@kitsy/cnos 1.5.1 → 1.6.0

package/dist/runtime/index.cjs

@@ -33,6 +33,8 @@ __export(runtime_exports, {
   default: () => runtime_default
 });
 module.exports = __toCommonJS(runtime_exports);
+var import_node_fs = require("fs");
+var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/errors.ts
 var CnosError = class extends Error {
@@ -48,6 +50,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosDiscoveryError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosSecurityError = class extends CnosError {
   constructor(message) {
     super(message);
@@ -173,32 +180,110 @@ async function readKeychain(entry) {
 }
 
 // ../core/src/manifest/loadManifest.ts
+var import_promises3 = require("fs/promises");
+var import_node_path3 = __toESM(require("path"), 1);
+
+// ../core/src/utils/path.ts
 var import_promises2 = require("fs/promises");
+var import_node_os = __toESM(require("os"), 1);
 var import_node_path2 = __toESM(require("path"), 1);
 
-// ../core/src/utils/path.ts
+// ../core/src/discovery/findCnosrc.ts
 var import_promises = require("fs/promises");
-var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
+
+// ../core/src/utils/yaml.ts
+var import_yaml = require("yaml");
+function parseYaml(source) {
+  return (0, import_yaml.parse)(source);
+}
+function stringifyYaml(value) {
+  return (0, import_yaml.stringify)(value);
+}
+
+// ../core/src/discovery/findCnosrc.ts
+async function exists(targetPath) {
+  try {
+    await (0, import_promises.access)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function validateCnosrc(value, filePath) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new CnosManifestError(".cnosrc.yml must be a YAML object", filePath);
+  }
+  const root = typeof value.root === "string" ? value.root.trim() : "";
+  const workspace = typeof value.workspace === "string" ? value.workspace.trim() : void 0;
+  if (!root) {
+    throw new CnosManifestError(".cnosrc.yml requires root", filePath);
+  }
+  return {
+    root,
+    ...workspace ? { workspace } : {}
+  };
+}
+async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
+  let current = import_node_path.default.resolve(startDir);
+  for (let depth = 0; depth <= maxLevels; depth += 1) {
+    const candidate = import_node_path.default.join(current, ".cnosrc.yml");
+    if (await exists(candidate)) {
+      return candidate;
+    }
+    const parent = import_node_path.default.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+  return void 0;
+}
+async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3) {
+  const anchorPath = await findCnosrc(startDir, maxLevels);
+  if (!anchorPath) {
+    throw new CnosDiscoveryError(
+      "No .cnosrc.yml found. Run cnos init or create .cnosrc.yml in your package root."
+    );
+  }
+  const source = await (0, import_promises.readFile)(anchorPath, "utf8");
+  const parsed = validateCnosrc(parseYaml(source), anchorPath);
+  const consumerRoot = import_node_path.default.dirname(anchorPath);
+  const manifestRoot = import_node_path.default.resolve(consumerRoot, parsed.root);
+  const manifestPath = import_node_path.default.join(manifestRoot, "cnos.yml");
+  if (!await exists(manifestPath)) {
+    throw new CnosDiscoveryError(
+      `.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`
+    );
+  }
+  return {
+    anchorPath,
+    consumerRoot,
+    manifestRoot,
+    ...parsed.workspace ? { workspace: parsed.workspace } : {}
+  };
+}
+
+// ../core/src/utils/path.ts
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
-async function exists(filePath) {
+async function exists2(filePath) {
   try {
-    await (0, import_promises.access)(filePath);
+    await (0, import_promises2.access)(filePath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveCnosRoot(root = process.cwd()) {
-  const basePath = import_node_path.default.resolve(root);
+  const basePath = import_node_path2.default.resolve(root);
   const candidates = [
-    import_node_path.default.join(basePath, PRIMARY_CNOS_DIR),
-    import_node_path.default.join(basePath, LEGACY_CNOS_DIR),
+    import_node_path2.default.join(basePath, PRIMARY_CNOS_DIR),
+    import_node_path2.default.join(basePath, LEGACY_CNOS_DIR),
     basePath
   ];
   for (const candidate of candidates) {
-    if (await exists(import_node_path.default.join(candidate, "cnos.yml"))) {
+    if (await exists2(import_node_path2.default.join(candidate, "cnos.yml"))) {
       return candidate;
     }
   }
@@ -206,8 +291,23 @@ async function resolveCnosRoot(root = process.cwd()) {
     `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
   );
 }
-async function resolveManifestRoot(root = process.cwd()) {
-  return resolveCnosRoot(root);
+async function resolveManifestRoot(options = {}) {
+  if (options.root) {
+    const manifestRoot = await resolveCnosRoot(options.root);
+    const resolvedRoot = import_node_path2.default.resolve(options.root);
+    const consumerRoot = import_node_path2.default.basename(manifestRoot) === PRIMARY_CNOS_DIR || import_node_path2.default.basename(manifestRoot) === LEGACY_CNOS_DIR ? import_node_path2.default.dirname(manifestRoot) : resolvedRoot;
+    return {
+      manifestRoot,
+      consumerRoot
+    };
+  }
+  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd());
+  return {
+    manifestRoot: discovered.manifestRoot,
+    consumerRoot: discovered.consumerRoot,
+    anchorPath: discovered.anchorPath,
+    ...discovered.workspace ? { workspace: discovered.workspace } : {}
+  };
 }
 function interpolatePathTemplate(template, tokens) {
   return Object.entries(tokens).reduce(
@@ -220,7 +320,7 @@ function expandHomePath(targetPath) {
     return import_node_os.default.homedir();
   }
   if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return import_node_path.default.join(import_node_os.default.homedir(), targetPath.slice(2));
+    return import_node_path2.default.join(import_node_os.default.homedir(), targetPath.slice(2));
   }
   return targetPath;
 }
@@ -238,7 +338,7 @@ function stripWorkspaceTemplatePrefix(template) {
 function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
   const relativeTemplate = stripWorkspaceTemplatePrefix(template);
   const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
-  return import_node_path.default.resolve(workspaceRoot, interpolated);
+  return import_node_path2.default.resolve(workspaceRoot, interpolated);
 }
 function toPortablePath(targetPath) {
   return targetPath.replace(/\\/g, "/");
@@ -253,15 +353,6 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
-// ../core/src/utils/yaml.ts
-var import_yaml = require("yaml");
-function parseYaml(source) {
-  return (0, import_yaml.parse)(source);
-}
-function stringifyYaml(value) {
-  return (0, import_yaml.stringify)(value);
-}
-
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -531,11 +622,15 @@ function normalizeManifest(manifest) {
 
