@kitsy/cnos 1.10.0 → 1.11.1

package/dist/index.d.cts

@@ -1,2 +1,2 @@
-export { CnosSingleton, default as cnos, default } from './runtime/index.cjs';
-export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-Ud1o2MBn.cjs';
+export { CnosSingleton, CnosSingletonProjectionOptions, default as cnos, default } from './runtime/index.cjs';
+export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, A as RemoteSecretVaultProvider, l as RuntimeProvider, t as SecretVaultProvider, s as SecretVaultProviderFactory, r as VaultAuthConfig, q as VaultDefinition } from './core-CGJObpyy.cjs';

package/dist/index.d.ts

@@ -1,2 +1,2 @@
-export { CnosSingleton, default as cnos, default } from './runtime/index.js';
-export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-Ud1o2MBn.js';
+export { CnosSingleton, CnosSingletonProjectionOptions, default as cnos, default } from './runtime/index.js';
+export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, A as RemoteSecretVaultProvider, l as RuntimeProvider, t as SecretVaultProvider, s as SecretVaultProviderFactory, r as VaultAuthConfig, q as VaultDefinition } from './core-CGJObpyy.js';

package/dist/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "./chunk-EIK7OUFP.js";
-import "./chunk-UKNL2Y4N.js";
-import "./chunk-CSA4L64V.js";
-import "./chunk-3EZGPQCE.js";
-import "./chunk-RTHKUGJV.js";
-import "./chunk-ESBHCFC6.js";
-import "./chunk-UGLATJJD.js";
-import "./chunk-A5U7EZCJ.js";
-import "./chunk-FHXLOWAB.js";
-import "./chunk-MQ4WG3K6.js";
+} from "./chunk-X4PBPUKL.js";
+import "./chunk-T3E57MSQ.js";
+import "./chunk-V3USPV5U.js";
+import "./chunk-DPC2BV3S.js";
+import "./chunk-5JGNRADB.js";
+import "./chunk-NU25VFA2.js";
+import "./chunk-RNTTPI5S.js";
+import "./chunk-2DMCB3PK.js";
+import "./chunk-KJ57PF47.js";
+import "./chunk-WPB4HB2K.js";
 export {
   runtime_default as cnos,
   runtime_default as default

package/dist/internal.cjs

@@ -1295,11 +1295,19 @@ function normalizeVaults(vaults) {
         throw new CnosManifestError(`Vault "${name}" requires a provider`);
       }
       const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
-      const normalizedMapping = Object.fromEntries(
-        Object.entries(definition.mapping ?? {}).filter(
-          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
-        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
-      );
+      const normalizedMapping = normalizeVaultMapping(definition.mapping);
+      const fallback = (definition.fallback ?? []).map((entry, index) => {
+        const fallbackProvider = entry.provider?.trim();
+        if (!fallbackProvider) {
+          throw new CnosManifestError(`Vault "${name}" fallback ${index + 1} requires a provider`);
+        }
+        const fallbackMapping = normalizeVaultMapping(entry.mapping);
+        return {
+          provider: fallbackProvider,
+          auth: normalizeVaultAuth(name, fallbackProvider, entry.auth),
+          ...Object.keys(fallbackMapping).length > 0 ? { mapping: fallbackMapping } : {}
+        };
+      });
       return [
         name,
         {
@@ -1307,12 +1315,20 @@ function normalizeVaults(vaults) {
           auth: normalizedAuth,
           ...Object.keys(normalizedMapping).length > 0 ? {
             mapping: normalizedMapping
-          } : {}
+          } : {},
+          ...fallback.length > 0 ? { fallback } : {}
         }
       ];
     })
   );
 }
+function normalizeVaultMapping(mapping) {
+  return Object.fromEntries(
+    Object.entries(mapping ?? {}).filter(
+      (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+    ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+  );
+}
 function normalizeAuthSources(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return void 0;
@@ -1636,7 +1652,7 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path11.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
@@ -2138,7 +2154,7 @@ var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
 };
 
 // ../core/src/secrets/providers/registry.ts
-function createSecretVaultProvider(vaultId, definition, processEnv) {
+function createSecretVaultProvider(vaultId, definition, processEnv, factories = []) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
@@ -2148,9 +2164,16 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
+  const factory = factories.find((candidate) => candidate.provider === definition.provider);
+  if (factory) {
+    return factory.create(vaultId, definition, processEnv);
+  }
   throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
 }
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -2191,6 +2214,23 @@ function toAuthError(vaultId, sources) {
     `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
   );
 }
+async function resolveTokenFromSource(source, processEnv) {
+  if (source.startsWith("env:")) {
+    return processEnv[source.slice(4)] || void 0;
+  }
+  if (source.startsWith("file:")) {
+    try {
+      const value = await (0, import_promises12.readFile)(expandHomePath(source.slice("file:".length)), "utf8");
+      return value.trim() || void 0;
+    } catch {
+      return void 0;
+    }
+  }
+  if (source.startsWith("keychain:")) {
+    return readKeychain(source.slice("keychain:".length));
+  }
+  return void 0;
+}
 async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
   const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
   if (sessionKey) {
@@ -2206,6 +2246,32 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
+  if (definition.auth?.method === "iam") {
+    return {
+      method: "iam",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.auth?.method === "environment") {
+    return {
+      method: "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const tokenSources = definition.auth?.token?.from ?? [];
+  for (const source of tokenSources) {
+    const token = await resolveTokenFromSource(source, processEnv);
+    if (token) {
+      return {
+        token,
+        method: "token",
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      };
+    }
+  }
+  if (definition.auth?.method === "token") {
+    throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...tokenSources]);
+  }
   const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
   for (const source of sources) {
     if (source.startsWith("env:")) {
@@ -2254,7 +2320,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
@@ -2656,7 +2722,7 @@ function generateCodegenContent(manifest, sourcePath, typeModuleImport = "./cnos
 }
 
 // src/codegen/writeOutput.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 function stripTsExtension(filePath) {
   return filePath.replace(/(\.d)?\.[cm]?tsx?$/i, "").replace(/\.[cm]?jsx?$/i, "");
@@ -2676,10 +2742,10 @@ async function writeCodegenOutput(options = {}) {
   const outputRoot = loadedManifest.rootResolution.remote ? loadedManifest.consumerRoot : loadedManifest.repoRoot;
   const paths = resolveCodegenPaths(outputRoot, options.out);
   const generated = generateCodegenContent(loadedManifest.manifest, loadedManifest.manifestPath, paths.typeImportPath);
-  await (0, import_promises13.mkdir)(import_node_path14.default.dirname(paths.typesPath), { recursive: true });
-  await (0, import_promises13.mkdir)(import_node_path14.default.dirname(paths.runtimePath), { recursive: true });
-  await (0, import_promises13.writeFile)(paths.typesPath, generated.typesContent, "utf8");
-  await (0, import_promises13.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
+  await (0, import_promises14.mkdir)(import_node_path14.default.dirname(paths.typesPath), { recursive: true });
+  await (0, import_promises14.mkdir)(import_node_path14.default.dirname(paths.runtimePath), { recursive: true });
+  await (0, import_promises14.writeFile)(paths.typesPath, generated.typesContent, "utf8");
+  await (0, import_promises14.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
   return {
     manifestPath: loadedManifest.manifestPath,
     typesPath: paths.typesPath,
@@ -2982,7 +3048,7 @@ function formatDriftReport(report) {
 }
 
 // src/migrate/applyManifest.ts
-var import_promises14 = require("fs/promises");
+var import_promises15 = require("fs/promises");
 function sortRecord(record) {
   return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
 }
@@ -3017,7 +3083,7 @@ async function applyManifestMappings(proposals, root) {
       promote: Array.from(promoted).sort((left, right) => left.localeCompare(right))
     };
   }
-  await (0, import_promises14.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
+  await (0, import_promises15.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
   return {
     manifestPath: loadedManifest.manifestPath,
     appliedMappings,
@@ -3052,7 +3118,7 @@ function proposeMapping(envVar) {
 }
 
 // src/migrate/rewriteSource.ts
-var import_promises15 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 function importStatementFor(kind) {
   return kind === "import-meta-env" ? "import cnos from '@kitsy/cnos/browser';" : "import cnos from '@kitsy/cnos';";
 }
@@ -3073,7 +3139,7 @@ async function rewriteSourceFiles(usages, proposals) {
   const backupFiles = [];
   const skippedUsages = [];
   for (const [filePath, fileUsages] of fileGroups.entries()) {
-    const original = await (0, import_promises15.readFile)(filePath, "utf8");
+    const original = await (0, import_promises16.readFile)(filePath, "utf8");
     let nextSource = original;
     let changed = false;
     const importKinds = /* @__PURE__ */ new Set();
@@ -3100,7 +3166,7 @@ async function rewriteSourceFiles(usages, proposals) {
       continue;
     }
     const backupPath = `${filePath}.bak`;
-    await (0, import_promises15.copyFile)(filePath, backupPath);
+    await (0, import_promises16.copyFile)(filePath, backupPath);
     backupFiles.push(backupPath);
     for (const kind of Array.from(importKinds)) {
       const importStatement = importStatementFor(kind);
@@ -3109,7 +3175,7 @@ async function rewriteSourceFiles(usages, proposals) {
 ${nextSource}`;
       }
     }
-    await (0, import_promises15.writeFile)(filePath, nextSource, "utf8");
+    await (0, import_promises16.writeFile)(filePath, nextSource, "utf8");
     rewrittenFiles.push(filePath);
   }
   return {
@@ -3120,7 +3186,7 @@ ${nextSource}`;
 }
 
 // src/migrate/scanEnvUsage.ts
-var import_promises16 = require("fs/promises");
+var import_promises17 = require("fs/promises");
 var import_node_path15 = __toESM(require("path"), 1);
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mts", ".cts", ".mjs", ".cjs"]);
 var PROCESS_ENV_DOT = /process\.env\.([A-Z][A-Z0-9_]*)/g;
@@ -3128,7 +3194,7 @@ var PROCESS_ENV_BRACKET = /process\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
 var IMPORT_META_ENV_DOT = /import\.meta\.env\.([A-Z][A-Z0-9_]*)/g;
 var IMPORT_META_ENV_BRACKET = /import\.meta\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
 async function collectFiles(root) {
-  const entries = await (0, import_promises16.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises17.readdir)(root, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
     const filePath = import_node_path15.default.join(root, entry.name);
@@ -3165,7 +3231,7 @@ async function scanEnvUsage(scanRoot) {
   const files = await collectFiles(scanRoot);
   const usages = [];
   for (const filePath of files) {
-    const source = await (0, import_promises16.readFile)(filePath, "utf8");
+    const source = await (0, import_promises17.readFile)(filePath, "utf8");
     usages.push(...collectMatches(filePath, source, PROCESS_ENV_DOT, "process-env"));
     usages.push(...collectMatches(filePath, source, PROCESS_ENV_BRACKET, "process-env"));
     usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_DOT, "import-meta-env"));

package/dist/internal.d.cts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-Ud1o2MBn.cjs';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-Ud1o2MBn.cjs';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProviderFactory, t as SecretVaultProvider, u as ResolvedRoot, m as NamespaceName, v as RootResolution, w as SecretReference, g as CnosRuntime, x as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-CGJObpyy.cjs';
+export { l as RuntimeProvider, y as ValidationIssue, z as WorkspaceFile } from './core-CGJObpyy.cjs';
 
 declare class CnosError extends Error {
     constructor(message: string);
@@ -36,7 +36,7 @@ declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, process
 declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
 declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
 
-declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
+declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>, factories?: SecretVaultProviderFactory[]): SecretVaultProvider;
 
 interface ParsedGitUri {
     uri: string;

package/dist/internal.d.ts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-Ud1o2MBn.js';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-Ud1o2MBn.js';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProviderFactory, t as SecretVaultProvider, u as ResolvedRoot, m as NamespaceName, v as RootResolution, w as SecretReference, g as CnosRuntime, x as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-CGJObpyy.js';
+export { l as RuntimeProvider, y as ValidationIssue, z as WorkspaceFile } from './core-CGJObpyy.js';
 
 declare class CnosError extends Error {
     constructor(message: string);
@@ -36,7 +36,7 @@ declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, process
 declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
 declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
 
-declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
+declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>, factories?: SecretVaultProviderFactory[]): SecretVaultProvider;
 
 interface ParsedGitUri {
     uri: string;

package/dist/internal.js

@@ -11,7 +11,7 @@ import {
   serializeRuntimeGraph,
   serializeSecretPayload,
   serializeServerProjection
-} from "./chunk-UKNL2Y4N.js";
+} from "./chunk-T3E57MSQ.js";
 import {
   CnosAuthenticationError,
   CnosSecurityError,
@@ -64,7 +64,7 @@ import {
   writeLocalSecret,
   writeRemoteRootCacheMetadata,
   writeVaultSessionKey
-} from "./chunk-MQ4WG3K6.js";
+} from "./chunk-WPB4HB2K.js";
 
 // src/codegen/generateTypes.ts
 function toPascalCase(value) {

package/dist/plugin/basic-schema.cjs

@@ -270,6 +270,9 @@ var import_node_path11 = __toESM(require("path"), 1);
 var import_promises9 = require("fs/promises");
 var import_node_path10 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -278,7 +281,7 @@ var import_node_stream = require("stream");
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../plugins/basic-schema/src/index.ts

package/dist/plugin/basic-schema.d.cts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-Ud1o2MBn.cjs';
+import { V as ValidatorPlugin } from '../core-CGJObpyy.cjs';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.d.ts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-Ud1o2MBn.js';
+import { V as ValidatorPlugin } from '../core-CGJObpyy.js';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-A5U7EZCJ.js";
-import "../chunk-MQ4WG3K6.js";
+} from "../chunk-2DMCB3PK.js";
+import "../chunk-WPB4HB2K.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.cjs

@@ -112,6 +112,9 @@ var import_node_path11 = __toESM(require("path"), 1);
 var import_promises9 = require("fs/promises");
 var import_node_path10 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -120,7 +123,7 @@ var import_node_stream = require("stream");
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../plugins/cli-args/src/index.ts

package/dist/plugin/cli-args.d.cts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-Ud1o2MBn.cjs';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-CGJObpyy.cjs';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.d.ts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-Ud1o2MBn.js';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-CGJObpyy.js';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-FHXLOWAB.js";
-import "../chunk-MQ4WG3K6.js";
+} from "../chunk-KJ57PF47.js";
+import "../chunk-WPB4HB2K.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.cjs

@@ -37,7 +37,7 @@ __export(dotenv_exports, {
 module.exports = __toCommonJS(dotenv_exports);
 
 // ../../plugins/dotenv/src/index.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 
 // ../core/src/keychain/linux.ts
@@ -138,6 +138,9 @@ var import_node_path11 = __toESM(require("path"), 1);
 var import_promises9 = require("fs/promises");
 var import_node_path10 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -146,7 +149,7 @@ var import_node_stream = require("stream");
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
@@ -267,7 +270,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises13.readFile)(filePath, "utf8");
+    return await (0, import_promises14.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }

package/dist/plugin/dotenv.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-Ud1o2MBn.cjs';
-import { E as EnvMappingConfig } from '../envNaming-DxxqiGKN.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-CGJObpyy.cjs';
+import { E as EnvMappingConfig } from '../envNaming-DIaBgT6E.cjs';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-Ud1o2MBn.js';
-import { E as EnvMappingConfig } from '../envNaming-CPwXl4I6.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-CGJObpyy.js';
+import { E as EnvMappingConfig } from '../envNaming-_WD9sLZI.js';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-3EZGPQCE.js";
-import "../chunk-MQ4WG3K6.js";
+} from "../chunk-DPC2BV3S.js";
+import "../chunk-WPB4HB2K.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.cjs

@@ -150,9 +150,12 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -263,7 +266,7 @@ function toPublicEnv(graph, manifest, options = {}, helpers = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../plugins/env-export/src/index.ts

package/dist/plugin/env-export.d.cts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-Ud1o2MBn.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-fUZMRUOz.cjs';
+import { E as ExporterPlugin } from '../core-CGJObpyy.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-C3A8aLjo.cjs';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.d.ts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-Ud1o2MBn.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-C9wPSpRo.js';
+import { E as ExporterPlugin } from '../core-CGJObpyy.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-DLNNcEso.js';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.js

@@ -1,11 +1,11 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "../chunk-RTHKUGJV.js";
+} from "../chunk-5JGNRADB.js";
 import {
   toEnv,
   toPublicEnv
-} from "../chunk-MQ4WG3K6.js";
+} from "../chunk-WPB4HB2K.js";
 export {
   createEnvExportPlugin,
   createPublicEnvExportPlugin,