@kitsy/cnos 1.9.2 → 1.11.0

package/dist/internal.cjs

@@ -40,6 +40,7 @@ __export(internal_exports, {
   clearAllVaultSessionKeys: () => clearAllVaultSessionKeys,
   clearVaultSessionKey: () => clearVaultSessionKey,
   compareSchemaToGraph: () => compareSchemaToGraph,
+  compareSpecToGraph: () => compareSpecToGraph,
   createRemoteRootCacheKey: () => createRemoteRootCacheKey,
   createSecretVault: () => createSecretVault,
   createSecretVaultProvider: () => createSecretVaultProvider,
@@ -1033,6 +1034,134 @@ function resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile
   return import_node_path5.default.resolve(namespaceRoot, fileName);
 }
 
+// ../core/src/spec/normalizeSpecRule.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["string", "number", "boolean", "object", "array"]);
+var SECRET_FORBIDDEN_FIELDS = ["default", "examples", "enum"];
+function hasOwn(target, key) {
+  return Object.prototype.hasOwnProperty.call(target, key);
+}
+function normalizeOptionalString(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be a string.`);
+  }
+  const nextValue = value.trim();
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeStringArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  const nextValue = value.map((entry) => {
+    if (typeof entry !== "string") {
+      throw new CnosManifestError(
+        `Invalid schema rule for ${logicalKey}: "${fieldName}" entries must be strings.`
+      );
+    }
+    return entry.trim();
+  }).filter(Boolean);
+  return nextValue.length > 0 ? nextValue : void 0;
+}
+function normalizeUnknownArray(value, fieldName, logicalKey) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (!Array.isArray(value)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "${fieldName}" must be an array.`);
+  }
+  return value.length > 0 ? value : void 0;
+}
+function assertValidPatternRegex(pattern, logicalKey) {
+  try {
+    void new RegExp(pattern);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new CnosManifestError(
+      `Invalid schema rule for ${logicalKey}: "pattern" must be a valid regex (${reason}).`
+    );
+  }
+}
+function assertSecretRuleSafety(logicalKey, rule) {
+  if (!logicalKey.startsWith("secret.")) {
+    return;
+  }
+  const offendingFields = SECRET_FORBIDDEN_FIELDS.filter((field) => hasOwn(rule, field));
+  if (offendingFields.length === 0) {
+    return;
+  }
+  throw new CnosManifestError(
+    `Invalid schema rule for ${logicalKey}: secret specs cannot include ${offendingFields.join(", ")}. Store secret values in the vault, not schema metadata. Remove ${offendingFields.map((field) => `schema.${logicalKey}.${field}`).join(", ")} to continue.`
+  );
+}
+function normalizeSpecRule(logicalKey, rule) {
+  if (!rule || typeof rule !== "object" || Array.isArray(rule)) {
+    throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: expected an object.`);
+  }
+  const candidate = rule;
+  assertSecretRuleSafety(logicalKey, candidate);
+  const normalized = {};
+  if (candidate.type !== void 0) {
+    if (typeof candidate.type !== "string" || !ALLOWED_TYPES.has(candidate.type)) {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: unsupported type "${String(candidate.type)}".`);
+    }
+    normalized.type = candidate.type;
+  }
+  if (candidate.required !== void 0) {
+    if (typeof candidate.required !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "required" must be a boolean.`);
+    }
+    normalized.required = candidate.required;
+  }
+  if (hasOwn(candidate, "default")) {
+    normalized.default = candidate.default;
+  }
+  const normalizedEnum = normalizeUnknownArray(candidate.enum, "enum", logicalKey);
+  if (normalizedEnum !== void 0) {
+    normalized.enum = normalizedEnum;
+  }
+  const normalizedPattern = normalizeOptionalString(candidate.pattern, "pattern", logicalKey);
+  if (normalizedPattern !== void 0) {
+    assertValidPatternRegex(normalizedPattern, logicalKey);
+    normalized.pattern = normalizedPattern;
+  }
+  const normalizedSummary = normalizeOptionalString(candidate.summary, "summary", logicalKey);
