@kitsy/cnos 1.9.2 → 1.11.0

package/dist/build/index.cjs

@@ -1340,6 +1340,134 @@ function stripNamespace(key) {
   return key.split(".").slice(1).join(".");
 }
 
+// ../core/src/spec/normalizeSpecRule.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["string", "number", "boolean", "object", "array"]);
+var SECRET_FORBIDDEN_FIELDS = ["default", "examples", "enum"];
+function hasOwn(target, key) {
+  return Object.prototype.hasOwnProperty.call(target, key);
+}
+function normalizeOptionalString(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be a string.`);
+  }
+  const nextValue = value.trim();
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeStringArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  const nextValue = value.map((entry) => {
+    if (typeof entry !== "string") {
+      throw new CnosManifestError(
+        `Invalid schema rule for ${logicalKey}: "${fieldName}" entries must be strings.`
+      );
+    }
+    return entry.trim();
+  }).filter(Boolean);
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeUnknownArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  return value.length > 0 ? value : void 0;
+}
+function assertValidPatternRegex(pattern, logicalKey) {
+  try {
+    void new RegExp(pattern);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new CnosManifestError(
+      `Invalid schema rule for ${logicalKey}: "pattern" must be a valid regex (${reason}).`
+    );
+  }
+}
+function assertSecretRuleSafety(logicalKey, rule) {
+  if (!logicalKey.startsWith("secret.")) {
+    return;
+  }
+  const offendingFields = SECRET_FORBIDDEN_FIELDS.filter((field) => hasOwn(rule, field));
+  if (offendingFields.length === 0) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Invalid schema rule for ${logicalKey}: secret specs cannot include ${offendingFields.join(", ")}. Store secret values in the vault, not schema metadata. Remove ${offendingFields.map((field) => `schema.${logicalKey}.${field}`).join(", ")} to continue.`
+  );
+}
+function normalizeSpecRule(logicalKey, rule) {
+  if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: expected an object.`);
+  }
+  const candidate = rule;
+  assertSecretRuleSafety(logicalKey, candidate);
+  const normalized = {};
+  if (candidate.type !== void 0) {
+    if (typeof candidate.type !== "string" || !ALLOWED_TYPES.has(candidate.type)) {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: unsupported type "${String(candidate.type)}".`);
+    }
+    normalized.type = candidate.type;
+  }
+  if (candidate.required !== void 0) {
+    if (typeof candidate.required !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "required" must be a boolean.`);
+    }
+    normalized.required = candidate.required;
+  }
+  if (hasOwn(candidate, "default")) {
+    normalized.default = candidate.default;
+  }
+  const normalizedEnum = normalizeUnknownArray(candidate.enum, "enum", logicalKey);
+  if (normalizedEnum !== void 0) {
+    normalized.enum = normalizedEnum;
+  }
+  const normalizedPattern = normalizeOptionalString(candidate.pattern, "pattern", logicalKey);
+  if (normalizedPattern !== void 0) {
+    assertValidPatternRegex(normalizedPattern, logicalKey);
+    normalized.pattern = normalizedPattern;
+  }
+  const normalizedSummary = normalizeOptionalString(candidate.summary, "summary", logicalKey);
+  if (normalizedSummary !== void 0) {
+    normalized.summary = normalizedSummary;
+  }
+  const normalizedDescription = normalizeOptionalString(candidate.description, "description", logicalKey);
+  if (normalizedDescription !== void 0) {
+    normalized.description = normalizedDescription;
+  }
+  const normalizedExamples = normalizeUnknownArray(candidate.examples, "examples", logicalKey);
+  if (normalizedExamples !== void 0) {
+    normalized.examples = normalizedExamples;
+  }
+  const normalizedUsedBy = normalizeStringArray(candidate.usedBy, "usedBy", logicalKey);
+  if (normalizedUsedBy !== void 0) {
+    normalized.usedBy = normalizedUsedBy;
+  }
+  if (candidate.deprecated !== void 0) {
