@kitsy/cnos 1.8.2 → 1.8.4

package/dist/build/index.cjs

@@ -3173,6 +3173,13 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
@@ -3189,10 +3196,15 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
@@ -3647,7 +3659,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3700,7 +3712,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.2",
+  version: "1.8.4",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4424,12 +4436,33 @@ async function resolveFrameworkEnv(options = {}, framework = "generic", envOptio
   });
 }
 async function resolveServerProjection(options = {}) {
+  const secretResolution = options.secretResolution ?? "lazy";
   const runtime = await createCnos2({
     ...options,
-    cacheMode: options.cacheMode ?? "build"
+    cacheMode: options.cacheMode ?? "build",
+    secretResolution
   });
+  validateServerProjectionSecretRefs(runtime);
   return runtime.toServerProjection();
 }
+function validateServerProjectionSecretRefs(runtime) {
+  for (const entry of runtime.graph.entries.values()) {
+    if (entry.namespace !== "secret" || !isSecretReference(entry.value)) {
+      continue;
+    }
+    const vaultId = entry.value.vault ?? "default";
+    const definition = runtime.manifest.vaults[vaultId];
+    if (!definition) {
+      throw new CnosManifestError(`Unknown vault "${vaultId}" for secret ref "${entry.key}"`);
+    }
+    if (entry.value.provider !== definition.provider) {
+      throw new CnosManifestError(
+        `Secret ref "${entry.key}" declares provider "${entry.value.provider}" but vault "${vaultId}" uses provider "${definition.provider}"`
+      );
+    }
+    createSecretVaultProvider(vaultId, definition);
+  }
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   resolveBrowserData,

package/dist/build/index.d.cts

@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-CXgtC4VL.cjs';
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-zDTUSVx9.cjs';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});

package/dist/build/index.d.ts

@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-CXgtC4VL.js';
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-zDTUSVx9.js';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});

package/dist/build/index.js

@@ -1,13 +1,17 @@
 import {
   createCnos
-} from "../chunk-J7VEEREE.js";
-import "../chunk-DQGLBF6G.js";
-import "../chunk-B5TV5O6O.js";
-import "../chunk-DAFUP7EQ.js";
-import "../chunk-4MQBH4AY.js";
-import "../chunk-FWW7F52D.js";
-import "../chunk-KU73PJSQ.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-O2KTQ6PB.js";
+import "../chunk-JQLV4OQU.js";
+import "../chunk-4AAA2RHV.js";
+import "../chunk-UMVFSHP2.js";
+import "../chunk-N5DX5QEB.js";
+import "../chunk-36AR262B.js";
+import "../chunk-EJT2VJTM.js";
+import {
+  CnosManifestError,
+  createSecretVaultProvider,
+  isSecretReference
+} from "../chunk-ZH5QZQ7C.js";
 
 // src/build/index.ts
 async function resolveBrowserData(options = {}) {
@@ -86,12 +90,33 @@ async function resolveFrameworkEnv(options = {}, framework = "generic", envOptio
   });
 }
 async function resolveServerProjection(options = {}) {
+  const secretResolution = options.secretResolution ?? "lazy";
   const runtime = await createCnos({
     ...options,
-    cacheMode: options.cacheMode ?? "build"
+    cacheMode: options.cacheMode ?? "build",
+    secretResolution
   });
+  validateServerProjectionSecretRefs(runtime);
   return runtime.toServerProjection();
 }
+function validateServerProjectionSecretRefs(runtime) {
+  for (const entry of runtime.graph.entries.values()) {
+    if (entry.namespace !== "secret" || !isSecretReference(entry.value)) {
+      continue;
+    }
+    const vaultId = entry.value.vault ?? "default";
+    const definition = runtime.manifest.vaults[vaultId];
+    if (!definition) {
+      throw new CnosManifestError(`Unknown vault "${vaultId}" for secret ref "${entry.key}"`);
+    }
+    if (entry.value.provider !== definition.provider) {
+      throw new CnosManifestError(
+        `Secret ref "${entry.key}" declares provider "${entry.value.provider}" but vault "${vaultId}" uses provider "${definition.provider}"`
+      );
+    }
+    createSecretVaultProvider(vaultId, definition);
+  }
+}
 export {
   resolveBrowserData,
   resolveFrameworkEnv,

