy/cnos 1.10.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/dist/build/index.cjs +331 -63
package/dist/build/index.d.cts +1 -1
package/dist/build/index.d.ts +1 -1
package/dist/build/index.js +13 -15
package/dist/{chunk-A5U7EZCJ.js → chunk-2DMCB3PK.js} +1 -1
package/dist/{chunk-RTHKUGJV.js → chunk-5JGNRADB.js} +1 -1
package/dist/{chunk-3EZGPQCE.js → chunk-DPC2BV3S.js} +1 -1
package/dist/{chunk-FHXLOWAB.js → chunk-KJ57PF47.js} +1 -1
package/dist/{chunk-CSA4L64V.js → chunk-NFGPS7VJ.js} +10 -10
package/dist/{chunk-ESBHCFC6.js → chunk-NU25VFA2.js} +1 -1
package/dist/{chunk-UGLATJJD.js → chunk-RNTTPI5S.js} +1 -1
package/dist/{chunk-UKNL2Y4N.js → chunk-T3E57MSQ.js} +1 -1
package/dist/{chunk-MQ4WG3K6.js → chunk-WPB4HB2K.js} +320 -49
package/dist/{chunk-EIK7OUFP.js → chunk-XGK6DXQL.js} +157 -37
package/dist/configure/index.cjs +329 -59
package/dist/configure/index.d.cts +3 -3
package/dist/configure/index.d.ts +3 -3
package/dist/configure/index.js +8 -8
package/dist/{core-Ud1o2MBn.d.cts → core-BW8SLnRx.d.cts} +34 -2
package/dist/{core-Ud1o2MBn.d.ts → core-BW8SLnRx.d.ts} +34 -2
package/dist/{envNaming-DxxqiGKN.d.cts → envNaming-1rk7BR0e.d.cts} +1 -1
package/dist/{envNaming-CPwXl4I6.d.ts → envNaming-CjL28IeH.d.ts} +1 -1
package/dist/index.cjs +480 -91
package/dist/index.d.cts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +10 -10
package/dist/internal.cjs +89 -23
package/dist/internal.d.cts +3 -3
package/dist/internal.d.ts +3 -3
package/dist/internal.js +2 -2
package/dist/plugin/basic-schema.cjs +4 -1
package/dist/plugin/basic-schema.d.cts +1 -1
package/dist/plugin/basic-schema.d.ts +1 -1
package/dist/plugin/basic-schema.js +2 -2
package/dist/plugin/cli-args.cjs +4 -1
package/dist/plugin/cli-args.d.cts +1 -1
package/dist/plugin/cli-args.d.ts +1 -1
package/dist/plugin/cli-args.js +2 -2
package/dist/plugin/dotenv.cjs +6 -3
package/dist/plugin/dotenv.d.cts +2 -2
package/dist/plugin/dotenv.d.ts +2 -2
package/dist/plugin/dotenv.js +2 -2
package/dist/plugin/env-export.cjs +5 -2
package/dist/plugin/env-export.d.cts +2 -2
package/dist/plugin/env-export.d.ts +2 -2
package/dist/plugin/env-export.js +2 -2
package/dist/plugin/filesystem.cjs +13 -10
package/dist/plugin/filesystem.d.cts +1 -1
package/dist/plugin/filesystem.d.ts +1 -1
package/dist/plugin/filesystem.js +2 -2
package/dist/plugin/process-env.cjs +4 -1
package/dist/plugin/process-env.d.cts +2 -2
package/dist/plugin/process-env.d.ts +2 -2
package/dist/plugin/process-env.js +2 -2
package/dist/runtime/index.cjs +480 -91
package/dist/runtime/index.d.cts +13 -6
package/dist/runtime/index.d.ts +13 -6
package/dist/runtime/index.js +10 -10
package/dist/{toPublicEnv-fUZMRUOz.d.cts → toPublicEnv-CZzpvhGg.d.cts} +1 -1
package/dist/{toPublicEnv-C9wPSpRo.d.ts → toPublicEnv-CmydGcxg.d.ts} +1 -1
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -1603,11 +1603,19 @@ function normalizeVaults(vaults) {
         throw new CnosManifestError(`Vault "${name}" requires a provider`);
       }
       const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
-      const normalizedMapping = Object.fromEntries(
-        Object.entries(definition.mapping ?? {}).filter(
-          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
-        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
-      );
+      const normalizedMapping = normalizeVaultMapping(definition.mapping);
+      const fallback = (definition.fallback ?? []).map((entry, index) => {
+        const fallbackProvider = entry.provider?.trim();
+        if (!fallbackProvider) {
+          throw new CnosManifestError(`Vault "${name}" fallback ${index + 1} requires a provider`);
+        }
+        const fallbackMapping = normalizeVaultMapping(entry.mapping);
+        return {
+          provider: fallbackProvider,
+          auth: normalizeVaultAuth(name, fallbackProvider, entry.auth),
+          ...Object.keys(fallbackMapping).length > 0 ? { mapping: fallbackMapping } : {}
+        };
+      });
       return [
         name,
         {
@@ -1615,12 +1623,20 @@ function normalizeVaults(vaults) {
           auth: normalizedAuth,
           ...Object.keys(normalizedMapping).length > 0 ? {
             mapping: normalizedMapping
-          } : {}
+          } : {},
+          ...fallback.length > 0 ? { fallback } : {}
         }
       ];
     })
   );
 }
+function normalizeVaultMapping(mapping) {
+  return Object.fromEntries(
+    Object.entries(mapping ?? {}).filter(
+      (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+    ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+  );
+}
