@kitsy/cnos 1.8.4 → 1.9.1

package/dist/build/index.cjs

@@ -1857,7 +1857,7 @@ function getNamespaceDefinition(manifest, namespaceOrKey) {
   const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
   return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
 }
-function ensureProjectionAllowed(manifest, key, target) {
+function ensureProjectionAllowed(manifest, key, target, options = {}) {
   const namespace = getNamespaceNameForKey(key);
   const definition = getNamespaceDefinition(manifest, namespace);
   if (definition.kind !== "data") {
@@ -1866,6 +1866,9 @@ function ensureProjectionAllowed(manifest, key, target) {
     );
   }
   if (definition.sensitive) {
+    if (target === "env" && namespace === "secret" && options.allowSecretForEnv) {
+      return;
+    }
     throw new CnosSecurityError(
       `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
     );
@@ -3279,7 +3282,7 @@ function normalizeEnvValue(value) {
   return JSON.stringify(value);
 }
 function toEnv(graph, manifest, options = {}, helpers = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
+  const includeSecrets = options.includeSecrets ?? false;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
     ([left], [right]) => left.localeCompare(right)
@@ -3290,19 +3293,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
       continue;
     }
     const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
-    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
-      continue;
-    }
-    if (entry.namespace === "secret" && !includeSecrets) {
+    const isSecretNamespace = entry.namespace === "secret";
+    if (namespaceDefinition.kind !== "data") {
       continue;
     }
-    if (isSecretReference(entry.value)) {
+    if (isSecretNamespace) {
+      if (!includeSecrets) {
+        continue;
+      }
+    } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
       continue;
     }
     const value = helpers.read ? helpers.read(logicalKey) : entry.value;
     if (value === void 0) {
       continue;
     }
+    if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
+      continue;
+    }
     output[envVar] = normalizeEnvValue(value);
   }
   return output;
@@ -3712,7 +3720,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.4",
+  version: "1.9.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/build/index.js

@@ -1,17 +1,17 @@
 import {
   createCnos
-} from "../chunk-O2KTQ6PB.js";
-import "../chunk-JQLV4OQU.js";
-import "../chunk-4AAA2RHV.js";
-import "../chunk-UMVFSHP2.js";
-import "../chunk-N5DX5QEB.js";
-import "../chunk-36AR262B.js";
-import "../chunk-EJT2VJTM.js";
+} from "../chunk-MYG6EPUX.js";
+import "../chunk-LURQ4LAK.js";
+import "../chunk-A2WG3ZKW.js";
+import "../chunk-L7JVECPE.js";
+import "../chunk-6QQPHDUI.js";
+import "../chunk-7JZO6XN3.js";
+import "../chunk-2JBA2LXU.js";
 import {
   CnosManifestError,
   createSecretVaultProvider,
   isSecretReference
-} from "../chunk-ZH5QZQ7C.js";
+} from "../chunk-7KVM5PUW.js";
 
 // src/build/index.ts
 async function resolveBrowserData(options = {}) {

package/dist/{chunk-EJT2VJTM.js → chunk-2JBA2LXU.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";

package/dist/{chunk-N5DX5QEB.js → chunk-6QQPHDUI.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {

package/dist/{chunk-36AR262B.js → chunk-7JZO6XN3.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";

package/dist/{chunk-ZH5QZQ7C.js → chunk-7KVM5PUW.js}

@@ -1705,7 +1705,7 @@ function getNamespaceDefinition(manifest, namespaceOrKey) {
   const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
   return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
 }
-function ensureProjectionAllowed(manifest, key, target) {
+function ensureProjectionAllowed(manifest, key, target, options = {}) {
   const namespace = getNamespaceNameForKey(key);
   const definition = getNamespaceDefinition(manifest, namespace);
   if (definition.kind !== "data") {
@@ -1714,6 +1714,9 @@ function ensureProjectionAllowed(manifest, key, target) {
     );
   }
   if (definition.sensitive) {
+    if (target === "env" && namespace === "secret" && options.allowSecretForEnv) {
+      return;
+    }
     throw new CnosSecurityError(
       `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
     );
@@ -2505,7 +2508,7 @@ function normalizeEnvValue(value) {
   return JSON.stringify(value);
 }
 function toEnv(graph, manifest, options = {}, helpers = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
+  const includeSecrets = options.includeSecrets ?? false;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
     ([left], [right]) => left.localeCompare(right)
@@ -2516,19 +2519,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
       continue;
     }
     const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
-    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
-      continue;
-    }
-    if (entry.namespace === "secret" && !includeSecrets) {
+    const isSecretNamespace = entry.namespace === "secret";
+    if (namespaceDefinition.kind !== "data") {
       continue;
     }
-    if (isSecretReference(entry.value)) {
+    if (isSecretNamespace) {
+      if (!includeSecrets) {
+        continue;
+      }
+    } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
       continue;
     }
     const value = helpers.read ? helpers.read(logicalKey) : entry.value;
     if (value === void 0) {
       continue;
     }
+    if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
+      continue;
+    }
     output[envVar] = normalizeEnvValue(value);
   }
   return output;

package/dist/{chunk-4AAA2RHV.js → chunk-A2WG3ZKW.js}

@@ -4,7 +4,7 @@ import {
   isSecretReference,
   parseYaml,
   toPortablePath
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";

package/dist/{chunk-LDFKY65G.js → chunk-L6ZMJPA6.js}

@@ -3,7 +3,7 @@ import {
   graphRequiresSecretHydration,
   readRuntimeGraphFromEnv,
   readServerProjectionFromEnv
-} from "./chunk-DL5G3QSZ.js";
+} from "./chunk-NVFACB64.js";
 import {
   createCnos,
   getBootstrappedSecretHydrationRequired,
@@ -12,7 +12,7 @@ import {
   setBootstrappedSecretHydrationRequired,
   setSingletonReady,
   setSingletonRuntime
-} from "./chunk-O2KTQ6PB.js";
+} from "./chunk-MYG6EPUX.js";
 import {
   createDefaultRuntimeProviders,
   createDerivedRuntimeSupport,
@@ -28,7 +28,7 @@ import {
   toLogicalKey,
   toNamespaceObject,
   toPublicEnv
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // src/runtime/index.ts
 import { existsSync, readFileSync } from "fs";

package/dist/{chunk-UMVFSHP2.js → chunk-L7JVECPE.js}

@@ -1,6 +1,6 @@
 import {
   envVarToLogicalKey
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";

package/dist/{chunk-JQLV4OQU.js → chunk-LURQ4LAK.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-O2KTQ6PB.js → chunk-MYG6EPUX.js}

@@ -1,27 +1,27 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "./chunk-JQLV4OQU.js";
+} from "./chunk-LURQ4LAK.js";
 import {
   createFilesystemSecretsPlugin,
   createFilesystemValuesPlugin
-} from "./chunk-4AAA2RHV.js";
+} from "./chunk-A2WG3ZKW.js";
 import {
   createProcessEnvPlugin
-} from "./chunk-UMVFSHP2.js";
+} from "./chunk-L7JVECPE.js";
 import {
   createBasicSchemaPlugin
-} from "./chunk-N5DX5QEB.js";
+} from "./chunk-6QQPHDUI.js";
 import {
   createCliArgsPlugin
-} from "./chunk-36AR262B.js";
+} from "./chunk-7JZO6XN3.js";
 import {
   createDotenvPlugin
-} from "./chunk-EJT2VJTM.js";
+} from "./chunk-2JBA2LXU.js";
 import {
   createCnos,
   createProvenanceInspector
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // src/defaultPlugins.ts
 function defaultPlugins() {
@@ -68,7 +68,7 @@ function setBootstrappedSecretHydrationRequired(value) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.4",
+  version: "1.9.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/{chunk-DL5G3QSZ.js → chunk-NVFACB64.js}

