@kitsy/cnos 1.9.2 → 1.11.0

package/dist/internal.d.cts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-zDTUSVx9.cjs';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-zDTUSVx9.cjs';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProviderFactory, t as SecretVaultProvider, u as ResolvedRoot, m as NamespaceName, v as RootResolution, w as SecretReference, g as CnosRuntime, x as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-BW8SLnRx.cjs';
+export { l as RuntimeProvider, y as ValidationIssue, z as WorkspaceFile } from './core-BW8SLnRx.cjs';
 
 declare class CnosError extends Error {
     constructor(message: string);
@@ -36,7 +36,7 @@ declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, process
 declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
 declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
 
-declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
+declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>, factories?: SecretVaultProviderFactory[]): SecretVaultProvider;
 
 interface ParsedGitUri {
     uri: string;
@@ -189,6 +189,34 @@ interface CnosWatchHandle {
 }
 declare function watchSchema(options?: WatchSchemaOptions): Promise<CnosWatchHandle>;
 
+type SpecComparisonStatus = 'missing_required' | 'undeclared' | 'type_mismatch' | 'enum_mismatch' | 'pattern_mismatch' | 'default_applied' | 'deprecated_in_use';
+interface SpecComparisonIssue {
+    key: string;
+    status: SpecComparisonStatus;
+    expectedType?: string;
+    actualType?: string;
+    value?: unknown;
+    sourceFile?: string;
+    summary?: string;
+    pattern?: string;
+}
+interface SpecComparisonSummary {
+    missingRequired: number;
+    undeclared: number;
+    typeMismatch: number;
+    enumMismatch: number;
+    patternMismatch: number;
+    defaultApplied: number;
+    deprecatedInUse: number;
+}
+interface SpecComparisonReport {
+    profile: string;
+    workspace: string;
+    summary: SpecComparisonSummary;
+    issues: SpecComparisonIssue[];
+}
+declare function compareSpecToGraph(runtime: CnosRuntime): SpecComparisonReport;
+
 interface DriftIssue {
     key: string;
     expectedType?: string;
@@ -249,4 +277,4 @@ interface WatchTargetSet {
 }
 declare function watchFiles(runtime: CnosRuntime, root?: string): Promise<WatchTargetSet>;
 
-export { CNOS_GRAPH_ENV_VAR, CNOS_PROJECTION_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, DerivedValue, ParsedDerivation, type RemoteRootCacheMetadata, type ResolvedVaultDefinition, RootResolution, SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, createRemoteRootCacheKey, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, deserializeServerProjection, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getNamespaceDefinition, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isDerivedValue, isImmutableGitRef, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, normalizeDerivedValue, parseDerivation, parseGitUri, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRemoteRootCacheMetadata, readRuntimeGraphFromEnv, readServerProjectionFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCnosCacheRoot, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveRemoteRootCachePaths, resolveRootUri, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, serializeServerProjection, stringifyYaml, validateDerivedTargetNamespace, validateParsedDerivation, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeRemoteRootCacheMetadata, writeVaultSessionKey };
+export { CNOS_GRAPH_ENV_VAR, CNOS_PROJECTION_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, DerivedValue, ParsedDerivation, type RemoteRootCacheMetadata, type ResolvedVaultDefinition, RootResolution, SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, compareSpecToGraph, createRemoteRootCacheKey, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, deserializeServerProjection, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getNamespaceDefinition, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isDerivedValue, isImmutableGitRef, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, normalizeDerivedValue, parseDerivation, parseGitUri, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRemoteRootCacheMetadata, readRuntimeGraphFromEnv, readServerProjectionFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCnosCacheRoot, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveRemoteRootCachePaths, resolveRootUri, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, serializeServerProjection, stringifyYaml, validateDerivedTargetNamespace, validateParsedDerivation, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeRemoteRootCacheMetadata, writeVaultSessionKey };

package/dist/internal.d.ts

@@ -1,5 +1,5 @@
-import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProvider, t as ResolvedRoot, m as NamespaceName, u as RootResolution, v as SecretReference, g as CnosRuntime, w as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-zDTUSVx9.js';
-export { l as RuntimeProvider, x as ValidationIssue, y as WorkspaceFile } from './core-zDTUSVx9.js';
+import { j as DerivedValue, P as ParsedDerivation, N as NormalizedManifest, n as LoadManifestOptions, o as LoadedManifest, b as LogicalKey, p as NamespaceDefinition, q as VaultDefinition, r as VaultAuthConfig, s as SecretVaultProviderFactory, t as SecretVaultProvider, u as ResolvedRoot, m as NamespaceName, v as RootResolution, w as SecretReference, g as CnosRuntime, x as ValidationSummary, R as ResolvedGraph, S as ServerProjection } from './core-BW8SLnRx.js';
+export { l as RuntimeProvider, y as ValidationIssue, z as WorkspaceFile } from './core-BW8SLnRx.js';
 
