@kitsy/cnos 1.6.1 → 1.7.0

package/dist/{chunk-S7H2UULC.js → chunk-2TL42I6M.js}

@@ -34,16 +34,682 @@ var CnosKeyNotFoundError = class extends CnosError {
   }
   key;
 };
+var CnosDerivedExpressionError = class extends CnosError {
+  constructor(message, expression) {
+    super(expression ? `${message} (${expression})` : message);
+    this.expression = expression;
+  }
+  expression;
+};
+var CnosDerivedCycleError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+var CnosDerivedResolutionError = class extends CnosError {
+  constructor(key, message) {
+    super(message);
+    this.key = key;
+  }
+  key;
+};
+var CnosRuntimeProviderError = class extends CnosError {
+  constructor(message) {
+    super(message);
+  }
+};
+
+// ../core/src/derive/builtins.ts
+function stringify(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+var DERIVE_BUILTINS = {
+  concat: (...args) => args.map((value) => stringify(value)).join(""),
+  coalesce: (...args) => args.find((value) => value !== void 0 && value !== null),
+  when: (condition, whenTrue, whenFalse) => condition ? whenTrue : whenFalse,
+  exists: (value) => value !== void 0 && value !== null,
+  eq: (left, right) => left === right,
+  ne: (left, right) => left !== right
+};
+
+// ../core/src/derive/parser.ts
+function isWhitespace(value) {
+  return value === " " || value === "\n" || value === "\r" || value === "	";
+}
+function skipWhitespace(state) {
+  while (isWhitespace(state.source[state.index])) {
+    state.index += 1;
+  }
+}
+function isIdentifierStart(value) {
+  return typeof value === "string" && /[A-Za-z_]/.test(value);
+}
+function isIdentifierPart(value) {
+  return typeof value === "string" && /[A-Za-z0-9_.-]/.test(value);
+}
+function errorAt(state, message) {
+  throw new CnosDerivedExpressionError(`${message} at position ${state.index + 1}`, state.source);
+}
+function parseStringLiteral(state) {
+  const quote = state.source[state.index];
+  if (quote !== "'") {
+    errorAt(state, "Expected string literal");
+  }
+  state.index += 1;
+  let value = "";
+  while (state.index < state.source.length) {
+    const current = state.source[state.index];
+    if (current === "\\") {
+      const next = state.source[state.index + 1];
+      if (next === void 0) {
+        errorAt(state, "Unterminated escape sequence");
+      }
+      value += next;
+      state.index += 2;
+      continue;
+    }
+    if (current === "'") {
+      state.index += 1;
+      return {
+        type: "literal",
+        value
+      };
+    }
+    value += current;
+    state.index += 1;
+  }
+  errorAt(state, "Unterminated string literal");
+}
+function parseNumberLiteral(state) {
+  const start = state.index;
+  while (/[0-9]/.test(state.source[state.index] ?? "")) {
+    state.index += 1;
+  }
+  if (state.source[state.index] === ".") {
+    state.index += 1;
+    while (/[0-9]/.test(state.source[state.index] ?? "")) {
+      state.index += 1;
+    }
+  }
+  return {
+    type: "literal",
+    value: Number(state.source.slice(start, state.index))
+  };
+}
+function parseIdentifier(state) {
+  if (!isIdentifierStart(state.source[state.index])) {
+    errorAt(state, "Expected identifier");
+  }
+  const start = state.index;
+  state.index += 1;
+  while (isIdentifierPart(state.source[state.index])) {
+    state.index += 1;
+  }
+  return state.source.slice(start, state.index);
+}
+function parseArguments(state) {
+  const args = [];
+  skipWhitespace(state);
+  if (state.source[state.index] === ")") {
+    state.index += 1;
+    return args;
+  }
+  while (state.index < state.source.length) {
+    args.push(parseExpressionNode(state));
+    skipWhitespace(state);
+    const current = state.source[state.index];
+    if (current === ",") {
+      state.index += 1;
+      skipWhitespace(state);
+      continue;
+    }
+    if (current === ")") {
+      state.index += 1;
+      return args;
+    }
+    errorAt(state, 'Expected "," or ")"');
+  }
+  errorAt(state, "Unterminated function call");
+}
+function parseIdentifierOrCall(state) {
+  const identifier = parseIdentifier(state);
+  skipWhitespace(state);
+  if (state.source[state.index] === "(") {
+    if (!(identifier in DERIVE_BUILTINS)) {
+      throw new CnosDerivedExpressionError(`Unknown derive function: ${identifier}`, state.source);
+    }
+    state.index += 1;
+    return {
+      type: "call",
+      name: identifier,
+      args: parseArguments(state)
+    };
+  }
+  if (identifier === "true" || identifier === "false") {
+    return {
+      type: "literal",
+      value: identifier === "true"
+    };
+  }
+  if (identifier === "null") {
+    return {
+      type: "literal",
+      value: null
+    };
+  }
+  return {
+    type: "ref",
+    path: identifier
+  };
+}
+function parseExpressionNode(state) {
+  skipWhitespace(state);
+  const current = state.source[state.index];
+  if (current === "'") {
+    return parseStringLiteral(state);
+  }
+  if (/[0-9]/.test(current ?? "")) {
+    return parseNumberLiteral(state);
+  }
+  if (isIdentifierStart(current)) {
+    return parseIdentifierOrCall(state);
+  }
+  errorAt(state, "Unexpected token");
+}
+function parseExpression(source) {
+  const state = {
+    source,
+    index: 0
+  };
+  const ast = parseExpressionNode(state);
+  skipWhitespace(state);
+  if (state.index !== source.length) {
+    errorAt(state, "Unexpected trailing input");
+  }
+  return ast;
+}
+
+// ../core/src/derive/templateParser.ts
+function toLiteral(value) {
+  return {
+    type: "literal",
+    value
+  };
+}
+function toRef(path14) {
+  return {
+    type: "ref",
+    path: path14
+  };
+}
+function parseTemplate(source) {
+  const parts = [];
+  let cursor = 0;
+  while (cursor < source.length) {
+    const start = source.indexOf("${", cursor);
+    if (start < 0) {
+      if (cursor < source.length) {
+        parts.push(toLiteral(source.slice(cursor)));
+      }
+      break;
+    }
+    if (start > cursor) {
+      parts.push(toLiteral(source.slice(cursor, start)));
+    }
+    const end = source.indexOf("}", start + 2);
+    if (end < 0) {
+      throw new CnosDerivedExpressionError(`Invalid derivation template: unclosed \${...} at position ${start + 1}`, source);
+    }
+    const ref = source.slice(start + 2, end).trim();
+    if (!ref) {
+      throw new CnosDerivedExpressionError(`Invalid derivation template: empty reference at position ${start + 1}`, source);
+    }
+    if (!/^[A-Za-z_][A-Za-z0-9_.-]*$/.test(ref)) {
+      throw new CnosDerivedExpressionError(`Invalid derivation template reference "${ref}"`, source);
+    }
+    parts.push(toRef(ref));
+    cursor = end + 1;
+  }
+  if (parts.length === 0) {
+    return toLiteral("");
+  }
+  if (parts.length === 1) {
+    return parts[0];
+  }
+  return {
+    type: "call",
+    name: "concat",
+    args: parts
+  };
+}
+
+// ../core/src/derive/evaluator.ts
+function isDerivedValue(value) {
+  return Boolean(
+    value && typeof value === "object" && !Array.isArray(value) && "$derive" in value
+  );
+}
+function extractRefs(node, refs = /* @__PURE__ */ new Set()) {
+  if (node.type === "ref") {
+    refs.add(node.path);
+    return refs;
+  }
+  if (node.type === "call") {
+    for (const arg of node.args) {
+      extractRefs(arg, refs);
+    }
+  }
+  return refs;
+}
+function parseDerivation(value) {
+  const source = typeof value.$derive === "string" ? value.$derive : value.$derive?.expr;
+  if (typeof source !== "string") {
+    throw new CnosDerivedExpressionError("Derived value requires either a template string or { expr } object");
+  }
+  const type = typeof value.$derive === "string" ? "template" : "expression";
+  const ast = type === "template" ? parseTemplate(source) : parseExpression(source);
+  const refs = Array.from(extractRefs(ast)).sort((left, right) => left.localeCompare(right));
+  return {
+    type,
+    raw: source,
+    ast,
+    refs,
+    runtimeRefs: [],
+    isRuntimeDependent: false
+  };
+}
+function normalizeConcatValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function evaluateNode(node, resolveRef) {
+  switch (node.type) {
+    case "literal":
+      return node.value;
+    case "ref":
+      return resolveRef(node.path);
+    case "call": {
+      const args = node.args.map((arg) => evaluateNode(arg, resolveRef));
+      switch (node.name) {
+        case "concat":
+          return args.map((value) => normalizeConcatValue(value)).join("");
+        case "coalesce":
+          return DERIVE_BUILTINS.coalesce(...args);
+        case "when":
+          return DERIVE_BUILTINS.when(args[0], args[1], args[2]);
+        case "exists":
+          return DERIVE_BUILTINS.exists(args[0]);
+        case "eq":
+          return DERIVE_BUILTINS.eq(args[0], args[1]);
+        case "ne":
+          return DERIVE_BUILTINS.ne(args[0], args[1]);
+        default:
+          throw new CnosDerivedExpressionError(`Unknown derive function: ${String(node.name)}`);
+      }
+    }
+    default:
+      throw new CnosDerivedExpressionError(`Unsupported derive AST node ${node.type ?? "unknown"}`);
+  }
+}
+function evaluateDerivation(options) {
+  const missingRefs = /* @__PURE__ */ new Set();
+  const value = evaluateNode(options.parsed.ast, (ref) => {
+    const resolved = options.resolveRef(ref);
+    if (resolved === void 0) {
+      missingRefs.add(ref);
+      options.onMissing?.(ref);
+    }
+    return resolved;
+  });
+  if (missingRefs.size > 0 && options.parsed.ast.type === "ref") {
+    throw new CnosDerivedResolutionError(
+      options.key,
+      `Unable to resolve derived config key ${options.key} because ${Array.from(missingRefs).join(", ")} is missing.`
+    );
+  }
+  return value;
+}
+
+// ../core/src/derive/validate.ts
+var FORBIDDEN_TARGET_NAMESPACES = /* @__PURE__ */ new Set(["public", "meta", "secret"]);
+var FORBIDDEN_REF_NAMESPACES = /* @__PURE__ */ new Set(["public", "secret"]);
+function validateDerivedTargetNamespace(manifest, namespace) {
+  if (FORBIDDEN_TARGET_NAMESPACES.has(namespace)) {
+    throw new CnosManifestError(`Cannot define derived values under namespace "${namespace}".`);
+  }
+  if (manifest.runtimeNamespaces[namespace]) {
+    throw new CnosManifestError(`Cannot define derived values under runtime namespace "${namespace}".`);
+  }
+}
+function validateParsedDerivation(manifest, parsed) {
