@kitsy/cnos 1.8.3 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/dist/build/index.cjs +34 -8
  2. package/dist/build/index.js +34 -9
  3. package/dist/{chunk-UMVFSHP2.js → chunk-4JFSS3DN.js} +1 -1
  4. package/dist/{chunk-EJT2VJTM.js → chunk-4WT5RCA6.js} +1 -1
  5. package/dist/{chunk-SUMWGMRA.js → chunk-6YY3U7WB.js} +3 -3
  6. package/dist/{chunk-DL5G3QSZ.js → chunk-DKHI52KZ.js} +1 -1
  7. package/dist/{chunk-7MUDEJSP.js → chunk-FSGSOF5Q.js} +8 -8
  8. package/dist/{chunk-N5DX5QEB.js → chunk-HZYH2DQ4.js} +1 -1
  9. package/dist/{chunk-ZH5QZQ7C.js → chunk-O4YQMDFY.js} +11 -6
  10. package/dist/{chunk-36AR262B.js → chunk-PC5C3CBB.js} +1 -1
  11. package/dist/{chunk-4AAA2RHV.js → chunk-YLFA2KTF.js} +1 -1
  12. package/dist/{chunk-JQLV4OQU.js → chunk-ZTDPBZ7R.js} +1 -1
  13. package/dist/configure/index.cjs +12 -7
  14. package/dist/configure/index.js +8 -8
  15. package/dist/index.cjs +12 -7
  16. package/dist/index.js +10 -10
  17. package/dist/internal.js +2 -2
  18. package/dist/plugin/basic-schema.js +2 -2
  19. package/dist/plugin/cli-args.js +2 -2
  20. package/dist/plugin/dotenv.js +2 -2
  21. package/dist/plugin/env-export.cjs +11 -6
  22. package/dist/plugin/env-export.js +2 -2
  23. package/dist/plugin/filesystem.js +2 -2
  24. package/dist/plugin/process-env.js +2 -2
  25. package/dist/runtime/index.cjs +12 -7
  26. package/dist/runtime/index.js +10 -10
  27. package/package.json +1 -1
package/dist/build/index.cjs CHANGED
@@ -3279,7 +3279,7 @@ function normalizeEnvValue(value) {
3279
3279
  return JSON.stringify(value);
3280
3280
  }
3281
3281
  function toEnv(graph, manifest, options = {}, helpers = {}) {
3282
- const includeSecrets = options.includeSecrets ?? true;
3282
+ const includeSecrets = options.includeSecrets ?? false;
3283
3283
  const output = {};
3284
3284
  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
3285
3285
  ([left], [right]) => left.localeCompare(right)
@@ -3290,19 +3290,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
3290
3290
  continue;
3291
3291
  }
3292
3292
  const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
3293
- if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3293
+ const isSecretNamespace = entry.namespace === "secret";
3294
+ if (namespaceDefinition.kind !== "data") {
3294
3295
  continue;
3295
3296
  }
3296
- if (entry.namespace === "secret" && !includeSecrets) {
3297
- continue;
3298
- }
3299
- if (isSecretReference(entry.value)) {
3297
+ if (isSecretNamespace) {
3298
+ if (!includeSecrets) {
3299
+ continue;
3300
+ }
3301
+ } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3300
3302
  continue;
3301
3303
  }
3302
3304
  const value = helpers.read ? helpers.read(logicalKey) : entry.value;
3303
3305
  if (value === void 0) {
3304
3306
  continue;
3305
3307
  }
3308
+ if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
3309
+ continue;
3310
+ }
3306
3311
  output[envVar] = normalizeEnvValue(value);
3307
3312
  }
3308
3313
  return output;
@@ -3712,7 +3717,7 @@ function envVarToLogicalKey(envVar, config = {}) {
3712
3717
  // package.json
3713
3718
  var package_default = {
3714
3719
  name: "@kitsy/cnos",
3715
- version: "1.8.3",
3720
+ version: "1.9.0",
3716
3721
  description: "Batteries-included CNOS runtime package wired with the official plugins.",
