npm - @kitsy/cnos - Versions diffs - 1.5.0 → 1.6.0 - Mend

@kitsy/cnos 1.5.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/dist/build/index.cjs +333 -117
package/dist/build/index.d.cts +3 -2
package/dist/build/index.d.ts +3 -2
package/dist/build/index.js +13 -8
package/dist/{chunk-HMM76UYZ.js → chunk-BMAD24KC.js} +1 -1
package/dist/{chunk-ZTPSFXWP.js → chunk-JYWQFMW5.js} +1 -1
package/dist/{chunk-FWJC4Y2D.js → chunk-MW4OVAT3.js} +1 -1
package/dist/chunk-QU5CXL47.js +577 -0
package/dist/{chunk-APIU4GTB.js → chunk-S7H2UULC.js} +315 -107
package/dist/{chunk-WCHX2QFY.js → chunk-UJBQS7CJ.js} +1 -1
package/dist/{chunk-RYGSG3GR.js → chunk-UOKVLCFL.js} +10 -10
package/dist/{chunk-T6Y57KTT.js → chunk-UR7CHHNN.js} +1 -1
package/dist/{chunk-J4K4JUJL.js → chunk-VGZREX5D.js} +1 -1
package/dist/{chunk-EQSKV3DP.js → chunk-XSUP7JKH.js} +23 -1
package/dist/configure/index.cjs +332 -122
package/dist/configure/index.d.cts +3 -3
package/dist/configure/index.d.ts +3 -3
package/dist/configure/index.js +8 -8
package/dist/{envNaming-Dvm_LP2D.d.ts → envNaming-B7Mztkcf.d.ts} +1 -1
package/dist/{envNaming-S4B-dHUx.d.cts → envNaming-gMVnPOfe.d.cts} +1 -1
package/dist/index.cjs +754 -143
package/dist/index.d.cts +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +10 -10
package/dist/internal.cjs +229 -103
package/dist/internal.d.cts +16 -28
package/dist/internal.d.ts +16 -28
package/dist/internal.js +11 -3
package/dist/plugin/basic-schema.cjs +22 -15
package/dist/plugin/basic-schema.d.cts +1 -1
package/dist/plugin/basic-schema.d.ts +1 -1
package/dist/plugin/basic-schema.js +2 -2
package/dist/plugin/cli-args.cjs +27 -18
package/dist/plugin/cli-args.d.cts +1 -1
package/dist/plugin/cli-args.d.ts +1 -1
package/dist/plugin/cli-args.js +2 -2
package/dist/plugin/dotenv.cjs +35 -26
package/dist/plugin/dotenv.d.cts +2 -2
package/dist/plugin/dotenv.d.ts +2 -2
package/dist/plugin/dotenv.js +2 -2
package/dist/plugin/env-export.cjs +34 -22
package/dist/plugin/env-export.d.cts +2 -2
package/dist/plugin/env-export.d.ts +2 -2
package/dist/plugin/env-export.js +2 -2
package/dist/plugin/filesystem.cjs +42 -33
package/dist/plugin/filesystem.d.cts +1 -1
package/dist/plugin/filesystem.d.ts +1 -1
package/dist/plugin/filesystem.js +2 -2
package/dist/plugin/process-env.cjs +24 -17
package/dist/plugin/process-env.d.cts +2 -2
package/dist/plugin/process-env.d.ts +2 -2
package/dist/plugin/process-env.js +2 -2
package/dist/{plugin-B4xwySxw.d.cts → plugin-CKrBlWGI.d.cts} +52 -3
package/dist/{plugin-B4xwySxw.d.ts → plugin-CKrBlWGI.d.ts} +52 -3
package/dist/runtime/index.cjs +752 -143
package/dist/runtime/index.d.cts +19 -1
package/dist/runtime/index.d.ts +19 -1
package/dist/runtime/index.js +10 -10
package/dist/{toPublicEnv-ggmphZFs.d.cts → toPublicEnv-CmBsy53P.d.cts} +1 -1
package/dist/{toPublicEnv-CvhGAfsB.d.ts → toPublicEnv-q6VwWxXZ.d.ts} +1 -1
package/package.json +1 -1
package/dist/chunk-TO76YYS4.js +0 -189

package/dist/{chunk-APIU4GTB.js → chunk-S7H2UULC.js} RENAMED Viewed

@@ -12,6 +12,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosDiscoveryError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosSecurityError = class extends CnosError {
   constructor(message) {
     super(message);
@@ -169,29 +174,105 @@ async function writeKeychain(entry, value) {
   throw new CnosAuthenticationError(`OS keychain is not supported on platform "${process.platform}".`);
 }
+// ../core/src/utils/yaml.ts
+import { parse, stringify } from "yaml";
+function parseYaml(source) {
+  return parse(source);
+}
+function stringifyYaml(value) {
+  return stringify(value);
+}
 // ../core/src/utils/path.ts
-import { access } from "fs/promises";
+import { access as access2 } from "fs/promises";
 import os from "os";
+import path2 from "path";
+// ../core/src/discovery/findCnosrc.ts
+import { access, readFile } from "fs/promises";
 import path from "path";
+async function exists(targetPath) {
+  try {
+    await access(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function validateCnosrc(value, filePath) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new CnosManifestError(".cnosrc.yml must be a YAML object", filePath);
+  }
