@kitsy/cnos 1.2.0 → 1.4.0

package/dist/configure/index.cjs

@@ -0,0 +1,3021 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/configure/index.ts
+var configure_exports = {};
+__export(configure_exports, {
+  createCnos: () => createCnos2,
+  defaultPlugins: () => defaultPlugins,
+  planDump: () => planDump,
+  toEnv: () => toEnv,
+  toPublicEnv: () => toPublicEnv,
+  writeDump: () => writeDump
+});
+module.exports = __toCommonJS(configure_exports);
+
+// ../core/src/errors.ts
+var CnosError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = new.target.name;
+  }
+};
+var CnosManifestError = class extends CnosError {
+  constructor(message, manifestPath) {
+    super(manifestPath ? `${message} (${manifestPath})` : message);
+    this.manifestPath = manifestPath;
+  }
+  manifestPath;
+};
+var CnosSecurityError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+var CnosAuthenticationError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+var CnosKeyNotFoundError = class extends CnosError {
+  constructor(key) {
+    super(`Missing required CNOS config key: ${key}`);
+    this.key = key;
+  }
+  key;
+};
+
+// ../core/src/runtime/inspect.ts
+function inspectValue(graph, key) {
+  const entry = graph.entries.get(key);
+  if (!entry) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return {
+    key: entry.key,
+    value: entry.value,
+    namespace: entry.namespace,
+    profile: graph.profile,
+    profileSource: graph.profileSource,
+    workspace: {
+      id: graph.workspace.workspaceId,
+      source: graph.workspace.workspaceSource,
+      chain: graph.workspace.workspaceChain
+    },
+    winner: {
+      sourceId: entry.winner.sourceId,
+      pluginId: entry.winner.pluginId,
+      workspaceId: entry.winner.workspaceId,
+      ...entry.winner.origin ? { origin: entry.winner.origin } : {}
+    },
+    overridden: entry.overridden.map((override) => ({
+      sourceId: override.sourceId,
+      pluginId: override.pluginId,
+      workspaceId: override.workspaceId,
+      value: override.value,
+      ...override.origin ? { origin: override.origin } : {}
+    }))
+  };
+}
+
+// ../core/src/inspectors/provenance.ts
+function createProvenanceInspector() {
+  return {
+    id: "provenance",
+    kind: "inspector",
+    async inspect(key, graph) {
+      return inspectValue(graph, key);
+    }
+  };
+}
+
+// ../core/src/keychain/linux.ts
+var import_node_child_process = require("child_process");
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+async function readLinuxKeychain(entry) {
+  try {
+    const { stdout } = await execFileAsync("secret-tool", ["lookup", "service", "cnos", "account", entry]);
+    const value = stdout.trim();
+    return value.length > 0 ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+
+// ../core/src/keychain/macos.ts
+var import_node_child_process2 = require("child_process");
+var import_node_util2 = require("util");
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process2.execFile);
+async function readMacosKeychain(entry) {
+  try {
+    const { stdout } = await execFileAsync2("security", ["find-generic-password", "-a", "cnos", "-s", entry, "-w"]);
+    const value = stdout.trim();
+    return value.length > 0 ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+
+// ../core/src/keychain/windows.ts
+var import_node_child_process3 = require("child_process");
+var import_node_util3 = require("util");
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process3.execFile);
+function wrap(script) {
+  return ["-NoProfile", "-Command", script];
+}
+async function readWindowsKeychain(entry) {
+  try {
+    const { stdout } = await execFileAsync3(
+      "powershell",
+      wrap(`Add-Type -AssemblyName System.Runtime.WindowsRuntime; [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] > $null; $vault = New-Object Windows.Security.Credentials.PasswordVault; $credential = $vault.Retrieve('cnos','${entry}'); $credential.RetrievePassword(); Write-Output $credential.Password`)
+    );
+    const value = stdout.trim();
+    return value.length > 0 ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+
+// ../core/src/keychain/index.ts
+async function readKeychain(entry) {
+  if (process.platform === "win32") {
+    return readWindowsKeychain(entry);
+  }
+  if (process.platform === "darwin") {
+    return readMacosKeychain(entry);
+  }
+  if (process.platform === "linux") {
+    return readLinuxKeychain(entry);
+  }
+  return void 0;
+}
+
+// ../core/src/manifest/loadManifest.ts
+var import_promises2 = require("fs/promises");
+var import_node_path2 = __toESM(require("path"), 1);
+
+// ../core/src/utils/path.ts
+var import_promises = require("fs/promises");
+var import_node_os = __toESM(require("os"), 1);
+var import_node_path = __toESM(require("path"), 1);
+var PRIMARY_CNOS_DIR = ".cnos";
+var LEGACY_CNOS_DIR = "cnos";
+async function exists(filePath) {
+  try {
+    await (0, import_promises.access)(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveCnosRoot(root = process.cwd()) {
+  const basePath = import_node_path.default.resolve(root);
+  const candidates = [
+    import_node_path.default.join(basePath, PRIMARY_CNOS_DIR),
+    import_node_path.default.join(basePath, LEGACY_CNOS_DIR),
+    basePath
+  ];
+  for (const candidate of candidates) {
+    if (await exists(import_node_path.default.join(candidate, "cnos.yml"))) {
+      return candidate;
+    }
+  }
+  throw new CnosManifestError(
+    `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
+  );
+}
+async function resolveManifestRoot(root = process.cwd()) {
+  return resolveCnosRoot(root);
+}
+function interpolatePathTemplate(template, tokens) {
+  return Object.entries(tokens).reduce(
+    (result, [token, value]) => result.replaceAll(`{${token}}`, value),
+    template
+  );
+}
+function expandHomePath(targetPath) {
+  if (targetPath === "~") {
+    return import_node_os.default.homedir();
+  }
+  if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
+    return import_node_path.default.join(import_node_os.default.homedir(), targetPath.slice(2));
+  }
+  return targetPath;
+}
+function stripWorkspaceTemplatePrefix(template) {
+  const normalized = template.replace(/\\/g, "/").replace(/^\.\//, "");
+  const marker = "workspaces/{workspace}";
+  if (normalized === marker) {
+    return ".";
+  }
+  if (normalized.startsWith(`${marker}/`)) {
+    return normalized.slice(marker.length + 1);
+  }
+  return template;
+}
+function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
+  const relativeTemplate = stripWorkspaceTemplatePrefix(template);
+  const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
+  return import_node_path.default.resolve(workspaceRoot, interpolated);
+}
+function toPortablePath(targetPath) {
+  return targetPath.replace(/\\/g, "/");
+}
+function joinConfigPath(...parts) {
+  return parts.flatMap((part) => part.split(".")).map((part) => part.trim()).filter(Boolean).join(".");
+}
+function toLogicalKey(namespace, valuePath) {
+  return `${namespace}.${joinConfigPath(valuePath)}`;
+}
+function stripNamespace(key) {
+  return key.split(".").slice(1).join(".");
+}
+
+// ../core/src/utils/yaml.ts
+var import_yaml = require("yaml");
+function parseYaml(source) {
+  return (0, import_yaml.parse)(source);
+}
+function stringifyYaml(value) {
+  return (0, import_yaml.stringify)(value);
+}
+
+// ../core/src/manifest/normalizeManifest.ts
+var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
+var DEFAULT_LOADERS = [
+  "filesystem-values",
+  "filesystem-secrets",
+  "dotenv",
+  "process-env",
+  "cli-args"
+];
+var DEFAULT_VALIDATORS = ["basic-schema"];
+var DEFAULT_EXPORTERS = ["env", "public-env"];
+var DEFAULT_INSPECTORS = ["provenance"];
+var DEFAULT_FRAMEWORK_PREFIXES = {
+  next: "NEXT_PUBLIC_",
+  vite: "VITE_",
+  nuxt: "NUXT_PUBLIC_"
+};
+var DEFAULT_NAMESPACES = {
+  value: {
+    kind: "data",
+    shareable: true
+  },
+  secret: {
+    kind: "data",
+    shareable: false,
+    sensitive: true
+  },
+  meta: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  process: {
+    kind: "system",
+    shareable: false,
+    readonly: true
+  },
+  public: {
+    kind: "projection",
+    source: "promote",
+    shareable: true,
+    readonly: true
+  },
+  env: {
+    kind: "projection",
+    source: "envMapping",
+    shareable: true,
+    readonly: true
+  }
+};
+function validateResolveFrom(resolveFrom) {
+  const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
+  for (const entry of resolveFrom) {
+    if (!validValues.includes(entry)) {
+      throw new CnosManifestError(`Unsupported profiles.resolveFrom entry: ${entry}`);
+    }
+  }
+  return resolveFrom;
+}
+function normalizeWorkspaceItems(items) {
+  return Object.fromEntries(
+    Object.entries(items ?? {}).map(([workspaceId, item]) => [
+      workspaceId,
+      {
+        extends: Array.isArray(item?.extends) ? item.extends.map((entry) => entry.trim()).filter(Boolean) : item?.extends ? [item.extends.trim()].filter(Boolean) : [],
+        ...item?.globalId?.trim() ? { globalId: item.globalId.trim() } : {}
+      }
+    ])
+  );
+}
+function normalizeNamespaces(namespaces) {
+  const normalized = Object.fromEntries(
+    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+      namespace,
+      {
+        kind: definition.kind ?? "data",
+        shareable: definition.shareable ?? false,
+        ...definition.sensitive !== void 0 ? { sensitive: definition.sensitive } : {},
+        ...definition.readonly !== void 0 ? { readonly: definition.readonly } : {},
+        ...definition.source ? { source: definition.source } : {}
+      }
+    ])
+  );
+  return {
+    ...DEFAULT_NAMESPACES,
+    ...normalized
+  };
+}
+function normalizeVaults(vaults) {
+  return Object.fromEntries(
+    Object.entries(vaults ?? {}).map(([name, definition]) => {
+      const legacyPassphrase = definition.passphrase;
+      if (legacyPassphrase !== void 0) {
+        throw new CnosManifestError(
+          `Vault "${name}" uses legacy passphrase configuration. Use vaults.${name}.auth instead.`
+        );
+      }
+      const provider = definition.provider?.trim();
+      if (!provider) {
+        throw new CnosManifestError(`Vault "${name}" requires a provider`);
+      }
+      const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
+      const normalizedMapping = Object.fromEntries(
+        Object.entries(definition.mapping ?? {}).filter(
+          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+      );
+      return [
+        name,
+        {
+          provider,
+          auth: normalizedAuth,
+          ...Object.keys(normalizedMapping).length > 0 ? {
+            mapping: normalizedMapping
+          } : {}
+        }
+      ];
+    })
+  );
+}
+function normalizeAuthSources(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return void 0;
+  }
+  const sources = Array.isArray(value.from) ? value.from : void 0;
+  const normalized = (sources ?? []).map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean);
+  return normalized.length > 0 ? normalized : void 0;
+}
+function normalizeVaultAuth(vaultName, provider, auth) {
+  if (provider === "local") {
+    const passphraseSources = normalizeAuthSources(auth?.passphrase);
+    const defaultToken = vaultName.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+    const defaultSources = [
+      ...defaultToken ? [`env:CNOS_SECRET_PASSPHRASE_${defaultToken}`] : [],
+      "env:CNOS_SECRET_PASSPHRASE",
+      `keychain:cnos/${vaultName}`,
+      "prompt"
+    ];
+    return {
+      method: auth?.method ?? "passphrase",
+      passphrase: {