 // ../core/src/manifest/loadManifest.ts
 async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = import_node_path2.default.join(manifestRoot, "cnos.yml");
+  const resolved = await resolveManifestRoot({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
+  const manifestRoot = resolved.manifestRoot;
+  const manifestPath = import_node_path3.default.join(manifestRoot, "cnos.yml");
   let source;
   try {
-    source = await (0, import_promises2.readFile)(manifestPath, "utf8");
+    source = await (0, import_promises3.readFile)(manifestPath, "utf8");
   } catch {
     throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
@@ -545,7 +640,10 @@ async function loadManifest(options = {}) {
   }
   return {
     manifestRoot,
-    repoRoot: import_node_path2.default.dirname(manifestRoot),
+    repoRoot: import_node_path3.default.dirname(manifestRoot),
+    consumerRoot: resolved.consumerRoot,
+    ...resolved.anchorPath ? { anchorPath: resolved.anchorPath } : {},
+    ...resolved.workspace ? { anchoredWorkspace: resolved.workspace } : {},
     manifestPath,
     manifest: normalizeManifest(rawManifest),
     rawManifest
@@ -553,12 +651,12 @@ async function loadManifest(options = {}) {
 }
 
 // ../core/src/manifest/loadWorkspaceFile.ts
-var import_promises3 = require("fs/promises");
-var import_node_path3 = __toESM(require("path"), 1);
+var import_promises4 = require("fs/promises");
+var import_node_path4 = __toESM(require("path"), 1);
 async function loadWorkspaceFile(repoRoot) {
-  const workspaceFilePath = import_node_path3.default.join(repoRoot, ".cnos-workspace.yml");
+  const workspaceFilePath = import_node_path4.default.join(repoRoot, ".cnos-workspace.yml");
   try {
-    const source = await (0, import_promises3.readFile)(workspaceFilePath, "utf8");
+    const source = await (0, import_promises4.readFile)(workspaceFilePath, "utf8");
     const parsed = parseYaml(source);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
@@ -581,11 +679,11 @@ async function loadWorkspaceFile(repoRoot) {
 }
 
 // ../core/src/profiles/expandProfileChain.ts
-var import_promises4 = require("fs/promises");
-var import_node_path4 = __toESM(require("path"), 1);
+var import_promises5 = require("fs/promises");
+var import_node_path5 = __toESM(require("path"), 1);
 async function fileExists(targetPath) {
   try {
-    await (0, import_promises4.access)(targetPath);
+    await (0, import_promises5.access)(targetPath);
     return true;
   } catch {
     return false;
@@ -619,11 +717,11 @@ async function loadProfileDefinition(profileName, options) {
     return normalizeProfileDefinition(profileName, void 0);
   }
   for (const workspaceRoot of [...workspaceRoots].reverse()) {
-    const profilePath = import_node_path4.default.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    const profilePath = import_node_path5.default.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
     if (!await fileExists(profilePath)) {
       continue;
     }
-    const document = await (0, import_promises4.readFile)(profilePath, "utf8");
+    const document = await (0, import_promises5.readFile)(profilePath, "utf8");
     const parsed = parseYaml(document);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
@@ -631,7 +729,7 @@ async function loadProfileDefinition(profileName, options) {
     const definition = normalizeProfileDefinition(
       profileName,
       parsed,
-      options.manifestRoot ? toPortablePath(import_node_path4.default.relative(import_node_path4.default.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+      options.manifestRoot ? toPortablePath(import_node_path5.default.relative(import_node_path5.default.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
     );
     if (definition.name !== profileName) {
       throw new CnosManifestError(
@@ -913,8 +1011,8 @@ function createProfileAwareResolver() {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-var import_promises5 = require("fs/promises");
-var import_node_path5 = __toESM(require("path"), 1);
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
 
 // ../core/src/workspaces/expandWorkspaceChain.ts
 function expandWorkspaceChain(workspaceId, items) {
@@ -951,31 +1049,31 @@ function expandWorkspaceChain(workspaceId, items) {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-async function exists2(targetPath) {
+async function exists3(targetPath) {
   try {
-    await (0, import_promises5.access)(targetPath);
+    await (0, import_promises6.access)(targetPath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
-  const workspaceRoot = import_node_path5.default.join(manifestRoot, "workspaces", workspaceId);
-  if (await exists2(workspaceRoot)) {
+  const workspaceRoot = import_node_path6.default.join(manifestRoot, "workspaces", workspaceId);
+  if (await exists3(workspaceRoot)) {
     return workspaceRoot;
   }
   const customDataNamespaceRoots = Object.entries(manifest.namespaces).filter(
     ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
   ).map(([namespace]) => namespace);
   const legacyMarkers = ["values", "secrets", "env", "profiles", ...customDataNamespaceRoots].map(
-    (segment) => import_node_path5.default.join(manifestRoot, segment)
+    (segment) => import_node_path6.default.join(manifestRoot, segment)
   );
-  if ((await Promise.all(legacyMarkers.map((marker) => exists2(marker)))).some(Boolean)) {
+  if ((await Promise.all(legacyMarkers.map((marker) => exists3(marker)))).some(Boolean)) {
     return manifestRoot;
   }
   return workspaceRoot;
 }
-function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
+function resolveWorkspaceSelection(manifest, workspaceFile, anchoredWorkspace, workspaceOption) {
   if (workspaceOption) {
     return {
       workspaceId: workspaceOption,
@@ -988,6 +1086,12 @@ function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
       source: "workspace-file"
     };
   }
+  if (anchoredWorkspace) {
+    return {
+      workspaceId: anchoredWorkspace,
+      source: "anchor-file"
+    };
+  }
   if (manifest.workspaces.default) {
     return {
       workspaceId: manifest.workspaces.default,
@@ -1010,33 +1114,38 @@ function resolveGlobalRoot(manifest, workspaceFile, options) {
   }
   if (options.globalRoot) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(options.globalRoot)),
+      value: import_node_path6.default.resolve(expandHomePath(options.globalRoot)),
       source: "cli"
     };
   }
   if (workspaceFile?.globalRoot) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(workspaceFile.globalRoot)),
+      value: import_node_path6.default.resolve(expandHomePath(workspaceFile.globalRoot)),
       source: "workspace-file"
     };
   }
   if (manifest.workspaces.global.root) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(manifest.workspaces.global.root)),
+      value: import_node_path6.default.resolve(expandHomePath(manifest.workspaces.global.root)),
       source: "manifest"
     };
   }
   const cnosHome = options.processEnv?.CNOS_HOME;
   if (cnosHome) {
     return {
-      value: import_node_path5.default.resolve(expandHomePath(cnosHome)),
+      value: import_node_path6.default.resolve(expandHomePath(cnosHome)),
       source: "CNOS_HOME"
     };
   }
   return {};
 }
 async function resolveWorkspaceContext(manifest, options) {
-  const selectedWorkspace = resolveWorkspaceSelection(manifest, options.workspaceFile, options.workspace);
+  const selectedWorkspace = resolveWorkspaceSelection(
+    manifest,
+    options.workspaceFile,
+    options.anchoredWorkspace,
+    options.workspace
+  );
   const workspaceChain = expandWorkspaceChain(selectedWorkspace.workspaceId, manifest.workspaces.items);
   const globalRoot = resolveGlobalRoot(manifest, options.workspaceFile, options);
   const workspaceRoots = [];
@@ -1046,7 +1155,7 @@ async function resolveWorkspaceContext(manifest, options) {
       workspaceRoots.push({
         scope: "global",
         workspaceId: chainWorkspaceId,
-        path: import_node_path5.default.join(globalRoot.value, "workspaces", globalWorkspaceId)
+        path: import_node_path6.default.join(globalRoot.value, "workspaces", globalWorkspaceId)
       });
     }
   }
@@ -1238,26 +1347,26 @@ async function runPipeline(options) {
 }
 
 // ../core/src/secrets/auditLog.ts
-var import_promises8 = require("fs/promises");
-var import_node_path8 = __toESM(require("path"), 1);
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
 
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
 
 // ../core/src/secrets/sessionStore.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
 function buildSessionRoot(processEnv = process.env) {
-  return import_node_path6.default.join(import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+  return import_node_path7.default.join(import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
 }
 function buildSessionPath(vault, processEnv) {
-  return import_node_path6.default.join(buildSessionRoot(processEnv), `${vault}.json`);
+  return import_node_path7.default.join(buildSessionRoot(processEnv), `${vault}.json`);
 }
 async function readVaultSessionKey(vault, processEnv) {
   try {
-    const source = await (0, import_promises6.readFile)(buildSessionPath(vault, processEnv), "utf8");
+    const source = await (0, import_promises7.readFile)(buildSessionPath(vault, processEnv), "utf8");
     const document = JSON.parse(source);
     if (document.version !== 1 || typeof document.derivedKey !== "string") {
       return void 0;
@@ -1286,7 +1395,7 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return import_node_path8.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function normalizeVaultToken(vault = "default") {
   return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -1318,16 +1427,16 @@ function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
   return (0, import_node_crypto.pbkdf2Sync)(passphrase, salt, iterations, KEY_LENGTH, "sha512");
 }
 function buildMetaPath(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, META_FILENAME);
+  return import_node_path8.default.join(storeRoot, "vaults", vault, META_FILENAME);
 }
 function buildKeystorePath(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+  return import_node_path8.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
 }
 function buildLegacyVaultFile(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", `${vault}.json`);
+  return import_node_path8.default.join(storeRoot, "vaults", `${vault}.json`);
 }
 function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, "store");
+  return import_node_path8.default.join(storeRoot, "vaults", vault, "store");
 }
 function assertVaultMetadata(value, filePath) {
   if (!isObject(value)) {
@@ -1338,9 +1447,9 @@ function assertVaultMetadata(value, filePath) {
   }
   return value;
 }
-async function exists3(targetPath) {
+async function exists4(targetPath) {
   try {
-    await (0, import_promises7.stat)(targetPath);
+    await (0, import_promises8.stat)(targetPath);
     return true;
   } catch {
     return false;
@@ -1349,10 +1458,10 @@ async function exists3(targetPath) {
 async function detectLegacyVaultFormat(storeRoot, vault = "default") {
   const legacyFile = buildLegacyVaultFile(storeRoot, vault);
   const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
-  if (await exists3(legacyFile)) {
+  if (await exists4(legacyFile)) {
     return legacyFile;
   }
-  if (await exists3(legacyStore)) {
+  if (await exists4(legacyStore)) {
     return legacyStore;
   }
   return void 0;
@@ -1424,15 +1533,15 @@ function buildInitialPayload() {
 async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
   const metaPath = buildMetaPath(storeRoot, vault);
   const keystorePath = buildKeystorePath(storeRoot, vault);
-  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(metaPath), { recursive: true });
-  await (0, import_promises7.writeFile)(metaPath, stringifyYaml(meta), "utf8");
-  await (0, import_promises7.writeFile)(keystorePath, encryptPayload(payload, key));
+  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(metaPath), { recursive: true });
+  await (0, import_promises8.writeFile)(metaPath, stringifyYaml(meta), "utf8");
+  await (0, import_promises8.writeFile)(keystorePath, encryptPayload(payload, key));
 }
 async function readVaultMetadata(storeRoot, vault = "default") {
   await assertNoLegacyVaultFormat(storeRoot, vault);
   const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    const source = await (0, import_promises7.readFile)(metaPath, "utf8");
+    const source = await (0, import_promises8.readFile)(metaPath, "utf8");
     return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -1523,7 +1632,7 @@ async function loadVaultPayload(storeRoot, vault, auth) {
   if (!key) {
     throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
   }
-  const buffer = await (0, import_promises7.readFile)(buildKeystorePath(storeRoot, vault));
+  const buffer = await (0, import_promises8.readFile)(buildKeystorePath(storeRoot, vault));
   return {
     meta,
     payload: decryptPayload(buffer, key),
@@ -1598,9 +1707,9 @@ function resolveVaultDefinition(vaults, vault = "default") {
 
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
-  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path8.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises8.appendFile)(
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path9.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await (0, import_promises9.mkdir)(import_node_path9.default.dirname(auditFile), { recursive: true });
+  await (0, import_promises9.appendFile)(
     auditFile,
     `${JSON.stringify({
       ts: (/* @__PURE__ */ new Date()).toISOString(),
@@ -1993,6 +2102,60 @@ function requireValue(graph, key) {
   return value;
 }
 
+// ../core/src/runtime/toServerProjection.ts
+var import_node_crypto2 = require("crypto");
+function stableSortObject(value) {
+  return Object.fromEntries(Object.entries(value).sort(([left], [right]) => left.localeCompare(right)));
+}
+function stripValuePrefix(key) {
+  return key.startsWith("value.") ? key.slice("value.".length) : key;
+}
+function configHash(values) {
+  const serialized = JSON.stringify(stableSortObject(values));
+  return (0, import_node_crypto2.createHash)("sha256").update(serialized).digest("hex");
+}
+function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
+  const values = {};
+  const secretRefs = {};
+  const namespaces = /* @__PURE__ */ new Set();
+  const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
+  for (const [key, entry] of graph.entries) {
+    if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      secretRefs[key.slice("secret.".length)] = {
+        provider: entry.value.provider,
+        vault: entry.value.vault ?? "default",
+        ref: entry.value.ref
+      };
+      continue;
+    }
+    if (entry.namespace === "value") {
+      values[stripValuePrefix(key)] = entry.value;
+      continue;
+    }
+    const namespaceDefinition = manifest.namespaces[entry.namespace];
+    if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+      values[key] = entry.value;
+      namespaces.add(entry.namespace);
+    }
+  }
+  return {
+    version: 1,
+    workspace: graph.workspace.workspaceId,
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    configHash: configHash(values),
+    values: stableSortObject(values),
+    secretRefs: stableSortObject(secretRefs),
+    publicKeys,
+    meta: {
+      workspace: graph.workspace.workspaceId,
+      profile: graph.profile,
+      cnos_version: cnosVersion,
+      ...namespaces.size > 0 ? { namespaces: Array.from(namespaces).sort((left, right) => left.localeCompare(right)) } : {}
+    }
+  };
+}
+
 // ../core/src/runtime/toEnv.ts
 function normalizeEnvValue(value) {
   if (value === void 0 || value === null) {
@@ -2077,8 +2240,38 @@ function toPublicEnv(graph, manifest, options = {}) {
 }
 
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache) {
-  function readLogicalKey(key) {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+  async function refreshSecretEntry(key) {
+    const entry = graph.entries.get(key);
+    if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
+      return;
+    }
+    if (!secretCache) {
+      return;
+    }
+    const vaultId = entry.value.vault ?? "default";
+    const definition = manifest.vaults[vaultId] ?? {
+      provider: entry.value.provider,
+      auth: { passphrase: { from: [] } }
+    };
+    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
+    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
+    await provider.authenticate(auth);
+    const value = await provider.get(entry.value.ref);
+    if (value !== void 0) {
+      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    }
+  }
+  async function refreshAllSecrets() {
+    if (!secretCache) {
+      return;
+    }
+    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
+    for (const key of secretKeys) {
+      await refreshSecretEntry(key);
+    }
+  }
+  function readLogicalKey2(key) {
     const entry = graph.entries.get(key);
     if (!entry) {
       return void 0;
@@ -2093,10 +2286,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     plugins,
     graph,
     read(key) {
-      return readLogicalKey(key);
+      return readLogicalKey2(key);
     },
     require(key) {
-      const value = readLogicalKey(key);
+      const value = readLogicalKey2(key);
       if (value === void 0) {
         return requireValue(graph, key);
       }
@@ -2105,14 +2298,14 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     readOr(key, fallback) {
       return readOrValue(graph, key, fallback);
     },
-    value(path12) {
-      return readLogicalKey(toLogicalKey("value", path12));
+    value(path14) {
+      return readLogicalKey2(toLogicalKey("value", path14));
     },
-    secret(path12) {
-      return readLogicalKey(toLogicalKey("secret", path12));
+    secret(path14) {
+      return readLogicalKey2(toLogicalKey("secret", path14));
     },
-    meta(path12) {
-      return readLogicalKey(toLogicalKey("meta", path12));
+    meta(path14) {
+      return readLogicalKey2(toLogicalKey("meta", path14));
     },
     inspect(key) {
       return inspectValue(graph, key);
@@ -2128,6 +2321,15 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     },
     toPublicEnv(options) {
       return toPublicEnv(graph, manifest, options);
+    },
+    toServerProjection() {
+      return toServerProjection(graph, manifest, cnosVersion);
+    },
+    async refreshSecrets() {
+      await refreshAllSecrets();
+    },
+    async refreshSecret(key) {
+      await refreshSecretEntry(key);
     }
   };
 }
@@ -2226,14 +2428,18 @@ function appendMetaEntries(graph, cnosVersion) {
   };
 }
 async function createCnos(options = {}) {
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const loadedManifest = await loadManifest({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
   for (const key of loadedManifest.manifest.public.promote) {
     ensureProjectionAllowed(loadedManifest.manifest, key, "public");
   }
-  const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
+  const workspaceFile = await loadWorkspaceFile(loadedManifest.consumerRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
     ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...loadedManifest.anchoredWorkspace ? { anchoredWorkspace: loadedManifest.anchoredWorkspace } : {},
     ...options.workspace ? { workspace: options.workspace } : {},
     ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
     ...options.processEnv ? { processEnv: options.processEnv } : {}
@@ -2278,13 +2484,15 @@ async function createCnos(options = {}) {
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins,
-    secretCache
+    secretCache,
+    options.processEnv,
+    options.cnosVersion
   );
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises9 = require("fs/promises");
-var import_node_path9 = __toESM(require("path"), 1);
+var import_promises10 = require("fs/promises");
+var import_node_path10 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
@@ -2293,8 +2501,8 @@ function normalizeMappingConfig(config = {}) {
     explicit: config.explicit ?? {}
   };
 }
-function fromScreamingSnake(path12) {
-  return path12.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function fromScreamingSnake(path14) {
+  return path14.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
 function envVarToLogicalKey(envVar, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -2321,7 +2529,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.5.1",
+  version: "1.6.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -2520,8 +2728,8 @@ function createCliArgsPlugin() {
 }
 
