@kitsy/cnos 1.5.0 → 1.6.0

package/dist/configure/index.cjs

@@ -53,6 +53,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosDiscoveryError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosSecurityError = class extends CnosError {
   constructor(message) {
     super(message);
@@ -178,32 +183,110 @@ async function readKeychain(entry) {
 }
 
 // ../core/src/manifest/loadManifest.ts
+var import_promises3 = require("fs/promises");
+var import_node_path3 = __toESM(require("path"), 1);
+
+// ../core/src/utils/path.ts
 var import_promises2 = require("fs/promises");
+var import_node_os = __toESM(require("os"), 1);
 var import_node_path2 = __toESM(require("path"), 1);
 
-// ../core/src/utils/path.ts
+// ../core/src/discovery/findCnosrc.ts
 var import_promises = require("fs/promises");
-var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
+
+// ../core/src/utils/yaml.ts
+var import_yaml = require("yaml");
+function parseYaml(source) {
+  return (0, import_yaml.parse)(source);
+}
+function stringifyYaml(value) {
+  return (0, import_yaml.stringify)(value);
+}
+
+// ../core/src/discovery/findCnosrc.ts
+async function exists(targetPath) {
+  try {
+    await (0, import_promises.access)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function validateCnosrc(value, filePath) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new CnosManifestError(".cnosrc.yml must be a YAML object", filePath);
+  }
+  const root = typeof value.root === "string" ? value.root.trim() : "";
+  const workspace = typeof value.workspace === "string" ? value.workspace.trim() : void 0;
+  if (!root) {
+    throw new CnosManifestError(".cnosrc.yml requires root", filePath);
+  }
+  return {
+    root,
+    ...workspace ? { workspace } : {}
+  };
+}
+async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
+  let current = import_node_path.default.resolve(startDir);
+  for (let depth = 0; depth <= maxLevels; depth += 1) {
+    const candidate = import_node_path.default.join(current, ".cnosrc.yml");
+    if (await exists(candidate)) {
+      return candidate;
+    }
+    const parent = import_node_path.default.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+  return void 0;
+}
+async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3) {
+  const anchorPath = await findCnosrc(startDir, maxLevels);
+  if (!anchorPath) {
+    throw new CnosDiscoveryError(
+      "No .cnosrc.yml found. Run cnos init or create .cnosrc.yml in your package root."
+    );
+  }
+  const source = await (0, import_promises.readFile)(anchorPath, "utf8");
+  const parsed = validateCnosrc(parseYaml(source), anchorPath);
+  const consumerRoot = import_node_path.default.dirname(anchorPath);
+  const manifestRoot = import_node_path.default.resolve(consumerRoot, parsed.root);
+  const manifestPath = import_node_path.default.join(manifestRoot, "cnos.yml");
+  if (!await exists(manifestPath)) {
+    throw new CnosDiscoveryError(
+      `.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`
+    );
+  }
+  return {
+    anchorPath,
+    consumerRoot,
+    manifestRoot,
+    ...parsed.workspace ? { workspace: parsed.workspace } : {}
+  };
+}
+
+// ../core/src/utils/path.ts
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
-async function exists(filePath) {
+async function exists2(filePath) {
   try {
-    await (0, import_promises.access)(filePath);