3717
3722
  type: "module",
3718
3723
  main: "./dist/index.cjs",
@@ -4436,12 +4441,33 @@ async function resolveFrameworkEnv(options = {}, framework = "generic", envOptio
4436
4441
  });
4437
4442
  }
4438
4443
  async function resolveServerProjection(options = {}) {
4444
+ const secretResolution = options.secretResolution ?? "lazy";
4439
4445
  const runtime = await createCnos2({
4440
4446
  ...options,
4441
- cacheMode: options.cacheMode ?? "build"
4447
+ cacheMode: options.cacheMode ?? "build",
4448
+ secretResolution
4442
4449
  });
4450
+ validateServerProjectionSecretRefs(runtime);
4443
4451
  return runtime.toServerProjection();
4444
4452
  }
4453
+ function validateServerProjectionSecretRefs(runtime) {
4454
+ for (const entry of runtime.graph.entries.values()) {
4455
+ if (entry.namespace !== "secret" || !isSecretReference(entry.value)) {
4456
+ continue;
4457
+ }
4458
+ const vaultId = entry.value.vault ?? "default";
4459
+ const definition = runtime.manifest.vaults[vaultId];
4460
+ if (!definition) {
4461
+ throw new CnosManifestError(`Unknown vault "${vaultId}" for secret ref "${entry.key}"`);
4462
+ }
4463
+ if (entry.value.provider !== definition.provider) {
4464
+ throw new CnosManifestError(
4465
+ `Secret ref "${entry.key}" declares provider "${entry.value.provider}" but vault "${vaultId}" uses provider "${definition.provider}"`
4466
+ );
4467
+ }
4468
+ createSecretVaultProvider(vaultId, definition);
4469
+ }
4470
+ }
4445
4471
  // Annotate the CommonJS export names for ESM import in node:
4446
4472
  0 && (module.exports = {
4447
4473
  resolveBrowserData,
package/dist/build/index.js CHANGED
@@ -1,13 +1,17 @@
1
1
  import {
2
2
  createCnos
3
- } from "../chunk-7MUDEJSP.js";
4
- import "../chunk-JQLV4OQU.js";
5
- import "../chunk-4AAA2RHV.js";
6
- import "../chunk-UMVFSHP2.js";
7
- import "../chunk-N5DX5QEB.js";
8
- import "../chunk-36AR262B.js";
9
- import "../chunk-EJT2VJTM.js";
10
- import "../chunk-ZH5QZQ7C.js";
3
+ } from "../chunk-FSGSOF5Q.js";
4
+ import "../chunk-ZTDPBZ7R.js";
5
+ import "../chunk-YLFA2KTF.js";
6
+ import "../chunk-4JFSS3DN.js";
7
+ import "../chunk-HZYH2DQ4.js";
8
+ import "../chunk-PC5C3CBB.js";
9
+ import "../chunk-4WT5RCA6.js";
10
+ import {
11
+ CnosManifestError,
12
+ createSecretVaultProvider,
13
+ isSecretReference
14
+ } from "../chunk-O4YQMDFY.js";
11
15
 
12
16
  // src/build/index.ts
13
17
  async function resolveBrowserData(options = {}) {
@@ -86,12 +90,33 @@ async function resolveFrameworkEnv(options = {}, framework = "generic", envOptio
86
90
  });
87
91
  }
88
92
  async function resolveServerProjection(options = {}) {
93
+ const secretResolution = options.secretResolution ?? "lazy";
89
94
  const runtime = await createCnos({
90
95
  ...options,
91
- cacheMode: options.cacheMode ?? "build"
96
+ cacheMode: options.cacheMode ?? "build",
97
+ secretResolution
92
98
  });
99
+ validateServerProjectionSecretRefs(runtime);
93
100
  return runtime.toServerProjection();
94
101
  }
102
+ function validateServerProjectionSecretRefs(runtime) {
103
+ for (const entry of runtime.graph.entries.values()) {
104
+ if (entry.namespace !== "secret" || !isSecretReference(entry.value)) {
105
+ continue;
106
+ }
107