 // ../../plugins/dotenv/src/index.ts
-var import_promises10 = require("fs/promises");
-var import_node_path10 = __toESM(require("path"), 1);
+var import_promises11 = require("fs/promises");
+var import_node_path11 = __toESM(require("path"), 1);
 var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
@@ -2578,7 +2786,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises10.readFile)(filePath, "utf8");
+    return await (0, import_promises11.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }
@@ -2597,7 +2805,7 @@ function createDotenvPlugin() {
           workspace: workspaceRoot.workspaceId
         });
         for (const fileName of fileNames) {
-          const absolutePath = import_node_path10.default.join(envRoot, fileName);
+          const absolutePath = import_node_path11.default.join(envRoot, fileName);
           const document = await readIfPresent(absolutePath);
           if (!document) {
             continue;
@@ -2606,7 +2814,7 @@ function createDotenvPlugin() {
             ...dotenvEntriesFromObject(
               parseDotenv(document),
               config.envMapping,
-              toPortablePath(import_node_path10.default.relative(import_node_path10.default.dirname(context.manifestRoot), absolutePath)),
+              toPortablePath(import_node_path11.default.relative(import_node_path11.default.dirname(context.manifestRoot), absolutePath)),
               workspaceRoot.workspaceId
             )
           );
@@ -2644,16 +2852,16 @@ function createPublicEnvExportPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemSecretsReader.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 
 // ../../plugins/filesystem/src/helpers.ts
-var import_promises11 = require("fs/promises");
-var import_node_path11 = __toESM(require("path"), 1);
+var import_promises12 = require("fs/promises");
+var import_node_path12 = __toESM(require("path"), 1);
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
 async function existsDirectory(targetPath) {
   try {
-    const stat2 = await (0, import_promises11.readdir)(targetPath);
+    const stat2 = await (0, import_promises12.readdir)(targetPath);
     void stat2;
     return true;
   } catch {
@@ -2661,15 +2869,15 @@ async function existsDirectory(targetPath) {
   }
 }
 async function collectYamlFiles(root) {
-  const entries = await (0, import_promises11.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises12.readdir)(root, { withFileTypes: true });
   const results = [];
   for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
-    const absolutePath = import_node_path11.default.join(root, entry.name);
+    const absolutePath = import_node_path12.default.join(root, entry.name);
     if (entry.isDirectory()) {
       results.push(...await collectYamlFiles(absolutePath));
       continue;
     }
-    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path11.default.extname(entry.name).toLowerCase())) {
+    if (entry.isFile() && YAML_EXTENSIONS.has(import_node_path12.default.extname(entry.name).toLowerCase())) {
       results.push(absolutePath);
     }
   }
@@ -2677,16 +2885,16 @@ async function collectYamlFiles(root) {
 }
 async function collectFilesystemLayerFiles(manifestRoot, workspaceRoots, sourceRoot, activeLayers) {
   const files = [];
-  const repoRoot = import_node_path11.default.dirname(manifestRoot);
+  const repoRoot = import_node_path12.default.dirname(manifestRoot);
   for (const workspaceRoot of workspaceRoots) {
-    const resolvedRoot = import_node_path11.default.resolve(workspaceRoot.path, sourceRoot);
+    const resolvedRoot = import_node_path12.default.resolve(workspaceRoot.path, sourceRoot);
     for (const layer of activeLayers) {
-      const layerRoot = import_node_path11.default.join(resolvedRoot, layer);
+      const layerRoot = import_node_path12.default.join(resolvedRoot, layer);
       if (!await existsDirectory(layerRoot)) {
         continue;
       }
       for (const absolutePath of await collectYamlFiles(layerRoot)) {
-        const relativePath = import_node_path11.default.relative(repoRoot, absolutePath);
+        const relativePath = import_node_path12.default.relative(repoRoot, absolutePath);
         files.push({
           absolutePath,
           relativePath: toPortablePath(relativePath.startsWith("..") ? absolutePath : relativePath),
@@ -2763,7 +2971,7 @@ function createFilesystemSecretsPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises12.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
@@ -2779,7 +2987,7 @@ function createFilesystemSecretsPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemValuesReader.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 function filesystemValuesReader(filePath, document, workspaceId = "default") {
   return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
 }
@@ -2800,7 +3008,7 @@ function createFilesystemValuesPlugin() {
       ).map(([namespace]) => namespace);
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises14.readFile)(file.absolutePath, "utf8");
         entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
       }
       for (const namespace of customNamespaces) {
@@ -2815,7 +3023,7 @@ function createFilesystemValuesPlugin() {
           layers
         );
         for (const file of namespaceFiles) {
-          const document = await (0, import_promises13.readFile)(file.absolutePath, "utf8");
+          const document = await (0, import_promises14.readFile)(file.absolutePath, "utf8");
           entries.push(...yamlObjectToEntries(document, file.relativePath, namespace, "filesystem-values", file.workspaceId));
         }
       }
@@ -2985,10 +3193,18 @@ async function createCnos2(options = {}) {
 }
 
