@kitsy/cnos 1.5.1 → 1.6.1

package/dist/internal.cjs

@@ -31,6 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var internal_exports = {};
 __export(internal_exports, {
   CNOS_GRAPH_ENV_VAR: () => CNOS_GRAPH_ENV_VAR,
+  CNOS_PROJECTION_ENV_VAR: () => CNOS_PROJECTION_ENV_VAR,
   CNOS_SECRET_PAYLOAD_ENV_VAR: () => CNOS_SECRET_PAYLOAD_ENV_VAR,
   CNOS_SESSION_KEY_ENV_VAR: () => CNOS_SESSION_KEY_ENV_VAR,
   CnosAuthenticationError: () => CnosAuthenticationError,
@@ -44,6 +45,7 @@ __export(internal_exports, {
   deleteLocalSecret: () => deleteLocalSecret,
   deriveVaultKey: () => deriveVaultKey,
   deserializeRuntimeGraph: () => deserializeRuntimeGraph,
+  deserializeServerProjection: () => deserializeServerProjection,
   detectLegacyVaultFormat: () => detectLegacyVaultFormat,
   diffGraphs: () => diffGraphs,
   ensureProjectionAllowed: () => ensureProjectionAllowed,
@@ -64,6 +66,7 @@ __export(internal_exports, {
   readKeychain: () => readKeychain,
   readLocalSecret: () => readLocalSecret,
   readRuntimeGraphFromEnv: () => readRuntimeGraphFromEnv,
+  readServerProjectionFromEnv: () => readServerProjectionFromEnv,
   readVaultMetadata: () => readVaultMetadata,
   removeLocalVaultFiles: () => removeLocalVaultFiles,
   resolveCodegenPaths: () => resolveCodegenPaths,
@@ -80,6 +83,7 @@ __export(internal_exports, {
   scanEnvUsage: () => scanEnvUsage,
   serializeRuntimeGraph: () => serializeRuntimeGraph,
   serializeSecretPayload: () => serializeSecretPayload,
+  serializeServerProjection: () => serializeServerProjection,
   stringifyYaml: () => stringifyYaml,
   validateRuntime: () => validateRuntime,
   watchFiles: () => watchFiles,
@@ -105,6 +109,11 @@ var CnosManifestError = class extends CnosError {
   }
   manifestPath;
 };
+var CnosDiscoveryError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
 var CnosSecurityError = class extends CnosError {
   constructor(message) {
     super(message);
@@ -223,32 +232,110 @@ async function writeKeychain(entry, value) {
 }
 
 // ../core/src/manifest/loadManifest.ts
+var import_promises3 = require("fs/promises");
+var import_node_path3 = __toESM(require("path"), 1);
+
+// ../core/src/utils/path.ts
 var import_promises2 = require("fs/promises");
+var import_node_os = __toESM(require("os"), 1);
 var import_node_path2 = __toESM(require("path"), 1);
 
-// ../core/src/utils/path.ts
+// ../core/src/discovery/findCnosrc.ts
 var import_promises = require("fs/promises");
-var import_node_os = __toESM(require("os"), 1);
 var import_node_path = __toESM(require("path"), 1);
+
+// ../core/src/utils/yaml.ts
+var import_yaml = require("yaml");
+function parseYaml(source) {
+  return (0, import_yaml.parse)(source);
+}
+function stringifyYaml(value) {
+  return (0, import_yaml.stringify)(value);
+}
+
+// ../core/src/discovery/findCnosrc.ts
+async function exists(targetPath) {
+  try {
+    await (0, import_promises.access)(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function validateCnosrc(value, filePath) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new CnosManifestError(".cnosrc.yml must be a YAML object", filePath);
+  }
+  const root = typeof value.root === "string" ? value.root.trim() : "";
+  const workspace = typeof value.workspace === "string" ? value.workspace.trim() : void 0;
+  if (!root) {
+    throw new CnosManifestError(".cnosrc.yml requires root", filePath);
+  }
+  return {
+    root,
+    ...workspace ? { workspace } : {}
+  };
+}
+async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
+  let current = import_node_path.default.resolve(startDir);
+  for (let depth = 0; depth <= maxLevels; depth += 1) {
+    const candidate = import_node_path.default.join(current, ".cnosrc.yml");
+    if (await exists(candidate)) {
+      return candidate;
+    }
+    const parent = import_node_path.default.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+  return void 0;
+}
+async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3) {
+  const anchorPath = await findCnosrc(startDir, maxLevels);
+  if (!anchorPath) {
+    throw new CnosDiscoveryError(
+      "No .cnosrc.yml found. Run cnos init or create .cnosrc.yml in your package root."
+    );
+  }
+  const source = await (0, import_promises.readFile)(anchorPath, "utf8");
+  const parsed = validateCnosrc(parseYaml(source), anchorPath);
+  const consumerRoot = import_node_path.default.dirname(anchorPath);
+  const manifestRoot = import_node_path.default.resolve(consumerRoot, parsed.root);
+  const manifestPath = import_node_path.default.join(manifestRoot, "cnos.yml");
+  if (!await exists(manifestPath)) {
+    throw new CnosDiscoveryError(
+      `.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`
+    );
+  }
+  return {
+    anchorPath,
+    consumerRoot,
+    manifestRoot,
+    ...parsed.workspace ? { workspace: parsed.workspace } : {}
+  };
+}
+
+// ../core/src/utils/path.ts
 var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
-async function exists(filePath) {
+async function exists2(filePath) {
   try {
-    await (0, import_promises.access)(filePath);
+    await (0, import_promises2.access)(filePath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveCnosRoot(root = process.cwd()) {
-  const basePath = import_node_path.default.resolve(root);
+  const basePath = import_node_path2.default.resolve(root);
   const candidates = [
-    import_node_path.default.join(basePath, PRIMARY_CNOS_DIR),
-    import_node_path.default.join(basePath, LEGACY_CNOS_DIR),
+    import_node_path2.default.join(basePath, PRIMARY_CNOS_DIR),
+    import_node_path2.default.join(basePath, LEGACY_CNOS_DIR),
     basePath
   ];
   for (const candidate of candidates) {
-    if (await exists(import_node_path.default.join(candidate, "cnos.yml"))) {
+    if (await exists2(import_node_path2.default.join(candidate, "cnos.yml"))) {
       return candidate;
     }
   }
@@ -256,38 +343,44 @@ async function resolveCnosRoot(root = process.cwd()) {
     `Could not locate .cnos/cnos.yml or cnos/cnos.yml from root: ${basePath}`
   );
 }
-async function resolveManifestRoot(root = process.cwd()) {
-  return resolveCnosRoot(root);
+async function resolveManifestRoot(options = {}) {
+  if (options.root) {
+    const manifestRoot = await resolveCnosRoot(options.root);
+    const resolvedRoot = import_node_path2.default.resolve(options.root);
+    const consumerRoot = import_node_path2.default.basename(manifestRoot) === PRIMARY_CNOS_DIR || import_node_path2.default.basename(manifestRoot) === LEGACY_CNOS_DIR ? import_node_path2.default.dirname(manifestRoot) : resolvedRoot;
+    return {
+      manifestRoot,
+      consumerRoot
+    };
+  }
+  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd());
+  return {
+    manifestRoot: discovered.manifestRoot,
+    consumerRoot: discovered.consumerRoot,
+    anchorPath: discovered.anchorPath,
+    ...discovered.workspace ? { workspace: discovered.workspace } : {}
+  };
 }
 function expandHomePath(targetPath) {
   if (targetPath === "~") {
     return import_node_os.default.homedir();
   }
   if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return import_node_path.default.join(import_node_os.default.homedir(), targetPath.slice(2));
+    return import_node_path2.default.join(import_node_os.default.homedir(), targetPath.slice(2));
   }
   return targetPath;
 }
 function resolveNamespaceDirectory(workspaceRoot, namespace, profile) {
   const rootFolder = namespace === "value" ? "values" : namespace === "secret" ? "secrets" : namespace;
   if (profile && profile !== "base") {
-    return import_node_path.default.resolve(workspaceRoot, "profiles", profile, rootFolder);
+    return import_node_path2.default.resolve(workspaceRoot, "profiles", profile, rootFolder);
   }
-  return import_node_path.default.resolve(workspaceRoot, rootFolder);
+  return import_node_path2.default.resolve(workspaceRoot, rootFolder);
 }
 function resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile) {
   const namespaceRoot = resolveNamespaceDirectory(workspaceRoot, namespace, profile);
   const fileName = `${configPath.split(".").shift() ?? "app"}.yml`;
-  return import_node_path.default.resolve(namespaceRoot, fileName);
-}
-
-// ../core/src/utils/yaml.ts
-var import_yaml = require("yaml");
-function parseYaml(source) {
-  return (0, import_yaml.parse)(source);
-}
-function stringifyYaml(value) {
-  return (0, import_yaml.stringify)(value);
+  return import_node_path2.default.resolve(namespaceRoot, fileName);
 }
 
 // ../core/src/manifest/normalizeManifest.ts
@@ -559,11 +652,15 @@ function normalizeManifest(manifest) {
 
 // ../core/src/manifest/loadManifest.ts
 async function loadManifest(options = {}) {
-  const manifestRoot = await resolveManifestRoot(options.root);
-  const manifestPath = import_node_path2.default.join(manifestRoot, "cnos.yml");
+  const resolved = await resolveManifestRoot({
+    ...options.root ? { root: options.root } : {},
+    ...options.cwd ? { cwd: options.cwd } : {}
+  });
+  const manifestRoot = resolved.manifestRoot;
+  const manifestPath = import_node_path3.default.join(manifestRoot, "cnos.yml");
   let source;
   try {
-    source = await (0, import_promises2.readFile)(manifestPath, "utf8");
+    source = await (0, import_promises3.readFile)(manifestPath, "utf8");
   } catch {
     throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
@@ -573,7 +670,10 @@ async function loadManifest(options = {}) {
   }
   return {
     manifestRoot,
-    repoRoot: import_node_path2.default.dirname(manifestRoot),
+    repoRoot: import_node_path3.default.dirname(manifestRoot),
+    consumerRoot: resolved.consumerRoot,
+    ...resolved.anchorPath ? { anchorPath: resolved.anchorPath } : {},
+    ...resolved.workspace ? { anchoredWorkspace: resolved.workspace } : {},
     manifestPath,
     manifest: normalizeManifest(rawManifest),
     rawManifest
@@ -581,13 +681,13 @@ async function loadManifest(options = {}) {
 }
 
 // ../core/src/manifest/loadWorkspaceFile.ts
-var import_promises3 = require("fs/promises");
-var import_node_path3 = __toESM(require("path"), 1);
-
-// ../core/src/profiles/expandProfileChain.ts
 var import_promises4 = require("fs/promises");
 var import_node_path4 = __toESM(require("path"), 1);
 
+// ../core/src/profiles/expandProfileChain.ts
+var import_promises5 = require("fs/promises");
+var import_node_path5 = __toESM(require("path"), 1);
+
 // ../core/src/promotions/validatePromotion.ts
 var DEFAULT_DATA_NAMESPACE = {
   kind: "data",
@@ -637,42 +737,42 @@ function validateProjectionIssue(manifest, key, target) {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-var import_promises5 = require("fs/promises");
-var import_node_path5 = __toESM(require("path"), 1);
+var import_promises6 = require("fs/promises");
+var import_node_path6 = __toESM(require("path"), 1);
 
 // ../core/src/secrets/auditLog.ts
-var import_promises8 = require("fs/promises");
-var import_node_path8 = __toESM(require("path"), 1);
+var import_promises9 = require("fs/promises");
+var import_node_path9 = __toESM(require("path"), 1);
 
 // ../core/src/utils/secretStore.ts
 var import_node_crypto = require("crypto");
-var import_promises7 = require("fs/promises");
-var import_node_path7 = __toESM(require("path"), 1);
+var import_promises8 = require("fs/promises");
+var import_node_path8 = __toESM(require("path"), 1);
 
 // ../core/src/secrets/sessionStore.ts
-var import_promises6 = require("fs/promises");
-var import_node_path6 = __toESM(require("path"), 1);
+var import_promises7 = require("fs/promises");
+var import_node_path7 = __toESM(require("path"), 1);
 function buildSessionRoot(processEnv = process.env) {
-  return import_node_path6.default.join(import_node_path6.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+  return import_node_path7.default.join(import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
 }
 function buildSessionPath(vault, processEnv) {
-  return import_node_path6.default.join(buildSessionRoot(processEnv), `${vault}.json`);
+  return import_node_path7.default.join(buildSessionRoot(processEnv), `${vault}.json`);
 }
 async function writeVaultSessionKey(vault, derivedKey, processEnv) {
   const filePath = buildSessionPath(vault, processEnv);
-  await (0, import_promises6.mkdir)(import_node_path6.default.dirname(filePath), { recursive: true });
+  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(filePath), { recursive: true });
   const document = {
     version: 1,
     vault,
     derivedKey: derivedKey.toString("hex"),
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  await (0, import_promises6.writeFile)(filePath, JSON.stringify(document, null, 2), "utf8");
+  await (0, import_promises7.writeFile)(filePath, JSON.stringify(document, null, 2), "utf8");
   return filePath;
 }
 async function readVaultSessionKey(vault, processEnv) {
   try {
-    const source = await (0, import_promises6.readFile)(buildSessionPath(vault, processEnv), "utf8");
+    const source = await (0, import_promises7.readFile)(buildSessionPath(vault, processEnv), "utf8");
     const document = JSON.parse(source);
     if (document.version !== 1 || typeof document.derivedKey !== "string") {
       return void 0;
@@ -684,13 +784,13 @@ async function readVaultSessionKey(vault, processEnv) {
   }
 }
 async function clearVaultSessionKey(vault, processEnv) {
-  await (0, import_promises6.rm)(buildSessionPath(vault, processEnv), { force: true });
+  await (0, import_promises7.rm)(buildSessionPath(vault, processEnv), { force: true });
 }
 async function clearAllVaultSessionKeys(processEnv) {
   const root = buildSessionRoot(processEnv);
   try {
-    const entries = await (0, import_promises6.readdir)(root);
-    await Promise.all(entries.map((entry) => (0, import_promises6.rm)(import_node_path6.default.join(root, entry), { force: true })));
+    const entries = await (0, import_promises7.readdir)(root);
+    await Promise.all(entries.map((entry) => (0, import_promises7.rm)(import_node_path7.default.join(root, entry), { force: true })));
   } catch {
   }
 }
@@ -712,7 +812,7 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return import_node_path7.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return import_node_path8.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function normalizeVaultToken(vault = "default") {
   return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -747,19 +847,19 @@ function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
   return (0, import_node_crypto.pbkdf2Sync)(passphrase, salt, iterations, KEY_LENGTH, "sha512");
 }
 function buildMetaPath(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, META_FILENAME);
+  return import_node_path8.default.join(storeRoot, "vaults", vault, META_FILENAME);
 }
 function resolveSecretVaultFile(storeRoot, vault = "default") {
   return buildMetaPath(storeRoot, vault);
 }
 function buildKeystorePath(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+  return import_node_path8.default.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
 }
 function buildLegacyVaultFile(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", `${vault}.json`);
+  return import_node_path8.default.join(storeRoot, "vaults", `${vault}.json`);
 }
 function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
-  return import_node_path7.default.join(storeRoot, "vaults", vault, "store");
+  return import_node_path8.default.join(storeRoot, "vaults", vault, "store");
 }
 function assertVaultMetadata(value, filePath) {
   if (!isObject(value)) {
@@ -770,9 +870,9 @@ function assertVaultMetadata(value, filePath) {
   }
   return value;
 }
-async function exists2(targetPath) {
+async function exists3(targetPath) {
   try {
-    await (0, import_promises7.stat)(targetPath);
+    await (0, import_promises8.stat)(targetPath);
     return true;
   } catch {
     return false;
@@ -781,10 +881,10 @@ async function exists2(targetPath) {
 async function detectLegacyVaultFormat(storeRoot, vault = "default") {
   const legacyFile = buildLegacyVaultFile(storeRoot, vault);
   const legacyStore = buildLegacyVaultStoreRoot(storeRoot, vault);
-  if (await exists2(legacyFile)) {
+  if (await exists3(legacyFile)) {
     return legacyFile;
   }
-  if (await exists2(legacyStore)) {
+  if (await exists3(legacyStore)) {
     return legacyStore;
   }
   return void 0;
@@ -856,15 +956,15 @@ function buildInitialPayload() {
 async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
   const metaPath = buildMetaPath(storeRoot, vault);
   const keystorePath = buildKeystorePath(storeRoot, vault);
-  await (0, import_promises7.mkdir)(import_node_path7.default.dirname(metaPath), { recursive: true });
-  await (0, import_promises7.writeFile)(metaPath, stringifyYaml(meta), "utf8");
-  await (0, import_promises7.writeFile)(keystorePath, encryptPayload(payload, key));
+  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(metaPath), { recursive: true });
+  await (0, import_promises8.writeFile)(metaPath, stringifyYaml(meta), "utf8");
+  await (0, import_promises8.writeFile)(keystorePath, encryptPayload(payload, key));
 }
 async function readVaultMetadata(storeRoot, vault = "default") {
   await assertNoLegacyVaultFormat(storeRoot, vault);
   const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    const source = await (0, import_promises7.readFile)(metaPath, "utf8");
+    const source = await (0, import_promises8.readFile)(metaPath, "utf8");
     return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -874,11 +974,11 @@ async function readVaultMetadata(storeRoot, vault = "default") {
   }
 }
 async function listSecretVaults(storeRoot) {
-  const vaultRoot = import_node_path7.default.join(storeRoot, "vaults");
+  const vaultRoot = import_node_path8.default.join(storeRoot, "vaults");
   try {
-    const entries = await (0, import_promises7.readdir)(vaultRoot, { withFileTypes: true });
+    const entries = await (0, import_promises8.readdir)(vaultRoot, { withFileTypes: true });
     const vaults = await Promise.all(
-      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists2(import_node_path7.default.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
+      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists3(import_node_path8.default.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
     );
     return vaults.filter((value) => Boolean(value)).sort((left, right) => left.localeCompare(right));
   } catch {
@@ -967,7 +1067,7 @@ async function loadVaultPayload(storeRoot, vault, auth) {
   if (!key) {
     throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
   }
-  const buffer = await (0, import_promises7.readFile)(buildKeystorePath(storeRoot, vault));
+  const buffer = await (0, import_promises8.readFile)(buildKeystorePath(storeRoot, vault));
   return {
     meta,
     payload: decryptPayload(buffer, key),
@@ -1040,14 +1140,14 @@ function resolveVaultDefinition(vaults, vault = "default") {
   };
 }
 async function removeLocalVaultFiles(storeRoot, vault = "default") {
-  await (0, import_promises7.rm)(import_node_path7.default.join(storeRoot, "vaults", vault), { recursive: true, force: true });
+  await (0, import_promises8.rm)(import_node_path8.default.join(storeRoot, "vaults", vault), { recursive: true, force: true });
 }
 
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
-  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path8.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises8.mkdir)(import_node_path8.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises8.appendFile)(
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path9.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await (0, import_promises9.mkdir)(import_node_path9.default.dirname(auditFile), { recursive: true });
+  await (0, import_promises9.appendFile)(
     auditFile,
     `${JSON.stringify({
       ts: (/* @__PURE__ */ new Date()).toISOString(),
@@ -1313,9 +1413,12 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
   throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...sources]);
 }
 
+// ../core/src/runtime/toServerProjection.ts
+var import_node_crypto2 = require("crypto");
+
 // ../core/src/runtime/dump.ts
-var import_promises9 = require("fs/promises");
-var import_node_path9 = __toESM(require("path"), 1);
+var import_promises10 = require("fs/promises");
+var import_node_path10 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
 function normalizeMappingConfig(config = {}) {
@@ -1327,8 +1430,8 @@ function normalizeMappingConfig(config = {}) {
 function toScreamingSnakeSegment(segment) {
   return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
-function toScreamingSnake(path13) {
-  return path13.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+function toScreamingSnake(path14) {
+  return path14.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
 }
 function logicalKeyToEnvVar(key, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -1461,10 +1564,21 @@ async function validateRuntime(runtime) {
 }
 
 // src/runtime/bootstrap.ts
-var import_node_crypto2 = require("crypto");
+var import_node_crypto3 = require("crypto");
 var CNOS_GRAPH_ENV_VAR = "__CNOS_GRAPH__";
+var CNOS_PROJECTION_ENV_VAR = "__CNOS_PROJECTION__";
 var CNOS_SECRET_PAYLOAD_ENV_VAR = "__CNOS_SECRET_PAYLOAD__";
 var CNOS_SESSION_KEY_ENV_VAR = "__CNOS_SESSION_KEY__";
+function serializeServerProjection(projection) {
+  return JSON.stringify(projection);
+}
+function deserializeServerProjection(source) {
+  const payload = JSON.parse(source);
+  if (!payload || payload.version !== 1 || typeof payload.workspace !== "string" || typeof payload.profile !== "string" || typeof payload.resolvedAt !== "string" || typeof payload.configHash !== "string" || !payload.values || typeof payload.values !== "object" || Array.isArray(payload.values) || !payload.secretRefs || typeof payload.secretRefs !== "object" || Array.isArray(payload.secretRefs) || !Array.isArray(payload.publicKeys) || !payload.meta || typeof payload.meta !== "object") {
+    throw new Error("Invalid CNOS server projection payload");
+  }
+  return payload;
+}
 function serializeRuntimeGraph(graph) {
   const payload = {
     entries: Array.from(graph.entries.values()),
@@ -1508,15 +1622,15 @@ function decryptSecretPayload(serialized, sessionKey) {
   const iv = Buffer.from(payload.iv, "base64");
   const tag = Buffer.from(payload.tag, "base64");
   const ciphertext = Buffer.from(payload.ciphertext, "base64");
-  const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", key, iv);
+  const decipher = (0, import_node_crypto3.createDecipheriv)("aes-256-gcm", key, iv);
   decipher.setAuthTag(tag);
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
   return JSON.parse(plaintext);
 }
 function serializeSecretPayload(values) {
-  const key = (0, import_node_crypto2.randomBytes)(32);
-  const iv = (0, import_node_crypto2.randomBytes)(12);
-  const cipher = (0, import_node_crypto2.createCipheriv)("aes-256-gcm", key, iv);
+  const key = (0, import_node_crypto3.randomBytes)(32);
+  const iv = (0, import_node_crypto3.randomBytes)(12);
+  const cipher = (0, import_node_crypto3.createCipheriv)("aes-256-gcm", key, iv);
   const ciphertext = Buffer.concat([cipher.update(JSON.stringify(values), "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
   return {
@@ -1547,6 +1661,13 @@ function readRuntimeGraphFromEnv(processEnv = process.env) {
   }
   return graph;
 }
+function readServerProjectionFromEnv(processEnv = process.env) {
+  const serialized = processEnv[CNOS_PROJECTION_ENV_VAR];
+  if (!serialized) {
+    return void 0;
+  }
+  return deserializeServerProjection(serialized);
+}
 function graphRequiresSecretHydration(graph) {
   return Array.from(graph.entries.values()).some((entry) => entry.namespace === "secret" && isSecretReference(entry.value));
 }
@@ -1582,10 +1703,10 @@ function buildNamespaceInterfaces(schema) {
       continue;
     }
     const namespace = logicalKey.slice(0, separatorIndex);
-    const path13 = logicalKey.slice(separatorIndex + 1);
+    const path14 = logicalKey.slice(separatorIndex + 1);
     const existing = namespaceGroups.get(namespace) ?? [];
     existing.push({
-      key: path13,
+      key: path14,
       rule
     });
     namespaceGroups.set(namespace, existing);
@@ -1690,15 +1811,15 @@ function generateCodegenContent(manifest, sourcePath, typeModuleImport = "./cnos
 }
 
 // src/codegen/writeOutput.ts
-var import_promises10 = require("fs/promises");
-var import_node_path10 = __toESM(require("path"), 1);
+var import_promises11 = require("fs/promises");
+var import_node_path11 = __toESM(require("path"), 1);
 function stripTsExtension(filePath) {
   return filePath.replace(/(\.d)?\.[cm]?tsx?$/i, "").replace(/\.[cm]?jsx?$/i, "");
 }
 function resolveCodegenPaths(repoRoot, out) {
-  const typesPath = out ? import_node_path10.default.resolve(repoRoot, out) : import_node_path10.default.join(repoRoot, ".cnos", "types", "cnos.d.ts");
-  const runtimePath = import_node_path10.default.join(import_node_path10.default.dirname(typesPath), "runtime.ts");
-  const typeImportPath = `./${import_node_path10.default.basename(stripTsExtension(typesPath))}`;
+  const typesPath = out ? import_node_path11.default.resolve(repoRoot, out) : import_node_path11.default.join(repoRoot, ".cnos", "types", "cnos.d.ts");
+  const runtimePath = import_node_path11.default.join(import_node_path11.default.dirname(typesPath), "runtime.ts");
+  const typeImportPath = `./${import_node_path11.default.basename(stripTsExtension(typesPath))}`;
   return {
     typesPath,
     runtimePath,
@@ -1709,10 +1830,10 @@ async function writeCodegenOutput(options = {}) {
   const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
   const paths = resolveCodegenPaths(loadedManifest.repoRoot, options.out);
   const generated = generateCodegenContent(loadedManifest.manifest, loadedManifest.manifestPath, paths.typeImportPath);
-  await (0, import_promises10.mkdir)(import_node_path10.default.dirname(paths.typesPath), { recursive: true });
-  await (0, import_promises10.mkdir)(import_node_path10.default.dirname(paths.runtimePath), { recursive: true });
-  await (0, import_promises10.writeFile)(paths.typesPath, generated.typesContent, "utf8");
-  await (0, import_promises10.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
+  await (0, import_promises11.mkdir)(import_node_path11.default.dirname(paths.typesPath), { recursive: true });
+  await (0, import_promises11.mkdir)(import_node_path11.default.dirname(paths.runtimePath), { recursive: true });
+  await (0, import_promises11.writeFile)(paths.typesPath, generated.typesContent, "utf8");
+  await (0, import_promises11.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
   return {
     manifestPath: loadedManifest.manifestPath,
     typesPath: paths.typesPath,
@@ -1898,7 +2019,7 @@ function formatDriftReport(report) {
 }
 
 // src/migrate/applyManifest.ts
-var import_promises11 = require("fs/promises");
+var import_promises12 = require("fs/promises");
 function sortRecord(record) {
   return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
 }
@@ -1933,7 +2054,7 @@ async function applyManifestMappings(proposals, root) {
       promote: Array.from(promoted).sort((left, right) => left.localeCompare(right))
     };
   }
-  await (0, import_promises11.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
+  await (0, import_promises12.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
   return {
     manifestPath: loadedManifest.manifestPath,
     appliedMappings,
@@ -1968,7 +2089,7 @@ function proposeMapping(envVar) {
 }
 
 // src/migrate/rewriteSource.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 function importStatementFor(kind) {
   return kind === "import-meta-env" ? "import cnos from '@kitsy/cnos/browser';" : "import cnos from '@kitsy/cnos';";
 }
@@ -1989,7 +2110,7 @@ async function rewriteSourceFiles(usages, proposals) {
   const backupFiles = [];
   const skippedUsages = [];
   for (const [filePath, fileUsages] of fileGroups.entries()) {
-    const original = await (0, import_promises12.readFile)(filePath, "utf8");
+    const original = await (0, import_promises13.readFile)(filePath, "utf8");
     let nextSource = original;
     let changed = false;
     const importKinds = /* @__PURE__ */ new Set();
@@ -2016,7 +2137,7 @@ async function rewriteSourceFiles(usages, proposals) {
       continue;
     }
     const backupPath = `${filePath}.bak`;
-    await (0, import_promises12.copyFile)(filePath, backupPath);
+    await (0, import_promises13.copyFile)(filePath, backupPath);
     backupFiles.push(backupPath);
     for (const kind of Array.from(importKinds)) {
       const importStatement = importStatementFor(kind);
@@ -2025,7 +2146,7 @@ async function rewriteSourceFiles(usages, proposals) {
 ${nextSource}`;
       }
     }
-    await (0, import_promises12.writeFile)(filePath, nextSource, "utf8");
+    await (0, import_promises13.writeFile)(filePath, nextSource, "utf8");
     rewrittenFiles.push(filePath);
   }
   return {
@@ -2036,18 +2157,18 @@ ${nextSource}`;
 }
 
 // src/migrate/scanEnvUsage.ts
-var import_promises13 = require("fs/promises");
-var import_node_path11 = __toESM(require("path"), 1);
+var import_promises14 = require("fs/promises");
+var import_node_path12 = __toESM(require("path"), 1);
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mts", ".cts", ".mjs", ".cjs"]);
 var PROCESS_ENV_DOT = /process\.env\.([A-Z][A-Z0-9_]*)/g;
 var PROCESS_ENV_BRACKET = /process\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
 var IMPORT_META_ENV_DOT = /import\.meta\.env\.([A-Z][A-Z0-9_]*)/g;
 var IMPORT_META_ENV_BRACKET = /import\.meta\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
 async function collectFiles(root) {
-  const entries = await (0, import_promises13.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises14.readdir)(root, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
-    const filePath = import_node_path11.default.join(root, entry.name);
+    const filePath = import_node_path12.default.join(root, entry.name);
     if (entry.isDirectory()) {
       if (entry.name === "node_modules" || entry.name === "dist" || entry.name === ".git") {
         continue;
@@ -2055,7 +2176,7 @@ async function collectFiles(root) {
       files.push(...await collectFiles(filePath));
       continue;
     }
-    if (SOURCE_EXTENSIONS.has(import_node_path11.default.extname(entry.name))) {
+    if (SOURCE_EXTENSIONS.has(import_node_path12.default.extname(entry.name))) {
       files.push(filePath);
     }
   }
@@ -2081,7 +2202,7 @@ async function scanEnvUsage(scanRoot) {
   const files = await collectFiles(scanRoot);
   const usages = [];
   for (const filePath of files) {
-    const source = await (0, import_promises13.readFile)(filePath, "utf8");
+    const source = await (0, import_promises14.readFile)(filePath, "utf8");
     usages.push(...collectMatches(filePath, source, PROCESS_ENV_DOT, "process-env"));
     usages.push(...collectMatches(filePath, source, PROCESS_ENV_BRACKET, "process-env"));
     usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_DOT, "import-meta-env"));
@@ -2122,7 +2243,7 @@ function diffGraphs(previous, next) {
 }
 
 // src/watch/watchFiles.ts
-var import_node_path12 = __toESM(require("path"), 1);
+var import_node_path13 = __toESM(require("path"), 1);
 async function watchFiles(runtime, root) {
   const manifest = await loadManifest(root ? { root } : {});
   const roots = Array.from(
@@ -2130,7 +2251,7 @@ async function watchFiles(runtime, root) {
   ).sort((left, right) => left.localeCompare(right));
   const files = Array.from(
     new Set(
-      Array.from(runtime.graph.entries.values()).map((entry) => entry.winner.origin?.file).filter((file) => Boolean(file)).map((file) => import_node_path12.default.resolve(manifest.repoRoot, file))
+      Array.from(runtime.graph.entries.values()).map((entry) => entry.winner.origin?.file).filter((file) => Boolean(file)).map((file) => import_node_path13.default.resolve(manifest.repoRoot, file))
     )
   ).sort((left, right) => left.localeCompare(right));
   return {
@@ -2142,6 +2263,7 @@ async function watchFiles(runtime, root) {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   CNOS_GRAPH_ENV_VAR,
+  CNOS_PROJECTION_ENV_VAR,
   CNOS_SECRET_PAYLOAD_ENV_VAR,
   CNOS_SESSION_KEY_ENV_VAR,
   CnosAuthenticationError,
@@ -2155,6 +2277,7 @@ async function watchFiles(runtime, root) {
   deleteLocalSecret,
   deriveVaultKey,
   deserializeRuntimeGraph,
+  deserializeServerProjection,
   detectLegacyVaultFormat,
   diffGraphs,
   ensureProjectionAllowed,
@@ -2175,6 +2298,7 @@ async function watchFiles(runtime, root) {
   readKeychain,
   readLocalSecret,
   readRuntimeGraphFromEnv,
+  readServerProjectionFromEnv,
   readVaultMetadata,
   removeLocalVaultFiles,
   resolveCodegenPaths,
@@ -2191,6 +2315,7 @@ async function watchFiles(runtime, root) {
   scanEnvUsage,
   serializeRuntimeGraph,
   serializeSecretPayload,
+  serializeServerProjection,
   stringifyYaml,
   validateRuntime,
   watchFiles,