+    if (typeof candidate.deprecated !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "deprecated" must be a boolean.`);
+    }
+    normalized.deprecated = candidate.deprecated;
+  }
+  const normalizedDeprecationMessage = normalizeOptionalString(
+    candidate.deprecationMessage,
+    "deprecationMessage",
+    logicalKey
+  );
+  if (normalizedDeprecationMessage !== void 0) {
+    normalized.deprecationMessage = normalizedDeprecationMessage;
+  }
+  return normalized;
+}
+
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -1473,11 +1601,19 @@ function normalizeVaults(vaults) {
         throw new CnosManifestError(`Vault "${name}" requires a provider`);
       }
       const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
-      const normalizedMapping = Object.fromEntries(
-        Object.entries(definition.mapping ?? {}).filter(
-          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
-        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
-      );
+      const normalizedMapping = normalizeVaultMapping(definition.mapping);
+      const fallback = (definition.fallback ?? []).map((entry, index) => {
+        const fallbackProvider = entry.provider?.trim();
+        if (!fallbackProvider) {
+          throw new CnosManifestError(`Vault "${name}" fallback ${index + 1} requires a provider`);
+        }
+        const fallbackMapping = normalizeVaultMapping(entry.mapping);
+        return {
+          provider: fallbackProvider,
+          auth: normalizeVaultAuth(name, fallbackProvider, entry.auth),
+          ...Object.keys(fallbackMapping).length > 0 ? { mapping: fallbackMapping } : {}
+        };
+      });
       return [
         name,
         {
@@ -1485,12 +1621,20 @@ function normalizeVaults(vaults) {
           auth: normalizedAuth,
           ...Object.keys(normalizedMapping).length > 0 ? {
             mapping: normalizedMapping
-          } : {}
+          } : {},
+          ...fallback.length > 0 ? { fallback } : {}
         }
       ];
     })
   );
 }
+function normalizeVaultMapping(mapping) {
+  return Object.fromEntries(
+    Object.entries(mapping ?? {}).filter(
+      (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+    ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+  );
+}
 function normalizeAuthSources(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return void 0;
@@ -1538,6 +1682,14 @@ function normalizeVaultAuth(vaultName, provider, auth) {
     ...auth?.config ? { config: auth.config } : {}
   };
 }
+function normalizeSchema(schema) {
+  return Object.fromEntries(
+    Object.entries(schema ?? {}).map(([logicalKey, rule]) => [
+      logicalKey,
+      normalizeSpecRule(logicalKey, rule)
+    ])
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -1635,7 +1787,7 @@ function normalizeManifest(manifest) {
         }
       }
     },
-    schema: manifest.schema ?? {}
+    schema: normalizeSchema(manifest.schema)
   };
 }
 
@@ -2269,6 +2421,13 @@ function enumMatches(value, allowed) {
   const serialized = JSON.stringify(value);
   return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
 }
+function testPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function applySchemaRules(graph, schema) {
   const nextEntries = new Map(graph.entries);
   const issues = [];
@@ -2335,11 +2494,11 @@ function applySchemaRules(graph, schema) {
           key,
           message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
         });
-      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+      } else if (!testPattern(rule.pattern, coercedValue)) {
         issues.push({
           code: "schema.pattern",
           key,
-          message: `Config key ${key} does not match pattern ${rule.pattern}`
+          message: `Config key ${key} does not match pattern ${rule.pattern} (or the pattern is invalid).`
         });
       }
     }
@@ -2423,7 +2582,7 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path11.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
@@ -2739,16 +2898,19 @@ function resolveVaultDefinition(vaults, vault = "default") {
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