+        from: passphraseSources ?? defaultSources
+      },
+      ...auth?.config ? { config: auth.config } : {}
+    };
+  }
+  if (provider === "github-secrets") {
+    return {
+      method: auth?.method ?? "environment",
+      ...auth?.config ? { config: auth.config } : {}
+    };
+  }
+  return {
+    ...auth?.method ? { method: auth.method } : {},
+    ...normalizeAuthSources(auth?.passphrase) ? {
+      passphrase: {
+        from: normalizeAuthSources(auth?.passphrase) ?? []
+      }
+    } : {},
+    ...normalizeAuthSources(auth?.token) ? {
+      token: {
+        from: normalizeAuthSources(auth?.token) ?? []
+      }
+    } : {},
+    ...auth?.config ? { config: auth.config } : {}
+  };
+}
+function normalizeManifest(manifest) {
+  const version = manifest.version ?? 1;
+  if (version !== 1) {
+    throw new CnosManifestError(`Unsupported CNOS manifest version: ${version}`);
+  }
+  const projectName = manifest.project?.name?.trim();
+  if (!projectName) {
+    throw new CnosManifestError("Manifest requires project.name");
+  }
+  const defaultProfile = manifest.profiles?.default?.trim() || "base";
+  const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
+  const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const filesystemValues = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-values"] ?? {}
+  };
+  const filesystemSecrets = {
+    root: "./",
+    format: "yaml",
+    ...manifest.sources?.["filesystem-secrets"] ?? {}
+  };
+  const dotenv = {
+    root: "./env",
+    ...manifest.sources?.dotenv ?? {}
+  };
+  return {
+    version: 1,
+    project: {
+      name: projectName
+    },
+    workspaces: {
+      ...manifest.workspaces?.default?.trim() ? {
+        default: manifest.workspaces.default.trim()
+      } : {},
+      global: {
+        enabled: manifest.workspaces?.global?.enabled ?? false,
+        ...manifest.workspaces?.global?.root?.trim() ? {
+          root: manifest.workspaces.global.root.trim()
+        } : {},
+        allowWrite: manifest.workspaces?.global?.allowWrite ?? false
+      },
+      items: workspaceItems
+    },
+    profiles: {
+      default: defaultProfile,
+      resolveFrom
+    },
+    plugins: {
+      loaders: manifest.plugins?.loaders ?? DEFAULT_LOADERS,
+      resolver: manifest.plugins?.resolver ?? "profile-aware",
+      validators: manifest.plugins?.validators ?? DEFAULT_VALIDATORS,
+      exporters: manifest.plugins?.exporters ?? DEFAULT_EXPORTERS,
+      inspectors: manifest.plugins?.inspectors ?? DEFAULT_INSPECTORS
+    },
+    sources: {
+      ...manifest.sources ?? {},
+      "filesystem-values": filesystemValues,
+      "filesystem-secrets": filesystemSecrets,
+      dotenv
+    },
+    resolution: {
+      precedence: manifest.resolution?.precedence ?? [
+        "filesystem-values",
+        "filesystem-secrets",
+        "dotenv",
+        "process-env",
+        "cli-args"
+      ],
+      arrayPolicy: manifest.resolution?.arrayPolicy ?? "replace"
+    },
+    envMapping: {
+      ...manifest.envMapping?.convention ? {
+        convention: manifest.envMapping.convention
+      } : {},
+      explicit: manifest.envMapping?.explicit ?? {}
+    },
+    public: {
+      promote: manifest.public?.promote ?? [],
+      frameworks: {
+        ...DEFAULT_FRAMEWORK_PREFIXES,
+        ...manifest.public?.frameworks ?? {}
+      }
+    },
+    namespaces: normalizeNamespaces(manifest.namespaces),
+    vaults: normalizeVaults(manifest.vaults),
+    writePolicy: {
+      define: {
+        defaultProfile: manifest.writePolicy?.define?.defaultProfile ?? defaultProfile,
+        targets: {
+          value: manifest.writePolicy?.define?.targets?.value ?? "./values/app.yml",
+          secret: manifest.writePolicy?.define?.targets?.secret ?? "./secrets/app.yml"
+        }
+      }
+    },
+    schema: manifest.schema ?? {}
+  };
+}
+
+// ../core/src/manifest/loadManifest.ts
+async function loadManifest(options = {}) {
+  const manifestRoot = await resolveManifestRoot(options.root);
+  const manifestPath = import_node_path2.default.join(manifestRoot, "cnos.yml");
+  let source;
+  try {
+    source = await (0, import_promises2.readFile)(manifestPath, "utf8");
+  } catch {
+    throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
+  }
+  const rawManifest = parseYaml(source);
+  if (!rawManifest || typeof rawManifest !== "object") {
+    throw new CnosManifestError("CNOS manifest must be a YAML object", manifestPath);
+  }
+  return {
+    manifestRoot,
+    repoRoot: import_node_path2.default.dirname(manifestRoot),
+    manifestPath,
+    manifest: normalizeManifest(rawManifest),
+    rawManifest
+  };
+}
+
+// ../core/src/manifest/loadWorkspaceFile.ts
+var import_promises3 = require("fs/promises");
+var import_node_path3 = __toESM(require("path"), 1);
+async function loadWorkspaceFile(repoRoot) {
+  const workspaceFilePath = import_node_path3.default.join(repoRoot, ".cnos-workspace.yml");
+  try {
+    const source = await (0, import_promises3.readFile)(workspaceFilePath, "utf8");
+    const parsed = parseYaml(source);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
+    }
+    const config = parsed;
+    return {
+      path: workspaceFilePath,
+      config: {
+        ...config.workspace ? { workspace: config.workspace.trim() } : {},
+        ...config.profile ? { profile: config.profile.trim() } : {},
+        ...config.globalRoot ? { globalRoot: config.globalRoot.trim() } : {}
+      }
+    };
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  }
+}
+
+// ../core/src/profiles/expandProfileChain.ts
+var import_promises4 = require("fs/promises");
+var import_node_path4 = __toESM(require("path"), 1);
+async function fileExists(targetPath) {
+  try {
+    await (0, import_promises4.access)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function normalizeProfileDefinition(profileName, rawDefinition, filePath) {
+  const normalizeActivationLayer = (entry, namespace) => {
+    const normalized = entry.trim();
+    if (!normalized) {
+      return normalized;
+    }
+    if (normalized.includes("/") || normalized.includes("\\") || normalized.startsWith(".")) {
+      return normalized.replace(/\\/g, "/");
+    }
+    return `${namespace}/${normalized}`;
+  };
+  return {
+    name: rawDefinition?.name?.trim() || profileName,
+    extends: Array.isArray(rawDefinition?.extends) ? rawDefinition.extends.map((entry) => entry.trim()).filter(Boolean) : rawDefinition?.extends ? [rawDefinition.extends.trim()].filter(Boolean) : [],
+    activate: {
+      values: rawDefinition?.activate?.values?.map((entry) => normalizeActivationLayer(entry, "values")).filter(Boolean) ?? [],
+      secrets: rawDefinition?.activate?.secrets?.map((entry) => normalizeActivationLayer(entry, "secrets")).filter(Boolean) ?? [],
+      envFiles: rawDefinition?.activate?.envFiles?.map((entry) => entry.trim()).filter(Boolean) ?? []
+    },
+    ...filePath ? { filePath } : {}
+  };
+}
+async function loadProfileDefinition(profileName, options) {
+  const workspaceRoots = options.workspace?.workspaceRoots ?? [];
+  if (workspaceRoots.length === 0) {
+    return normalizeProfileDefinition(profileName, void 0);
+  }
+  for (const workspaceRoot of [...workspaceRoots].reverse()) {
+    const profilePath = import_node_path4.default.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    if (!await fileExists(profilePath)) {
+      continue;
+    }
+    const document = await (0, import_promises4.readFile)(profilePath, "utf8");
+    const parsed = parseYaml(document);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
+    }
+    const definition = normalizeProfileDefinition(
+      profileName,
+      parsed,
+      options.manifestRoot ? toPortablePath(import_node_path4.default.relative(import_node_path4.default.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+    );
+    if (definition.name !== profileName) {
+      throw new CnosManifestError(
+        `Profile file name mismatch: expected "${profileName}" but found "${definition.name}"`,
+        profilePath
+      );
+    }
+    return definition;
+  }
+  return normalizeProfileDefinition(profileName, void 0);
+}
+function pushUnique(target, values) {
+  for (const value of values) {
+    if (!target.includes(value)) {
+      target.push(value);
+    }
+  }
+}
+function buildFallbackActivation(activeProfile, orderedProfiles) {
+  const overlayProfiles = orderedProfiles.filter((profile) => profile !== "base");
+  return {
+    values: [
+      "values",
+      ...activeProfile !== "base" ? ["values/base"] : [],
+      ...overlayProfiles.flatMap((profile) => [`profiles/${profile}/values`, `values/${profile}`])
+    ],
+    secrets: [
+      "secrets",
+      ...overlayProfiles.flatMap((profile) => [`profiles/${profile}/secrets`, `secrets/${profile}`])
+    ],
+    envFiles: activeProfile === "base" ? [".env"] : [".env", `.env.${activeProfile}`]
+  };
+}
+async function expandProfileChain(activeProfile, options = {}) {
+  const visiting = /* @__PURE__ */ new Set();
+  const resolved = /* @__PURE__ */ new Set();
+  const orderedProfiles = [];
+  const definitions = /* @__PURE__ */ new Map();
+  const visit = async (profileName) => {
+    if (resolved.has(profileName)) {
+      return;
+    }
+    if (visiting.has(profileName)) {
+      throw new CnosManifestError(`Detected profile inheritance cycle involving "${profileName}"`);
+    }
+    visiting.add(profileName);
+    const definition = await loadProfileDefinition(profileName, options);
+    definitions.set(profileName, definition);
+    for (const parent of definition.extends) {
+      await visit(parent);
+    }
+    visiting.delete(profileName);
+    resolved.add(profileName);
+    orderedProfiles.push(profileName);
+  };
+  await visit(activeProfile);
+  const activation = {
+    values: [],
+    secrets: [],
+    envFiles: []
+  };
+  for (const profileName of orderedProfiles) {
+    const definition = definitions.get(profileName);
+    if (!definition) {
+      continue;
+    }
+    pushUnique(activation.values, definition.activate.values);
+    pushUnique(activation.secrets, definition.activate.secrets);
+    pushUnique(activation.envFiles, definition.activate.envFiles);
+  }
+  const fallback = buildFallbackActivation(activeProfile, orderedProfiles);
+  if (activation.values.length === 0) {
+    activation.values = fallback.values;
+  }
+  if (activation.secrets.length === 0) {
+    activation.secrets = fallback.secrets;
+  }
+  if (activation.envFiles.length === 0) {
+    activation.envFiles = fallback.envFiles;
+  }
+  return {
+    activeProfile,
+    profiles: orderedProfiles,
+    activation
+  };
+}
+
+// ../core/src/promotions/validatePromotion.ts
+var DEFAULT_DATA_NAMESPACE = {
+  kind: "data",
+  shareable: false
+};
+function getNamespaceNameForKey(key) {
+  const [namespace] = key.split(".");
+  if (!namespace || !key.includes(".")) {
+    throw new CnosManifestError(`Logical key must be namespace-qualified: ${key}`);
+  }
+  return namespace;
+}
+function getNamespaceDefinition(manifest, namespaceOrKey) {
+  const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
+  return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
+}
+function ensureProjectionAllowed(manifest, key, target) {
+  const namespace = getNamespaceNameForKey(key);
+  const definition = getNamespaceDefinition(manifest, namespace);
+  if (definition.kind !== "data") {
+    throw new CnosManifestError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not a data namespace.`
+    );
+  }
+  if (definition.sensitive) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
+    );
+  }
+  if (!definition.shareable) {