+ const vaultId = entry.value.vault ?? "default";
108
+ const definition = runtime.manifest.vaults[vaultId];
109
+ if (!definition) {
110
+ throw new CnosManifestError(`Unknown vault "${vaultId}" for secret ref "${entry.key}"`);
111
+ }
112
+ if (entry.value.provider !== definition.provider) {
113
+ throw new CnosManifestError(
114
+ `Secret ref "${entry.key}" declares provider "${entry.value.provider}" but vault "${vaultId}" uses provider "${definition.provider}"`
115
+ );
116
+ }
117
+ createSecretVaultProvider(vaultId, definition);
118
+ }
119
+ }
95
120
  export {
96
121
  resolveBrowserData,
97
122
  resolveFrameworkEnv,
package/dist/{chunk-UMVFSHP2.js → chunk-4JFSS3DN.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  envVarToLogicalKey
3
- } from "./chunk-ZH5QZQ7C.js";
3
+ } from "./chunk-O4YQMDFY.js";
4
4
 
5
5
  // ../../plugins/process-env/src/index.ts
6
6
  var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";
package/dist/{chunk-EJT2VJTM.js → chunk-4WT5RCA6.js} RENAMED
@@ -2,7 +2,7 @@ import {
2
2
  envVarToLogicalKey,
3
3
  resolveWorkspaceScopedPath,
4
4
  toPortablePath
5
- } from "./chunk-ZH5QZQ7C.js";
5
+ } from "./chunk-O4YQMDFY.js";
6
6
 
7
7
  // ../../plugins/dotenv/src/index.ts
8
8
  import { readFile } from "fs/promises";
package/dist/{chunk-SUMWGMRA.js → chunk-6YY3U7WB.js} RENAMED
@@ -3,7 +3,7 @@ import {
3
3
  graphRequiresSecretHydration,
4
4
  readRuntimeGraphFromEnv,
5
5
  readServerProjectionFromEnv
6
- } from "./chunk-DL5G3QSZ.js";
6
+ } from "./chunk-DKHI52KZ.js";
7
7
  import {
8
8
  createCnos,
9
9
  getBootstrappedSecretHydrationRequired,
@@ -12,7 +12,7 @@ import {
12
12
  setBootstrappedSecretHydrationRequired,
13
13
  setSingletonReady,
14
14
  setSingletonRuntime
15
- } from "./chunk-7MUDEJSP.js";
15
+ } from "./chunk-FSGSOF5Q.js";
16
16
  import {
17
17
  createDefaultRuntimeProviders,
18
18
  createDerivedRuntimeSupport,
@@ -28,7 +28,7 @@ import {
28
28
  toLogicalKey,
29
29
  toNamespaceObject,
30
30
  toPublicEnv
31
- } from "./chunk-ZH5QZQ7C.js";
31
+ } from "./chunk-O4YQMDFY.js";
32
32
 
33
33
  // src/runtime/index.ts
34
34
  import { existsSync, readFileSync } from "fs";
package/dist/{chunk-DL5G3QSZ.js → chunk-DKHI52KZ.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  isSecretReference
3
- } from "./chunk-ZH5QZQ7C.js";
3
+ } from "./chunk-O4YQMDFY.js";
4
4
 
5
5
  // src/runtime/bootstrap.ts
6
6
  import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
package/dist/{chunk-7MUDEJSP.js → chunk-FSGSOF5Q.js} RENAMED
@@ -1,27 +1,27 @@
1
1
  import {
2
2
  createEnvExportPlugin,
3
3
  createPublicEnvExportPlugin
4
- } from "./chunk-JQLV4OQU.js";
4
+ } from "./chunk-ZTDPBZ7R.js";
5
5
  import {
6
6
  createFilesystemSecretsPlugin,
7
7
  createFilesystemValuesPlugin
8
- } from "./chunk-4AAA2RHV.js";
8
+ } from "./chunk-YLFA2KTF.js";
9
9
  import {
10
10
  createProcessEnvPlugin
11
- } from "./chunk-UMVFSHP2.js";
11
+ } from "./chunk-4JFSS3DN.js";
12
12
  import {
13
13
  createBasicSchemaPlugin
14
- } from "./chunk-N5DX5QEB.js";
14
+ } from "./chunk-HZYH2DQ4.js";
15
15
  import {
16
16
  createCliArgsPlugin
17
- } from "./chunk-36AR262B.js";
17
+ } from "./chunk-PC5C3CBB.js";
18
18
  import {
19
19
  createDotenvPlugin
20
- } from "./chunk-EJT2VJTM.js";
20