   const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path12.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises11.appendFile)(
-    auditFile,
-    `${JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      ...event
-    })}
+  try {
+    await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
+    await (0, import_promises11.appendFile)(
+      auditFile,
+      `${JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        ...event
+      })}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch {
+  }
 }
 
 // ../core/src/secrets/secretCache.ts
@@ -2767,6 +2929,23 @@ var SecretCache = class {
   get(vaultId, ref) {
     return this.cache.get(`${vaultId}:${ref}`);
   }
+  delete(vaultId, ref) {
+    this.cache.delete(`${vaultId}:${ref}`);
+  }
+  replace(vaultId, secrets) {
+    this.clear(vaultId);
+    this.load(vaultId, secrets);
+  }
+  entriesForVault(vaultId) {
+    const entries = /* @__PURE__ */ new Map();
+    for (const [key, value] of this.cache) {
+      const prefix = `${vaultId}:`;
+      if (key.startsWith(prefix)) {
+        entries.set(key.slice(prefix.length), value);
+      }
+    }
+    return entries;
+  }
   clear(vaultId) {
     if (!vaultId) {
       this.cache.clear();
@@ -2932,7 +3111,7 @@ var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
 };
 
 // ../core/src/secrets/providers/registry.ts
-function createSecretVaultProvider(vaultId, definition, processEnv) {
+function createSecretVaultProvider(vaultId, definition, processEnv, factories = []) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
@@ -2942,9 +3121,30 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
+  const factory = factories.find((candidate) => candidate.provider === definition.provider);
+  if (factory) {
+    return factory.create(vaultId, definition, processEnv);
+  }
   throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
 }
 
+// ../core/src/secrets/providerCompatibility.ts
+function assertSecretRefVaultProviderCompatible(manifest, ref, logicalKey = "secret ref") {
+  if (!ref.vault || !ref.provider) {
+    return;
+  }
+  const definition = manifest.vaults[ref.vault];
+  if (!definition || definition.provider === ref.provider) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Secret ref "${logicalKey}" declares provider "${ref.provider}" but vault "${ref.vault}" uses provider "${definition.provider}". Remove the ref provider or use a matching vault.`
+  );
+}
+
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -2985,6 +3185,23 @@ function toAuthError(vaultId, sources) {
     `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
   );
 }
+async function resolveTokenFromSource(source, processEnv) {
+  if (source.startsWith("env:")) {
+    return processEnv[source.slice(4)] || void 0;
+  }
+  if (source.startsWith("file:")) {
+    try {
+      const value = await (0, import_promises12.readFile)(expandHomePath(source.slice("file:".length)), "utf8");
+      return value.trim() || void 0;
+    } catch {
+      return void 0;
+    }
+  }
+  if (source.startsWith("keychain:")) {
+    return readKeychain(source.slice("keychain:".length));
+  }
+  return void 0;
+}
 async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
   const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
   if (sessionKey) {
@@ -3000,6 +3217,32 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
+  if (definition.auth?.method === "iam") {
+    return {
+      method: "iam",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.auth?.method === "environment") {
+    return {
+      method: "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const tokenSources = definition.auth?.token?.from ?? [];
+  for (const source of tokenSources) {
+    const token = await resolveTokenFromSource(source, processEnv);
+    if (token) {
+      return {
+        token,
+        method: "token",
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      };
+    }
+  }
+  if (definition.auth?.method === "token") {
+    throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...tokenSources]);
+  }