+    throw new CnosSecurityError(
+      `Cannot promote ${key} to ${target} because namespace "${namespace}" is not shareable.`
+    );
+  }
+}
+
+// ../core/src/promotions/promoteToPublic.ts
+function toPublicKey(key) {
+  const namespace = getNamespaceNameForKey(key);
+  return namespace === "value" ? `public.${stripNamespace(key)}` : `public.${key}`;
+}
+function toPromotedConfigEntry(entry, key, promotedFrom) {
+  return {
+    ...entry,
+    key,
+    namespace: "public",
+    sourceId: "public-promote",
+    pluginId: "core",
+    metadata: {
+      ...entry.metadata ?? {},
+      promotedFrom
+    }
+  };
+}
+function toPromotedResolvedEntry(entry) {
+  const key = toPublicKey(entry.key);
+  return {
+    key,
+    value: entry.value,
+    namespace: "public",
+    winner: toPromotedConfigEntry(entry.winner, key, entry.key),
+    overridden: entry.overridden.map((override) => toPromotedConfigEntry(override, key, entry.key))
+  };
+}
+function promoteToPublic(graph, manifest) {
+  const entries = new Map(graph.entries);
+  for (const key of manifest.public.promote) {
+    ensureProjectionAllowed(manifest, key, "public");
+    const resolved = graph.entries.get(key);
+    if (!resolved) {
+      continue;
+    }
+    entries.set(toPublicKey(key), toPromotedResolvedEntry(resolved));
+  }
+  return {
+    ...graph,
+    entries
+  };
+}
+
+// ../core/src/profiles/resolveActiveProfile.ts
+function resolveActiveProfile(manifest, options = {}) {
+  for (const source of manifest.profiles.resolveFrom) {
+    if (source === "cli.profile" && options.profile) {
+      return {
+        profile: options.profile,
+        source: "cli"
+      };
+    }
+    if (source === "env.CNOS_PROFILE") {
+      if (options.workspaceFile?.profile) {
+        return {
+          profile: options.workspaceFile.profile,
+          source: "workspace-file"
+        };
+      }
+      const envProfile = options.processEnv?.CNOS_PROFILE;
+      if (envProfile) {
+        return {
+          profile: envProfile,
+          source: "env"
+        };
+      }
+    }
+    if (source === "default") {
+      return {
+        profile: manifest.profiles.default,
+        source: "manifest-default"
+      };
+    }
+  }
+  return {
+    profile: manifest.profiles.default,
+    source: "manifest-default"
+  };
+}
+
+// ../core/src/utils/deepMerge.ts
+function isPlainObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function deepMerge(base, override) {
+  const merged = { ...base };
+  for (const [key, value] of Object.entries(override)) {
+    const currentValue = merged[key];
+    if (isPlainObject(currentValue) && isPlainObject(value)) {
+      merged[key] = deepMerge(currentValue, value);
+      continue;
+    }
+    merged[key] = value;
+  }
+  return merged;
+}
+
+// ../core/src/resolvers/profileAwareResolver.ts
+function mergeResolvedValue(currentValue, nextValue, arrayPolicy) {
+  if (Array.isArray(currentValue) && Array.isArray(nextValue)) {
+    if (arrayPolicy === "append") {
+      return [...currentValue, ...nextValue];
+    }
+    if (arrayPolicy === "unique-append") {
+      return [.../* @__PURE__ */ new Set([...currentValue, ...nextValue])];
+    }
+    return [...nextValue];
+  }
+  if (isPlainObject(currentValue) && isPlainObject(nextValue)) {
+    return deepMerge(currentValue, nextValue);
+  }
+  return nextValue;
+}
+function createProfileAwareResolver() {
+  return {
+    id: "profile-aware",
+    kind: "resolver",
+    async resolve(entries, context) {
+      const precedence = new Map(context.precedenceOrder.map((sourceId, index) => [sourceId, index]));
+      const sortedEntries = entries.map((entry, index) => ({
+        entry,
+        index,
+        precedence: precedence.get(entry.sourceId) ?? context.precedenceOrder.length
+      })).sort((left, right) => left.precedence - right.precedence || left.index - right.index);
+      const resolvedEntries = /* @__PURE__ */ new Map();
+      for (const { entry } of sortedEntries) {
+        const current = resolvedEntries.get(entry.key);
+        if (!current) {
+          resolvedEntries.set(entry.key, {
+            key: entry.key,
+            value: entry.value,
+            namespace: entry.namespace,
+            winner: entry,
+            overridden: []
+          });
+          continue;
+        }
+        resolvedEntries.set(entry.key, {
+          key: entry.key,
+          value: mergeResolvedValue(current.value, entry.value, context.manifest.resolution.arrayPolicy),
+          namespace: current.namespace,
+          winner: entry,
+          overridden: [...current.overridden, current.winner]
+        });
+      }
+      return {
+        entries: resolvedEntries,
+        profile: context.profile,
+        resolvedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        profileSource: "manifest-default",
+        workspace: context.workspace
+      };
+    }
+  };
+}
+
+// ../core/src/workspaces/resolveWorkspaceContext.ts
+var import_promises5 = require("fs/promises");
+var import_node_path5 = __toESM(require("path"), 1);
+
+// ../core/src/workspaces/expandWorkspaceChain.ts
+function expandWorkspaceChain(workspaceId, items) {
+  if (Object.keys(items).length === 0) {
+    return [workspaceId];
+  }
+  if (!items[workspaceId]) {
+    throw new CnosManifestError(`Unknown workspace "${workspaceId}"`);
+  }
+  const visiting = /* @__PURE__ */ new Set();
+  const resolved = /* @__PURE__ */ new Set();
+  const chain = [];
+  const visit = (currentWorkspaceId) => {
+    if (resolved.has(currentWorkspaceId)) {
+      return;
+    }
+    if (visiting.has(currentWorkspaceId)) {
+      throw new CnosManifestError(`Detected workspace inheritance cycle involving "${currentWorkspaceId}"`);
+    }
+    const item = items[currentWorkspaceId];
+    if (!item) {
+      throw new CnosManifestError(`Unknown workspace "${currentWorkspaceId}"`);
+    }
+    visiting.add(currentWorkspaceId);
+    for (const parentWorkspaceId of item.extends) {
+      visit(parentWorkspaceId);
+    }
+    visiting.delete(currentWorkspaceId);
+    resolved.add(currentWorkspaceId);
+    chain.push(currentWorkspaceId);
+  };
+  visit(workspaceId);
+  return chain;
+}
+
+// ../core/src/workspaces/resolveWorkspaceContext.ts
+async function exists2(targetPath) {
+  try {
+    await (0, import_promises5.access)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
+  const workspaceRoot = import_node_path5.default.join(manifestRoot, "workspaces", workspaceId);
+  if (await exists2(workspaceRoot)) {
+    return workspaceRoot;
+  }
+  const customDataNamespaceRoots = Object.entries(manifest.namespaces).filter(
+    ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
+  ).map(([namespace]) => namespace);
+  const legacyMarkers = ["values", "secrets", "env", "profiles", ...customDataNamespaceRoots].map(
+    (segment) => import_node_path5.default.join(manifestRoot, segment)
+  );
+  if ((await Promise.all(legacyMarkers.map((marker) => exists2(marker)))).some(Boolean)) {
+    return manifestRoot;
+  }
+  return workspaceRoot;
+}
+function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
+  if (workspaceOption) {
+    return {
+      workspaceId: workspaceOption,
+      source: "cli"
+    };
+  }
+  if (workspaceFile?.workspace) {
+    return {
+      workspaceId: workspaceFile.workspace,
+      source: "workspace-file"
+    };
+  }
+  if (manifest.workspaces.default) {
+    return {
+      workspaceId: manifest.workspaces.default,
+      source: "manifest-default"
+    };
+  }
+  if (Object.keys(manifest.workspaces.items).length === 0) {
+    return {
+      workspaceId: "default",
+      source: "implicit"
+    };
+  }
+  throw new CnosManifestError(
+    "Workspace selection requires --workspace, .cnos-workspace.yml, or workspaces.default when workspaces.items are defined"
+  );
+}
+function resolveGlobalRoot(manifest, workspaceFile, options) {
+  if (!manifest.workspaces.global.enabled) {
+    return {};
+  }
+  if (options.globalRoot) {
+    return {
+      value: import_node_path5.default.resolve(expandHomePath(options.globalRoot)),
+      source: "cli"
+    };
+  }
+  if (workspaceFile?.globalRoot) {
+    return {
+      value: import_node_path5.default.resolve(expandHomePath(workspaceFile.globalRoot)),
+      source: "workspace-file"
+    };
+  }
+  if (manifest.workspaces.global.root) {
+    return {
+      value: import_node_path5.default.resolve(expandHomePath(manifest.workspaces.global.root)),
+      source: "manifest"
+    };
+  }
+  const cnosHome = options.processEnv?.CNOS_HOME;
+  if (cnosHome) {
+    return {
+      value: import_node_path5.default.resolve(expandHomePath(cnosHome)),
+      source: "CNOS_HOME"
+    };
+  }
+  return {};
+}
+async function resolveWorkspaceContext(manifest, options) {
+  const selectedWorkspace = resolveWorkspaceSelection(manifest, options.workspaceFile, options.workspace);
+  const workspaceChain = expandWorkspaceChain(selectedWorkspace.workspaceId, manifest.workspaces.items);
+  const globalRoot = resolveGlobalRoot(manifest, options.workspaceFile, options);
+  const workspaceRoots = [];
+  if (globalRoot.value) {
+    for (const chainWorkspaceId of workspaceChain) {
+      const globalWorkspaceId = manifest.workspaces.items[chainWorkspaceId]?.globalId ?? chainWorkspaceId;
+      workspaceRoots.push({
+        scope: "global",
+        workspaceId: chainWorkspaceId,
+        path: import_node_path5.default.join(globalRoot.value, "workspaces", globalWorkspaceId)
+      });
+    }
+  }
+  for (const chainWorkspaceId of workspaceChain) {
+    workspaceRoots.push({
+      scope: "local",
+      workspaceId: chainWorkspaceId,
+      path: await resolveLocalWorkspaceRoot(options.manifestRoot, chainWorkspaceId, manifest)
+    });
+  }
+  return {
+    workspaceId: selectedWorkspace.workspaceId,
+    workspaceSource: selectedWorkspace.source,
+    ...globalRoot.value ? { globalRoot: globalRoot.value } : {},
+    ...globalRoot.source ? { globalRootSource: globalRoot.source } : {},
+    workspaceChain,
+    workspaceRoots
+  };
+}
+
+// ../core/src/validation/basicSchema.ts
+function describeValueType(value) {
+  if (Array.isArray(value)) {
+    return "array";
+  }
+  if (value === null) {
+    return "null";
+  }
+  return typeof value;
+}
+function coerceBoolean(value) {
+  if (value === "true") {
+    return true;
+  }
+  if (value === "false") {
+    return false;
+  }
+  return void 0;
+}
+function coerceValue(value, rule) {
+  if (typeof value !== "string" || !rule.type) {
+    return value;
+  }
+  switch (rule.type) {
+    case "number": {
+      const parsed = Number(value);
+      return Number.isNaN(parsed) ? value : parsed;
+    }
+    case "boolean":
+      return coerceBoolean(value) ?? value;
+    case "object":
+    case "array": {
+      try {
+        const parsed = JSON.parse(value);
+        if (rule.type === "array" && Array.isArray(parsed)) {
+          return parsed;
+        }
+        if (rule.type === "object" && parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+          return parsed;
+        }
+        return value;
+      } catch {
+        return value;
+      }
+    }
+    default:
+      return value;
+  }
+}
+function matchesType(value, type) {
+  if (!type) {
+    return true;
+  }
+  switch (type) {
+    case "array":
+      return Array.isArray(value);
+    case "object":
+      return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+    default:
+      return typeof value === type;
+  }
+}
+function enumMatches(value, allowed) {
+  const serialized = JSON.stringify(value);
+  return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
