@kitsy/cnos 1.9.2 → 1.10.0

package/dist/build/index.cjs

@@ -1340,6 +1340,134 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
+// ../core/src/spec/normalizeSpecRule.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["string", "number", "boolean", "object", "array"]);
+var SECRET_FORBIDDEN_FIELDS = ["default", "examples", "enum"];
+function hasOwn(target, key) {
+  return Object.prototype.hasOwnProperty.call(target, key);
+}
+function normalizeOptionalString(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be a string.`);
+  }
+  const nextValue = value.trim();
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeStringArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  const nextValue = value.map((entry) => {
+    if (typeof entry !== "string") {
+      throw new CnosManifestError(
+        `Invalid schema rule for ${logicalKey}: "${fieldName}" entries must be strings.`
+      );
+    }
+    return entry.trim();
+  }).filter(Boolean);
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeUnknownArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  return value.length > 0 ? value : void 0;
+}
+function assertValidPatternRegex(pattern, logicalKey) {
+  try {
+    void new RegExp(pattern);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new CnosManifestError(
+      `Invalid schema rule for ${logicalKey}: "pattern" must be a valid regex (${reason}).`
+    );
+  }
+}
+function assertSecretRuleSafety(logicalKey, rule) {
+  if (!logicalKey.startsWith("secret.")) {
+    return;
+  }
+  const offendingFields = SECRET_FORBIDDEN_FIELDS.filter((field) => hasOwn(rule, field));
+  if (offendingFields.length === 0) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Invalid schema rule for ${logicalKey}: secret specs cannot include ${offendingFields.join(", ")}. Store secret values in the vault, not schema metadata. Remove ${offendingFields.map((field) => `schema.${logicalKey}.${field}`).join(", ")} to continue.`
+  );
+}
+function normalizeSpecRule(logicalKey, rule) {
+  if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: expected an object.`);
+  }
+  const candidate = rule;
+  assertSecretRuleSafety(logicalKey, candidate);
+  const normalized = {};
+  if (candidate.type !== void 0) {
+    if (typeof candidate.type !== "string" || !ALLOWED_TYPES.has(candidate.type)) {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: unsupported type "${String(candidate.type)}".`);
+    }
+    normalized.type = candidate.type;
+  }
+  if (candidate.required !== void 0) {
+    if (typeof candidate.required !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "required" must be a boolean.`);
+    }
+    normalized.required = candidate.required;
+  }
+  if (hasOwn(candidate, "default")) {
+    normalized.default = candidate.default;
+  }
+  const normalizedEnum = normalizeUnknownArray(candidate.enum, "enum", logicalKey);
+  if (normalizedEnum !== void 0) {
+    normalized.enum = normalizedEnum;
+  }
+  const normalizedPattern = normalizeOptionalString(candidate.pattern, "pattern", logicalKey);
+  if (normalizedPattern !== void 0) {
+    assertValidPatternRegex(normalizedPattern, logicalKey);
+    normalized.pattern = normalizedPattern;
+  }
+  const normalizedSummary = normalizeOptionalString(candidate.summary, "summary", logicalKey);
+  if (normalizedSummary !== void 0) {
+    normalized.summary = normalizedSummary;
+  }
+  const normalizedDescription = normalizeOptionalString(candidate.description, "description", logicalKey);
+  if (normalizedDescription !== void 0) {
+    normalized.description = normalizedDescription;
+  }
+  const normalizedExamples = normalizeUnknownArray(candidate.examples, "examples", logicalKey);
+  if (normalizedExamples !== void 0) {
+    normalized.examples = normalizedExamples;
+  }
+  const normalizedUsedBy = normalizeStringArray(candidate.usedBy, "usedBy", logicalKey);
+  if (normalizedUsedBy !== void 0) {
+    normalized.usedBy = normalizedUsedBy;
+  }
+  if (candidate.deprecated !== void 0) {
+    if (typeof candidate.deprecated !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "deprecated" must be a boolean.`);
+    }
+    normalized.deprecated = candidate.deprecated;
+  }
+  const normalizedDeprecationMessage = normalizeOptionalString(
+    candidate.deprecationMessage,
+    "deprecationMessage",
+    logicalKey
+  );
+  if (normalizedDeprecationMessage !== void 0) {
+    normalized.deprecationMessage = normalizedDeprecationMessage;
+  }
+  return normalized;
+}
+
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -1538,6 +1666,14 @@ function normalizeVaultAuth(vaultName, provider, auth) {
     ...auth?.config ? { config: auth.config } : {}
   };
 }
+function normalizeSchema(schema) {
+  return Object.fromEntries(
+    Object.entries(schema ?? {}).map(([logicalKey, rule]) => [
+      logicalKey,
+      normalizeSpecRule(logicalKey, rule)
+    ])
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -1635,7 +1771,7 @@ function normalizeManifest(manifest) {
         }
       }
     },
-    schema: manifest.schema ?? {}
+    schema: normalizeSchema(manifest.schema)
   };
 }
 