   const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
   for (const source of sources) {
     if (source.startsWith("env:")) {
@@ -3051,22 +3294,76 @@ function collectSecretDescriptors(graph) {
     ref: entry.value
   }));
 }
-async function batchResolveSecrets(graph, manifest, processEnv = process.env) {
+function secretGroupKey(manifest, descriptor) {
+  assertSecretRefVaultProviderCompatible(manifest, descriptor.ref, descriptor.logicalKey);
+  const vaultId = descriptor.ref.vault ?? "default";
+  const provider = descriptor.ref.provider ?? manifest.vaults[vaultId]?.provider ?? "local";
+  return `${vaultId}\0${provider}`;
+}
+function vaultDefinitionForRef(manifest, ref) {
+  assertSecretRefVaultProviderCompatible(manifest, ref);
+  const vaultId = ref.vault ?? "default";
+  const base = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
+  if (!ref.provider || ref.provider === base.provider) {
+    return base;
+  }
+  return {
+    ...base,
+    provider: ref.provider
+  };
+}
+async function resolveFromDefinition(vaultId, definition, refs, processEnv, factories) {
+  const runtimeDefinition = {
+    provider: definition.provider,
+    ...definition.auth ? { auth: definition.auth } : {},
+    ...definition.mapping ? { mapping: definition.mapping } : {}
+  };
+  const provider = createSecretVaultProvider(vaultId, runtimeDefinition, processEnv, factories);
+  const auth = await resolveVaultAuth(vaultId, runtimeDefinition, processEnv);
+  await provider.authenticate(auth);
+  return provider.batchGet(refs.map((entry) => entry.ref.ref));
+}
+async function batchResolveSecrets(graph, manifest, processEnv = process.env, factories = []) {
   const cache = new SecretCache();
   const descriptors = collectSecretDescriptors(graph);
   const grouped = descriptors.reduce((accumulator, descriptor) => {
-    const vaultId = descriptor.ref.vault ?? "default";
-    const bucket = accumulator.get(vaultId) ?? [];
+    const key = secretGroupKey(manifest, descriptor);
+    const bucket = accumulator.get(key) ?? [];
     bucket.push(descriptor);
-    accumulator.set(vaultId, bucket);
+    accumulator.set(key, bucket);
     return accumulator;
   }, /* @__PURE__ */ new Map());
-  for (const [vaultId, refs] of grouped) {
-    const definition = manifest.vaults[vaultId] ?? { provider: "local", auth: { passphrase: { from: [] } } };
-    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
-    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
-    await provider.authenticate(auth);
-    const resolved = await provider.batchGet(refs.map((entry) => entry.ref.ref));
+  for (const refs of grouped.values()) {
+    const first = refs[0];
+    if (!first) {
+      continue;
+    }
+    const vaultId = first.ref.vault ?? "default";
+    const definition = vaultDefinitionForRef(manifest, first.ref);
+    const definitions = [definition, ...definition.fallback ?? []];
+    const resolved = /* @__PURE__ */ new Map();
+    let remaining = refs;
+    let lastError;
+    for (const candidate of definitions) {
+      try {
+        const candidateValues = await resolveFromDefinition(vaultId, candidate, remaining, processEnv, factories);
+        for (const descriptor of remaining) {
+          const value = candidateValues.get(descriptor.ref.ref);
+          if (value !== void 0) {
+            resolved.set(descriptor.ref.ref, value);
+          }
+        }
+        remaining = remaining.filter((descriptor) => !resolved.has(descriptor.ref.ref));
+        if (remaining.length === 0) {
+          break;
+        }
+      } catch (error) {
+        lastError = error;
+      }
+    }
+    if (resolved.size === 0 && lastError) {
+      throw lastError;
+    }
     cache.load(vaultId, resolved);
     await appendAuditEvent(
       {
@@ -3087,7 +3384,11 @@ function resolveSecretEntryValue(key, value, cache) {
     return value;
   }
   const vaultId = value.vault ?? "default";
-  return cache.get(vaultId, value.ref) ?? value;
+  const resolved = cache.get(vaultId, value.ref);
+  if (resolved !== void 0 || cache.isVaultAuthenticated(vaultId)) {