 // src/runtime/bootstrap.ts
-var import_node_crypto2 = require("crypto");
+var import_node_crypto3 = require("crypto");
 var CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+var CNOS_PROJECTION_ENV_VAR = "__CNOS_PROJECTION__";
 var CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
 var CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
+function deserializeServerProjection(source) {
+  const payload = JSON.parse(source);
+  if (!payload || payload.version !== 1 || typeof payload.workspace !== "string" || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || typeof payload.configHash !== "string" || !payload.values || typeof payload.values !== "object" || Array.isArray(payload.values) || !payload.secretRefs || typeof payload.secretRefs !== "object" || Array.isArray(payload.secretRefs) || !Array.isArray(payload.publicKeys) || !payload.meta || typeof payload.meta !== "object") {
+    throw new Error("Invalid CNOS server projection payload");
+  }
+  return payload;
+}
 function deserializeRuntimeGraph(source) {
   const payload = JSON.parse(source);
   if (!payload || !Array.isArray(payload.entries) || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || !payload.profileSource || !payload.workspace || typeof payload.workspace.workspaceId !== "string" || !Array.isArray(payload.workspace.workspaceChain) || !Array.isArray(payload.workspace.workspaceRoots)) {
@@ -3022,7 +3238,7 @@ function decryptSecretPayload(serialized, sessionKey) {
   const iv = Buffer.from(payload.iv, "base64");
   const tag = Buffer.from(payload.tag, "base64");
   const ciphertext = Buffer.from(payload.ciphertext, "base64");
-  const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", key, iv);
+  const decipher = (0, import_node_crypto3.createDecipheriv)("aes-256-gcm", key, iv);
   decipher.setAuthTag(tag);
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
   return JSON.parse(plaintext);
@@ -3046,6 +3262,13 @@ function readRuntimeGraphFromEnv(processEnv = process.env) {
   }
   return graph;
 }
+function readServerProjectionFromEnv(processEnv = process.env) {
+  const serialized = processEnv[CNOS_PROJECTION_ENV_VAR];
+  if (!serialized) {
+    return void 0;
+  }
+  return deserializeServerProjection(serialized);
+}
 function graphRequiresSecretHydration(graph) {
   return Array.from(graph.entries.values()).some((entry) => entry.namespace === "secret" && isSecretReference(entry.value));
 }
@@ -3059,6 +3282,12 @@ function getRuntimeOrThrow() {
   }
   return runtime;
 }
+function requireLogicalKey(runtime, key) {
+  return runtime.require(key);
+}
+function readLogicalKey(runtime, key) {
+  return runtime.read(key);
+}
 function stringifyLogValue(value) {
   if (value === void 0) {
     return "";
@@ -3155,14 +3384,14 @@ function attachBootstrappedGraph(graph) {
     readOr(key, fallback) {
       return readOrValue(graph, key, fallback);
     },
-    value(path12) {
-      return readValue(graph, toLogicalKey("value", path12));
+    value(path14) {
+      return readValue(graph, toLogicalKey("value", path14));
     },
-    secret(path12) {
-      return readValue(graph, toLogicalKey("secret", path12));
+    secret(path14) {
+      return readValue(graph, toLogicalKey("secret", path14));
     },
-    meta(path12) {
-      return readValue(graph, toLogicalKey("meta", path12));
+    meta(path14) {
+      return readValue(graph, toLogicalKey("meta", path14));
     },
     toNamespace(namespace) {
       return toNamespaceObject(graph, namespace);
@@ -3178,11 +3407,275 @@ function attachBootstrappedGraph(graph) {
     },
     toObject() {
       return toNamespaceObject(graph);
+    },
+    toServerProjection() {
+      throw new Error("CNOS graph bootstrap payload does not support server projection export.");
+    },
+    async refreshSecrets() {
+      return;
+    },
+    async refreshSecret() {
+      return;
     }
   };
   setSingletonRuntime(runtime);
   setBootstrappedSecretHydrationRequired(graphRequiresSecretHydration(graph));
 }
+function toBootstrappedManifest(graph) {
+  return {
+    version: 1,
+    project: {
+      name: "bootstrapped"
+    },
+    workspaces: {
+      global: {
+        enabled: false,
+        allowWrite: false
+      },
+      items: {},
+      ...graph.workspace.workspaceSource === "implicit" ? {} : {
+        default: graph.workspace.workspaceId
+      }
+    },
+    profiles: {
+      default: graph.profile,
+      resolveFrom: ["default"]
+    },
+    plugins: {
+      loaders: [],
+      resolver: "profile-aware",
+      validators: [],
+      exporters: [],
+      inspectors: []
+    },
+    sources: {},
+    resolution: {
+      precedence: [],
+      arrayPolicy: "replace"
+    },
+    envMapping: {
+      explicit: {}
+    },
+    public: {
+      promote: [],
+      frameworks: {}
+    },
+    namespaces: {
+      value: { kind: "data", shareable: true },
+      secret: { kind: "data", shareable: false, sensitive: true },
+      meta: { kind: "system", shareable: false, readonly: true },
+      public: { kind: "projection", shareable: true, readonly: true, source: "promote" }
+    },
+    vaults: {},
+    writePolicy: {
+      define: {
+        defaultProfile: graph.profile,
+        targets: {
+          value: "./values/app.yml",
+          secret: "./secrets/app.yml"
+        }
+      }
+    },
