@kitsy/cnos 1.2.0 → 1.3.0

package/dist/chunk-E7SE6N26.js

@@ -0,0 +1,189 @@
+import {
+  graphRequiresSecretHydration,
+  readRuntimeGraphFromEnv
+} from "./chunk-K6QYI2T4.js";
+import {
+  createCnos,
+  getBootstrappedSecretHydrationRequired,
+  getSingletonReady,
+  getSingletonRuntime,
+  setBootstrappedSecretHydrationRequired,
+  setSingletonReady,
+  setSingletonRuntime
+} from "./chunk-EDCLLCNL.js";
+import {
+  inspectValue,
+  readOrValue,
+  readValue,
+  requireValue,
+  toEnv,
+  toLogicalKey,
+  toNamespaceObject,
+  toPublicEnv
+} from "./chunk-DRKDNY4I.js";
+
+// src/runtime/index.ts
+var NOT_READY_MESSAGE = "CNOS not initialized. Call await cnos.ready() or use cnos run.";
+function getRuntimeOrThrow() {
+  const runtime = getSingletonRuntime();
+  if (!runtime) {
+    throw new Error(NOT_READY_MESSAGE);
+  }
+  return runtime;
+}
+function attachBootstrappedGraph(graph) {
+  if (getSingletonRuntime()) {
+    return;
+  }
+  const bootstrappedManifest = {
+    version: 1,
+    project: {
+      name: "bootstrapped"
+    },
+    workspaces: {
+      global: {
+        enabled: Boolean(graph.workspace.globalRoot),
+        ...graph.workspace.globalRoot ? {
+          root: graph.workspace.globalRoot
+        } : {},
+        allowWrite: false
+      },
+      items: {},
+      ...graph.workspace.workspaceSource === "implicit" ? {} : {
+        default: graph.workspace.workspaceId
+      }
+    },
+    profiles: {
+      default: graph.profile,
+      resolveFrom: ["default"]
+    },
+    plugins: {
+      loaders: [],
+      resolver: "profile-aware",
+      validators: [],
+      exporters: [],
+      inspectors: []
+    },
+    sources: {},
+    resolution: {
+      precedence: [],
+      arrayPolicy: "replace"
+    },
+    envMapping: {
+      explicit: {}
+    },
+    public: {
+      promote: [],
+      frameworks: {}
+    },
+    namespaces: {},
+    vaults: {},
+    writePolicy: {
+      define: {
+        defaultProfile: graph.profile,
+        targets: {
+          value: "./values/app.yml",
+          secret: "./secrets/app.yml"
+        }
+      }
+    },
+    schema: {}
+  };
+  const runtime = {
+    manifest: bootstrappedManifest,
+    plugins: [],
+    graph,
+    read(key) {
+      return readValue(graph, key);
+    },
+    require(key) {
+      return requireValue(graph, key);
+    },
+    readOr(key, fallback) {
+      return readOrValue(graph, key, fallback);
+    },
+    value(path) {
+      return readValue(graph, toLogicalKey("value", path));
+    },
+    secret(path) {
+      return readValue(graph, toLogicalKey("secret", path));
+    },
+    meta(path) {
+      return readValue(graph, toLogicalKey("meta", path));
+    },
+    inspect(key) {
+      return inspectValue(graph, key);
+    },
+    toObject() {
+      return toNamespaceObject(graph);
+    },
+    toNamespace(namespace) {
+      return toNamespaceObject(graph, namespace);
+    },
+    toEnv(options) {
+      return toEnv(graph, bootstrappedManifest, options);
+    },
+    toPublicEnv(options) {
+      return toPublicEnv(graph, bootstrappedManifest, options);
+    }
+  };
+  setSingletonRuntime(runtime);
+  setBootstrappedSecretHydrationRequired(graphRequiresSecretHydration(graph));
+}
+function bootstrapFromProcessEnv() {
+  if (typeof process === "undefined") {
+    return;
+  }
+  try {
+    const graph = readRuntimeGraphFromEnv(process.env);
+    if (graph) {
+      attachBootstrappedGraph(graph);
+    }
+  } catch {
+  }
+}
+bootstrapFromProcessEnv();
+var cnos = Object.assign(
+  ((key) => readValue(getRuntimeOrThrow().graph, key)),
+  {
+    read(key) {
+      return readValue(getRuntimeOrThrow().graph, key);
+    },
+    require(key) {
+      return requireValue(getRuntimeOrThrow().graph, key);
+    },
+    readOr(key, fallback) {
+      return readOrValue(getRuntimeOrThrow().graph, key, fallback);
+    },
+    value(path) {
+      return readValue(getRuntimeOrThrow().graph, toLogicalKey("value", path));
+    },
+    secret(path) {
+      return readValue(getRuntimeOrThrow().graph, toLogicalKey("secret", path));
+    },
+    meta(path) {
+      return readValue(getRuntimeOrThrow().graph, toLogicalKey("meta", path));
+    },
+    async ready() {
+      if (getSingletonRuntime() && !getBootstrappedSecretHydrationRequired()) {
+        return;
+      }
+      const existing = getSingletonReady();
+      if (existing && !getBootstrappedSecretHydrationRequired()) {
+        await existing;
+        return;
+      }
+      const readyPromise = createCnos().then((runtime) => {
+        setSingletonRuntime(runtime);
+        return runtime;
+      });
+      setSingletonReady(readyPromise);
+      await readyPromise;
+    }
+  }
+);
+var runtime_default = cnos;
+
+export {
+  runtime_default
+};