 function normalizeAuthSources(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return void 0;
@@ -2568,7 +2584,7 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path11.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
@@ -2915,6 +2931,23 @@ var SecretCache = class {
   get(vaultId, ref) {
     return this.cache.get(`${vaultId}:${ref}`);
   }
+  delete(vaultId, ref) {
+    this.cache.delete(`${vaultId}:${ref}`);
+  }
+  replace(vaultId, secrets) {
+    this.clear(vaultId);
+    this.load(vaultId, secrets);
+  }
+  entriesForVault(vaultId) {
+    const entries = /* @__PURE__ */ new Map();
+    for (const [key, value] of this.cache) {
+      const prefix = `${vaultId}:`;
+      if (key.startsWith(prefix)) {
+        entries.set(key.slice(prefix.length), value);
+      }
+    }
+    return entries;
+  }
   clear(vaultId) {
     if (!vaultId) {
       this.cache.clear();
@@ -3080,7 +3113,7 @@ var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
 };
 // ../core/src/secrets/providers/registry.ts
-function createSecretVaultProvider(vaultId, definition, processEnv) {
+function createSecretVaultProvider(vaultId, definition, processEnv, factories = []) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
@@ -3090,9 +3123,30 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
+  const factory = factories.find((candidate) => candidate.provider === definition.provider);
+  if (factory) {
+    return factory.create(vaultId, definition, processEnv);
+  }
   throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
 }
+// ../core/src/secrets/providerCompatibility.ts
+function assertSecretRefVaultProviderCompatible(manifest, ref, logicalKey = "secret ref") {
+  if (!ref.vault || !ref.provider) {
+    return;
+  }
+  const definition = manifest.vaults[ref.vault];
+  if (!definition || definition.provider === ref.provider) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Secret ref "${logicalKey}" declares provider "${ref.provider}" but vault "${ref.vault}" uses provider "${definition.provider}". Remove the ref provider or use a matching vault.`
+  );
+}
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -3133,6 +3187,23 @@ function toAuthError(vaultId, sources) {
     `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
   );
 }
+async function resolveTokenFromSource(source, processEnv) {
+  if (source.startsWith("env:")) {
+    return processEnv[source.slice(4)] || void 0;
+  }
+  if (source.startsWith("file:")) {
+    try {
+      const value = await (0, import_promises12.readFile)(expandHomePath(source.slice("file:".length)), "utf8");
+      return value.trim() || void 0;
+    } catch {
+      return void 0;
+    }
+  }
+  if (source.startsWith("keychain:")) {
+    return readKeychain(source.slice("keychain:".length));
+  }
+  return void 0;
+}
 async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
   const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
   if (sessionKey) {
@@ -3148,6 +3219,32 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
+  if (definition.auth?.method === "iam") {
+    return {
+      method: "iam",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.auth?.method === "environment") {
+    return {
+      method: "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const tokenSources = definition.auth?.token?.from ?? [];
+  for (const source of tokenSources) {
+    const token = await resolveTokenFromSource(source, processEnv);
+    if (token) {
+      return {
+        token,
+        method: "token",
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      };
+    }
+  }
+  if (definition.auth?.method === "token") {
+    throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...tokenSources]);
+  }
   const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
   for (const source of sources) {
     if (source.startsWith("env:")) {
@@ -3199,22 +3296,76 @@ function collectSecretDescriptors(graph) {
     ref: entry.value
   }));
 }
-async function batchResolveSecrets(graph, manifest, processEnv = process.env) {
+function secretGroupKey(manifest, descriptor) {
+  assertSecretRefVaultProviderCompatible(manifest, descriptor.ref, descriptor.logicalKey);
+  const vaultId = descriptor.ref.vault ?? "default";
+  const provider = descriptor.ref.provider ?? manifest.vaults[vaultId]?.provider ?? "local";
+  return `${vaultId}\0${provider}`;
+}
+function vaultDefinitionForRef(manifest, ref) {
+  assertSecretRefVaultProviderCompatible(manifest, ref);
+  const vaultId = ref.vault ?? "default";
+  const base = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
