@kitsy/cnos 1.8.1 → 1.8.3
- package/dist/build/index.cjs +37 -9
- package/dist/build/index.d.cts +1 -1
- package/dist/build/index.d.ts +1 -1
- package/dist/build/index.js +8 -8
- package/dist/{chunk-2DGT7N7E.js → chunk-36AR262B.js} +1 -1
- package/dist/{chunk-TT4NV56Z.js → chunk-4AAA2RHV.js} +1 -1
- package/dist/{chunk-FJOOJGUD.js → chunk-7MUDEJSP.js} +10 -10
- package/dist/{chunk-GHGJFRDL.js → chunk-DL5G3QSZ.js} +1 -1
- package/dist/{chunk-OA7FQGAG.js → chunk-EJT2VJTM.js} +1 -1
- package/dist/{chunk-RYIARE4M.js → chunk-JQLV4OQU.js} +1 -1
- package/dist/{chunk-5KIQCYFH.js → chunk-N5DX5QEB.js} +1 -1
- package/dist/{chunk-6IYR3LVA.js → chunk-SUMWGMRA.js} +11 -4
- package/dist/{chunk-UL63DFLS.js → chunk-UMVFSHP2.js} +1 -1
- package/dist/{chunk-2TL42I6M.js → chunk-ZH5QZQ7C.js} +36 -8
- package/dist/configure/index.cjs +37 -9
- package/dist/configure/index.d.cts +3 -3
- package/dist/configure/index.d.ts +3 -3
- package/dist/configure/index.js +8 -8
- package/dist/{core-BJ8xewez.d.cts → core-zDTUSVx9.d.cts} +4 -2
- package/dist/{core-BJ8xewez.d.ts → core-zDTUSVx9.d.ts} +4 -2
- package/dist/{envNaming-BRyiuPoI.d.ts → envNaming-BkorOKW_.d.ts} +1 -1
- package/dist/{envNaming-rx71gpi0.d.cts → envNaming-EFzezmB3.d.cts} +1 -1
- package/dist/index.cjs +45 -10
- package/dist/index.d.cts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +10 -10
- package/dist/internal.cjs +12 -5
- package/dist/internal.d.cts +2 -2
- package/dist/internal.d.ts +2 -2
- package/dist/internal.js +2 -2
- package/dist/plugin/basic-schema.d.cts +1 -1
- package/dist/plugin/basic-schema.d.ts +1 -1
- package/dist/plugin/basic-schema.js +2 -2
- package/dist/plugin/cli-args.d.cts +1 -1
- package/dist/plugin/cli-args.d.ts +1 -1
- package/dist/plugin/cli-args.js +2 -2
- package/dist/plugin/dotenv.d.cts +2 -2
- package/dist/plugin/dotenv.d.ts +2 -2
- package/dist/plugin/dotenv.js +2 -2
- package/dist/plugin/env-export.d.cts +2 -2
- package/dist/plugin/env-export.d.ts +2 -2
- package/dist/plugin/env-export.js +2 -2
- package/dist/plugin/filesystem.d.cts +1 -1
- package/dist/plugin/filesystem.d.ts +1 -1
- package/dist/plugin/filesystem.js +2 -2
- package/dist/plugin/process-env.d.cts +2 -2
- package/dist/plugin/process-env.d.ts +2 -2
- package/dist/plugin/process-env.js +2 -2
- package/dist/runtime/index.cjs +45 -10
- package/dist/runtime/index.d.cts +1 -1
- package/dist/runtime/index.d.ts +1 -1
- package/dist/runtime/index.js +10 -10
- package/dist/{toPublicEnv-CCSgdvI9.d.ts → toPublicEnv-CT265rzS.d.ts} +1 -1
- package/dist/{toPublicEnv-ivRtLjcw.d.cts → toPublicEnv-Ds1DRwCX.d.cts} +1 -1
- package/package.json +1 -1
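--- a/package/dist/build/index.cjs
+++ b/package/dist/build/index.cjs
@@ -1517,7 +1517,7 @@ function normalizeVaultAuth(vaultName, provider, auth) {
 ...auth?.config ? { config: auth.config } : {}
 };
 }
-if (provider === "github-secrets") {
+if (provider === "github-secrets" || provider === "environment") {
 return {
 method: auth?.method ?? "environment",
 ...auth?.config ? { config: auth.config } : {}
@@ -2621,7 +2621,7 @@ function resolveConfiguredVaultPassphrase(definition, vault = "default", process
 }
 async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
 if (definition?.provider !== "local") {
-return definition?.provider === "github-secrets" ? {
+return definition?.provider === "github-secrets" || definition?.provider === "environment" ? {
 method: definition.auth?.method ?? "environment",
 ...definition?.auth?.config ? { config: definition.auth.config } : {}
 } : void 0;
@@ -2779,8 +2779,8 @@ var SecretCache = class {
 }
 };
 
-// ../core/src/secrets/providers/
-var
+// ../core/src/secrets/providers/environment.ts
+var EnvironmentSecretsVaultProvider = class {
 constructor(vaultId, definition, processEnv = process.env) {
 this.vaultId = vaultId;
 this.definition = definition;
@@ -2834,6 +2834,10 @@ var GithubSecretsVaultProvider = class {
 }
 };
 
+// ../core/src/secrets/providers/github.ts
+var GithubSecretsVaultProvider = class extends EnvironmentSecretsVaultProvider {
+};
+
 // ../core/src/secrets/providers/local.ts
 var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
 constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
@@ -2929,6 +2933,9 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
 if (definition.provider === "local") {
 return new LocalSecretVaultProvider(vaultId, definition, processEnv);
 }
+if (definition.provider === "environment") {
+return new EnvironmentSecretsVaultProvider(vaultId, definition, processEnv);
+}
 if (definition.provider === "github-secrets") {
 return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
 }
@@ -2984,7 +2991,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
 ...definition.auth?.config ? { config: definition.auth.config } : {}
 };
 }
-if (definition.provider === "github-secrets") {
+if (definition.provider === "github-secrets" || definition.provider === "environment") {
 return {
 method: definition.auth?.method ?? "environment",
 ...definition.auth?.config ? { config: definition.auth.config } : {}
@@ -3166,10 +3173,20 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
 return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+const mapping = manifest.vaults[vaultId]?.mapping;
+if (!mapping) {
+return void 0;
+}
+return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
 const serialized = JSON.stringify(stableSortObject(values));
 return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
 }
+function shouldProjectResolvedValue(sourceId) {
+return sourceId !== "process-env";
+}
 function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
 const values = {};
 const derived = {};
@@ -3179,14 +3196,22 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
 const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
 for (const [key, entry] of graph.entries) {
 if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+const vaultId = entry.value.vault ?? "default";
+const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
 secretRefs[key.slice("secret.".length)] = {
 provider: entry.value.provider,
-vault:
-ref: entry.value.ref
+vault: vaultId,
+ref: entry.value.ref,
+...envVar ? {
+envVar
+} : {}
 };
 continue;
 }
 if (entry.namespace === "value") {
+if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
+continue;
+}
 if (helpers.isRuntimeDependent?.(key)) {
 const formula = helpers.toServerFormula?.(key);
 if (formula) {
@@ -3203,6 +3228,9 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
 }
 const namespaceDefinition = manifest.namespaces[entry.namespace];
 if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
+continue;
+}
 if (helpers.isRuntimeDependent?.(key)) {
 const formula = helpers.toServerFormula?.(key);
 if (formula) {
@@ -3631,7 +3659,7 @@ async function createCnos(options = {}) {
 });
 const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
 const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-const secretCache = options.secretResolution === "lazy" ?
+const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
 return createRuntime(
 loadedManifest.manifest,
 appendMetaEntries({
@@ -3684,7 +3712,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
 name: "@kitsy/cnos",
-version: "1.8.
+version: "1.8.3",
 description: "Batteries-included CNOS runtime package wired with the official plugins.",
 type: "module",
 main: "./dist/index.cjs",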
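Review bot: `shouldProjectResolvedValue` keys the new filter on the literal source id `"process-env"`, and both call sites in `toServerProjection` read `entry.winner.sourceId` without a guard. If the intent is to keep values taken from the ambient process environment out of the serialized projection, that only holds while the winning source carries exactly that id; values won by any other source are still written to `values`, and the skip leaves no trace for someone debugging a missing key. I would document that contract on the helper, e.g. `// Values won by the process-env source are left out of the projection; any other source id is projected.`, and use `entry.winner?.sourceId` unless every graph entry is guaranteed a `winner` (not visible here). `toServerProjection` continues outside both hunks; the same lines repeat in package/dist/configure/index.cjs and in the chunk section beginning at `@@ -1532,7 +1532,7 @@`.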
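--- a/package/dist/build/index.d.cts
+++ b/package/dist/build/index.d.cts
@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-zDTUSVx9.cjs';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});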
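--- a/package/dist/build/index.d.ts
+++ b/package/dist/build/index.d.ts
@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-zDTUSVx9.js';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});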
package/dist/build/index.js
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
import {
|
|
2
2
|
createCnos
|
|
3
|
-
} from "../chunk-
|
|
4
|
-
import "../chunk-
|
|
5
|
-
import "../chunk-
|
|
6
|
-
import "../chunk-
|
|
7
|
-
import "../chunk-
|
|
8
|
-
import "../chunk-
|
|
9
|
-
import "../chunk-
|
|
10
|
-
import "../chunk-
|
|
3
|
+
} from "../chunk-7MUDEJSP.js";
|
|
4
|
+
import "../chunk-JQLV4OQU.js";
|
|
5
|
+
import "../chunk-4AAA2RHV.js";
|
|
6
|
+
import "../chunk-UMVFSHP2.js";
|
|
7
|
+
import "../chunk-N5DX5QEB.js";
|
|
8
|
+
import "../chunk-36AR262B.js";
|
|
9
|
+
import "../chunk-EJT2VJTM.js";
|
|
10
|
+
import "../chunk-ZH5QZQ7C.js";
|
|
11
11
|
|
|
12
12
|
// src/build/index.ts
|
|
13
13
|
async function resolveBrowserData(options = {}) {
|
|
@@ -1,27 +1,27 @@
|
|
|
1
|
-
import {
|
|
2
|
-
createDotenvPlugin
|
|
3
|
-
} from "./chunk-OA7FQGAG.js";
|
|
4
1
|
import {
|
|
5
2
|
createEnvExportPlugin,
|
|
6
3
|
createPublicEnvExportPlugin
|
|
7
|
-
} from "./chunk-
|
|
4
|
+
} from "./chunk-JQLV4OQU.js";
|
|
8
5
|
import {
|
|
9
6
|
createFilesystemSecretsPlugin,
|
|
10
7
|
createFilesystemValuesPlugin
|
|
11
|
-
} from "./chunk-
|
|
8
|
+
} from "./chunk-4AAA2RHV.js";
|
|
12
9
|
import {
|
|
13
10
|
createProcessEnvPlugin
|
|
14
|
-
} from "./chunk-
|
|
11
|
+
} from "./chunk-UMVFSHP2.js";
|
|
15
12
|
import {
|
|
16
13
|
createBasicSchemaPlugin
|
|
17
|
-
} from "./chunk-
|
|
14
|
+
} from "./chunk-N5DX5QEB.js";
|
|
18
15
|
import {
|
|
19
16
|
createCliArgsPlugin
|
|
20
|
-
} from "./chunk-
|
|
17
|
+
} from "./chunk-36AR262B.js";
|
|
18
|
+
import {
|
|
19
|
+
createDotenvPlugin
|
|
20
|
+
} from "./chunk-EJT2VJTM.js";
|
|
21
21
|
import {
|
|
22
22
|
createCnos,
|
|
23
23
|
createProvenanceInspector
|
|
24
|
-
} from "./chunk-
|
|
24
|
+
} from "./chunk-ZH5QZQ7C.js";
|
|
25
25
|
|
|
26
26
|
// src/defaultPlugins.ts
|
|
27
27
|
function defaultPlugins() {
|
|
@@ -68,7 +68,7 @@ function setBootstrappedSecretHydrationRequired(value) {
|
|
|
68
68
|
// package.json
|
|
69
69
|
var package_default = {
|
|
70
70
|
name: "@kitsy/cnos",
|
|
71
|
-
version: "1.8.
|
|
71
|
+
version: "1.8.3",
|
|
72
72
|
description: "Batteries-included CNOS runtime package wired with the official plugins.",
|
|
73
73
|
type: "module",
|
|
74
74
|
main: "./dist/index.cjs",
|
|
@@ -3,7 +3,7 @@ import {
|
|
|
3
3
|
graphRequiresSecretHydration,
|
|
4
4
|
readRuntimeGraphFromEnv,
|
|
5
5
|
readServerProjectionFromEnv
|
|
6
|
-
} from "./chunk-
|
|
6
|
+
} from "./chunk-DL5G3QSZ.js";
|
|
7
7
|
import {
|
|
8
8
|
createCnos,
|
|
9
9
|
getBootstrappedSecretHydrationRequired,
|
|
@@ -12,7 +12,7 @@ import {
|
|
|
12
12
|
setBootstrappedSecretHydrationRequired,
|
|
13
13
|
setSingletonReady,
|
|
14
14
|
setSingletonRuntime
|
|
15
|
-
} from "./chunk-
|
|
15
|
+
} from "./chunk-7MUDEJSP.js";
|
|
16
16
|
import {
|
|
17
17
|
createDefaultRuntimeProviders,
|
|
18
18
|
createDerivedRuntimeSupport,
|
|
@@ -28,7 +28,7 @@ import {
|
|
|
28
28
|
toLogicalKey,
|
|
29
29
|
toNamespaceObject,
|
|
30
30
|
toPublicEnv
|
|
31
|
-
} from "./chunk-
|
|
31
|
+
} from "./chunk-ZH5QZQ7C.js";
|
|
32
32
|
|
|
33
33
|
// src/runtime/index.ts
|
|
34
34
|
import { existsSync, readFileSync } from "fs";
|
|
@@ -474,7 +474,14 @@ function attachBootstrappedProjection(projection, force = false) {
|
|
|
474
474
|
if (!ref) {
|
|
475
475
|
return void 0;
|
|
476
476
|
}
|
|
477
|
-
const definition = {
|
|
477
|
+
const definition = {
|
|
478
|
+
provider: ref.provider,
|
|
479
|
+
...ref.envVar ? {
|
|
480
|
+
mapping: {
|
|
481
|
+
[ref.envVar]: ref.ref
|
|
482
|
+
}
|
|
483
|
+
} : {}
|
|
484
|
+
};
|
|
478
485
|
const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
|
|
479
486
|
const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
|
|
480
487
|
await provider.authenticate(auth);
|
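Review bot: In the `@@ -474,7 +474,14 @@` hunk `ref.provider` and `ref.envVar` go from the bootstrapped projection straight into the vault definition, so the projection's contents decide which `process.env` key the provider returned by `createSecretVaultProvider` is mapped to (how the provider consumes `mapping` is not visible here). The projection appears to be read from the environment (`readServerProjectionFromEnv` is imported at the top of this file), so it is presumably as trusted as the process itself, but nothing in the hunk checks that `envVar` is a string or a plausible variable name. A narrow check before the spread would keep a malformed projection from mapping a secret ref onto an arbitrary key: `const envVar = typeof ref.envVar === "string" && /^[A-Za-z_][A-Za-z0-9_]*$/.test(ref.envVar) ? ref.envVar : void 0;`, then `...envVar ? { mapping: { [envVar]: ref.ref } } : {}`. The enclosing function starts and ends outside the hunk.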
|
@@ -1532,7 +1532,7 @@ function normalizeVaultAuth(vaultName, provider, auth) {
|
|
|
1532
1532
|
...auth?.config ? { config: auth.config } : {}
|
|
1533
1533
|
};
|
|
1534
1534
|
}
|
|
1535
|
-
if (provider === "github-secrets") {
|
|
1535
|
+
if (provider === "github-secrets" || provider === "environment") {
|
|
1536
1536
|
return {
|
|
1537
1537
|
method: auth?.method ?? "environment",
|
|
1538
1538
|
...auth?.config ? { config: auth.config } : {}
|
|
@@ -2019,7 +2019,7 @@ function resolveConfiguredVaultPassphrase(definition, vault = "default", process
|
|
|
2019
2019
|
}
|
|
2020
2020
|
async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
|
|
2021
2021
|
if (definition?.provider !== "local") {
|
|
2022
|
-
return definition?.provider === "github-secrets" ? {
|
|
2022
|
+
return definition?.provider === "github-secrets" || definition?.provider === "environment" ? {
|
|
2023
2023
|
method: definition.auth?.method ?? "environment",
|
|
2024
2024
|
...definition?.auth?.config ? { config: definition.auth.config } : {}
|
|
2025
2025
|
} : void 0;
|
|
@@ -2134,8 +2134,8 @@ async function removeLocalVaultFiles(storeRoot, vault = "default") {
|
|
|
2134
2134
|
await rm2(path8.join(storeRoot, "vaults", vault), { recursive: true, force: true });
|
|
2135
2135
|
}
|
|
2136
2136
|
|
|
2137
|
-
// ../core/src/secrets/providers/
|
|
2138
|
-
var
|
|
2137
|
+
// ../core/src/secrets/providers/environment.ts
|
|
2138
|
+
var EnvironmentSecretsVaultProvider = class {
|
|
2139
2139
|
constructor(vaultId, definition, processEnv = process.env) {
|
|
2140
2140
|
this.vaultId = vaultId;
|
|
2141
2141
|
this.definition = definition;
|
|
@@ -2189,6 +2189,10 @@ var GithubSecretsVaultProvider = class {
|
|
|
2189
2189
|
}
|
|
2190
2190
|
};
|
|
2191
2191
|
|
|
2192
|
+
// ../core/src/secrets/providers/github.ts
|
|
2193
|
+
var GithubSecretsVaultProvider = class extends EnvironmentSecretsVaultProvider {
|
|
2194
|
+
};
|
|
2195
|
+
|
|
2192
2196
|
// ../core/src/secrets/auditLog.ts
|
|
2193
2197
|
import { appendFile, mkdir as mkdir5 } from "fs/promises";
|
|
2194
2198
|
import path9 from "path";
|
|
@@ -2301,6 +2305,9 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
|
|
|
2301
2305
|
if (definition.provider === "local") {
|
|
2302
2306
|
return new LocalSecretVaultProvider(vaultId, definition, processEnv);
|
|
2303
2307
|
}
|
|
2308
|
+
if (definition.provider === "environment") {
|
|
2309
|
+
return new EnvironmentSecretsVaultProvider(vaultId, definition, processEnv);
|
|
2310
|
+
}
|
|
2304
2311
|
if (definition.provider === "github-secrets") {
|
|
2305
2312
|
return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
|
|
2306
2313
|
}
|
|
@@ -2356,7 +2363,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
|
|
|
2356
2363
|
...definition.auth?.config ? { config: definition.auth.config } : {}
|
|
2357
2364
|
};
|
|
2358
2365
|
}
|
|
2359
|
-
if (definition.provider === "github-secrets") {
|
|
2366
|
+
if (definition.provider === "github-secrets" || definition.provider === "environment") {
|
|
2360
2367
|
return {
|
|
2361
2368
|
method: definition.auth?.method ?? "environment",
|
|
2362
2369
|
...definition.auth?.config ? { config: definition.auth.config } : {}
|
|
@@ -3558,10 +3565,20 @@ function stableSortObject(value) {
|
|
|
3558
3565
|
function stripValuePrefix(key) {
|
|
3559
3566
|
return key.startsWith("value.") ? key.slice("value.".length) : key;
|
|
3560
3567
|
}
|
|
3568
|
+
function resolveProjectedEnvVar(manifest, vaultId, ref) {
|
|
3569
|
+
const mapping = manifest.vaults[vaultId]?.mapping;
|
|
3570
|
+
if (!mapping) {
|
|
3571
|
+
return void 0;
|
|
3572
|
+
}
|
|
3573
|
+
return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
|
|
3574
|
+
}
|
|
3561
3575
|
function configHash(values) {
|
|
3562
3576
|
const serialized = JSON.stringify(stableSortObject(values));
|
|
3563
3577
|
return createHash2("sha256").update(serialized).digest("hex");
|
|
3564
3578
|
}
|
|
3579
|
+
function shouldProjectResolvedValue(sourceId) {
|
|
3580
|
+
return sourceId !== "process-env";
|
|
3581
|
+
}
|
|
3565
3582
|
function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
|
|
3566
3583
|
const values = {};
|
|
3567
3584
|
const derived = {};
|
|
@@ -3571,14 +3588,22 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
|
|
|
3571
3588
|
const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
|
|
3572
3589
|
for (const [key, entry] of graph.entries) {
|
|
3573
3590
|
if (entry.namespace === "secret" && isSecretReference(entry.value)) {
|
|
3591
|
+
const vaultId = entry.value.vault ?? "default";
|
|
3592
|
+
const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
|
|
3574
3593
|
secretRefs[key.slice("secret.".length)] = {
|
|
3575
3594
|
provider: entry.value.provider,
|
|
3576
|
-
vault:
|
|
3577
|
-
ref: entry.value.ref
|
|
3595
|
+
vault: vaultId,
|
|
3596
|
+
ref: entry.value.ref,
|
|
3597
|
+
...envVar ? {
|
|
3598
|
+
envVar
|
|
3599
|
+
} : {}
|
|
3578
3600
|
};
|
|
3579
3601
|
continue;
|
|
3580
3602
|
}
|
|
3581
3603
|
if (entry.namespace === "value") {
|
|
3604
|
+
if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
|
|
3605
|
+
continue;
|
|
3606
|
+
}
|
|
3582
3607
|
if (helpers.isRuntimeDependent?.(key)) {
|
|
3583
3608
|
const formula = helpers.toServerFormula?.(key);
|
|
3584
3609
|
if (formula) {
|
|
@@ -3595,6 +3620,9 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
|
|
|
3595
3620
|
}
|
|
3596
3621
|
const namespaceDefinition = manifest.namespaces[entry.namespace];
|
|
3597
3622
|
if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
|
|
3623
|
+
if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
|
|
3624
|
+
continue;
|
|
3625
|
+
}
|
|
3598
3626
|
if (helpers.isRuntimeDependent?.(key)) {
|
|
3599
3627
|
const formula = helpers.toServerFormula?.(key);
|
|
3600
3628
|
if (formula) {
|
|
@@ -3926,7 +3954,7 @@ async function createCnos(options = {}) {
|
|
|
3926
3954
|
});
|
|
3927
3955
|
const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
|
|
3928
3956
|
const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
|
|
3929
|
-
const secretCache = options.secretResolution === "lazy" ?
|
|
3957
|
+
const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
|
|
3930
3958
|
return createRuntime(
|
|
3931
3959
|
loadedManifest.manifest,
|
|
3932
3960
|
appendMetaEntries({
|
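Review bot: `resolveProjectedEnvVar` in the `@@ -3558,10 +3565,20 @@` hunk guards a missing vault entry with `?.` but not a missing `manifest.vaults`, and it returns the first env var whose mapped ref equals `ref`. A manifest without a `vaults` table would throw here for every secret reference (whether normalization always supplies one is not visible), and when two variables map to the same ref the projected `envVar` depends on key order in the mapping. Suggest `const mapping = manifest.vaults?.[vaultId]?.mapping;` plus a one-line comment stating that the first matching variable wins. The same function appears in package/dist/build/index.cjs and package/dist/configure/index.cjs.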
package/dist/configure/index.cjs
CHANGED
|
@@ -1519,7 +1519,7 @@ function normalizeVaultAuth(vaultName, provider, auth) {
|
|
|
1519
1519
|
...auth?.config ? { config: auth.config } : {}
|
|
1520
1520
|
};
|
|
1521
1521
|
}
|
|
1522
|
-
if (provider === "github-secrets") {
|
|
1522
|
+
if (provider === "github-secrets" || provider === "environment") {
|
|
1523
1523
|
return {
|
|
1524
1524
|
method: auth?.method ?? "environment",
|
|
1525
1525
|
...auth?.config ? { config: auth.config } : {}
|
|
@@ -2623,7 +2623,7 @@ function resolveConfiguredVaultPassphrase(definition, vault = "default", process
|
|
|
2623
2623
|
}
|
|
2624
2624
|
async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
|
|
2625
2625
|
if (definition?.provider !== "local") {
|
|
2626
|
-
return definition?.provider === "github-secrets" ? {
|
|
2626
|
+
return definition?.provider === "github-secrets" || definition?.provider === "environment" ? {
|
|
2627
2627
|
method: definition.auth?.method ?? "environment",
|
|
2628
2628
|
...definition?.auth?.config ? { config: definition.auth.config } : {}
|
|
2629
2629
|
} : void 0;
|
|
@@ -2781,8 +2781,8 @@ var SecretCache = class {
|
|
|
2781
2781
|
}
|
|
2782
2782
|
};
|
|
2783
2783
|
|
|
2784
|
-
// ../core/src/secrets/providers/
|
|
2785
|
-
var
|
|
2784
|
+
// ../core/src/secrets/providers/environment.ts
|
|
2785
|
+
var EnvironmentSecretsVaultProvider = class {
|
|
2786
2786
|
constructor(vaultId, definition, processEnv = process.env) {
|
|
2787
2787
|
this.vaultId = vaultId;
|
|
2788
2788
|
this.definition = definition;
|
|
@@ -2836,6 +2836,10 @@ var GithubSecretsVaultProvider = class {
|
|
|
2836
2836
|
}
|
|
2837
2837
|
};
|
|
2838
2838
|
|
|
2839
|
+
// ../core/src/secrets/providers/github.ts
|
|
2840
|
+
var GithubSecretsVaultProvider = class extends EnvironmentSecretsVaultProvider {
|
|
2841
|
+
};
|
|
2842
|
+
|
|
2839
2843
|
// ../core/src/secrets/providers/local.ts
|
|
2840
2844
|
var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
|
|
2841
2845
|
constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
|
|
@@ -2931,6 +2935,9 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
|
|
|
2931
2935
|
if (definition.provider === "local") {
|
|
2932
2936
|
return new LocalSecretVaultProvider(vaultId, definition, processEnv);
|
|
2933
2937
|
}
|
|
2938
|
+
if (definition.provider === "environment") {
|
|
2939
|
+
return new EnvironmentSecretsVaultProvider(vaultId, definition, processEnv);
|
|
2940
|
+
}
|
|
2934
2941
|
if (definition.provider === "github-secrets") {
|
|
2935
2942
|
return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
|
|
2936
2943
|
}
|
|
@@ -2986,7 +2993,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
|
|
|
2986
2993
|
...definition.auth?.config ? { config: definition.auth.config } : {}
|
|
2987
2994
|
};
|
|
2988
2995
|
}
|
|
2989
|
-
if (definition.provider === "github-secrets") {
|
|
2996
|
+
if (definition.provider === "github-secrets" || definition.provider === "environment") {
|
|
2990
2997
|
return {
|
|
2991
2998
|
method: definition.auth?.method ?? "environment",
|
|
2992
2999
|
...definition.auth?.config ? { config: definition.auth.config } : {}
|
|
@@ -3168,10 +3175,20 @@ function stableSortObject(value) {
|
|
|
3168
3175
|
function stripValuePrefix(key) {
|
|
3169
3176
|
return key.startsWith("value.") ? key.slice("value.".length) : key;
|
|
3170
3177
|
}
|
|
3178
|
+
function resolveProjectedEnvVar(manifest, vaultId, ref) {
|
|
3179
|
+
const mapping = manifest.vaults[vaultId]?.mapping;
|
|
3180
|
+
if (!mapping) {
|
|
3181
|
+
return void 0;
|
|
3182
|
+
}
|
|
3183
|
+
return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
|
|
3184
|
+
}
|
|
3171
3185
|
function configHash(values) {
|
|
3172
3186
|
const serialized = JSON.stringify(stableSortObject(values));
|
|
3173
3187
|
return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
|
|
3174
3188
|
}
|
|
3189
|
+
function shouldProjectResolvedValue(sourceId) {
|
|
3190
|
+
return sourceId !== "process-env";
|
|
3191
|
+
}
|
|
3175
3192
|
function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
|
|
3176
3193
|
const values = {};
|
|
3177
3194
|
const derived = {};
|
|
@@ -3181,14 +3198,22 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
|
|
|
3181
3198
|
const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
|
|
3182
3199
|
for (const [key, entry] of graph.entries) {
|
|
3183
3200
|
if (entry.namespace === "secret" && isSecretReference(entry.value)) {
|
|
3201
|
+
const vaultId = entry.value.vault ?? "default";
|
|
3202
|
+
const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
|
|
3184
3203
|
secretRefs[key.slice("secret.".length)] = {
|
|
3185
3204
|
provider: entry.value.provider,
|
|
3186
|
-
vault:
|
|
3187
|
-
ref: entry.value.ref
|
|
3205
|
+
vault: vaultId,
|
|
3206
|
+
ref: entry.value.ref,
|
|
3207
|
+
...envVar ? {
|
|
3208
|
+
envVar
|
|
3209
|
+
} : {}
|
|
3188
3210
|
};
|
|
3189
3211
|
continue;
|
|
3190
3212
|
}
|
|
3191
3213
|
if (entry.namespace === "value") {
|
|
3214
|
+
if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
|
|
3215
|
+
continue;
|
|
3216
|
+
}
|
|
3192
3217
|
if (helpers.isRuntimeDependent?.(key)) {
|
|
3193
3218
|
const formula = helpers.toServerFormula?.(key);
|
|
3194
3219
|
if (formula) {
|
|
@@ -3205,6 +3230,9 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
|
|
|
3205
3230
|
}
|
|
3206
3231
|
const namespaceDefinition = manifest.namespaces[entry.namespace];
|
|
3207
3232
|
if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
|
|
3233
|
+
if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
|
|
3234
|
+
continue;
|
|
3235
|
+
}
|
|
3208
3236
|
if (helpers.isRuntimeDependent?.(key)) {
|
|
3209
3237
|
const formula = helpers.toServerFormula?.(key);
|
|
3210
3238
|
if (formula) {
|
|
@@ -3633,7 +3661,7 @@ async function createCnos(options = {}) {
|
|
|
3633
3661
|
});
|
|
3634
3662
|
const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
|
|
3635
3663
|
const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
|
|
3636
|
-
const secretCache = options.secretResolution === "lazy" ?
|
|
3664
|
+
const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
|
|
3637
3665
|
return createRuntime(
|
|
3638
3666
|
loadedManifest.manifest,
|
|
3639
3667
|
appendMetaEntries({
|
|
@@ -3728,7 +3756,7 @@ function envVarToLogicalKey(envVar, config = {}) {
|
|
|
3728
3756
|
// package.json
|
|
3729
3757
|
var package_default = {
|
|
3730
3758
|
name: "@kitsy/cnos",
|
|
3731
|
-
version: "1.8.
|
|
3759
|
+
version: "1.8.3",
|
|
3732
3760
|
description: "Batteries-included CNOS runtime package wired with the official plugins.",
|
|
3733
3761
|
type: "module",
|
|
3734
3762
|
main: "./dist/index.cjs",
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-
|
|
2
|
-
export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-
|
|
3
|
-
export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-
|
|
1
|
+
import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-zDTUSVx9.cjs';
|
|
2
|
+
export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-zDTUSVx9.cjs';
|
|
3
|
+
export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Ds1DRwCX.cjs';
|
|
4
4
|
|
|
5
5
|
declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
|
|
6
6
|
declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-
|
|
2
|
-
export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-
|
|
3
|
-
export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-
|
|
1
|
+
import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-zDTUSVx9.js';
|
|
2
|
+
export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-zDTUSVx9.js';
|
|
3
|
+
export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CT265rzS.js';
|
|
4
4
|
|
|
5
5
|
declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
|
|
6
6
|
declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;
|
package/dist/configure/index.js
CHANGED
|
@@ -1,19 +1,19 @@
|
|
|
1
1
|
import {
|
|
2
2
|
createCnos,
|
|
3
3
|
defaultPlugins
|
|
4
|
-
} from "../chunk-
|
|
5
|
-
import "../chunk-
|
|
6
|
-
import "../chunk-
|
|
7
|
-
import "../chunk-
|
|
8
|
-
import "../chunk-
|
|
9
|
-
import "../chunk-
|
|
10
|
-
import "../chunk-
|
|
4
|
+
} from "../chunk-7MUDEJSP.js";
|
|
5
|
+
import "../chunk-JQLV4OQU.js";
|
|
6
|
+
import "../chunk-4AAA2RHV.js";
|
|
7
|
+
import "../chunk-UMVFSHP2.js";
|
|
8
|
+
import "../chunk-N5DX5QEB.js";
|
|
9
|
+
import "../chunk-36AR262B.js";
|
|
10
|
+
import "../chunk-EJT2VJTM.js";
|
|
11
11
|
import {
|
|
12
12
|
planDump,
|
|
13
13
|
toEnv,
|
|
14
14
|
toPublicEnv,
|
|
15
15
|
writeDump
|
|
16
|
-
} from "../chunk-
|
|
16
|
+
} from "../chunk-ZH5QZQ7C.js";
|
|
17
17
|
export {
|
|
18
18
|
createCnos,
|
|
19
19
|
defaultPlugins,
|
|
@@ -46,7 +46,7 @@ interface WorkspaceContext {
|
|
|
46
46
|
type ResolutionArrayPolicy = 'replace' | 'append' | 'unique-append';
|
|
47
47
|
type NamespaceKind = 'data' | 'projection' | 'system';
|
|
48
48
|
type NamespaceProjectionSource = 'promote' | 'envMapping';
|
|
49
|
-
type VaultProviderName = 'local' | 'github-secrets' | (string & {});
|
|
49
|
+
type VaultProviderName = 'local' | 'environment' | 'github-secrets' | (string & {});
|
|
50
50
|
type VaultAuthMethod = 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
|
|
51
51
|
interface RuntimeNamespaceDefinition {
|
|
52
52
|
description?: string;
|
|
@@ -467,7 +467,9 @@ interface ServerProjection {
|
|
|
467
467
|
configHash: string;
|
|
468
468
|
values: Record<string, unknown>;
|
|
469
469
|
derived: Record<string, DerivedFormula>;
|
|
470
|
-
secretRefs: Record<string, SecretReference
|
|
470
|
+
secretRefs: Record<string, SecretReference & {
|
|
471
|
+
envVar?: string;
|
|
472
|
+
}>;
|
|
471
473
|
publicKeys: string[];
|
|
472
474
|
runtimeNamespaces: string[];
|
|
473
475
|
meta: {
|