+    return resolved;
+  }
+  return value;
 }
 
 // ../core/src/runtime/projection.ts
@@ -3190,19 +3491,117 @@ function configHash(values) {
 function shouldProjectResolvedValue(sourceId) {
   return sourceId !== "process-env";
 }
+var SAFE_PROJECTED_CONFIG_KEYS = /* @__PURE__ */ new Set([
+  "address",
+  "audience",
+  "clientid",
+  "endpoint",
+  "mount",
+  "namespace",
+  "path",
+  "projectid",
+  "region",
+  "scope",
+  "scopes",
+  "serviceaccountemail",
+  "tenant",
+  "tenantid",
+  "url",
+  "version",
+  "vaulturl"
+]);
+function isSafeProjectedConfigKey(key) {
+  return SAFE_PROJECTED_CONFIG_KEYS.has(key.replace(/[^A-Za-z0-9]/g, "").toLowerCase());
+}
+function sanitizeProjectedConfigValue(value) {
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeProjectedConfigValue(item));
+  }
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+  return stableSortObject(
+    Object.fromEntries(
+      Object.entries(value).map(([key, item]) => [key, sanitizeProjectedConfigValue(item)]).filter(([key, item]) => {
+        if (item && typeof item === "object" && !Array.isArray(item)) {
+          return Object.keys(item).length > 0;
+        }
+        return isSafeProjectedConfigKey(key);
+      })
+    )
+  );
+}
+function sanitizeProjectedConfig(config) {
+  const sanitized = sanitizeProjectedConfigValue(config);
+  if (!sanitized || typeof sanitized !== "object" || Array.isArray(sanitized)) {
+    return void 0;
+  }
+  return Object.keys(sanitized).length > 0 ? sanitized : void 0;
+}
+function projectVaultAuth(definition) {
+  const auth = definition.auth;
+  if (!auth) {
+    return void 0;
+  }
+  const config = auth.config ? sanitizeProjectedConfig(auth.config) : void 0;
+  const projected = {
+    ...auth.method ? { method: auth.method } : {},
+    ...auth.passphrase?.from ? {
+      passphrase: {
+        from: [...auth.passphrase.from]
+      }
+    } : {},
+    ...auth.token?.from ? {
+      token: {
+        from: [...auth.token.from]
+      }
+    } : {},
+    ...config ? { config } : {}
+  };
+  return Object.keys(projected).length > 0 ? projected : void 0;
+}
+function projectVaultDefinition(definition) {
+  const auth = projectVaultAuth(definition);
+  const mapping = definition.mapping ? stableSortObject(definition.mapping) : void 0;
+  const fallback = definition.fallback?.map((entry) => projectVaultDefinition({
+    provider: entry.provider,
+    ...entry.auth ? { auth: entry.auth } : {},
+    ...entry.mapping ? { mapping: entry.mapping } : {}
+  }));
+  return {
+    provider: definition.provider,
+    ...auth ? { auth } : {},
+    ...mapping && Object.keys(mapping).length > 0 ? { mapping } : {},
+    ...fallback && fallback.length > 0 ? { fallback } : {}
+  };
+}
+function projectReferencedVaults(manifest, vaultIds) {
+  const projected = {};
+  for (const vaultId of Array.from(vaultIds).sort((left, right) => left.localeCompare(right))) {
+    const definition = manifest.vaults[vaultId];
+    if (definition) {
+      projected[vaultId] = projectVaultDefinition(definition);
+    }
+  }
+  return Object.keys(projected).length > 0 ? projected : void 0;
+}
 function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers = {}) {
   const values = {};
   const derived = {};
   const secretRefs = {};
+  const referencedVaultIds = /* @__PURE__ */ new Set();
   const namespaces = /* @__PURE__ */ new Set();
   const runtimeNamespaces = /* @__PURE__ */ new Set();
   const publicKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "public").map((entry) => entry.key.slice("public.".length)).sort((left, right) => left.localeCompare(right));
   for (const [key, entry] of graph.entries) {
     if (entry.namespace === "secret" && isSecretReference(entry.value)) {
+      assertSecretRefVaultProviderCompatible(manifest, entry.value, key);
       const vaultId = entry.value.vault ?? "default";
+      const provider = entry.value.provider ?? manifest.vaults[vaultId]?.provider ?? "local";
       const envVar = resolveProjectedEnvVar(manifest, vaultId, entry.value.ref);
+      referencedVaultIds.add(vaultId);