+  if (normalizedSummary !== void 0) {
+    normalized.summary = normalizedSummary;
+  }
+  const normalizedDescription = normalizeOptionalString(candidate.description, "description", logicalKey);
+  if (normalizedDescription !== void 0) {
+    normalized.description = normalizedDescription;
+  }
+  const normalizedExamples = normalizeUnknownArray(candidate.examples, "examples", logicalKey);
+  if (normalizedExamples !== void 0) {
+    normalized.examples = normalizedExamples;
+  }
+  const normalizedUsedBy = normalizeStringArray(candidate.usedBy, "usedBy", logicalKey);
+  if (normalizedUsedBy !== void 0) {
+    normalized.usedBy = normalizedUsedBy;
+  }
+  if (candidate.deprecated !== void 0) {
+    if (typeof candidate.deprecated !== "boolean") {
+      throw new CnosManifestError(`Invalid schema rule for ${logicalKey}: "deprecated" must be a boolean.`);
+    }
+    normalized.deprecated = candidate.deprecated;
+  }
+  const normalizedDeprecationMessage = normalizeOptionalString(
+    candidate.deprecationMessage,
+    "deprecationMessage",
+    logicalKey
+  );
+  if (normalizedDeprecationMessage !== void 0) {
+    normalized.deprecationMessage = normalizedDeprecationMessage;
+  }
+  return normalized;
+}
+
 // ../core/src/manifest/normalizeManifest.ts
 var DEFAULT_RESOLVE_FROM = ["cli.profile", "env.CNOS_PROFILE", "default"];
 var DEFAULT_LOADERS = [
@@ -1166,11 +1295,19 @@ function normalizeVaults(vaults) {
         throw new CnosManifestError(`Vault "${name}" requires a provider`);
       }
       const normalizedAuth = normalizeVaultAuth(name, provider, definition.auth);
-      const normalizedMapping = Object.fromEntries(
-        Object.entries(definition.mapping ?? {}).filter(
-          (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
-        ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
-      );
+      const normalizedMapping = normalizeVaultMapping(definition.mapping);
+      const fallback = (definition.fallback ?? []).map((entry, index) => {
+        const fallbackProvider = entry.provider?.trim();
+        if (!fallbackProvider) {
+          throw new CnosManifestError(`Vault "${name}" fallback ${index + 1} requires a provider`);
+        }
+        const fallbackMapping = normalizeVaultMapping(entry.mapping);
+        return {
+          provider: fallbackProvider,
+          auth: normalizeVaultAuth(name, fallbackProvider, entry.auth),
+          ...Object.keys(fallbackMapping).length > 0 ? { mapping: fallbackMapping } : {}
+        };
+      });
       return [
         name,
         {
@@ -1178,12 +1315,20 @@ function normalizeVaults(vaults) {
           auth: normalizedAuth,
           ...Object.keys(normalizedMapping).length > 0 ? {
             mapping: normalizedMapping
-          } : {}
+          } : {},
+          ...fallback.length > 0 ? { fallback } : {}
         }
       ];
     })
   );
 }
+function normalizeVaultMapping(mapping) {
+  return Object.fromEntries(
+    Object.entries(mapping ?? {}).filter(
+      (entry) => typeof entry[0] === "string" && typeof entry[1] === "string"
+    ).map(([envVar, logicalRef]) => [envVar.trim(), logicalRef.trim()]).filter(([envVar, logicalRef]) => envVar.length > 0 && logicalRef.length > 0)
+  );
+}
 function normalizeAuthSources(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return void 0;
@@ -1231,6 +1376,14 @@ function normalizeVaultAuth(vaultName, provider, auth) {
     ...auth?.config ? { config: auth.config } : {}
   };
 }
+function normalizeSchema(schema) {
+  return Object.fromEntries(
+    Object.entries(schema ?? {}).map(([logicalKey, rule]) => [
+      logicalKey,
+      normalizeSpecRule(logicalKey, rule)
+    ])
+  );
+}
 function normalizeManifest(manifest) {
   const version = manifest.version ?? 1;
   if (version !== 1) {
@@ -1328,7 +1481,7 @@ function normalizeManifest(manifest) {
         }
       }
     },
-    schema: manifest.schema ?? {}
+    schema: normalizeSchema(manifest.schema)
   };
 }
 