+}
+function applySchemaRules(graph, schema) {
+  const nextEntries = new Map(graph.entries);
+  const issues = [];
+  for (const [key, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
+    const resolvedEntry = nextEntries.get(key);
+    if (!resolvedEntry) {
+      if (rule.default !== void 0) {
+        const defaultEntry = {
+          key,
+          value: rule.default,
+          namespace: key.startsWith("secret.") ? "secret" : key.startsWith("meta.") ? "meta" : "value",
+          sourceId: "schema-default",
+          pluginId: "basic-schema",
+          workspaceId: graph.workspace.workspaceId,
+          metadata: {
+            schemaDefault: true
+          }
+        };
+        nextEntries.set(key, {
+          key,
+          value: rule.default,
+          namespace: defaultEntry.namespace,
+          winner: defaultEntry,
+          overridden: []
+        });
+        continue;
+      }
+      if (rule.required) {
+        issues.push({
+          code: "schema.required",
+          key,
+          message: `Missing required config key: ${key}`
+        });
+      }
+      continue;
+    }
+    const coercedValue = coerceValue(resolvedEntry.value, rule);
+    const nextResolvedEntry = coercedValue === resolvedEntry.value ? resolvedEntry : {
+      ...resolvedEntry,
+      value: coercedValue
+    };
+    if (!matchesType(coercedValue, rule.type)) {
+      issues.push({
+        code: "schema.type",
+        key,
+        message: `Config key ${key} expected type ${rule.type} but got ${describeValueType(coercedValue)}`
+      });
+    }
+    if (rule.enum && !enumMatches(coercedValue, rule.enum)) {
+      issues.push({
+        code: "schema.enum",
+        key,
+        message: `Config key ${key} must be one of ${rule.enum.map((entry) => JSON.stringify(entry)).join(", ")}`
+      });
+    }
+    if (rule.pattern) {
+      if (typeof coercedValue !== "string") {
+        issues.push({
+          code: "schema.pattern",
+          key,
+          message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
+        });
+      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+        issues.push({
+          code: "schema.pattern",
+          key,
+          message: `Config key ${key} does not match pattern ${rule.pattern}`
+        });
+      }
+    }
+    nextEntries.set(key, nextResolvedEntry);
+  }
+  return {
+    graph: {
+      ...graph,
+      entries: nextEntries
+    },
+    issues
+  };
+}
+
+// ../core/src/orchestrator/pipeline.ts
+async function runPipeline(options) {
+  const collectedEntries = await Promise.all(
+    options.plugins.map(
+      (plugin) => plugin.load({
+        manifest: options.manifest,
+        manifestConfig: {
+          ...options.manifest.sources[plugin.id] ?? {},
+          envMapping: options.manifest.envMapping
+        },
+        profile: options.profile,
+        profileChain: options.profileChain,
+        profileActivation: options.profileActivation,
+        manifestRoot: options.manifestRoot,
+        workspace: options.workspace,
+        ...options.cliArgs ? { cliArgs: options.cliArgs } : {},
+        ...options.processEnv ? { processEnv: options.processEnv } : {}
+      })
+    )
+  );
+  return collectedEntries.flat();
+}
+
+// ../core/src/secrets/auditLog.ts
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
+
+// ../core/src/utils/secretStore.ts
+var import_node_crypto = require("crypto");
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
+
+// ../core/src/secrets/sessionStore.ts
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
+function buildSessionRoot(processEnv = process.env) {
+  return import_node_path6.default.join(import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+}
+function buildSessionPath(vault, processEnv) {
+  return import_node_path6.default.join(buildSessionRoot(processEnv), `${vault}.json`);
+}
+async function readVaultSessionKey(vault, processEnv) {
+  try {
+    const source = await (0, import_promises6.readFile)(buildSessionPath(vault, processEnv), "utf8");
+    const document = JSON.parse(source);
+    if (document.version !== 1 || typeof document.derivedKey !== "string") {
+      return void 0;
+    }
+    const key = Buffer.from(document.derivedKey, "hex");
+    return key.length > 0 ? key : void 0;
+  } catch {
+    return void 0;
+  }
+}
+
+// ../core/src/utils/secretStore.ts
+var KEY_LENGTH = 32;
+var SALT_LENGTH = 32;
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+var PBKDF2_ITERATIONS = 6e5;
+var KEYSTORE_VERSION = 1;
+var METADATA_VERSION = 1;
+var META_FILENAME = "meta.yml";
+var KEYSTORE_FILENAME = "keystore.enc";
+function isObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isSecretReference(value) {
+  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+}
+function resolveSecretStoreRoot(processEnv = process.env) {
+  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+}
+function normalizeVaultToken(vault = "default") {
+  return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function getVaultPassphraseEnvVar(vault = "default") {
+  const vaultToken = normalizeVaultToken(vault);
+  return vaultToken && vaultToken !== "DEFAULT" ? `CNOS_SECRET_PASSPHRASE_${vaultToken}` : "CNOS_SECRET_PASSPHRASE";
+}
+function getVaultSessionKeyEnvVar(vault = "default") {
+  const vaultToken = normalizeVaultToken(vault);
+  return `__CNOS_VAULT_KEY_${vaultToken || "DEFAULT"}__`;
+}
+function resolveSecretPassphrase(vault = "default", processEnv = process.env) {
+  return processEnv[getVaultPassphraseEnvVar(vault)] ?? processEnv.CNOS_SECRET_PASSPHRASE;
+}
+function resolveVaultSessionKey(vault = "default", processEnv = process.env) {
+  const encoded = processEnv[getVaultSessionKeyEnvVar(vault)];
+  if (!encoded) {
+    return readVaultSessionKey(vault, processEnv);
+  }
+  try {
+    const key = Buffer.from(encoded, "hex");
+    return key.length === KEY_LENGTH ? key : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
+  return (0, import_node_crypto.pbkdf2Sync)(passphrase, salt, iterations, KEY_LENGTH, "sha512");
+}
+function buildMetaPath(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, META_FILENAME);
+}
+function buildKeystorePath(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+}
+function buildLegacyVaultFile(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", `${vault}.json`);
+}
+function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
+  return import_node_path7.default.join(storeRoot, "vaults", vault, "store");
+}
+function assertVaultMetadata(value, filePath) {
+  if (!isObject(value)) {
+    throw new CnosManifestError("Invalid CNOS vault metadata", filePath);
+  }
+  if (value.version !== METADATA_VERSION || value.algorithm !== "aes-256-gcm" || value.kdf !== "pbkdf2-sha512" || typeof value.iterations !== "number" || typeof value.salt !== "string" || typeof value.createdAt !== "string" || typeof value.secretCount !== "number") {
+    throw new CnosManifestError("Invalid CNOS vault metadata", filePath);
+  }
+  return value;
+}
+async function exists3(targetPath) {
+  try {
+    await (0, import_promises7.stat)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function detectLegacyVaultFormat(storeRoot, vault = "default") {
+  const legacyFile = buildLegacyVaultFile(storeRoot, vault);
+  const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
+  if (await exists3(legacyFile)) {
+    return legacyFile;
+  }
+  if (await exists3(legacyStore)) {
+    return legacyStore;
+  }
+  return void 0;
+}
+async function assertNoLegacyVaultFormat(storeRoot, vault = "default") {
+  const legacyPath = await detectLegacyVaultFormat(storeRoot, vault);
+  if (!legacyPath) {
+    return;
+  }
+  throw new CnosSecurityError(
+    `Legacy CNOS local vault format detected for vault "${vault}" at ${legacyPath}. CNOS 1.4 requires the new keystore format. Remove and recreate the vault.`
+  );
+}
+function encryptPayload(payload, key) {
+  const iv = (0, import_node_crypto.randomBytes)(IV_LENGTH);
+  const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", key, iv);
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([
+    Buffer.from(Uint32Array.of(KEYSTORE_VERSION).buffer),
+    iv,
+    tag,
+    ciphertext
+  ]);
+}
+function decryptPayload(buffer, key) {
+  if (buffer.length < 4 + IV_LENGTH + AUTH_TAG_LENGTH) {
+    throw new CnosSecurityError("Invalid CNOS local vault keystore");
+  }
+  const version = buffer.readUInt32LE(0);
+  if (version !== KEYSTORE_VERSION) {
+    throw new CnosSecurityError(`Unsupported CNOS local vault keystore version: ${version}`);
+  }
+  const ivOffset = 4;
+  const tagOffset = ivOffset + IV_LENGTH;
+  const cipherOffset = tagOffset + AUTH_TAG_LENGTH;
+  const iv = buffer.subarray(ivOffset, tagOffset);
+  const tag = buffer.subarray(tagOffset, cipherOffset);
+  const ciphertext = buffer.subarray(cipherOffset);
+  const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  try {
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+    const payload = JSON.parse(plaintext);
+    if (!payload || !isObject(payload.secrets) || !isObject(payload.metadata)) {
+      throw new Error("invalid");
+    }
+    return {
+      secrets: Object.fromEntries(
+        Object.entries(payload.secrets).filter((entry) => typeof entry[1] === "string")
+      ),
+      metadata: Object.fromEntries(
+        Object.entries(payload.metadata).filter(
+          (entry) => isObject(entry[1]) && typeof entry[1].createdAt === "string" && typeof entry[1].updatedAt === "string"
+        )
+      )
+    };
+  } catch {
+    throw new CnosAuthenticationError("Failed to decrypt CNOS local vault. Check vault authentication.");
+  }
+}
+function buildInitialPayload() {
+  return {
+    secrets: {},
+    metadata: {}
+  };
+}
+async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
+  const metaPath = buildMetaPath(storeRoot, vault);
+  const keystorePath = buildKeystorePath(storeRoot, vault);
+  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(metaPath), { recursive: true });
+  await (0, import_promises7.writeFile)(metaPath, stringifyYaml(meta), "utf8");
+  await (0, import_promises7.writeFile)(keystorePath, encryptPayload(payload, key));
+}
+async function readVaultMetadata(storeRoot, vault = "default") {
+  await assertNoLegacyVaultFormat(storeRoot, vault);
+  const metaPath = buildMetaPath(storeRoot, vault);
+  try {
+    const source = await (0, import_promises7.readFile)(metaPath, "utf8");
+    return assertVaultMetadata(parseYaml(source), metaPath);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  }
+}
+async function createSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  await assertNoLegacyVaultFormat(storeRoot, normalizedVault);
+  const salt = (0, import_node_crypto.randomBytes)(SALT_LENGTH);
+  const key = deriveVaultKey(passphrase, salt, PBKDF2_ITERATIONS);
+  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const meta = {
+    version: METADATA_VERSION,
+    algorithm: "aes-256-gcm",
+    kdf: "pbkdf2-sha512",
+    iterations: PBKDF2_ITERATIONS,
+    salt: salt.toString("base64"),
+    createdAt,
+    secretCount: 0
+  };
+  await writeVaultFiles(storeRoot, normalizedVault, meta, buildInitialPayload(), key);
+  return buildMetaPath(storeRoot, normalizedVault);
+}
+async function ensureSecretVault(storeRoot, vault, passphrase) {
+  const normalizedVault = vault.trim() || "default";
+  const meta = await readVaultMetadata(storeRoot, normalizedVault);
+  if (meta) {
+    return buildMetaPath(storeRoot, normalizedVault);
+  }
+  return createSecretVault(storeRoot, normalizedVault, passphrase);
+}