package/dist/{chunk-KU73PJSQ.js → chunk-36AR262B.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";

package/dist/{chunk-DAFUP7EQ.js → chunk-4AAA2RHV.js}

@@ -4,7 +4,7 @@ import {
   isSecretReference,
   parseYaml,
   toPortablePath
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";

package/dist/{chunk-VTUOWV3S.js → chunk-DL5G3QSZ.js}

@@ -1,6 +1,6 @@
 import {
   isSecretReference
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // src/runtime/bootstrap.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

package/dist/{chunk-DQGLBF6G.js → chunk-EJT2VJTM.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";

package/dist/{chunk-B5TV5O6O.js → chunk-JQLV4OQU.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-CP6K2DB3.js → chunk-LDFKY65G.js}

@@ -3,7 +3,7 @@ import {
   graphRequiresSecretHydration,
   readRuntimeGraphFromEnv,
   readServerProjectionFromEnv
-} from "./chunk-VTUOWV3S.js";
+} from "./chunk-DL5G3QSZ.js";
 import {
   createCnos,
   getBootstrappedSecretHydrationRequired,
@@ -12,7 +12,7 @@ import {
   setBootstrappedSecretHydrationRequired,
   setSingletonReady,
   setSingletonRuntime
-} from "./chunk-J7VEEREE.js";
+} from "./chunk-O2KTQ6PB.js";
 import {
   createDefaultRuntimeProviders,
   createDerivedRuntimeSupport,
@@ -28,7 +28,7 @@ import {
   toLogicalKey,
   toNamespaceObject,
   toPublicEnv
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // src/runtime/index.ts
 import { existsSync, readFileSync } from "fs";
@@ -474,7 +474,14 @@ function attachBootstrappedProjection(projection, force = false) {
     if (!ref) {
       return void 0;
     }
-    const definition = { provider: ref.provider };
+    const definition = {
+      provider: ref.provider,
+      ...ref.envVar ? {
+        mapping: {
+          [ref.envVar]: ref.ref
+        }
+      } : {}
+    };
     const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
     const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
     await provider.authenticate(auth);

package/dist/{chunk-FWW7F52D.js → chunk-N5DX5QEB.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {

package/dist/{chunk-J7VEEREE.js → chunk-O2KTQ6PB.js}

@@ -1,27 +1,27 @@
-import {
-  createDotenvPlugin
-} from "./chunk-DQGLBF6G.js";
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "./chunk-B5TV5O6O.js";
+} from "./chunk-JQLV4OQU.js";
 import {
   createFilesystemSecretsPlugin,
   createFilesystemValuesPlugin
-} from "./chunk-DAFUP7EQ.js";
+} from "./chunk-4AAA2RHV.js";
 import {
   createProcessEnvPlugin
-} from "./chunk-4MQBH4AY.js";
+} from "./chunk-UMVFSHP2.js";
 import {
   createBasicSchemaPlugin
-} from "./chunk-FWW7F52D.js";
+} from "./chunk-N5DX5QEB.js";
 import {
   createCliArgsPlugin
-} from "./chunk-KU73PJSQ.js";
+} from "./chunk-36AR262B.js";
+import {
+  createDotenvPlugin
+} from "./chunk-EJT2VJTM.js";
 import {
   createCnos,
   createProvenanceInspector
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // src/defaultPlugins.ts
 function defaultPlugins() {
@@ -68,7 +68,7 @@ function setBootstrappedSecretHydrationRequired(value) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.2",
+  version: "1.8.4",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/{chunk-4MQBH4AY.js → chunk-UMVFSHP2.js}

