@kitsy/cnos 1.9.1 → 1.10.0

package/dist/{chunk-7KVM5PUW.js → chunk-MQ4WG3K6.js}

@@ -1355,6 +1355,134 @@ function resolveRemoteRootCachePaths(uri, processEnv = process.env) {
 import { readFile as readFile3 } from "fs/promises";
 import path6 from "path";
 
+// ../core/src/spec/normalizeSpecRule.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["string", "number", "boolean", "object", "array"]);
+var SECRET_FORBIDDEN_FIELDS = ["default", "examples", "enum"];
+function hasOwn(target, key) {
+  return Object.prototype.hasOwnProperty.call(target, key);
+}
+function normalizeOptionalString(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be a string.`);
+  }
+  const nextValue = value.trim();
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeStringArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  const nextValue = value.map((entry) => {
+    if (typeof entry !== "string") {
+      throw new CnosManifestError(
+        `Invalid schema rule for ${logicalKey}: "${fieldName}" entries must be strings.`
+      );
+    }
+    return entry.trim();
+  }).filter(Boolean);
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeUnknownArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  return value.length > 0 ? value : void 0;
+}
+function assertValidPatternRegex(pattern, logicalKey) {
+  try {
+    void new RegExp(pattern);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new CnosManifestError(
+      `Invalid schema rule for ${logicalKey}: "pattern" must be a valid regex (${reason}).`
+    );
+  }
+}
+function assertSecretRuleSafety(logicalKey, rule) {
+  if (!logicalKey.startsWith("secret.")) {
+    return;
+  }
+  const offendingFields = SECRET_FORBIDDEN_FIELDS.filter((field) => hasOwn(rule, field));
+  if (offendingFields.length === 0) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Invalid schema rule for ${logicalKey}: secret specs cannot include ${offendingFields.join(", ")}. Store secret values in the vault, not schema metadata. Remove ${offendingFields.map((field) => `schema.${logicalKey}.${field}`).join(", ")} to continue.`
+  );
+}
+function normalizeSpecRule(logicalKey, rule) {
+  if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: expected an object.`);
+  }
+  const candidate = rule;
+  assertSecretRuleSafety(logicalKey, candidate);
+  const normalized = {};
+  if (candidate.type !== void 0) {
+    if (typeof candidate.type !== "string" || !ALLOWED_TYPES.has(candidate.type)) {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: unsupported type "${String(candidate.type)}".`);
+    }
+    normalized.type = candidate.type;
+  }
+  if (candidate.required !== void 0) {
+    if (typeof candidate.required !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "required" must be a boolean.`);
+    }
+    normalized.required = candidate.required;
+  }
+  if (hasOwn(candidate, "default")) {
+    normalized.default = candidate.default;
+  }
+  const normalizedEnum = normalizeUnknownArray(candidate.enum, "enum", logicalKey);
+  if (normalizedEnum !== void 0) {
+    normalized.enum = normalizedEnum;
+  }
+  const normalizedPattern = normalizeOptionalString(candidate.pattern, "pattern", logicalKey);
+  if (normalizedPattern !== void 0) {
+    assertValidPatternRegex(normalizedPattern, logicalKey);
+    normalized.pattern = normalizedPattern;
+  }
+  const normalizedSummary = normalizeOptionalString(candidate.summary, "summary", logicalKey);
+  if (normalizedSummary !== void 0) {
+    normalized.summary = normalizedSummary;
+  }
+  const normalizedDescription = normalizeOptionalString(candidate.description, "description", logicalKey);
+  if (normalizedDescription !== void 0) {
+    normalized.description = normalizedDescription;
+  }
+  const normalizedExamples = normalizeUnknownArray(candidate.examples, "examples", logicalKey);
+  if (normalizedExamples !== void 0) {
+    normalized.examples = normalizedExamples;
+  }
+  const normalizedUsedBy = normalizeStringArray(candidate.usedBy, "usedBy", logicalKey);
+  if (normalizedUsedBy !== void 0) {
+    normalized.usedBy = normalizedUsedBy;
+  }
+  if (candidate.deprecated !== void 0) {
+    if (typeof candidate.deprecated !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "deprecated" must be a boolean.`);
+    }
+    normalized.deprecated = candidate.deprecated;
+  }
+  const normalizedDeprecationMessage = normalizeOptionalString(
+    candidate.deprecationMessage,
+    "deprecationMessage",
+    logicalKey
+  );
+  if (normalizedDeprecationMessage !== void 0) {
+    normalized.deprecationMessage = normalizedDeprecationMessage;
+  }
+  return normalized;
+}
+
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -1553,6 +1681,14 @@ function normalizeVaultAuth(vaultName, provider, auth) {
     ...auth?.config ? { config: auth.config } : {}
   };
 }
+function normalizeSchema(schema) {
+  return Object.fromEntries(
+    Object.entries(schema ?? {}).map(([logicalKey, rule]) => [
+      logicalKey,
+      normalizeSpecRule(logicalKey, rule)
+    ])
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -1650,7 +1786,7 @@ function normalizeManifest(manifest) {
         }
       }
     },
-    schema: manifest.schema ?? {}
+    schema: normalizeSchema(manifest.schema)
   };
 }
 