+function resolveConfiguredVaultPassphrase(definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return void 0;
+  }
+  const configuredSources = definition.auth?.passphrase?.from ?? [];
+  for (const source of configuredSources) {
+    if (source.startsWith("env:")) {
+      const value = processEnv[source.slice(4)];
+      if (value) {
+        return value;
+      }
+    }
+  }
+  return resolveSecretPassphrase(vault, processEnv);
+}
+async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
+  if (definition?.provider !== "local") {
+    return definition?.provider === "github-secrets" ? {
+      method: definition.auth?.method ?? "environment",
+      ...definition?.auth?.config ? { config: definition.auth.config } : {}
+    } : void 0;
+  }
+  const sessionKey = await resolveVaultSessionKey(vault, processEnv);
+  if (sessionKey) {
+    return {
+      derivedKey: sessionKey,
+      method: "keychain",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const passphrase = resolveConfiguredVaultPassphrase(definition, vault, processEnv);
+  if (passphrase) {
+    return {
+      passphrase,
+      method: "passphrase",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const metadata = await readVaultMetadata(storeRoot, vault);
+  if (!metadata) {
+    return void 0;
+  }
+  throw new CnosAuthenticationError(
+    `Cannot authenticate to vault "${vault}". Set ${getVaultPassphraseEnvVar(vault)} or run cnos vault auth ${vault}.`
+  );
+}
+async function loadVaultPayload(storeRoot, vault, auth) {
+  const meta = await readVaultMetadata(storeRoot, vault);
+  if (!meta) {
+    throw new CnosManifestError(`Missing CNOS vault metadata for "${vault}"`);
+  }
+  const salt = Buffer.from(meta.salt, "base64");
+  const key = auth.derivedKey ?? (auth.passphrase ? deriveVaultKey(auth.passphrase, salt, meta.iterations) : void 0);
+  if (!key) {
+    throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
+  }
+  const buffer = await (0, import_promises7.readFile)(buildKeystorePath(storeRoot, vault));
+  return {
+    meta,
+    payload: decryptPayload(buffer, key),
+    key
+  };
+}
+async function writeLocalSecret(storeRoot, ref, value, authOrPassphrase, vault = "default") {
+  const auth = typeof authOrPassphrase === "string" ? {
+    passphrase: authOrPassphrase,
+    method: "passphrase"
+  } : authOrPassphrase;
+  if (auth.passphrase) {
+    await ensureSecretVault(storeRoot, vault, auth.passphrase);
+  } else {
+    const meta2 = await readVaultMetadata(storeRoot, vault);
+    if (!meta2) {
+      throw new CnosAuthenticationError(`Vault "${vault}" requires passphrase-based authentication for initial creation.`);
+    }
+  }
+  const { meta, payload, key } = await loadVaultPayload(storeRoot, vault, auth);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const existing = payload.metadata[ref];
+  payload.secrets[ref] = value;
+  payload.metadata[ref] = {
+    createdAt: existing?.createdAt ?? now,
+    updatedAt: now
+  };
+  const nextMeta = {
+    ...meta,
+    secretCount: Object.keys(payload.secrets).length
+  };
+  await writeVaultFiles(storeRoot, vault, nextMeta, payload, key);
+  return buildKeystorePath(storeRoot, vault);
+}
+async function deleteLocalSecret(storeRoot, ref, auth, vault = "default") {
+  const { meta, payload, key } = await loadVaultPayload(storeRoot, vault, auth);
+  if (!(ref in payload.secrets)) {
+    return false;
+  }
+  delete payload.secrets[ref];
+  delete payload.metadata[ref];
+  const nextMeta = {
+    ...meta,
+    secretCount: Object.keys(payload.secrets).length
+  };
+  await writeVaultFiles(storeRoot, vault, nextMeta, payload, key);
+  return true;
+}
+async function readLocalSecret(storeRoot, ref, auth, vault = "default") {
+  const { payload } = await loadVaultPayload(storeRoot, vault, auth);
+  const value = payload.secrets[ref];
+  if (value === void 0) {
+    throw new CnosManifestError(`Missing local secret ref "${ref}" in vault "${vault}"`);
+  }
+  return value;
+}
+async function listLocalSecrets(storeRoot, auth, vault = "default") {
+  const { payload } = await loadVaultPayload(storeRoot, vault, auth);
+  return Object.keys(payload.secrets).sort((left, right) => left.localeCompare(right));
+}
+function resolveVaultDefinition(vaults, vault = "default") {
+  const definition = vaults?.[vault];
+  const provider = definition?.provider ?? "local";
+  return {
+    name: vault,
+    provider,
+    ...definition?.auth ? { auth: definition.auth } : {},
+    ...definition?.mapping ? { mapping: definition.mapping } : {},
+    requiresAuthentication: provider === "local"
+  };
+}
+
+// ../core/src/secrets/auditLog.ts
+async function appendAuditEvent(event, processEnv = process.env) {
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path8.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(auditFile), { recursive: true });
+  await (0, import_promises8.appendFile)(
+    auditFile,
+    `${JSON.stringify({
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      ...event
+    })}
+`,
+    "utf8"
+  );
+}
+
+// ../core/src/secrets/secretCache.ts
+var SecretCache = class {
+  cache = /* @__PURE__ */ new Map();
+  authenticated = /* @__PURE__ */ new Set();
+  load(vaultId, secrets) {
+    this.authenticated.add(vaultId);
+    for (const [ref, value] of secrets) {
+      this.cache.set(`${vaultId}:${ref}`, value);
+    }
+  }
+  isVaultAuthenticated(vaultId) {
+    return this.authenticated.has(vaultId);
+  }
+  get(vaultId, ref) {
+    return this.cache.get(`${vaultId}:${ref}`);
+  }
+  clear(vaultId) {
+    if (!vaultId) {
+      this.cache.clear();
+      this.authenticated.clear();
+      return;
+    }
+    this.authenticated.delete(vaultId);
+    for (const key of Array.from(this.cache.keys())) {
+      if (key.startsWith(`${vaultId}:`)) {
+        this.cache.delete(key);
+      }
+    }
+  }
+};
+
+// ../core/src/secrets/providers/github.ts
+var GithubSecretsVaultProvider = class {
+  constructor(vaultId, definition, processEnv = process.env) {
+    this.vaultId = vaultId;
+    this.definition = definition;
+    this.processEnv = processEnv;
+  }
+  vaultId;
+  definition;
+  processEnv;
+  authenticated = false;
+  async authenticate(_authConfig) {
+    void _authConfig;
+    this.authenticated = true;
+  }
+  isAuthenticated() {
+    return this.authenticated;
+  }
+  resolveEnvVar(ref) {
+    if (this.processEnv[ref] !== void 0) {
+      return ref;
+    }
+    return Object.entries(this.definition.mapping ?? {}).find(([, logicalRef]) => logicalRef === ref)?.[0];
+  }
+  async batchGet(refs) {
+    this.authenticated = true;
+    const resolved = /* @__PURE__ */ new Map();
+    for (const ref of Array.from(new Set(refs)).sort((left, right) => left.localeCompare(right))) {
+      const envVar = this.resolveEnvVar(ref);
+      const value = envVar ? this.processEnv[envVar] : void 0;
+      if (value !== void 0) {
+        resolved.set(ref, value);
+      }
+    }
+    return resolved;
+  }
+  async get(ref) {
+    const envVar = this.resolveEnvVar(ref);
+    this.authenticated = true;
+    return envVar ? this.processEnv[envVar] : void 0;
+  }
+  async set(ref, value) {
+    void ref;
+    void value;
+    throw new Error(`Vault "${this.vaultId}" is environment-backed and cannot be written by CNOS.`);
+  }
+  async delete(ref) {
+    void ref;
+    throw new Error(`Vault "${this.vaultId}" is environment-backed and cannot be mutated by CNOS.`);
+  }
+  async list() {
+    return Object.values(this.definition.mapping ?? {}).sort((left, right) => left.localeCompare(right));
+  }
+};
+
+// ../core/src/secrets/providers/local.ts
+var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
+  constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
+    this.vaultId = vaultId;
+    this.processEnv = processEnv;
+    this.storeRoot = storeRoot;
+    this.definition = definition;
+  }
+  vaultId;
+  processEnv;
+  storeRoot;
+  authConfig;
+  definition;
+  static fromVaults(vaults, vaultId, processEnv) {
+    const definition = resolveVaultDefinition(vaults, vaultId);
+    return new _LocalSecretVaultProvider(vaultId, definition, processEnv);
+  }
+  async authenticate(authConfig) {
+    this.authConfig = authConfig;
+    await this.list();
+  }
+  isAuthenticated() {
+    return Boolean(this.authConfig);
+  }
+  async requireAuth() {
+    if (this.authConfig) {
+      return this.authConfig;
+    }
+    const resolved = await resolveVaultAccessKey(this.storeRoot, this.definition, this.vaultId, this.processEnv);
+    if (!resolved) {
+      throw new CnosAuthenticationError(
+        `Cannot authenticate to vault "${this.vaultId}". Set the configured passphrase env var or run cnos vault auth ${this.vaultId}.`
+      );
+    }
+    this.authConfig = resolved;
+    return resolved;
+  }
+  async batchGet(refs) {
+    const auth = await this.requireAuth();
+    const entries = await Promise.all(
+      Array.from(new Set(refs)).sort((left, right) => left.localeCompare(right)).map(async (ref) => [ref, await readLocalSecret(this.storeRoot, ref, auth, this.vaultId)])
+    );
+    return new Map(entries);
+  }
+  async get(ref) {
+    const auth = await this.requireAuth();
+    try {
+      return await readLocalSecret(this.storeRoot, ref, auth, this.vaultId);
+    } catch {
+      return void 0;
+    }
+  }
+  async set(ref, value) {
+    const auth = await this.requireAuth();
+    await writeLocalSecret(this.storeRoot, ref, value, auth, this.vaultId);
+    await appendAuditEvent(
+      {
+        action: "write",
+        vault: this.vaultId,
+        ref,
+        caller: "cli"
+      },
+      this.processEnv
+    );
+  }
+  async delete(ref) {
+    const auth = await this.requireAuth();
+    await deleteLocalSecret(this.storeRoot, ref, auth, this.vaultId);
+    await appendAuditEvent(
+      {
+        action: "delete",
+        vault: this.vaultId,
+        ref,
+        caller: "cli"
+      },
+      this.processEnv
+    );
+  }
+  async list() {
+    const auth = this.authConfig ?? await resolveVaultAccessKey(this.storeRoot, this.definition, this.vaultId, this.processEnv);
+    if (!auth) {
+      throw new CnosAuthenticationError(
+        `Cannot authenticate to vault "${this.vaultId}". Set the configured passphrase env var or run cnos vault auth ${this.vaultId}.`
+      );
+    }
+    this.authConfig = auth;
+    return listLocalSecrets(this.storeRoot, auth, this.vaultId);
+  }
+};
+
+// ../core/src/secrets/providers/registry.ts
+function createSecretVaultProvider(vaultId, definition, processEnv) {
+  if (definition.provider === "local") {
+    return new LocalSecretVaultProvider(vaultId, definition, processEnv);
+  }
+  if (definition.provider === "github-secrets") {
+    return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
+  }
+  throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
+}
+
+// ../core/src/secrets/prompt.ts
+var import_node_readline = __toESM(require("readline"), 1);
+var import_node_stream = require("stream");
+async function promptHidden(message) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    return void 0;
+  }
+  const mutableStdout = new WritableMask();
+  const rl = import_node_readline.default.createInterface({
+    input: process.stdin,
+    output: mutableStdout,
+    terminal: true
+  });
+  try {
+    mutableStdout.muted = true;
+    const value = await new Promise((resolve) => {
+      rl.question(message, resolve);
+    });
+    process.stdout.write("\n");
+    return value;
+  } finally {
+    rl.close();
+  }
+}
+var WritableMask = class extends import_node_stream.Writable {
+  muted = false;
+  _write(chunk, _encoding, callback) {
+    if (!this.muted) {
+      process.stdout.write(chunk);
+    }
+    callback();
+  }
+};
+
+// ../core/src/secrets/resolveAuth.ts
+function toAuthError(vaultId, sources) {
+  return new CnosAuthenticationError(
+    `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
+  );
+}
+async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
+  const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
+  if (sessionKey) {
+    return {
+      derivedKey: sessionKey,
+      method: "keychain",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.provider === "github-secrets") {
+    return {
+      method: definition.auth?.method ?? "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
+  for (const source of sources) {
+    if (source.startsWith("env:")) {
+      const value = processEnv[source.slice(4)];
+      if (value) {
+        return {
+          passphrase: value,
+          method: "passphrase",
+          ...definition.auth?.config ? { config: definition.auth.config } : {}
+        };
+      }
+    }
+    if (source.startsWith("keychain:")) {
+      const value = await readKeychain(source.slice("keychain:".length));
+      if (value) {
+        return {
+          derivedKey: Buffer.from(value, "hex"),
+          method: "keychain",
+          ...definition.auth?.config ? { config: definition.auth.config } : {}
+        };
+      }
+    }
+    if (source === "prompt") {
+      const value = await promptHidden(`Enter passphrase for vault "${vaultId}": `);
+      if (value) {
+        return {
+          passphrase: value,
+          method: "passphrase",
+          ...definition.auth?.config ? { config: definition.auth.config } : {}
+        };
+      }
+    }
+  }
+  const fallback = resolveSecretPassphrase(vaultId, processEnv);
+  if (fallback) {
+    return {
+      passphrase: fallback,
+      method: "passphrase",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...sources]);
+}
+
+// ../core/src/secrets/batchResolve.ts
+function collectSecretDescriptors(graph) {
+  return Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => ({
+    logicalKey: entry.key,
+    ref: entry.value
+  }));
+}
+async function batchResolveSecrets(graph, manifest, processEnv = process.env) {
+  const cache = new SecretCache();
+  const descriptors = collectSecretDescriptors(graph);
+  const grouped = descriptors.reduce((accumulator, descriptor) => {
+    const vaultId = descriptor.ref.vault ?? "default";
+    const bucket = accumulator.get(vaultId) ?? [];
+    bucket.push(descriptor);
+    accumulator.set(vaultId, bucket);
+    return accumulator;
+  }, /* @__PURE__ */ new Map());
+  for (const [vaultId, refs] of grouped) {
+    const definition = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
+    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
+    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
+    await provider.authenticate(auth);
+    const resolved = await provider.batchGet(refs.map((entry) => entry.ref.ref));
+    cache.load(vaultId, resolved);
+    await appendAuditEvent(
+      {
+        action: "batch_read",
+        vault: vaultId,
+        refs: Array.from(resolved.keys()).sort((left, right) => left.localeCompare(right)),
+        caller: "runtime",
+        workspace: graph.workspace.workspaceId,
+        profile: graph.profile
+      },
+      processEnv
+    );
+  }
+  return cache;
+}
+function resolveSecretEntryValue(key, value, cache) {
+  if (!key.startsWith("secret.") || !isSecretReference(value)) {
+    return value;
+  }
+  const vaultId = value.vault ?? "default";
+  return cache.get(vaultId, value.ref) ?? value;
+}
+
+// ../core/src/runtime/projection.ts
+function setNestedValue(target, pathSegments, value) {
+  const [head, ...tail] = pathSegments;
+  if (!head) {
+    return;
+  }
+  if (tail.length === 0) {
+    target[head] = value;
+    return;
+  }
+  const current = target[head];
+  const nextTarget = current && typeof current === "object" && !Array.isArray(current) ? current : {};
+  target[head] = nextTarget;
+  setNestedValue(nextTarget, tail, value);
+}
+function toNamespaceObject(graph, namespace) {
+  const output = {};
+  const resolvedEntries = Array.from(graph.entries.values()).sort(
+    (left, right) => left.key.localeCompare(right.key)
+  );
+  for (const entry of resolvedEntries) {
+    if (namespace && entry.namespace !== namespace) {
+      continue;
+    }
+    const valuePath = namespace ? stripNamespace(entry.key) : entry.key;
+    setNestedValue(output, valuePath.split("."), entry.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/read.ts
+function readValue(graph, key) {
+  return graph.entries.get(key)?.value;
+}
+
+// ../core/src/runtime/readOr.ts
+function readOrValue(graph, key, fallback) {
+  const value = readValue(graph, key);
+  return value === void 0 ? fallback : value;
+}
+
+// ../core/src/runtime/require.ts
+function requireValue(graph, key) {
+  const value = readValue(graph, key);
+  if (value === void 0) {
+    throw new CnosKeyNotFoundError(key);
+  }
+  return value;
+}
+
+// ../core/src/runtime/toEnv.ts
+function normalizeEnvValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function toEnv(graph, manifest, options = {}) {
+  const includeSecrets = options.includeSecrets ?? true;
+  const output = {};
+  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
+    ([left], [right]) => left.localeCompare(right)
+  );
+  for (const [envVar, logicalKey] of mappedEntries) {
+    const entry = graph.entries.get(logicalKey);
+    if (!entry) {
+      continue;
+    }
+    const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
+    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
+      continue;
+    }
+    if (entry.namespace === "secret" && !includeSecrets) {
+      continue;
+    }
+    if (isSecretReference(entry.value)) {
+      continue;
+    }
+    output[envVar] = normalizeEnvValue(entry.value);
+  }
+  return output;
+}
+
+// ../core/src/runtime/toPublicEnv.ts
+function fallbackPublicEnvVar(valuePath) {
+  return valuePath.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
+}
+function normalizeEnvValue2(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function resolvePublicPrefix(manifest, options) {
+  if (options.prefix) {
+    return options.prefix;
+  }
+  if (!options.framework) {
+    return "";
+  }
+  const configuredPrefix = manifest.public.frameworks[options.framework];
+  if (!configuredPrefix) {
+    throw new CnosManifestError(`Unknown public framework prefix: ${options.framework}`);
+  }
+  return configuredPrefix;
+}
+function toPublicEnv(graph, manifest, options = {}) {
+  const prefix = resolvePublicPrefix(manifest, options);
+  const output = {};
+  const promotions = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").sort((left, right) => left.key.localeCompare(right.key));
+  for (const resolved of promotions) {
+    const baseEnvVar = fallbackPublicEnvVar(stripNamespace(resolved.key));
+    const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
+    output[envVar] = normalizeEnvValue2(resolved.value);
+  }
+  return output;
+}
+
+// ../core/src/orchestrator/runtime.ts
+function createRuntime(manifest, graph, plugins = [], secretCache) {
+  function readLogicalKey(key) {
+    const entry = graph.entries.get(key);
+    if (!entry) {
+      return void 0;
+    }
+    if (!secretCache) {
+      return entry.value;
+    }
+    return resolveSecretEntryValue(key, entry.value, secretCache);
+  }
+  return {
+    manifest,
+    plugins,
+    graph,
+    read(key) {
+      return readLogicalKey(key);
+    },
+    require(key) {
+      const value = readLogicalKey(key);
+      if (value === void 0) {
+        return requireValue(graph, key);
+      }
+      return value;
+    },
+    readOr(key, fallback) {
+      return readOrValue(graph, key, fallback);
+    },
+    value(path12) {
+      return readLogicalKey(toLogicalKey("value", path12));
+    },
+    secret(path12) {
+      return readLogicalKey(toLogicalKey("secret", path12));
+    },
+    meta(path12) {
+      return readLogicalKey(toLogicalKey("meta", path12));
+    },
+    inspect(key) {
+      return inspectValue(graph, key);
+    },
+    toObject() {
+      return toNamespaceObject(graph);
+    },
+    toNamespace(namespace) {
+      return toNamespaceObject(graph, namespace);
+    },
+    toEnv(options) {
+      return toEnv(graph, manifest, options);
+    },
+    toPublicEnv(options) {
+      return toPublicEnv(graph, manifest, options);
+    }
+  };
+}
+
+// ../core/src/orchestrator/createCnos.ts
+function buildMetaEntries(graph, cnosVersion) {
+  return [
+    {
+      key: "meta.profile",
+      value: graph.profile,
+      namespace: "meta",
+      sourceId: "profile-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.cnos.version",
+      value: cnosVersion ?? "0.0.0-dev",
+      namespace: "meta",
+      sourceId: "core",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.resolved.at",
+      value: graph.resolvedAt,
+      namespace: "meta",
+      sourceId: "core",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.resolved.from",
+      value: graph.profileSource,
+      namespace: "meta",
+      sourceId: "profile-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.workspace",
+      value: graph.workspace.workspaceId,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.workspace.source",
+      value: graph.workspace.workspaceSource,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.workspace.chain",
+      value: graph.workspace.workspaceChain,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.globalRoot",
+      value: graph.workspace.globalRoot ?? null,
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    },
+    {
+      key: "meta.global.enabled",
+      value: Boolean(graph.workspace.globalRoot),
+      namespace: "meta",
+      sourceId: "workspace-resolver",
+      pluginId: "core",
+      workspaceId: graph.workspace.workspaceId
+    }
+  ];
+}
+function appendMetaEntries(graph, cnosVersion) {
+  const nextEntries = new Map(graph.entries);
+  for (const entry of buildMetaEntries(graph, cnosVersion)) {
+    nextEntries.set(entry.key, {
+      key: entry.key,
+      value: entry.value,
+      namespace: entry.namespace,
+      winner: entry,
+      overridden: []
+    });
+  }
+  return {
+    ...graph,
+    entries: nextEntries
+  };
+}
+async function createCnos(options = {}) {
+  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  for (const key of loadedManifest.manifest.public.promote) {
+    ensureProjectionAllowed(loadedManifest.manifest, key, "public");
+  }
+  const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
+  const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
+    manifestRoot: loadedManifest.manifestRoot,
+    ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...options.workspace ? { workspace: options.workspace } : {},
+    ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {}
+  });
+  const activeProfile = resolveActiveProfile(loadedManifest.manifest, {
+    ...options.profile ? { profile: options.profile } : {},
+    ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {}
+  });
+  const profileChain = await expandProfileChain(activeProfile.profile, {
+    manifestRoot: loadedManifest.manifestRoot,
+    workspace
+  });
+  const plugins = options.plugins ?? [];
+  const loaderPlugins = plugins.filter((plugin) => plugin.kind === "loader");
+  const resolverPlugin = plugins.find((plugin) => plugin.kind === "resolver") ?? createProfileAwareResolver();
+  const entries = await runPipeline({
+    manifestRoot: loadedManifest.manifestRoot,
+    manifest: loadedManifest.manifest,