+  if (!ref.provider || ref.provider === base.provider) {
+    return base;
+  }
+  return {
+    ...base,
+    provider: ref.provider
+  };
+}
+async function resolveFromDefinition(vaultId, definition, refs, processEnv, factories) {
+  const runtimeDefinition = {
+    provider: definition.provider,
+    ...definition.auth ? { auth: definition.auth } : {},
+    ...definition.mapping ? { mapping: definition.mapping } : {}
+  };
+  const provider = createSecretVaultProvider(vaultId, runtimeDefinition, processEnv, factories);
+  const auth = await resolveVaultAuth(vaultId, runtimeDefinition, processEnv);
+  await provider.authenticate(auth);
+  return provider.batchGet(refs.map((entry) => entry.ref.ref));
+}
+async function batchResolveSecrets(graph, manifest, processEnv = process.env, factories = []) {
   const cache = new SecretCache();
   const descriptors = collectSecretDescriptors(graph);
   const grouped = descriptors.reduce((accumulator, descriptor) => {
-    const vaultId = descriptor.ref.vault ?? "default";
-    const bucket = accumulator.get(vaultId) ?? [];
+    const key = secretGroupKey(manifest, descriptor);
+    const bucket = accumulator.get(key) ?? [];
     bucket.push(descriptor);
-    accumulator.set(vaultId, bucket);
+    accumulator.set(key, bucket);
     return accumulator;
   }, /* @__PURE__ */ new Map());
-  for (const [vaultId, refs] of grouped) {
-    const definition = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
-    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
-    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
-    await provider.authenticate(auth);
-    const resolved = await provider.batchGet(refs.map((entry) => entry.ref.ref));
+  for (const refs of grouped.values()) {
+    const first = refs[0];
+    if (!first) {
+      continue;
+    }
+    const vaultId = first.ref.vault ?? "default";
+    const definition = vaultDefinitionForRef(manifest, first.ref);
+    const definitions = [definition, ...definition.fallback ?? []];
+    const resolved = /* @__PURE__ */ new Map();
+    let remaining = refs;
+    let lastError;
+    for (const candidate of definitions) {
+      try {
+        const candidateValues = await resolveFromDefinition(vaultId, candidate, remaining, processEnv, factories);
+        for (const descriptor of remaining) {
+          const value = candidateValues.get(descriptor.ref.ref);
+          if (value !== void 0) {
+            resolved.set(descriptor.ref.ref, value);
+          }
+        }
+        remaining = remaining.filter((descriptor) => !resolved.has(descriptor.ref.ref));
+        if (remaining.length === 0) {
+          break;
+        }
+      } catch (error) {
+        lastError = error;
+      }
+    }
+    if (resolved.size === 0 && lastError) {
+      throw lastError;
+    }
     cache.load(vaultId, resolved);
     await appendAuditEvent(
       {
@@ -3235,7 +3386,11 @@ function resolveSecretEntryValue(key, value, cache) {
     return value;
   }
   const vaultId = value.vault ?? "default";
-  return cache.get(vaultId, value.ref) ?? value;
+  const resolved = cache.get(vaultId, value.ref);
+  if (resolved !== void 0 || cache.isVaultAuthenticated(vaultId)) {
+    return resolved;
+  }
+  return value;
 }
 // ../core/src/runtime/projection.ts
@@ -3338,19 +3493,117 @@ function configHash(values) {
 function shouldProjectResolvedValue(sourceId) {
   return sourceId !== "process-env";
 }
+var SAFE_PROJECTED_CONFIG_KEYS = /* @__PURE__ */ new Set([
+  "address",
+  "audience",
+  "clientid",
+  "endpoint",
+  "mount",
+  "namespace",
+  "path",
+  "projectid",
+  "region",
+  "scope",
+  "scopes",
+  "serviceaccountemail",
+  "tenant",
+  "tenantid",
+  "url",
+  "version",
+  "vaulturl"
+]);
+function isSafeProjectedConfigKey(key) {
+  return SAFE_PROJECTED_CONFIG_KEYS.has(key.replace(/[^A-Za-z0-9]/g, "").toLowerCase());
+}
+function sanitizeProjectedConfigValue(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeProjectedConfigValue(item));
+  }
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+  return stableSortObject(
+    Object.fromEntries(
+      Object.entries(value).map(([key, item]) => [key, sanitizeProjectedConfigValue(item)]).filter(([key, item]) => {
+        if (item && typeof item === "object" && !Array.isArray(item)) {
+          return Object.keys(item).length > 0;
+        }
+        return isSafeProjectedConfigKey(key);
+      })
+    )
+  );
+}
+function sanitizeProjectedConfig(config) {
+  const sanitized = sanitizeProjectedConfigValue(config);