 declare class CnosError extends Error {
     constructor(message: string);
@@ -36,7 +36,7 @@ declare function writeVaultSessionKey(vault: string, derivedKey: Buffer, process
 declare function clearVaultSessionKey(vault: string, processEnv?: Record<string, string | undefined>): Promise<void>;
 declare function clearAllVaultSessionKeys(processEnv?: Record<string, string | undefined>): Promise<void>;
 
-declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>): SecretVaultProvider;
+declare function createSecretVaultProvider(vaultId: string, definition: VaultDefinition, processEnv?: Record<string, string | undefined>, factories?: SecretVaultProviderFactory[]): SecretVaultProvider;
 
 interface ParsedGitUri {
     uri: string;
@@ -189,6 +189,34 @@ interface CnosWatchHandle {
 }
 declare function watchSchema(options?: WatchSchemaOptions): Promise<CnosWatchHandle>;
 
+type SpecComparisonStatus = 'missing_required' | 'undeclared' | 'type_mismatch' | 'enum_mismatch' | 'pattern_mismatch' | 'default_applied' | 'deprecated_in_use';
+interface SpecComparisonIssue {
+    key: string;
+    status: SpecComparisonStatus;
+    expectedType?: string;
+    actualType?: string;
+    value?: unknown;
+    sourceFile?: string;
+    summary?: string;
+    pattern?: string;
+}
+interface SpecComparisonSummary {
+    missingRequired: number;
+    undeclared: number;
+    typeMismatch: number;
+    enumMismatch: number;
+    patternMismatch: number;
+    defaultApplied: number;
+    deprecatedInUse: number;
+}
+interface SpecComparisonReport {
+    profile: string;
+    workspace: string;
+    summary: SpecComparisonSummary;
+    issues: SpecComparisonIssue[];
+}
+declare function compareSpecToGraph(runtime: CnosRuntime): SpecComparisonReport;
+
 interface DriftIssue {
     key: string;
     expectedType?: string;
@@ -249,4 +277,4 @@ interface WatchTargetSet {
 }
 declare function watchFiles(runtime: CnosRuntime, root?: string): Promise<WatchTargetSet>;
 
-export { CNOS_GRAPH_ENV_VAR, CNOS_PROJECTION_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, DerivedValue, ParsedDerivation, type RemoteRootCacheMetadata, type ResolvedVaultDefinition, RootResolution, SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, createRemoteRootCacheKey, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, deserializeServerProjection, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getNamespaceDefinition, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isDerivedValue, isImmutableGitRef, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, normalizeDerivedValue, parseDerivation, parseGitUri, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRemoteRootCacheMetadata, readRuntimeGraphFromEnv, readServerProjectionFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCnosCacheRoot, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveRemoteRootCachePaths, resolveRootUri, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, serializeServerProjection, stringifyYaml, validateDerivedTargetNamespace, validateParsedDerivation, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeRemoteRootCacheMetadata, writeVaultSessionKey };
+export { CNOS_GRAPH_ENV_VAR, CNOS_PROJECTION_ENV_VAR, CNOS_SECRET_PAYLOAD_ENV_VAR, CNOS_SESSION_KEY_ENV_VAR, CnosAuthenticationError, CnosSecurityError, DerivedValue, ParsedDerivation, type RemoteRootCacheMetadata, type ResolvedVaultDefinition, RootResolution, SecretReference, ValidationSummary, VaultDefinition, applyManifestMappings, clearAllVaultSessionKeys, clearVaultSessionKey, compareSchemaToGraph, compareSpecToGraph, createRemoteRootCacheKey, createSecretVault, createSecretVaultProvider, deleteLocalSecret, deriveVaultKey, deserializeRuntimeGraph, deserializeServerProjection, detectLegacyVaultFormat, diffGraphs, ensureProjectionAllowed, flattenObject, formatDriftReport, generateCodegenContent, getNamespaceDefinition, getVaultPassphraseEnvVar, getVaultSessionKeyEnvVar, graphRequiresSecretHydration, isDerivedValue, isImmutableGitRef, isPassphraseEnvRef, isSecretReference, listLocalSecrets, listSecretVaults, loadManifest, normalizeDerivedValue, parseDerivation, parseGitUri, parseYaml, proposeMapping, readKeychain, readLocalSecret, readRemoteRootCacheMetadata, readRuntimeGraphFromEnv, readServerProjectionFromEnv, readVaultMetadata, removeLocalVaultFiles, resolveCnosCacheRoot, resolveCodegenPaths, resolveConfigDocumentPath, resolveConfiguredVaultPassphrase, resolveManifestRoot, resolveRemoteRootCachePaths, resolveRootUri, resolveSecretPassphrase, resolveSecretStoreRoot, resolveSecretVaultFile, resolveVaultAccessKey, resolveVaultAuth, resolveVaultDefinition, rewriteSourceFiles, scanEnvUsage, serializeRuntimeGraph, serializeSecretPayload, serializeServerProjection, stringifyYaml, validateDerivedTargetNamespace, validateParsedDerivation, validateRuntime, watchFiles, watchSchema, writeCodegenOutput, writeKeychain, writeLocalSecret, writeRemoteRootCacheMetadata, writeVaultSessionKey };