+  for (const ref of parsed.refs) {
+    const namespace = ref.split(".")[0] ?? "";
+    if (FORBIDDEN_REF_NAMESPACES.has(namespace)) {
+      throw new CnosDerivedExpressionError(`Derived expressions cannot reference ${namespace}.* keys.`, parsed.raw);
+    }
+    if (manifest.runtimeNamespaces[namespace]) {
+      continue;
+    }
+    if (!manifest.namespaces[namespace] && namespace !== "value" && namespace !== "meta") {
+      throw new CnosDerivedExpressionError(`Unknown derive reference namespace: ${namespace}`, parsed.raw);
+    }
+  }
+}
+function normalizeDerivedValue(templateOrExpr, expr = false) {
+  return expr ? {
+    $derive: {
+      expr: templateOrExpr
+    }
+  } : {
+    $derive: templateOrExpr
+  };
+}
+
+// ../core/src/derive/depGraph.ts
+function detectDerivationCycles(dependencyMap) {
+  const visiting = /* @__PURE__ */ new Set();
+  const visited = /* @__PURE__ */ new Set();
+  const stack = [];
+  const visit = (key) => {
+    if (visited.has(key)) {
+      return;
+    }
+    if (visiting.has(key)) {
+      const start = stack.indexOf(key);
+      const cycle = [...stack.slice(start), key].join(" -> ");
+      throw new CnosDerivedCycleError(`Derivation cycle detected: ${cycle}`);
+    }
+    visiting.add(key);
+    stack.push(key);
+    for (const dependency of dependencyMap.get(key) ?? []) {
+      visit(dependency);
+    }
+    stack.pop();
+    visiting.delete(key);
+    visited.add(key);
+  };
+  for (const key of dependencyMap.keys()) {
+    visit(key);
+  }
+}
+
+// ../core/src/derive/runtime.ts
+function namespaceForKey(key) {
+  return key.split(".")[0] ?? "";
+}
+function dependencyNamespaces(key, entries, memo) {
+  if (memo.has(key)) {
+    return memo.get(key);
+  }
+  const entry = entries.get(key);
+  if (!entry) {
+    memo.set(key, []);
+    return [];
+  }
+  const namespaces = /* @__PURE__ */ new Set();
+  for (const ref of entry.parsed.refs) {
+    const namespace = namespaceForKey(ref);
+    if (!entries.has(ref)) {
+      namespaces.add(namespace);
+      continue;
+    }
+    for (const dependencyNamespace of dependencyNamespaces(ref, entries, memo)) {
+      namespaces.add(dependencyNamespace);
+    }
+  }
+  const result = Array.from(namespaces).sort((left, right) => left.localeCompare(right));
+  memo.set(key, result);
+  return result;
+}
+function isRuntimeDependentKey(key, entries, manifest, memo) {
+  if (memo.has(key)) {
+    return memo.get(key);
+  }
+  const entry = entries.get(key);
+  if (!entry) {
+    memo.set(key, false);
+    return false;
+  }
+  for (const ref of entry.parsed.refs) {
+    const namespace = namespaceForKey(ref);
+    if (manifest.runtimeNamespaces[namespace]) {
+      memo.set(key, true);
+      return true;
+    }
+    if (entries.has(ref) && isRuntimeDependentKey(ref, entries, manifest, memo)) {
+      memo.set(key, true);
+      return true;
+    }
+  }
+  memo.set(key, false);
+  return false;
+}
+function prepareEntries(graph, manifest) {
+  const entries = /* @__PURE__ */ new Map();
+  for (const [key, entry] of graph.entries) {
+    if (!isDerivedValue(entry.value)) {
+      continue;
+    }
+    const namespaceDefinition = manifest.namespaces[entry.namespace];
+    if (!namespaceDefinition || namespaceDefinition.kind === "data") {
+      validateDerivedTargetNamespace(manifest, entry.namespace);
+    }
+    const parsed = parseDerivation(entry.value);
+    validateParsedDerivation(manifest, parsed);
+    entries.set(key, {
+      key,
+      namespace: entry.namespace,
+      value: entry.value,
+      parsed
+    });
+  }
+  detectDerivationCycles(
+    new Map(
+      Array.from(entries.values()).map((entry) => [
+        entry.key,
+        entry.parsed.refs.filter((ref) => entries.has(ref))
+      ])
+    )
+  );
+  const runtimeMemo = /* @__PURE__ */ new Map();
+  const namespaceMemo = /* @__PURE__ */ new Map();
+  for (const entry of entries.values()) {
+    entry.parsed.isRuntimeDependent = isRuntimeDependentKey(entry.key, entries, manifest, runtimeMemo);
+    entry.parsed.runtimeRefs = entry.parsed.refs.filter((ref) => manifest.runtimeNamespaces[namespaceForKey(ref)]);
+    if (entry.parsed.runtimeRefs.length === 0 && entry.parsed.isRuntimeDependent) {
+      entry.parsed.runtimeRefs = dependencyNamespaces(entry.key, entries, namespaceMemo).filter((namespace) => manifest.runtimeNamespaces[namespace]).map((namespace) => `${namespace}.*`);
+    }
+  }
+  return entries;
+}
+function createDerivedRuntimeSupport(graph, manifest, runtimeProviders) {
+  const entries = prepareEntries(graph, manifest);
+  const configCache = /* @__PURE__ */ new Map();
+  const runtimeDependencyMemo = /* @__PURE__ */ new Map();
+  const support = {};
+  Object.assign(support, {
+    runtimeProviders,
+    read(key, readBase) {
+      const namespace = namespaceForKey(key);
+      if (runtimeProviders.has(namespace)) {
+        const provider = runtimeProviders.get(namespace);
+        return provider(key.slice(namespace.length + 1));
+      }
+      if (entries.has(key)) {
+        return readDerived(key, readBase);
+      }
+      return readBase(key);
+    },
+    describe(key, readBase) {
+      const entry = entries.get(key);
+      if (!entry) {
+        return void 0;
+      }
+      const runtimeNamespaces = Array.from(
+        new Set(
+          entry.parsed.refs.map((ref) => namespaceForKey(ref)).filter((namespace) => manifest.runtimeNamespaces[namespace])
+        )
+      ).sort((left, right) => left.localeCompare(right));
+      return {
+        key,
+        type: entry.parsed.type,
+        expression: entry.parsed.raw,
+        dependencies: entry.parsed.refs.map((ref) => {
+          const namespace = namespaceForKey(ref);
+          return {
+            key: ref,
+            value: support.read(ref, readBase),
+            ...manifest.runtimeNamespaces[namespace] ? {
+              runtimeNamespace: namespace
+            } : {}
+          };
+        }),
+        runtimeDependent: entry.parsed.isRuntimeDependent,
+        runtimeNamespaces,
+        ...entry.parsed.isRuntimeDependent ? {
+          promotionWarning: "Cannot be promoted to browser/public."
+        } : {}
+      };
+    },
+    isDerivedKey(key) {
+      return entries.has(key);
+    },
+    isRuntimeDependentKey(key) {
+      if (runtimeDependencyMemo.has(key)) {
+        return runtimeDependencyMemo.get(key);
+      }
+      const value = entries.get(key)?.parsed.isRuntimeDependent ?? false;
+      runtimeDependencyMemo.set(key, value);
+      return value;
+    },
+    toConcreteValue(key, readBase, mode) {
+      const entry = entries.get(key);
+      if (!entry) {
+        return support.read(key, readBase);
+      }
+      if (!entry.parsed.isRuntimeDependent) {
+        return support.read(key, readBase);
+      }
+      if (mode === "server" || mode === "runtime") {
+        return support.read(key, readBase);
+      }
+      for (const ref of entry.parsed.refs) {
+        const namespace = namespaceForKey(ref);
+        const runtimeNamespace = manifest.runtimeNamespaces[namespace];
+        if (!runtimeNamespace) {
+          continue;
+        }
+        if (runtimeNamespace.serverOnly) {
+          throw new CnosDerivedResolutionError(
+            key,
+            `Cannot resolve ${key} for ${mode} output because it depends on runtime namespace ${namespace}.`
+          );
+        }
+        if (!runtimeProviders.has(namespace)) {
+          if (mode === "env") {
+            return void 0;
+          }
+          throw new CnosDerivedResolutionError(
+            key,
+            `Cannot resolve ${key} for ${mode} output because runtime namespace ${namespace} has no registered provider.`
+          );
+        }
+      }
+      return support.read(key, readBase);
+    },
+    toServerFormula(key) {
+      const entry = entries.get(key);
+      if (!entry || !entry.parsed.isRuntimeDependent) {
+        return void 0;
+      }
+      return {
+        expr: entry.parsed.raw,
+        deps: entry.parsed.refs.filter((ref) => !manifest.runtimeNamespaces[namespaceForKey(ref)]),
+        runtimeRefs: entry.parsed.refs.filter((ref) => manifest.runtimeNamespaces[namespaceForKey(ref)])
+      };
+    },
+    derivedKeys: Array.from(entries.keys()).sort((left, right) => left.localeCompare(right))
+  });
+  const readDerived = (key, readBase, evaluationStack = /* @__PURE__ */ new Set()) => {
+    const entry = entries.get(key);
+    if (!entry) {
+      return readBase(key);
+    }
+    if (!entry.parsed.isRuntimeDependent && configCache.has(key)) {
+      return configCache.get(key);
+    }
+    const value = evaluateDerivation({
+      key,
+      parsed: entry.parsed,
+      resolveRef: (ref) => {
+        const namespace = namespaceForKey(ref);
+        if (runtimeProviders.has(namespace)) {
+          const provider = runtimeProviders.get(namespace);
+          return provider(ref.slice(namespace.length + 1));
+        }
+        if (entries.has(ref)) {
+          if (evaluationStack.has(ref)) {
+            throw new CnosDerivedResolutionError(key, `Unable to resolve derived config key ${key} because of a recursive dependency on ${ref}.`);
+          }
+          evaluationStack.add(ref);
+          const resolved = readDerived(ref, readBase, evaluationStack);
+          evaluationStack.delete(ref);
+          return resolved;
+        }
+        return readBase(ref);
+      }
+    });
+    if (!entry.parsed.isRuntimeDependent) {
+      configCache.set(key, value);
+    }
+    return value;
+  };
+  for (const key of Array.from(entries.keys()).sort((left, right) => left.localeCompare(right))) {
+    const entry = entries.get(key);
+    if (!entry.parsed.isRuntimeDependent) {
+      readDerived(key, (ref) => graph.entries.get(ref)?.value);
+    }
+  }
+  return support;
+}
+function registerRuntimeProvider(manifest, runtimeProviders, namespace, provider) {
+  const definition = manifest.runtimeNamespaces[namespace];
+  if (!definition) {
+    throw new CnosRuntimeProviderError(`Cannot register runtime provider for undeclared namespace "${namespace}".`);
+  }
+  if (definition.builtIn) {
+    throw new CnosRuntimeProviderError(`Cannot override built-in runtime namespace "${namespace}".`);
+  }
+  runtimeProviders.set(namespace, provider);
+}
 