@@ -1,6 +1,6 @@
 import {
   isSecretReference
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // src/runtime/bootstrap.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

package/dist/configure/index.cjs

@@ -1859,7 +1859,7 @@ function getNamespaceDefinition(manifest, namespaceOrKey) {
   const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
   return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
 }
-function ensureProjectionAllowed(manifest, key, target) {
+function ensureProjectionAllowed(manifest, key, target, options = {}) {
   const namespace = getNamespaceNameForKey(key);
   const definition = getNamespaceDefinition(manifest, namespace);
   if (definition.kind !== "data") {
@@ -1868,6 +1868,9 @@ function ensureProjectionAllowed(manifest, key, target) {
     );
   }
   if (definition.sensitive) {
+    if (target === "env" && namespace === "secret" && options.allowSecretForEnv) {
+      return;
+    }
     throw new CnosSecurityError(
       `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
     );
@@ -3281,7 +3284,7 @@ function normalizeEnvValue(value) {
   return JSON.stringify(value);
 }
 function toEnv(graph, manifest, options = {}, helpers = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
+  const includeSecrets = options.includeSecrets ?? false;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
     ([left], [right]) => left.localeCompare(right)
@@ -3292,19 +3295,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
       continue;
     }
     const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
-    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
-      continue;
-    }
-    if (entry.namespace === "secret" && !includeSecrets) {
+    const isSecretNamespace = entry.namespace === "secret";
+    if (namespaceDefinition.kind !== "data") {
       continue;
     }
-    if (isSecretReference(entry.value)) {
+    if (isSecretNamespace) {
+      if (!includeSecrets) {
+        continue;
+      }
+    } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
       continue;
     }
     const value = helpers.read ? helpers.read(logicalKey) : entry.value;
     if (value === void 0) {
       continue;
     }
+    if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
+      continue;
+    }
     output[envVar] = normalizeEnvValue(value);
   }
   return output;
@@ -3756,7 +3764,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.4",
+  version: "1.9.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/configure/index.js

@@ -1,19 +1,19 @@
 import {
   createCnos,
   defaultPlugins
-} from "../chunk-O2KTQ6PB.js";
-import "../chunk-JQLV4OQU.js";
-import "../chunk-4AAA2RHV.js";
-import "../chunk-UMVFSHP2.js";
-import "../chunk-N5DX5QEB.js";
-import "../chunk-36AR262B.js";
-import "../chunk-EJT2VJTM.js";
+} from "../chunk-MYG6EPUX.js";
+import "../chunk-LURQ4LAK.js";
+import "../chunk-A2WG3ZKW.js";
+import "../chunk-L7JVECPE.js";
+import "../chunk-6QQPHDUI.js";
+import "../chunk-7JZO6XN3.js";
+import "../chunk-2JBA2LXU.js";
 import {
   planDump,
   toEnv,
   toPublicEnv,
   writeDump
-} from "../chunk-ZH5QZQ7C.js";
+} from "../chunk-7KVM5PUW.js";
 export {
   createCnos,
   defaultPlugins,