@@ -1,6 +1,6 @@
 import {
   envVarToLogicalKey
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";

package/dist/{chunk-5XOGTE42.js → chunk-ZH5QZQ7C.js}

@@ -3565,6 +3565,13 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return createHash2("sha256").update(serialized).digest("hex");
@@ -3581,10 +3588,15 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
@@ -3942,7 +3954,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({

package/dist/configure/index.cjs

@@ -3175,6 +3175,13 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
@@ -3191,10 +3198,15 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
@@ -3649,7 +3661,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3744,7 +3756,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.2",
+  version: "1.8.4",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/configure/index.d.cts

@@ -1,6 +1,6 @@
-import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-CXgtC4VL.cjs';
-export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-CXgtC4VL.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-C_MbUTdV.cjs';
+import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-zDTUSVx9.cjs';
+export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-zDTUSVx9.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Ds1DRwCX.cjs';
 
 declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
 declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;

package/dist/configure/index.d.ts

@@ -1,6 +1,6 @@
-import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-CXgtC4VL.js';
-export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-CXgtC4VL.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-B_dZDXDv.js';
+import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-zDTUSVx9.js';
+export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-zDTUSVx9.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CT265rzS.js';
 
 declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
 declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;

package/dist/configure/index.js

@@ -1,19 +1,19 @@
 import {
   createCnos,
   defaultPlugins
-} from "../chunk-J7VEEREE.js";
-import "../chunk-DQGLBF6G.js";
-import "../chunk-B5TV5O6O.js";
-import "../chunk-DAFUP7EQ.js";
-import "../chunk-4MQBH4AY.js";
-import "../chunk-FWW7F52D.js";
-import "../chunk-KU73PJSQ.js";
+} from "../chunk-O2KTQ6PB.js";
+import "../chunk-JQLV4OQU.js";
+import "../chunk-4AAA2RHV.js";
+import "../chunk-UMVFSHP2.js";
+import "../chunk-N5DX5QEB.js";
+import "../chunk-36AR262B.js";
+import "../chunk-EJT2VJTM.js";
 import {
   planDump,
   toEnv,
   toPublicEnv,
   writeDump
-} from "../chunk-5XOGTE42.js";
+} from "../chunk-ZH5QZQ7C.js";
 export {
   createCnos,
   defaultPlugins,

package/dist/{core-CXgtC4VL.d.cts → core-zDTUSVx9.d.cts}

@@ -467,7 +467,9 @@ interface ServerProjection {
     configHash: string;
     values: Record<string, unknown>;
     derived: Record<string, DerivedFormula>;
-    secretRefs: Record<string, SecretReference>;
+    secretRefs: Record<string, SecretReference & {
+        envVar?: string;
+    }>;
     publicKeys: string[];
     runtimeNamespaces: string[];
     meta: {

package/dist/{core-CXgtC4VL.d.ts → core-zDTUSVx9.d.ts}

@@ -467,7 +467,9 @@ interface ServerProjection {
     configHash: string;
     values: Record<string, unknown>;
     derived: Record<string, DerivedFormula>;
-    secretRefs: Record<string, SecretReference>;
+    secretRefs: Record<string, SecretReference & {
+        envVar?: string;
+    }>;
     publicKeys: string[];
     runtimeNamespaces: string[];
     meta: {

package/dist/{envNaming-CA6OluSg.d.ts → envNaming-BkorOKW_.d.ts}

@@ -1,4 +1,4 @@
-import { N as NormalizedManifest, b as LogicalKey } from './core-CXgtC4VL.js';
+import { N as NormalizedManifest, b as LogicalKey } from './core-zDTUSVx9.js';
 
 interface EnvMappingConfig {
     convention?: NormalizedManifest['envMapping']['convention'];

package/dist/{envNaming-BDtISWCK.d.cts → envNaming-EFzezmB3.d.cts}

@@ -1,4 +1,4 @@
-import { N as NormalizedManifest, b as LogicalKey } from './core-CXgtC4VL.cjs';
+import { N as NormalizedManifest, b as LogicalKey } from './core-zDTUSVx9.cjs';
 