+  const root = typeof value.root === "string" ? value.root.trim() : "";
+  const workspace = typeof value.workspace === "string" ? value.workspace.trim() : void 0;
+  if (!root) {
+    throw new CnosManifestError(".cnosrc.yml requires root", filePath);
+  }
+  return {
+    root,
+    ...workspace ? { workspace } : {}
+  };
+}
+async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
+  let current = path.resolve(startDir);
+  for (let depth = 0; depth <= maxLevels; depth += 1) {
+    const candidate = path.join(current, ".cnosrc.yml");
+    if (await exists(candidate)) {
+      return candidate;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+  return void 0;
+}
+async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3) {
+  const anchorPath = await findCnosrc(startDir, maxLevels);
+  if (!anchorPath) {
+    throw new CnosDiscoveryError(
+      "No .cnosrc.yml found. Run cnos init or create .cnosrc.yml in your package root."
+    );
+  }
+  const source = await readFile(anchorPath, "utf8");
+  const parsed = validateCnosrc(parseYaml(source), anchorPath);
+  const consumerRoot = path.dirname(anchorPath);
+  const manifestRoot = path.resolve(consumerRoot, parsed.root);
+  const manifestPath = path.join(manifestRoot, "cnos.yml");
+  if (!await exists(manifestPath)) {
+    throw new CnosDiscoveryError(
+      `.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`
+    );
+  }
+  return {
+    anchorPath,
+    consumerRoot,
+    manifestRoot,
+    ...parsed.workspace ? { workspace: parsed.workspace } : {}
+  };
+}
+// ../core/src/utils/path.ts
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
-async function exists(filePath) {
+async function exists2(filePath) {
   try {
-    await access(filePath);
+    await access2(filePath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveCnosRoot(root = process.cwd()) {
-  const basePath = path.resolve(root);
+  const basePath = path2.resolve(root);
   const candidates = [
-    path.join(basePath, PRIMARY_CNOS_DIR),
-    path.join(basePath, LEGACY_CNOS_DIR),
+    path2.join(basePath, PRIMARY_CNOS_DIR),
+    path2.join(basePath, LEGACY_CNOS_DIR),
     basePath
   ];
   for (const candidate of candidates) {
-    if (await exists(path.join(candidate, "cnos.yml"))) {
+    if (await exists2(path2.join(candidate, "cnos.yml"))) {
       return candidate;
     }
   }
@@ -199,8 +280,23 @@ async function resolveCnosRoot(root = process.cwd()) {
     `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
   );
 }
-async function resolveManifestRoot(root = process.cwd()) {
-  return resolveCnosRoot(root);
+async function resolveManifestRoot(options = {}) {
+  if (options.root) {
+    const manifestRoot = await resolveCnosRoot(options.root);
+    const resolvedRoot = path2.resolve(options.root);
+    const consumerRoot = path2.basename(manifestRoot) === PRIMARY_CNOS_DIR || path2.basename(manifestRoot) === LEGACY_CNOS_DIR ? path2.dirname(manifestRoot) : resolvedRoot;
+    return {
+      manifestRoot,
+      consumerRoot
+    };
+  }
+  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd());
+  return {
+    manifestRoot: discovered.manifestRoot,
+    consumerRoot: discovered.consumerRoot,
+    anchorPath: discovered.anchorPath,
+    ...discovered.workspace ? { workspace: discovered.workspace } : {}
+  };
 }
 function interpolatePathTemplate(template, tokens) {
   return Object.entries(tokens).reduce(
@@ -213,7 +309,7 @@ function expandHomePath(targetPath) {
     return os.homedir();
   }
   if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return path.join(os.homedir(), targetPath.slice(2));
+    return path2.join(os.homedir(), targetPath.slice(2));
   }
   return targetPath;
 }
@@ -231,19 +327,19 @@ function stripWorkspaceTemplatePrefix(template) {
 function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
   const relativeTemplate = stripWorkspaceTemplatePrefix(template);
   const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
-  return path.resolve(workspaceRoot, interpolated);
+  return path2.resolve(workspaceRoot, interpolated);
 }
 function resolveNamespaceDirectory(workspaceRoot, namespace, profile) {