package/dist/internal.js

@@ -11,7 +11,7 @@ import {
   serializeRuntimeGraph,
   serializeSecretPayload,
   serializeServerProjection
-} from "./chunk-NVFACB64.js";
+} from "./chunk-T3E57MSQ.js";
 import {
   CnosAuthenticationError,
   CnosSecurityError,
@@ -64,7 +64,7 @@ import {
   writeLocalSecret,
   writeRemoteRootCacheMetadata,
   writeVaultSessionKey
-} from "./chunk-7KVM5PUW.js";
+} from "./chunk-WPB4HB2K.js";
 
 // src/codegen/generateTypes.ts
 function toPascalCase(value) {
@@ -269,7 +269,7 @@ async function watchSchema(options = {}) {
   return watcher;
 }
 
-// src/drift/compareSchemaToGraph.ts
+// src/spec/compareSpecToGraph.ts
 function describeValueType(value) {
   if (Array.isArray(value)) {
     return "array";
@@ -292,6 +292,17 @@ function matchesType(value, type) {
       return typeof value === type;
   }
 }
+function enumMatches(value, allowed) {
+  const serialized = JSON.stringify(value);
+  return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
+}
+function matchesPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function isSchemaDefault(entry) {
   return entry.winner.metadata?.schemaDefault === true;
 }
@@ -301,34 +312,53 @@ function shouldTrackKey(key) {
 function isTransientRuntimeSource(entry) {
   return entry.winner.sourceId === "process-env" || entry.winner.sourceId === "cli-args";
 }
-function compareSchemaToGraph(runtime) {
+function buildSummary(issues) {
+  return {
+    missingRequired: issues.filter((issue) => issue.status === "missing_required").length,
+    undeclared: issues.filter((issue) => issue.status === "undeclared").length,
+    typeMismatch: issues.filter((issue) => issue.status === "type_mismatch").length,
+    enumMismatch: issues.filter((issue) => issue.status === "enum_mismatch").length,
+    patternMismatch: issues.filter((issue) => issue.status === "pattern_mismatch").length,
+    defaultApplied: issues.filter((issue) => issue.status === "default_applied").length,
+    deprecatedInUse: issues.filter((issue) => issue.status === "deprecated_in_use").length
+  };
+}
+function compareSpecToGraph(runtime) {
   const schema = runtime.manifest.schema;
-  const missing = [];
-  const mismatches = [];
-  const defaultsApplied = [];
+  const issues = [];
   for (const [key, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
     const entry = runtime.graph.entries.get(key);
+    const summary = rule.summary;
     if (!entry) {
       if (rule.required && rule.default === void 0) {
-        missing.push({
+        issues.push({
           key,
+          status: "missing_required",
           ...rule.type ? {
             expectedType: rule.type
+          } : {},
+          ...summary ? {
+            summary
           } : {}
         });
       }
       continue;
     }
     if (isSchemaDefault(entry)) {
-      defaultsApplied.push({
+      issues.push({
         key,
-        value: entry.value
+        status: "default_applied",
+        value: entry.value,
+        ...summary ? {
+          summary
+        } : {}
       });
     }
     const actualValue = entry.winner.value;
     if (!matchesType(actualValue, rule.type)) {
-      mismatches.push({
+      issues.push({
         key,
+        status: "type_mismatch",
         ...rule.type ? {
           expectedType: rule.type
         } : {},
@@ -336,26 +366,113 @@ function compareSchemaToGraph(runtime) {
         value: actualValue,
         ...entry.winner.origin?.file ? {
           sourceFile: entry.winner.origin.file
+        } : {},
+        ...summary ? {
+          summary
+        } : {}
+      });
+    }
+    if (rule.enum && !enumMatches(actualValue, rule.enum)) {