 // ../core/src/runtime/inspect.ts
-function inspectValue(graph, key) {
+function inspectValue(graph, key, helpers = {}) {
   const entry = graph.entries.get(key);
   if (!entry) {
     throw new CnosKeyNotFoundError(key);
   }
+  const derived = helpers.describeDerived?.(key);
   return {
     key: entry.key,
-    value: entry.value,
+    value: helpers.read ? helpers.read(entry.key) : entry.value,
     namespace: entry.namespace,
     profile: graph.profile,
     profileSource: graph.profileSource,
@@ -64,7 +730,10 @@ function inspectValue(graph, key) {
       workspaceId: override.workspaceId,
       value: override.value,
       ...override.origin ? { origin: override.origin } : {}
-    }))
+    })),
+    ...derived ? {
+      derived
+    } : {}
   };
 }
 
@@ -175,25 +844,312 @@ async function writeKeychain(entry, value) {
 }
 
 // ../core/src/utils/yaml.ts
-import { parse, stringify } from "yaml";
+import { parse, stringify as stringify2 } from "yaml";
 function parseYaml(source) {
   return parse(source);
 }
 function stringifyYaml(value) {
-  return stringify(value);
+  return stringify2(value);
+}
+
+// ../core/src/discovery/parseGitUri.ts
+function isGitRootUri(uri) {
+  return /^git\+[a-z]+:\/\//i.test(uri);
+}
+function parseGitUri(uri) {
+  if (!isGitRootUri(uri)) {
+    throw new CnosDiscoveryError(`Unsupported git root URI: ${uri}`);
+  }
+  const withoutPrefix = uri.slice("git+".length);
+  const hashIndex = withoutPrefix.indexOf("#");
+  if (hashIndex < 0) {
+    throw new CnosDiscoveryError(
+      `Git root URI must include a #ref (tag, branch, or commit). Got: ${uri}`
+    );
+  }
+  const cloneUrl = withoutPrefix.slice(0, hashIndex);
+  const fragment = withoutPrefix.slice(hashIndex + 1);
+  const separatorIndex = fragment.indexOf(":");
+  const ref = (separatorIndex >= 0 ? fragment.slice(0, separatorIndex) : fragment).trim();
+  const subpath = (separatorIndex >= 0 ? fragment.slice(separatorIndex + 1) : ".cnos").trim() || ".cnos";
+  const protocol = cloneUrl.slice(0, cloneUrl.indexOf("://"));
+  if (!cloneUrl || !ref) {
+    throw new CnosDiscoveryError(
+      `Git root URI must include both a clone URL and #ref. Got: ${uri}`
+    );
+  }
+  return {
+    uri,
+    cloneUrl,
+    ref,
+    subpath,
+    transport: protocol === "https" ? "https" : protocol === "ssh" ? "ssh" : protocol === "file" ? "file" : "custom"
+  };
 }
 
