@kitsy/cnos 1.8.1 → 1.8.3

package/dist/{core-BJ8xewez.d.ts → core-zDTUSVx9.d.ts}

@@ -46,7 +46,7 @@ interface WorkspaceContext {
 type ResolutionArrayPolicy = 'replace' | 'append' | 'unique-append';
 type NamespaceKind = 'data' | 'projection' | 'system';
 type NamespaceProjectionSource = 'promote' | 'envMapping';
-type VaultProviderName = 'local' | 'github-secrets' | (string & {});
+type VaultProviderName = 'local' | 'environment' | 'github-secrets' | (string & {});
 type VaultAuthMethod = 'passphrase' | 'environment' | 'token' | 'iam' | 'keychain';
 interface RuntimeNamespaceDefinition {
     description?: string;
@@ -467,7 +467,9 @@ interface ServerProjection {
     configHash: string;
     values: Record<string, unknown>;
     derived: Record<string, DerivedFormula>;
-    secretRefs: Record<string, SecretReference>;
+    secretRefs: Record<string, SecretReference & {
+        envVar?: string;
+    }>;
     publicKeys: string[];
     runtimeNamespaces: string[];
     meta: {

package/dist/{envNaming-BRyiuPoI.d.ts → envNaming-BkorOKW_.d.ts}

@@ -1,4 +1,4 @@
-import { N as NormalizedManifest, b as LogicalKey } from './core-BJ8xewez.js';
+import { N as NormalizedManifest, b as LogicalKey } from './core-zDTUSVx9.js';
 
 interface EnvMappingConfig {
     convention?: NormalizedManifest['envMapping']['convention'];

package/dist/{envNaming-rx71gpi0.d.cts → envNaming-EFzezmB3.d.cts}

@@ -1,4 +1,4 @@
-import { N as NormalizedManifest, b as LogicalKey } from './core-BJ8xewez.cjs';
+import { N as NormalizedManifest, b as LogicalKey } from './core-zDTUSVx9.cjs';
 
 interface EnvMappingConfig {
     convention?: NormalizedManifest['envMapping']['convention'];

package/dist/index.cjs

@@ -1519,7 +1519,7 @@ function normalizeVaultAuth(vaultName, provider, auth) {
       ...auth?.config ? { config: auth.config } : {}
     };
   }
-  if (provider === "github-secrets") {
+  if (provider === "github-secrets" || provider === "environment") {
     return {
       method: auth?.method ?? "environment",
       ...auth?.config ? { config: auth.config } : {}
@@ -2623,7 +2623,7 @@ function resolveConfiguredVaultPassphrase(definition, vault = "default", process
 }
 async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
   if (definition?.provider !== "local") {
-    return definition?.provider === "github-secrets" ? {
+    return definition?.provider === "github-secrets" || definition?.provider === "environment" ? {
       method: definition.auth?.method ?? "environment",
       ...definition?.auth?.config ? { config: definition.auth.config } : {}
     } : void 0;
@@ -2781,8 +2781,8 @@ var SecretCache = class {
   }
 };
 
-// ../core/src/secrets/providers/github.ts
-var GithubSecretsVaultProvider = class {
+// ../core/src/secrets/providers/environment.ts
+var EnvironmentSecretsVaultProvider = class {
   constructor(vaultId, definition, processEnv = process.env) {
     this.vaultId = vaultId;
     this.definition = definition;
@@ -2836,6 +2836,10 @@ var GithubSecretsVaultProvider = class {
   }
 };
 
+// ../core/src/secrets/providers/github.ts
+var GithubSecretsVaultProvider = class extends EnvironmentSecretsVaultProvider {
+};
+
 // ../core/src/secrets/providers/local.ts
 var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
   constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
@@ -2931,6 +2935,9 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
+  if (definition.provider === "environment") {
+    return new EnvironmentSecretsVaultProvider(vaultId, definition, processEnv);
+  }
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
@@ -2986,7 +2993,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
-  if (definition.provider === "github-secrets") {
+  if (definition.provider === "github-secrets" || definition.provider === "environment") {
     return {
       method: definition.auth?.method ?? "environment",
       ...definition.auth?.config ? { config: definition.auth.config } : {}
@@ -3168,10 +3175,20 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
 }
+function shouldProjectResolvedValue(sourceId) {
+  return sourceId !== "process-env";
+}
 function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
   const values = {};
   const derived = {};
@@ -3181,14 +3198,22 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
     if (entry.namespace === "value") {
+      if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
+        continue;
+      }
       if (helpers.isRuntimeDependent?.(key)) {
         const formula = helpers.toServerFormula?.(key);
         if (formula) {
@@ -3205,6 +3230,9 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
     }
     const namespaceDefinition = manifest.namespaces[entry.namespace];
     if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+      if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
+        continue;
+      }
       if (helpers.isRuntimeDependent?.(key)) {
         const formula = helpers.toServerFormula?.(key);
         if (formula) {
@@ -3633,7 +3661,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3686,7 +3714,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.1",
+  version: "1.8.3",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4876,7 +4904,14 @@ function attachBootstrappedProjection(projection, force = false) {
     if (!ref) {
       return void 0;
     }
-    const definition = { provider: ref.provider };
+    const definition = {
+      provider: ref.provider,
+      ...ref.envVar ? {
+        mapping: {
+          [ref.envVar]: ref.ref
+        }
+      } : {}
+    };
     const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
     const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
     await provider.authenticate(auth);