@@ -1499,7 +1652,7 @@ function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function isSecretReference(value) {
-  return isObject(value) && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
+  return isObject(value) && (value.provider === void 0 || typeof value.provider === "string" && value.provider.trim().length > 0) && typeof value.ref === "string" && value.ref.trim().length > 0 && (value.vault === void 0 && true || typeof value.vault === "string" && value.vault.trim().length > 0) && Object.keys(value).every((key) => ["provider", "ref", "vault"].includes(key));
 }
 function resolveSecretStoreRoot(processEnv = process.env) {
   return import_node_path11.default.resolve(expandHomePath(processEnv.CNOS_SECRET_HOME ?? "~/.cnos/secrets"));
@@ -1836,16 +1989,19 @@ async function removeLocalVaultFiles(storeRoot, vault = "default") {
 // ../core/src/secrets/auditLog.ts
 async function appendAuditEvent(event, processEnv = process.env) {
   const auditFile = processEnv.CNOS_AUDIT_FILE ?? import_node_path12.default.join(resolveSecretStoreRoot(processEnv), "audit", "access.log");
-  await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
-  await (0, import_promises11.appendFile)(
-    auditFile,
-    `${JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      ...event
-    })}
+  try {
+    await (0, import_promises11.mkdir)(import_node_path12.default.dirname(auditFile), { recursive: true });
+    await (0, import_promises11.appendFile)(
+      auditFile,
+      `${JSON.stringify({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        ...event
+      })}
 `,
-    "utf8"
-  );
+      "utf8"
+    );
+  } catch {
+  }
 }
 
 // ../core/src/secrets/providers/environment.ts
@@ -1998,7 +2154,7 @@ var LocalSecretVaultProvider = class _LocalSecretVaultProvider {
 };
 
 // ../core/src/secrets/providers/registry.ts
-function createSecretVaultProvider(vaultId, definition, processEnv) {
+function createSecretVaultProvider(vaultId, definition, processEnv, factories = []) {
   if (definition.provider === "local") {
     return new LocalSecretVaultProvider(vaultId, definition, processEnv);
   }
@@ -2008,9 +2164,16 @@ function createSecretVaultProvider(vaultId, definition, processEnv) {
   if (definition.provider === "github-secrets") {
     return new GithubSecretsVaultProvider(vaultId, definition, processEnv);
   }
+  const factory = factories.find((candidate) => candidate.provider === definition.provider);
+  if (factory) {
+    return factory.create(vaultId, definition, processEnv);
+  }
   throw new CnosManifestError(`Unsupported vault provider: ${definition.provider}`);
 }
 
+// ../core/src/secrets/resolveAuth.ts
+var import_promises12 = require("fs/promises");
+
 // ../core/src/secrets/prompt.ts
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_stream = require("stream");
@@ -2051,6 +2214,23 @@ function toAuthError(vaultId, sources) {
     `Cannot authenticate to vault "${vaultId}". Tried: ${sources.join(", ")}. Set ${getVaultPassphraseEnvVar(vaultId)} or run cnos vault auth ${vaultId}.`
   );
 }
+async function resolveTokenFromSource(source, processEnv) {
+  if (source.startsWith("env:")) {
+    return processEnv[source.slice(4)] || void 0;
+  }
+  if (source.startsWith("file:")) {
+    try {
+      const value = await (0, import_promises12.readFile)(expandHomePath(source.slice("file:".length)), "utf8");
+      return value.trim() || void 0;
+    } catch {
+      return void 0;
+    }
+  }
+  if (source.startsWith("keychain:")) {
+    return readKeychain(source.slice("keychain:".length));
+  }
+  return void 0;
+}
 async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
   const sessionKey = await resolveVaultSessionKey(vaultId, processEnv);
   if (sessionKey) {
@@ -2066,6 +2246,32 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
       ...definition.auth?.config ? { config: definition.auth.config } : {}
     };
   }
+  if (definition.auth?.method === "iam") {
+    return {
+      method: "iam",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  if (definition.auth?.method === "environment") {
+    return {
+      method: "environment",
+      ...definition.auth?.config ? { config: definition.auth.config } : {}
+    };
+  }
+  const tokenSources = definition.auth?.token?.from ?? [];
+  for (const source of tokenSources) {
+    const token = await resolveTokenFromSource(source, processEnv);
+    if (token) {
+      return {
+        token,
+        method: "token",
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      };
+    }
+  }
+  if (definition.auth?.method === "token") {
+    throw toAuthError(vaultId, [getVaultSessionKeyEnvVar(vaultId), ...tokenSources]);
+  }
   const sources = definition.auth?.passphrase?.from ?? [getVaultPassphraseEnvVar(vaultId)];
   for (const source of sources) {
     if (source.startsWith("env:")) {
@@ -2114,7 +2320,7 @@ async function resolveVaultAuth(vaultId, definition, processEnv = process.env) {
 var import_node_crypto3 = require("crypto");
 