   const rootFolder = namespace === "value" ? "values" : namespace === "secret" ? "secrets" : namespace;
   if (profile && profile !== "base") {
-    return path.resolve(workspaceRoot, "profiles", profile, rootFolder);
+    return path2.resolve(workspaceRoot, "profiles", profile, rootFolder);
   }
-  return path.resolve(workspaceRoot, rootFolder);
+  return path2.resolve(workspaceRoot, rootFolder);
 }
 function resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile) {
   const namespaceRoot = resolveNamespaceDirectory(workspaceRoot, namespace, profile);
   const fileName = `${configPath.split(".").shift() ?? "app"}.yml`;
-  return path.resolve(namespaceRoot, fileName);
+  return path2.resolve(namespaceRoot, fileName);
 }
 function toPortablePath(targetPath) {
   return targetPath.replace(/\\/g, "/");
@@ -258,18 +354,9 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
-// ../core/src/utils/yaml.ts
-import { parse, stringify } from "yaml";
-function parseYaml(source) {
-  return parse(source);
-}
-function stringifyYaml(value) {
-  return stringify(value);
-}
 // ../core/src/manifest/loadManifest.ts
-import { readFile } from "fs/promises";
-import path2 from "path";
+import { readFile as readFile2 } from "fs/promises";
+import path3 from "path";
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
@@ -286,7 +373,8 @@ var DEFAULT_INSPECTORS = ["provenance"];
 var DEFAULT_FRAMEWORK_PREFIXES = {
   next: "NEXT_PUBLIC_",
   vite: "VITE_",
-  nuxt: "NUXT_PUBLIC_"
+  nuxt: "NUXT_PUBLIC_",
+  webpack: ""
 };
 var DEFAULT_NAMESPACES = {
   value: {
@@ -539,11 +627,15 @@ function normalizeManifest(manifest) {
 // ../core/src/manifest/loadManifest.ts
 async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = path2.join(manifestRoot, "cnos.yml");
+  const resolved = await resolveManifestRoot({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
+  const manifestRoot = resolved.manifestRoot;
+  const manifestPath = path3.join(manifestRoot, "cnos.yml");
   let source;
   try {
-    source = await readFile(manifestPath, "utf8");
+    source = await readFile2(manifestPath, "utf8");
   } catch {
     throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
@@ -553,7 +645,10 @@ async function loadManifest(options = {}) {
   }
   return {
     manifestRoot,
-    repoRoot: path2.dirname(manifestRoot),
+    repoRoot: path3.dirname(manifestRoot),
+    consumerRoot: resolved.consumerRoot,
+    ...resolved.anchorPath ? { anchorPath: resolved.anchorPath } : {},
+    ...resolved.workspace ? { anchoredWorkspace: resolved.workspace } : {},
     manifestPath,
     manifest: normalizeManifest(rawManifest),
     rawManifest
@@ -609,17 +704,17 @@ function validateProjectionIssue(manifest, key, target) {
 }
 // ../core/src/secrets/sessionStore.ts
-import { mkdir, readFile as readFile2, readdir, rm, writeFile } from "fs/promises";
-import path3 from "path";
+import { mkdir, readFile as readFile3, readdir, rm, writeFile } from "fs/promises";
+import path4 from "path";
 function buildSessionRoot(processEnv = process.env) {
-  return path3.join(path3.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+  return path4.join(path4.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
 }
 function buildSessionPath(vault, processEnv) {
-  return path3.join(buildSessionRoot(processEnv), `${vault}.json`);
+  return path4.join(buildSessionRoot(processEnv), `${vault}.json`);
 }
 async function writeVaultSessionKey(vault, derivedKey, processEnv) {
   const filePath = buildSessionPath(vault, processEnv);
-  await mkdir(path3.dirname(filePath), { recursive: true });
+  await mkdir(path4.dirname(filePath), { recursive: true });
   const document = {
     version: 1,
     vault,
@@ -631,7 +726,7 @@ async function writeVaultSessionKey(vault, derivedKey, processEnv) {
 }
 async function readVaultSessionKey(vault, processEnv) {
   try {
-    const source = await readFile2(buildSessionPath(vault, processEnv), "utf8");
+    const source = await readFile3(buildSessionPath(vault, processEnv), "utf8");
     const document = JSON.parse(source);
     if (document.version !== 1 || typeof document.derivedKey !== "string") {
       return void 0;