 interface EnvMappingConfig {
     convention?: NormalizedManifest['envMapping']['convention'];

package/dist/index.cjs

@@ -3175,6 +3175,13 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
@@ -3191,10 +3198,15 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
@@ -3649,7 +3661,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3702,7 +3714,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.2",
+  version: "1.8.4",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4892,7 +4904,14 @@ function attachBootstrappedProjection(projection, force = false) {
     if (!ref) {
       return void 0;
     }
-    const definition = { provider: ref.provider };
+    const definition = {
+      provider: ref.provider,
+      ...ref.envVar ? {
+        mapping: {
+          [ref.envVar]: ref.ref
+        }
+      } : {}
+    };
     const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
     const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
     await provider.authenticate(auth);

package/dist/index.d.cts

@@ -1,2 +1,2 @@
 export { CnosSingleton, default as cnos, default } from './runtime/index.cjs';
-export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-CXgtC4VL.cjs';
+export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-zDTUSVx9.cjs';

package/dist/index.d.ts

@@ -1,2 +1,2 @@
 export { CnosSingleton, default as cnos, default } from './runtime/index.js';
-export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-CXgtC4VL.js';
+export { h as CnosPlugin, g as CnosRuntime, a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider } from './core-zDTUSVx9.js';

package/dist/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "./chunk-CP6K2DB3.js";
-import "./chunk-VTUOWV3S.js";
-import "./chunk-J7VEEREE.js";
-import "./chunk-DQGLBF6G.js";
-import "./chunk-B5TV5O6O.js";
-import "./chunk-DAFUP7EQ.js";
-import "./chunk-4MQBH4AY.js";
-import "./chunk-FWW7F52D.js";
-import "./chunk-KU73PJSQ.js";
-import "./chunk-5XOGTE42.js";
+} from "./chunk-LDFKY65G.js";
+import "./chunk-DL5G3QSZ.js";
+import "./chunk-O2KTQ6PB.js";
+import "./chunk-JQLV4OQU.js";
+import "./chunk-4AAA2RHV.js";
+import "./chunk-UMVFSHP2.js";
+import "./chunk-N5DX5QEB.js";
+import "./chunk-36AR262B.js";
+import "./chunk-EJT2VJTM.js";
+import "./chunk-ZH5QZQ7C.js";
 export {
   runtime_default as cnos,
   runtime_default as default

package/dist/internal.d.cts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-CXgtC4VL.cjs';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-CXgtC4VL.cjs';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-zDTUSVx9.cjs';
+export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-zDTUSVx9.cjs';
 
 declare class CnosError extends Error {
     constructor(message: string);

package/dist/internal.d.ts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-CXgtC4VL.js';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-CXgtC4VL.js';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-zDTUSVx9.js';
+export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-zDTUSVx9.js';
 
 declare class CnosError extends Error {
     constructor(message: string);

package/dist/internal.js

@@ -11,7 +11,7 @@ import {
   serializeRuntimeGraph,
   serializeSecretPayload,
   serializeServerProjection
-} from "./chunk-VTUOWV3S.js";
+} from "./chunk-DL5G3QSZ.js";
 import {
   CnosAuthenticationError,
   CnosSecurityError,
@@ -64,7 +64,7 @@ import {
   writeLocalSecret,
   writeRemoteRootCacheMetadata,
   writeVaultSessionKey
-} from "./chunk-5XOGTE42.js";
+} from "./chunk-ZH5QZQ7C.js";
 
 // src/codegen/generateTypes.ts
 function toPascalCase(value) {

package/dist/plugin/basic-schema.d.cts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-CXgtC4VL.cjs';
+import { V as ValidatorPlugin } from '../core-zDTUSVx9.cjs';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.d.ts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-CXgtC4VL.js';
+import { V as ValidatorPlugin } from '../core-zDTUSVx9.js';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-FWW7F52D.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-N5DX5QEB.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.d.cts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-CXgtC4VL.cjs';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-zDTUSVx9.cjs';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.d.ts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-CXgtC4VL.js';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-zDTUSVx9.js';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-KU73PJSQ.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-36AR262B.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-CXgtC4VL.cjs';
-import { E as EnvMappingConfig } from '../envNaming-BDtISWCK.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.cjs';
+import { E as EnvMappingConfig } from '../envNaming-EFzezmB3.cjs';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-CXgtC4VL.js';
-import { E as EnvMappingConfig } from '../envNaming-CA6OluSg.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.js';
+import { E as EnvMappingConfig } from '../envNaming-BkorOKW_.js';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-DQGLBF6G.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-EJT2VJTM.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.d.cts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-CXgtC4VL.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-C_MbUTdV.cjs';
+import { E as ExporterPlugin } from '../core-zDTUSVx9.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Ds1DRwCX.cjs';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.d.ts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-CXgtC4VL.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-B_dZDXDv.js';
+import { E as ExporterPlugin } from '../core-zDTUSVx9.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CT265rzS.js';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.js

@@ -1,11 +1,11 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "../chunk-B5TV5O6O.js";
+} from "../chunk-JQLV4OQU.js";
 import {
   toEnv,
   toPublicEnv
-} from "../chunk-5XOGTE42.js";
+} from "../chunk-ZH5QZQ7C.js";
 export {
   createEnvExportPlugin,
   createPublicEnvExportPlugin,

package/dist/plugin/filesystem.d.cts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-CXgtC4VL.cjs';
+import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-zDTUSVx9.cjs';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.d.ts

@@ -1,4 +1,4 @@
-import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-CXgtC4VL.js';
+import { L as LoaderPlugin, a as ConfigEntry, W as WorkspaceRoot, m as NamespaceName } from '../core-zDTUSVx9.js';
 
 declare function filesystemSecretsReader(filePath: string, document: string, workspaceId?: string): ConfigEntry[];
 declare function createFilesystemSecretsPlugin(): LoaderPlugin;

package/dist/plugin/filesystem.js

@@ -5,8 +5,8 @@ import {
   filesystemSecretsReader,
   filesystemValuesReader,
   yamlObjectToEntries
-} from "../chunk-DAFUP7EQ.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-4AAA2RHV.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   collectFilesystemLayerFiles,
   createFilesystemSecretsPlugin,

package/dist/plugin/process-env.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-CXgtC4VL.cjs';
-import { E as EnvMappingConfig } from '../envNaming-BDtISWCK.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.cjs';
+import { E as EnvMappingConfig } from '../envNaming-EFzezmB3.cjs';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function processNamespaceEntriesFromContext(env: Record<string, string | undefined>, workspaceId?: string): ConfigEntry[];

package/dist/plugin/process-env.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-CXgtC4VL.js';
-import { E as EnvMappingConfig } from '../envNaming-CA6OluSg.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.js';
+import { E as EnvMappingConfig } from '../envNaming-BkorOKW_.js';
 
 declare function processEnvEntriesFromObject(env: Record<string, string | undefined>, mapping?: EnvMappingConfig, workspaceId?: string): ConfigEntry[];
 declare function processNamespaceEntriesFromContext(env: Record<string, string | undefined>, workspaceId?: string): ConfigEntry[];

package/dist/plugin/process-env.js

@@ -2,8 +2,8 @@ import {
   createProcessEnvPlugin,
   processEnvEntriesFromObject,
   processNamespaceEntriesFromContext
-} from "../chunk-4MQBH4AY.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-UMVFSHP2.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   createProcessEnvPlugin,
   processEnvEntriesFromObject,

package/dist/runtime/index.cjs

@@ -3172,6 +3172,13 @@ function stableSortObject(value) {
 function stripValuePrefix(key) {
   return key.startsWith("value.") ? key.slice("value.".length) : key;
 }
+function resolveProjectedEnvVar(manifest, vaultId, ref) {
+  const mapping = manifest.vaults[vaultId]?.mapping;
+  if (!mapping) {
+    return void 0;
+  }
+  return Object.entries(mapping).find(([, logicalRef]) => logicalRef === ref)?.[0];
+}
 function configHash(values) {
   const serialized = JSON.stringify(stableSortObject(values));
   return (0, import_node_crypto3.createHash)("sha256").update(serialized).digest("hex");
@@ -3188,10 +3195,15 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      const vaultId = entry.value.vault ?? "default";
+      const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
       secretRefs[key.slice("secret.".length)] = {
         provider: entry.value.provider,
-        vault: entry.value.vault ?? "default",
-        ref: entry.value.ref
+        vault: vaultId,
+        ref: entry.value.ref,
+        ...envVar ? {
+          envVar
+        } : {}
       };
       continue;
     }
@@ -3646,7 +3658,7 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? void 0 : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3699,7 +3711,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.2",
+  version: "1.8.4",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -4889,7 +4901,14 @@ function attachBootstrappedProjection(projection, force = false) {
     if (!ref) {
       return void 0;
     }
-    const definition = { provider: ref.provider };
+    const definition = {
+      provider: ref.provider,
+      ...ref.envVar ? {
+        mapping: {
+          [ref.envVar]: ref.ref
+        }
+      } : {}
+    };
     const provider = createSecretVaultProvider(ref.vault ?? "default", definition, process.env);
     const auth = await resolveVaultAuth(ref.vault ?? "default", definition, process.env);
     await provider.authenticate(auth);

package/dist/runtime/index.d.cts

@@ -1,4 +1,4 @@
-import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-CXgtC4VL.cjs';
+import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-zDTUSVx9.cjs';
 
 interface CnosSingleton {
     <T = unknown>(key: LogicalKey): T | undefined;

package/dist/runtime/index.d.ts

@@ -1,4 +1,4 @@
-import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-CXgtC4VL.js';
+import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-zDTUSVx9.js';
 
 interface CnosSingleton {
     <T = unknown>(key: LogicalKey): T | undefined;

package/dist/runtime/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "../chunk-CP6K2DB3.js";
-import "../chunk-VTUOWV3S.js";
-import "../chunk-J7VEEREE.js";
-import "../chunk-DQGLBF6G.js";
-import "../chunk-B5TV5O6O.js";
-import "../chunk-DAFUP7EQ.js";
-import "../chunk-4MQBH4AY.js";
-import "../chunk-FWW7F52D.js";
-import "../chunk-KU73PJSQ.js";
-import "../chunk-5XOGTE42.js";
+} from "../chunk-LDFKY65G.js";
+import "../chunk-DL5G3QSZ.js";
+import "../chunk-O2KTQ6PB.js";
+import "../chunk-JQLV4OQU.js";
+import "../chunk-4AAA2RHV.js";
+import "../chunk-UMVFSHP2.js";
+import "../chunk-N5DX5QEB.js";
+import "../chunk-36AR262B.js";
+import "../chunk-EJT2VJTM.js";
+import "../chunk-ZH5QZQ7C.js";
 export {
   runtime_default as default
 };

package/dist/{toPublicEnv-B_dZDXDv.d.ts → toPublicEnv-CT265rzS.d.ts}

@@ -1,4 +1,4 @@
-import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-CXgtC4VL.js';
+import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-zDTUSVx9.js';
 
 declare function toEnv(graph: ResolvedGraph, manifest: NormalizedManifest, options?: ToEnvOptions, helpers?: {
     read?: (key: string) => unknown;

package/dist/{toPublicEnv-C_MbUTdV.d.cts → toPublicEnv-Ds1DRwCX.d.cts}

@@ -1,4 +1,4 @@
-import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-CXgtC4VL.cjs';
+import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-zDTUSVx9.cjs';
 
 declare function toEnv(graph: ResolvedGraph, manifest: NormalizedManifest, options?: ToEnvOptions, helpers?: {
     read?: (key: string) => unknown;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos",
-  "version": "1.8.2",
+  "version": "1.8.4",
   "description": "Batteries-included CNOS runtime package wired with the official plugins.",
   "type": "module",
   "main": "./dist/index.cjs",