+    profile: activeProfile.profile,
+    profileChain: profileChain.profiles,
+    profileActivation: profileChain.activation,
+    workspace,
+    plugins: loaderPlugins,
+    ...options.cliArgs ? { cliArgs: options.cliArgs } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {}
+  });
+  const graph = await resolverPlugin.resolve(entries, {
+    manifest: loadedManifest.manifest,
+    profile: activeProfile.profile,
+    profileChain: profileChain.profiles,
+    precedenceOrder: loadedManifest.manifest.resolution.precedence,
+    workspace
+  });
+  const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
+  const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
+  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  return createRuntime(
+    loadedManifest.manifest,
+    appendMetaEntries({
+      ...promotedGraph,
+      profileSource: activeProfile.source
+    }, options.cnosVersion),
+    plugins,
+    secretCache
+  );
+}
+
+// ../core/src/runtime/dump.ts
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
+function buildDumpFiles(graph, options = {}) {
+  const basePath = options.flatten ? "" : import_node_path9.default.posix.join("workspaces", graph.workspace.workspaceId);
+  const values = toNamespaceObject(graph, "value");
+  const secrets = toNamespaceObject(graph, "secret");
+  const files = [];
+  if (Object.keys(values).length > 0) {
+    files.push({
+      path: import_node_path9.default.posix.join(basePath, "values", graph.profile, "app.yml"),
+      namespace: "value",
+      content: stringifyYaml(values)
+    });
+  }
+  if (Object.keys(secrets).length > 0) {
+    files.push({
+      path: import_node_path9.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      namespace: "secret",
+      content: stringifyYaml(secrets)
+    });
+  }
+  return files.sort((left, right) => left.path.localeCompare(right.path));
+}
+function planDump(graph, options = {}) {
+  return {
+    workspaceId: graph.workspace.workspaceId,
+    profile: graph.profile,
+    flatten: options.flatten ?? false,
+    files: buildDumpFiles(graph, options)
+  };
+}
+async function writeDump(graph, options) {
+  const root = import_node_path9.default.resolve(options.to);
+  const plan = planDump(graph, options);
+  for (const file of plan.files) {
+    const destination = import_node_path9.default.join(root, file.path);
+    await (0, import_promises9.mkdir)(import_node_path9.default.dirname(destination), { recursive: true });
+    await (0, import_promises9.writeFile)(destination, file.content, "utf8");
+  }
+  return {
+    ...plan,
+    root
+  };
+}
+
+// ../core/src/utils/envNaming.ts
+function normalizeMappingConfig(config = {}) {
+  return {
+    convention: config.convention,
+    explicit: config.explicit ?? {}
+  };
+}
+function fromScreamingSnake(path12) {
+  return path12.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+}
+function envVarToLogicalKey(envVar, config = {}) {
+  const normalized = normalizeMappingConfig(config);
+  const explicitMatch = normalized.explicit[envVar];
+  if (explicitMatch) {
+    return explicitMatch;
+  }
+  if (normalized.convention !== "SCREAMING_SNAKE") {
+    return void 0;
+  }
+  if (envVar.startsWith("SECRET_")) {
+    const stripped = envVar.slice("SECRET_".length);
+    if (!stripped) {
+      return void 0;
+    }
+    return `secret.${fromScreamingSnake(stripped)}`;
+  }
+  if (!/^[A-Z][A-Z0-9_]*$/.test(envVar)) {
+    return void 0;
+  }
+  return `value.${fromScreamingSnake(envVar)}`;
+}
+
+// package.json
+var package_default = {
+  name: "@kitsy/cnos",
+  version: "1.4.0",
+  description: "Batteries-included CNOS runtime package wired with the official plugins.",
+  type: "module",
+  main: "./dist/index.cjs",
+  module: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js",
+      require: "./dist/index.cjs"
+    },
+    "./configure": {
+      types: "./dist/configure/index.d.ts",
+      import: "./dist/configure/index.js",
+      require: "./dist/configure/index.cjs"
+    },
+    "./create": {
+      types: "./dist/configure/index.d.ts",
+      import: "./dist/configure/index.js",
+      require: "./dist/configure/index.cjs"
+    },
+    "./internal": {
+      types: "./dist/internal.d.ts",
+      import: "./dist/internal.js",
+      require: "./dist/internal.cjs"
+    },
+    "./runtime": {
+      types: "./dist/runtime/index.d.ts",
+      import: "./dist/runtime/index.js",
+      require: "./dist/runtime/index.cjs"
+    },
+    "./browser": {
+      types: "./dist/browser/index.d.ts",
+      import: "./dist/browser/index.js",
+      require: "./dist/browser/index.cjs"
+    },
+    "./build": {
+      types: "./dist/build/index.d.ts",
+      import: "./dist/build/index.js",
+      require: "./dist/build/index.cjs"
+    },
+    "./plugins/filesystem": {
+      types: "./dist/plugin/filesystem.d.ts",
+      import: "./dist/plugin/filesystem.js",
+      require: "./dist/plugin/filesystem.cjs"
+    },
+    "./plugins/dotenv": {
+      types: "./dist/plugin/dotenv.d.ts",
+      import: "./dist/plugin/dotenv.js",
+      require: "./dist/plugin/dotenv.cjs"
+    },
+    "./plugins/process-env": {
+      types: "./dist/plugin/process-env.d.ts",
+      import: "./dist/plugin/process-env.js",
+      require: "./dist/plugin/process-env.cjs"
+    },
+    "./plugins/cli-args": {
+      types: "./dist/plugin/cli-args.d.ts",
+      import: "./dist/plugin/cli-args.js",
+      require: "./dist/plugin/cli-args.cjs"
+    },
+    "./plugins/basic-schema": {
+      types: "./dist/plugin/basic-schema.d.ts",
+      import: "./dist/plugin/basic-schema.js",
+      require: "./dist/plugin/basic-schema.cjs"
+    },
+    "./plugins/env-export": {
+      types: "./dist/plugin/env-export.d.ts",
+      import: "./dist/plugin/env-export.js",
+      require: "./dist/plugin/env-export.cjs"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  license: "MIT",
+  repository: {
+    type: "git",
+    url: "https://github.com/kitsyai/cnos.git",
+    directory: "packages/cnos"
+  },
+  homepage: "https://github.com/kitsyai/cnos/tree/main/packages/cnos",
+  bugs: {
+    url: "https://github.com/kitsyai/cnos/issues"
+  },
+  keywords: [
+    "cnos",
+    "config",
+    "runtime"
+  ],
+  publishConfig: {
+    access: "public"
+  },
+  dependencies: {
+    yaml: "^2.8.3"
+  },
+  scripts: {
+    build: "rimraf dist && tsup --config tsup.config.ts",
+    clean: "rimraf dist",
+    dev: "tsup --config tsup.config.ts --watch",
+    lint: "eslint src test",
+    prepack: "pnpm build",
+    test: "vitest run",
+    typecheck: "tsc -p tsconfig.json --noEmit"
+  }
+};
+
+// ../../plugins/basic-schema/src/index.ts
+function createBasicSchemaPlugin() {
+  return {
+    id: "@kitsy/cnos/plugins/basic-schema",
+    kind: "validator",
+    async validate(graph, context) {
+      const result = applySchemaRules(graph, context.schema ?? {});
+      return {
+        pluginId: "@kitsy/cnos/plugins/basic-schema",
+        valid: result.issues.length === 0,
+        issues: result.issues
+      };
+    }
+  };
+}
+
+// ../../plugins/cli-args/src/index.ts
+var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";
+function isNamespaceName(value) {
+  return value === "value" || value === "secret";
+}
+function parseCliArgs(args) {
+  const parsed = [];
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (!arg?.startsWith("--")) {
+      continue;
+    }
+    if (arg === "--profile") {
+      index += 1;
+      continue;
+    }
+    if (arg.startsWith("--profile=")) {
+      continue;
+    }
+    const body = arg.slice(2);
+    const separatorIndex = body.indexOf("=");
+    if (separatorIndex >= 0) {
+      parsed.push({
+        key: body.slice(0, separatorIndex),
+        value: body.slice(separatorIndex + 1),
+        raw: arg
+      });
+      continue;
+    }
+    const nextValue = args[index + 1];
+    if (nextValue && !nextValue.startsWith("--")) {
+      parsed.push({
+        key: body,
+        value: nextValue,
+        raw: `${arg} ${nextValue}`
+      });
+      index += 1;
+    }
+  }
+  return parsed;
+}
+function cliArgEntriesFromArgs(args, workspaceId = "default") {
+  return parseCliArgs(args).flatMap(({ key, value, raw }) => {
+    const [candidateNamespace = "", ...pathSegments] = key.split(".");
+    if (!isNamespaceName(candidateNamespace) || pathSegments.length === 0) {
+      return [];
+    }
+    const namespace = candidateNamespace;
+    const logicalKey = `${namespace}.${joinConfigPath(pathSegments.join("."))}`;
+    return [
+      {
+        key: logicalKey,
+        value,
+        namespace,
+        sourceId: "cli-args",
+        pluginId: CLI_ARGS_PLUGIN_ID,
+        workspaceId,
+        origin: {
+          cliArg: raw
+        }
+      }
+    ];
+  });
+}
+function createCliArgsPlugin() {
+  return {
+    id: "cli-args",
+    kind: "loader",
+    async load(context) {
+      return cliArgEntriesFromArgs(context.cliArgs ?? [], context.workspace.workspaceId);
+    }
+  };
+}
+
+// ../../plugins/dotenv/src/index.ts
+var import_promises10 = require("fs/promises");
+var import_node_path10 = __toESM(require("path"), 1);
+var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
+function parseDoubleQuoted(value) {
+  return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+}
+function parseDotenv(document) {
+  const parsed = {};
+  for (const rawLine of document.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+    const withoutExport = line.startsWith("export ") ? line.slice("export ".length).trim() : line;
+    const separatorIndex = withoutExport.indexOf("=");
+    if (separatorIndex <= 0) {
+      continue;
+    }
+    const envVar = withoutExport.slice(0, separatorIndex).trim();
+    let value = withoutExport.slice(separatorIndex + 1).trim();
+    if (!envVar) {
+      continue;
+    }
+    if (value.startsWith('"') && value.endsWith('"')) {
+      value = parseDoubleQuoted(value.slice(1, -1));
+    } else if (value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    } else {
+      value = value.replace(/\s+#.*$/, "").trim();
+    }
+    parsed[envVar] = value;
+  }
+  return parsed;
+}
+function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId = "default") {
+  return Object.entries(values).flatMap(([envVar, value]) => {
+    const logicalKey = envVarToLogicalKey(envVar, mapping);
+    if (!logicalKey) {
+      return [];
+    }
+    return [
+      {
+        key: logicalKey,
+        value,
+        namespace: logicalKey.startsWith("secret.") ? "secret" : "value",
+        sourceId: "dotenv",
+        pluginId: DOTENV_PLUGIN_ID,
+        workspaceId,
+        origin: {
+          envVar,
+          ...originFile ? { file: originFile } : {}
+        }
+      }
+    ];
+  });
+}
+async function readIfPresent(filePath) {
+  try {
+    return await (0, import_promises10.readFile)(filePath, "utf8");
+  } catch {
+    return void 0;
+  }
+}
+function createDotenvPlugin() {
+  return {
+    id: "dotenv",
+    kind: "loader",
+    async load(context) {
+      const config = context.manifestConfig;
+      const rootTemplate = config.root ?? "./env";
+      const fileNames = context.profileActivation.envFiles;
+      const entries = [];
+      for (const workspaceRoot of context.workspace.workspaceRoots) {
+        const envRoot = resolveWorkspaceScopedPath(workspaceRoot.path, rootTemplate, {
+          workspace: workspaceRoot.workspaceId
+        });
+        for (const fileName of fileNames) {
+          const absolutePath = import_node_path10.default.join(envRoot, fileName);
+          const document = await readIfPresent(absolutePath);
+          if (!document) {