+    await (0, import_promises2.access)(filePath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveCnosRoot(root = process.cwd()) {
-  const basePath = import_node_path.default.resolve(root);
+  const basePath = import_node_path2.default.resolve(root);
   const candidates = [
-    import_node_path.default.join(basePath, PRIMARY_CNOS_DIR),
-    import_node_path.default.join(basePath, LEGACY_CNOS_DIR),
+    import_node_path2.default.join(basePath, PRIMARY_CNOS_DIR),
+    import_node_path2.default.join(basePath, LEGACY_CNOS_DIR),
     basePath
   ];
   for (const candidate of candidates) {
-    if (await exists(import_node_path.default.join(candidate, "cnos.yml"))) {
+    if (await exists2(import_node_path2.default.join(candidate, "cnos.yml"))) {
       return candidate;
     }
   }
@@ -211,8 +294,23 @@ async function resolveCnosRoot(root = process.cwd()) {
     `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
   );
 }
-async function resolveManifestRoot(root = process.cwd()) {
-  return resolveCnosRoot(root);
+async function resolveManifestRoot(options = {}) {
+  if (options.root) {
+    const manifestRoot = await resolveCnosRoot(options.root);
+    const resolvedRoot = import_node_path2.default.resolve(options.root);
+    const consumerRoot = import_node_path2.default.basename(manifestRoot) === PRIMARY_CNOS_DIR || import_node_path2.default.basename(manifestRoot) === LEGACY_CNOS_DIR ? import_node_path2.default.dirname(manifestRoot) : resolvedRoot;
+    return {
+      manifestRoot,
+      consumerRoot
+    };
+  }
+  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd());
+  return {
+    manifestRoot: discovered.manifestRoot,
+    consumerRoot: discovered.consumerRoot,
+    anchorPath: discovered.anchorPath,
+    ...discovered.workspace ? { workspace: discovered.workspace } : {}
+  };
 }
 function interpolatePathTemplate(template, tokens) {
   return Object.entries(tokens).reduce(
@@ -225,7 +323,7 @@ function expandHomePath(targetPath) {
     return import_node_os.default.homedir();
   }
   if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return import_node_path.default.join(import_node_os.default.homedir(), targetPath.slice(2));
+    return import_node_path2.default.join(import_node_os.default.homedir(), targetPath.slice(2));
   }
   return targetPath;
 }
@@ -243,7 +341,7 @@ function stripWorkspaceTemplatePrefix(template) {
 function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
   const relativeTemplate = stripWorkspaceTemplatePrefix(template);
   const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
-  return import_node_path.default.resolve(workspaceRoot, interpolated);
+  return import_node_path2.default.resolve(workspaceRoot, interpolated);
 }
 function toPortablePath(targetPath) {
   return targetPath.replace(/\\/g, "/");
@@ -258,15 +356,6 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
-// ../core/src/utils/yaml.ts
-var import_yaml = require("yaml");
-function parseYaml(source) {
-  return (0, import_yaml.parse)(source);
-}
-function stringifyYaml(value) {
-  return (0, import_yaml.stringify)(value);
-}
-
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -282,7 +371,8 @@ var DEFAULT_INSPECTORS = ["provenance"];
 var DEFAULT_FRAMEWORK_PREFIXES = {
   next: "NEXT_PUBLIC_",
   vite: "VITE_",
-  nuxt: "NUXT_PUBLIC_"
+  nuxt: "NUXT_PUBLIC_",
+  webpack: ""
 };
 var DEFAULT_NAMESPACES = {
   value: {
@@ -535,11 +625,15 @@ function normalizeManifest(manifest) {
 
