@kitsy/cnos 1.9.1 → 1.10.0

package/dist/runtime/index.cjs

@@ -1339,6 +1339,134 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
+// ../core/src/spec/normalizeSpecRule.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["string", "number", "boolean", "object", "array"]);
+var SECRET_FORBIDDEN_FIELDS = ["default", "examples", "enum"];
+function hasOwn(target, key) {
+  return Object.prototype.hasOwnProperty.call(target, key);
+}
+function normalizeOptionalString(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be a string.`);
+  }
+  const nextValue = value.trim();
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeStringArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  const nextValue = value.map((entry) => {
+    if (typeof entry !== "string") {
+      throw new CnosManifestError(
+        `Invalid schema rule for ${logicalKey}: "${fieldName}" entries must be strings.`
+      );
+    }
+    return entry.trim();
+  }).filter(Boolean);
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeUnknownArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  return value.length > 0 ? value : void 0;
+}
+function assertValidPatternRegex(pattern, logicalKey) {
+  try {
+    void new RegExp(pattern);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new CnosManifestError(
+      `Invalid schema rule for ${logicalKey}: "pattern" must be a valid regex (${reason}).`
+    );
+  }
+}
+function assertSecretRuleSafety(logicalKey, rule) {
+  if (!logicalKey.startsWith("secret.")) {
+    return;
+  }
+  const offendingFields = SECRET_FORBIDDEN_FIELDS.filter((field) => hasOwn(rule, field));
+  if (offendingFields.length === 0) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Invalid schema rule for ${logicalKey}: secret specs cannot include ${offendingFields.join(", ")}. Store secret values in the vault, not schema metadata. Remove ${offendingFields.map((field) => `schema.${logicalKey}.${field}`).join(", ")} to continue.`
+  );
+}
+function normalizeSpecRule(logicalKey, rule) {
+  if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: expected an object.`);
+  }
+  const candidate = rule;
+  assertSecretRuleSafety(logicalKey, candidate);
+  const normalized = {};
+  if (candidate.type !== void 0) {
+    if (typeof candidate.type !== "string" || !ALLOWED_TYPES.has(candidate.type)) {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: unsupported type "${String(candidate.type)}".`);
+    }
+    normalized.type = candidate.type;
+  }
+  if (candidate.required !== void 0) {
+    if (typeof candidate.required !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "required" must be a boolean.`);
+    }
+    normalized.required = candidate.required;
+  }
+  if (hasOwn(candidate, "default")) {
+    normalized.default = candidate.default;
+  }
+  const normalizedEnum = normalizeUnknownArray(candidate.enum, "enum", logicalKey);
+  if (normalizedEnum !== void 0) {
+    normalized.enum = normalizedEnum;
+  }
+  const normalizedPattern = normalizeOptionalString(candidate.pattern, "pattern", logicalKey);
+  if (normalizedPattern !== void 0) {
+    assertValidPatternRegex(normalizedPattern, logicalKey);
+    normalized.pattern = normalizedPattern;
+  }
+  const normalizedSummary = normalizeOptionalString(candidate.summary, "summary", logicalKey);
+  if (normalizedSummary !== void 0) {
+    normalized.summary = normalizedSummary;
+  }
+  const normalizedDescription = normalizeOptionalString(candidate.description, "description", logicalKey);
+  if (normalizedDescription !== void 0) {
+    normalized.description = normalizedDescription;
+  }
+  const normalizedExamples = normalizeUnknownArray(candidate.examples, "examples", logicalKey);
+  if (normalizedExamples !== void 0) {
+    normalized.examples = normalizedExamples;
+  }
+  const normalizedUsedBy = normalizeStringArray(candidate.usedBy, "usedBy", logicalKey);
+  if (normalizedUsedBy !== void 0) {
+    normalized.usedBy = normalizedUsedBy;
+  }
+  if (candidate.deprecated !== void 0) {
+    if (typeof candidate.deprecated !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "deprecated" must be a boolean.`);
+    }
+    normalized.deprecated = candidate.deprecated;
+  }
+  const normalizedDeprecationMessage = normalizeOptionalString(
+    candidate.deprecationMessage,
+    "deprecationMessage",
+    logicalKey
+  );
+  if (normalizedDeprecationMessage !== void 0) {
+    normalized.deprecationMessage = normalizedDeprecationMessage;
+  }
+  return normalized;
+}
+
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -1537,6 +1665,14 @@ function normalizeVaultAuth(vaultName, provider, auth) {
     ...auth?.config ? { config: auth.config } : {}
   };
 }
+function normalizeSchema(schema) {
+  return Object.fromEntries(
+    Object.entries(schema ?? {}).map(([logicalKey, rule]) => [
+      logicalKey,
+      normalizeSpecRule(logicalKey, rule)
+    ])
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -1634,7 +1770,7 @@ function normalizeManifest(manifest) {
         }
       }
     },
-    schema: manifest.schema ?? {}
+    schema: normalizeSchema(manifest.schema)
   };
 }
 
@@ -2268,6 +2404,13 @@ function enumMatches(value, allowed) {
   const serialized = JSON.stringify(value);
   return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
 }
+function testPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function applySchemaRules(graph, schema) {
   const nextEntries = new Map(graph.entries);
   const issues = [];
@@ -2334,11 +2477,11 @@ function applySchemaRules(graph, schema) {
           key,
           message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
         });
-      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+      } else if (!testPattern(rule.pattern, coercedValue)) {
         issues.push({
           code: "schema.pattern",
           key,
-          message: `Config key ${key} does not match pattern ${rule.pattern}`
+          message: `Config key ${key} does not match pattern ${rule.pattern} (or the pattern is invalid).`
         });
       }
     }
@@ -2738,16 +2881,19 @@ function resolveVaultDefinition(vaults, vault = "default") {
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
   const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path12.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises11.appendFile)(
-    auditFile,
-    `${JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      ...event
-    })}
+  try {
+    await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
+    await (0, import_promises11.appendFile)(
+      auditFile,
+      `${JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        ...event
+      })}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch {
+  }
 }
 