+            continue;
+          }
+          entries.push(
+            ...dotenvEntriesFromObject(
+              parseDotenv(document),
+              config.envMapping,
+              toPortablePath(import_node_path10.default.relative(import_node_path10.default.dirname(context.manifestRoot), absolutePath)),
+              workspaceRoot.workspaceId
+            )
+          );
+        }
+      }
+      return entries;
+    }
+  };
+}
+
+// ../../plugins/env-export/src/index.ts
+function createEnvExportPlugin() {
+  return {
+    id: "@kitsy/cnos/plugins/env-export",
+    kind: "exporter",
+    async export(graph, context) {
+      return {
+        pluginId: "@kitsy/cnos/plugins/env-export",
+        value: toEnv(graph, context.manifest)
+      };
+    }
+  };
+}
+function createPublicEnvExportPlugin() {
+  return {
+    id: "@kitsy/cnos/plugins/public-env-export",
+    kind: "exporter",
+    async export(graph, context) {
+      return {
+        pluginId: "@kitsy/cnos/plugins/public-env-export",
+        value: toPublicEnv(graph, context.manifest)
+      };
+    }
+  };
+}
+
+// ../../plugins/filesystem/src/filesystemSecretsReader.ts
+var import_promises12 = require("fs/promises");
+
+// ../../plugins/filesystem/src/helpers.ts
+var import_promises11 = require("fs/promises");
+var import_node_path11 = __toESM(require("path"), 1);
+var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
+var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
+async function existsDirectory(targetPath) {
+  try {
+    const stat2 = await (0, import_promises11.readdir)(targetPath);
+    void stat2;
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function collectYamlFiles(root) {
+  const entries = await (0, import_promises11.readdir)(root, { withFileTypes: true });
+  const results = [];
+  for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
+    const absolutePath = import_node_path11.default.join(root, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...await collectYamlFiles(absolutePath));
+      continue;
+    }
+    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path11.default.extname(entry.name).toLowerCase())) {
+      results.push(absolutePath);
+    }
+  }
+  return results;
+}
+async function collectFilesystemLayerFiles(manifestRoot, workspaceRoots, sourceRoot, activeLayers) {
+  const files = [];
+  const repoRoot = import_node_path11.default.dirname(manifestRoot);
+  for (const workspaceRoot of workspaceRoots) {
+    const resolvedRoot = import_node_path11.default.resolve(workspaceRoot.path, sourceRoot);
+    for (const layer of activeLayers) {
+      const layerRoot = import_node_path11.default.join(resolvedRoot, layer);
+      if (!await existsDirectory(layerRoot)) {
+        continue;
+      }
+      for (const absolutePath of await collectYamlFiles(layerRoot)) {
+        const relativePath = import_node_path11.default.relative(repoRoot, absolutePath);
+        files.push({
+          absolutePath,
+          relativePath: toPortablePath(relativePath.startsWith("..") ? absolutePath : relativePath),
+          workspaceId: workspaceRoot.workspaceId
+        });
+      }
+    }
+  }
+  return files;
+}
+function assertObjectDocument(value, filePath) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new CnosManifestError("Filesystem loader expected a YAML object document", filePath);
+  }
+  return value;
+}
+function flattenConfigObject(value, options = {}, prefix = "") {
+  return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
+    const nextKey = prefix ? `${prefix}.${key}` : key;
+    if (nestedValue && typeof nestedValue === "object" && !Array.isArray(nestedValue) && !options.stopAtLeaf?.(nestedValue)) {
+      Object.assign(
+        accumulator,
+        flattenConfigObject(nestedValue, options, nextKey)
+      );
+      return accumulator;
+    }
+    accumulator[nextKey] = nestedValue;
+    return accumulator;
+  }, {});
+}
+function yamlObjectToEntries(document, filePath, namespace, sourceId, workspaceId = "default") {
+  const parsed = assertObjectDocument(parseYaml(document), filePath);
+  const flattened = flattenConfigObject(parsed, {
+    ...namespace === "secret" ? {
+      stopAtLeaf: isSecretReference
+    } : {}
+  });
+  return Object.entries(flattened).map(([key, value]) => ({
+    key: `${namespace}.${key}`,
+    value,
+    namespace,
+    sourceId,
+    pluginId: FILESYSTEM_PLUGIN_ID,
+    workspaceId,
+    origin: {
+      file: filePath
+    }
+  }));
+}
+function toSecretReferenceMetadata(value) {
+  if (!isSecretReference(value)) {
+    return void 0;
+  }
+  return {
+    secretRef: value
+  };
+}
+
+// ../../plugins/filesystem/src/filesystemSecretsReader.ts
+function filesystemSecretsReader(filePath, document, workspaceId = "default") {
+  return yamlObjectToEntries(document, filePath, "secret", "filesystem-secrets", workspaceId);
+}
+function createFilesystemSecretsPlugin() {
+  return {
+    id: "filesystem-secrets",
+    kind: "loader",
+    async load(context) {
+      const sourceRoot = String(context.manifestConfig.root ?? "./");
+      const files = await collectFilesystemLayerFiles(
+        context.manifestRoot,
+        context.workspace.workspaceRoots,
+        sourceRoot,
+        context.profileActivation.secrets
+      );
+      const entries = [];
+      for (const file of files) {
+        const document = await (0, import_promises12.readFile)(file.absolutePath, "utf8");
+        const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
+        for (const entry of fileEntries) {
+          const metadata = toSecretReferenceMetadata(entry.value);
+          entries.push({
+            ...entry,
+            ...metadata ? { metadata } : {}
+          });
+        }
+      }
+      return entries;
+    }
+  };
+}
+
+// ../../plugins/filesystem/src/filesystemValuesReader.ts
+var import_promises13 = require("fs/promises");
+function filesystemValuesReader(filePath, document, workspaceId = "default") {
+  return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
+}
+function createFilesystemValuesPlugin() {
+  return {
+    id: "filesystem-values",
+    kind: "loader",
+    async load(context) {
+      const sourceRoot = String(context.manifestConfig.root ?? "./");
+      const files = await collectFilesystemLayerFiles(
+        context.manifestRoot,
+        context.workspace.workspaceRoots,
+        sourceRoot,
+        context.profileActivation.values
+      );
+      const customNamespaces = Object.entries(context.manifest.namespaces).filter(
+        ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
+      ).map(([namespace]) => namespace);
+      const entries = [];
+      for (const file of files) {
+        const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
+        entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
+      }
+      for (const namespace of customNamespaces) {
+        const layers = [
+          namespace,
+          ...context.profileChain.filter((profile) => profile !== "base").map((profile) => `profiles/${profile}/${namespace}`)
+        ];
+        const namespaceFiles = await collectFilesystemLayerFiles(
+          context.manifestRoot,
+          context.workspace.workspaceRoots,
+          sourceRoot,
+          layers
+        );
+        for (const file of namespaceFiles) {
+          const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
+          entries.push(...yamlObjectToEntries(document, file.relativePath, namespace, "filesystem-values", file.workspaceId));
+        }
+      }
+      return entries;
+    }
+  };
+}
+
+// ../../plugins/process-env/src/index.ts
+var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";
+var PROCESS_GRAPH_OMIT = /* @__PURE__ */ new Set([
+  "__CNOS_GRAPH__",
+  "__CNOS_SECRET_PAYLOAD__",
+  "__CNOS_SESSION_KEY__"
+]);
+function processEnvEntriesFromObject(env, mapping = {}, workspaceId = "default") {
+  return Object.entries(env).flatMap(([envVar, value]) => {
+    if (typeof value !== "string") {
+      return [];
+    }
+    const logicalKey = envVarToLogicalKey(envVar, mapping);
+    if (!logicalKey) {
+      return [];
+    }
+    return [
+      {
+        key: logicalKey,
+        value,
+        namespace: logicalKey.startsWith("secret.") ? "secret" : "value",
+        sourceId: "process-env",
+        pluginId: PROCESS_ENV_PLUGIN_ID,
+        workspaceId,
+        origin: {
+          envVar
+        }
+      }
+    ];
+  });
+}
+function processNamespaceEntriesFromContext(env, workspaceId = "default") {
+  const envEntries = Object.entries(env).filter((entry) => typeof entry[1] === "string").filter(([envVar]) => !PROCESS_GRAPH_OMIT.has(envVar)).map(([envVar, value]) => ({
+    key: `process.env.${envVar}`,
+    value,
+    namespace: "process",
+    sourceId: "process-runtime",
+    pluginId: PROCESS_ENV_PLUGIN_ID,
+    workspaceId,
+    origin: {
+      envVar
+    }
+  }));
+  const runtimeEntries = [
+    {
+      key: "process.cwd",
+      value: process.cwd(),
+      namespace: "process",
+      sourceId: "process-runtime",
+      pluginId: PROCESS_ENV_PLUGIN_ID,
+      workspaceId
+    },
+    {
+      key: "process.platform",
+      value: process.platform,
+      namespace: "process",
+      sourceId: "process-runtime",
+      pluginId: PROCESS_ENV_PLUGIN_ID,
+      workspaceId
+    },
+    {
+      key: "process.arch",
+      value: process.arch,
+      namespace: "process",
+      sourceId: "process-runtime",
+      pluginId: PROCESS_ENV_PLUGIN_ID,
+      workspaceId
+    },
+    {
+      key: "process.node.version",
+      value: process.version,
+      namespace: "process",
+      sourceId: "process-runtime",
+      pluginId: PROCESS_ENV_PLUGIN_ID,
+      workspaceId
+    },
+    {
+      key: "process.args.raw",
+      value: process.argv.slice(2),
+      namespace: "process",
+      sourceId: "process-runtime",
+      pluginId: PROCESS_ENV_PLUGIN_ID,
+      workspaceId
+    }
+  ];
+  return [...runtimeEntries, ...envEntries];
+}
+function createProcessEnvPlugin() {
+  return {
+    id: "process-env",
+    kind: "loader",
+    async load(context) {
+      const config = context.manifestConfig;
+      const env = context.processEnv ?? process.env;
+      return [
+        ...processEnvEntriesFromObject(
+          env,
+          config.envMapping,
+          context.workspace.workspaceId
+        ),
+        ...processNamespaceEntriesFromContext(env, context.workspace.workspaceId)
+      ];
+    }
+  };
+}
+
+// src/defaultPlugins.ts
+function defaultPlugins() {
+  return [
+    createFilesystemValuesPlugin(),
+    createFilesystemSecretsPlugin(),
+    createDotenvPlugin(),
+    createProcessEnvPlugin(),
+    createCliArgsPlugin(),
+    createBasicSchemaPlugin(),
+    createEnvExportPlugin(),
+    createPublicEnvExportPlugin(),
+    createProvenanceInspector()
+  ];
+}
+
+// src/runtime/state.ts
+var singletonRuntime;
+var singletonReady;
+var bootstrappedSecretHydrationRequired = false;
+function setSingletonRuntime(runtime) {
+  singletonRuntime = runtime;
+  singletonReady = Promise.resolve(runtime);
+  bootstrappedSecretHydrationRequired = false;
+  return runtime;
+}
+
+// src/createCnos.ts
+async function createCnos2(options = {}) {
+  const runtime = await createCnos({
+    ...options,
+    processEnv: options.processEnv ?? process.env,
+    cnosVersion: package_default.version,
+    plugins: [...defaultPlugins(), ...options.plugins ?? []]
+  });
+  setSingletonRuntime(runtime);
+  return runtime;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createCnos,
+  defaultPlugins,
+  planDump,
+  toEnv,
+  toPublicEnv,
+  writeDump
+});