+ } from "./chunk-4WT5RCA6.js";
21
21
  import {
22
22
  createCnos,
23
23
  createProvenanceInspector
24
- } from "./chunk-ZH5QZQ7C.js";
24
+ } from "./chunk-O4YQMDFY.js";
25
25
 
26
26
  // src/defaultPlugins.ts
27
27
  function defaultPlugins() {
@@ -68,7 +68,7 @@ function setBootstrappedSecretHydrationRequired(value) {
68
68
  // package.json
69
69
  var package_default = {
70
70
  name: "@kitsy/cnos",
71
- version: "1.8.3",
71
+ version: "1.9.0",
72
72
  description: "Batteries-included CNOS runtime package wired with the official plugins.",
73
73
  type: "module",
74
74
  main: "./dist/index.cjs",
package/dist/{chunk-N5DX5QEB.js → chunk-HZYH2DQ4.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  applySchemaRules
3
- } from "./chunk-ZH5QZQ7C.js";
3
+ } from "./chunk-O4YQMDFY.js";
4
4
 
5
5
  // ../../plugins/basic-schema/src/index.ts
6
6
  function createBasicSchemaPlugin() {
package/dist/{chunk-ZH5QZQ7C.js → chunk-O4YQMDFY.js} RENAMED
@@ -2505,7 +2505,7 @@ function normalizeEnvValue(value) {
2505
2505
  return JSON.stringify(value);
2506
2506
  }
2507
2507
  function toEnv(graph, manifest, options = {}, helpers = {}) {
2508
- const includeSecrets = options.includeSecrets ?? true;
2508
+ const includeSecrets = options.includeSecrets ?? false;
2509
2509
  const output = {};
2510
2510
  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
2511
2511
  ([left], [right]) => left.localeCompare(right)
@@ -2516,19 +2516,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
2516
2516
  continue;
2517
2517
  }
2518
2518
  const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
2519
- if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
2519
+ const isSecretNamespace = entry.namespace === "secret";
2520
+ if (namespaceDefinition.kind !== "data") {
2520
2521
  continue;
2521
2522
  }
2522
- if (entry.namespace === "secret" && !includeSecrets) {
2523
- continue;
2524
- }
2525
- if (isSecretReference(entry.value)) {
2523
+ if (isSecretNamespace) {
2524
+ if (!includeSecrets) {
2525
+ continue;
2526
+ }
2527
+ } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
2526
2528
  continue;
2527
2529
  }
2528
2530
  const value = helpers.read ? helpers.read(logicalKey) : entry.value;
2529
2531
  if (value === void 0) {
2530
2532
  continue;
2531
2533
  }
2534
+ if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
2535
+ continue;
2536
+ }
2532
2537
  output[envVar] = normalizeEnvValue(value);
2533
2538
  }
2534
2539
  return output;
package/dist/{chunk-36AR262B.js → chunk-PC5C3CBB.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  joinConfigPath
3
- } from "./chunk-ZH5QZQ7C.js";
3
+ } from "./chunk-O4YQMDFY.js";
4
4
 
5
5
  // ../../plugins/cli-args/src/index.ts
6
6
  var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";
package/dist/{chunk-4AAA2RHV.js → chunk-YLFA2KTF.js} RENAMED
@@ -4,7 +4,7 @@ import {
4
4
  isSecretReference,
5
5
  parseYaml,
6
6
  toPortablePath
7
- } from "./chunk-ZH5QZQ7C.js";
7
+ } from "./chunk-O4YQMDFY.js";
8
8
 
9
9
  // ../../plugins/filesystem/src/helpers.ts
10
10
  import { readdir } from "fs/promises";
package/dist/{chunk-JQLV4OQU.js → chunk-ZTDPBZ7R.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  toEnv,
3
3
  toPublicEnv
4
- } from "./chunk-ZH5QZQ7C.js";