 // ../core/src/secrets/secretCache.ts
@@ -3719,7 +3865,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.9.1",
+  version: "1.10.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -3924,9 +4070,30 @@ var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
 }
+function isEscapedCharacter(value, index) {
+  let slashCount = 0;
+  for (let cursor = index - 1; cursor >= 0 && value[cursor] === "\\"; cursor -= 1) {
+    slashCount += 1;
+  }
+  return slashCount % 2 === 1;
+}
+function findClosingQuote(value, quote) {
+  for (let index = 0; index < value.length; index += 1) {
+    if (value[index] !== quote) {
+      continue;
+    }
+    if (quote === '"' && isEscapedCharacter(value, index)) {
+      continue;
+    }
+    return index;
+  }
+  return -1;
+}
 function parseDotenv(document) {
   const parsed = {};
-  for (const rawLine of document.split(/\r?\n/)) {
+  const lines = document.split(/\r?\n/);
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+    const rawLine = lines[lineIndex] ?? "";
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
@@ -3941,10 +4108,18 @@ function parseDotenv(document) {
     if (!envVar) {
       continue;
     }
-    if (value.startsWith('"') && value.endsWith('"')) {
-      value = parseDoubleQuoted(value.slice(1, -1));
-    } else if (value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    if (value.startsWith('"') || value.startsWith("'")) {
+      const quote = value.startsWith('"') ? '"' : "'";
+      let quotedContent = value.slice(1);
+      let closingIndex = findClosingQuote(quotedContent, quote);
+      while (closingIndex === -1 && lineIndex < lines.length - 1) {
+        lineIndex += 1;
+        quotedContent = `${quotedContent}
+${lines[lineIndex] ?? ""}`;
+        closingIndex = findClosingQuote(quotedContent, quote);
+      }
+      const rawQuotedValue = closingIndex === -1 ? quotedContent : quotedContent.slice(0, closingIndex);
+      value = quote === '"' ? parseDoubleQuoted(rawQuotedValue) : rawQuotedValue;
     } else {
       value = value.replace(/\s+#.*$/, "").trim();
     }

package/dist/runtime/index.d.cts

@@ -1,4 +1,4 @@
-import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-zDTUSVx9.cjs';
+import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-Ud1o2MBn.cjs';
 
 interface CnosSingleton {
     <T = unknown>(key: LogicalKey): T | undefined;

package/dist/runtime/index.d.ts

@@ -1,4 +1,4 @@
-import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-zDTUSVx9.js';
+import { b as LogicalKey, g as CnosRuntime, I as InspectResult } from '../core-Ud1o2MBn.js';
 
 interface CnosSingleton {
     <T = unknown>(key: LogicalKey): T | undefined;

package/dist/runtime/index.js

@@ -1,15 +1,15 @@
 import {
   runtime_default
-} from "../chunk-L6ZMJPA6.js";
-import "../chunk-NVFACB64.js";
-import "../chunk-MYG6EPUX.js";
-import "../chunk-LURQ4LAK.js";
-import "../chunk-A2WG3ZKW.js";
-import "../chunk-L7JVECPE.js";
-import "../chunk-6QQPHDUI.js";
-import "../chunk-7JZO6XN3.js";
-import "../chunk-2JBA2LXU.js";
-import "../chunk-7KVM5PUW.js";
+} from "../chunk-EIK7OUFP.js";
+import "../chunk-UKNL2Y4N.js";
+import "../chunk-CSA4L64V.js";
+import "../chunk-3EZGPQCE.js";
+import "../chunk-RTHKUGJV.js";
+import "../chunk-ESBHCFC6.js";
+import "../chunk-UGLATJJD.js";
+import "../chunk-A5U7EZCJ.js";
+import "../chunk-FHXLOWAB.js";
+import "../chunk-MQ4WG3K6.js";
 export {
   runtime_default as default
 };

package/dist/{toPublicEnv-CT265rzS.d.ts → toPublicEnv-C9wPSpRo.d.ts}

@@ -1,4 +1,4 @@
-import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-zDTUSVx9.js';
+import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-Ud1o2MBn.js';
 
 declare function toEnv(graph: ResolvedGraph, manifest: NormalizedManifest, options?: ToEnvOptions, helpers?: {
     read?: (key: string) => unknown;

package/dist/{toPublicEnv-Ds1DRwCX.d.cts → toPublicEnv-fUZMRUOz.d.cts}

@@ -1,4 +1,4 @@
-import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-zDTUSVx9.cjs';
+import { R as ResolvedGraph, N as NormalizedManifest, T as ToEnvOptions, c as ToPublicEnvOptions } from './core-Ud1o2MBn.cjs';
 
 declare function toEnv(graph: ResolvedGraph, manifest: NormalizedManifest, options?: ToEnvOptions, helpers?: {
     read?: (key: string) => unknown;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kitsy/cnos",
-  "version": "1.9.1",
+  "version": "1.10.0",
   "description": "Batteries-included CNOS runtime package wired with the official plugins.",
   "type": "module",
   "main": "./dist/index.cjs",