@@ -2269,6 +2405,13 @@ function enumMatches(value, allowed) {
   const serialized = JSON.stringify(value);
   return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
 }
+function testPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function applySchemaRules(graph, schema) {
   const nextEntries = new Map(graph.entries);
   const issues = [];
@@ -2335,11 +2478,11 @@ function applySchemaRules(graph, schema) {
           key,
           message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
         });
-      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+      } else if (!testPattern(rule.pattern, coercedValue)) {
         issues.push({
           code: "schema.pattern",
           key,
-          message: `Config key ${key} does not match pattern ${rule.pattern}`
+          message: `Config key ${key} does not match pattern ${rule.pattern} (or the pattern is invalid).`
         });
       }
     }
@@ -2739,16 +2882,19 @@ function resolveVaultDefinition(vaults, vault = "default") {
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
   const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path12.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises11.appendFile)(
-    auditFile,
-    `${JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      ...event
-    })}
+  try {
+    await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
+    await (0, import_promises11.appendFile)(
+      auditFile,
+      `${JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        ...event
+      })}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch {
+  }
 }
 
 // ../core/src/secrets/secretCache.ts
@@ -3720,7 +3866,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.9.2",
+  version: "1.10.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -3925,9 +4071,30 @@ var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
 }
+function isEscapedCharacter(value, index) {
+  let slashCount = 0;
+  for (let cursor = index - 1; cursor >= 0 && value[cursor] === "\\"; cursor -= 1) {
+    slashCount += 1;
+  }
+  return slashCount % 2 === 1;
+}
+function findClosingQuote(value, quote) {
+  for (let index = 0; index < value.length; index += 1) {
+    if (value[index] !== quote) {
+      continue;
+    }
+    if (quote === '"' && isEscapedCharacter(value, index)) {
+      continue;
+    }
+    return index;
+  }
+  return -1;
+}
 function parseDotenv(document) {
   const parsed = {};
-  for (const rawLine of document.split(/\r?\n/)) {
+  const lines = document.split(/\r?\n/);
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+    const rawLine = lines[lineIndex] ?? "";
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
@@ -3942,10 +4109,18 @@ function parseDotenv(document) {
     if (!envVar) {
       continue;
     }
-    if (value.startsWith('"') && value.endsWith('"')) {
-      value = parseDoubleQuoted(value.slice(1, -1));
-    } else if (value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    if (value.startsWith('"') || value.startsWith("'")) {
+      const quote = value.startsWith('"') ? '"' : "'";
+      let quotedContent = value.slice(1);
+      let closingIndex = findClosingQuote(quotedContent, quote);
+      while (closingIndex === -1 && lineIndex < lines.length - 1) {
+        lineIndex += 1;
+        quotedContent = `${quotedContent}
+${lines[lineIndex] ?? ""}`;
+        closingIndex = findClosingQuote(quotedContent, quote);
+      }
+      const rawQuotedValue = closingIndex === -1 ? quotedContent : quotedContent.slice(0, closingIndex);
+      value = quote === '"' ? parseDoubleQuoted(rawQuotedValue) : rawQuotedValue;
     } else {
       value = value.replace(/\s+#.*$/, "").trim();
     }

package/dist/build/index.d.cts

@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-zDTUSVx9.cjs';
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-Ud1o2MBn.cjs';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});

package/dist/build/index.d.ts

@@ -1,4 +1,4 @@
-import { C as CnosCreateOptions, S as ServerProjection } from '../core-zDTUSVx9.js';
+import { C as CnosCreateOptions, S as ServerProjection } from '../core-Ud1o2MBn.js';
 
 type BrowserDataMap = Record<string, unknown>;
 type FrameworkEnvTarget = 'generic' | 'vite' | 'next' | 'webpack' | (string & {});

package/dist/build/index.js

@@ -1,17 +1,17 @@
 import {
   createCnos
-} from "../chunk-CPGRRZLP.js";
-import "../chunk-LURQ4LAK.js";
-import "../chunk-A2WG3ZKW.js";
-import "../chunk-L7JVECPE.js";
-import "../chunk-6QQPHDUI.js";
-import "../chunk-7JZO6XN3.js";
-import "../chunk-2JBA2LXU.js";
+} from "../chunk-CSA4L64V.js";
+import "../chunk-3EZGPQCE.js";
+import "../chunk-RTHKUGJV.js";
+import "../chunk-ESBHCFC6.js";
+import "../chunk-UGLATJJD.js";
+import "../chunk-A5U7EZCJ.js";
+import "../chunk-FHXLOWAB.js";
 import {
   CnosManifestError,
   createSecretVaultProvider,
   isSecretReference
-} from "../chunk-7KVM5PUW.js";
+} from "../chunk-MQ4WG3K6.js";
 
