@kitsy/cnos 1.5.1 → 1.6.0

package/dist/{chunk-BS33AW4Y.js → chunk-S7H2UULC.js}

@@ -12,6 +12,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosDiscoveryError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosSecurityError = class extends CnosError {
   constructor(message) {
     super(message);
@@ -169,29 +174,105 @@ async function writeKeychain(entry, value) {
   throw new CnosAuthenticationError(`OS keychain is not supported on platform "${process.platform}".`);
 }
 
+// ../core/src/utils/yaml.ts
+import { parse, stringify } from "yaml";
+function parseYaml(source) {
+  return parse(source);
+}
+function stringifyYaml(value) {
+  return stringify(value);
+}
+
 // ../core/src/utils/path.ts
-import { access } from "fs/promises";
+import { access as access2 } from "fs/promises";
 import os from "os";
+import path2 from "path";
+
+// ../core/src/discovery/findCnosrc.ts
+import { access, readFile } from "fs/promises";
 import path from "path";
+async function exists(targetPath) {
+  try {
+    await access(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function validateCnosrc(value, filePath) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new CnosManifestError(".cnosrc.yml must be a YAML object", filePath);
+  }
+  const root = typeof value.root === "string" ? value.root.trim() : "";
+  const workspace = typeof value.workspace === "string" ? value.workspace.trim() : void 0;
+  if (!root) {
+    throw new CnosManifestError(".cnosrc.yml requires root", filePath);
+  }
+  return {
+    root,
+    ...workspace ? { workspace } : {}
+  };
+}
+async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
+  let current = path.resolve(startDir);
+  for (let depth = 0; depth <= maxLevels; depth += 1) {
+    const candidate = path.join(current, ".cnosrc.yml");
+    if (await exists(candidate)) {
+      return candidate;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+  return void 0;
+}
+async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3) {
+  const anchorPath = await findCnosrc(startDir, maxLevels);
+  if (!anchorPath) {
+    throw new CnosDiscoveryError(
+      "No .cnosrc.yml found. Run cnos init or create .cnosrc.yml in your package root."
+    );
+  }
+  const source = await readFile(anchorPath, "utf8");
+  const parsed = validateCnosrc(parseYaml(source), anchorPath);
+  const consumerRoot = path.dirname(anchorPath);
+  const manifestRoot = path.resolve(consumerRoot, parsed.root);
+  const manifestPath = path.join(manifestRoot, "cnos.yml");
+  if (!await exists(manifestPath)) {
+    throw new CnosDiscoveryError(
+      `.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`
+    );
+  }
+  return {
+    anchorPath,
+    consumerRoot,
+    manifestRoot,
+    ...parsed.workspace ? { workspace: parsed.workspace } : {}
+  };
+}
+
+// ../core/src/utils/path.ts
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
-async function exists(filePath) {
+async function exists2(filePath) {
   try {
-    await access(filePath);
+    await access2(filePath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveCnosRoot(root = process.cwd()) {
-  const basePath = path.resolve(root);
+  const basePath = path2.resolve(root);
   const candidates = [
-    path.join(basePath, PRIMARY_CNOS_DIR),
-    path.join(basePath, LEGACY_CNOS_DIR),
+    path2.join(basePath, PRIMARY_CNOS_DIR),
+    path2.join(basePath, LEGACY_CNOS_DIR),
     basePath
   ];
   for (const candidate of candidates) {
-    if (await exists(path.join(candidate, "cnos.yml"))) {
+    if (await exists2(path2.join(candidate, "cnos.yml"))) {
       return candidate;
     }
   }
@@ -199,8 +280,23 @@ async function resolveCnosRoot(root = process.cwd()) {
     `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
   );
 }
-async function resolveManifestRoot(root = process.cwd()) {
-  return resolveCnosRoot(root);
+async function resolveManifestRoot(options = {}) {
+  if (options.root) {
+    const manifestRoot = await resolveCnosRoot(options.root);
+    const resolvedRoot = path2.resolve(options.root);
+    const consumerRoot = path2.basename(manifestRoot) === PRIMARY_CNOS_DIR || path2.basename(manifestRoot) === LEGACY_CNOS_DIR ? path2.dirname(manifestRoot) : resolvedRoot;
+    return {
+      manifestRoot,
+      consumerRoot
+    };
+  }
+  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd());
+  return {
+    manifestRoot: discovered.manifestRoot,
+    consumerRoot: discovered.consumerRoot,
+    anchorPath: discovered.anchorPath,
+    ...discovered.workspace ? { workspace: discovered.workspace } : {}
+  };
 }
 function interpolatePathTemplate(template, tokens) {
   return Object.entries(tokens).reduce(
@@ -213,7 +309,7 @@ function expandHomePath(targetPath) {
     return os.homedir();
   }
   if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return path.join(os.homedir(), targetPath.slice(2));
+    return path2.join(os.homedir(), targetPath.slice(2));
   }
   return targetPath;
 }
@@ -231,19 +327,19 @@ function stripWorkspaceTemplatePrefix(template) {
 function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
   const relativeTemplate = stripWorkspaceTemplatePrefix(template);
   const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
-  return path.resolve(workspaceRoot, interpolated);
+  return path2.resolve(workspaceRoot, interpolated);
 }
 function resolveNamespaceDirectory(workspaceRoot, namespace, profile) {
   const rootFolder = namespace === "value" ? "values" : namespace === "secret" ? "secrets" : namespace;
   if (profile && profile !== "base") {
-    return path.resolve(workspaceRoot, "profiles", profile, rootFolder);
+    return path2.resolve(workspaceRoot, "profiles", profile, rootFolder);
   }
-  return path.resolve(workspaceRoot, rootFolder);
+  return path2.resolve(workspaceRoot, rootFolder);
 }
 function resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile) {
   const namespaceRoot = resolveNamespaceDirectory(workspaceRoot, namespace, profile);
   const fileName = `${configPath.split(".").shift() ?? "app"}.yml`;
-  return path.resolve(namespaceRoot, fileName);
+  return path2.resolve(namespaceRoot, fileName);
 }
 function toPortablePath(targetPath) {
   return targetPath.replace(/\\/g, "/");
@@ -258,18 +354,9 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
-// ../core/src/utils/yaml.ts
-import { parse, stringify } from "yaml";
-function parseYaml(source) {
-  return parse(source);
-}
-function stringifyYaml(value) {
-  return stringify(value);
-}
-
 // ../core/src/manifest/loadManifest.ts
-import { readFile } from "fs/promises";
-import path2 from "path";
+import { readFile as readFile2 } from "fs/promises";
+import path3 from "path";
 