package/dist/{chunk-SO5XREEU.js → chunk-EDCLLCNL.js}

@@ -1,27 +1,27 @@
+import {
+  createEnvExportPlugin,
+  createPublicEnvExportPlugin
+} from "./chunk-OOKFRWTN.js";
 import {
   createFilesystemSecretsPlugin,
   createFilesystemValuesPlugin
-} from "./chunk-SXTMTACL.js";
+} from "./chunk-FC3IV6A7.js";
 import {
   createProcessEnvPlugin
-} from "./chunk-WHUGFPE4.js";
+} from "./chunk-CDXJISGB.js";
 import {
   createBasicSchemaPlugin
-} from "./chunk-MLQGYCO7.js";
+} from "./chunk-JDII6O72.js";
 import {
   createCliArgsPlugin
-} from "./chunk-ZA74BO47.js";
+} from "./chunk-OWUZQ4OH.js";
 import {
   createDotenvPlugin
-} from "./chunk-RD5WMHPM.js";
-import {
-  createEnvExportPlugin,
-  createPublicEnvExportPlugin
-} from "./chunk-EIN55XXA.js";
+} from "./chunk-QTKXPY3N.js";
 import {
   createCnos,
   createProvenanceInspector
-} from "./chunk-APCTXRUN.js";
+} from "./chunk-DRKDNY4I.js";
 
 // src/defaultPlugins.ts
 function defaultPlugins() {
@@ -41,12 +41,14 @@ function defaultPlugins() {
 // src/runtime/state.ts
 var singletonRuntime;
 var singletonReady;
+var bootstrappedSecretHydrationRequired = false;
 function getSingletonRuntime() {
   return singletonRuntime;
 }
 function setSingletonRuntime(runtime) {
   singletonRuntime = runtime;
   singletonReady = Promise.resolve(runtime);
+  bootstrappedSecretHydrationRequired = false;
   return runtime;
 }
 function getSingletonReady() {
@@ -56,11 +58,17 @@ function setSingletonReady(promise) {
   singletonReady = promise;
   return promise;
 }
+function getBootstrappedSecretHydrationRequired() {
+  return bootstrappedSecretHydrationRequired;
+}
+function setBootstrappedSecretHydrationRequired(value) {
+  bootstrappedSecretHydrationRequired = value;
+}
 
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.2.0",
+  version: "1.3.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -72,6 +80,16 @@ var package_default = {
       import: "./dist/index.js",
       require: "./dist/index.cjs"
     },
+    "./configure": {
+      types: "./dist/configure/index.d.ts",
+      import: "./dist/configure/index.js",
+      require: "./dist/configure/index.cjs"
+    },
+    "./create": {
+      types: "./dist/configure/index.d.ts",
+      import: "./dist/configure/index.js",
+      require: "./dist/configure/index.cjs"
+    },
     "./internal": {
       types: "./dist/internal.d.ts",
       import: "./dist/internal.js",
@@ -162,6 +180,7 @@ var package_default = {
 async function createCnos2(options = {}) {
   const runtime = await createCnos({
     ...options,
+    processEnv: options.processEnv ?? process.env,
     cnosVersion: package_default.version,
     plugins: [...defaultPlugins(), ...options.plugins ?? []]
   });
@@ -175,5 +194,7 @@ export {
   setSingletonRuntime,
   getSingletonReady,
   setSingletonReady,
+  getBootstrappedSecretHydrationRequired,
+  setBootstrappedSecretHydrationRequired,
   createCnos2 as createCnos
 };