@@ -649,15 +744,15 @@ async function clearAllVaultSessionKeys(processEnv) {
   const root = buildSessionRoot(processEnv);
   try {
     const entries = await readdir(root);
-    await Promise.all(entries.map((entry) => rm(path3.join(root, entry), { force: true })));
+    await Promise.all(entries.map((entry) => rm(path4.join(root, entry), { force: true })));
   } catch {
   }
 }
 // ../core/src/utils/secretStore.ts
 import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "crypto";
-import { mkdir as mkdir2, readdir as readdir2, readFile as readFile3, rm as rm2, stat, writeFile as writeFile2 } from "fs/promises";
-import path4 from "path";
+import { mkdir as mkdir2, readdir as readdir2, readFile as readFile4, rm as rm2, stat, writeFile as writeFile2 } from "fs/promises";
+import path5 from "path";
 var KEY_LENGTH = 32;
 var SALT_LENGTH = 32;
 var IV_LENGTH = 12;
@@ -674,7 +769,7 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return path4.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return path5.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function normalizeVaultToken(vault = "default") {
   return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -709,19 +804,19 @@ function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
   return pbkdf2Sync(passphrase, salt, iterations, KEY_LENGTH, "sha512");
 }
 function buildMetaPath(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", vault, META_FILENAME);
+  return path5.join(storeRoot, "vaults", vault, META_FILENAME);
 }
 function resolveSecretVaultFile(storeRoot, vault = "default") {
   return buildMetaPath(storeRoot, vault);
 }
 function buildKeystorePath(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+  return path5.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
 }
 function buildLegacyVaultFile(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", `${vault}.json`);
+  return path5.join(storeRoot, "vaults", `${vault}.json`);
 }
 function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", vault, "store");
+  return path5.join(storeRoot, "vaults", vault, "store");
 }
 function assertVaultMetadata(value, filePath) {
   if (!isObject(value)) {
@@ -732,7 +827,7 @@ function assertVaultMetadata(value, filePath) {
   }
   return value;
 }
-async function exists2(targetPath) {
+async function exists3(targetPath) {
   try {
     await stat(targetPath);
     return true;
@@ -743,10 +838,10 @@ async function exists2(targetPath) {
 async function detectLegacyVaultFormat(storeRoot, vault = "default") {
   const legacyFile = buildLegacyVaultFile(storeRoot, vault);
   const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
-  if (await exists2(legacyFile)) {
+  if (await exists3(legacyFile)) {
     return legacyFile;
   }
-  if (await exists2(legacyStore)) {
+  if (await exists3(legacyStore)) {
     return legacyStore;
   }
   return void 0;
@@ -818,7 +913,7 @@ function buildInitialPayload() {
 async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
   const metaPath = buildMetaPath(storeRoot, vault);
   const keystorePath = buildKeystorePath(storeRoot, vault);
-  await mkdir2(path4.dirname(metaPath), { recursive: true });
+  await mkdir2(path5.dirname(metaPath), { recursive: true });
   await writeFile2(metaPath, stringifyYaml(meta), "utf8");
   await writeFile2(keystorePath, encryptPayload(payload, key));
 }
@@ -826,7 +921,7 @@ async function readVaultMetadata(storeRoot, vault = "default") {
   await assertNoLegacyVaultFormat(storeRoot, vault);
   const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    const source = await readFile3(metaPath, "utf8");
+    const source = await readFile4(metaPath, "utf8");
     return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -836,11 +931,11 @@ async function readVaultMetadata(storeRoot, vault = "default") {
   }
 }
 async function listSecretVaults(storeRoot) {
-  const vaultRoot = path4.join(storeRoot, "vaults");
+  const vaultRoot = path5.join(storeRoot, "vaults");
   try {
     const entries = await readdir2(vaultRoot, { withFileTypes: true });
     const vaults = await Promise.all(
-      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists2(path4.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