+      issues.push({
+        key,
+        status: "enum_mismatch",
+        value: actualValue,
+        ...summary ? {
+          summary
+        } : {}
+      });
+    }
+    if (rule.pattern) {
+      if (typeof actualValue !== "string" || !matchesPattern(rule.pattern, actualValue)) {
+        issues.push({
+          key,
+          status: "pattern_mismatch",
+          value: actualValue,
+          pattern: rule.pattern,
+          ...summary ? {
+            summary
+          } : {}
+        });
+      }
+    }
+    if (rule.deprecated) {
+      issues.push({
+        key,
+        status: "deprecated_in_use",
+        value: actualValue,
+        ...summary ? {
+          summary
         } : {}
       });
     }
   }
-  const undeclared = Array.from(runtime.graph.entries.values()).filter(
+  const undeclaredIssues = Array.from(runtime.graph.entries.values()).filter(
     (entry) => shouldTrackKey(entry.key) && !schema[entry.key] && !isSchemaDefault(entry) && !isTransientRuntimeSource(entry)
-  ).map((entry) => {
-    const issue = {
-      key: entry.key,
-      value: entry.winner.value,
-      actualType: describeValueType(entry.winner.value)
-    };
-    if (entry.winner.origin?.file) {
-      issue.sourceFile = entry.winner.origin.file;
-    }
-    return issue;
-  }).sort((left, right) => left.key.localeCompare(right.key));
+  ).map((entry) => ({
+    key: entry.key,
+    status: "undeclared",
+    value: entry.winner.value,
+    actualType: describeValueType(entry.winner.value),
+    ...entry.winner.origin?.file ? {
+      sourceFile: entry.winner.origin.file
+    } : {}
+  })).sort((left, right) => left.key.localeCompare(right.key));
+  const allIssues = [...issues, ...undeclaredIssues].sort((left, right) => left.key.localeCompare(right.key));
   return {
     profile: runtime.graph.profile,
     workspace: runtime.graph.workspace.workspaceId,
+    summary: buildSummary(allIssues),
+    issues: allIssues
+  };
+}
+
+// src/drift/compareSchemaToGraph.ts
+function compareSchemaToGraph(runtime) {
+  const report = compareSpecToGraph(runtime);
+  const missing = report.issues.filter((issue) => issue.status === "missing_required").map(
+    (issue) => ({
+      key: issue.key,
+      ...issue.expectedType ? {
+        expectedType: issue.expectedType
+      } : {}
+    })
+  );
+  const undeclared = report.issues.filter((issue) => issue.status === "undeclared").map(
+    (issue) => ({
+      key: issue.key,
+      value: issue.value,
+      ...issue.actualType ? {
+        actualType: issue.actualType
+      } : {},
+      ...issue.sourceFile ? {
+        sourceFile: issue.sourceFile
+      } : {}
+    })
+  );
+  const mismatches = report.issues.filter((issue) => issue.status === "type_mismatch").map(
+    (issue) => ({
+      key: issue.key,
+      ...issue.expectedType ? {
+        expectedType: issue.expectedType
+      } : {},
+      ...issue.actualType ? {
+        actualType: issue.actualType
+      } : {},
+      value: issue.value,
+      ...issue.sourceFile ? {
+        sourceFile: issue.sourceFile
+      } : {}
+    })
+  );
+  const defaultsApplied = report.issues.filter((issue) => issue.status === "default_applied").map(
+    (issue) => ({
+      key: issue.key,
+      value: issue.value
+    })
+  );
+  return {
+    profile: report.profile,
+    workspace: report.workspace,
     missing,
     undeclared,
     mismatches,
@@ -666,6 +783,7 @@ export {
   clearAllVaultSessionKeys,
   clearVaultSessionKey,
   compareSchemaToGraph,
+  compareSpecToGraph,
   createRemoteRootCacheKey,
   createSecretVault,
   createSecretVaultProvider,