       secretRefs[key.slice("secret.".length)] = {
-        provider: entry.value.provider,
+        provider,
         vault: vaultId,
         ref: entry.value.ref,
         ...envVar ? {
@@ -3248,6 +3647,7 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
       namespaces.add(entry.namespace);
     }
   }
+  const vaults = projectReferencedVaults(manifest, referencedVaultIds);
   return {
     version: 1,
     workspace: graph.workspace.workspaceId,
@@ -3257,6 +3657,7 @@ function toServerProjection(graph, manifest, cnosVersion = "0.0.0-dev", helpers
     values: stableSortObject(values),
     derived: stableSortObject(derived),
     secretRefs: stableSortObject(secretRefs),
+    ...vaults ? { vaults } : {},
     publicKeys,
     runtimeNamespaces: Array.from(runtimeNamespaces).sort((left, right) => left.localeCompare(right)),
     meta: {
@@ -3371,9 +3772,10 @@ function toPublicEnv(graph, manifest, options = {}, helpers = {}) {
 }
 
 // ../core/src/orchestrator/runtime.ts
-function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev") {
+function createRuntime(manifest, graph, plugins = [], secretCache, processEnv = process.env, cnosVersion = "0.0.0-dev", secretVaultProviders = []) {
   const runtimeProviders = createDefaultRuntimeProviders(manifest, processEnv);
   const derivedSupport = createDerivedRuntimeSupport(graph, manifest, runtimeProviders);
+  let activeSecretCache = secretCache;
   function resolveProjectedSourceKey(key) {
     if (!key.startsWith("public.")) {
       return key;
@@ -3390,30 +3792,38 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     if (!entry || entry.namespace !== "secret" || !isSecretReference(entry.value)) {
       return;
     }
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return;
     }
     const vaultId = entry.value.vault ?? "default";
-    const definition = manifest.vaults[vaultId] ?? {
-      provider: entry.value.provider,
-      auth: { passphrase: { from: [] } }
-    };
-    const provider = createSecretVaultProvider(vaultId, definition, processEnv);
-    const auth = await resolveVaultAuth(vaultId, definition, processEnv);
-    await provider.authenticate(auth);
-    const value = await provider.get(entry.value.ref);
-    if (value !== void 0) {
-      secretCache.load(vaultId, /* @__PURE__ */ new Map([[entry.value.ref, value]]));
+    const refreshed = await batchResolveSecrets(
+      {
+        ...graph,
+        entries: /* @__PURE__ */ new Map([[key, entry]])
+      },
+      manifest,
+      processEnv,
+      secretVaultProviders
+    );
+    const resolved = refreshed.get(vaultId, entry.value.ref);
+    const existing = activeSecretCache.entriesForVault(vaultId);
+    existing.delete(entry.value.ref);
+    if (resolved !== void 0) {
+      existing.set(entry.value.ref, resolved);
     }
+    activeSecretCache.replace(vaultId, existing);
   }
   async function refreshAllSecrets() {
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return;
     }
-    const secretKeys = Array.from(graph.entries.values()).filter((entry) => entry.namespace === "secret" && isSecretReference(entry.value)).map((entry) => entry.key);
-    for (const key of secretKeys) {
-      await refreshSecretEntry(key);
-    }
+    const refreshed = await batchResolveSecrets(
+      graph,
+      manifest,
+      processEnv,
+      secretVaultProviders
+    );
+    activeSecretCache = refreshed;
   }
   function readLogicalKey(key) {
     const resolved = derivedSupport.read(key, (ref) => {
@@ -3421,10 +3831,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
       if (!entry2) {
         return void 0;
       }
-      if (!secretCache) {
+      if (!activeSecretCache) {
         return entry2.value;
       }
-      return resolveSecretEntryValue(ref, entry2.value, secretCache);
+      return resolveSecretEntryValue(ref, entry2.value, activeSecretCache);
     });
     if (resolved !== void 0 || graph.entries.has(key) || manifest.runtimeNamespaces[key.split(".")[0] ?? ""]) {
       return resolved;
@@ -3433,10 +3843,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