 // ../core/src/manifest/loadManifest.ts
 async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = import_node_path2.default.join(manifestRoot, "cnos.yml");
+  const resolved = await resolveManifestRoot({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
+  const manifestRoot = resolved.manifestRoot;
+  const manifestPath = import_node_path3.default.join(manifestRoot, "cnos.yml");
   let source;
   try {
-    source = await (0, import_promises2.readFile)(manifestPath, "utf8");
+    source = await (0, import_promises3.readFile)(manifestPath, "utf8");
   } catch {
     throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
@@ -549,7 +643,10 @@ async function loadManifest(options = {}) {
   }
   return {
     manifestRoot,
-    repoRoot: import_node_path2.default.dirname(manifestRoot),
+    repoRoot: import_node_path3.default.dirname(manifestRoot),
+    consumerRoot: resolved.consumerRoot,
+    ...resolved.anchorPath ? { anchorPath: resolved.anchorPath } : {},
+    ...resolved.workspace ? { anchoredWorkspace: resolved.workspace } : {},
     manifestPath,
     manifest: normalizeManifest(rawManifest),
     rawManifest
@@ -557,12 +654,12 @@ async function loadManifest(options = {}) {
 }
 
 // ../core/src/manifest/loadWorkspaceFile.ts
-var import_promises3 = require("fs/promises");
-var import_node_path3 = __toESM(require("path"), 1);
+var import_promises4 = require("fs/promises");
+var import_node_path4 = __toESM(require("path"), 1);
 async function loadWorkspaceFile(repoRoot) {
-  const workspaceFilePath = import_node_path3.default.join(repoRoot, ".cnos-workspace.yml");
+  const workspaceFilePath = import_node_path4.default.join(repoRoot, ".cnos-workspace.yml");
   try {
-    const source = await (0, import_promises3.readFile)(workspaceFilePath, "utf8");
+    const source = await (0, import_promises4.readFile)(workspaceFilePath, "utf8");
     const parsed = parseYaml(source);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
@@ -585,11 +682,11 @@ async function loadWorkspaceFile(repoRoot) {
 }
 
 // ../core/src/profiles/expandProfileChain.ts
-var import_promises4 = require("fs/promises");
-var import_node_path4 = __toESM(require("path"), 1);
+var import_promises5 = require("fs/promises");
+var import_node_path5 = __toESM(require("path"), 1);
 async function fileExists(targetPath) {
   try {
-    await (0, import_promises4.access)(targetPath);
+    await (0, import_promises5.access)(targetPath);
     return true;
   } catch {
     return false;
@@ -623,11 +720,11 @@ async function loadProfileDefinition(profileName, options) {
     return normalizeProfileDefinition(profileName, void 0);
   }
   for (const workspaceRoot of [...workspaceRoots].reverse()) {
-    const profilePath = import_node_path4.default.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    const profilePath = import_node_path5.default.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
     if (!await fileExists(profilePath)) {
       continue;
     }
-    const document = await (0, import_promises4.readFile)(profilePath, "utf8");
+    const document = await (0, import_promises5.readFile)(profilePath, "utf8");
     const parsed = parseYaml(document);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
@@ -635,7 +732,7 @@ async function loadProfileDefinition(profileName, options) {
     const definition = normalizeProfileDefinition(
       profileName,
       parsed,
-      options.manifestRoot ? toPortablePath(import_node_path4.default.relative(import_node_path4.default.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+      options.manifestRoot ? toPortablePath(import_node_path5.default.relative(import_node_path5.default.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
     );
     if (definition.name !== profileName) {
       throw new CnosManifestError(
@@ -917,8 +1014,8 @@ function createProfileAwareResolver() {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-var import_promises5 = require("fs/promises");
-var import_node_path5 = __toESM(require("path"), 1);
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
 