+      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists3(path5.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
     );
     return vaults.filter((value) => Boolean(value)).sort((left, right) => left.localeCompare(right));
   } catch {
@@ -929,7 +1024,7 @@ async function loadVaultPayload(storeRoot, vault, auth) {
   if (!key) {
     throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
   }
-  const buffer = await readFile3(buildKeystorePath(storeRoot, vault));
+  const buffer = await readFile4(buildKeystorePath(storeRoot, vault));
   return {
     meta,
     payload: decryptPayload(buffer, key),
@@ -1002,7 +1097,7 @@ function resolveVaultDefinition(vaults, vault = "default") {
   };
 }
 async function removeLocalVaultFiles(storeRoot, vault = "default") {
-  await rm2(path4.join(storeRoot, "vaults", vault), { recursive: true, force: true });
+  await rm2(path5.join(storeRoot, "vaults", vault), { recursive: true, force: true });
 }
 // ../core/src/secrets/providers/github.ts
@@ -1062,10 +1157,10 @@ var GithubSecretsVaultProvider = class {
 // ../core/src/secrets/auditLog.ts
 import { appendFile, mkdir as mkdir3 } from "fs/promises";
-import path5 from "path";
+import path6 from "path";
 async function appendAuditEvent(event, processEnv = process.env) {
-  const auditFile = processEnv.CNOS_AUDIT_FILE ?? path5.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await mkdir3(path5.dirname(auditFile), { recursive: true });
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? path6.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await mkdir3(path6.dirname(auditFile), { recursive: true });
   await appendFile(
     auditFile,
     `${JSON.stringify({
@@ -1389,11 +1484,14 @@ function resolvePublicPrefix(manifest, options) {
   if (!options.framework) {
     return "";
   }
-  const configuredPrefix = manifest.public.frameworks[options.framework];
-  if (!configuredPrefix) {
+  const hasConfiguredPrefix = Object.prototype.hasOwnProperty.call(
+    manifest.public.frameworks,
+    options.framework
+  );
+  if (!hasConfiguredPrefix) {
     throw new CnosManifestError(`Unknown public framework prefix: ${options.framework}`);
   }
-  return configuredPrefix;
+  return manifest.public.frameworks[options.framework] ?? "";
 }
 function toPublicEnv(graph, manifest, options = {}) {
   const prefix = resolvePublicPrefix(manifest, options);
@@ -1409,22 +1507,22 @@ function toPublicEnv(graph, manifest, options = {}) {
 // ../core/src/runtime/dump.ts
 import { mkdir as mkdir4, writeFile as writeFile3 } from "fs/promises";
-import path6 from "path";
+import path7 from "path";
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : path6.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : path7.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: path6.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: path7.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: path6.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: path7.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -1440,11 +1538,11 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = path6.resolve(options.to);
+  const root = path7.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = path6.join(root, file.path);
-    await mkdir4(path6.dirname(destination), { recursive: true });
+    const destination = path7.join(root, file.path);
+    await mkdir4(path7.dirname(destination), { recursive: true });
     await writeFile3(destination, file.content, "utf8");
   }
   return {
@@ -1476,11 +1574,11 @@ function normalizeMappingConfig(config = {}) {
 function toScreamingSnakeSegment(segment) {
   return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
-function toScreamingSnake(path10) {
-  return path10.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+function toScreamingSnake(path11) {
+  return path11.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
 }
-function fromScreamingSnake(path10) {
-  return path10.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function fromScreamingSnake(path11) {
+  return path11.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