     if (!entry) {
       return void 0;
     }
-    if (!secretCache) {
+    if (!activeSecretCache) {
       return entry.value;
     }
-    return resolveSecretEntryValue(key, entry.value, secretCache);
+    return resolveSecretEntryValue(key, entry.value, activeSecretCache);
   }
   return {
     manifest,
@@ -3473,10 +3883,10 @@ function createRuntime(manifest, graph, plugins = [], secretCache, processEnv =
           if (!entry) {
             return void 0;
           }
-          if (!secretCache) {
+          if (!activeSecretCache) {
             return entry.value;
           }
-          return resolveSecretEntryValue(candidate, entry.value, secretCache);
+          return resolveSecretEntryValue(candidate, entry.value, activeSecretCache);
         })
       });
     },
@@ -3667,7 +4077,12 @@ async function createCnos(options = {}) {
   });
   const schemaApplied = applySchemaRules(graph, loadedManifest.manifest.schema);
   const promotedGraph = promoteToPublic(schemaApplied.graph, loadedManifest.manifest);
-  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(promotedGraph, loadedManifest.manifest, options.processEnv);
+  const secretCache = options.secretResolution === "lazy" ? new SecretCache() : await batchResolveSecrets(
+    promotedGraph,
+    loadedManifest.manifest,
+    options.processEnv,
+    options.secretVaultProviders
+  );
   return createRuntime(
     loadedManifest.manifest,
     appendMetaEntries({
@@ -3677,12 +4092,13 @@ async function createCnos(options = {}) {
     plugins,
     secretCache,
     options.processEnv,
-    options.cnosVersion
+    options.cnosVersion,
+    options.secretVaultProviders
   );
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
@@ -3720,7 +4136,7 @@ function envVarToLogicalKey(envVar, config = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos",
-  version: "1.9.2",
+  version: "1.11.0",
   description: "Batteries-included CNOS runtime package wired with the official plugins.",
   type: "module",
   main: "./dist/index.cjs",
@@ -3919,15 +4335,36 @@ function createCliArgsPlugin() {
 }
 
 // ../../plugins/dotenv/src/index.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
 }
+function isEscapedCharacter(value, index) {
+  let slashCount = 0;
+  for (let cursor = index - 1; cursor >= 0 && value[cursor] === "\\"; cursor -= 1) {
+    slashCount += 1;
+  }
+  return slashCount % 2 === 1;
+}
+function findClosingQuote(value, quote) {
+  for (let index = 0; index < value.length; index += 1) {
+    if (value[index] !== quote) {
+      continue;
+    }
+    if (quote === '"' && isEscapedCharacter(value, index)) {
+      continue;
+    }
+    return index;
+  }
+  return -1;
+}
 function parseDotenv(document) {
   const parsed = {};
-  for (const rawLine of document.split(/\r?\n/)) {
+  const lines = document.split(/\r?\n/);
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+    const rawLine = lines[lineIndex] ?? "";
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
@@ -3942,10 +4379,18 @@ function parseDotenv(document) {
     if (!envVar) {
       continue;
     }
-    if (value.startsWith('"') && value.endsWith('"')) {
-      value = parseDoubleQuoted(value.slice(1, -1));
-    } else if (value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    if (value.startsWith('"') || value.startsWith("'")) {
+      const quote = value.startsWith('"') ? '"' : "'";
+      let quotedContent = value.slice(1);
+      let closingIndex = findClosingQuote(quotedContent, quote);
+      while (closingIndex === -1 && lineIndex < lines.length - 1) {
+        lineIndex += 1;
+        quotedContent = `${quotedContent}
+${lines[lineIndex] ?? ""}`;
+        closingIndex = findClosingQuote(quotedContent, quote);
+      }
+      const rawQuotedValue = closingIndex === -1 ? quotedContent : quotedContent.slice(0, closingIndex);
+      value = quote === '"' ? parseDoubleQuoted(rawQuotedValue) : rawQuotedValue;
     } else {
       value = value.replace(/\s+#.*$/, "").trim();
     }
@@ -3977,7 +4422,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises13.readFile)(filePath, "utf8");