 // ../core/src/workspaces/expandWorkspaceChain.ts
 function expandWorkspaceChain(workspaceId, items) {
@@ -955,31 +1052,31 @@ function expandWorkspaceChain(workspaceId, items) {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-async function exists2(targetPath) {
+async function exists3(targetPath) {
   try {
-    await (0, import_promises5.access)(targetPath);
+    await (0, import_promises6.access)(targetPath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
-  const workspaceRoot = import_node_path5.default.join(manifestRoot, "workspaces", workspaceId);
-  if (await exists2(workspaceRoot)) {
+  const workspaceRoot = import_node_path6.default.join(manifestRoot, "workspaces", workspaceId);
+  if (await exists3(workspaceRoot)) {
     return workspaceRoot;
   }
   const customDataNamespaceRoots = Object.entries(manifest.namespaces).filter(
     ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
   ).map(([namespace]) => namespace);
   const legacyMarkers = ["values", "secrets", "env", "profiles", ...customDataNamespaceRoots].map(
-    (segment) => import_node_path5.default.join(manifestRoot, segment)
+    (segment) => import_node_path6.default.join(manifestRoot, segment)
   );
-  if ((await Promise.all(legacyMarkers.map((marker) => exists2(marker)))).some(Boolean)) {
+  if ((await Promise.all(legacyMarkers.map((marker) => exists3(marker)))).some(Boolean)) {
     return manifestRoot;
   }
   return workspaceRoot;
 }
-function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
+function resolveWorkspaceSelection(manifest, workspaceFile, anchoredWorkspace, workspaceOption) {
   if (workspaceOption) {
     return {
       workspaceId: workspaceOption,
@@ -992,6 +1089,12 @@ function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
       source: "workspace-file"
     };
   }
+  if (anchoredWorkspace) {
+    return {
+      workspaceId: anchoredWorkspace,
+      source: "anchor-file"
+    };
+  }
   if (manifest.workspaces.default) {
     return {
       workspaceId: manifest.workspaces.default,
@@ -1014,33 +1117,38 @@ function resolveGlobalRoot(manifest, workspaceFile, options) {
   }
   if (options.globalRoot) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(options.globalRoot)),
+      value: import_node_path6.default.resolve(expandHomePath(options.globalRoot)),
       source: "cli"
     };
   }
   if (workspaceFile?.globalRoot) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(workspaceFile.globalRoot)),
+      value: import_node_path6.default.resolve(expandHomePath(workspaceFile.globalRoot)),
       source: "workspace-file"
     };
   }
   if (manifest.workspaces.global.root) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(manifest.workspaces.global.root)),
+      value: import_node_path6.default.resolve(expandHomePath(manifest.workspaces.global.root)),
       source: "manifest"
     };
   }
   const cnosHome = options.processEnv?.CNOS_HOME;
   if (cnosHome) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(cnosHome)),
+      value: import_node_path6.default.resolve(expandHomePath(cnosHome)),
       source: "CNOS_HOME"
     };
   }
   return {};
 }
 async function resolveWorkspaceContext(manifest, options) {
-  const selectedWorkspace = resolveWorkspaceSelection(manifest, options.workspaceFile, options.workspace);
+  const selectedWorkspace = resolveWorkspaceSelection(
+    manifest,
+    options.workspaceFile,
+    options.anchoredWorkspace,
+    options.workspace
+  );
   const workspaceChain = expandWorkspaceChain(selectedWorkspace.workspaceId, manifest.workspaces.items);
   const globalRoot = resolveGlobalRoot(manifest, options.workspaceFile, options);
   const workspaceRoots = [];
@@ -1050,7 +1158,7 @@ async function resolveWorkspaceContext(manifest, options) {
       workspaceRoots.push({
         scope: "global",
         workspaceId: chainWorkspaceId,
-        path: import_node_path5.default.join(globalRoot.value, "workspaces", globalWorkspaceId)
+        path: import_node_path6.default.join(globalRoot.value, "workspaces", globalWorkspaceId)
       });
     }
   }
@@ -1242,26 +1350,26 @@ async function runPipeline(options) {
 }
 
 // ../core/src/secrets/auditLog.ts
-var import_promises8 = require("fs/promises");
-var import_node_path8 = __toESM(require("path"), 1);
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
 
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
 
 // ../core/src/secrets/sessionStore.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
 function buildSessionRoot(processEnv = process.env) {
-  return import_node_path6.default.join(import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+  return import_node_path7.default.join(import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
 }
 function buildSessionPath(vault, processEnv) {
-  return import_node_path6.default.join(buildSessionRoot(processEnv), `${vault}.json`);
+  return import_node_path7.default.join(buildSessionRoot(processEnv), `${vault}.json`);
 }
 async function readVaultSessionKey(vault, processEnv) {
   try {
-    const source = await (0, import_promises6.readFile)(buildSessionPath(vault, processEnv), "utf8");
+    const source = await (0, import_promises7.readFile)(buildSessionPath(vault, processEnv), "utf8");
     const document = JSON.parse(source);
     if (document.version !== 1 || typeof document.derivedKey !== "string") {
       return void 0;
@@ -1290,7 +1398,7 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return import_node_path8.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function normalizeVaultToken(vault = "default") {
   return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -1322,16 +1430,16 @@ function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
   return (0, import_node_crypto.pbkdf2Sync)(passphrase, salt, iterations, KEY_LENGTH, "sha512");
 }
 function buildMetaPath(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, META_FILENAME);
+  return import_node_path8.default.join(storeRoot, "vaults", vault, META_FILENAME);
 }
 function buildKeystorePath(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+  return import_node_path8.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
 }
 function buildLegacyVaultFile(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", `${vault}.json`);
+  return import_node_path8.default.join(storeRoot, "vaults", `${vault}.json`);
 }
 function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, "store");
+  return import_node_path8.default.join(storeRoot, "vaults", vault, "store");
 }
 function assertVaultMetadata(value, filePath) {
   if (!isObject(value)) {
@@ -1342,9 +1450,9 @@ function assertVaultMetadata(value, filePath) {
   }
   return value;
 }
-async function exists3(targetPath) {
+async function exists4(targetPath) {
   try {
-    await (0, import_promises7.stat)(targetPath);
+    await (0, import_promises8.stat)(targetPath);
     return true;
   } catch {
     return false;
@@ -1353,10 +1461,10 @@ async function exists3(targetPath) {
 async function detectLegacyVaultFormat(storeRoot, vault = "default") {
   const legacyFile = buildLegacyVaultFile(storeRoot, vault);
   const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
-  if (await exists3(legacyFile)) {
+  if (await exists4(legacyFile)) {
     return legacyFile;
   }
-  if (await exists3(legacyStore)) {
+  if (await exists4(legacyStore)) {
     return legacyStore;
   }
   return void 0;
@@ -1428,15 +1536,15 @@ function buildInitialPayload() {
 async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
   const metaPath = buildMetaPath(storeRoot, vault);
   const keystorePath = buildKeystorePath(storeRoot, vault);
-  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(metaPath), { recursive: true });
-  await (0, import_promises7.writeFile)(metaPath, stringifyYaml(meta), "utf8");
-  await (0, import_promises7.writeFile)(keystorePath, encryptPayload(payload, key));
+  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(metaPath), { recursive: true });
+  await (0, import_promises8.writeFile)(metaPath, stringifyYaml(meta), "utf8");
+  await (0, import_promises8.writeFile)(keystorePath, encryptPayload(payload, key));
 }
 async function readVaultMetadata(storeRoot, vault = "default") {
   await assertNoLegacyVaultFormat(storeRoot, vault);
   const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    const source = await (0, import_promises7.readFile)(metaPath, "utf8");
+    const source = await (0, import_promises8.readFile)(metaPath, "utf8");
     return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -1527,7 +1635,7 @@ async function loadVaultPayload(storeRoot, vault, auth) {
   if (!key) {
     throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
   }
-  const buffer = await (0, import_promises7.readFile)(buildKeystorePath(storeRoot, vault));
+  const buffer = await (0, import_promises8.readFile)(buildKeystorePath(storeRoot, vault));
   return {
     meta,
     payload: decryptPayload(buffer, key),
@@ -1602,9 +1710,9 @@ function resolveVaultDefinition(vaults, vault = "default") {
 
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
-  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path8.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises8.appendFile)(
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path9.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await (0, import_promises9.mkdir)(import_node_path9.default.dirname(auditFile), { recursive: true });
+  await (0, import_promises9.appendFile)(
     auditFile,
     `${JSON.stringify({
       ts: (/* @__PURE__ */ new Date()).toISOString(),
@@ -1997,6 +2105,60 @@ function requireValue(graph, key) {
   return value;
 }
 