 // ../core/src/runtime/dump.ts
-var import_promises12 = require("fs/promises");
+var import_promises13 = require("fs/promises");
 var import_node_path13 = __toESM(require("path"), 1);
 
 // ../core/src/utils/envNaming.ts
@@ -2516,7 +2722,7 @@ function generateCodegenContent(manifest, sourcePath, typeModuleImport = "./cnos
 }
 
 // src/codegen/writeOutput.ts
-var import_promises13 = require("fs/promises");
+var import_promises14 = require("fs/promises");
 var import_node_path14 = __toESM(require("path"), 1);
 function stripTsExtension(filePath) {
   return filePath.replace(/(\.d)?\.[cm]?tsx?$/i, "").replace(/\.[cm]?jsx?$/i, "");
@@ -2536,10 +2742,10 @@ async function writeCodegenOutput(options = {}) {
   const outputRoot = loadedManifest.rootResolution.remote ? loadedManifest.consumerRoot : loadedManifest.repoRoot;
   const paths = resolveCodegenPaths(outputRoot, options.out);
   const generated = generateCodegenContent(loadedManifest.manifest, loadedManifest.manifestPath, paths.typeImportPath);
-  await (0, import_promises13.mkdir)(import_node_path14.default.dirname(paths.typesPath), { recursive: true });
-  await (0, import_promises13.mkdir)(import_node_path14.default.dirname(paths.runtimePath), { recursive: true });
-  await (0, import_promises13.writeFile)(paths.typesPath, generated.typesContent, "utf8");
-  await (0, import_promises13.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
+  await (0, import_promises14.mkdir)(import_node_path14.default.dirname(paths.typesPath), { recursive: true });
+  await (0, import_promises14.mkdir)(import_node_path14.default.dirname(paths.runtimePath), { recursive: true });
+  await (0, import_promises14.writeFile)(paths.typesPath, generated.typesContent, "utf8");
+  await (0, import_promises14.writeFile)(paths.runtimePath, generated.runtimeContent, "utf8");
   return {
     manifestPath: loadedManifest.manifestPath,
     typesPath: paths.typesPath,
@@ -2580,7 +2786,7 @@ async function watchSchema(options = {}) {
   return watcher;
 }
 