4
+ } from "./chunk-O4YQMDFY.js";
5
5
 
6
6
  // ../../plugins/env-export/src/index.ts
7
7
  function createEnvExportPlugin() {
package/dist/configure/index.cjs CHANGED
@@ -3281,7 +3281,7 @@ function normalizeEnvValue(value) {
3281
3281
  return JSON.stringify(value);
3282
3282
  }
3283
3283
  function toEnv(graph, manifest, options = {}, helpers = {}) {
3284
- const includeSecrets = options.includeSecrets ?? true;
3284
+ const includeSecrets = options.includeSecrets ?? false;
3285
3285
  const output = {};
3286
3286
  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
3287
3287
  ([left], [right]) => left.localeCompare(right)
@@ -3292,19 +3292,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
3292
3292
  continue;
3293
3293
  }
3294
3294
  const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
3295
- if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3295
+ const isSecretNamespace = entry.namespace === "secret";
3296
+ if (namespaceDefinition.kind !== "data") {
3296
3297
  continue;
3297
3298
  }
3298
- if (entry.namespace === "secret" && !includeSecrets) {
3299
- continue;
3300
- }
3301
- if (isSecretReference(entry.value)) {
3299
+ if (isSecretNamespace) {
3300
+ if (!includeSecrets) {
3301
+ continue;
3302
+ }
3303
+ } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3302
3304
  continue;
3303
3305
  }
3304
3306
  const value = helpers.read ? helpers.read(logicalKey) : entry.value;
3305
3307
  if (value === void 0) {
3306
3308
  continue;
3307
3309
  }
3310
+ if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
3311
+ continue;
3312
+ }
3308
3313
  output[envVar] = normalizeEnvValue(value);
3309
3314
  }
3310
3315
  return output;
@@ -3756,7 +3761,7 @@ function envVarToLogicalKey(envVar, config = {}) {
3756
3761
  // package.json
3757
3762
  var package_default = {
3758
3763
  name: "@kitsy/cnos",
3759
- version: "1.8.3",
3764
+ version: "1.9.0",
3760
3765
  description: "Batteries-included CNOS runtime package wired with the official plugins.",
3761
3766
  type: "module",
3762
3767
  main: "./dist/index.cjs",
package/dist/configure/index.js CHANGED
@@ -1,19 +1,19 @@
1
1
  import {
2
2
  createCnos,
3
3
  defaultPlugins
4
- } from "../chunk-7MUDEJSP.js";
5
- import "../chunk-JQLV4OQU.js";
6
- import "../chunk-4AAA2RHV.js";
7
- import "../chunk-UMVFSHP2.js";
8
- import "../chunk-N5DX5QEB.js";
9
- import "../chunk-36AR262B.js";
10
- import "../chunk-EJT2VJTM.js";
4
+ } from "../chunk-FSGSOF5Q.js";
5
+ import "../chunk-ZTDPBZ7R.js";
6
+ import "../chunk-YLFA2KTF.js";
7
+ import "../chunk-4JFSS3DN.js";
8
+ import "../chunk-HZYH2DQ4.js";
9
+ import "../chunk-PC5C3CBB.js";
10
+ import "../chunk-4WT5RCA6.js";
11
11
  import {
12
12
  planDump,
13
13
  toEnv,
14
14
  toPublicEnv,
15
15
  writeDump
16
- } from "../chunk-ZH5QZQ7C.js";
16
+ } from "../chunk-O4YQMDFY.js";
17
17
  export {
18
18
  createCnos,
19
19
  defaultPlugins,
package/dist/index.cjs CHANGED
@@ -3281,7 +3281,7 @@ function normalizeEnvValue(value) {
3281
3281
  return JSON.stringify(value);
3282
3282
  }
3283
3283
  function toEnv(graph, manifest, options = {}, helpers = {}) {
3284
- const includeSecrets = options.includeSecrets ?? true;
3284
+ const includeSecrets = options.includeSecrets ?? false;
3285
3285