+// ../core/src/runtime/toServerProjection.ts
+var import_node_crypto2 = require("crypto");
+function stableSortObject(value) {
+  return Object.fromEntries(Object.entries(value).sort(([left], [right]) => left.localeCompare(right)));
+}
+function stripValuePrefix(key) {
+  return key.startsWith("value.") ? key.slice("value.".length) : key;
+}
+function configHash(values) {
+  const serialized = JSON.stringify(stableSortObject(values));
+  return (0, import_node_crypto2.createHash)("sha256").update(serialized).digest("hex");
+}
+function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
+  const values = {};
+  const secretRefs = {};
+  const namespaces = /* @__PURE__ */ new Set();
+  const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
+  for (const [key, entry] of graph.entries) {
+    if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      secretRefs[key.slice("secret.".length)] = {
+        provider: entry.value.provider,
+        vault: entry.value.vault ?? "default",
+        ref: entry.value.ref
+      };
+      continue;
+    }
+    if (entry.namespace === "value") {
+      values[stripValuePrefix(key)] = entry.value;
+      continue;
+    }
+    const namespaceDefinition = manifest.namespaces[entry.namespace];
+    if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+      values[key] = entry.value;
+      namespaces.add(entry.namespace);
+    }
+  }
+  return {
+    version: 1,
+    workspace: graph.workspace.workspaceId,
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    configHash: configHash(values),
+    values: stableSortObject(values),
+    secretRefs: stableSortObject(secretRefs),
+    publicKeys,
+    meta: {
+      workspace: graph.workspace.workspaceId,
+      profile: graph.profile,
+      cnos_version: cnosVersion,
+      ...namespaces.size > 0 ? { namespaces: Array.from(namespaces).sort((left, right) => left.localeCompare(right)) } : {}
+    }
+  };
+}
+
 // ../core/src/runtime/toEnv.ts
 function normalizeEnvValue(value) {
   if (value === void 0 || value === null) {
@@ -2059,11 +2221,14 @@ function resolvePublicPrefix(manifest, options) {
   if (!options.framework) {
     return "";
   }
-  const configuredPrefix = manifest.public.frameworks[options.framework];
-  if (!configuredPrefix) {
+  const hasConfiguredPrefix = Object.prototype.hasOwnProperty.call(
+    manifest.public.frameworks,
+    options.framework
+  );
+  if (!hasConfiguredPrefix) {
     throw new CnosManifestError(`Unknown public framework prefix: ${options.framework}`);
   }
-  return configuredPrefix;
+  return manifest.public.frameworks[options.framework] ?? "";
 }
 function toPublicEnv(graph, manifest, options = {}) {
   const prefix = resolvePublicPrefix(manifest, options);
@@ -2078,7 +2243,37 @@ function toPublicEnv(graph, manifest, options = {}) {
 }
 
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache) {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+  async function refreshSecretEntry(key) {
+    const entry = graph.entries.get(key);
+    if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
+      return;
+    }
+    if (!secretCache) {
+      return;
+    }
+    const vaultId = entry.value.vault ?? "default";
+    const definition = manifest.vaults[vaultId] ?? {
+      provider: entry.value.provider,
+      auth: { passphrase: { from: [] } }
+    };
+    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
+    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
+    await provider.authenticate(auth);
+    const value = await provider.get(entry.value.ref);
+    if (value !== void 0) {
+      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    }
+  }
+  async function refreshAllSecrets() {
+    if (!secretCache) {
+      return;
+    }
+    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
+    for (const key of secretKeys) {
+      await refreshSecretEntry(key);
+    }
+  }
   function readLogicalKey(key) {
     const entry = graph.entries.get(key);
     if (!entry) {
@@ -2106,14 +2301,14 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     readOr(key, fallback) {
       return readOrValue(graph, key, fallback);
     },
-    value(path12) {
-      return readLogicalKey(toLogicalKey("value", path12));
+    value(path13) {
+      return readLogicalKey(toLogicalKey("value", path13));
     },
-    secret(path12) {
-      return readLogicalKey(toLogicalKey("secret", path12));
+    secret(path13) {
+      return readLogicalKey(toLogicalKey("secret", path13));
     },
-    meta(path12) {
-      return readLogicalKey(toLogicalKey("meta", path12));
+    meta(path13) {
+      return readLogicalKey(toLogicalKey("meta", path13));
     },
     inspect(key) {
       return inspectValue(graph, key);
@@ -2129,6 +2324,15 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     },
     toPublicEnv(options) {
       return toPublicEnv(graph, manifest, options);
+    },
+    toServerProjection() {
+      return toServerProjection(graph, manifest, cnosVersion);
+    },
+    async refreshSecrets() {
+      await refreshAllSecrets();
+    },
+    async refreshSecret(key) {
+      await refreshSecretEntry(key);
     }
   };
 }
@@ -2227,14 +2431,18 @@ function appendMetaEntries(graph, cnosVersion) {
   };
 }
 async function createCnos(options = {}) {
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const loadedManifest = await loadManifest({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
   for (const key of loadedManifest.manifest.public.promote) {
     ensureProjectionAllowed(loadedManifest.manifest, key, "public");
   }
-  const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
+  const workspaceFile = await loadWorkspaceFile(loadedManifest.consumerRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
     ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...loadedManifest.anchoredWorkspace ? { anchoredWorkspace: loadedManifest.anchoredWorkspace } : {},
     ...options.workspace ? { workspace: options.workspace } : {},
     ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
     ...options.processEnv ? { processEnv: options.processEnv } : {}
@@ -2279,28 +2487,30 @@ async function createCnos(options = {}) {
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins,
-    secretCache
+    secretCache,
+    options.processEnv,
+    options.cnosVersion
   );
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises9 = require("fs/promises");
-var import_node_path9 = __toESM(require("path"), 1);
+var import_promises10 = require("fs/promises");
+var import_node_path10 = __toESM(require("path"), 1);
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : import_node_path9.default.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : import_node_path10.default.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: import_node_path9.default.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: import_node_path10.default.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: import_node_path9.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: import_node_path10.default.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -2316,12 +2526,12 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = import_node_path9.default.resolve(options.to);
+  const root = import_node_path10.default.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = import_node_path9.default.join(root, file.path);
-    await (0, import_promises9.mkdir)(import_node_path9.default.dirname(destination), { recursive: true });
-    await (0, import_promises9.writeFile)(destination, file.content, "utf8");
+    const destination = import_node_path10.default.join(root, file.path);
+    await (0, import_promises10.mkdir)(import_node_path10.default.dirname(destination), { recursive: true });
+    await (0, import_promises10.writeFile)(destination, file.content, "utf8");
   }
   return {
     ...plan,
@@ -2336,8 +2546,8 @@ function normalizeMappingConfig(config = {}) {
     explicit: config.explicit ?? {}
   };
 }
-function fromScreamingSnake(path12) {
-  return path12.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function fromScreamingSnake(path13) {
+  return path13.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
 function envVarToLogicalKey(envVar, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -2364,7 +2574,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.5.0",
+  version: "1.6.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -2563,8 +2773,8 @@ function createCliArgsPlugin() {
 }
 
 // ../../plugins/dotenv/src/index.ts
-var import_promises10 = require("fs/promises");
-var import_node_path10 = __toESM(require("path"), 1);
+var import_promises11 = require("fs/promises");
+var import_node_path11 = __toESM(require("path"), 1);
 var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
@@ -2621,7 +2831,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises10.readFile)(filePath, "utf8");
+    return await (0, import_promises11.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }
@@ -2640,7 +2850,7 @@ function createDotenvPlugin() {
           workspace: workspaceRoot.workspaceId
         });
         for (const fileName of fileNames) {
-          const absolutePath = import_node_path10.default.join(envRoot, fileName);
+          const absolutePath = import_node_path11.default.join(envRoot, fileName);
           const document = await readIfPresent(absolutePath);
           if (!document) {
             continue;
@@ -2649,7 +2859,7 @@ function createDotenvPlugin() {
             ...dotenvEntriesFromObject(
               parseDotenv(document),
               config.envMapping,
-              toPortablePath(import_node_path10.default.relative(import_node_path10.default.dirname(context.manifestRoot), absolutePath)),
+              toPortablePath(import_node_path11.default.relative(import_node_path11.default.dirname(context.manifestRoot), absolutePath)),
               workspaceRoot.workspaceId
             )
           );
@@ -2687,16 +2897,16 @@ function createPublicEnvExportPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemSecretsReader.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 
 // ../../plugins/filesystem/src/helpers.ts
-var import_promises11 = require("fs/promises");
-var import_node_path11 = __toESM(require("path"), 1);
+var import_promises12 = require("fs/promises");
+var import_node_path12 = __toESM(require("path"), 1);
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
 async function existsDirectory(targetPath) {
   try {
-    const stat2 = await (0, import_promises11.readdir)(targetPath);
+    const stat2 = await (0, import_promises12.readdir)(targetPath);
     void stat2;
     return true;
   } catch {
@@ -2704,15 +2914,15 @@ async function existsDirectory(targetPath) {
   }
 }
 async function collectYamlFiles(root) {
-  const entries = await (0, import_promises11.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises12.readdir)(root, { withFileTypes: true });
   const results = [];
   for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
-    const absolutePath = import_node_path11.default.join(root, entry.name);
+    const absolutePath = import_node_path12.default.join(root, entry.name);
     if (entry.isDirectory()) {
       results.push(...await collectYamlFiles(absolutePath));
       continue;
     }
-    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path11.default.extname(entry.name).toLowerCase())) {
+    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path12.default.extname(entry.name).toLowerCase())) {
       results.push(absolutePath);
     }
   }
@@ -2720,16 +2930,16 @@ async function collectYamlFiles(root) {
 }
 async function collectFilesystemLayerFiles(manifestRoot, workspaceRoots, sourceRoot, activeLayers) {
   const files = [];
-  const repoRoot = import_node_path11.default.dirname(manifestRoot);
+  const repoRoot = import_node_path12.default.dirname(manifestRoot);
   for (const workspaceRoot of workspaceRoots) {
-    const resolvedRoot = import_node_path11.default.resolve(workspaceRoot.path, sourceRoot);
+    const resolvedRoot = import_node_path12.default.resolve(workspaceRoot.path, sourceRoot);
     for (const layer of activeLayers) {
-      const layerRoot = import_node_path11.default.join(resolvedRoot, layer);
+      const layerRoot = import_node_path12.default.join(resolvedRoot, layer);
       if (!await existsDirectory(layerRoot)) {
         continue;
       }
       for (const absolutePath of await collectYamlFiles(layerRoot)) {
-        const relativePath = import_node_path11.default.relative(repoRoot, absolutePath);
+        const relativePath = import_node_path12.default.relative(repoRoot, absolutePath);
         files.push({
           absolutePath,
           relativePath: toPortablePath(relativePath.startsWith("..") ? absolutePath : relativePath),
@@ -2806,7 +3016,7 @@ function createFilesystemSecretsPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises12.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
@@ -2822,7 +3032,7 @@ function createFilesystemSecretsPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemValuesReader.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 function filesystemValuesReader(filePath, document, workspaceId = "default") {
   return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
 }
@@ -2843,7 +3053,7 @@ function createFilesystemValuesPlugin() {
       ).map(([namespace]) => namespace);
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises14.readFile)(file.absolutePath, "utf8");
         entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
       }
       for (const namespace of customNamespaces) {
@@ -2858,7 +3068,7 @@ function createFilesystemValuesPlugin() {
           layers
         );
         for (const file of namespaceFiles) {
-          const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
+          const document = await (0, import_promises14.readFile)(file.absolutePath, "utf8");
           entries.push(...yamlObjectToEntries(document, file.relativePath, namespace, "filesystem-values", file.workspaceId));
         }
       }