 function logicalKeyToEnvVar(key, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -1632,12 +1730,12 @@ function createProvenanceInspector() {
 }
 // ../core/src/manifest/loadWorkspaceFile.ts
-import { readFile as readFile4 } from "fs/promises";
-import path7 from "path";
+import { readFile as readFile5 } from "fs/promises";
+import path8 from "path";
 async function loadWorkspaceFile(repoRoot) {
-  const workspaceFilePath = path7.join(repoRoot, ".cnos-workspace.yml");
+  const workspaceFilePath = path8.join(repoRoot, ".cnos-workspace.yml");
   try {
-    const source = await readFile4(workspaceFilePath, "utf8");
+    const source = await readFile5(workspaceFilePath, "utf8");
     const parsed = parseYaml(source);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
@@ -1660,11 +1758,11 @@ async function loadWorkspaceFile(repoRoot) {
 }
 // ../core/src/profiles/expandProfileChain.ts
-import { access as access2, readFile as readFile5 } from "fs/promises";
-import path8 from "path";
+import { access as access3, readFile as readFile6 } from "fs/promises";
+import path9 from "path";
 async function fileExists(targetPath) {
   try {
-    await access2(targetPath);
+    await access3(targetPath);
     return true;
   } catch {
     return false;
@@ -1698,11 +1796,11 @@ async function loadProfileDefinition(profileName, options) {
     return normalizeProfileDefinition(profileName, void 0);
   }
   for (const workspaceRoot of [...workspaceRoots].reverse()) {
-    const profilePath = path8.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    const profilePath = path9.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
     if (!await fileExists(profilePath)) {
       continue;
     }
-    const document = await readFile5(profilePath, "utf8");
+    const document = await readFile6(profilePath, "utf8");
     const parsed = parseYaml(document);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
@@ -1710,7 +1808,7 @@ async function loadProfileDefinition(profileName, options) {
     const definition = normalizeProfileDefinition(
       profileName,
       parsed,
-      options.manifestRoot ? toPortablePath(path8.relative(path8.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+      options.manifestRoot ? toPortablePath(path9.relative(path9.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
     );
     if (definition.name !== profileName) {
       throw new CnosManifestError(
@@ -1956,8 +2054,8 @@ function createProfileAwareResolver() {
 }
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-import { access as access3 } from "fs/promises";
-import path9 from "path";
+import { access as access4 } from "fs/promises";
+import path10 from "path";
 // ../core/src/workspaces/expandWorkspaceChain.ts
 function expandWorkspaceChain(workspaceId, items) {
@@ -1994,31 +2092,31 @@ function expandWorkspaceChain(workspaceId, items) {
 }
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-async function exists3(targetPath) {
+async function exists4(targetPath) {
   try {
-    await access3(targetPath);
+    await access4(targetPath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
-  const workspaceRoot = path9.join(manifestRoot, "workspaces", workspaceId);
-  if (await exists3(workspaceRoot)) {
+  const workspaceRoot = path10.join(manifestRoot, "workspaces", workspaceId);
+  if (await exists4(workspaceRoot)) {
     return workspaceRoot;
   }
   const customDataNamespaceRoots = Object.entries(manifest.namespaces).filter(
     ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
   ).map(([namespace]) => namespace);
   const legacyMarkers = ["values", "secrets", "env", "profiles", ...customDataNamespaceRoots].map(
-    (segment) => path9.join(manifestRoot, segment)
+    (segment) => path10.join(manifestRoot, segment)
   );
-  if ((await Promise.all(legacyMarkers.map((marker) => exists3(marker)))).some(Boolean)) {
+  if ((await Promise.all(legacyMarkers.map((marker) => exists4(marker)))).some(Boolean)) {
     return manifestRoot;
   }
   return workspaceRoot;
 }
-function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
+function resolveWorkspaceSelection(manifest, workspaceFile, anchoredWorkspace, workspaceOption) {