  const output = {};
3286
3286
  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
3287
3287
  ([left], [right]) => left.localeCompare(right)
@@ -3292,19 +3292,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
3292
3292
  continue;
3293
3293
  }
3294
3294
  const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
3295
- if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3295
+ const isSecretNamespace = entry.namespace === "secret";
3296
+ if (namespaceDefinition.kind !== "data") {
3296
3297
  continue;
3297
3298
  }
3298
- if (entry.namespace === "secret" && !includeSecrets) {
3299
- continue;
3300
- }
3301
- if (isSecretReference(entry.value)) {
3299
+ if (isSecretNamespace) {
3300
+ if (!includeSecrets) {
3301
+ continue;
3302
+ }
3303
+ } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3302
3304
  continue;
3303
3305
  }
3304
3306
  const value = helpers.read ? helpers.read(logicalKey) : entry.value;
3305
3307
  if (value === void 0) {
3306
3308
  continue;
3307
3309
  }
3310
+ if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
3311
+ continue;
3312
+ }
3308
3313
  output[envVar] = normalizeEnvValue(value);
3309
3314
  }
3310
3315
  return output;
@@ -3714,7 +3719,7 @@ function envVarToLogicalKey(envVar, config = {}) {
3714
3719
  // package.json
3715
3720
  var package_default = {
3716
3721
  name: "@kitsy/cnos",
3717
- version: "1.8.3",
3722
+ version: "1.9.0",
3718
3723
  description: "Batteries-included CNOS runtime package wired with the official plugins.",
3719
3724
  type: "module",
3720
3725
  main: "./dist/index.cjs",
package/dist/index.js CHANGED
@@ -1,15 +1,15 @@
1
1
  import {
2
2
  runtime_default
3
- } from "./chunk-SUMWGMRA.js";
4
- import "./chunk-DL5G3QSZ.js";
5
- import "./chunk-7MUDEJSP.js";
6
- import "./chunk-JQLV4OQU.js";
7
- import "./chunk-4AAA2RHV.js";
8
- import "./chunk-UMVFSHP2.js";
9
- import "./chunk-N5DX5QEB.js";
10
- import "./chunk-36AR262B.js";
11
- import "./chunk-EJT2VJTM.js";
12
- import "./chunk-ZH5QZQ7C.js";
3
+ } from "./chunk-6YY3U7WB.js";
4
+ import "./chunk-DKHI52KZ.js";
5
+ import "./chunk-FSGSOF5Q.js";
6
+ import "./chunk-ZTDPBZ7R.js";
7
+ import "./chunk-YLFA2KTF.js";
8
+ import "./chunk-4JFSS3DN.js";
9
+ import "./chunk-HZYH2DQ4.js";
10
+ import "./chunk-PC5C3CBB.js";
11
+ import "./chunk-4WT5RCA6.js";
12
+ import "./chunk-O4YQMDFY.js";
13
13
  export {
14
14
  runtime_default as cnos,
15
15
  runtime_default as default
package/dist/internal.js CHANGED
@@ -11,7 +11,7 @@ import {
11
11
  serializeRuntimeGraph,
12
12
  serializeSecretPayload,
13
13
  serializeServerProjection
14
- } from "./chunk-DL5G3QSZ.js";
14
+ } from "./chunk-DKHI52KZ.js";
15
15
  import {
16
16
  CnosAuthenticationError,
17
17
  CnosSecurityError,
@@ -64,7 +64,7 @@ import {
64
64
  writeLocalSecret,
65
65
  writeRemoteRootCacheMetadata,
66
66
  writeVaultSessionKey
67
- } from "./chunk-ZH5QZQ7C.js";
67
+ } from "./chunk-O4YQMDFY.js";
68
68
 
69
69
  // src/codegen/generateTypes.ts
70
70
  function toPascalCase(value) {
package/dist/plugin/basic-schema.js CHANGED
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  createBasicSchemaPlugin
3
- } from "../chunk-N5DX5QEB.js";
4
- import "../chunk-ZH5QZQ7C.js";
3
+ } from "../chunk-HZYH2DQ4.js";
4
+ import "../chunk-O4YQMDFY.js";