+    schema: {}
+  };
+}
+function graphFromProjection(projection) {
+  const entries = /* @__PURE__ */ new Map();
+  const now = projection.resolvedAt;
+  const explicitNamespaces = /* @__PURE__ */ new Set(["flags", "config", "process", ...projection.meta.namespaces ?? []]);
+  for (const [key, value] of Object.entries(projection.values)) {
+    const firstSegment = key.split(".")[0] ?? "";
+    const logicalKey = key.startsWith("value.") || key.startsWith("public.") || explicitNamespaces.has(firstSegment) ? key : `value.${key}`;
+    const namespace = logicalKey.slice(0, logicalKey.indexOf("."));
+    const winner = {
+      key: logicalKey,
+      value,
+      namespace,
+      sourceId: "server-projection",
+      pluginId: "cnos",
+      workspaceId: projection.workspace,
+      profile: projection.profile
+    };
+    entries.set(logicalKey, {
+      key: logicalKey,
+      value,
+      namespace,
+      winner,
+      overridden: []
+    });
+  }
+  for (const [key, ref] of Object.entries(projection.secretRefs)) {
+    const logicalKey = `secret.${key}`;
+    entries.set(logicalKey, {
+      key: logicalKey,
+      value: ref,
+      namespace: "secret",
+      winner: {
+        key: logicalKey,
+        value: ref,
+        namespace: "secret",
+        sourceId: "server-projection",
+        pluginId: "cnos",
+        workspaceId: projection.workspace,
+        profile: projection.profile
+      },
+      overridden: []
+    });
+  }
+  for (const key of projection.publicKeys) {
+    const valueKey = Object.prototype.hasOwnProperty.call(projection.values, key) ? key : `value.${key}`;
+    const publicKey = `public.${key}`;
+    const sourceEntry = entries.get(valueKey);
+    if (!sourceEntry) {
+      continue;
+    }
+    entries.set(publicKey, {
+      key: publicKey,
+      value: sourceEntry.value,
+      namespace: "public",
+      winner: {
+        key: publicKey,
+        value: sourceEntry.value,
+        namespace: "public",
+        sourceId: "server-projection",
+        pluginId: "cnos",
+        workspaceId: projection.workspace,
+        profile: projection.profile
+      },
+      overridden: []
+    });
+  }
+  entries.set("meta.profile", {
+    key: "meta.profile",
+    value: projection.profile,
+    namespace: "meta",
+    winner: {
+      key: "meta.profile",
+      value: projection.profile,
+      namespace: "meta",
+      sourceId: "server-projection",
+      pluginId: "cnos",
+      workspaceId: projection.workspace,
+      profile: projection.profile
+    },
+    overridden: []
+  });
+  return {
+    entries,
+    profile: projection.profile,
+    resolvedAt: now,
+    profileSource: "manifest-default",
+    workspace: {
+      workspaceId: projection.workspace,
+      workspaceSource: "implicit",
+      workspaceChain: [projection.workspace],
+      workspaceRoots: []
+    }
+  };
+}
+function attachBootstrappedProjection(projection, force = false) {
+  if (getSingletonRuntime() && !force) {
+    return;
+  }
+  const graph = graphFromProjection(projection);
+  const manifest = toBootstrappedManifest(graph);
+  const hydratedSecrets = /* @__PURE__ */ new Map();
+  const resolveSecretValue = async (key) => {
+    const entry = graph.entries.get(key);
+    if (!entry || entry.namespace !== "secret") {
+      return entry?.value;
+    }
+    if (hydratedSecrets.has(key)) {
+      return hydratedSecrets.get(key);
+    }
+    const ref = projection.secretRefs[key.slice("secret.".length)];
+    if (!ref) {
+      return void 0;
+    }
+    const definition = { provider: ref.provider };
+    const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
+    const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
+    await provider.authenticate(auth);
+    const value = await provider.get(ref.ref);
+    hydratedSecrets.set(key, value);
+    return value;
+  };
+  const runtime = {
+    manifest,
+    plugins: [],
+    graph,
+    read(key) {
+      const entry = graph.entries.get(key);
+      if (!entry) {
+        return void 0;
+      }
+      if (entry.namespace === "secret") {
+        return hydratedSecrets.get(key);
+      }
+      return entry.value;
+    },
+    require(key) {
+      const value = this.read(key);
+      if (value === void 0) {
+        throw new Error(`Missing required CNOS config key: ${key}`);
+      }
+      return value;
+    },
+    readOr(key, fallback) {
+      return this.read(key) ?? fallback;
+    },
+    value(segment) {
+      return this.read(toLogicalKey("value", segment));
+    },
+    secret(segment) {
+      return this.read(toLogicalKey("secret", segment));
+    },
+    meta(segment) {
+      return this.read(toLogicalKey("meta", segment));
+    },
+    inspect(key) {
+      return inspectValue(
+        {
+          ...graph,
+          entries: new Map(
+            Array.from(graph.entries.entries()).map(([entryKey, existing]) => [
+              entryKey,
+              entryKey === key && existing.namespace === "secret" && hydratedSecrets.has(entryKey) ? { ...existing, value: hydratedSecrets.get(entryKey) } : existing
+            ])
+          )
+        },
+        key
+      );
+    },
+    toObject() {
+      return toNamespaceObject(graph);
+    },
+    toNamespace(namespace) {
+      return toNamespaceObject(graph, namespace);
+    },
+    toEnv(options) {