@@ -2201,16 +2337,19 @@ import { appendFile, mkdir as mkdir5 } from "fs/promises";
 import path9 from "path";
 async function appendAuditEvent(event, processEnv = process.env) {
   const auditFile = processEnv.CNOS_AUDIT_FILE ?? path9.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await mkdir5(path9.dirname(auditFile), { recursive: true });
-  await appendFile(
-    auditFile,
-    `${JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      ...event
-    })}
+  try {
+    await mkdir5(path9.dirname(auditFile), { recursive: true });
+    await appendFile(
+      auditFile,
+      `${JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        ...event
+      })}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch {
+  }
 }
 
 // ../core/src/secrets/providers/local.ts
@@ -3380,6 +3519,13 @@ function enumMatches(value, allowed) {
   const serialized = JSON.stringify(value);
   return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
 }
+function testPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function applySchemaRules(graph, schema) {
   const nextEntries = new Map(graph.entries);
   const issues = [];
@@ -3446,11 +3592,11 @@ function applySchemaRules(graph, schema) {
           key,
           message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
         });
-      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+      } else if (!testPattern(rule.pattern, coercedValue)) {
         issues.push({
           code: "schema.pattern",
           key,
-          message: `Config key ${key} does not match pattern ${rule.pattern}`
+          message: `Config key ${key} does not match pattern ${rule.pattern} (or the pattern is invalid).`
         });
       }
     }

package/dist/{chunk-LURQ4LAK.js → chunk-RTHKUGJV.js}

@@ -1,7 +1,7 @@
 import {
   toEnv,
   toPublicEnv
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // ../../plugins/env-export/src/index.ts
 function createEnvExportPlugin() {

package/dist/{chunk-L7JVECPE.js → chunk-UGLATJJD.js}

@@ -1,6 +1,6 @@
 import {
   envVarToLogicalKey
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // ../../plugins/process-env/src/index.ts
 var PROCESS_ENV_PLUGIN_ID = "@kitsy/cnos/plugins/process-env";

package/dist/{chunk-NVFACB64.js → chunk-UKNL2Y4N.js}

@@ -1,6 +1,6 @@
 import {
   isSecretReference
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // src/runtime/bootstrap.ts
 import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