5
5
  export {
6
6
  createBasicSchemaPlugin
7
7
  };
package/dist/plugin/cli-args.js CHANGED
@@ -2,8 +2,8 @@ import {
2
2
  cliArgEntriesFromArgs,
3
3
  createCliArgsPlugin,
4
4
  parseCliArgs
5
- } from "../chunk-36AR262B.js";
6
- import "../chunk-ZH5QZQ7C.js";
5
+ } from "../chunk-PC5C3CBB.js";
6
+ import "../chunk-O4YQMDFY.js";
7
7
  export {
8
8
  cliArgEntriesFromArgs,
9
9
  createCliArgsPlugin,
package/dist/plugin/dotenv.js CHANGED
@@ -2,8 +2,8 @@ import {
2
2
  createDotenvPlugin,
3
3
  dotenvEntriesFromObject,
4
4
  parseDotenv
5
- } from "../chunk-EJT2VJTM.js";
6
- import "../chunk-ZH5QZQ7C.js";
5
+ } from "../chunk-4WT5RCA6.js";
6
+ import "../chunk-O4YQMDFY.js";
7
7
  export {
8
8
  createDotenvPlugin,
9
9
  dotenvEntriesFromObject,
package/dist/plugin/env-export.cjs CHANGED
@@ -174,7 +174,7 @@ function normalizeEnvValue(value) {
174
174
  return JSON.stringify(value);
175
175
  }
176
176
  function toEnv(graph, manifest, options = {}, helpers = {}) {
177
- const includeSecrets = options.includeSecrets ?? true;
177
+ const includeSecrets = options.includeSecrets ?? false;
178
178
  const output = {};
179
179
  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
180
180
  ([left], [right]) => left.localeCompare(right)
@@ -185,19 +185,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
185
185
  continue;
186
186
  }
187
187
  const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
188
- if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
188
+ const isSecretNamespace = entry.namespace === "secret";
189
+ if (namespaceDefinition.kind !== "data") {
189
190
  continue;
190
191
  }
191
- if (entry.namespace === "secret" && !includeSecrets) {
192
- continue;
193
- }
194
- if (isSecretReference(entry.value)) {
192
+ if (isSecretNamespace) {
193
+ if (!includeSecrets) {
194
+ continue;
195
+ }
196
+ } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
195
197
  continue;
196
198
  }
197
199
  const value = helpers.read ? helpers.read(logicalKey) : entry.value;
198
200
  if (value === void 0) {
199
201
  continue;
200
202
  }
203
+ if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
204
+ continue;
205
+ }
201
206
  output[envVar] = normalizeEnvValue(value);
202
207
  }
203
208
  return output;
package/dist/plugin/env-export.js CHANGED
@@ -1,11 +1,11 @@
1
1
  import {
2
2
  createEnvExportPlugin,
3
3
  createPublicEnvExportPlugin
4
- } from "../chunk-JQLV4OQU.js";
4
+ } from "../chunk-ZTDPBZ7R.js";
5
5
  import {
6
6
  toEnv,
7
7
  toPublicEnv
8
- } from "../chunk-ZH5QZQ7C.js";
8
+ } from "../chunk-O4YQMDFY.js";
9
9
  export {
10
10
  createEnvExportPlugin,
11
11
  createPublicEnvExportPlugin,
package/dist/plugin/filesystem.js CHANGED
@@ -5,8 +5,8 @@ import {
5
5
  filesystemSecretsReader,
6
6
  filesystemValuesReader,
7
7
  yamlObjectToEntries
8
- } from "../chunk-4AAA2RHV.js";
9
- import "../chunk-ZH5QZQ7C.js";
8
+ } from "../chunk-YLFA2KTF.js";
9
+ import "../chunk-O4YQMDFY.js";
10
10
  export {
11
11
  collectFilesystemLayerFiles,
12
12
  createFilesystemSecretsPlugin,
package/dist/plugin/process-env.js CHANGED
@@ -2,8 +2,8 @@ import {
2
2
  createProcessEnvPlugin,
3
3
  processEnvEntriesFromObject,
4
4
  processNamespaceEntriesFromContext
5
- } from "../chunk-UMVFSHP2.js";
6
- import "../chunk-ZH5QZQ7C.js";
5
+ } from "../chunk-4JFSS3DN.js";
6
+ import "../chunk-O4YQMDFY.js";
7
7
  export {
8
8
  createProcessEnvPlugin,
9
9
  processEnvEntriesFromObject,
package/dist/runtime/index.cjs CHANGED
@@ -3278,7 +3278,7 @@ function normalizeEnvValue(value) {
3278
3278
  return JSON.stringify(value);
3279
3279
  }
3280
3280
  function toEnv(graph, manifest, options = {}, helpers = {}) {
3281
- const includeSecrets = options.includeSecrets ?? true;
3281
+ const includeSecrets = options.includeSecrets ?? false;
3282
3282
  const output = {};
3283
3283
  const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
3284
3284
  ([left], [right]) => left.localeCompare(right)
@@ -3289,19 +3289,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
3289
3289
  continue;
3290
3290
  }
3291
3291
  const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
3292
- if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3292
+ const isSecretNamespace = entry.namespace === "secret";
3293
+ if (namespaceDefinition.kind !== "data") {
3293
3294
  continue;
3294
3295
  }
3295
- if (entry.namespace === "secret" && !includeSecrets) {
3296
- continue;
3297
- }
3298
- if (isSecretReference(entry.value)) {
3296
+ if (isSecretNamespace) {
3297
+ if (!includeSecrets) {
3298
+ continue;
3299
+ }
3300
+ } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
3299
3301
  continue;
3300
3302
  }
3301
3303
  const value = helpers.read ? helpers.read(logicalKey) : entry.value;
3302
3304
  if (value === void 0) {
3303
3305
  continue;
3304
3306
  }
3307
+ if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
3308
+ continue;
3309
+ }
3305
3310
  output[envVar] = normalizeEnvValue(value);
3306
3311
  }
3307
3312
  return output;
@@ -3711,7 +3716,7 @@ function envVarToLogicalKey(envVar, config = {}) {
3711
3716
  // package.json
3712
3717
  var package_default = {
3713
3718
  name: "@kitsy/cnos",
3714
- version: "1.8.3",
3719
+ version: "1.9.0",
3715
3720
  description: "Batteries-included CNOS runtime package wired with the official plugins.",
3716
3721
  type: "module",
3717
3722
  main: "./dist/index.cjs",
package/dist/runtime/index.js CHANGED
@@ -1,15 +1,15 @@
1
1
  import {
2
2
  runtime_default
3
- } from "../chunk-SUMWGMRA.js";
4
- import "../chunk-DL5G3QSZ.js";
5
- import "../chunk-7MUDEJSP.js";
6
- import "../chunk-JQLV4OQU.js";
7
- import "../chunk-4AAA2RHV.js";
8
- import "../chunk-UMVFSHP2.js";
9
- import "../chunk-N5DX5QEB.js";
10
- import "../chunk-36AR262B.js";
11
- import "../chunk-EJT2VJTM.js";
12
- import "../chunk-ZH5QZQ7C.js";
3
+ } from "../chunk-6YY3U7WB.js";
4
+ import "../chunk-DKHI52KZ.js";
5
+ import "../chunk-FSGSOF5Q.js";
6
+ import "../chunk-ZTDPBZ7R.js";
7
+ import "../chunk-YLFA2KTF.js";
8
+ import "../chunk-4JFSS3DN.js";
9
+ import "../chunk-HZYH2DQ4.js";
10
+ import "../chunk-PC5C3CBB.js";
11
+ import "../chunk-4WT5RCA6.js";
12
+ import "../chunk-O4YQMDFY.js";
13
13
  export {
14
14
  runtime_default as default
15
15
  };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kitsy/cnos",
3
- "version": "1.8.3",
3
+ "version": "1.9.0",
4
4
  "description": "Batteries-included CNOS runtime package wired with the official plugins.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",