package/dist/index.cjs

@@ -1859,7 +1859,7 @@ function getNamespaceDefinition(manifest, namespaceOrKey) {
   const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
   return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
 }
-function ensureProjectionAllowed(manifest, key, target) {
+function ensureProjectionAllowed(manifest, key, target, options = {}) {
   const namespace = getNamespaceNameForKey(key);
   const definition = getNamespaceDefinition(manifest, namespace);
   if (definition.kind !== "data") {
@@ -1868,6 +1868,9 @@ function ensureProjectionAllowed(manifest, key, target) {
     );
   }
   if (definition.sensitive) {
+    if (target === "env" && namespace === "secret" && options.allowSecretForEnv) {
+      return;
+    }
     throw new CnosSecurityError(
       `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
     );
@@ -3281,7 +3284,7 @@ function normalizeEnvValue(value) {
   return JSON.stringify(value);
 }
 function toEnv(graph, manifest, options = {}, helpers = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
+  const includeSecrets = options.includeSecrets ?? false;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
     ([left], [right]) => left.localeCompare(right)
@@ -3292,19 +3295,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
       continue;
     }
     const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
-    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
-      continue;
-    }
-    if (entry.namespace === "secret" && !includeSecrets) {
+    const isSecretNamespace = entry.namespace === "secret";
+    if (namespaceDefinition.kind !== "data") {
       continue;
     }
-    if (isSecretReference(entry.value)) {
+    if (isSecretNamespace) {
+      if (!includeSecrets) {
+        continue;
+      }
+    } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
       continue;
     }
     const value = helpers.read ? helpers.read(logicalKey) : entry.value;
     if (value === void 0) {
       continue;
     }
+    if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
+      continue;
+    }
     output[envVar] = normalizeEnvValue(value);
   }
   return output;
@@ -3714,7 +3722,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.4",
+  version: "1.9.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "./chunk-LDFKY65G.js";
-import "./chunk-DL5G3QSZ.js";
-import "./chunk-O2KTQ6PB.js";
-import "./chunk-JQLV4OQU.js";
-import "./chunk-4AAA2RHV.js";
-import "./chunk-UMVFSHP2.js";
-import "./chunk-N5DX5QEB.js";
-import "./chunk-36AR262B.js";
-import "./chunk-EJT2VJTM.js";
-import "./chunk-ZH5QZQ7C.js";
+} from "./chunk-L6ZMJPA6.js";
+import "./chunk-NVFACB64.js";
+import "./chunk-MYG6EPUX.js";
+import "./chunk-LURQ4LAK.js";
+import "./chunk-A2WG3ZKW.js";
+import "./chunk-L7JVECPE.js";
+import "./chunk-6QQPHDUI.js";
+import "./chunk-7JZO6XN3.js";
+import "./chunk-2JBA2LXU.js";
+import "./chunk-7KVM5PUW.js";
 export {
   runtime_default as cnos,
   runtime_default as default

package/dist/internal.cjs

@@ -1391,7 +1391,7 @@ function getNamespaceDefinition(manifest, namespaceOrKey) {
   const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
   return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
 }
-function ensureProjectionAllowed(manifest, key, target) {
+function ensureProjectionAllowed(manifest, key, target, options = {}) {
   const namespace = getNamespaceNameForKey(key);
   const definition = getNamespaceDefinition(manifest, namespace);
   if (definition.kind !== "data") {
@@ -1400,6 +1400,9 @@ function ensureProjectionAllowed(manifest, key, target) {
     );
   }
   if (definition.sensitive) {
+    if (target === "env" && namespace === "secret" && options.allowSecretForEnv) {
+      return;
+    }
     throw new CnosSecurityError(
       `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
     );

package/dist/internal.d.cts

@@ -24,8 +24,11 @@ declare function writeKeychain(entry: string, value: string): Promise<void>;
 declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
 
 type ProjectionTarget = 'public' | 'env';
+interface ProjectionPolicyOptions {
+    allowSecretForEnv?: boolean;
+}
 declare function getNamespaceDefinition(manifest: NormalizedManifest, namespaceOrKey: string): NamespaceDefinition;
-declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
+declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget, options?: ProjectionPolicyOptions): void;
 
 declare function resolveVaultAuth(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig>;
 

package/dist/internal.d.ts

@@ -24,8 +24,11 @@ declare function writeKeychain(entry: string, value: string): Promise<void>;
 declare function loadManifest(options?: LoadManifestOptions): Promise<LoadedManifest>;
 
 type ProjectionTarget = 'public' | 'env';
+interface ProjectionPolicyOptions {
+    allowSecretForEnv?: boolean;
+}
 declare function getNamespaceDefinition(manifest: NormalizedManifest, namespaceOrKey: string): NamespaceDefinition;
-declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget): void;
+declare function ensureProjectionAllowed(manifest: NormalizedManifest, key: LogicalKey, target: ProjectionTarget, options?: ProjectionPolicyOptions): void;
 