package/dist/configure/index.cjs

@@ -1342,6 +1342,134 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
+// ../core/src/spec/normalizeSpecRule.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["string", "number", "boolean", "object", "array"]);
+var SECRET_FORBIDDEN_FIELDS = ["default", "examples", "enum"];
+function hasOwn(target, key) {
+  return Object.prototype.hasOwnProperty.call(target, key);
+}
+function normalizeOptionalString(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be a string.`);
+  }
+  const nextValue = value.trim();
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeStringArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  const nextValue = value.map((entry) => {
+    if (typeof entry !== "string") {
+      throw new CnosManifestError(
+        `Invalid schema rule for ${logicalKey}: "${fieldName}" entries must be strings.`
+      );
+    }
+    return entry.trim();
+  }).filter(Boolean);
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeUnknownArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  return value.length > 0 ? value : void 0;
+}
+function assertValidPatternRegex(pattern, logicalKey) {
+  try {
+    void new RegExp(pattern);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new CnosManifestError(
+      `Invalid schema rule for ${logicalKey}: "pattern" must be a valid regex (${reason}).`
+    );
+  }
+}
+function assertSecretRuleSafety(logicalKey, rule) {
+  if (!logicalKey.startsWith("secret.")) {
+    return;
+  }
+  const offendingFields = SECRET_FORBIDDEN_FIELDS.filter((field) => hasOwn(rule, field));
+  if (offendingFields.length === 0) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Invalid schema rule for ${logicalKey}: secret specs cannot include ${offendingFields.join(", ")}. Store secret values in the vault, not schema metadata. Remove ${offendingFields.map((field) => `schema.${logicalKey}.${field}`).join(", ")} to continue.`
+  );
+}
+function normalizeSpecRule(logicalKey, rule) {
+  if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: expected an object.`);
+  }
+  const candidate = rule;
+  assertSecretRuleSafety(logicalKey, candidate);
+  const normalized = {};
+  if (candidate.type !== void 0) {
+    if (typeof candidate.type !== "string" || !ALLOWED_TYPES.has(candidate.type)) {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: unsupported type "${String(candidate.type)}".`);
+    }
+    normalized.type = candidate.type;
+  }
+  if (candidate.required !== void 0) {
+    if (typeof candidate.required !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "required" must be a boolean.`);
+    }
+    normalized.required = candidate.required;
+  }
+  if (hasOwn(candidate, "default")) {
+    normalized.default = candidate.default;
+  }
+  const normalizedEnum = normalizeUnknownArray(candidate.enum, "enum", logicalKey);
+  if (normalizedEnum !== void 0) {
+    normalized.enum = normalizedEnum;
+  }
+  const normalizedPattern = normalizeOptionalString(candidate.pattern, "pattern", logicalKey);
+  if (normalizedPattern !== void 0) {
+    assertValidPatternRegex(normalizedPattern, logicalKey);
+    normalized.pattern = normalizedPattern;
+  }
+  const normalizedSummary = normalizeOptionalString(candidate.summary, "summary", logicalKey);
+  if (normalizedSummary !== void 0) {
+    normalized.summary = normalizedSummary;
+  }
+  const normalizedDescription = normalizeOptionalString(candidate.description, "description", logicalKey);
+  if (normalizedDescription !== void 0) {
+    normalized.description = normalizedDescription;
+  }
+  const normalizedExamples = normalizeUnknownArray(candidate.examples, "examples", logicalKey);
+  if (normalizedExamples !== void 0) {
+    normalized.examples = normalizedExamples;
+  }
+  const normalizedUsedBy = normalizeStringArray(candidate.usedBy, "usedBy", logicalKey);
+  if (normalizedUsedBy !== void 0) {
+    normalized.usedBy = normalizedUsedBy;
+  }
+  if (candidate.deprecated !== void 0) {
+    if (typeof candidate.deprecated !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "deprecated" must be a boolean.`);
+    }
+    normalized.deprecated = candidate.deprecated;
+  }
+  const normalizedDeprecationMessage = normalizeOptionalString(
+    candidate.deprecationMessage,
+    "deprecationMessage",
+    logicalKey
+  );
+  if (normalizedDeprecationMessage !== void 0) {
+    normalized.deprecationMessage = normalizedDeprecationMessage;
+  }
+  return normalized;
+}
+
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -1540,6 +1668,14 @@ function normalizeVaultAuth(vaultName, provider, auth) {
     ...auth?.config ? { config: auth.config } : {}
   };
 }
+function normalizeSchema(schema) {
+  return Object.fromEntries(
+    Object.entries(schema ?? {}).map(([logicalKey, rule]) => [
+      logicalKey,
+      normalizeSpecRule(logicalKey, rule)
+    ])
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -1637,7 +1773,7 @@ function normalizeManifest(manifest) {
         }
       }
     },
-    schema: manifest.schema ?? {}
+    schema: normalizeSchema(manifest.schema)
   };
 }
 
@@ -2271,6 +2407,13 @@ function enumMatches(value, allowed) {
   const serialized = JSON.stringify(value);
   return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
 }
+function testPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function applySchemaRules(graph, schema) {
   const nextEntries = new Map(graph.entries);
   const issues = [];
@@ -2337,11 +2480,11 @@ function applySchemaRules(graph, schema) {
           key,
           message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
         });
-      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+      } else if (!testPattern(rule.pattern, coercedValue)) {
         issues.push({
           code: "schema.pattern",
           key,
-          message: `Config key ${key} does not match pattern ${rule.pattern}`
+          message: `Config key ${key} does not match pattern ${rule.pattern} (or the pattern is invalid).`
         });
       }
     }
@@ -2741,16 +2884,19 @@ function resolveVaultDefinition(vaults, vault = "default") {
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
   const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path12.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises11.appendFile)(
-    auditFile,
-    `${JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      ...event
-    })}
+  try {
+    await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
+    await (0, import_promises11.appendFile)(
+      auditFile,
+      `${JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        ...event
+      })}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch {
+  }
 }
 