package/dist/index.d.cts

@@ -1,2 +1,2 @@
 export { CnosSingleton, default as cnos, default } from './runtime/index.cjs';
-export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-BJ8xewez.cjs';
+export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-zDTUSVx9.cjs';

package/dist/index.d.ts

@@ -1,2 +1,2 @@
 export { CnosSingleton, default as cnos, default } from './runtime/index.js';
-export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-BJ8xewez.js';
+export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-zDTUSVx9.js';

package/dist/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "./chunk-6IYR3LVA.js";
-import "./chunk-GHGJFRDL.js";
-import "./chunk-FJOOJGUD.js";
-import "./chunk-OA7FQGAG.js";
-import "./chunk-RYIARE4M.js";
-import "./chunk-TT4NV56Z.js";
-import "./chunk-UL63DFLS.js";
-import "./chunk-5KIQCYFH.js";
-import "./chunk-2DGT7N7E.js";
-import "./chunk-2TL42I6M.js";
+} from "./chunk-SUMWGMRA.js";
+import "./chunk-DL5G3QSZ.js";
+import "./chunk-7MUDEJSP.js";
+import "./chunk-JQLV4OQU.js";
+import "./chunk-4AAA2RHV.js";
+import "./chunk-UMVFSHP2.js";
+import "./chunk-N5DX5QEB.js";
+import "./chunk-36AR262B.js";
+import "./chunk-EJT2VJTM.js";
+import "./chunk-ZH5QZQ7C.js";
 export {
   runtime_default as cnos,
   runtime_default as default

package/dist/internal.cjs

@@ -1210,7 +1210,7 @@ function normalizeVaultAuth(vaultName, provider, auth) {
       ...auth?.config ? { config: auth.config } : {}
     };
   }
-  if (provider === "github-secrets") {
+  if (provider === "github-secrets" || provider === "environment") {
     return {
       method: auth?.method ?? "environment",
       ...auth?.config ? { config: auth.config } : {}
@@ -1715,7 +1715,7 @@ function resolveConfiguredVaultPassphrase(definition, vault = "default", process
 }
 async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
   if (definition?.provider !== "local") {
-    return definition?.provider === "github-secrets" ? {
+    return definition?.provider === "github-secrets" || definition?.provider === "environment" ? {
       method: definition.auth?.method ?? "environment",
       ...definition?.auth?.config ? { config: definition.auth.config } : {}
     } : void 0;
@@ -1845,8 +1845,8 @@ async function appendAuditEvent(event, processEnv = process.env) {
   );
 }
 
-// ../core/src/secrets/providers/github.ts
-var GithubSecretsVaultProvider = class {
+// ../core/src/secrets/providers/environment.ts
+var EnvironmentSecretsVaultProvider = class {
   constructor(vaultId, definition, processEnv = process.env) {
     this.vaultId = vaultId;
     this.definition = definition;
@@ -1900,6 +1900,10 @@ var GithubSecretsVaultProvider = class {
   }
 };
 