+  if (!sanitized || typeof sanitized !== "object" || Array.isArray(sanitized)) {
+    return void 0;
+  }
+  return Object.keys(sanitized).length > 0 ? sanitized : void 0;
+}
+function projectVaultAuth(definition) {
+  const auth = definition.auth;
+  if (!auth) {
+    return void 0;
+  }
+  const config = auth.config ? sanitizeProjectedConfig(auth.config) : void 0;
+  const projected = {
+    ...auth.method ? { method: auth.method } : {},
+    ...auth.passphrase?.from ? {
+      passphrase: {
+        from: [...auth.passphrase.from]
+      }
+    } : {},
+    ...auth.token?.from ? {
+      token: {
+        from: [...auth.token.from]
+      }
+    } : {},
+    ...config ? { config } : {}
+  };
+  return Object.keys(projected).length > 0 ? projected : void 0;
+}
+function projectVaultDefinition(definition) {
+  const auth = projectVaultAuth(definition);
+  const mapping = definition.mapping ? stableSortObject(definition.mapping) : void 0;
+  const fallback = definition.fallback?.map((entry) => projectVaultDefinition({
+    provider: entry.provider,
+    ...entry.auth ? { auth: entry.auth } : {},
+    ...entry.mapping ? { mapping: entry.mapping } : {}
+  }));
+  return {
+    provider: definition.provider,
+    ...auth ? { auth } : {},
+    ...mapping && Object.keys(mapping).length > 0 ? { mapping } : {},
+    ...fallback && fallback.length > 0 ? { fallback } : {}
+  };
+}
+function projectReferencedVaults(manifest, vaultIds) {
+  const projected = {};
+  for (const vaultId of Array.from(vaultIds).sort((left, right) => left.localeCompare(right))) {
+    const definition = manifest.vaults[vaultId];
+    if (definition) {
+      projected[vaultId] = projectVaultDefinition(definition);
+    }
+  }
+  return Object.keys(projected).length > 0 ? projected : void 0;
+}
 function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
   const values = {};
   const derived = {};
   const secretRefs = {};
+  const referencedVaultIds = /* @__PURE__ */ new Set();
   const namespaces = /* @__PURE__ */ new Set();
   const runtimeNamespaces = /* @__PURE__ */ new Set();
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      assertSecretRefVaultProviderCompatible(manifest, entry.value, key);
       const vaultId = entry.value.vault ?? "default";
+      const provider = entry.value.provider ?? manifest.vaults[vaultId]?.provider ?? "local";
       const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
+      referencedVaultIds.add(vaultId);
       secretRefs[key.slice("secret.".length)] = {
-        provider: entry.value.provider,
+        provider,
         vault: vaultId,
         ref: entry.value.ref,
         ...envVar ? {
@@ -3396,6 +3649,7 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
       namespaces.add(entry.namespace);
     }
   }
+  const vaults = projectReferencedVaults(manifest, referencedVaultIds);
   return {
     version: 1,
     workspace: graph.workspace.workspaceId,
@@ -3405,6 +3659,7 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
     values: stableSortObject(values),
     derived: stableSortObject(derived),
     secretRefs: stableSortObject(secretRefs),
+    ...vaults ? { vaults } : {},
     publicKeys,
     runtimeNamespaces: Array.from(runtimeNamespaces).sort((left, right) => left.localeCompare(right)),
     meta: {
@@ -3519,9 +3774,10 @@ function toPublicEnv(graph, manifest, options = {}, helpers = {}) {
 }
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev", secretVaultProviders = []) {
   const runtimeProviders = createDefaultRuntimeProviders(manifest, processEnv);
   const derivedSupport = createDerivedRuntimeSupport(graph, manifest, runtimeProviders);
+  let activeSecretCache = secretCache;
   function resolveProjectedSourceKey(key) {
     if (!key.startsWith("public.")) {
       return key;
@@ -3538,30 +3794,38 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
       return;
     }
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return;
     }
     const vaultId = entry.value.vault ?? "default";
-    const definition = manifest.vaults[vaultId] ?? {
-      provider: entry.value.provider,
-      auth: { passphrase: { from: [] } }
-    };
-    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
-    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
-    await provider.authenticate(auth);
-    const value = await provider.get(entry.value.ref);
-    if (value !== void 0) {
-      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    const refreshed = await batchResolveSecrets(
+      {
+        ...graph,
+        entries: /* @__PURE__ */ new Map([[key, entry]])
+      },