 // ../core/src/secrets/secretCache.ts
@@ -3764,7 +3910,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.9.1",
+  version: "1.10.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -3969,9 +4115,30 @@ var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
 }
+function isEscapedCharacter(value, index) {
+  let slashCount = 0;
+  for (let cursor = index - 1; cursor >= 0 && value[cursor] === "\\"; cursor -= 1) {
+    slashCount += 1;
+  }
+  return slashCount % 2 === 1;
+}
+function findClosingQuote(value, quote) {
+  for (let index = 0; index < value.length; index += 1) {
+    if (value[index] !== quote) {
+      continue;
+    }
+    if (quote === '"' && isEscapedCharacter(value, index)) {
+      continue;
+    }
+    return index;
+  }
+  return -1;
+}
 function parseDotenv(document) {
   const parsed = {};
-  for (const rawLine of document.split(/\r?\n/)) {
+  const lines = document.split(/\r?\n/);
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+    const rawLine = lines[lineIndex] ?? "";
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
@@ -3986,10 +4153,18 @@ function parseDotenv(document) {
     if (!envVar) {
       continue;
     }
-    if (value.startsWith('"') && value.endsWith('"')) {
-      value = parseDoubleQuoted(value.slice(1, -1));
-    } else if (value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    if (value.startsWith('"') || value.startsWith("'")) {
+      const quote = value.startsWith('"') ? '"' : "'";
+      let quotedContent = value.slice(1);
+      let closingIndex = findClosingQuote(quotedContent, quote);
+      while (closingIndex === -1 && lineIndex < lines.length - 1) {
+        lineIndex += 1;
+        quotedContent = `${quotedContent}
+${lines[lineIndex] ?? ""}`;
+        closingIndex = findClosingQuote(quotedContent, quote);
+      }
+      const rawQuotedValue = closingIndex === -1 ? quotedContent : quotedContent.slice(0, closingIndex);
+      value = quote === '"' ? parseDoubleQuoted(rawQuotedValue) : rawQuotedValue;
     } else {
       value = value.replace(/\s+#.*$/, "").trim();
     }

package/dist/configure/index.d.cts

@@ -1,6 +1,6 @@
-import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-zDTUSVx9.cjs';
-export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-zDTUSVx9.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Ds1DRwCX.cjs';
+import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-Ud1o2MBn.cjs';
+export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-Ud1o2MBn.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-fUZMRUOz.cjs';
 
 declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
 declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;

package/dist/configure/index.d.ts

@@ -1,6 +1,6 @@
-import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-zDTUSVx9.js';
-export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-zDTUSVx9.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CT265rzS.js';
+import { R as ResolvedGraph, D as DumpPlanOptions, d as DumpPlan, e as DumpOptions, f as DumpResult, C as CnosCreateOptions, g as CnosRuntime, h as CnosPlugin } from '../core-Ud1o2MBn.js';
+export { a as ConfigEntry, i as DerivedFormula, j as DerivedValue, k as ExprNode, I as InspectResult, L as LoaderPlugin, b as LogicalKey, M as ManifestFile, N as NormalizedManifest, P as ParsedDerivation, l as RuntimeProvider, T as ToEnvOptions, c as ToPublicEnvOptions } from '../core-Ud1o2MBn.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-C9wPSpRo.js';
 
 declare function planDump(graph: ResolvedGraph, options?: DumpPlanOptions): DumpPlan;
 declare function writeDump(graph: ResolvedGraph, options: DumpOptions): Promise<DumpResult>;

package/dist/configure/index.js

@@ -1,19 +1,19 @@
 import {
   createCnos,
   defaultPlugins
-} from "../chunk-MYG6EPUX.js";
-import "../chunk-LURQ4LAK.js";
-import "../chunk-A2WG3ZKW.js";
-import "../chunk-L7JVECPE.js";
-import "../chunk-6QQPHDUI.js";
-import "../chunk-7JZO6XN3.js";
-import "../chunk-2JBA2LXU.js";
+} from "../chunk-CSA4L64V.js";
+import "../chunk-3EZGPQCE.js";
+import "../chunk-RTHKUGJV.js";
+import "../chunk-ESBHCFC6.js";
+import "../chunk-UGLATJJD.js";
+import "../chunk-A5U7EZCJ.js";
+import "../chunk-FHXLOWAB.js";
 import {
   planDump,
   toEnv,
   toPublicEnv,
   writeDump
-} from "../chunk-7KVM5PUW.js";
+} from "../chunk-MQ4WG3K6.js";
 export {
   createCnos,
   defaultPlugins,