package/dist/{chunk-SXTMTACL.js → chunk-FC3IV6A7.js}

@@ -2,11 +2,8 @@ import {
   CnosManifestError,
   isSecretReference,
   parseYaml,
-  readLocalSecret,
-  resolveSecretPassphrase,
-  resolveSecretStoreRoot,
   toPortablePath
-} from "./chunk-APCTXRUN.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";
@@ -98,31 +95,6 @@ function yamlObjectToEntries(document, filePath, namespace, sourceId, workspaceI
     }
   }));
 }
-async function resolveSecretValue(value, processEnv) {
-  if (!isSecretReference(value)) {
-    return value;
-  }
-  if (value.provider === "local") {
-    const passphrase = resolveSecretPassphrase(value.vault, processEnv);
-    if (!passphrase) {
-      return value;
-    }
-    return readLocalSecret(
-      resolveSecretStoreRoot(processEnv),
-      value.ref,
-      passphrase,
-      value.vault
-    );
-  }
-  if (value.provider === "env" || value.provider === "github-secrets") {
-    const resolved = processEnv?.[value.ref];
-    if (resolved === void 0) {
-      return value;
-    }
-    return resolved;
-  }
-  return value;
-}
 function toSecretReferenceMetadata(value) {
   if (!isSecretReference(value)) {
     return void 0;
@@ -155,10 +127,8 @@ function createFilesystemSecretsPlugin() {
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
-          const resolvedValue = await resolveSecretValue(entry.value, context.processEnv);
           entries.push({
             ...entry,
-            value: resolvedValue,
             ...metadata ? { metadata } : {}
           });
         }

package/dist/{chunk-MLQGYCO7.js → chunk-JDII6O72.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-APCTXRUN.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {

package/dist/chunk-K6QYI2T4.js

@@ -0,0 +1,105 @@
+import {
+  isSecretReference
+} from "./chunk-DRKDNY4I.js";
+
+// src/runtime/bootstrap.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+var CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
+var CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
+function serializeRuntimeGraph(graph) {
+  const payload = {
+    entries: Array.from(graph.entries.values()),
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    profileSource: graph.profileSource,
+    workspace: graph.workspace
+  };
+  return JSON.stringify(payload);
+}
+function deserializeRuntimeGraph(source) {
+  const payload = JSON.parse(source);
+  if (!payload || !Array.isArray(payload.entries) || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || !payload.profileSource || !payload.workspace || typeof payload.workspace.workspaceId !== "string" || !Array.isArray(payload.workspace.workspaceChain) || !Array.isArray(payload.workspace.workspaceRoots)) {
+    throw new Error("Invalid CNOS runtime bootstrap payload");
+  }
+  return {
+    entries: new Map(
+      payload.entries.map((entry) => [
+        entry.key,
+        {
+          key: entry.key,
+          value: entry.value,
+          namespace: entry.namespace,
+          winner: entry.winner,
+          overridden: entry.overridden ?? []
+        }
+      ])
+    ),
+    profile: payload.profile,
+    resolvedAt: payload.resolvedAt,
+    profileSource: payload.profileSource,
+    workspace: payload.workspace
+  };
+}
+function decryptSecretPayload(serialized, sessionKey) {
+  const payload = JSON.parse(serialized);
+  if (!payload || typeof payload.iv !== "string" || typeof payload.tag !== "string" || typeof payload.ciphertext !== "string") {
+    throw new Error("Invalid CNOS secret payload");
+  }
+  const key = Buffer.from(sessionKey, "hex");
+  const iv = Buffer.from(payload.iv, "base64");
+  const tag = Buffer.from(payload.tag, "base64");
+  const ciphertext = Buffer.from(payload.ciphertext, "base64");
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+  return JSON.parse(plaintext);
+}
+function serializeSecretPayload(values) {
+  const key = randomBytes(32);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(values), "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    payload: JSON.stringify({
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      ciphertext: ciphertext.toString("base64")
+    }),
+    sessionKey: key.toString("hex")
+  };
+}
+function readRuntimeGraphFromEnv(processEnv = process.env) {
+  const serialized = processEnv[CNOS_GRAPH_ENV_VAR];
+  if (!serialized) {
+    return void 0;
+  }
+  const graph = deserializeRuntimeGraph(serialized);
+  const secretPayload = processEnv[CNOS_SECRET_PAYLOAD_ENV_VAR];
+  const sessionKey = processEnv[CNOS_SESSION_KEY_ENV_VAR];
+  if (secretPayload && sessionKey) {
+    const decrypted = decryptSecretPayload(secretPayload, sessionKey);
+    for (const [key, value] of Object.entries(decrypted)) {
+      const entry = graph.entries.get(key);
+      if (entry) {
+        entry.value = value;
+      }
+    }
+  }
+  return graph;
+}
+function graphRequiresSecretHydration(graph) {
+  return Array.from(graph.entries.values()).some((entry) => entry.namespace === "secret" && isSecretReference(entry.value));
+}
+
+export {
+  CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR,
+  serializeRuntimeGraph,
+  deserializeRuntimeGraph,
+  serializeSecretPayload,
+  readRuntimeGraphFromEnv,
+  graphRequiresSecretHydration
+};

package/dist/{chunk-EIN55XXA.js → chunk-OOKFRWTN.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-APCTXRUN.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-ZA74BO47.js → chunk-OWUZQ4OH.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-APCTXRUN.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";

package/dist/{chunk-RD5WMHPM.js → chunk-QTKXPY3N.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-APCTXRUN.js";
+} from "./chunk-DRKDNY4I.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";