+// ../core/src/discovery/cache/cacheManager.ts
+var SEMVER_TAG_RE = /^v?\d+\.\d+(?:\.\d+)?(?:[-+][A-Za-z0-9.-]+)?$/;
+var COMMIT_SHA_RE = /^[0-9a-f]{40}$/i;
+function isImmutableGitRef(ref) {
+  return SEMVER_TAG_RE.test(ref) || COMMIT_SHA_RE.test(ref);
+}
+function resolveRemoteRootCacheTtlSeconds(mode = "runtime", processEnv = process.env, override) {
+  if (typeof override === "number" && Number.isFinite(override) && override >= 0) {
+    return override;
+  }
+  const fromEnv = Number(processEnv.CNOS_CACHE_TTL ?? "");
+  if (Number.isFinite(fromEnv) && fromEnv >= 0) {
+    return fromEnv;
+  }
+  switch (mode) {
+    case "build":
+      return 0;
+    case "dev":
+      return 30;
+    case "runtime":
+    default:
+      return 300;
+  }
+}
+function isRemoteRootCacheFresh(metadata, options) {
+  if (!metadata || options.forceRefresh) {
+    return false;
+  }
+  if (metadata.uri !== options.uri || metadata.ref !== options.ref) {
+    return false;
+  }
+  if (metadata.isImmutable) {
+    return true;
+  }
+  const ttlSeconds = resolveRemoteRootCacheTtlSeconds(
+    options.mode,
+    options.processEnv,
+    options.ttlSeconds
+  );
+  if (ttlSeconds <= 0) {
+    return false;
+  }
+  const cachedAtMs = Date.parse(metadata.cachedAt);
+  if (Number.isNaN(cachedAtMs)) {
+    return false;
+  }
+  return Date.now() - cachedAtMs <= ttlSeconds * 1e3;
+}
+
+// ../core/src/discovery/cache/cacheMetadata.ts
+import { mkdir, readFile, writeFile } from "fs/promises";
+import path from "path";
+async function readRemoteRootCacheMetadata(metaPath) {
+  try {
+    const source = await readFile(metaPath, "utf8");
+    const parsed = JSON.parse(source);
+    if (!parsed || typeof parsed.uri !== "string" || typeof parsed.cloneUrl !== "string" || typeof parsed.ref !== "string" || typeof parsed.subpath !== "string" || typeof parsed.resolvedCommit !== "string" || typeof parsed.cachedAt !== "string" || typeof parsed.isImmutable !== "boolean") {
+      return void 0;
+    }
+    return parsed;
+  } catch {
+    return void 0;
+  }
+}
+async function writeRemoteRootCacheMetadata(metaPath, metadata) {
+  await mkdir(path.dirname(metaPath), { recursive: true });
+  await writeFile(metaPath, `${JSON.stringify(metadata, null, 2)}
+`, "utf8");
+}
+
+// ../core/src/discovery/cache/cachePaths.ts
+import { createHash } from "crypto";
+import os3 from "os";
+import path5 from "path";
+
 // ../core/src/utils/path.ts
-import { access as access2 } from "fs/promises";
-import os from "os";
+import { access as access3 } from "fs/promises";
+import os2 from "os";
+import path4 from "path";
+
+// ../core/src/discovery/findCnosrc.ts
+import { access as access2, readFile as readFile2 } from "fs/promises";
+import path3 from "path";
+
+// ../core/src/discovery/resolveRoot.ts
+import { access, mkdir as mkdir2 } from "fs/promises";
 import path2 from "path";
+import { spawn as spawn2 } from "child_process";
+import os from "os";
+async function pathExists(targetPath) {
+  try {
+    await access(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function expandHomePath(targetPath) {
+  if (targetPath === "~") {
+    return os.homedir();
+  }
+  if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
+    return path2.join(os.homedir(), targetPath.slice(2));
+  }
+  return targetPath;
+}
+function isLocalRootUri(rootUri) {
+  return !isGitRootUri2(rootUri) && !isCnosHostedRootUri(rootUri);
+}
+function isCnosHostedRootUri(rootUri) {
+  return rootUri.startsWith("cnos://");
+}
+function isGitRootUri2(rootUri) {
+  return rootUri.startsWith("git+");
+}
+async function runGitCommand(args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawn2("git", args, {
+      cwd: options.cwd,
+      env: options.processEnv ?? process.env,
+      shell: process.platform === "win32",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      reject(
+        new CnosDiscoveryError(
+          `Failed to run git. Make sure git is installed and available on PATH. ${error.message}`
+        )
+      );
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve(stdout.trim());
+        return;
+      }
+      const details = stderr.trim() || stdout.trim();
+      reject(
+        new CnosDiscoveryError(
+          details ? `Git command failed: ${details}` : `Git command failed with exit code ${code ?? 1}`
+        )
+      );
+    });
+  });
+}
+async function resolveLocalRoot(rootUri, cnosrcDir) {
+  const candidateRoot = rootUri.startsWith("~") ? expandHomePath(rootUri) : rootUri;
+  const manifestRoot = path2.resolve(cnosrcDir, candidateRoot);
+  const manifestPath = path2.join(manifestRoot, "cnos.yml");
+  if (!await pathExists(manifestPath)) {
+    throw new CnosDiscoveryError(`.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`);
+  }
+  return {
+    manifestRoot,
+    resolution: {
+      rootUri,
+      protocol: "local",
+      remote: false,
+      readOnly: false
+    }
+  };
+}
+async function ensureGitCheckout(parsed, repoDir, processEnv) {
+  const hasRepo = await pathExists(path2.join(repoDir, ".git"));
+  if (!hasRepo) {
+    await mkdir2(path2.dirname(repoDir), { recursive: true });
+    await runGitCommand(["clone", "--no-checkout", parsed.cloneUrl, repoDir], { processEnv });
+  } else {
+    await runGitCommand(["-C", repoDir, "remote", "set-url", "origin", parsed.cloneUrl], {
+      processEnv
+    });
+  }
+  await runGitCommand(["-C", repoDir, "fetch", "--tags", "--force", "origin"], { processEnv });
+  await runGitCommand(["-C", repoDir, "checkout", "--force", parsed.ref], { processEnv });
+  await runGitCommand(["-C", repoDir, "clean", "-fdx"], { processEnv });
+}
+async function resolveGitRoot(rootUri, options = {}) {
+  const processEnv = options.processEnv ?? process.env;
+  const parsed = parseGitUri(rootUri);
+  const cachePaths = resolveRemoteRootCachePaths(rootUri, processEnv);
+  const metadata = await readRemoteRootCacheMetadata(cachePaths.metaPath);
+  const immutable = isImmutableGitRef(parsed.ref);
+  const cacheFresh = isRemoteRootCacheFresh(metadata, {
+    uri: rootUri,
+    ref: parsed.ref,
+    ...options.cacheMode ? { mode: options.cacheMode } : {},
+    processEnv,
+    ...typeof options.cacheTtlSeconds === "number" ? { ttlSeconds: options.cacheTtlSeconds } : {},
+    ...options.forceRefresh ? { forceRefresh: true } : {}
+  });
+  if (!cacheFresh) {
+    try {
+      await ensureGitCheckout(parsed, cachePaths.repoDir, processEnv);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const authHint = parsed.transport === "ssh" ? " Check your SSH key and git access." : " Check the URL and your git credential helper or token setup.";
+      throw new CnosDiscoveryError(`Failed to resolve remote git root ${rootUri}. ${message}${authHint}`);
+    }
+    const resolvedCommit = await runGitCommand(["-C", cachePaths.repoDir, "rev-parse", "HEAD"], {
+      processEnv
+    });
+    await writeRemoteRootCacheMetadata(cachePaths.metaPath, {
+      uri: rootUri,
+      cloneUrl: parsed.cloneUrl,
+      ref: parsed.ref,
+      subpath: parsed.subpath,
+      resolvedCommit,
+      cachedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      isImmutable: immutable
+    });
+  }
+  const nextMetadata = metadata && cacheFresh ? metadata : await readRemoteRootCacheMetadata(cachePaths.metaPath);
+  const manifestRoot = path2.join(cachePaths.repoDir, parsed.subpath);
+  if (!await pathExists(path2.join(manifestRoot, "cnos.yml"))) {
+    throw new CnosDiscoveryError(
+      `Git root ${rootUri} resolved to ${manifestRoot} but no cnos.yml was found there. Check the :subpath segment.`
+    );
+  }
+  return {
+    manifestRoot,
+    resolution: {
+      rootUri,
+      protocol: "git",
+      remote: true,
+      readOnly: true,
+      cacheDir: cachePaths.cacheDir,
+      cacheMetaPath: cachePaths.metaPath,
+      ref: parsed.ref,
+      subpath: parsed.subpath,
+      immutable,
+      ...nextMetadata?.resolvedCommit ? { resolvedCommit: nextMetadata.resolvedCommit } : {},
+      ...nextMetadata?.cachedAt ? { cachedAt: nextMetadata.cachedAt } : {}
+    }
+  };
+}
+async function resolveRootUri(rootUri, cnosrcDir, options = {}) {
+  if (isLocalRootUri(rootUri)) {
+    return resolveLocalRoot(rootUri, cnosrcDir);
+  }
+  if (isGitRootUri2(rootUri)) {
+    return resolveGitRoot(rootUri, options);
+  }
+  if (isCnosHostedRootUri(rootUri)) {
+    throw new CnosDiscoveryError(
+      `The cnos:// remote root protocol is reserved but not implemented yet. Use git+https:// or git+ssh:// for now.`
+    );
+  }
+  throw new CnosDiscoveryError(
+    `Unknown root protocol: ${rootUri}. Supported root protocols are local paths, git+https://..., and git+ssh://....`
+  );
+}
 
 // ../core/src/discovery/findCnosrc.ts
-import { access, readFile } from "fs/promises";
-import path from "path";
 async function exists(targetPath) {
   try {
-    await access(targetPath);
+    await access2(targetPath);
     return true;
   } catch {
     return false;
@@ -214,13 +1170,13 @@ function validateCnosrc(value, filePath) {
   };
 }
 async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
-  let current = path.resolve(startDir);
+  let current = path3.resolve(startDir);
   for (let depth = 0; depth <= maxLevels; depth += 1) {
-    const candidate = path.join(current, ".cnosrc.yml");
+    const candidate = path3.join(current, ".cnosrc.yml");
     if (await exists(candidate)) {
       return candidate;
     }
-    const parent = path.dirname(current);
+    const parent = path3.dirname(current);
     if (parent === current) {
       break;
     }
@@ -228,27 +1184,22 @@ async function findCnosrc(startDir = process.cwd(), maxLevels = 3) {
   }
   return void 0;
 }
-async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3) {
+async function discoverCnosAnchor(startDir = process.cwd(), maxLevels = 3, options = {}) {
   const anchorPath = await findCnosrc(startDir, maxLevels);
   if (!anchorPath) {
     throw new CnosDiscoveryError(
       "No .cnosrc.yml found. Run cnos init or create .cnosrc.yml in your package root."
     );
   }
-  const source = await readFile(anchorPath, "utf8");
+  const source = await readFile2(anchorPath, "utf8");
   const parsed = validateCnosrc(parseYaml(source), anchorPath);
-  const consumerRoot = path.dirname(anchorPath);
-  const manifestRoot = path.resolve(consumerRoot, parsed.root);
-  const manifestPath = path.join(manifestRoot, "cnos.yml");
-  if (!await exists(manifestPath)) {
-    throw new CnosDiscoveryError(
-      `.cnosrc.yml points to ${manifestRoot} but no cnos.yml found there.`
-    );
-  }
+  const consumerRoot = path3.dirname(anchorPath);
+  const resolvedRoot = await resolveRootUri(parsed.root, consumerRoot, options);
   return {
     anchorPath,
     consumerRoot,
-    manifestRoot,
+    manifestRoot: resolvedRoot.manifestRoot,
+    rootResolution: resolvedRoot.resolution,
     ...parsed.workspace ? { workspace: parsed.workspace } : {}
   };
 }
@@ -258,21 +1209,21 @@ var PRIMARY_CNOS_DIR = ".cnos";
 var LEGACY_CNOS_DIR = "cnos";
 async function exists2(filePath) {
   try {
-    await access2(filePath);
+    await access3(filePath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveCnosRoot(root = process.cwd()) {
-  const basePath = path2.resolve(root);
+  const basePath = path4.resolve(root);
   const candidates = [
-    path2.join(basePath, PRIMARY_CNOS_DIR),
-    path2.join(basePath, LEGACY_CNOS_DIR),
+    path4.join(basePath, PRIMARY_CNOS_DIR),
+    path4.join(basePath, LEGACY_CNOS_DIR),
     basePath
   ];
   for (const candidate of candidates) {
-    if (await exists2(path2.join(candidate, "cnos.yml"))) {
+    if (await exists2(path4.join(candidate, "cnos.yml"))) {
       return candidate;
     }
   }
@@ -282,18 +1233,44 @@ async function resolveCnosRoot(root = process.cwd()) {
 }
 async function resolveManifestRoot(options = {}) {
   if (options.root) {
+    if (options.root.startsWith("git+") || options.root.startsWith("cnos://")) {
+      const consumerRoot2 = path4.resolve(options.cwd ?? process.cwd());
+      const resolvedRoot2 = await resolveRootUri(options.root, consumerRoot2, {
+        ...options.processEnv ? { processEnv: options.processEnv } : {},
+        ...options.cacheMode ? { cacheMode: options.cacheMode } : {},
+        ...typeof options.cacheTtlSeconds === "number" ? { cacheTtlSeconds: options.cacheTtlSeconds } : {},
+        ...options.forceRefresh ? { forceRefresh: true } : {}
+      });
+      return {
+        manifestRoot: resolvedRoot2.manifestRoot,
+        consumerRoot: consumerRoot2,
+        rootResolution: resolvedRoot2.resolution
+      };
+    }
     const manifestRoot = await resolveCnosRoot(options.root);
-    const resolvedRoot = path2.resolve(options.root);
-    const consumerRoot = path2.basename(manifestRoot) === PRIMARY_CNOS_DIR || path2.basename(manifestRoot) === LEGACY_CNOS_DIR ? path2.dirname(manifestRoot) : resolvedRoot;
+    const resolvedRoot = path4.resolve(options.root);
+    const consumerRoot = path4.basename(manifestRoot) === PRIMARY_CNOS_DIR || path4.basename(manifestRoot) === LEGACY_CNOS_DIR ? path4.dirname(manifestRoot) : resolvedRoot;
     return {
       manifestRoot,
-      consumerRoot
+      consumerRoot,
+      rootResolution: {
+        rootUri: manifestRoot,
+        protocol: "local",
+        remote: false,
+        readOnly: false
+      }
     };
   }
-  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd());
+  const discovered = await discoverCnosAnchor(options.cwd ?? process.cwd(), 3, {
+    ...options.processEnv ? { processEnv: options.processEnv } : {},
+    ...options.cacheMode ? { cacheMode: options.cacheMode } : {},
+    ...typeof options.cacheTtlSeconds === "number" ? { cacheTtlSeconds: options.cacheTtlSeconds } : {},
+    ...options.forceRefresh ? { forceRefresh: true } : {}
+  });
   return {
     manifestRoot: discovered.manifestRoot,
     consumerRoot: discovered.consumerRoot,
+    rootResolution: discovered.rootResolution,
     anchorPath: discovered.anchorPath,
     ...discovered.workspace ? { workspace: discovered.workspace } : {}
   };
@@ -304,12 +1281,12 @@ function interpolatePathTemplate(template, tokens) {
     template
   );
 }
-function expandHomePath(targetPath) {
+function expandHomePath2(targetPath) {
   if (targetPath === "~") {
-    return os.homedir();
+    return os2.homedir();
   }
   if (targetPath.startsWith("~/") || targetPath.startsWith("~\\")) {
-    return path2.join(os.homedir(), targetPath.slice(2));
+    return path4.join(os2.homedir(), targetPath.slice(2));
   }
   return targetPath;
 }
@@ -327,19 +1304,19 @@ function stripWorkspaceTemplatePrefix(template) {
 function resolveWorkspaceScopedPath(workspaceRoot, template, tokens) {
   const relativeTemplate = stripWorkspaceTemplatePrefix(template);
   const interpolated = interpolatePathTemplate(relativeTemplate, tokens);
-  return path2.resolve(workspaceRoot, interpolated);
+  return path4.resolve(workspaceRoot, interpolated);
 }
 function resolveNamespaceDirectory(workspaceRoot, namespace, profile) {
   const rootFolder = namespace === "value" ? "values" : namespace === "secret" ? "secrets" : namespace;
   if (profile && profile !== "base") {
-    return path2.resolve(workspaceRoot, "profiles", profile, rootFolder);
+    return path4.resolve(workspaceRoot, "profiles", profile, rootFolder);
   }
-  return path2.resolve(workspaceRoot, rootFolder);
+  return path4.resolve(workspaceRoot, rootFolder);
 }
 function resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile) {
   const namespaceRoot = resolveNamespaceDirectory(workspaceRoot, namespace, profile);
   const fileName = `${configPath.split(".").shift() ?? "app"}.yml`;
-  return path2.resolve(namespaceRoot, fileName);
+  return path4.resolve(namespaceRoot, fileName);
 }
 function toPortablePath(targetPath) {
   return targetPath.replace(/\\/g, "/");
@@ -354,9 +1331,29 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
+// ../core/src/discovery/cache/cachePaths.ts
+function resolveCnosCacheRoot(processEnv = process.env) {
+  return path5.resolve(
+    expandHomePath2(processEnv.CNOS_CACHE_DIR ?? path5.join(os3.homedir(), ".cnos", "cache"))
+  );
+}
+function createRemoteRootCacheKey(uri) {
+  return createHash("sha256").update(uri).digest("hex");
+}
+function resolveRemoteRootCachePaths(uri, processEnv = process.env) {
+  const cacheRoot = resolveCnosCacheRoot(processEnv);
+  const cacheDir = path5.join(cacheRoot, "roots", createRemoteRootCacheKey(uri));
+  return {
+    cacheRoot,
+    cacheDir,
+    repoDir: path5.join(cacheDir, "repo"),
+    metaPath: path5.join(cacheDir, ".cnos-cache-meta.json")
+  };
+}
+
 // ../core/src/manifest/loadManifest.ts
-import { readFile as readFile2 } from "fs/promises";
-import path3 from "path";
+import { readFile as readFile3 } from "fs/promises";
+import path6 from "path";
 