+// ../core/src/secrets/providers/github.ts
+var GithubSecretsVaultProvider = class extends EnvironmentSecretsVaultProvider {
+};
+
 // ../core/src/secrets/providers/local.ts
 var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
   constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
@@ -1995,6 +1999,9 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
+  if (definition.provider === "environment") {
+    return new EnvironmentSecretsVaultProvider(vaultId, definition, processEnv);
+  }
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
@@ -2050,7 +2057,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
-  if (definition.provider === "github-secrets") {
+  if (definition.provider === "github-secrets" || definition.provider === "environment") {
     return {
       method: definition.auth?.method ?? "environment",
       ...definition.auth?.config ? { config: definition.auth.config } : {}

package/dist/internal.d.cts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-BJ8xewez.cjs';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-BJ8xewez.cjs';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-zDTUSVx9.cjs';
+export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-zDTUSVx9.cjs';
 
 declare class CnosError extends Error {
     constructor(message: string);

package/dist/internal.d.ts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-BJ8xewez.js';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-BJ8xewez.js';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-zDTUSVx9.js';
+export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-zDTUSVx9.js';
 
 declare class CnosError extends Error {
     constructor(message: string);

package/dist/internal.js

@@ -11,7 +11,7 @@ import {
   serializeRuntimeGraph,
   serializeSecretPayload,
   serializeServerProjection
-} from "./chunk-GHGJFRDL.js";
+} from "./chunk-DL5G3QSZ.js";
 import {
   CnosAuthenticationError,
   CnosSecurityError,
@@ -64,7 +64,7 @@ import {
   writeLocalSecret,
   writeRemoteRootCacheMetadata,
   writeVaultSessionKey
-} from "./chunk-2TL42I6M.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // src/codegen/generateTypes.ts
 function toPascalCase(value) {

package/dist/plugin/basic-schema.d.cts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-BJ8xewez.cjs';
+import { V as ValidatorPlugin } from '../core-zDTUSVx9.cjs';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.d.ts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-BJ8xewez.js';
+import { V as ValidatorPlugin } from '../core-zDTUSVx9.js';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-5KIQCYFH.js";
-import "../chunk-2TL42I6M.js";
+} from "../chunk-N5DX5QEB.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.d.cts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-BJ8xewez.cjs';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-zDTUSVx9.cjs';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.d.ts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-BJ8xewez.js';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-zDTUSVx9.js';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-2DGT7N7E.js";
-import "../chunk-2TL42I6M.js";
+} from "../chunk-36AR262B.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-BJ8xewez.cjs';
-import { E as EnvMappingConfig } from '../envNaming-rx71gpi0.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.cjs';
+import { E as EnvMappingConfig } from '../envNaming-EFzezmB3.cjs';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-BJ8xewez.js';
-import { E as EnvMappingConfig } from '../envNaming-BRyiuPoI.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.js';
+import { E as EnvMappingConfig } from '../envNaming-BkorOKW_.js';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-OA7FQGAG.js";
-import "../chunk-2TL42I6M.js";
+} from "../chunk-EJT2VJTM.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.d.cts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-BJ8xewez.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-ivRtLjcw.cjs';
+import { E as ExporterPlugin } from '../core-zDTUSVx9.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Ds1DRwCX.cjs';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.d.ts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-BJ8xewez.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CCSgdvI9.js';
+import { E as ExporterPlugin } from '../core-zDTUSVx9.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CT265rzS.js';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.js

@@ -1,11 +1,11 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "../chunk-RYIARE4M.js";
+} from "../chunk-JQLV4OQU.js";
 import {
   toEnv,
   toPublicEnv
-} from "../chunk-2TL42I6M.js";
+} from "../chunk-ZH5QZQ7C.js";
 export {
   createEnvExportPlugin,
   createPublicEnvExportPlugin,

package/dist/plugin/filesystem.d.cts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-BJ8xewez.cjs';
+import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-zDTUSVx9.cjs';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.d.ts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-BJ8xewez.js';
+import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-zDTUSVx9.js';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.js

@@ -5,8 +5,8 @@ import {
   filesystemSecretsReader,
   filesystemValuesReader,
   yamlObjectToEntries
-} from "../chunk-TT4NV56Z.js";
-import "../chunk-2TL42I6M.js";
+} from "../chunk-4AAA2RHV.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   collectFilesystemLayerFiles,
   createFilesystemSecretsPlugin,

package/dist/plugin/process-env.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-BJ8xewez.cjs';
-import { E as EnvMappingConfig } from '../envNaming-rx71gpi0.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.cjs';
+import { E as EnvMappingConfig } from '../envNaming-EFzezmB3.cjs';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function processNamespaceEntriesFromContext(env: Record<string, string | undefined>, workspaceId?: string): ConfigEntry[];

package/dist/plugin/process-env.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-BJ8xewez.js';
-import { E as EnvMappingConfig } from '../envNaming-BRyiuPoI.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.js';
+import { E as EnvMappingConfig } from '../envNaming-BkorOKW_.js';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function processNamespaceEntriesFromContext(env: Record<string, string | undefined>, workspaceId?: string): ConfigEntry[];

package/dist/plugin/process-env.js

@@ -2,8 +2,8 @@ import {
   createProcessEnvPlugin,
   processEnvEntriesFromObject,
   processNamespaceEntriesFromContext
-} from "../chunk-UL63DFLS.js";
-import "../chunk-2TL42I6M.js";
+} from "../chunk-UMVFSHP2.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   createProcessEnvPlugin,
   processEnvEntriesFromObject,

package/dist/runtime/index.cjs

@@ -1516,7 +1516,7 @@ function normalizeVaultAuth(vaultName, provider, auth) {
       ...auth?.config ? { config: auth.config } : {}
     };
   }
-  if (provider === "github-secrets") {
+  if (provider === "github-secrets" || provider === "environment") {
     return {
       method: auth?.method ?? "environment",
       ...auth?.config ? { config: auth.config } : {}
@@ -2620,7 +2620,7 @@ function resolveConfiguredVaultPassphrase(definition, vault = "default", process
 }
 async function resolveVaultAccessKey(storeRoot, definition, vault = "default", processEnv = process.env) {
   if (definition?.provider !== "local") {
-    return definition?.provider === "github-secrets" ? {
+    return definition?.provider === "github-secrets" || definition?.provider === "environment" ? {
       method: definition.auth?.method ?? "environment",
       ...definition?.auth?.config ? { config: definition.auth.config } : {}
     } : void 0;
@@ -2778,8 +2778,8 @@ var SecretCache = class {
   }
 };
 
-// ../core/src/secrets/providers/github.ts
-var GithubSecretsVaultProvider = class {
+// ../core/src/secrets/providers/environment.ts
+var EnvironmentSecretsVaultProvider = class {
   constructor(vaultId, definition, processEnv = process.env) {
     this.vaultId = vaultId;
     this.definition = definition;
@@ -2833,6 +2833,10 @@ var GithubSecretsVaultProvider = class {
   }
 };
 
+// ../core/src/secrets/providers/github.ts
+var GithubSecretsVaultProvider = class extends EnvironmentSecretsVaultProvider {
+};
+
 // ../core/src/secrets/providers/local.ts
 var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
   constructor(vaultId, definition, processEnv = process.env, storeRoot = resolveSecretStoreRoot(processEnv)) {
@@ -2928,6 +2932,9 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
+  if (definition.provider === "environment") {
+    return new EnvironmentSecretsVaultProvider(vaultId, definition, processEnv);
+  }
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
@@ -2983,7 +2990,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
-  if (definition.provider === "github-secrets") {
+  if (definition.provider === "github-secrets" || definition.provider === "environment") {
     return {
       method: definition.auth?.method ?? "environment",
       ...definition.auth?.config ? { config: definition.auth.config } : {}
@@ -3165,10 +3172,20 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
 }
+function shouldProjectResolvedValue(sourceId) {
+  return sourceId !== "process-env";
+}
 function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
   const values = {};
   const derived = {};
@@ -3178,14 +3195,22 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
     if (entry.namespace === "value") {
+      if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
+        continue;
+      }
       if (helpers.isRuntimeDependent?.(key)) {
         const formula = helpers.toServerFormula?.(key);
         if (formula) {
@@ -3202,6 +3227,9 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
     }
     const namespaceDefinition = manifest.namespaces[entry.namespace];
     if (namespaceDefinition && namespaceDefinition.kind === "data" && !namespaceDefinition.sensitive && entry.namespace !== "public") {
+      if (!shouldProjectResolvedValue(entry.winner.sourceId)) {
+        continue;
+      }
       if (helpers.isRuntimeDependent?.(key)) {
         const formula = helpers.toServerFormula?.(key);
         if (formula) {
@@ -3630,7 +3658,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3683,7 +3711,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.1",
+  version: "1.8.3",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4873,7 +4901,14 @@ function attachBootstrappedProjection(projection, force = false) {
     if (!ref) {
       return void 0;
     }
-    const definition = { provider: ref.provider };
+    const definition = {
+      provider: ref.provider,
+      ...ref.envVar ? {
+        mapping: {
+          [ref.envVar]: ref.ref
+        }
+      } : {}
+    };
     const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
     const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
     await provider.authenticate(auth);

package/dist/runtime/index.d.cts

@@ -1,4 +1,4 @@
-import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-BJ8xewez.cjs';
+import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-zDTUSVx9.cjs';
 
 interface CnosSingleton {
     <T = unknown>(key: LogicalKey): T | undefined;