   if (workspaceOption) {
     return {
       workspaceId: workspaceOption,
@@ -2031,6 +2129,12 @@ function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
       source: "workspace-file"
     };
   }
+  if (anchoredWorkspace) {
+    return {
+      workspaceId: anchoredWorkspace,
+      source: "anchor-file"
+    };
+  }
   if (manifest.workspaces.default) {
     return {
       workspaceId: manifest.workspaces.default,
@@ -2053,33 +2157,38 @@ function resolveGlobalRoot(manifest, workspaceFile, options) {
   }
   if (options.globalRoot) {
     return {
-      value: path9.resolve(expandHomePath(options.globalRoot)),
+      value: path10.resolve(expandHomePath(options.globalRoot)),
       source: "cli"
     };
   }
   if (workspaceFile?.globalRoot) {
     return {
-      value: path9.resolve(expandHomePath(workspaceFile.globalRoot)),
+      value: path10.resolve(expandHomePath(workspaceFile.globalRoot)),
       source: "workspace-file"
     };
   }
   if (manifest.workspaces.global.root) {
     return {
-      value: path9.resolve(expandHomePath(manifest.workspaces.global.root)),
+      value: path10.resolve(expandHomePath(manifest.workspaces.global.root)),
       source: "manifest"
     };
   }
   const cnosHome = options.processEnv?.CNOS_HOME;
   if (cnosHome) {
     return {
-      value: path9.resolve(expandHomePath(cnosHome)),
+      value: path10.resolve(expandHomePath(cnosHome)),
       source: "CNOS_HOME"
     };
   }
   return {};
 }
 async function resolveWorkspaceContext(manifest, options) {
-  const selectedWorkspace = resolveWorkspaceSelection(manifest, options.workspaceFile, options.workspace);
+  const selectedWorkspace = resolveWorkspaceSelection(
+    manifest,
+    options.workspaceFile,
+    options.anchoredWorkspace,
+    options.workspace
+  );
   const workspaceChain = expandWorkspaceChain(selectedWorkspace.workspaceId, manifest.workspaces.items);
   const globalRoot = resolveGlobalRoot(manifest, options.workspaceFile, options);
   const workspaceRoots = [];
@@ -2089,7 +2198,7 @@ async function resolveWorkspaceContext(manifest, options) {
       workspaceRoots.push({
         scope: "global",
         workspaceId: chainWorkspaceId,
-        path: path9.join(globalRoot.value, "workspaces", globalWorkspaceId)
+        path: path10.join(globalRoot.value, "workspaces", globalWorkspaceId)
       });
     }
   }
@@ -2357,8 +2466,92 @@ function resolveSecretEntryValue(key, value, cache) {
   return cache.get(vaultId, value.ref) ?? value;
 }
+// ../core/src/runtime/toServerProjection.ts
+import { createHash } from "crypto";
+function stableSortObject(value) {
+  return Object.fromEntries(Object.entries(value).sort(([left], [right]) => left.localeCompare(right)));
+}
+function stripValuePrefix(key) {
+  return key.startsWith("value.") ? key.slice("value.".length) : key;
+}
+function configHash(values) {
+  const serialized = JSON.stringify(stableSortObject(values));
+  return createHash("sha256").update(serialized).digest("hex");
+}
+function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
+  const values = {};
+  const secretRefs = {};
+  const namespaces = /* @__PURE__ */ new Set();
+  const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
+  for (const [key, entry] of graph.entries) {
+    if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      secretRefs[key.slice("secret.".length)] = {
+        provider: entry.value.provider,
+        vault: entry.value.vault ?? "default",
+        ref: entry.value.ref
+      };
+      continue;
+    }
+    if (entry.namespace === "value") {
+      values[stripValuePrefix(key)] = entry.value;
+      continue;
+    }
+    const namespaceDefinition = manifest.namespaces[entry.namespace];
+    if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+      values[key] = entry.value;
+      namespaces.add(entry.namespace);
+    }
+  }
+  return {
+    version: 1,
+    workspace: graph.workspace.workspaceId,
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    configHash: configHash(values),
+    values: stableSortObject(values),
+    secretRefs: stableSortObject(secretRefs),
+    publicKeys,
+    meta: {
+      workspace: graph.workspace.workspaceId,
+      profile: graph.profile,
+      cnos_version: cnosVersion,
+      ...namespaces.size > 0 ? { namespaces: Array.from(namespaces).sort((left, right) => left.localeCompare(right)) } : {}
+    }
+  };
+}
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache) {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+  async function refreshSecretEntry(key) {
+    const entry = graph.entries.get(key);
+    if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
+      return;
+    }
+    if (!secretCache) {
+      return;
+    }
+    const vaultId = entry.value.vault ?? "default";
+    const definition = manifest.vaults[vaultId] ?? {
+      provider: entry.value.provider,
+      auth: { passphrase: { from: [] } }
+    };
+    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
+    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
+    await provider.authenticate(auth);
+    const value = await provider.get(entry.value.ref);
+    if (value !== void 0) {
+      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    }
+  }
+  async function refreshAllSecrets() {
+    if (!secretCache) {
+      return;
+    }
+    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
+    for (const key of secretKeys) {
+      await refreshSecretEntry(key);
+    }
+  }
   function readLogicalKey(key) {
     const entry = graph.entries.get(key);
     if (!entry) {
@@ -2386,14 +2579,14 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     readOr(key, fallback) {
       return readOrValue(graph, key, fallback);
     },
-    value(path10) {
-      return readLogicalKey(toLogicalKey("value", path10));
+    value(path11) {
+      return readLogicalKey(toLogicalKey("value", path11));
     },
-    secret(path10) {
-      return readLogicalKey(toLogicalKey("secret", path10));
+    secret(path11) {
+      return readLogicalKey(toLogicalKey("secret", path11));
     },
-    meta(path10) {
-      return readLogicalKey(toLogicalKey("meta", path10));
+    meta(path11) {
+      return readLogicalKey(toLogicalKey("meta", path11));
     },
     inspect(key) {
       return inspectValue(graph, key);
@@ -2409,6 +2602,15 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     },
     toPublicEnv(options) {
       return toPublicEnv(graph, manifest, options);
+    },
+    toServerProjection() {
+      return toServerProjection(graph, manifest, cnosVersion);
+    },
+    async refreshSecrets() {
+      await refreshAllSecrets();
+    },
+    async refreshSecret(key) {
+      await refreshSecretEntry(key);
     }
   };
 }
@@ -2507,14 +2709,18 @@ function appendMetaEntries(graph, cnosVersion) {
   };
 }
 async function createCnos(options = {}) {
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const loadedManifest = await loadManifest({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
   for (const key of loadedManifest.manifest.public.promote) {
     ensureProjectionAllowed(loadedManifest.manifest, key, "public");
   }
-  const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
+  const workspaceFile = await loadWorkspaceFile(loadedManifest.consumerRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
     ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...loadedManifest.anchoredWorkspace ? { anchoredWorkspace: loadedManifest.anchoredWorkspace } : {},
     ...options.workspace ? { workspace: options.workspace } : {},
     ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
     ...options.processEnv ? { processEnv: options.processEnv } : {}
@@ -2559,7 +2765,9 @@ async function createCnos(options = {}) {
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins,
-    secretCache
+    secretCache,
+    options.processEnv,
+    options.cnosVersion
   );
 }
@@ -2571,14 +2779,14 @@ export {
   createProvenanceInspector,
   readKeychain,
   writeKeychain,
+  parseYaml,
+  stringifyYaml,
   resolveManifestRoot,
   resolveWorkspaceScopedPath,
   resolveConfigDocumentPath,
   toPortablePath,
   joinConfigPath,
   toLogicalKey,
-  parseYaml,
-  stringifyYaml,
   loadManifest,
   getNamespaceDefinition,
   ensureProjectionAllowed,