-// src/drift/compareSchemaToGraph.ts
+// src/spec/compareSpecToGraph.ts
 function describeValueType(value) {
   if (Array.isArray(value)) {
     return "array";
@@ -2603,6 +2809,17 @@ function matchesType(value, type) {
       return typeof value === type;
   }
 }
+function enumMatches(value, allowed) {
+  const serialized = JSON.stringify(value);
+  return allowed.some((candidate) => JSON.stringify(candidate) === serialized);
+}
+function matchesPattern(pattern, value) {
+  try {
+    return new RegExp(pattern).test(value);
+  } catch {
+    return false;
+  }
+}
 function isSchemaDefault(entry) {
   return entry.winner.metadata?.schemaDefault === true;
 }
@@ -2612,34 +2829,53 @@ function shouldTrackKey(key) {
 function isTransientRuntimeSource(entry) {
   return entry.winner.sourceId === "process-env" || entry.winner.sourceId === "cli-args";
 }
-function compareSchemaToGraph(runtime) {
+function buildSummary(issues) {
+  return {
+    missingRequired: issues.filter((issue) => issue.status === "missing_required").length,
+    undeclared: issues.filter((issue) => issue.status === "undeclared").length,
+    typeMismatch: issues.filter((issue) => issue.status === "type_mismatch").length,
+    enumMismatch: issues.filter((issue) => issue.status === "enum_mismatch").length,
+    patternMismatch: issues.filter((issue) => issue.status === "pattern_mismatch").length,
+    defaultApplied: issues.filter((issue) => issue.status === "default_applied").length,
+    deprecatedInUse: issues.filter((issue) => issue.status === "deprecated_in_use").length
+  };
+}
+function compareSpecToGraph(runtime) {
   const schema = runtime.manifest.schema;
-  const missing = [];
-  const mismatches = [];
-  const defaultsApplied = [];
+  const issues = [];
   for (const [key, rule] of Object.entries(schema).sort(([left], [right]) => left.localeCompare(right))) {
     const entry = runtime.graph.entries.get(key);
+    const summary = rule.summary;
     if (!entry) {
       if (rule.required && rule.default === void 0) {
-        missing.push({
+        issues.push({
           key,
+          status: "missing_required",
           ...rule.type ? {
             expectedType: rule.type
+          } : {},
+          ...summary ? {
+            summary
           } : {}
         });
       }
       continue;
     }
     if (isSchemaDefault(entry)) {
-      defaultsApplied.push({
+      issues.push({
         key,
-        value: entry.value
+        status: "default_applied",
+        value: entry.value,
+        ...summary ? {
+          summary
+        } : {}
       });
     }
     const actualValue = entry.winner.value;
     if (!matchesType(actualValue, rule.type)) {
-      mismatches.push({
+      issues.push({
         key,
+        status: "type_mismatch",
         ...rule.type ? {
           expectedType: rule.type
         } : {},
@@ -2647,26 +2883,113 @@ function compareSchemaToGraph(runtime) {
         value: actualValue,
         ...entry.winner.origin?.file ? {
           sourceFile: entry.winner.origin.file
+        } : {},
+        ...summary ? {
+          summary
+        } : {}
+      });
+    }
+    if (rule.enum && !enumMatches(actualValue, rule.enum)) {
+      issues.push({
+        key,
+        status: "enum_mismatch",
+        value: actualValue,
+        ...summary ? {
+          summary
+        } : {}
+      });
+    }
+    if (rule.pattern) {
+      if (typeof actualValue !== "string" || !matchesPattern(rule.pattern, actualValue)) {
+        issues.push({
+          key,
+          status: "pattern_mismatch",
+          value: actualValue,
+          pattern: rule.pattern,
+          ...summary ? {
+            summary
+          } : {}
+        });
+      }
+    }
+    if (rule.deprecated) {
+      issues.push({
+        key,
+        status: "deprecated_in_use",
+        value: actualValue,
+        ...summary ? {
+          summary
         } : {}
       });
     }
   }
-  const undeclared = Array.from(runtime.graph.entries.values()).filter(
+  const undeclaredIssues = Array.from(runtime.graph.entries.values()).filter(
     (entry) => shouldTrackKey(entry.key) && !schema[entry.key] && !isSchemaDefault(entry) && !isTransientRuntimeSource(entry)
-  ).map((entry) => {
-    const issue = {
-      key: entry.key,
-      value: entry.winner.value,
-      actualType: describeValueType(entry.winner.value)
-    };
-    if (entry.winner.origin?.file) {
-      issue.sourceFile = entry.winner.origin.file;
-    }
-    return issue;
-  }).sort((left, right) => left.key.localeCompare(right.key));
+  ).map((entry) => ({
+    key: entry.key,
+    status: "undeclared",
+    value: entry.winner.value,
+    actualType: describeValueType(entry.winner.value),
+    ...entry.winner.origin?.file ? {
+      sourceFile: entry.winner.origin.file
+    } : {}
+  })).sort((left, right) => left.key.localeCompare(right.key));
+  const allIssues = [...issues, ...undeclaredIssues].sort((left, right) => left.key.localeCompare(right.key));
   return {
     profile: runtime.graph.profile,
     workspace: runtime.graph.workspace.workspaceId,
+    summary: buildSummary(allIssues),
+    issues: allIssues
+  };
+}
+
+// src/drift/compareSchemaToGraph.ts
+function compareSchemaToGraph(runtime) {
+  const report = compareSpecToGraph(runtime);
+  const missing = report.issues.filter((issue) => issue.status === "missing_required").map(
+    (issue) => ({
+      key: issue.key,
+      ...issue.expectedType ? {
+        expectedType: issue.expectedType
+      } : {}
+    })
+  );
+  const undeclared = report.issues.filter((issue) => issue.status === "undeclared").map(
+    (issue) => ({
+      key: issue.key,
+      value: issue.value,
+      ...issue.actualType ? {
+        actualType: issue.actualType
+      } : {},
+      ...issue.sourceFile ? {
+        sourceFile: issue.sourceFile
+      } : {}
+    })
+  );
+  const mismatches = report.issues.filter((issue) => issue.status === "type_mismatch").map(
+    (issue) => ({
+      key: issue.key,
+      ...issue.expectedType ? {
+        expectedType: issue.expectedType
+      } : {},
+      ...issue.actualType ? {
+        actualType: issue.actualType
+      } : {},
+      value: issue.value,
+      ...issue.sourceFile ? {
+        sourceFile: issue.sourceFile
+      } : {}
+    })
+  );
+  const defaultsApplied = report.issues.filter((issue) => issue.status === "default_applied").map(
+    (issue) => ({
+      key: issue.key,
+      value: issue.value
+    })
+  );
+  return {
+    profile: report.profile,
+    workspace: report.workspace,
     missing,
     undeclared,
     mismatches,
@@ -2725,7 +3048,7 @@ function formatDriftReport(report) {
 }
 
 // src/migrate/applyManifest.ts
-var import_promises14 = require("fs/promises");
+var import_promises15 = require("fs/promises");
 function sortRecord(record) {
   return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
 }
@@ -2760,7 +3083,7 @@ async function applyManifestMappings(proposals, root) {
       promote: Array.from(promoted).sort((left, right) => left.localeCompare(right))
     };
   }
-  await (0, import_promises14.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
+  await (0, import_promises15.writeFile)(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
   return {
     manifestPath: loadedManifest.manifestPath,
     appliedMappings,
@@ -2795,7 +3118,7 @@ function proposeMapping(envVar) {
 }
 
 // src/migrate/rewriteSource.ts
-var import_promises15 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 function importStatementFor(kind) {
   return kind === "import-meta-env" ? "import cnos from '@kitsy/cnos/browser';" : "import cnos from '@kitsy/cnos';";
 }
@@ -2816,7 +3139,7 @@ async function rewriteSourceFiles(usages, proposals) {
   const backupFiles = [];
   const skippedUsages = [];
   for (const [filePath, fileUsages] of fileGroups.entries()) {
-    const original = await (0, import_promises15.readFile)(filePath, "utf8");
+    const original = await (0, import_promises16.readFile)(filePath, "utf8");
     let nextSource = original;
     let changed = false;
     const importKinds = /* @__PURE__ */ new Set();
@@ -2843,7 +3166,7 @@ async function rewriteSourceFiles(usages, proposals) {
       continue;
     }
     const backupPath = `${filePath}.bak`;
-    await (0, import_promises15.copyFile)(filePath, backupPath);
+    await (0, import_promises16.copyFile)(filePath, backupPath);
     backupFiles.push(backupPath);
     for (const kind of Array.from(importKinds)) {
       const importStatement = importStatementFor(kind);
@@ -2852,7 +3175,7 @@ async function rewriteSourceFiles(usages, proposals) {
 ${nextSource}`;
       }
     }
-    await (0, import_promises15.writeFile)(filePath, nextSource, "utf8");
+    await (0, import_promises16.writeFile)(filePath, nextSource, "utf8");
     rewrittenFiles.push(filePath);
   }
   return {
@@ -2863,7 +3186,7 @@ ${nextSource}`;
 }
 
 // src/migrate/scanEnvUsage.ts
-var import_promises16 = require("fs/promises");
+var import_promises17 = require("fs/promises");
 var import_node_path15 = __toESM(require("path"), 1);
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mts", ".cts", ".mjs", ".cjs"]);
 var PROCESS_ENV_DOT = /process\.env\.([A-Z][A-Z0-9_]*)/g;
@@ -2871,7 +3194,7 @@ var PROCESS_ENV_BRACKET = /process\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
 var IMPORT_META_ENV_DOT = /import\.meta\.env\.([A-Z][A-Z0-9_]*)/g;
 var IMPORT_META_ENV_BRACKET = /import\.meta\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/g;
 async function collectFiles(root) {
-  const entries = await (0, import_promises16.readdir)(root, { withFileTypes: true });
+  const entries = await (0, import_promises17.readdir)(root, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
     const filePath = import_node_path15.default.join(root, entry.name);
@@ -2908,7 +3231,7 @@ async function scanEnvUsage(scanRoot) {
   const files = await collectFiles(scanRoot);
   const usages = [];
   for (const filePath of files) {
-    const source = await (0, import_promises16.readFile)(filePath, "utf8");
+    const source = await (0, import_promises17.readFile)(filePath, "utf8");
     usages.push(...collectMatches(filePath, source, PROCESS_ENV_DOT, "process-env"));
     usages.push(...collectMatches(filePath, source, PROCESS_ENV_BRACKET, "process-env"));
     usages.push(...collectMatches(filePath, source, IMPORT_META_ENV_DOT, "import-meta-env"));
@@ -2978,6 +3301,7 @@ async function watchFiles(runtime, root) {
   clearAllVaultSessionKeys,
   clearVaultSessionKey,
   compareSchemaToGraph,
+  compareSpecToGraph,
   createRemoteRootCacheKey,
   createSecretVault,
   createSecretVaultProvider,