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
@@ -540,11 +627,15 @@ function normalizeManifest(manifest) {
 
 // ../core/src/manifest/loadManifest.ts
 async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = path2.join(manifestRoot, "cnos.yml");
+  const resolved = await resolveManifestRoot({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
+  const manifestRoot = resolved.manifestRoot;
+  const manifestPath = path3.join(manifestRoot, "cnos.yml");
   let source;
   try {
-    source = await readFile(manifestPath, "utf8");
+    source = await readFile2(manifestPath, "utf8");
   } catch {
     throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
@@ -554,7 +645,10 @@ async function loadManifest(options = {}) {
   }
   return {
     manifestRoot,
-    repoRoot: path2.dirname(manifestRoot),
+    repoRoot: path3.dirname(manifestRoot),
+    consumerRoot: resolved.consumerRoot,
+    ...resolved.anchorPath ? { anchorPath: resolved.anchorPath } : {},
+    ...resolved.workspace ? { anchoredWorkspace: resolved.workspace } : {},
     manifestPath,
     manifest: normalizeManifest(rawManifest),
     rawManifest
@@ -610,17 +704,17 @@ function validateProjectionIssue(manifest, key, target) {
 }
 
 // ../core/src/secrets/sessionStore.ts
-import { mkdir, readFile as readFile2, readdir, rm, writeFile } from "fs/promises";
-import path3 from "path";
+import { mkdir, readFile as readFile3, readdir, rm, writeFile } from "fs/promises";
+import path4 from "path";
 function buildSessionRoot(processEnv = process.env) {
-  return path3.join(path3.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+  return path4.join(path4.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
 }
 function buildSessionPath(vault, processEnv) {
-  return path3.join(buildSessionRoot(processEnv), `${vault}.json`);
+  return path4.join(buildSessionRoot(processEnv), `${vault}.json`);
 }
 async function writeVaultSessionKey(vault, derivedKey, processEnv) {
   const filePath = buildSessionPath(vault, processEnv);
-  await mkdir(path3.dirname(filePath), { recursive: true });
+  await mkdir(path4.dirname(filePath), { recursive: true });
   const document = {
     version: 1,
     vault,
@@ -632,7 +726,7 @@ async function writeVaultSessionKey(vault, derivedKey, processEnv) {
 }
 async function readVaultSessionKey(vault, processEnv) {
   try {
-    const source = await readFile2(buildSessionPath(vault, processEnv), "utf8");
+    const source = await readFile3(buildSessionPath(vault, processEnv), "utf8");
     const document = JSON.parse(source);
     if (document.version !== 1 || typeof document.derivedKey !== "string") {
       return void 0;
@@ -650,15 +744,15 @@ async function clearAllVaultSessionKeys(processEnv) {
   const root = buildSessionRoot(processEnv);
   try {
     const entries = await readdir(root);
-    await Promise.all(entries.map((entry) => rm(path3.join(root, entry), { force: true })));
+    await Promise.all(entries.map((entry) => rm(path4.join(root, entry), { force: true })));
   } catch {
   }
 }
 
 // ../core/src/utils/secretStore.ts
 import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "crypto";
-import { mkdir as mkdir2, readdir as readdir2, readFile as readFile3, rm as rm2, stat, writeFile as writeFile2 } from "fs/promises";
-import path4 from "path";
+import { mkdir as mkdir2, readdir as readdir2, readFile as readFile4, rm as rm2, stat, writeFile as writeFile2 } from "fs/promises";
+import path5 from "path";
 var KEY_LENGTH = 32;
 var SALT_LENGTH = 32;
 var IV_LENGTH = 12;
@@ -675,7 +769,7 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return path4.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return path5.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function normalizeVaultToken(vault = "default") {
   return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -710,19 +804,19 @@ function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
   return pbkdf2Sync(passphrase, salt, iterations, KEY_LENGTH, "sha512");
 }
 function buildMetaPath(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", vault, META_FILENAME);
+  return path5.join(storeRoot, "vaults", vault, META_FILENAME);
 }
 function resolveSecretVaultFile(storeRoot, vault = "default") {
   return buildMetaPath(storeRoot, vault);
 }
 function buildKeystorePath(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+  return path5.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
 }
 function buildLegacyVaultFile(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", `${vault}.json`);
+  return path5.join(storeRoot, "vaults", `${vault}.json`);
 }
 function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
-  return path4.join(storeRoot, "vaults", vault, "store");
+  return path5.join(storeRoot, "vaults", vault, "store");
 }
 function assertVaultMetadata(value, filePath) {
   if (!isObject(value)) {
@@ -733,7 +827,7 @@ function assertVaultMetadata(value, filePath) {
   }
   return value;
 }
-async function exists2(targetPath) {
+async function exists3(targetPath) {
   try {
     await stat(targetPath);
     return true;
@@ -744,10 +838,10 @@ async function exists2(targetPath) {
 async function detectLegacyVaultFormat(storeRoot, vault = "default") {
   const legacyFile = buildLegacyVaultFile(storeRoot, vault);
   const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
-  if (await exists2(legacyFile)) {
+  if (await exists3(legacyFile)) {
     return legacyFile;
   }
-  if (await exists2(legacyStore)) {
+  if (await exists3(legacyStore)) {
     return legacyStore;
   }
   return void 0;
@@ -819,7 +913,7 @@ function buildInitialPayload() {
 async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
   const metaPath = buildMetaPath(storeRoot, vault);
   const keystorePath = buildKeystorePath(storeRoot, vault);
-  await mkdir2(path4.dirname(metaPath), { recursive: true });
+  await mkdir2(path5.dirname(metaPath), { recursive: true });
   await writeFile2(metaPath, stringifyYaml(meta), "utf8");
   await writeFile2(keystorePath, encryptPayload(payload, key));
 }
@@ -827,7 +921,7 @@ async function readVaultMetadata(storeRoot, vault = "default") {
   await assertNoLegacyVaultFormat(storeRoot, vault);
   const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    const source = await readFile3(metaPath, "utf8");
+    const source = await readFile4(metaPath, "utf8");
     return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -837,11 +931,11 @@ async function readVaultMetadata(storeRoot, vault = "default") {
   }
 }
 async function listSecretVaults(storeRoot) {
-  const vaultRoot = path4.join(storeRoot, "vaults");
+  const vaultRoot = path5.join(storeRoot, "vaults");
   try {
     const entries = await readdir2(vaultRoot, { withFileTypes: true });
     const vaults = await Promise.all(
-      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists2(path4.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
+      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists3(path5.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
     );
     return vaults.filter((value) => Boolean(value)).sort((left, right) => left.localeCompare(right));
   } catch {
@@ -930,7 +1024,7 @@ async function loadVaultPayload(storeRoot, vault, auth) {
   if (!key) {
     throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
   }
-  const buffer = await readFile3(buildKeystorePath(storeRoot, vault));
+  const buffer = await readFile4(buildKeystorePath(storeRoot, vault));
   return {
     meta,
     payload: decryptPayload(buffer, key),
@@ -1003,7 +1097,7 @@ function resolveVaultDefinition(vaults, vault = "default") {
   };
 }
 async function removeLocalVaultFiles(storeRoot, vault = "default") {
-  await rm2(path4.join(storeRoot, "vaults", vault), { recursive: true, force: true });
+  await rm2(path5.join(storeRoot, "vaults", vault), { recursive: true, force: true });
 }
 
 // ../core/src/secrets/providers/github.ts
@@ -1063,10 +1157,10 @@ var GithubSecretsVaultProvider = class {
 
 // ../core/src/secrets/auditLog.ts
 import { appendFile, mkdir as mkdir3 } from "fs/promises";
-import path5 from "path";
+import path6 from "path";
 async function appendAuditEvent(event, processEnv = process.env) {
-  const auditFile = processEnv.CNOS_AUDIT_FILE ?? path5.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await mkdir3(path5.dirname(auditFile), { recursive: true });
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? path6.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await mkdir3(path6.dirname(auditFile), { recursive: true });
   await appendFile(
     auditFile,
     `${JSON.stringify({
@@ -1413,22 +1507,22 @@ function toPublicEnv(graph, manifest, options = {}) {
 
 // ../core/src/runtime/dump.ts
 import { mkdir as mkdir4, writeFile as writeFile3 } from "fs/promises";
-import path6 from "path";
+import path7 from "path";
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : path6.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : path7.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: path6.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: path7.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: path6.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: path7.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -1444,11 +1538,11 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = path6.resolve(options.to);
+  const root = path7.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = path6.join(root, file.path);
-    await mkdir4(path6.dirname(destination), { recursive: true });
+    const destination = path7.join(root, file.path);
+    await mkdir4(path7.dirname(destination), { recursive: true });
     await writeFile3(destination, file.content, "utf8");
   }
   return {
@@ -1480,11 +1574,11 @@ function normalizeMappingConfig(config = {}) {
 function toScreamingSnakeSegment(segment) {
   return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
-function toScreamingSnake(path10) {
-  return path10.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+function toScreamingSnake(path11) {
+  return path11.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
 }
-function fromScreamingSnake(path10) {
-  return path10.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function fromScreamingSnake(path11) {
+  return path11.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
 function logicalKeyToEnvVar(key, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -1636,12 +1730,12 @@ function createProvenanceInspector() {
 }
 
 // ../core/src/manifest/loadWorkspaceFile.ts
-import { readFile as readFile4 } from "fs/promises";
-import path7 from "path";
+import { readFile as readFile5 } from "fs/promises";
+import path8 from "path";
 async function loadWorkspaceFile(repoRoot) {
-  const workspaceFilePath = path7.join(repoRoot, ".cnos-workspace.yml");
+  const workspaceFilePath = path8.join(repoRoot, ".cnos-workspace.yml");
   try {
-    const source = await readFile4(workspaceFilePath, "utf8");
+    const source = await readFile5(workspaceFilePath, "utf8");
     const parsed = parseYaml(source);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
@@ -1664,11 +1758,11 @@ async function loadWorkspaceFile(repoRoot) {
 }
 
 // ../core/src/profiles/expandProfileChain.ts
-import { access as access2, readFile as readFile5 } from "fs/promises";
-import path8 from "path";
+import { access as access3, readFile as readFile6 } from "fs/promises";
+import path9 from "path";
 async function fileExists(targetPath) {
   try {
-    await access2(targetPath);
+    await access3(targetPath);
     return true;
   } catch {
     return false;
@@ -1702,11 +1796,11 @@ async function loadProfileDefinition(profileName, options) {
     return normalizeProfileDefinition(profileName, void 0);
   }
   for (const workspaceRoot of [...workspaceRoots].reverse()) {
-    const profilePath = path8.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    const profilePath = path9.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
     if (!await fileExists(profilePath)) {
       continue;
     }
-    const document = await readFile5(profilePath, "utf8");
+    const document = await readFile6(profilePath, "utf8");
     const parsed = parseYaml(document);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
@@ -1714,7 +1808,7 @@ async function loadProfileDefinition(profileName, options) {
     const definition = normalizeProfileDefinition(
       profileName,
       parsed,
-      options.manifestRoot ? toPortablePath(path8.relative(path8.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+      options.manifestRoot ? toPortablePath(path9.relative(path9.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
     );
     if (definition.name !== profileName) {
       throw new CnosManifestError(
@@ -1960,8 +2054,8 @@ function createProfileAwareResolver() {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-import { access as access3 } from "fs/promises";
-import path9 from "path";
+import { access as access4 } from "fs/promises";
+import path10 from "path";
 
 // ../core/src/workspaces/expandWorkspaceChain.ts
 function expandWorkspaceChain(workspaceId, items) {
@@ -1998,31 +2092,31 @@ function expandWorkspaceChain(workspaceId, items) {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-async function exists3(targetPath) {
+async function exists4(targetPath) {
   try {
-    await access3(targetPath);
+    await access4(targetPath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
-  const workspaceRoot = path9.join(manifestRoot, "workspaces", workspaceId);
-  if (await exists3(workspaceRoot)) {
+  const workspaceRoot = path10.join(manifestRoot, "workspaces", workspaceId);
+  if (await exists4(workspaceRoot)) {
     return workspaceRoot;
   }
   const customDataNamespaceRoots = Object.entries(manifest.namespaces).filter(
     ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
   ).map(([namespace]) => namespace);
   const legacyMarkers = ["values", "secrets", "env", "profiles", ...customDataNamespaceRoots].map(
-    (segment) => path9.join(manifestRoot, segment)
+    (segment) => path10.join(manifestRoot, segment)
   );
-  if ((await Promise.all(legacyMarkers.map((marker) => exists3(marker)))).some(Boolean)) {
+  if ((await Promise.all(legacyMarkers.map((marker) => exists4(marker)))).some(Boolean)) {
     return manifestRoot;
   }
   return workspaceRoot;
 }
-function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
+function resolveWorkspaceSelection(manifest, workspaceFile, anchoredWorkspace, workspaceOption) {
   if (workspaceOption) {
     return {
       workspaceId: workspaceOption,
@@ -2035,6 +2129,12 @@ function resolveWorkspaceSelection(manifest, workspaceFile, workspaceOption) {
       source: "workspace-file"
     };
   }
+  if (anchoredWorkspace) {
+    return {
+      workspaceId: anchoredWorkspace,
+      source: "anchor-file"
+    };
+  }
   if (manifest.workspaces.default) {
     return {
       workspaceId: manifest.workspaces.default,
@@ -2057,33 +2157,38 @@ function resolveGlobalRoot(manifest, workspaceFile, options) {
   }
   if (options.globalRoot) {
     return {
-      value: path9.resolve(expandHomePath(options.globalRoot)),
+      value: path10.resolve(expandHomePath(options.globalRoot)),
       source: "cli"
     };
   }
   if (workspaceFile?.globalRoot) {
     return {
-      value: path9.resolve(expandHomePath(workspaceFile.globalRoot)),
+      value: path10.resolve(expandHomePath(workspaceFile.globalRoot)),
       source: "workspace-file"
     };
   }
   if (manifest.workspaces.global.root) {
     return {
-      value: path9.resolve(expandHomePath(manifest.workspaces.global.root)),
+      value: path10.resolve(expandHomePath(manifest.workspaces.global.root)),
       source: "manifest"
     };
   }
   const cnosHome = options.processEnv?.CNOS_HOME;
   if (cnosHome) {
     return {
-      value: path9.resolve(expandHomePath(cnosHome)),
+      value: path10.resolve(expandHomePath(cnosHome)),
       source: "CNOS_HOME"
     };
   }
   return {};
 }
 async function resolveWorkspaceContext(manifest, options) {
-  const selectedWorkspace = resolveWorkspaceSelection(manifest, options.workspaceFile, options.workspace);
+  const selectedWorkspace = resolveWorkspaceSelection(
+    manifest,
+    options.workspaceFile,
+    options.anchoredWorkspace,
+    options.workspace
+  );
   const workspaceChain = expandWorkspaceChain(selectedWorkspace.workspaceId, manifest.workspaces.items);
   const globalRoot = resolveGlobalRoot(manifest, options.workspaceFile, options);
   const workspaceRoots = [];
@@ -2093,7 +2198,7 @@ async function resolveWorkspaceContext(manifest, options) {
       workspaceRoots.push({
         scope: "global",
         workspaceId: chainWorkspaceId,
-        path: path9.join(globalRoot.value, "workspaces", globalWorkspaceId)
+        path: path10.join(globalRoot.value, "workspaces", globalWorkspaceId)
       });
     }
   }
@@ -2361,8 +2466,92 @@ function resolveSecretEntryValue(key, value, cache) {
   return cache.get(vaultId, value.ref) ?? value;
 }
 
+// ../core/src/runtime/toServerProjection.ts
+import { createHash } from "crypto";
+function stableSortObject(value) {
+  return Object.fromEntries(Object.entries(value).sort(([left], [right]) => left.localeCompare(right)));
+}
+function stripValuePrefix(key) {
+  return key.startsWith("value.") ? key.slice("value.".length) : key;
+}
+function configHash(values) {
+  const serialized = JSON.stringify(stableSortObject(values));
+  return createHash("sha256").update(serialized).digest("hex");
+}
+function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
+  const values = {};
+  const secretRefs = {};
+  const namespaces = /* @__PURE__ */ new Set();
+  const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
+  for (const [key, entry] of graph.entries) {
+    if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      secretRefs[key.slice("secret.".length)] = {
+        provider: entry.value.provider,
+        vault: entry.value.vault ?? "default",
+        ref: entry.value.ref
+      };
+      continue;
+    }
+    if (entry.namespace === "value") {
+      values[stripValuePrefix(key)] = entry.value;
+      continue;
+    }
+    const namespaceDefinition = manifest.namespaces[entry.namespace];
+    if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+      values[key] = entry.value;
+      namespaces.add(entry.namespace);
+    }
+  }
+  return {
+    version: 1,
+    workspace: graph.workspace.workspaceId,
+    profile: graph.profile,
+    resolvedAt: graph.resolvedAt,
+    configHash: configHash(values),
+    values: stableSortObject(values),
+    secretRefs: stableSortObject(secretRefs),
+    publicKeys,
+    meta: {
+      workspace: graph.workspace.workspaceId,
+      profile: graph.profile,
+      cnos_version: cnosVersion,
+      ...namespaces.size > 0 ? { namespaces: Array.from(namespaces).sort((left, right) => left.localeCompare(right)) } : {}
+    }
+  };
+}
+
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache) {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+  async function refreshSecretEntry(key) {
+    const entry = graph.entries.get(key);
+    if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
+      return;
+    }
+    if (!secretCache) {
+      return;
+    }
+    const vaultId = entry.value.vault ?? "default";
+    const definition = manifest.vaults[vaultId] ?? {
+      provider: entry.value.provider,
+      auth: { passphrase: { from: [] } }
+    };
+    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
+    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
+    await provider.authenticate(auth);
+    const value = await provider.get(entry.value.ref);
+    if (value !== void 0) {
+      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    }
+  }
+  async function refreshAllSecrets() {
+    if (!secretCache) {
+      return;
+    }
+    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
+    for (const key of secretKeys) {
+      await refreshSecretEntry(key);
+    }
+  }
   function readLogicalKey(key) {
     const entry = graph.entries.get(key);
     if (!entry) {
@@ -2390,14 +2579,14 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     readOr(key, fallback) {
       return readOrValue(graph, key, fallback);
     },
-    value(path10) {
-      return readLogicalKey(toLogicalKey("value", path10));
+    value(path11) {
+      return readLogicalKey(toLogicalKey("value", path11));
     },
-    secret(path10) {
-      return readLogicalKey(toLogicalKey("secret", path10));
+    secret(path11) {
+      return readLogicalKey(toLogicalKey("secret", path11));
     },
-    meta(path10) {
-      return readLogicalKey(toLogicalKey("meta", path10));
+    meta(path11) {
+      return readLogicalKey(toLogicalKey("meta", path11));
     },
     inspect(key) {
       return inspectValue(graph, key);
@@ -2413,6 +2602,15 @@ function createRuntime(manifest, graph, plugins = [], secretCache) {
     },
     toPublicEnv(options) {
       return toPublicEnv(graph, manifest, options);
+    },
+    toServerProjection() {
+      return toServerProjection(graph, manifest, cnosVersion);
+    },
+    async refreshSecrets() {
+      await refreshAllSecrets();
+    },
+    async refreshSecret(key) {
+      await refreshSecretEntry(key);
     }
   };
 }
@@ -2511,14 +2709,18 @@ function appendMetaEntries(graph, cnosVersion) {
   };
 }
 async function createCnos(options = {}) {
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
+  const loadedManifest = await loadManifest({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
   for (const key of loadedManifest.manifest.public.promote) {
     ensureProjectionAllowed(loadedManifest.manifest, key, "public");
   }
-  const workspaceFile = await loadWorkspaceFile(loadedManifest.repoRoot);
+  const workspaceFile = await loadWorkspaceFile(loadedManifest.consumerRoot);
   const workspace = await resolveWorkspaceContext(loadedManifest.manifest, {
     manifestRoot: loadedManifest.manifestRoot,
     ...workspaceFile ? { workspaceFile: workspaceFile.config } : {},
+    ...loadedManifest.anchoredWorkspace ? { anchoredWorkspace: loadedManifest.anchoredWorkspace } : {},
     ...options.workspace ? { workspace: options.workspace } : {},
     ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
     ...options.processEnv ? { processEnv: options.processEnv } : {}
@@ -2563,7 +2765,9 @@ async function createCnos(options = {}) {
       profileSource: activeProfile.source
     }, options.cnosVersion),
     plugins,
-    secretCache
+    secretCache,
+    options.processEnv,
+    options.cnosVersion
   );
 }
 
@@ -2575,14 +2779,14 @@ export {
   createProvenanceInspector,
   readKeychain,
   writeKeychain,
+  parseYaml,
+  stringifyYaml,
   resolveManifestRoot,
   resolveWorkspaceScopedPath,
   resolveConfigDocumentPath,
   toPortablePath,
   joinConfigPath,
   toLogicalKey,
-  parseYaml,
-  stringifyYaml,
   loadManifest,
   getNamespaceDefinition,
   ensureProjectionAllowed,