package/dist/plugin/basic-schema.cjs

@@ -165,6 +165,13 @@ function enumMatches(value, allowed) {
   const serialized = JSON.stringify(value);
   return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
 }
+function testPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function applySchemaRules(graph, schema) {
   const nextEntries = new Map(graph.entries);
   const issues = [];
@@ -231,11 +238,11 @@ function applySchemaRules(graph, schema) {
           key,
           message: `Config key ${key} must be a string to match pattern ${rule.pattern}`
         });
-      } else if (!new RegExp(rule.pattern).test(coercedValue)) {
+      } else if (!testPattern(rule.pattern, coercedValue)) {
         issues.push({
           code: "schema.pattern",
           key,
-          message: `Config key ${key} does not match pattern ${rule.pattern}`
+          message: `Config key ${key} does not match pattern ${rule.pattern} (or the pattern is invalid).`
         });
       }
     }
@@ -263,6 +270,9 @@ var import_node_path11 = __toESM(require("path"), 1);
 var import_promises9 = require("fs/promises");
 var import_node_path10 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -271,7 +281,7 @@ var import_node_stream = require("stream");
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../plugins/basic-schema/src/index.ts

package/dist/plugin/basic-schema.d.cts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-zDTUSVx9.cjs';
+import { V as ValidatorPlugin } from '../core-BW8SLnRx.cjs';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.d.ts

@@ -1,4 +1,4 @@
-import { V as ValidatorPlugin } from '../core-zDTUSVx9.js';
+import { V as ValidatorPlugin } from '../core-BW8SLnRx.js';
 
 declare function createBasicSchemaPlugin(): ValidatorPlugin;
 

package/dist/plugin/basic-schema.js

@@ -1,7 +1,7 @@
 import {
   createBasicSchemaPlugin
-} from "../chunk-6QQPHDUI.js";
-import "../chunk-7KVM5PUW.js";
+} from "../chunk-2DMCB3PK.js";
+import "../chunk-WPB4HB2K.js";
 export {
   createBasicSchemaPlugin
 };

package/dist/plugin/cli-args.cjs

@@ -112,6 +112,9 @@ var import_node_path11 = __toESM(require("path"), 1);
 var import_promises9 = require("fs/promises");
 var import_node_path10 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -120,7 +123,7 @@ var import_node_stream = require("stream");
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../plugins/cli-args/src/index.ts

package/dist/plugin/cli-args.d.cts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-zDTUSVx9.cjs';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-BW8SLnRx.cjs';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.d.ts

@@ -1,4 +1,4 @@
-import { a as ConfigEntry, L as LoaderPlugin } from '../core-zDTUSVx9.js';
+import { a as ConfigEntry, L as LoaderPlugin } from '../core-BW8SLnRx.js';
 
 interface ParsedCliArg {
     key: string;

package/dist/plugin/cli-args.js

@@ -2,8 +2,8 @@ import {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,
   parseCliArgs
-} from "../chunk-7JZO6XN3.js";
-import "../chunk-7KVM5PUW.js";
+} from "../chunk-KJ57PF47.js";
+import "../chunk-WPB4HB2K.js";
 export {
   cliArgEntriesFromArgs,
   createCliArgsPlugin,

package/dist/plugin/dotenv.cjs

@@ -37,7 +37,7 @@ __export(dotenv_exports, {
 module.exports = __toCommonJS(dotenv_exports);
 
 // ../../plugins/dotenv/src/index.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 
 // ../core/src/keychain/linux.ts
@@ -138,6 +138,9 @@ var import_node_path11 = __toESM(require("path"), 1);
 var import_promises9 = require("fs/promises");
 var import_node_path10 = __toESM(require("path"), 1);
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -146,7 +149,7 @@ var import_node_stream = require("stream");
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
@@ -186,9 +189,30 @@ var DOTENV_PLUGIN_ID = "@kitsy/cnos/plugins/dotenv";
 function parseDoubleQuoted(value) {
   return value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
 }
+function isEscapedCharacter(value, index) {
+  let slashCount = 0;
+  for (let cursor = index - 1; cursor >= 0 && value[cursor] === "\\"; cursor -= 1) {
+    slashCount += 1;
+  }
+  return slashCount % 2 === 1;
+}
+function findClosingQuote(value, quote) {
+  for (let index = 0; index < value.length; index += 1) {
+    if (value[index] !== quote) {
+      continue;
+    }
+    if (quote === '"' && isEscapedCharacter(value, index)) {
+      continue;
+    }
+    return index;
+  }
+  return -1;
+}
 function parseDotenv(document) {
   const parsed = {};
-  for (const rawLine of document.split(/\r?\n/)) {
+  const lines = document.split(/\r?\n/);
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+    const rawLine = lines[lineIndex] ?? "";
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
@@ -203,10 +227,18 @@ function parseDotenv(document) {
     if (!envVar) {
       continue;
     }
-    if (value.startsWith('"') && value.endsWith('"')) {
-      value = parseDoubleQuoted(value.slice(1, -1));
-    } else if (value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    if (value.startsWith('"') || value.startsWith("'")) {
+      const quote = value.startsWith('"') ? '"' : "'";
+      let quotedContent = value.slice(1);
+      let closingIndex = findClosingQuote(quotedContent, quote);
+      while (closingIndex === -1 && lineIndex < lines.length - 1) {
+        lineIndex += 1;
+        quotedContent = `${quotedContent}
+${lines[lineIndex] ?? ""}`;
+        closingIndex = findClosingQuote(quotedContent, quote);
+      }
+      const rawQuotedValue = closingIndex === -1 ? quotedContent : quotedContent.slice(0, closingIndex);
+      value = quote === '"' ? parseDoubleQuoted(rawQuotedValue) : rawQuotedValue;
     } else {
       value = value.replace(/\s+#.*$/, "").trim();
     }
@@ -238,7 +270,7 @@ function dotenvEntriesFromObject(values, mapping = {}, originFile, workspaceId =
 }
 async function readIfPresent(filePath) {
   try {
-    return await (0, import_promises13.readFile)(filePath, "utf8");
+    return await (0, import_promises14.readFile)(filePath, "utf8");
   } catch {
     return void 0;
   }

package/dist/plugin/dotenv.d.cts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.cjs';
-import { E as EnvMappingConfig } from '../envNaming-EFzezmB3.cjs';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-BW8SLnRx.cjs';
+import { E as EnvMappingConfig } from '../envNaming-1rk7BR0e.cjs';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.d.ts

@@ -1,5 +1,5 @@
-import { L as LoaderPlugin, a as ConfigEntry } from '../core-zDTUSVx9.js';
-import { E as EnvMappingConfig } from '../envNaming-BkorOKW_.js';
+import { L as LoaderPlugin, a as ConfigEntry } from '../core-BW8SLnRx.js';
+import { E as EnvMappingConfig } from '../envNaming-CjL28IeH.js';
 
 declare function parseDotenv(document: string): Record<string, string>;
 declare function dotenvEntriesFromObject(values: Record<string, string>, mapping?: EnvMappingConfig, originFile?: string, workspaceId?: string): ConfigEntry[];

package/dist/plugin/dotenv.js

@@ -2,8 +2,8 @@ import {
   createDotenvPlugin,
   dotenvEntriesFromObject,
   parseDotenv
-} from "../chunk-2JBA2LXU.js";
-import "../chunk-7KVM5PUW.js";
+} from "../chunk-DPC2BV3S.js";
+import "../chunk-WPB4HB2K.js";
 export {
   createDotenvPlugin,
   dotenvEntriesFromObject,

package/dist/plugin/env-export.cjs

@@ -150,9 +150,12 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -263,7 +266,7 @@ function toPublicEnv(graph, manifest, options = {}, helpers = {}) {
 }
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../plugins/env-export/src/index.ts

package/dist/plugin/env-export.d.cts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-zDTUSVx9.cjs';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-Ds1DRwCX.cjs';
+import { E as ExporterPlugin } from '../core-BW8SLnRx.cjs';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CZzpvhGg.cjs';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;

package/dist/plugin/env-export.d.ts

@@ -1,5 +1,5 @@
-import { E as ExporterPlugin } from '../core-zDTUSVx9.js';
-export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CT265rzS.js';
+import { E as ExporterPlugin } from '../core-BW8SLnRx.js';
+export { t as toEnv, a as toPublicEnv } from '../toPublicEnv-CmydGcxg.js';
 
 declare function createEnvExportPlugin(): ExporterPlugin;
 declare function createPublicEnvExportPlugin(): ExporterPlugin;