 // src/build/index.ts
 async function resolveBrowserData(options = {}) {

package/dist/{chunk-2JBA2LXU.js → chunk-3EZGPQCE.js}

@@ -2,7 +2,7 @@ import {
   envVarToLogicalKey,
   resolveWorkspaceScopedPath,
   toPortablePath
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // ../../plugins/dotenv/src/index.ts
 import { readFile } from "fs/promises";
@@ -11,9 +11,30 @@ var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
 }
+function isEscapedCharacter(value, index) {
+  let slashCount = 0;
+  for (let cursor = index - 1; cursor >= 0 && value[cursor] === "\\"; cursor -= 1) {
+    slashCount += 1;
+  }
+  return slashCount % 2 === 1;
+}
+function findClosingQuote(value, quote) {
+  for (let index = 0; index < value.length; index += 1) {
+    if (value[index] !== quote) {
+      continue;
+    }
+    if (quote === '"' && isEscapedCharacter(value, index)) {
+      continue;
+    }
+    return index;
+  }
+  return -1;
+}
 function parseDotenv(document) {
   const parsed = {};
-  for (const rawLine of document.split(/\r?\n/)) {
+  const lines = document.split(/\r?\n/);
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+    const rawLine = lines[lineIndex] ?? "";
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
@@ -28,10 +49,18 @@ function parseDotenv(document) {
     if (!envVar) {
       continue;
     }
-    if (value.startsWith('"') && value.endsWith('"')) {
-      value = parseDoubleQuoted(value.slice(1, -1));
-    } else if (value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    if (value.startsWith('"') || value.startsWith("'")) {
+      const quote = value.startsWith('"') ? '"' : "'";
+      let quotedContent = value.slice(1);
+      let closingIndex = findClosingQuote(quotedContent, quote);
+      while (closingIndex === -1 && lineIndex < lines.length - 1) {
+        lineIndex += 1;
+        quotedContent = `${quotedContent}
+${lines[lineIndex] ?? ""}`;
+        closingIndex = findClosingQuote(quotedContent, quote);
+      }
+      const rawQuotedValue = closingIndex === -1 ? quotedContent : quotedContent.slice(0, closingIndex);
+      value = quote === '"' ? parseDoubleQuoted(rawQuotedValue) : rawQuotedValue;
     } else {
       value = value.replace(/\s+#.*$/, "").trim();
     }

package/dist/{chunk-6QQPHDUI.js → chunk-A5U7EZCJ.js}

@@ -1,6 +1,6 @@
 import {
   applySchemaRules
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // ../../plugins/basic-schema/src/index.ts
 function createBasicSchemaPlugin() {

package/dist/{chunk-CPGRRZLP.js → chunk-CSA4L64V.js}

@@ -1,27 +1,27 @@
+import {
+  createDotenvPlugin
+} from "./chunk-3EZGPQCE.js";
 import {
   createEnvExportPlugin,
   createPublicEnvExportPlugin
-} from "./chunk-LURQ4LAK.js";
+} from "./chunk-RTHKUGJV.js";
 import {
   createFilesystemSecretsPlugin,
   createFilesystemValuesPlugin
-} from "./chunk-A2WG3ZKW.js";
+} from "./chunk-ESBHCFC6.js";
 import {
   createProcessEnvPlugin
-} from "./chunk-L7JVECPE.js";
+} from "./chunk-UGLATJJD.js";
 import {
   createBasicSchemaPlugin
-} from "./chunk-6QQPHDUI.js";
+} from "./chunk-A5U7EZCJ.js";
 import {
   createCliArgsPlugin
-} from "./chunk-7JZO6XN3.js";
-import {
-  createDotenvPlugin
-} from "./chunk-2JBA2LXU.js";
+} from "./chunk-FHXLOWAB.js";
 import {
   createCnos,
   createProvenanceInspector
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // src/defaultPlugins.ts
 function defaultPlugins() {
@@ -68,7 +68,7 @@ function setBootstrappedSecretHydrationRequired(value) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.9.2",
+  version: "1.10.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",

package/dist/{chunk-QK7BMU47.js → chunk-EIK7OUFP.js}

@@ -3,7 +3,7 @@ import {
   graphRequiresSecretHydration,
   readRuntimeGraphFromEnv,
   readServerProjectionFromEnv
-} from "./chunk-NVFACB64.js";
+} from "./chunk-UKNL2Y4N.js";
 import {
   createCnos,
   getBootstrappedSecretHydrationRequired,
@@ -12,7 +12,7 @@ import {
   setBootstrappedSecretHydrationRequired,
   setSingletonReady,
   setSingletonRuntime
-} from "./chunk-CPGRRZLP.js";
+} from "./chunk-CSA4L64V.js";
 import {
   createDefaultRuntimeProviders,
   createDerivedRuntimeSupport,
@@ -28,7 +28,7 @@ import {
   toLogicalKey,
   toNamespaceObject,
   toPublicEnv
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // src/runtime/index.ts
 import { existsSync, readFileSync } from "fs";

package/dist/{chunk-A2WG3ZKW.js → chunk-ESBHCFC6.js}

@@ -4,7 +4,7 @@ import {
   isSecretReference,
   parseYaml,
   toPortablePath
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // ../../plugins/filesystem/src/helpers.ts
 import { readdir } from "fs/promises";

package/dist/{chunk-7JZO6XN3.js → chunk-FHXLOWAB.js}

@@ -1,6 +1,6 @@
 import {
   joinConfigPath
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-MQ4WG3K6.js";
 
 // ../../plugins/cli-args/src/index.ts
 var CLI_ARGS_PLUGIN_ID = "@kitsy/cnos/plugins/cli-args";