package/dist/{core-zDTUSVx9.d.cts → core-Ud1o2MBn.d.cts}

@@ -6,12 +6,19 @@ interface ProfileActivation {
     envFiles: string[];
 }
 
-interface SchemaRule {
-    type?: 'string' | 'number' | 'boolean' | 'object' | 'array';
+type ConfigSpecValueType = 'string' | 'number' | 'boolean' | 'object' | 'array';
+interface ConfigSpecRule {
+    type?: ConfigSpecValueType;
     required?: boolean;
     enum?: unknown[];
     pattern?: string;
     default?: unknown;
+    summary?: string;
+    description?: string;
+    examples?: unknown[];
+    usedBy?: string[];
+    deprecated?: boolean;
+    deprecationMessage?: string;
 }
 
 type WorkspaceSource = 'cli' | 'workspace-file' | 'anchor-file' | 'manifest-default' | 'implicit' | 'directory-inferred';
@@ -143,7 +150,7 @@ interface ManifestFile {
             targets?: Partial<Record<'value' | 'secret', string>>;
         };
     };
-    schema?: Record<LogicalKey, SchemaRule>;
+    schema?: Record<LogicalKey, ConfigSpecRule>;
 }
 interface NormalizedManifest {
     version: 1;
@@ -192,7 +199,7 @@ interface NormalizedManifest {
             targets: Record<'value' | 'secret', string>;
         };
     };
-    schema: Record<LogicalKey, SchemaRule>;
+    schema: Record<LogicalKey, ConfigSpecRule>;
 }
 interface LoadManifestOptions {
     root?: string;
@@ -232,7 +239,7 @@ interface LoaderContext {
 }
 interface ValidationContext {
     manifest: NormalizedManifest;
-    schema?: Record<LogicalKey, SchemaRule>;
+    schema?: Record<LogicalKey, ConfigSpecRule>;
 }
 interface ExportContext {
     manifest: NormalizedManifest;

package/dist/{core-zDTUSVx9.d.ts → core-Ud1o2MBn.d.ts}

@@ -6,12 +6,19 @@ interface ProfileActivation {
     envFiles: string[];
 }
 
-interface SchemaRule {
-    type?: 'string' | 'number' | 'boolean' | 'object' | 'array';
+type ConfigSpecValueType = 'string' | 'number' | 'boolean' | 'object' | 'array';
+interface ConfigSpecRule {
+    type?: ConfigSpecValueType;
     required?: boolean;
     enum?: unknown[];
     pattern?: string;
     default?: unknown;
+    summary?: string;
+    description?: string;
+    examples?: unknown[];
+    usedBy?: string[];
+    deprecated?: boolean;
+    deprecationMessage?: string;
 }
 
 type WorkspaceSource = 'cli' | 'workspace-file' | 'anchor-file' | 'manifest-default' | 'implicit' | 'directory-inferred';
@@ -143,7 +150,7 @@ interface ManifestFile {
             targets?: Partial<Record<'value' | 'secret', string>>;
         };
     };
-    schema?: Record<LogicalKey, SchemaRule>;
+    schema?: Record<LogicalKey, ConfigSpecRule>;
 }
 interface NormalizedManifest {
     version: 1;
@@ -192,7 +199,7 @@ interface NormalizedManifest {
             targets: Record<'value' | 'secret', string>;
         };
     };
-    schema: Record<LogicalKey, SchemaRule>;
+    schema: Record<LogicalKey, ConfigSpecRule>;
 }
 interface LoadManifestOptions {
     root?: string;
@@ -232,7 +239,7 @@ interface LoaderContext {
 }
 interface ValidationContext {
     manifest: NormalizedManifest;
-    schema?: Record<LogicalKey, SchemaRule>;
+    schema?: Record<LogicalKey, ConfigSpecRule>;
 }
 interface ExportContext {
     manifest: NormalizedManifest;

package/dist/{envNaming-BkorOKW_.d.ts → envNaming-CPwXl4I6.d.ts}

@@ -1,4 +1,4 @@
-import { N as NormalizedManifest, b as LogicalKey } from './core-zDTUSVx9.js';
+import { N as NormalizedManifest, b as LogicalKey } from './core-Ud1o2MBn.js';
 
 interface EnvMappingConfig {
     convention?: NormalizedManifest['envMapping']['convention'];