+    return await (0, import_promises14.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }
@@ -4043,16 +4488,16 @@ function createPublicEnvExportPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemSecretsReader.ts
-var import_promises15 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 
 // ../../plugins/filesystem/src/helpers.ts
-var import_promises14 = require("fs/promises");
+var import_promises15 = require("fs/promises");
 var import_node_path15 = __toESM(require("path"), 1);
 var YAML_EXTENSIONS = /* @__PURE__ */ new Set([".yml", ".yaml"]);
 var FILESYSTEM_PLUGIN_ID = "@kitsy/cnos/plugins/filesystem";
 async function existsDirectory(targetPath) {
   try {
-    const stat2 = await (0, import_promises14.readdir)(targetPath);
+    const stat2 = await (0, import_promises15.readdir)(targetPath);
     void stat2;
     return true;
   } catch {
@@ -4060,7 +4505,7 @@ async function existsDirectory(targetPath) {
   }
 }
 async function collectYamlFiles(root) {
-  const entries = await (0, import_promises14.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises15.readdir)(root, { withFileTypes: true });
   const results = [];
   for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
     const absolutePath = import_node_path15.default.join(root, entry.name);
@@ -4162,7 +4607,7 @@ function createFilesystemSecretsPlugin() {
       );
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises15.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
         const fileEntries = filesystemSecretsReader(file.relativePath, document, file.workspaceId);
         for (const entry of fileEntries) {
           const metadata = toSecretReferenceMetadata(entry.value);
@@ -4178,7 +4623,7 @@ function createFilesystemSecretsPlugin() {
 }
 
 // ../../plugins/filesystem/src/filesystemValuesReader.ts
-var import_promises16 = require("fs/promises");
+var import_promises17 = require("fs/promises");
 function filesystemValuesReader(filePath, document, workspaceId = "default") {
   return yamlObjectToEntries(document, filePath, "value", "filesystem-values", workspaceId);
 }
@@ -4199,7 +4644,7 @@ function createFilesystemValuesPlugin() {
       ).map(([namespace]) => namespace);
       const entries = [];
       for (const file of files) {
-        const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
+        const document = await (0, import_promises17.readFile)(file.absolutePath, "utf8");
         entries.push(...filesystemValuesReader(file.relativePath, document, file.workspaceId));
       }
       for (const namespace of customNamespaces) {
@@ -4214,7 +4659,7 @@ function createFilesystemValuesPlugin() {
           layers
         );
         for (const file of namespaceFiles) {
-          const document = await (0, import_promises16.readFile)(file.absolutePath, "utf8");
+          const document = await (0, import_promises17.readFile)(file.absolutePath, "utf8");
           entries.push(...yamlObjectToEntries(document, file.relativePath, namespace, "filesystem-values", file.workspaceId));
         }
       }
@@ -4460,15 +4905,13 @@ function validateServerProjectionSecretRefs(runtime) {
     }
     const vaultId = entry.value.vault ?? "default";
     const definition = runtime.manifest.vaults[vaultId];
-    if (!definition) {
+    if (!definition && entry.value.vault) {
       throw new CnosManifestError(`Unknown vault "${vaultId}" for secret ref "${entry.key}"`);
     }
-    if (entry.value.provider !== definition.provider) {
-      throw new CnosManifestError(
-        `Secret ref "${entry.key}" declares provider "${entry.value.provider}" but vault "${vaultId}" uses provider "${definition.provider}"`
-      );
+    if (!definition && !entry.value.provider) {
+      throw new CnosManifestError(`Secret ref "${entry.key}" must declare a provider or reference a configured vault`);
     }
-    createSecretVaultProvider(vaultId, definition);
+    assertSecretRefVaultProviderCompatible(runtime.manifest, entry.value, entry.key);
   }
 }
 // Annotate the CommonJS export names for ESM import in node: