@kitsy/cnos 1.2.0 → 1.3.0

package/dist/internal.js

@@ -1,52 +1,692 @@
 import {
   CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR,
   deserializeRuntimeGraph,
+  graphRequiresSecretHydration,
   readRuntimeGraphFromEnv,
-  serializeRuntimeGraph
-} from "./chunk-PQ4KSV76.js";
+  serializeRuntimeGraph,
+  serializeSecretPayload
+} from "./chunk-K6QYI2T4.js";
 import {
+  CnosAuthenticationError,
   CnosSecurityError,
+  clearAllVaultSessionKeys,
+  clearVaultSessionKey,
   createSecretVault,
+  createSecretVaultProvider,
+  deleteLocalSecret,
+  deriveVaultKey,
+  detectLegacyVaultFormat,
   ensureProjectionAllowed,
   flattenObject,
   getVaultPassphraseEnvVar,
+  getVaultSessionKeyEnvVar,
   isPassphraseEnvRef,
+  isSecretReference,
+  listLocalSecrets,
   listSecretVaults,
   loadManifest,
   parseYaml,
+  readKeychain,
+  readLocalSecret,
+  readVaultMetadata,
+  removeLocalVaultFiles,
   resolveConfigDocumentPath,
   resolveConfiguredVaultPassphrase,
   resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultAccessKey,
+  resolveVaultAuth,
   resolveVaultDefinition,
   stringifyYaml,
   validateRuntime,
-  writeLocalSecret
-} from "./chunk-APCTXRUN.js";
+  writeKeychain,
+  writeLocalSecret,
+  writeVaultSessionKey
+} from "./chunk-DRKDNY4I.js";
+
+// src/codegen/generateTypes.ts
+function toPascalCase(value) {
+  return value.split(/[^A-Za-z0-9]+/).filter((segment) => segment.length > 0).map((segment) => segment.charAt(0).toUpperCase() + segment.slice(1)).join("");
+}
+function mapSchemaType(rule) {
+  switch (rule?.type) {
+    case "number":
+      return "number";
+    case "string":
+      return "string";
+    case "boolean":
+      return "boolean";
+    case "object":
+      return "Record<string, unknown>";
+    case "array":
+      return "unknown[]";
+    default:
+      return "unknown";
+  }
+}
+function isOptional(rule) {
+  return !(rule?.required ?? false) && rule?.default === void 0;
+}
+function buildNamespaceInterfaces(schema) {
+  const namespaceGroups = /* @__PURE__ */ new Map();
+  for (const [logicalKey, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
+    const separatorIndex = logicalKey.indexOf(".");
+    if (separatorIndex <= 0 || separatorIndex >= logicalKey.length - 1) {
+      continue;
+    }
+    const namespace = logicalKey.slice(0, separatorIndex);
+    const path4 = logicalKey.slice(separatorIndex + 1);
+    const existing = namespaceGroups.get(namespace) ?? [];
+    existing.push({
+      key: path4,
+      rule
+    });
+    namespaceGroups.set(namespace, existing);
+  }
+  const orderedNamespaces = Array.from(namespaceGroups.keys()).sort((left, right) => {
+    if (left === "value") {
+      return -1;
+    }
+    if (right === "value") {
+      return 1;
+    }
+    if (left === "secret") {
+      return -1;
+    }
+    if (right === "secret") {
+      return 1;
+    }
+    return left.localeCompare(right);
+  });
+  if (orderedNamespaces.length === 0) {
+    return [
+      "export interface CnosValueConfig {}",
+      "export interface CnosSecretConfig {}",
+      "",
+      "export interface CnosConfig {",
+      "  value: CnosValueConfig;",
+      "  secret: CnosSecretConfig;",
+      "}"
+    ];
+  }
+  const blocks = [];
+  for (const namespace of orderedNamespaces) {
+    const entries = namespaceGroups.get(namespace) ?? [];
+    const interfaceName = namespace === "value" ? "CnosValueConfig" : namespace === "secret" ? "CnosSecretConfig" : `Cnos${toPascalCase(namespace)}Config`;
+    blocks.push(`export interface ${interfaceName} {`);
+    for (const entry of entries) {
+      const optional = isOptional(entry.rule) ? "?" : "";
+      blocks.push(`  "${entry.key}"${optional}: ${mapSchemaType(entry.rule)};`);
+    }
+    blocks.push("}");
+    blocks.push("");
+  }
+  const configEntries = orderedNamespaces.map((namespace) => {
+    const interfaceName = namespace === "value" ? "CnosValueConfig" : namespace === "secret" ? "CnosSecretConfig" : `Cnos${toPascalCase(namespace)}Config`;
+    return `  ${namespace}: ${interfaceName};`;
+  });
+  blocks.push("export interface CnosConfig {");
+  blocks.push(...configEntries);
+  blocks.push("}");
+  if (!orderedNamespaces.includes("value")) {
+    blocks.push("");
+    blocks.push("export interface CnosValueConfig {}");
+  }
+  if (!orderedNamespaces.includes("secret")) {
+    blocks.push("");
+    blocks.push("export interface CnosSecretConfig {}");
+  }
+  return blocks;
+}
+function generateCodegenContent(manifest, sourcePath, typeModuleImport = "./cnos") {
+  const schema = manifest.schema ?? {};
+  const hasSchema = Object.keys(schema).length > 0;
+  const interfaceBlocks = buildNamespaceInterfaces(schema);
+  const typesLines = [
+    "// Auto-generated by cnos codegen. Do not edit.",
+    `// Source: ${sourcePath}`,
+    "",
+    ...interfaceBlocks,
+    "",
+    'import type { CnosRuntime } from "@kitsy/cnos";',
+    "",
+    "export interface TypedCnosRuntime extends CnosRuntime {",
+    "  value<K extends keyof CnosValueConfig>(path: K): CnosValueConfig[K] | undefined;",
+    "  secret<K extends keyof CnosSecretConfig>(path: K): CnosSecretConfig[K] | undefined;",
+    "  require(key: `value.${keyof CnosValueConfig}`): CnosValueConfig[keyof CnosValueConfig];",
+    "  require(key: `secret.${keyof CnosSecretConfig}`): CnosSecretConfig[keyof CnosSecretConfig];",
+    "}",
+    ""
+  ];
+  if (!hasSchema) {
+    typesLines.push("// Hint: add a schema section to .cnos/cnos.yml for typed key generation.");
+    typesLines.push("");
+  }
+  const runtimeLines = [
+    "// Auto-generated by cnos codegen. Do not edit.",
+    `// Source: ${sourcePath}`,
+    "",
+    'import { createCnos as _createCnos, type CnosCreateOptions } from "@kitsy/cnos/configure";',
+    `import type { TypedCnosRuntime } from "${typeModuleImport}";`,
+    "",
+    "export async function createCnos(options: CnosCreateOptions = {}): Promise<TypedCnosRuntime> {",
+    "  return (await _createCnos(options)) as TypedCnosRuntime;",
+    "}",
+    ""
+  ];
+  return {
+    typesContent: typesLines.join("\n"),
+    runtimeContent: runtimeLines.join("\n"),
+    schemaEntryCount: Object.keys(schema).length,
+    hasSchema
+  };
+}
+
+// src/codegen/writeOutput.ts
+import { mkdir, writeFile } from "fs/promises";
+import path from "path";
+function stripTsExtension(filePath) {
+  return filePath.replace(/(\.d)?\.[cm]?tsx?$/i, "").replace(/\.[cm]?jsx?$/i, "");
+}
+function resolveCodegenPaths(repoRoot, out) {
+  const typesPath = out ? path.resolve(repoRoot, out) : path.join(repoRoot, ".cnos", "types", "cnos.d.ts");
+  const runtimePath = path.join(path.dirname(typesPath), "runtime.ts");
+  const typeImportPath = `./${path.basename(stripTsExtension(typesPath))}`;
+  return {
+    typesPath,
+    runtimePath,
+    typeImportPath
+  };
+}
+async function writeCodegenOutput(options = {}) {
+  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const paths = resolveCodegenPaths(loadedManifest.repoRoot, options.out);
+  const generated = generateCodegenContent(loadedManifest.manifest, loadedManifest.manifestPath, paths.typeImportPath);
+  await mkdir(path.dirname(paths.typesPath), { recursive: true });
+  await mkdir(path.dirname(paths.runtimePath), { recursive: true });
+  await writeFile(paths.typesPath, generated.typesContent, "utf8");
+  await writeFile(paths.runtimePath, generated.runtimeContent, "utf8");
+  return {
+    manifestPath: loadedManifest.manifestPath,
+    typesPath: paths.typesPath,
+    runtimePath: paths.runtimePath,
+    schemaEntryCount: generated.schemaEntryCount,
+    hasSchema: generated.hasSchema
+  };
+}
+
+// src/codegen/watchSchema.ts
+import { watch } from "fs";
+async function watchSchema(options = {}) {
+  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  let timeout;
+  const debounceMs = options.debounceMs ?? 300;
+  const runWrite = async () => {
+    try {
+      const result = await writeCodegenOutput(options);
+      await options.onWrite?.(result);
+    } catch (error) {
+      await options.onError?.(error);
+    }
+  };
+  await runWrite();
+  const watcher = watch(loadedManifest.manifestPath, () => {
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+    timeout = setTimeout(() => {
+      void runWrite();
+    }, debounceMs);
+  });
+  watcher.on("close", () => {
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+  });
+  return watcher;
+}
+
+// src/drift/compareSchemaToGraph.ts
+function describeValueType(value) {
+  if (Array.isArray(value)) {
+    return "array";
+  }
+  if (value === null) {
+    return "null";
+  }
+  return typeof value;
+}
+function matchesType(value, type) {
+  if (!type) {
+    return true;
+  }
+  switch (type) {
+    case "array":
+      return Array.isArray(value);
+    case "object":
+      return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+    default:
+      return typeof value === type;
+  }
+}
+function isSchemaDefault(entry) {
+  return entry.winner.metadata?.schemaDefault === true;
+}
+function shouldTrackKey(key) {
+  return key.startsWith("value.") || key.startsWith("secret.");
+}
+function compareSchemaToGraph(runtime) {
+  const schema = runtime.manifest.schema;
+  const missing = [];
+  const mismatches = [];
+  const defaultsApplied = [];
+  for (const [key, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
+    const entry = runtime.graph.entries.get(key);
+    if (!entry) {
+      if (rule.required && rule.default === void 0) {
+        missing.push({
+          key,
+          ...rule.type ? {
+            expectedType: rule.type
+          } : {}
+        });
+      }
+      continue;
+    }
+    if (isSchemaDefault(entry)) {
+      defaultsApplied.push({
+        key,
+        value: entry.value
+      });
+    }
+    const actualValue = entry.winner.value;
+    if (!matchesType(actualValue, rule.type)) {
+      mismatches.push({
+        key,
+        ...rule.type ? {
+          expectedType: rule.type
+        } : {},
+        actualType: describeValueType(actualValue),
+        value: actualValue,
+        ...entry.winner.origin?.file ? {
+          sourceFile: entry.winner.origin.file
+        } : {}
+      });
+    }
+  }
+  const undeclared = Array.from(runtime.graph.entries.values()).filter((entry) => shouldTrackKey(entry.key) && !schema[entry.key] && !isSchemaDefault(entry)).map((entry) => {
+    const issue = {
+      key: entry.key,
+      value: entry.winner.value,
+      actualType: describeValueType(entry.winner.value)
+    };
+    if (entry.winner.origin?.file) {
+      issue.sourceFile = entry.winner.origin.file;
+    }
+    return issue;
+  }).sort((left, right) => left.key.localeCompare(right.key));
+  return {
+    profile: runtime.graph.profile,
+    workspace: runtime.graph.workspace.workspaceId,
+    missing,
+    undeclared,
+    mismatches,
+    defaultsApplied
+  };
+}
+
+// src/drift/formatDriftReport.ts
+function formatIssueList(title, marker, issues, formatter) {
+  if (issues.length === 0) {
+    return [];
+  }
+  return [
+    `${title}:`,
+    ...issues.map((issue) => `  ${marker} ${formatter(issue)}`),
+    ""
+  ];
+}
+function formatDriftReport(report) {
+  const lines = [
+    `Schema vs resolved config (${report.workspace} / ${report.profile}):`,
+    ""
+  ];
+  lines.push(
+    ...formatIssueList("Missing (required, not defined)", "x", report.missing, (issue) => issue.key)
+  );
+  lines.push(
+    ...formatIssueList(
+      "Undeclared (defined, not in schema)",
+      "?",
+      report.undeclared,
+      (issue) => issue.sourceFile ? `${issue.key} (found in ${issue.sourceFile})` : issue.key
+    )
+  );
+  lines.push(
+    ...formatIssueList("Type mismatches", "x", report.mismatches, (issue) => {
+      const actual = issue.value === void 0 ? issue.actualType : `${issue.actualType} ${JSON.stringify(issue.value)}`;
+      return `${issue.key} (schema: ${issue.expectedType}, actual: ${actual})`;
+    })
+  );
+  lines.push(
+    ...formatIssueList(
+      "Defaults applied",
+      "i",
+      report.defaultsApplied,
+      (issue) => `${issue.key} (using default: ${JSON.stringify(issue.value)})`
+    )
+  );
+  if (lines[lines.length - 1] === "") {
+    lines.pop();
+  }
+  if (lines.length === 2) {
+    lines.push("No drift detected.");
+  }
+  return lines.join("\n");
+}
+
+// src/migrate/applyManifest.ts
+import { writeFile as writeFile2 } from "fs/promises";
+function sortRecord(record) {
+  return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
+}
+async function applyManifestMappings(proposals, root) {
+  const loadedManifest = await loadManifest(root ? { root } : {});
+  const rawManifest = {
+    ...loadedManifest.rawManifest
+  };
+  const explicit = {
+    ...rawManifest.envMapping?.explicit ?? {}
+  };
+  const promoted = new Set(rawManifest.public?.promote ?? []);
+  let appliedMappings = 0;
+  let appliedPromotions = 0;
+  for (const proposal of proposals) {
+    if (explicit[proposal.envVar] !== proposal.logicalKey) {
+      explicit[proposal.envVar] = proposal.logicalKey;
+      appliedMappings += 1;
+    }
+    if (proposal.public && !promoted.has(proposal.logicalKey)) {
+      promoted.add(proposal.logicalKey);
+      appliedPromotions += 1;
+    }
+  }
+  rawManifest.envMapping = {
+    ...rawManifest.envMapping ?? {},
+    explicit: sortRecord(explicit)
+  };
+  if (promoted.size > 0) {
+    rawManifest.public = {
+      ...rawManifest.public ?? {},
+      promote: Array.from(promoted).sort((left, right) => left.localeCompare(right))
+    };
+  }
+  await writeFile2(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
+  return {
+    manifestPath: loadedManifest.manifestPath,
+    appliedMappings,
+    appliedPromotions
+  };
+}
+
+// src/migrate/proposeMapping.ts
+var SECRET_TOKENS = ["PASSWORD", "SECRET", "KEY", "TOKEN"];
+function normalizeSegments(value) {
+  return value.split("_").map((segment) => segment.trim().toLowerCase()).filter((segment) => segment.length > 0);
+}
+function isSecretEnvVar(value) {
+  return SECRET_TOKENS.some((token) => value.includes(`_${token}`) || value.endsWith(token));
+}
+function proposeMapping(envVar) {
+  const framework = envVar.startsWith("VITE_") ? "vite" : envVar.startsWith("NEXT_PUBLIC_") ? "next" : void 0;
+  const strippedEnvVar = framework === "vite" ? envVar.slice("VITE_".length) : framework === "next" ? envVar.slice("NEXT_PUBLIC_".length) : envVar;
+  const namespace = isSecretEnvVar(strippedEnvVar) && !framework ? "secret" : "value";
+  const segments = normalizeSegments(strippedEnvVar);
+  const logicalPath = segments.join(".");
+  return {
+    envVar,
+    namespace,
+    logicalPath,
+    logicalKey: `${namespace}.${logicalPath}`,
+    public: Boolean(framework),
+    ...framework ? {
+      framework
+    } : {}
+  };
+}
+
+// src/migrate/rewriteSource.ts
+import { copyFile, readFile, writeFile as writeFile3 } from "fs/promises";
+function importStatementFor(kind) {
+  return kind === "import-meta-env" ? "import cnos from '@kitsy/cnos/browser';" : "import cnos from '@kitsy/cnos';";
+}
+function replacementFor(proposal) {
+  if (proposal.public) {
+    return `cnos.read(${JSON.stringify(`public.${proposal.logicalPath}`)})`;
+  }
+  return proposal.namespace === "secret" ? `cnos.secret(${JSON.stringify(proposal.logicalPath)})` : `cnos.value(${JSON.stringify(proposal.logicalPath)})`;
+}
+async function rewriteSourceFiles(usages, proposals) {
+  const fileGroups = /* @__PURE__ */ new Map();
+  for (const usage of usages) {
+    const existing = fileGroups.get(usage.filePath) ?? [];
+    existing.push(usage);
+    fileGroups.set(usage.filePath, existing);
+  }
+  const rewrittenFiles = [];
+  const backupFiles = [];
+  const skippedUsages = [];
+  for (const [filePath, fileUsages] of fileGroups.entries()) {
+    const original = await readFile(filePath, "utf8");
+    let nextSource = original;
+    let changed = false;
+    const importKinds = /* @__PURE__ */ new Set();
+    for (const usage of fileUsages) {
+      const proposal = proposals.get(usage.envVar);
+      if (!proposal) {
+        skippedUsages.push(`${filePath}:${usage.source}`);
+        continue;
+      }
+      if (usage.kind === "import-meta-env" && proposal.namespace === "secret") {
+        skippedUsages.push(`${filePath}:${usage.source}`);
+        continue;
+      }
+      const replacement = replacementFor(proposal);
+      if (!nextSource.includes(usage.source)) {
+        skippedUsages.push(`${filePath}:${usage.source}`);
+        continue;
+      }
+      nextSource = nextSource.split(usage.source).join(replacement);
+      changed = true;
+      importKinds.add(usage.kind);
+    }
+    if (!changed) {
+      continue;
+    }
+    const backupPath = `${filePath}.bak`;
+    await copyFile(filePath, backupPath);
+    backupFiles.push(backupPath);
+    for (const kind of Array.from(importKinds)) {
+      const importStatement = importStatementFor(kind);
+      if (!nextSource.includes(importStatement)) {
+        nextSource = `${importStatement}
+${nextSource}`;
+      }
+    }
+    await writeFile3(filePath, nextSource, "utf8");
+    rewrittenFiles.push(filePath);
+  }
+  return {
+    rewrittenFiles: rewrittenFiles.sort((left, right) => left.localeCompare(right)),
+    backupFiles: backupFiles.sort((left, right) => left.localeCompare(right)),
+    skippedUsages: skippedUsages.sort((left, right) => left.localeCompare(right))
+  };
+}
+
+// src/migrate/scanEnvUsage.ts
+import { readdir, readFile as readFile2 } from "fs/promises";
+import path2 from "path";
+var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mts", ".cts", ".mjs", ".cjs"]);
+var PROCESS_ENV_DOT = /process\.env\.([A-Z][A-Z0-9_]*)/g;
+var PROCESS_ENV_BRACKET = /process\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
+var IMPORT_META_ENV_DOT = /import\.meta\.env\.([A-Z][A-Z0-9_]*)/g;
+var IMPORT_META_ENV_BRACKET = /import\.meta\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
+async function collectFiles(root) {
+  const entries = await readdir(root, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const filePath = path2.join(root, entry.name);
+    if (entry.isDirectory()) {
+      if (entry.name === "node_modules" || entry.name === "dist" || entry.name === ".git") {
+        continue;
+      }
+      files.push(...await collectFiles(filePath));
+      continue;
+    }
+    if (SOURCE_EXTENSIONS.has(path2.extname(entry.name))) {
+      files.push(filePath);
+    }
+  }
+  return files;
+}
+function collectMatches(filePath, source, pattern, kind) {
+  const matches = [];
+  for (const match of source.matchAll(pattern)) {
+    const envVar = match[1];
+    if (!envVar) {
+      continue;
+    }
+    matches.push({
+      filePath,
+      envVar,
+      source: match[0],
+      kind
+    });
+  }
+  return matches;
+}
+async function scanEnvUsage(scanRoot) {
+  const files = await collectFiles(scanRoot);
+  const usages = [];
+  for (const filePath of files) {
+    const source = await readFile2(filePath, "utf8");
+    usages.push(...collectMatches(filePath, source, PROCESS_ENV_DOT, "process-env"));
+    usages.push(...collectMatches(filePath, source, PROCESS_ENV_BRACKET, "process-env"));
+    usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_DOT, "import-meta-env"));
+    usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_BRACKET, "import-meta-env"));
+  }
+  return usages.sort((left, right) => {
+    const byFile = left.filePath.localeCompare(right.filePath);
+    if (byFile !== 0) {
+      return byFile;
+    }
+    return left.envVar.localeCompare(right.envVar);
+  });
+}
+
+// src/watch/diffGraphs.ts
+function stableStringify(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((entry) => stableStringify(entry)).join(",")}]`;
+  }
+  if (value && typeof value === "object") {
+    return `{${Object.entries(value).sort(([left], [right]) => left.localeCompare(right)).map(([key, entry]) => `${JSON.stringify(key)}:${stableStringify(entry)}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+function diffGraphs(previous, next) {
+  const keys = /* @__PURE__ */ new Set([
+    ...Array.from(previous.entries.keys()),
+    ...Array.from(next.entries.keys())
+  ]);
+  return Array.from(keys).filter((key) => !key.startsWith("meta.")).filter((key) => {
+    const previousEntry = previous.entries.get(key);
+    const nextEntry = next.entries.get(key);
+    if (!previousEntry || !nextEntry) {
+      return previousEntry?.namespace !== "meta" && nextEntry?.namespace !== "meta";
+    }
+    return stableStringify(previousEntry.value) !== stableStringify(nextEntry.value);
+  }).sort((left, right) => left.localeCompare(right));
+}
+
+// src/watch/watchFiles.ts
+import path3 from "path";
+async function watchFiles(runtime, root) {
+  const manifest = await loadManifest(root ? { root } : {});
+  const roots = Array.from(
+    new Set(runtime.graph.workspace.workspaceRoots.map((workspaceRoot) => workspaceRoot.path))
+  ).sort((left, right) => left.localeCompare(right));
+  const files = Array.from(
+    new Set(
+      Array.from(runtime.graph.entries.values()).map((entry) => entry.winner.origin?.file).filter((file) => Boolean(file)).map((file) => path3.resolve(manifest.repoRoot, file))
+    )
+  ).sort((left, right) => left.localeCompare(right));
+  return {
+    manifestPath: manifest.manifestPath,
+    roots,
+    files
+  };
+}
 export {
   CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR,
+  CnosAuthenticationError,
   CnosSecurityError,
+  applyManifestMappings,
+  clearAllVaultSessionKeys,
+  clearVaultSessionKey,
+  compareSchemaToGraph,
   createSecretVault,
+  createSecretVaultProvider,
+  deleteLocalSecret,
+  deriveVaultKey,
   deserializeRuntimeGraph,
+  detectLegacyVaultFormat,
+  diffGraphs,
   ensureProjectionAllowed,
   flattenObject,
+  formatDriftReport,
+  generateCodegenContent,
   getVaultPassphraseEnvVar,
+  getVaultSessionKeyEnvVar,
+  graphRequiresSecretHydration,
   isPassphraseEnvRef,
+  isSecretReference,
+  listLocalSecrets,
   listSecretVaults,
   loadManifest,
   parseYaml,
+  proposeMapping,
+  readKeychain,
+  readLocalSecret,
   readRuntimeGraphFromEnv,
+  readVaultMetadata,
+  removeLocalVaultFiles,
+  resolveCodegenPaths,
   resolveConfigDocumentPath,
   resolveConfiguredVaultPassphrase,
   resolveManifestRoot,
   resolveSecretPassphrase,
   resolveSecretStoreRoot,
   resolveSecretVaultFile,
+  resolveVaultAccessKey,
+  resolveVaultAuth,
   resolveVaultDefinition,
+  rewriteSourceFiles,
+  scanEnvUsage,
   serializeRuntimeGraph,
+  serializeSecretPayload,
   stringifyYaml,
   validateRuntime,
-  writeLocalSecret
+  watchFiles,
+  watchSchema,
+  writeCodegenOutput,
+  writeKeychain,
+  writeLocalSecret,
+  writeVaultSessionKey
 };