+      return toEnv(graph, manifest, options);
+    },
+    toPublicEnv(options) {
+      return toPublicEnv(graph, manifest, options);
+    },
+    toServerProjection() {
+      return projection;
+    },
+    async refreshSecrets() {
+      for (const key of Object.keys(projection.secretRefs).map((segment) => `secret.${segment}`)) {
+        hydratedSecrets.delete(key);
+        await resolveSecretValue(key);
+      }
+    },
+    async refreshSecret(key) {
+      hydratedSecrets.delete(key);
+      await resolveSecretValue(key);
+    }
+  };
+  setSingletonRuntime(runtime);
+  setBootstrappedSecretHydrationRequired(Object.keys(projection.secretRefs).length > 0);
+}
 function bootstrapFromProcessEnv() {
   if (typeof process === "undefined") {
     return;
@@ -3191,31 +3684,78 @@ function bootstrapFromProcessEnv() {
     const graph = readRuntimeGraphFromEnv(process.env);
     if (graph) {
       attachBootstrappedGraph(graph);
+      return;
+    }
+    const projection = readServerProjectionFromEnv(process.env);
+    if (projection) {
+      attachBootstrappedProjection(projection);
+    }
+  } catch {
+  }
+}
+function discoverProjectionPathSync() {
+  const cwd = process.cwd();
+  const directCandidates = [
+    import_node_path13.default.join(cwd, ".cnos-server.json")
+  ];
+  for (const candidate of directCandidates) {
+    if ((0, import_node_fs.existsSync)(candidate)) {
+      return candidate;
+    }
+  }
+  let current = cwd;
+  for (let depth = 0; depth <= 3; depth += 1) {
+    const rcCandidate = import_node_path13.default.join(current, ".cnosrc.yml");
+    if ((0, import_node_fs.existsSync)(rcCandidate)) {
+      const projectionCandidate = import_node_path13.default.join(current, ".cnos-server.json");
+      if ((0, import_node_fs.existsSync)(projectionCandidate)) {
+        return projectionCandidate;
+      }
+    }
+    const parent = import_node_path13.default.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+  return void 0;
+}
+function bootstrapFromProjectionFile() {
+  if (getSingletonRuntime()) {
+    return;
+  }
+  try {
+    const projectionPath = discoverProjectionPathSync();
+    if (!projectionPath) {
+      return;
     }
+    const projection = deserializeServerProjection((0, import_node_fs.readFileSync)(projectionPath, "utf8"));
+    attachBootstrappedProjection(projection);
   } catch {
   }
 }
 bootstrapFromProcessEnv();
+bootstrapFromProjectionFile();
 var cnos = Object.assign(
-  ((key) => readValue(getRuntimeOrThrow().graph, key)),
+  ((key) => readLogicalKey(getRuntimeOrThrow(), key)),
   {
     read(key) {
-      return readValue(getRuntimeOrThrow().graph, key);
+      return readLogicalKey(getRuntimeOrThrow(), key);
     },
     require(key) {
-      return requireValue(getRuntimeOrThrow().graph, key);
+      return requireLogicalKey(getRuntimeOrThrow(), key);
     },
     readOr(key, fallback) {
-      return readOrValue(getRuntimeOrThrow().graph, key, fallback);
+      return getRuntimeOrThrow().readOr(key, fallback);
     },
-    value(path12) {
-      return readValue(getRuntimeOrThrow().graph, toLogicalKey("value", path12));
+    value(path14) {
+      return getRuntimeOrThrow().value(path14);
     },
-    secret(path12) {
-      return readValue(getRuntimeOrThrow().graph, toLogicalKey("secret", path12));
+    secret(path14) {
+      return getRuntimeOrThrow().secret(path14);
     },
-    meta(path12) {
-      return readValue(getRuntimeOrThrow().graph, toLogicalKey("meta", path12));
+    meta(path14) {
+      return getRuntimeOrThrow().meta(path14);
     },
     inspect(key) {
       return getRuntimeOrThrow().inspect(key);
@@ -3237,8 +3777,27 @@ var cnos = Object.assign(
       console.log(formatted);
       return formatted;
     },
+    async loadProjection(source) {
+      const resolvedSource = import_node_path13.default.resolve(source);
+      const projection = deserializeServerProjection((0, import_node_fs.readFileSync)(resolvedSource, "utf8"));
+      attachBootstrappedProjection(projection, true);
+      setBootstrappedSecretHydrationRequired(Object.keys(projection.secretRefs).length > 0);
+    },
+    async refreshSecrets() {
+      await getRuntimeOrThrow().refreshSecrets();
+      setBootstrappedSecretHydrationRequired(false);
+    },
+    async refreshSecret(key) {
+      await getRuntimeOrThrow().refreshSecret(key);
+    },
     async ready() {
-      if (getSingletonRuntime() && !getBootstrappedSecretHydrationRequired()) {
+      const runtime = getSingletonRuntime();
+      if (runtime && getBootstrappedSecretHydrationRequired()) {
+        await runtime.refreshSecrets();
+        setBootstrappedSecretHydrationRequired(false);
+        return;
+      }
+      if (runtime && !getBootstrappedSecretHydrationRequired()) {
         return;
       }
       const existing = getSingletonReady();
@@ -3246,9 +3805,10 @@ var cnos = Object.assign(
         await existing;
         return;
       }
-      const readyPromise = createCnos2().then((runtime) => {
-        setSingletonRuntime(runtime);
-        return runtime;
+      const readyPromise = createCnos2().then((runtime2) => {
+        setSingletonRuntime(runtime2);
+        setBootstrappedSecretHydrationRequired(false);
+        return runtime2;
       });
       setSingletonReady(readyPromise);
       await readyPromise;