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
@@ -409,6 +1406,13 @@ var DEFAULT_NAMESPACES = {
     readonly: true
   }
 };
+var DEFAULT_RUNTIME_NAMESPACES = {
+  process: {
+    description: "Live process runtime values.",
+    serverOnly: true,
+    builtIn: true
+  }
+};
 function validateResolveFrom(resolveFrom) {
   const validValues = ["cli.profile", "env.CNOS_PROFILE", "default"];
   for (const entry of resolveFrom) {
@@ -431,7 +1435,7 @@ function normalizeWorkspaceItems(items) {
 }
 function normalizeNamespaces(namespaces) {
   const normalized = Object.fromEntries(
-    Object.entries(namespaces ?? {}).map(([namespace, definition]) => [
+    Object.entries(namespaces ?? {}).filter(([namespace]) => namespace !== "runtime").map(([namespace, definition]) => [
       namespace,
       {
         kind: definition.kind ?? "data",
@@ -447,6 +1451,29 @@ function normalizeNamespaces(namespaces) {
     ...normalized
   };
 }
+function normalizeRuntimeNamespaces(namespaces) {
+  const runtimeEntries = namespaces?.runtime ?? {};
+  const normalized = Object.fromEntries(
+    Object.entries(runtimeEntries).map(([namespace, definition]) => [
+      namespace,
+      {
+        ...definition.description?.trim() ? {
+          description: definition.description.trim()
+        } : {},
+        serverOnly: definition.server_only ?? true
+      }
+    ])
+  );
+  for (const namespace of Object.keys(normalized)) {
+    if (DEFAULT_NAMESPACES[namespace] || namespace === "runtime") {
+      throw new CnosManifestError(`Runtime namespace "${namespace}" conflicts with a built-in or reserved namespace.`);
+    }
+  }
+  return {
+    ...DEFAULT_RUNTIME_NAMESPACES,
+    ...normalized
+  };
+}
 function normalizeVaults(vaults) {
   return Object.fromEntries(
     Object.entries(vaults ?? {}).map(([name, definition]) => {
@@ -538,6 +1565,7 @@ function normalizeManifest(manifest) {
   const defaultProfile = manifest.profiles?.default?.trim() || "base";
   const workspaceItems = normalizeWorkspaceItems(manifest.workspaces?.items);
   const resolveFrom = validateResolveFrom(manifest.profiles?.resolveFrom ?? DEFAULT_RESOLVE_FROM);
+  const runtimeNamespaces = normalizeRuntimeNamespaces(manifest.namespaces);
   const filesystemValues = {
     root: "./",
     format: "yaml",
@@ -611,6 +1639,7 @@ function normalizeManifest(manifest) {
       }
     },
     namespaces: normalizeNamespaces(manifest.namespaces),
+    runtimeNamespaces,
     vaults: normalizeVaults(manifest.vaults),
     writePolicy: {
       define: {
@@ -629,13 +1658,17 @@ function normalizeManifest(manifest) {
 async function loadManifest(options = {}) {
   const resolved = await resolveManifestRoot({
     ...options.root ? { root: options.root } : {},
-    ...options.cwd ? { cwd: options.cwd } : {}
+    ...options.cwd ? { cwd: options.cwd } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {},
+    ...options.cacheMode ? { cacheMode: options.cacheMode } : {},
+    ...typeof options.cacheTtlSeconds === "number" ? { cacheTtlSeconds: options.cacheTtlSeconds } : {},
+    ...options.forceRefresh ? { forceRefresh: true } : {}
   });
   const manifestRoot = resolved.manifestRoot;
-  const manifestPath = path3.join(manifestRoot, "cnos.yml");
+  const manifestPath = path6.join(manifestRoot, "cnos.yml");
   let source;
   try {
-    source = await readFile2(manifestPath, "utf8");
+    source = await readFile3(manifestPath, "utf8");
   } catch {
     throw new CnosManifestError("Unable to read CNOS manifest", manifestPath);
   }
@@ -645,10 +1678,11 @@ async function loadManifest(options = {}) {
   }
   return {
     manifestRoot,
-    repoRoot: path3.dirname(manifestRoot),
+    repoRoot: path6.dirname(manifestRoot),
     consumerRoot: resolved.consumerRoot,
     ...resolved.anchorPath ? { anchorPath: resolved.anchorPath } : {},
     ...resolved.workspace ? { anchoredWorkspace: resolved.workspace } : {},
+    rootResolution: resolved.rootResolution,
     manifestPath,
     manifest: normalizeManifest(rawManifest),
     rawManifest
@@ -704,29 +1738,29 @@ function validateProjectionIssue(manifest, key, target) {
 }
 