 declare function resolveVaultAuth(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): Promise<VaultAuthConfig>;
 

package/dist/internal.js

@@ -11,7 +11,7 @@ import {
   serializeRuntimeGraph,
   serializeSecretPayload,
   serializeServerProjection
-} from "./chunk-DL5G3QSZ.js";
+} from "./chunk-NVFACB64.js";
 import {
   CnosAuthenticationError,
   CnosSecurityError,
@@ -64,7 +64,7 @@ import {
   writeLocalSecret,
   writeRemoteRootCacheMetadata,
   writeVaultSessionKey
-} from "./chunk-ZH5QZQ7C.js";
+} from "./chunk-7KVM5PUW.js";
 
 // src/codegen/generateTypes.ts
 function toPascalCase(value) {

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-N5DX5QEB.js";
-import "../chunk-ZH5QZQ7C.js";
+} from "../chunk-6QQPHDUI.js";
+import "../chunk-7KVM5PUW.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-36AR262B.js";
-import "../chunk-ZH5QZQ7C.js";
+} from "../chunk-7JZO6XN3.js";
+import "../chunk-7KVM5PUW.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-EJT2VJTM.js";
-import "../chunk-ZH5QZQ7C.js";
+} from "../chunk-2JBA2LXU.js";
+import "../chunk-7KVM5PUW.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.cjs

@@ -174,7 +174,7 @@ function normalizeEnvValue(value) {
   return JSON.stringify(value);
 }
 function toEnv(graph, manifest, options = {}, helpers = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
+  const includeSecrets = options.includeSecrets ?? false;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
     ([left], [right]) => left.localeCompare(right)
@@ -185,19 +185,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
       continue;
     }
     const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
-    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
+    const isSecretNamespace = entry.namespace === "secret";
+    if (namespaceDefinition.kind !== "data") {
       continue;
     }
-    if (entry.namespace === "secret" && !includeSecrets) {
-      continue;
-    }
-    if (isSecretReference(entry.value)) {
+    if (isSecretNamespace) {
+      if (!includeSecrets) {
+        continue;
+      }
+    } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
       continue;
     }
     const value = helpers.read ? helpers.read(logicalKey) : entry.value;
     if (value === void 0) {
       continue;
     }
+    if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
+      continue;
+    }
     output[envVar] = normalizeEnvValue(value);
   }
   return output;

package/dist/plugin/env-export.js

@@ -1,11 +1,11 @@
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "../chunk-JQLV4OQU.js";
+} from "../chunk-LURQ4LAK.js";
 import {
   toEnv,
   toPublicEnv
-} from "../chunk-ZH5QZQ7C.js";
+} from "../chunk-7KVM5PUW.js";
 export {
   createEnvExportPlugin,
   createPublicEnvExportPlugin,

package/dist/plugin/filesystem.js

@@ -5,8 +5,8 @@ import {
   filesystemSecretsReader,
   filesystemValuesReader,
   yamlObjectToEntries
-} from "../chunk-4AAA2RHV.js";
-import "../chunk-ZH5QZQ7C.js";
+} from "../chunk-A2WG3ZKW.js";
+import "../chunk-7KVM5PUW.js";
 export {
   collectFilesystemLayerFiles,
   createFilesystemSecretsPlugin,

package/dist/plugin/process-env.js

@@ -2,8 +2,8 @@ import {
   createProcessEnvPlugin,
   processEnvEntriesFromObject,
   processNamespaceEntriesFromContext
-} from "../chunk-UMVFSHP2.js";
-import "../chunk-ZH5QZQ7C.js";
+} from "../chunk-L7JVECPE.js";
+import "../chunk-7KVM5PUW.js";
 export {
   createProcessEnvPlugin,
   processEnvEntriesFromObject,