+      manifest,
+      processEnv,
+      secretVaultProviders
+    );
+    const resolved = refreshed.get(vaultId, entry.value.ref);
+    const existing = activeSecretCache.entriesForVault(vaultId);
+    existing.delete(entry.value.ref);
+    if (resolved !== void 0) {
+      existing.set(entry.value.ref, resolved);
     }
+    activeSecretCache.replace(vaultId, existing);
   }
   async function refreshAllSecrets() {
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return;
     }
-    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
-    for (const key of secretKeys) {
-      await refreshSecretEntry(key);
-    }
+    const refreshed = await batchResolveSecrets(
+      graph,
+      manifest,
+      processEnv,
+      secretVaultProviders
+    );
+    activeSecretCache = refreshed;
   }
   function readLogicalKey2(key) {
     const resolved = derivedSupport.read(key, (ref) => {
@@ -3569,10 +3833,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
       if (!entry2) {
         return void 0;
       }
-      if (!secretCache) {
+      if (!activeSecretCache) {
         return entry2.value;
       }
-      return resolveSecretEntryValue(ref, entry2.value, secretCache);
+      return resolveSecretEntryValue(ref, entry2.value, activeSecretCache);
     });
     if (resolved !== void 0 || graph.entries.has(key) || manifest.runtimeNamespaces[key.split(".")[0] ?? ""]) {
       return resolved;
@@ -3581,10 +3845,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     if (!entry) {
       return void 0;
     }
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return entry.value;
     }
-    return resolveSecretEntryValue(key, entry.value, secretCache);
+    return resolveSecretEntryValue(key, entry.value, activeSecretCache);
   }
   return {
     manifest,
@@ -3621,10 +3885,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
           if (!entry) {
             return void 0;
           }
-          if (!secretCache) {
+          if (!activeSecretCache) {
             return entry.value;
           }
-          return resolveSecretEntryValue(candidate, entry.value, secretCache);
+          return resolveSecretEntryValue(candidate, entry.value, activeSecretCache);
         })
       });
     },
@@ -3815,7 +4079,12 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(
+    promotedGraph,
+    loadedManifest.manifest,
+    options.processEnv,
+    options.secretVaultProviders
+  );
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3825,12 +4094,13 @@ async function createCnos(options = {}) {
     plugins,
     secretCache,
     options.processEnv,
-    options.cnosVersion
+    options.cnosVersion,
+    options.secretVaultProviders
   );
 }
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 // ../core/src/utils/envNaming.ts
@@ -3868,7 +4138,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.10.0",
+  version: "1.11.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4067,7 +4337,7 @@ function createCliArgsPlugin() {
 }
 // ../../plugins/dotenv/src/index.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
@@ -4154,7 +4424,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises13.readFile)(filePath, "utf8");
+    return await (0, import_promises14.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }
@@ -4220,16 +4490,16 @@ function createPublicEnvExportPlugin() {
 }
 // ../../plugins/filesystem/src/filesystemSecretsReader.ts
-var import_promises15 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 // ../../plugins/filesystem/src/helpers.ts
-var import_promises14 = require("fs/promises");
+var import_promises15 = require("fs/promises");
 var import_node_path15 = __toESM(require("path"), 1);
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
 async function existsDirectory(targetPath) {
   try {
-    const stat2 = await (0, import_promises14.readdir)(targetPath);
+    const stat2 = await (0, import_promises15.readdir)(targetPath);
     void stat2;
     return true;
   } catch {
@@ -4237,7 +4507,7 @@ async function existsDirectory(targetPath) {
   }
 }
 async function collectYamlFiles(root) {
-  const entries = await (0, import_promises14.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises15.readdir)(root, { withFileTypes: true });
   const results = [];
   for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
     const absolutePath = import_node_path15.default.join(root, entry.name);
@@ -4339,7 +4609,7 @@ function createFilesystemSecretsPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises15.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