 // ../core/src/secrets/sessionStore.ts
-import { mkdir, readFile as readFile3, readdir, rm, writeFile } from "fs/promises";
-import path4 from "path";
+import { mkdir as mkdir3, readFile as readFile4, readdir, rm, writeFile as writeFile2 } from "fs/promises";
+import path7 from "path";
 function buildSessionRoot(processEnv = process.env) {
-  return path4.join(path4.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
+  return path7.join(path7.resolve(expandHomePath2(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets")), "sessions");
 }
 function buildSessionPath(vault, processEnv) {
-  return path4.join(buildSessionRoot(processEnv), `${vault}.json`);
+  return path7.join(buildSessionRoot(processEnv), `${vault}.json`);
 }
 async function writeVaultSessionKey(vault, derivedKey, processEnv) {
   const filePath = buildSessionPath(vault, processEnv);
-  await mkdir(path4.dirname(filePath), { recursive: true });
+  await mkdir3(path7.dirname(filePath), { recursive: true });
   const document = {
     version: 1,
     vault,
     derivedKey: derivedKey.toString("hex"),
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  await writeFile(filePath, JSON.stringify(document, null, 2), "utf8");
+  await writeFile2(filePath, JSON.stringify(document, null, 2), "utf8");
   return filePath;
 }
 async function readVaultSessionKey(vault, processEnv) {
   try {
-    const source = await readFile3(buildSessionPath(vault, processEnv), "utf8");
+    const source = await readFile4(buildSessionPath(vault, processEnv), "utf8");
     const document = JSON.parse(source);
     if (document.version !== 1 || typeof document.derivedKey !== "string") {
       return void 0;
@@ -744,15 +1778,15 @@ async function clearAllVaultSessionKeys(processEnv) {
   const root = buildSessionRoot(processEnv);
   try {
     const entries = await readdir(root);
-    await Promise.all(entries.map((entry) => rm(path4.join(root, entry), { force: true })));
+    await Promise.all(entries.map((entry) => rm(path7.join(root, entry), { force: true })));
   } catch {
   }
 }
 
 // ../core/src/utils/secretStore.ts
 import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "crypto";
-import { mkdir as mkdir2, readdir as readdir2, readFile as readFile4, rm as rm2, stat, writeFile as writeFile2 } from "fs/promises";
-import path5 from "path";
+import { mkdir as mkdir4, readdir as readdir2, readFile as readFile5, rm as rm2, stat, writeFile as writeFile3 } from "fs/promises";
+import path8 from "path";
 var KEY_LENGTH = 32;
 var SALT_LENGTH = 32;
 var IV_LENGTH = 12;
@@ -769,7 +1803,7 @@ function isSecretReference(value) {
   return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
-  return path5.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
+  return path8.resolve(expandHomePath2(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
 }
 function normalizeVaultToken(vault = "default") {
   return vault.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
@@ -804,19 +1838,19 @@ function deriveVaultKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
   return pbkdf2Sync(passphrase, salt, iterations, KEY_LENGTH, "sha512");
 }
 function buildMetaPath(storeRoot, vault = "default") {
-  return path5.join(storeRoot, "vaults", vault, META_FILENAME);
+  return path8.join(storeRoot, "vaults", vault, META_FILENAME);
 }
 function resolveSecretVaultFile(storeRoot, vault = "default") {
   return buildMetaPath(storeRoot, vault);
 }
 function buildKeystorePath(storeRoot, vault = "default") {
-  return path5.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
+  return path8.join(storeRoot, "vaults", vault, KEYSTORE_FILENAME);
 }
 function buildLegacyVaultFile(storeRoot, vault = "default") {
-  return path5.join(storeRoot, "vaults", `${vault}.json`);
+  return path8.join(storeRoot, "vaults", `${vault}.json`);
 }
 function buildLegacyVaultStoreRoot(storeRoot, vault = "default") {
-  return path5.join(storeRoot, "vaults", vault, "store");
+  return path8.join(storeRoot, "vaults", vault, "store");
 }
 function assertVaultMetadata(value, filePath) {
   if (!isObject(value)) {
@@ -913,15 +1947,15 @@ function buildInitialPayload() {
 async function writeVaultFiles(storeRoot, vault, meta, payload, key) {
   const metaPath = buildMetaPath(storeRoot, vault);
   const keystorePath = buildKeystorePath(storeRoot, vault);
-  await mkdir2(path5.dirname(metaPath), { recursive: true });
-  await writeFile2(metaPath, stringifyYaml(meta), "utf8");
-  await writeFile2(keystorePath, encryptPayload(payload, key));
+  await mkdir4(path8.dirname(metaPath), { recursive: true });
+  await writeFile3(metaPath, stringifyYaml(meta), "utf8");
+  await writeFile3(keystorePath, encryptPayload(payload, key));
 }
 async function readVaultMetadata(storeRoot, vault = "default") {
   await assertNoLegacyVaultFormat(storeRoot, vault);
   const metaPath = buildMetaPath(storeRoot, vault);
   try {
-    const source = await readFile4(metaPath, "utf8");
+    const source = await readFile5(metaPath, "utf8");
     return assertVaultMetadata(parseYaml(source), metaPath);
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -931,11 +1965,11 @@ async function readVaultMetadata(storeRoot, vault = "default") {
   }
 }
 async function listSecretVaults(storeRoot) {
-  const vaultRoot = path5.join(storeRoot, "vaults");
+  const vaultRoot = path8.join(storeRoot, "vaults");
   try {
     const entries = await readdir2(vaultRoot, { withFileTypes: true });
     const vaults = await Promise.all(
-      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists3(path5.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
+      entries.filter((entry) => entry.isDirectory()).map(async (entry) => await exists3(path8.join(vaultRoot, entry.name, META_FILENAME)) ? entry.name : void 0)
     );
     return vaults.filter((value) => Boolean(value)).sort((left, right) => left.localeCompare(right));
   } catch {
@@ -1024,7 +2058,7 @@ async function loadVaultPayload(storeRoot, vault, auth) {
   if (!key) {
     throw new CnosAuthenticationError(`Vault "${vault}" requires authentication before access.`);
   }
-  const buffer = await readFile4(buildKeystorePath(storeRoot, vault));
+  const buffer = await readFile5(buildKeystorePath(storeRoot, vault));
   return {
     meta,
     payload: decryptPayload(buffer, key),
@@ -1097,7 +2131,7 @@ function resolveVaultDefinition(vaults, vault = "default") {
   };
 }
 async function removeLocalVaultFiles(storeRoot, vault = "default") {
-  await rm2(path5.join(storeRoot, "vaults", vault), { recursive: true, force: true });
+  await rm2(path8.join(storeRoot, "vaults", vault), { recursive: true, force: true });
 }
 
 // ../core/src/secrets/providers/github.ts
@@ -1156,11 +2190,11 @@ var GithubSecretsVaultProvider = class {
 };
 
 // ../core/src/secrets/auditLog.ts
-import { appendFile, mkdir as mkdir3 } from "fs/promises";
-import path6 from "path";
+import { appendFile, mkdir as mkdir5 } from "fs/promises";
+import path9 from "path";
 async function appendAuditEvent(event, processEnv = process.env) {
-  const auditFile = processEnv.CNOS_AUDIT_FILE ?? path6.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await mkdir3(path6.dirname(auditFile), { recursive: true });
+  const auditFile = processEnv.CNOS_AUDIT_FILE ?? path9.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
+  await mkdir5(path9.dirname(auditFile), { recursive: true });
   await appendFile(
     auditFile,
     `${JSON.stringify({
@@ -1387,7 +2421,7 @@ function setNestedValue(target, pathSegments, value) {
   target[head] = nextTarget;
   setNestedValue(nextTarget, tail, value);
 }
-function toNamespaceObject(graph, namespace) {
+function toNamespaceObject(graph, namespace, readValueForKey = (key) => graph.entries.get(key)?.value) {
   const output = {};
   const resolvedEntries = Array.from(graph.entries.values()).sort(
     (left, right) => left.key.localeCompare(right.key)
@@ -1397,7 +2431,11 @@ function toNamespaceObject(graph, namespace) {
       continue;
     }
     const valuePath = namespace ? stripNamespace(entry.key) : entry.key;
-    setNestedValue(output, valuePath.split("."), entry.value);
+    const value = readValueForKey(entry.key);
+    if (value === void 0) {
+      continue;
+    }
+    setNestedValue(output, valuePath.split("."), value);
   }
   return output;
 }
@@ -1407,12 +2445,6 @@ function readValue(graph, key) {
   return graph.entries.get(key)?.value;
 }
 
-// ../core/src/runtime/readOr.ts
-function readOrValue(graph, key, fallback) {
-  const value = readValue(graph, key);
-  return value === void 0 ? fallback : value;
-}
-
 // ../core/src/runtime/require.ts
 function requireValue(graph, key) {
   const value = readValue(graph, key);
@@ -1422,6 +2454,36 @@ function requireValue(graph, key) {
   return value;
 }
 
+// ../core/src/runtime/runtimeProviders.ts
+function createDefaultRuntimeProviders(manifest, processEnv) {
+  const providers = /* @__PURE__ */ new Map();
+  if (manifest.runtimeNamespaces.process) {
+    providers.set("process", (key) => {
+      const segments = key.split(".");
+      if (segments[0] === "env") {
+        return processEnv[segments.slice(1).join(".")];
+      }
+      if (key === "cwd") {
+        return process.cwd();
+      }
+      if (key === "platform") {
+        return process.platform;
+      }
+      if (key === "arch") {
+        return process.arch;
+      }
+      if (key === "pid") {
+        return process.pid;
+      }
+      if (key === "node.version") {
+        return process.version;
+      }
+      return void 0;
+    });
+  }
+  return providers;
+}
+
 // ../core/src/runtime/toEnv.ts
 function normalizeEnvValue(value) {
   if (value === void 0 || value === null) {
@@ -1435,7 +2497,7 @@ function normalizeEnvValue(value) {
   }
   return JSON.stringify(value);
 }
-function toEnv(graph, manifest, options = {}) {
+function toEnv(graph, manifest, options = {}, helpers = {}) {
   const includeSecrets = options.includeSecrets ?? true;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
@@ -1456,7 +2518,11 @@ function toEnv(graph, manifest, options = {}) {
     if (isSecretReference(entry.value)) {
       continue;
     }
-    output[envVar] = normalizeEnvValue(entry.value);
+    const value = helpers.read ? helpers.read(logicalKey) : entry.value;
+    if (value === void 0) {
+      continue;
+    }
+    output[envVar] = normalizeEnvValue(value);
   }
   return output;
 }
@@ -1493,36 +2559,46 @@ function resolvePublicPrefix(manifest, options) {
   }
   return manifest.public.frameworks[options.framework] ?? "";
 }
-function toPublicEnv(graph, manifest, options = {}) {
+function toPublicEnv(graph, manifest, options = {}, helpers = {}) {
   const prefix = resolvePublicPrefix(manifest, options);
   const output = {};
   const promotions = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").sort((left, right) => left.key.localeCompare(right.key));
   for (const resolved of promotions) {
+    if (helpers.isRuntimeDependent?.(resolved.key)) {
+      const value2 = helpers.read?.(resolved.key);
+      if (value2 === void 0) {
+        throw new CnosManifestError(`Cannot build public output for ${resolved.key} because it depends on runtime-only values.`);
+      }
+    }
     const baseEnvVar = fallbackPublicEnvVar(stripNamespace(resolved.key));
     const envVar = prefix && !baseEnvVar.startsWith(prefix) ? `${prefix}${baseEnvVar}` : baseEnvVar;
-    output[envVar] = normalizeEnvValue2(resolved.value);
+    const value = helpers.read ? helpers.read(resolved.key) : resolved.value;
+    if (value === void 0) {
+      continue;
+    }
+    output[envVar] = normalizeEnvValue2(value);
   }
   return output;
 }
 