package/dist/runtime/index.cjs

@@ -1856,7 +1856,7 @@ function getNamespaceDefinition(manifest, namespaceOrKey) {
   const namespace = namespaceOrKey.includes(".") ? getNamespaceNameForKey(namespaceOrKey) : namespaceOrKey;
   return manifest.namespaces[namespace] ?? DEFAULT_DATA_NAMESPACE;
 }
-function ensureProjectionAllowed(manifest, key, target) {
+function ensureProjectionAllowed(manifest, key, target, options = {}) {
   const namespace = getNamespaceNameForKey(key);
   const definition = getNamespaceDefinition(manifest, namespace);
   if (definition.kind !== "data") {
@@ -1865,6 +1865,9 @@ function ensureProjectionAllowed(manifest, key, target) {
     );
   }
   if (definition.sensitive) {
+    if (target === "env" && namespace === "secret" && options.allowSecretForEnv) {
+      return;
+    }
     throw new CnosSecurityError(
       `Cannot promote ${key} to ${target} because namespace "${namespace}" is sensitive.`
     );
@@ -3278,7 +3281,7 @@ function normalizeEnvValue(value) {
   return JSON.stringify(value);
 }
 function toEnv(graph, manifest, options = {}, helpers = {}) {
-  const includeSecrets = options.includeSecrets ?? true;
+  const includeSecrets = options.includeSecrets ?? false;
   const output = {};
   const mappedEntries = Object.entries(manifest.envMapping.explicit).sort(
     ([left], [right]) => left.localeCompare(right)
@@ -3289,19 +3292,24 @@ function toEnv(graph, manifest, options = {}, helpers = {}) {
       continue;
     }
     const namespaceDefinition = getNamespaceDefinition(manifest, entry.namespace);
-    if (namespaceDefinition.kind !== "data" || !namespaceDefinition.shareable || namespaceDefinition.sensitive) {
-      continue;
-    }
-    if (entry.namespace === "secret" && !includeSecrets) {
+    const isSecretNamespace = entry.namespace === "secret";
+    if (namespaceDefinition.kind !== "data") {
       continue;
     }
-    if (isSecretReference(entry.value)) {
+    if (isSecretNamespace) {
+      if (!includeSecrets) {
+        continue;
+      }
+    } else if (!namespaceDefinition.shareable || namespaceDefinition.sensitive) {
       continue;
     }
     const value = helpers.read ? helpers.read(logicalKey) : entry.value;
     if (value === void 0) {
       continue;
     }
+    if (isSecretReference(value) || !isSecretNamespace && isSecretReference(entry.value)) {
+      continue;
+    }
     output[envVar] = normalizeEnvValue(value);
   }
   return output;
@@ -3711,7 +3719,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.8.4",
+  version: "1.9.1",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/runtime/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "../chunk-LDFKY65G.js";
-import "../chunk-DL5G3QSZ.js";
-import "../chunk-O2KTQ6PB.js";
-import "../chunk-JQLV4OQU.js";
-import "../chunk-4AAA2RHV.js";
-import "../chunk-UMVFSHP2.js";
-import "../chunk-N5DX5QEB.js";
-import "../chunk-36AR262B.js";
-import "../chunk-EJT2VJTM.js";
-import "../chunk-ZH5QZQ7C.js";
+} from "../chunk-L6ZMJPA6.js";
+import "../chunk-NVFACB64.js";
+import "../chunk-MYG6EPUX.js";
+import "../chunk-LURQ4LAK.js";
+import "../chunk-A2WG3ZKW.js";
+import "../chunk-L7JVECPE.js";
+import "../chunk-6QQPHDUI.js";
+import "../chunk-7JZO6XN3.js";
+import "../chunk-2JBA2LXU.js";
+import "../chunk-7KVM5PUW.js";
 export {
   runtime_default as default
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos",
-  "version": "1.8.4",
+  "version": "1.9.1",
   "description": "Batteries-included CNOS runtime package wired with the official plugins.",
   "type": "module",
   "main": "./dist/index.cjs",