@@ -4355,7 +4625,7 @@ function createFilesystemSecretsPlugin() {
 }
 // ../../plugins/filesystem/src/filesystemValuesReader.ts
-var import_promises16 = require("fs/promises");
+var import_promises17 = require("fs/promises");
 function filesystemValuesReader(filePath, document, workspaceId = "default") {
   return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
 }
@@ -4376,7 +4646,7 @@ function createFilesystemValuesPlugin() {
       ).map(([namespace]) => namespace);
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises17.readFile)(file.absolutePath, "utf8");
         entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
       }
       for (const namespace of customNamespaces) {
@@ -4391,7 +4661,7 @@ function createFilesystemValuesPlugin() {
           layers
         );
         for (const file of namespaceFiles) {
-          const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
+          const document = await (0, import_promises17.readFile)(file.absolutePath, "utf8");
           entries.push(...yamlObjectToEntries(document, file.relativePath, namespace, "filesystem-values", file.workspaceId));
         }
       }
@@ -4647,6 +4917,19 @@ function graphRequiresSecretHydration(graph) {
 // src/runtime/index.ts
 var NOT_READY_MESSAGE = "CNOS not initialized. Call await cnos.ready() or use cnos run.";
+var bootstrappedProjection;
+var singletonRuntimeProviders = /* @__PURE__ */ new Map();
+var singletonSecretVaultProviders = /* @__PURE__ */ new Map();
+function registerSingletonSecretVaultProvider(factory) {
+  singletonSecretVaultProviders.set(factory.provider, factory);
+}
+function mergeSecretVaultProviders(factories = []) {
+  const merged = new Map(singletonSecretVaultProviders);
+  for (const factory of factories) {
+    merged.set(factory.provider, factory);
+  }
+  return Array.from(merged.values());
+}
 function getRuntimeOrThrow() {
   const runtime = getSingletonRuntime();
   if (!runtime) {
@@ -4710,6 +4993,7 @@ function attachBootstrappedGraph(graph) {
   if (getSingletonRuntime()) {
     return;
   }
+  bootstrappedProjection = void 0;
   const bootstrappedManifest = {
     version: 1,
     project: {
@@ -4780,6 +5064,9 @@ function attachBootstrappedGraph(graph) {
     schema: {}
   };
   const runtimeProviders = createDefaultRuntimeProviders(bootstrappedManifest, process.env);
+  for (const [namespace, provider] of singletonRuntimeProviders) {
+    registerRuntimeProvider(bootstrappedManifest, runtimeProviders, namespace, provider);
+  }
   const derivedSupport = createDerivedRuntimeSupport(graph, bootstrappedManifest, runtimeProviders);
   const resolveProjectedSourceKey = (key) => {
     if (!key.startsWith("public.")) {
@@ -4848,6 +5135,7 @@ function attachBootstrappedGraph(graph) {
     },
     registerRuntimeProvider(namespace, provider) {
       registerRuntimeProvider(bootstrappedManifest, runtimeProviders, namespace, provider);
+      singletonRuntimeProviders.set(namespace, provider);
     },
     async refreshSecrets() {
       return;
@@ -4859,7 +5147,7 @@ function attachBootstrappedGraph(graph) {
   setSingletonRuntime(runtime);
   setBootstrappedSecretHydrationRequired(graphRequiresSecretHydration(graph));
 }
-function toBootstrappedManifest(graph, runtimeNamespaces = []) {
+function toBootstrappedManifest(graph, runtimeNamespaces = [], vaults = {}) {
   return {
     version: 1,
     project: {
@@ -4920,7 +5208,7 @@ function toBootstrappedManifest(graph, runtimeNamespaces = []) {
         ])
       )
     },
-    vaults: {},
+    vaults,
     writePolicy: {
       define: {
         defaultProfile: graph.profile,
@@ -5055,14 +5343,34 @@ function graphFromProjection(projection) {
     }
   };
 }
-function attachBootstrappedProjection(projection, force = false) {
+function vaultDefinitionFromProjection(manifest, projection, key, ref) {
+  assertSecretRefVaultProviderCompatible(manifest, ref, key);
+  const vaultId = ref.vault ?? "default";
+  const projected = projection.vaults?.[vaultId];
+  const mapping = {
+    ...projected?.mapping ?? {},
+    ...ref.envVar ? { [ref.envVar]: ref.ref } : {}
+  };
+  return {
+    provider: projected?.provider ?? ref.provider ?? "local",
+    ...projected?.auth ? { auth: projected.auth } : {},
+    ...Object.keys(mapping).length > 0 ? { mapping } : {},
+    ...projected?.fallback ? { fallback: projected.fallback } : {}
+  };
+}
+function attachBootstrappedProjection(projection, force = false, options = {}) {
   if (getSingletonRuntime() && !force) {
     return;
   }
+  bootstrappedProjection = projection;
   const graph = graphFromProjection(projection);
-  const manifest = toBootstrappedManifest(graph, projection.runtimeNamespaces);
+  const manifest = toBootstrappedManifest(graph, projection.runtimeNamespaces, projection.vaults ?? {});
   const hydratedSecrets = /* @__PURE__ */ new Map();
+  const secretVaultProviders = mergeSecretVaultProviders(options.secretVaultProviders);
   const runtimeProviders = createDefaultRuntimeProviders(manifest, process.env);
+  for (const [namespace, provider] of singletonRuntimeProviders) {
+    registerRuntimeProvider(manifest, runtimeProviders, namespace, provider);
+  }
   const derivedSupport = createDerivedRuntimeSupport(graph, manifest, runtimeProviders);
   const resolveProjectedSourceKey = (key) => {
     if (!key.startsWith("public.")) {
@@ -5075,32 +5383,95 @@ function attachBootstrappedProjection(projection, force = false) {
     const fallback = `value.${key.slice("public.".length)}`;
     return graph.entries.has(fallback) ? fallback : key;
   };
-  const resolveSecretValue = async (key) => {
+  const projectedDescriptorForKey = (key) => {
     const entry = graph.entries.get(key);
     if (!entry || entry.namespace !== "secret") {
-      return entry?.value;
-    }
-    if (hydratedSecrets.has(key)) {
-      return hydratedSecrets.get(key);
+      return void 0;
     }
     const ref = projection.secretRefs[key.slice("secret.".length)];
     if (!ref) {
       return void 0;
     }
-    const definition = {
-      provider: ref.provider,
-      ...ref.envVar ? {
-        mapping: {
-          [ref.envVar]: ref.ref
-        }
-      } : {}
+    const definition = vaultDefinitionFromProjection(manifest, projection, key, ref);
+    return {
+      key,
+      ref,
+      vaultId: ref.vault ?? "default",
+      definitions: [definition, ...definition.fallback ?? []]
     };
-    const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
-    const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
-    await provider.authenticate(auth);
-    const value = await provider.get(ref.ref);
-    hydratedSecrets.set(key, value);
-    return value;
+  };
+  const runtimeDefinitionForCandidate = (candidate) => ({
+    provider: candidate.provider,
+    ...candidate.auth ? { auth: candidate.auth } : {},
+    ...candidate.mapping ? { mapping: candidate.mapping } : {}
+  });
+  const hydrateProjectedSecrets = async (keys) => {
+    const requestedKeys = keys ?? Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`);
+    let remaining = requestedKeys.filter((key) => !hydratedSecrets.has(key)).map((key) => projectedDescriptorForKey(key)).filter((descriptor) => Boolean(descriptor));
+    const lastErrors = /* @__PURE__ */ new Map();
+    let candidateIndex = 0;
+    while (remaining.length > 0) {
+      const grouped = /* @__PURE__ */ new Map();
+      const exhausted = [];
+      for (const descriptor of remaining) {
+        const candidate = descriptor.definitions[candidateIndex];
+        if (!candidate) {
+          exhausted.push(descriptor);
+          continue;
+        }
+        const groupKey = `${descriptor.vaultId}\0${candidate.provider}`;
+        const group = grouped.get(groupKey) ?? {
+          vaultId: descriptor.vaultId,
+          definition: candidate,
+          descriptors: []
+        };
+        group.descriptors.push(descriptor);
+        grouped.set(groupKey, group);
+      }
+      if (grouped.size === 0) {
+        remaining = exhausted;
+        break;
+      }
+      const unresolved = [...exhausted];
+      for (const group of grouped.values()) {
+        const runtimeDefinition = runtimeDefinitionForCandidate(group.definition);
+        try {
+          const provider = createSecretVaultProvider(
+            group.vaultId,
+            runtimeDefinition,
+            process.env,
+            secretVaultProviders
+          );
+          const auth = await resolveVaultAuth(group.vaultId, runtimeDefinition, process.env);
+          await provider.authenticate(auth);
+          const refs = Array.from(new Set(group.descriptors.map((descriptor) => descriptor.ref.ref))).sort((left, right) => left.localeCompare(right));
+          const values = await provider.batchGet(refs);
+          for (const descriptor of group.descriptors) {
+            const value = values.get(descriptor.ref.ref);
+            if (value !== void 0) {
+              hydratedSecrets.set(descriptor.key, value);
+              lastErrors.delete(descriptor.key);
+            } else {
+              unresolved.push(descriptor);
+            }
+          }
+        } catch (error) {
+          for (const descriptor of group.descriptors) {
+            lastErrors.set(descriptor.key, error);
+            unresolved.push(descriptor);
+          }
+        }
+      }
+      remaining = unresolved.filter((descriptor) => !hydratedSecrets.has(descriptor.key));
+      candidateIndex += 1;
+    }
+    for (const descriptor of remaining) {
+      const error = lastErrors.get(descriptor.key);
+      if (error) {
+        throw error;
+      }
+      hydratedSecrets.set(descriptor.key, void 0);
+    }
   };
   const runtime = {
     manifest,
@@ -5170,14 +5541,14 @@ function attachBootstrappedProjection(projection, force = false) {
     toNamespace(namespace) {
       return toNamespaceObject(graph, namespace, (key) => this.read(key));
     },
-    toEnv(options) {
-      return toEnv(graph, manifest, options, {
+    toEnv(options2) {
+      return toEnv(graph, manifest, options2, {
         read: (key) => this.read(key),
         isRuntimeDependent: (key) => derivedSupport.isRuntimeDependentKey(key)
       });
     },
-    toPublicEnv(options) {
-      return toPublicEnv(graph, manifest, options, {
+    toPublicEnv(options2) {
+      return toPublicEnv(graph, manifest, options2, {
         read: (key) => derivedSupport.toConcreteValue(
           resolveProjectedSourceKey(key),
           (ref) => {
@@ -5200,16 +5571,18 @@ function attachBootstrappedProjection(projection, force = false) {
     },
     registerRuntimeProvider(namespace, provider) {
       registerRuntimeProvider(manifest, runtimeProviders, namespace, provider);
+      singletonRuntimeProviders.set(namespace, provider);
     },
     async refreshSecrets() {
-      for (const key of Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`)) {
+      const keys = Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`);
+      for (const key of keys) {
         hydratedSecrets.delete(key);
-        await resolveSecretValue(key);
       }
+      await hydrateProjectedSecrets(keys);
     },
     async refreshSecret(key) {
       hydratedSecrets.delete(key);
-      await resolveSecretValue(key);
+      await hydrateProjectedSecrets([key]);
     }
   };
   setSingletonRuntime(runtime);
@@ -5316,14 +5689,23 @@ var cnos = Object.assign(
       console.log(formatted);
       return formatted;
     },
-    async loadProjection(source) {
+    async loadProjection(source, options = {}) {
       const resolvedSource = import_node_path16.default.resolve(source);
       const projection = deserializeServerProjection((0, import_node_fs.readFileSync)(resolvedSource, "utf8"));
-      attachBootstrappedProjection(projection, true);
+      attachBootstrappedProjection(projection, true, options);
       setBootstrappedSecretHydrationRequired(Object.keys(projection.secretRefs).length > 0);
     },
     registerRuntimeProvider(namespace, provider) {
       getRuntimeOrThrow().registerRuntimeProvider(namespace, provider);
+      singletonRuntimeProviders.set(namespace, provider);
+    },
+    registerSecretVaultProvider(factory) {
+      registerSingletonSecretVaultProvider(factory);
+    },
+    registerSecretVaultProviders(factories) {
+      for (const factory of factories) {
+        registerSingletonSecretVaultProvider(factory);
+      }
     },
     async refreshSecrets() {
       await getRuntimeOrThrow().refreshSecrets();
@@ -5332,10 +5714,14 @@ var cnos = Object.assign(
     async refreshSecret(key) {
       await getRuntimeOrThrow().refreshSecret(key);
     },
-    async ready() {
+    async ready(options = {}) {
       const runtime = getSingletonRuntime();
+      const secretVaultProviders = mergeSecretVaultProviders(options.secretVaultProviders);
       if (runtime && getBootstrappedSecretHydrationRequired()) {
-        await runtime.refreshSecrets();
+        const runtimeToHydrate = bootstrappedProjection && secretVaultProviders.length > 0 ? (attachBootstrappedProjection(bootstrappedProjection, true, {
+          secretVaultProviders
+        }), getRuntimeOrThrow()) : runtime;
+        await runtimeToHydrate.refreshSecrets();
         setBootstrappedSecretHydrationRequired(false);
         return;
       }
@@ -5347,7 +5733,10 @@ var cnos = Object.assign(
         await existing;
         return;
       }
-      const readyPromise = createCnos2().then((runtime2) => {
+      const readyPromise = createCnos2({
+        ...options,
+        secretVaultProviders
+      }).then((runtime2) => {
         setSingletonRuntime(runtime2);
         setBootstrappedSecretHydrationRequired(false);
         return runtime2;