npm - @kitsy/cnos - Versions diffs - 1.2.0 → 1.3.0 - Mend

@kitsy/cnos 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/README.md +3 -3
package/dist/build/index.cjs +902 -113
package/dist/build/index.d.cts +1 -1
package/dist/build/index.d.ts +1 -1
package/dist/build/index.js +22 -10
package/dist/{chunk-WHUGFPE4.js → chunk-CDXJISGB.js} +1 -1
package/dist/{chunk-APCTXRUN.js → chunk-DRKDNY4I.js} +998 -191
package/dist/chunk-E7SE6N26.js +189 -0
package/dist/{chunk-SO5XREEU.js → chunk-EDCLLCNL.js} +32 -11
package/dist/{chunk-SXTMTACL.js → chunk-FC3IV6A7.js} +1 -31
package/dist/{chunk-MLQGYCO7.js → chunk-JDII6O72.js} +1 -1
package/dist/chunk-K6QYI2T4.js +105 -0
package/dist/{chunk-EIN55XXA.js → chunk-OOKFRWTN.js} +1 -1
package/dist/{chunk-ZA74BO47.js → chunk-OWUZQ4OH.js} +1 -1
package/dist/{chunk-RD5WMHPM.js → chunk-QTKXPY3N.js} +1 -1
package/dist/configure/index.cjs +2928 -0
package/dist/configure/index.d.cts +12 -0
package/dist/configure/index.d.ts +12 -0
package/dist/configure/index.js +24 -0
package/dist/{envNaming-BTJpH93W.d.cts → envNaming-D6k66myh.d.cts} +1 -1
package/dist/{envNaming-CcsqAel3.d.ts → envNaming-Dy3WYiGK.d.ts} +1 -1
package/dist/index.cjs +1142 -178
package/dist/index.d.cts +2 -13
package/dist/index.d.ts +2 -13
package/dist/index.js +13 -25
package/dist/internal.cjs +1512 -80
package/dist/internal.d.cts +170 -14
package/dist/internal.d.ts +170 -14
package/dist/internal.js +645 -5
package/dist/plugin/basic-schema.cjs +29 -2
package/dist/plugin/basic-schema.d.cts +1 -1
package/dist/plugin/basic-schema.d.ts +1 -1
package/dist/plugin/basic-schema.js +2 -2
package/dist/plugin/cli-args.cjs +29 -2
package/dist/plugin/cli-args.d.cts +1 -1
package/dist/plugin/cli-args.d.ts +1 -1
package/dist/plugin/cli-args.js +2 -2
package/dist/plugin/dotenv.cjs +36 -9
package/dist/plugin/dotenv.d.cts +2 -2
package/dist/plugin/dotenv.d.ts +2 -2
package/dist/plugin/dotenv.js +2 -2
package/dist/plugin/env-export.cjs +31 -2
package/dist/plugin/env-export.d.cts +2 -2
package/dist/plugin/env-export.d.ts +2 -2
package/dist/plugin/env-export.js +2 -2
package/dist/plugin/filesystem.cjs +46 -91
package/dist/plugin/filesystem.d.cts +1 -1
package/dist/plugin/filesystem.d.ts +1 -1
package/dist/plugin/filesystem.js +2 -2
package/dist/plugin/process-env.cjs +31 -4
package/dist/plugin/process-env.d.cts +2 -2
package/dist/plugin/process-env.d.ts +2 -2
package/dist/plugin/process-env.js +2 -2
package/dist/{plugin-DkOIT5uI.d.cts → plugin-CyNkf7Dm.d.cts} +14 -2
package/dist/{plugin-DkOIT5uI.d.ts → plugin-CyNkf7Dm.d.ts} +14 -2
package/dist/runtime/index.cjs +956 -128
package/dist/runtime/index.d.cts +1 -1
package/dist/runtime/index.d.ts +1 -1
package/dist/runtime/index.js +11 -186
package/dist/{toPublicEnv-DvFeV3qG.d.cts → toPublicEnv-Cz72m6y0.d.cts} +1 -1
package/dist/{toPublicEnv-C9clvXLo.d.ts → toPublicEnv-D2PZkaN-.d.ts} +1 -1
package/package.json +11 -1
package/dist/chunk-JUHPBAEH.js +0 -20
package/dist/chunk-PQ4KSV76.js +0 -50

package/dist/internal.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { i as LoadManifestOptions, j as LoadedManifest, N as NormalizedManifest, g as LogicalKey, V as VaultDefinition, d as CnosRuntime, k as ValidationSummary, R as ResolvedGraph } from './plugin-DkOIT5uI.cjs';
-export { l as ValidationIssue, W as WorkspaceFile } from './plugin-DkOIT5uI.cjs';
+import { j as LoadManifestOptions, k as LoadedManifest, N as NormalizedManifest, b as LogicalKey, l as VaultDefinition, g as CnosRuntime, m as ValidationSummary, R as ResolvedGraph } from './plugin-CyNkf7Dm.cjs';
+export { n as ValidationIssue, o as WorkspaceFile } from './plugin-CyNkf7Dm.cjs';
 declare class CnosError extends Error {
     constructor(message: string);
@@ -7,36 +7,88 @@ declare class CnosError extends Error {
 declare class CnosSecurityError extends CnosError {
     constructor(message: string);
 }
+declare class CnosAuthenticationError extends CnosError {
+    constructor(message: string);
+}
+declare function readKeychain(entry: string): Promise<string | undefined>;
+declare function writeKeychain(entry: string, value: string): Promise<void>;
 declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
 type ProjectionTarget = 'public' | 'env';
 declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
-declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
-declare function resolveManifestRoot(root?: string): Promise<string>;
-declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 interface SecretReference {
     provider: string;
     ref: string;
     vault?: string;
 }
+interface VaultAuthConfig {
+    passphrase?: string;