 // ../core/src/runtime/dump.ts
-import { mkdir as mkdir4, writeFile as writeFile3 } from "fs/promises";
-import path7 from "path";
+import { mkdir as mkdir6, writeFile as writeFile4 } from "fs/promises";
+import path10 from "path";
 function buildDumpFiles(graph, options = {}) {
-  const basePath = options.flatten ? "" : path7.posix.join("workspaces", graph.workspace.workspaceId);
+  const basePath = options.flatten ? "" : path10.posix.join("workspaces", graph.workspace.workspaceId);
   const values = toNamespaceObject(graph, "value");
   const secrets = toNamespaceObject(graph, "secret");
   const files = [];
   if (Object.keys(values).length > 0) {
     files.push({
-      path: path7.posix.join(basePath, "values", graph.profile, "app.yml"),
+      path: path10.posix.join(basePath, "values", graph.profile, "app.yml"),
       namespace: "value",
       content: stringifyYaml(values)
     });
   }
   if (Object.keys(secrets).length > 0) {
     files.push({
-      path: path7.posix.join(basePath, "secrets", graph.profile, "app.yml"),
+      path: path10.posix.join(basePath, "secrets", graph.profile, "app.yml"),
       namespace: "secret",
       content: stringifyYaml(secrets)
     });
@@ -1538,12 +2614,12 @@ function planDump(graph, options = {}) {
   };
 }
 async function writeDump(graph, options) {
-  const root = path7.resolve(options.to);
+  const root = path10.resolve(options.to);
   const plan = planDump(graph, options);
   for (const file of plan.files) {
-    const destination = path7.join(root, file.path);
-    await mkdir4(path7.dirname(destination), { recursive: true });
-    await writeFile3(destination, file.content, "utf8");
+    const destination = path10.join(root, file.path);
+    await mkdir6(path10.dirname(destination), { recursive: true });
+    await writeFile4(destination, file.content, "utf8");
   }
   return {
     ...plan,
@@ -1555,6 +2631,10 @@ async function writeDump(graph, options) {
 function flattenObject(value, prefix = "") {
   return Object.entries(value).reduce((accumulator, [key, nestedValue]) => {
     const nextKey = prefix ? `${prefix}.${key}` : key;
+    if (isDerivedValue(nestedValue) || isSecretReference(nestedValue)) {
+      accumulator[nextKey] = nestedValue;
+      return accumulator;
+    }
     if (nestedValue && typeof nestedValue === "object" && !Array.isArray(nestedValue)) {
       Object.assign(accumulator, flattenObject(nestedValue, nextKey));
       return accumulator;
@@ -1574,11 +2654,11 @@ function normalizeMappingConfig(config = {}) {
 function toScreamingSnakeSegment(segment) {
   return segment.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^A-Za-z0-9]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toUpperCase();
 }
-function toScreamingSnake(path11) {
-  return path11.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
+function toScreamingSnake(path14) {
+  return path14.split(".").map((segment) => toScreamingSnakeSegment(segment)).filter(Boolean).join("_");
 }
-function fromScreamingSnake(path11) {
-  return path11.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
+function fromScreamingSnake(path14) {
+  return path14.split("_").map((segment) => segment.trim().toLowerCase()).filter(Boolean).join(".");
 }
 function logicalKeyToEnvVar(key, config = {}) {
   const normalized = normalizeMappingConfig(config);
@@ -1730,12 +2810,12 @@ function createProvenanceInspector() {
 }
 
 // ../core/src/manifest/loadWorkspaceFile.ts
-import { readFile as readFile5 } from "fs/promises";
-import path8 from "path";
+import { readFile as readFile6 } from "fs/promises";
+import path11 from "path";
 async function loadWorkspaceFile(repoRoot) {
-  const workspaceFilePath = path8.join(repoRoot, ".cnos-workspace.yml");
+  const workspaceFilePath = path11.join(repoRoot, ".cnos-workspace.yml");
   try {
-    const source = await readFile5(workspaceFilePath, "utf8");
+    const source = await readFile6(workspaceFilePath, "utf8");
     const parsed = parseYaml(source);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError(".cnos-workspace.yml must be a YAML object", workspaceFilePath);
@@ -1758,11 +2838,11 @@ async function loadWorkspaceFile(repoRoot) {
 }
 
 // ../core/src/profiles/expandProfileChain.ts
-import { access as access3, readFile as readFile6 } from "fs/promises";
-import path9 from "path";
+import { access as access4, readFile as readFile7 } from "fs/promises";
+import path12 from "path";
 async function fileExists(targetPath) {
   try {
-    await access3(targetPath);
+    await access4(targetPath);
     return true;
   } catch {
     return false;
@@ -1796,11 +2876,11 @@ async function loadProfileDefinition(profileName, options) {
     return normalizeProfileDefinition(profileName, void 0);
   }
   for (const workspaceRoot of [...workspaceRoots].reverse()) {
-    const profilePath = path9.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
+    const profilePath = path12.join(workspaceRoot.path, "profiles", `${profileName}.yml`);
     if (!await fileExists(profilePath)) {
       continue;
     }
-    const document = await readFile6(profilePath, "utf8");
+    const document = await readFile7(profilePath, "utf8");
     const parsed = parseYaml(document);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new CnosManifestError("Profile definition must be a YAML object", profilePath);
@@ -1808,7 +2888,7 @@ async function loadProfileDefinition(profileName, options) {
     const definition = normalizeProfileDefinition(
       profileName,
       parsed,
-      options.manifestRoot ? toPortablePath(path9.relative(path9.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
+      options.manifestRoot ? toPortablePath(path12.relative(path12.dirname(options.manifestRoot), profilePath)) : toPortablePath(profilePath)
     );
     if (definition.name !== profileName) {
       throw new CnosManifestError(
@@ -2054,8 +3134,8 @@ function createProfileAwareResolver() {
 }
 
 // ../core/src/workspaces/resolveWorkspaceContext.ts
-import { access as access4 } from "fs/promises";
-import path10 from "path";
+import { access as access5 } from "fs/promises";
+import path13 from "path";
 
 // ../core/src/workspaces/expandWorkspaceChain.ts
 function expandWorkspaceChain(workspaceId, items) {
@@ -2094,14 +3174,14 @@ function expandWorkspaceChain(workspaceId, items) {
 // ../core/src/workspaces/resolveWorkspaceContext.ts
 async function exists4(targetPath) {
   try {
-    await access4(targetPath);
+    await access5(targetPath);
     return true;
   } catch {
     return false;
   }
 }
 async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
-  const workspaceRoot = path10.join(manifestRoot, "workspaces", workspaceId);
+  const workspaceRoot = path13.join(manifestRoot, "workspaces", workspaceId);
   if (await exists4(workspaceRoot)) {
     return workspaceRoot;
   }
@@ -2109,7 +3189,7 @@ async function resolveLocalWorkspaceRoot(manifestRoot, workspaceId, manifest) {
     ([namespace, definition]) => namespace !== "value" && namespace !== "secret" && definition.kind === "data" && !definition.sensitive
   ).map(([namespace]) => namespace);
   const legacyMarkers = ["values", "secrets", "env", "profiles", ...customDataNamespaceRoots].map(
-    (segment) => path10.join(manifestRoot, segment)
+    (segment) => path13.join(manifestRoot, segment)
   );
   if ((await Promise.all(legacyMarkers.map((marker) => exists4(marker)))).some(Boolean)) {
     return manifestRoot;
@@ -2157,26 +3237,26 @@ function resolveGlobalRoot(manifest, workspaceFile, options) {
   }
   if (options.globalRoot) {
     return {
-      value: path10.resolve(expandHomePath(options.globalRoot)),
+      value: path13.resolve(expandHomePath2(options.globalRoot)),
       source: "cli"
     };
   }
   if (workspaceFile?.globalRoot) {
     return {
-      value: path10.resolve(expandHomePath(workspaceFile.globalRoot)),
+      value: path13.resolve(expandHomePath2(workspaceFile.globalRoot)),
       source: "workspace-file"
     };
   }
   if (manifest.workspaces.global.root) {
     return {
-      value: path10.resolve(expandHomePath(manifest.workspaces.global.root)),
+      value: path13.resolve(expandHomePath2(manifest.workspaces.global.root)),
       source: "manifest"
     };
   }
   const cnosHome = options.processEnv?.CNOS_HOME;
   if (cnosHome) {
     return {
-      value: path10.resolve(expandHomePath(cnosHome)),
+      value: path13.resolve(expandHomePath2(cnosHome)),
       source: "CNOS_HOME"
     };
   }
@@ -2198,7 +3278,7 @@ async function resolveWorkspaceContext(manifest, options) {
       workspaceRoots.push({
         scope: "global",
         workspaceId: chainWorkspaceId,
-        path: path10.join(globalRoot.value, "workspaces", globalWorkspaceId)
+        path: path13.join(globalRoot.value, "workspaces", globalWorkspaceId)
       });
     }
   }
@@ -2321,6 +3401,10 @@ function applySchemaRules(graph, schema) {
       }
       continue;
     }
+    if (isDerivedValue(resolvedEntry.value)) {
+      nextEntries.set(key, resolvedEntry);
+      continue;
+    }
     const coercedValue = coerceValue(resolvedEntry.value, rule);
     const nextResolvedEntry = coercedValue === resolvedEntry.value ? resolvedEntry : {
       ...resolvedEntry,
@@ -2467,7 +3551,7 @@ function resolveSecretEntryValue(key, value, cache) {
 }
 
 // ../core/src/runtime/toServerProjection.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 function stableSortObject(value) {
   return Object.fromEntries(Object.entries(value).sort(([left], [right]) => left.localeCompare(right)));
 }
@@ -2476,12 +3560,14 @@ function stripValuePrefix(key) {
 }
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
-  return createHash("sha256").update(serialized).digest("hex");
+  return createHash2("sha256").update(serialized).digest("hex");
 }
-function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
+function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
   const values = {};
+  const derived = {};
   const secretRefs = {};
   const namespaces = /* @__PURE__ */ new Set();
+  const runtimeNamespaces = /* @__PURE__ */ new Set();
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
@@ -2493,12 +3579,33 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
       continue;
     }
     if (entry.namespace === "value") {
-      values[stripValuePrefix(key)] = entry.value;
+      if (helpers.isRuntimeDependent?.(key)) {
+        const formula = helpers.toServerFormula?.(key);
+        if (formula) {
+          derived[stripValuePrefix(key)] = formula;
+          for (const ref of formula.runtimeRefs) {
+            runtimeNamespaces.add(ref.split(".")[0] ?? "");
+          }
+        }
+        continue;
+      }
+      const value = helpers.read ? helpers.read(key) : entry.value;
+      values[stripValuePrefix(key)] = value;
       continue;
     }
     const namespaceDefinition = manifest.namespaces[entry.namespace];
     if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
-      values[key] = entry.value;
+      if (helpers.isRuntimeDependent?.(key)) {
+        const formula = helpers.toServerFormula?.(key);
+        if (formula) {
+          derived[key] = formula;
+          for (const ref of formula.runtimeRefs) {
+            runtimeNamespaces.add(ref.split(".")[0] ?? "");
+          }
+        }
+        continue;
+      }
+      values[key] = helpers.read ? helpers.read(key) : entry.value;
       namespaces.add(entry.namespace);
     }
   }
@@ -2509,8 +3616,10 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
     resolvedAt: graph.resolvedAt,
     configHash: configHash(values),
     values: stableSortObject(values),
+    derived: stableSortObject(derived),
     secretRefs: stableSortObject(secretRefs),
     publicKeys,
+    runtimeNamespaces: Array.from(runtimeNamespaces).sort((left, right) => left.localeCompare(right)),
     meta: {
       workspace: graph.workspace.workspaceId,
       profile: graph.profile,
@@ -2522,6 +3631,19 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev") {
 
 // ../core/src/orchestrator/runtime.ts
 function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+  const runtimeProviders = createDefaultRuntimeProviders(manifest, processEnv);
+  const derivedSupport = createDerivedRuntimeSupport(graph, manifest, runtimeProviders);
+  function resolveProjectedSourceKey(key) {
+    if (!key.startsWith("public.")) {
+      return key;
+    }
+    const promotedFrom = graph.entries.get(key)?.winner.metadata?.promotedFrom;
+    if (typeof promotedFrom === "string") {
+      return promotedFrom;
+    }
+    const fallback = `value.${key.slice("public.".length)}`;
+    return graph.entries.has(fallback) ? fallback : key;
+  }
   async function refreshSecretEntry(key) {
     const entry = graph.entries.get(key);
     if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
@@ -2553,6 +3675,19 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     }
   }
   function readLogicalKey(key) {
+    const resolved = derivedSupport.read(key, (ref) => {
+      const entry2 = graph.entries.get(ref);
+      if (!entry2) {
+        return void 0;
+      }
+      if (!secretCache) {
+        return entry2.value;
+      }
+      return resolveSecretEntryValue(ref, entry2.value, secretCache);
+    });
+    if (resolved !== void 0 || graph.entries.has(key) || manifest.runtimeNamespaces[key.split(".")[0] ?? ""]) {
+      return resolved;
+    }
     const entry = graph.entries.get(key);
     if (!entry) {
       return void 0;
@@ -2577,34 +3712,64 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
       return value;
     },
     readOr(key, fallback) {
-      return readOrValue(graph, key, fallback);
+      const value = readLogicalKey(key);
+      return value === void 0 ? fallback : value;
     },
-    value(path11) {
-      return readLogicalKey(toLogicalKey("value", path11));
+    value(path14) {
+      return readLogicalKey(toLogicalKey("value", path14));
     },
-    secret(path11) {
-      return readLogicalKey(toLogicalKey("secret", path11));
+    secret(path14) {
+      return readLogicalKey(toLogicalKey("secret", path14));
     },
-    meta(path11) {
-      return readLogicalKey(toLogicalKey("meta", path11));
+    meta(path14) {
+      return readLogicalKey(toLogicalKey("meta", path14));
     },
     inspect(key) {
-      return inspectValue(graph, key);
+      return inspectValue(graph, key, {
+        read: (ref) => readLogicalKey(ref),
+        describeDerived: (ref) => derivedSupport.describe(ref, (candidate) => {
+          const entry = graph.entries.get(candidate);
+          if (!entry) {
+            return void 0;
+          }
+          if (!secretCache) {
+            return entry.value;
+          }
+          return resolveSecretEntryValue(candidate, entry.value, secretCache);
+        })
+      });
     },
     toObject() {
-      return toNamespaceObject(graph);
+      return toNamespaceObject(graph, void 0, (key) => readLogicalKey(key));
     },
     toNamespace(namespace) {
-      return toNamespaceObject(graph, namespace);
+      return toNamespaceObject(graph, namespace, (key) => readLogicalKey(key));
     },
     toEnv(options) {
-      return toEnv(graph, manifest, options);
+      return toEnv(graph, manifest, options, {
+        read: (key) => readLogicalKey(key),
+        isRuntimeDependent: (key) => derivedSupport.isRuntimeDependentKey(key)
+      });
     },
     toPublicEnv(options) {
-      return toPublicEnv(graph, manifest, options);
+      return toPublicEnv(graph, manifest, options, {
+        read: (key) => derivedSupport.toConcreteValue(
+          resolveProjectedSourceKey(key),
+          (candidate) => readLogicalKey(candidate),
+          "public"
+        ),
+        isRuntimeDependent: (key) => derivedSupport.isRuntimeDependentKey(resolveProjectedSourceKey(key))
+      });
     },
     toServerProjection() {
-      return toServerProjection(graph, manifest, cnosVersion);
+      return toServerProjection(graph, manifest, cnosVersion, {
+        read: (key) => derivedSupport.toConcreteValue(key, (candidate) => readLogicalKey(candidate), "server"),
+        isRuntimeDependent: (key) => derivedSupport.isRuntimeDependentKey(key),
+        toServerFormula: (key) => derivedSupport.toServerFormula(key)
+      });
+    },
+    registerRuntimeProvider(namespace, provider) {
+      registerRuntimeProvider(manifest, runtimeProviders, namespace, provider);
     },
     async refreshSecrets() {
       await refreshAllSecrets();
@@ -2711,7 +3876,11 @@ function appendMetaEntries(graph, cnosVersion) {
 async function createCnos(options = {}) {
   const loadedManifest = await loadManifest({
     ...options.root ? { root: options.root } : {},
-    ...options.cwd ? { cwd: options.cwd } : {}
+    ...options.cwd ? { cwd: options.cwd } : {},
+    ...options.processEnv ? { processEnv: options.processEnv } : {},
+    ...options.cacheMode ? { cacheMode: options.cacheMode } : {},
+    ...typeof options.cacheTtlSeconds === "number" ? { cacheTtlSeconds: options.cacheTtlSeconds } : {},
+    ...options.forceRefresh ? { forceRefresh: true } : {}
   });
   for (const key of loadedManifest.manifest.public.promote) {
     ensureProjectionAllowed(loadedManifest.manifest, key, "public");
@@ -2775,12 +3944,27 @@ export {
   CnosManifestError,
   CnosSecurityError,
   CnosAuthenticationError,
+  isDerivedValue,
+  parseDerivation,
+  validateDerivedTargetNamespace,
+  validateParsedDerivation,
+  normalizeDerivedValue,
+  createDerivedRuntimeSupport,
+  registerRuntimeProvider,
   inspectValue,
   createProvenanceInspector,
   readKeychain,
   writeKeychain,
   parseYaml,
   stringifyYaml,
+  parseGitUri,
+  isImmutableGitRef,
+  readRemoteRootCacheMetadata,
+  writeRemoteRootCacheMetadata,
+  resolveCnosCacheRoot,
+  createRemoteRootCacheKey,
+  resolveRemoteRootCachePaths,
+  resolveRootUri,
   resolveManifestRoot,
   resolveWorkspaceScopedPath,
   resolveConfigDocumentPath,
@@ -2818,8 +4002,8 @@ export {
   resolveVaultAuth,
   toNamespaceObject,
   readValue,
-  readOrValue,
   requireValue,
+  createDefaultRuntimeProviders,
   toEnv,
   toPublicEnv,
   createCnos,