+    token?: string;
+    derivedKey?: Buffer;
+    method: 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
+    config?: Record<string, unknown>;
+}
+interface SecretVaultProvider {
+    readonly vaultId: string;
+    readonly definition: VaultDefinition;
+    authenticate(authConfig: VaultAuthConfig): Promise<void>;
+    isAuthenticated(): boolean;
+    batchGet(refs: string[]): Promise<Map<string, string>>;
+    get(ref: string): Promise<string | undefined>;
+    set(ref: string, value: string): Promise<void>;
+    delete(ref: string): Promise<void>;
+    list(): Promise<string[]>;
+}
+declare function resolveVaultAuth(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig>;
+declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, processEnv?: Record<string, string | undefined>): Promise<string>;
+declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
+declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
+declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
+declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
+declare function resolveManifestRoot(root?: string): Promise<string>;
+declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 interface ResolvedVaultDefinition extends VaultDefinition {
     name: string;
-    requiresPassphrase: boolean;
+    requiresAuthentication: boolean;
+}
+interface VaultMetadata {
+    version: 1;
+    algorithm: 'aes-256-gcm';
+    kdf: 'pbkdf2-sha512';
+    iterations: number;
+    salt: string;
+    createdAt: string;
+    secretCount: number;
 }
+declare function isSecretReference(value: unknown): value is SecretReference;
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
-declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
-declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
 declare function getVaultPassphraseEnvVar(vault?: string): string;
 declare function isPassphraseEnvRef(value: string | undefined): boolean;
+declare function getVaultSessionKeyEnvVar(vault?: string): string;
+declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function deriveVaultKey(passphrase: string, salt: Buffer, iterations?: number): Buffer;
+declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
+declare function detectLegacyVaultFormat(storeRoot: string, vault?: string): Promise<string | undefined>;
+declare function readVaultMetadata(storeRoot: string, vault?: string): Promise<VaultMetadata | undefined>;
+declare function listSecretVaults(storeRoot: string): Promise<string[]>;
+declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
 declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function resolveVaultAccessKey(storeRoot: string, definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig | undefined>;
+declare function writeLocalSecret(storeRoot: string, ref: string, value: string, authOrPassphrase: VaultAuthConfig | string, vault?: string): Promise<string>;
+declare function deleteLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<boolean>;
+declare function readLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<string>;
+declare function listLocalSecrets(storeRoot: string, auth: VaultAuthConfig, vault?: string): Promise<string[]>;
 declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
-declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
-declare function listSecretVaults(storeRoot: string): Promise<string[]>;
-declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
+declare function removeLocalVaultFiles(storeRoot: string, vault?: string): Promise<void>;
 declare function parseYaml<T>(source: string): T;
 declare function stringifyYaml(value: unknown): string;
@@ -44,8 +96,112 @@ declare function stringifyYaml(value: unknown): string;
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+declare const CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
+declare const CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
 declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
 declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
+declare function serializeSecretPayload(values: Record<string, unknown>): {
+    payload: string;
+    sessionKey: string;
+};
 declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
+declare function graphRequiresSecretHydration(graph: ResolvedGraph): boolean;
+interface GeneratedCodegenContent {
+    typesContent: string;
+    runtimeContent: string;
+    schemaEntryCount: number;
+    hasSchema: boolean;
+}
+declare function generateCodegenContent(manifest: NormalizedManifest, sourcePath: string, typeModuleImport?: string): GeneratedCodegenContent;
+interface WriteCodegenOutputOptions {
+    root?: string;
+    out?: string;
+}
+interface CodegenWriteResult {
+    manifestPath: string;
+    typesPath: string;
+    runtimePath: string;
+    schemaEntryCount: number;
+    hasSchema: boolean;
+}
+declare function resolveCodegenPaths(repoRoot: string, out?: string): {
+    typesPath: string;
+    runtimePath: string;
+    typeImportPath: string;
+};
+declare function writeCodegenOutput(options?: WriteCodegenOutputOptions): Promise<CodegenWriteResult>;
+interface WatchSchemaOptions extends WriteCodegenOutputOptions {
+    debounceMs?: number;
+    onWrite?: (result: CodegenWriteResult) => void | Promise<void>;
+    onError?: (error: unknown) => void | Promise<void>;
+}
+interface CnosWatchHandle {
+    close(): void;
+    on(event: 'close', listener: () => void): this;
+}
+declare function watchSchema(options?: WatchSchemaOptions): Promise<CnosWatchHandle>;
+interface DriftIssue {
+    key: string;
+    expectedType?: string;
+    actualType?: string;
+    value?: unknown;
+    sourceFile?: string;
+}
+interface DriftReport {
+    profile: string;
+    workspace: string;
+    missing: DriftIssue[];
+    undeclared: DriftIssue[];
+    mismatches: DriftIssue[];
+    defaultsApplied: DriftIssue[];
+}
+declare function compareSchemaToGraph(runtime: CnosRuntime): DriftReport;
+declare function formatDriftReport(report: DriftReport): string;
+interface EnvMappingProposal {
+    envVar: string;
+    namespace: 'value' | 'secret';
+    logicalPath: string;
+    logicalKey: string;
+    public: boolean;
+    framework?: 'vite' | 'next';
+}
+declare function proposeMapping(envVar: string): EnvMappingProposal;
+interface ApplyManifestResult {
+    manifestPath: string;
+    appliedMappings: number;
+    appliedPromotions: number;
+}
+declare function applyManifestMappings(proposals: EnvMappingProposal[], root?: string): Promise<ApplyManifestResult>;
+interface EnvUsage {
+    filePath: string;
+    envVar: string;
+    source: string;
+    kind: 'process-env' | 'import-meta-env';
+}
+declare function scanEnvUsage(scanRoot: string): Promise<EnvUsage[]>;
+interface RewriteSourceResult {
+    rewrittenFiles: string[];
+    backupFiles: string[];
+    skippedUsages: string[];
+}
+declare function rewriteSourceFiles(usages: EnvUsage[], proposals: Map<string, EnvMappingProposal>): Promise<RewriteSourceResult>;
+declare function diffGraphs(previous: ResolvedGraph, next: ResolvedGraph): string[];
+interface WatchTargetSet {
+    manifestPath: string;
+    roots: string[];
+    files: string[];
+}
+declare function watchFiles(runtime: CnosRuntime, root?: string): Promise<WatchTargetSet>;
-export { CNOS_GRAPH_ENV_VAR, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, createSecretVault, deserializeRuntimeGraph, ensureProjectionAllowed, flattenObject, getVaultPassphraseEnvVar, isPassphraseEnvRef, listSecretVaults, loadManifest, parseYaml, readRuntimeGraphFromEnv, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultDefinition, serializeRuntimeGraph, stringifyYaml, validateRuntime, writeLocalSecret };
+export { CNOS_GRAPH_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRuntimeGraphFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, stringifyYaml, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeVaultSessionKey };

package/dist/internal.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { i as LoadManifestOptions, j as LoadedManifest, N as NormalizedManifest, g as LogicalKey, V as VaultDefinition, d as CnosRuntime, k as ValidationSummary, R as ResolvedGraph } from './plugin-DkOIT5uI.js';
-export { l as ValidationIssue, W as WorkspaceFile } from './plugin-DkOIT5uI.js';
+import { j as LoadManifestOptions, k as LoadedManifest, N as NormalizedManifest, b as LogicalKey, l as VaultDefinition, g as CnosRuntime, m as ValidationSummary, R as ResolvedGraph } from './plugin-CyNkf7Dm.js';
+export { n as ValidationIssue, o as WorkspaceFile } from './plugin-CyNkf7Dm.js';
 declare class CnosError extends Error {
     constructor(message: string);
@@ -7,36 +7,88 @@ declare class CnosError extends Error {
 declare class CnosSecurityError extends CnosError {
     constructor(message: string);
 }
+declare class CnosAuthenticationError extends CnosError {
+    constructor(message: string);
+}
+declare function readKeychain(entry: string): Promise<string | undefined>;
+declare function writeKeychain(entry: string, value: string): Promise<void>;
 declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
 type ProjectionTarget = 'public' | 'env';
 declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
-declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
-declare function resolveManifestRoot(root?: string): Promise<string>;
-declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 interface SecretReference {
     provider: string;
     ref: string;
     vault?: string;
 }
+interface VaultAuthConfig {
+    passphrase?: string;
+    token?: string;
+    derivedKey?: Buffer;
+    method: 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
+    config?: Record<string, unknown>;
+}
+interface SecretVaultProvider {
+    readonly vaultId: string;
+    readonly definition: VaultDefinition;
+    authenticate(authConfig: VaultAuthConfig): Promise<void>;
+    isAuthenticated(): boolean;
+    batchGet(refs: string[]): Promise<Map<string, string>>;
+    get(ref: string): Promise<string | undefined>;
+    set(ref: string, value: string): Promise<void>;
+    delete(ref: string): Promise<void>;
+    list(): Promise<string[]>;
+}
+declare function resolveVaultAuth(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig>;
+declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, processEnv?: Record<string, string | undefined>): Promise<string>;
+declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
+declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
+declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
+declare function flattenObject(value: Record<string, unknown>, prefix?: string): Record<string, unknown>;
+declare function resolveManifestRoot(root?: string): Promise<string>;
+declare function resolveConfigDocumentPath(workspaceRoot: string, namespace: 'value' | 'secret', configPath: string, profile?: string): string;
 interface ResolvedVaultDefinition extends VaultDefinition {
     name: string;
-    requiresPassphrase: boolean;
+    requiresAuthentication: boolean;
+}
+interface VaultMetadata {
+    version: 1;
+    algorithm: 'aes-256-gcm';
+    kdf: 'pbkdf2-sha512';
+    iterations: number;
+    salt: string;
+    createdAt: string;
+    secretCount: number;
 }
+declare function isSecretReference(value: unknown): value is SecretReference;
 declare function resolveSecretStoreRoot(processEnv?: Record<string, string | undefined>): string;
-declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
-declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
 declare function getVaultPassphraseEnvVar(vault?: string): string;
 declare function isPassphraseEnvRef(value: string | undefined): boolean;
+declare function getVaultSessionKeyEnvVar(vault?: string): string;
+declare function resolveSecretPassphrase(vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function deriveVaultKey(passphrase: string, salt: Buffer, iterations?: number): Buffer;
+declare function resolveSecretVaultFile(storeRoot: string, vault?: string): string;
+declare function detectLegacyVaultFormat(storeRoot: string, vault?: string): Promise<string | undefined>;
+declare function readVaultMetadata(storeRoot: string, vault?: string): Promise<VaultMetadata | undefined>;
+declare function listSecretVaults(storeRoot: string): Promise<string[]>;
+declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
 declare function resolveConfiguredVaultPassphrase(definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): string | undefined;
+declare function resolveVaultAccessKey(storeRoot: string, definition: VaultDefinition | undefined, vault?: string, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig | undefined>;
+declare function writeLocalSecret(storeRoot: string, ref: string, value: string, authOrPassphrase: VaultAuthConfig | string, vault?: string): Promise<string>;
+declare function deleteLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<boolean>;
+declare function readLocalSecret(storeRoot: string, ref: string, auth: VaultAuthConfig, vault?: string): Promise<string>;
+declare function listLocalSecrets(storeRoot: string, auth: VaultAuthConfig, vault?: string): Promise<string[]>;
 declare function resolveVaultDefinition(vaults: Record<string, VaultDefinition> | undefined, vault?: string): ResolvedVaultDefinition;
-declare function createSecretVault(storeRoot: string, vault: string, passphrase: string): Promise<string>;
-declare function listSecretVaults(storeRoot: string): Promise<string[]>;
-declare function writeLocalSecret(storeRoot: string, ref: string, value: string, passphrase: string, vault?: string): Promise<string>;
+declare function removeLocalVaultFiles(storeRoot: string, vault?: string): Promise<void>;
 declare function parseYaml<T>(source: string): T;
 declare function stringifyYaml(value: unknown): string;
@@ -44,8 +96,112 @@ declare function stringifyYaml(value: unknown): string;
 declare function validateRuntime(runtime: CnosRuntime): Promise<ValidationSummary>;
 declare const CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+declare const CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
+declare const CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
 declare function serializeRuntimeGraph(graph: ResolvedGraph): string;
 declare function deserializeRuntimeGraph(source: string): ResolvedGraph;
+declare function serializeSecretPayload(values: Record<string, unknown>): {
+    payload: string;
+    sessionKey: string;
+};
 declare function readRuntimeGraphFromEnv(processEnv?: Record<string, string | undefined>): ResolvedGraph | undefined;
+declare function graphRequiresSecretHydration(graph: ResolvedGraph): boolean;
+interface GeneratedCodegenContent {
+    typesContent: string;
+    runtimeContent: string;
+    schemaEntryCount: number;
+    hasSchema: boolean;
+}
+declare function generateCodegenContent(manifest: NormalizedManifest, sourcePath: string, typeModuleImport?: string): GeneratedCodegenContent;
+interface WriteCodegenOutputOptions {
+    root?: string;
+    out?: string;
+}
+interface CodegenWriteResult {
+    manifestPath: string;
+    typesPath: string;
+    runtimePath: string;
+    schemaEntryCount: number;
+    hasSchema: boolean;
+}
+declare function resolveCodegenPaths(repoRoot: string, out?: string): {
+    typesPath: string;
+    runtimePath: string;
+    typeImportPath: string;
+};
+declare function writeCodegenOutput(options?: WriteCodegenOutputOptions): Promise<CodegenWriteResult>;
+interface WatchSchemaOptions extends WriteCodegenOutputOptions {
+    debounceMs?: number;
+    onWrite?: (result: CodegenWriteResult) => void | Promise<void>;
+    onError?: (error: unknown) => void | Promise<void>;
+}
+interface CnosWatchHandle {
+    close(): void;
+    on(event: 'close', listener: () => void): this;
+}
+declare function watchSchema(options?: WatchSchemaOptions): Promise<CnosWatchHandle>;
+interface DriftIssue {
+    key: string;
+    expectedType?: string;
+    actualType?: string;
+    value?: unknown;
+    sourceFile?: string;
+}
+interface DriftReport {
+    profile: string;
+    workspace: string;
+    missing: DriftIssue[];
+    undeclared: DriftIssue[];
+    mismatches: DriftIssue[];
+    defaultsApplied: DriftIssue[];
+}
+declare function compareSchemaToGraph(runtime: CnosRuntime): DriftReport;
+declare function formatDriftReport(report: DriftReport): string;
+interface EnvMappingProposal {
+    envVar: string;
+    namespace: 'value' | 'secret';
+    logicalPath: string;
+    logicalKey: string;
+    public: boolean;
+    framework?: 'vite' | 'next';
+}
+declare function proposeMapping(envVar: string): EnvMappingProposal;
+interface ApplyManifestResult {
+    manifestPath: string;
+    appliedMappings: number;
+    appliedPromotions: number;
+}
+declare function applyManifestMappings(proposals: EnvMappingProposal[], root?: string): Promise<ApplyManifestResult>;
+interface EnvUsage {
+    filePath: string;
+    envVar: string;
+    source: string;
+    kind: 'process-env' | 'import-meta-env';
+}
+declare function scanEnvUsage(scanRoot: string): Promise<EnvUsage[]>;
+interface RewriteSourceResult {
+    rewrittenFiles: string[];
+    backupFiles: string[];
+    skippedUsages: string[];
+}
+declare function rewriteSourceFiles(usages: EnvUsage[], proposals: Map<string, EnvMappingProposal>): Promise<RewriteSourceResult>;
+declare function diffGraphs(previous: ResolvedGraph, next: ResolvedGraph): string[];
+interface WatchTargetSet {
+    manifestPath: string;
+    roots: string[];
+    files: string[];
+}
+declare function watchFiles(runtime: CnosRuntime, root?: string): Promise<WatchTargetSet>;
-export { CNOS_GRAPH_ENV_VAR, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, createSecretVault, deserializeRuntimeGraph, ensureProjectionAllowed, flattenObject, getVaultPassphraseEnvVar, isPassphraseEnvRef, listSecretVaults, loadManifest, parseYaml, readRuntimeGraphFromEnv, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultDefinition, serializeRuntimeGraph, stringifyYaml, validateRuntime, writeLocalSecret };
+export { CNOS_GRAPH_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, type ResolvedVaultDefinition, type SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRuntimeGraphFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, stringifyYaml, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeVaultSessionKey };