@kitsy/cnos-cli 0.0.1 → 1.0.1

package/dist/index.js

@@ -7,8 +7,50 @@ var OPTION_KEYS = {
   "--profile": "profile",
   "--global-root": "globalRoot"
 };
-var COMMAND_OPTION_KEYS_WITH_VALUE = /* @__PURE__ */ new Set(["--format", "--framework", "--prefix", "--target", "--to"]);
-var COMMAND_FLAG_KEYS = /* @__PURE__ */ new Set(["--flatten", "--public"]);
+var COMMAND_OPTION_KEYS_WITH_VALUE = /* @__PURE__ */ new Set([
+  "--format",
+  "--framework",
+  "--prefix",
+  "--target",
+  "--to",
+  "--provider",
+  "--passphrase",
+  "--inherit"
+]);
+var COMMAND_FLAG_KEYS = /* @__PURE__ */ new Set(["--flatten", "--public", "--local", "--remote", "--ref"]);
+function normalizeCommand(argv) {
+  const [command = "doctor", ...rest] = argv;
+  const resource = rest[0];
+  const remaining = rest.slice(1);
+  if ((command === "create" || command === "add") && resource === "profile") {
+    return ["profile", "create", ...remaining];
+  }
+  if ((command === "delete" || command === "remove") && resource === "profile") {
+    return ["profile", "delete", ...remaining];
+  }
+  if (command === "list" && resource === "profile") {
+    return ["profile", "list", ...remaining];
+  }
+  if ((command === "create" || command === "add") && resource === "secret") {
+    return ["secret", "set", ...remaining];
+  }
+  if ((command === "delete" || command === "remove") && resource === "secret") {
+    return ["secret", "delete", ...remaining];
+  }
+  if (command === "list" && resource === "secret") {
+    return ["secret", "list", ...remaining];
+  }
+  if ((command === "create" || command === "add") && resource === "value") {
+    return ["value", "set", ...remaining];
+  }
+  if ((command === "delete" || command === "remove") && resource === "value") {
+    return ["value", "delete", ...remaining];
+  }
+  if (command === "list" && resource === "value") {
+    return ["value", "list", ...remaining];
+  }
+  return [command, ...rest];
+}
 function setOption(options, key, value) {
   options[key] = value;
 }
@@ -23,7 +65,18 @@ function parseArgs(argv) {
       passthrough: []
     };
   }
-  const [command = "doctor", ...rest] = argv;
+  if (argv[0] === "--version" || argv[0] === "-v") {
+    return {
+      command: "version",
+      args: [],
+      options: {
+        cliArgs: []
+      },
+      passthrough: []
+    };
+  }
+  const normalizedArgv = normalizeCommand(argv);
+  const [command = "doctor", ...rest] = normalizedArgv;
   const options = {};
   const args = [];
   const cliArgs = [];
@@ -128,15 +181,24 @@ function printJson(value) {
 }
 
 // src/services/writes.ts
-import { mkdir, readFile, writeFile } from "fs/promises";
+import { randomUUID } from "crypto";
+import { mkdir, readFile, rm, writeFile } from "fs/promises";
 import path from "path";
-import { parseYaml, resolveWorkspaceScopedPath, stringifyYaml } from "@kitsy/cnos-core";
+import {
+  parseYaml,
+  resolveConfigDocumentPath,
+  resolveSecretStoreRoot,
+  stringifyYaml,
+  writeLocalSecret
+} from "@kitsy/cnos/internal";
 
 // src/services/runtime.ts
 import { createCnos } from "@kitsy/cnos";
 async function createRuntimeService(options = {}) {
   const createOptions = {
-    root: options.root ?? process.cwd(),
+    ...options.root ? {
+      root: options.root
+    } : {},
     ...options.workspace ? {
       workspace: options.workspace
     } : {},
@@ -181,8 +243,38 @@ function parseScalarValue(rawValue) {
     return rawValue;
   }
 }
-async function defineValue(namespace, configPath, rawValue, options = {}) {
-  const runtime = await createRuntimeService(options);
+function unsetNestedValue(target, pathSegments) {
+  const [head, ...tail] = pathSegments;
+  if (!head || !(head in target)) {
+    return false;
+  }
+  if (tail.length === 0) {
+    delete target[head];
+    return true;
+  }
+  const nextValue = target[head];
+  if (!nextValue || typeof nextValue !== "object" || Array.isArray(nextValue)) {
+    return false;
+  }
+  const deleted = unsetNestedValue(nextValue, tail);
+  if (deleted && Object.keys(nextValue).length === 0) {
+    delete target[head];
+  }
+  return deleted;
+}
+function isSecretReference(value) {
+  return Boolean(
+    value && typeof value === "object" && !Array.isArray(value) && typeof value.provider === "string" && typeof value.ref === "string"
+  );
+}
+async function readYamlDocument(filePath) {
+  try {
+    return parseYaml(await readFile(filePath, "utf8")) ?? {};
+  } catch {
+    return {};
+  }
+}
+function getSelectedWorkspaceRoot(options, runtime) {
   const target = options.target ?? "local";
   const workspaceRoot = runtime.graph.workspace.workspaceRoots.find(
     (entry) => entry.scope === target && entry.workspaceId === runtime.graph.workspace.workspaceId
@@ -193,18 +285,27 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
   if (target === "global" && !runtime.manifest.workspaces.global.allowWrite) {
     throw new Error("Global writes require workspaces.global.allowWrite: true");
   }
-  const profile = options.profile ?? runtime.manifest.writePolicy.define.defaultProfile;
-  const template = runtime.manifest.writePolicy.define.targets[namespace];
-  const filePath = resolveWorkspaceScopedPath(workspaceRoot.path, template, {
-    workspace: runtime.graph.workspace.workspaceId,
-    profile
-  });
-  let document = {};
-  try {
-    document = parseYaml(await readFile(filePath, "utf8")) ?? {};
-  } catch {
-    document = {};
+  return workspaceRoot.path;
+}
+async function defineValue(namespace, configPath, rawValue, options = {}) {
+  if (namespace === "secret") {
+    const secret = await setSecret(configPath, rawValue, {
+      ...options,
+      mode: options.mode ?? "local"
+    });
+    return {
+      filePath: secret.filePath,
+      value: {
+        provider: secret.provider,
+        ref: secret.ref
+      }
+    };
   }
+  const runtime = await createRuntimeService(options);
+  const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
+  const profile = options.profile ?? runtime.graph.profile;
+  const filePath = resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile);
+  const document = await readYamlDocument(filePath);
   const parsedValue = parseScalarValue(rawValue);
   setNestedValue(document, configPath.split("."), parsedValue);
   await mkdir(path.dirname(filePath), { recursive: true });
@@ -214,15 +315,118 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
     value: parsedValue
   };
 }
+async function setSecret(configPath, rawValue, options = {}) {
+  const runtime = await createRuntimeService(options);
+  const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
+  const profile = options.profile ?? runtime.graph.profile;
+  const filePath = resolveConfigDocumentPath(workspaceRoot, "secret", configPath, profile);
+  const document = await readYamlDocument(filePath);
+  const mode = options.mode ?? "local";
+  let reference;
+  let storePath;
+  if (mode === "local") {
+    const passphrase = options.passphrase ?? options.processEnv?.CNOS_SECRET_PASSPHRASE ?? process.env.CNOS_SECRET_PASSPHRASE;
+    if (!passphrase) {
+      throw new Error("Local secret writes require --passphrase or CNOS_SECRET_PASSPHRASE");
+    }
+    const profileSegment = profile && profile !== "base" ? profile : "base";
+    const ref = [
+      runtime.manifest.project.name,
+      runtime.graph.workspace.workspaceId,
+      profileSegment,
+      ...configPath.split("."),
+      randomUUID()
+    ].map((segment) => segment.replace(/[^A-Za-z0-9._-]+/g, "-")).join("/");
+    storePath = await writeLocalSecret(resolveSecretStoreRoot(options.processEnv), ref, rawValue, passphrase);
+    reference = {
+      provider: "local",
+      ref
+    };
+  } else {
+    reference = {
+      provider: options.provider ?? (mode === "ref" ? "ref" : "remote"),
+      ref: rawValue
+    };
+  }
+  setNestedValue(document, configPath.split("."), reference);
+  await mkdir(path.dirname(filePath), { recursive: true });
+  await writeFile(filePath, stringifyYaml(document), "utf8");
+  return {
+    filePath,
+    provider: reference.provider,
+    ref: reference.ref,
+    ...storePath ? { storePath } : {}
+  };
+}
+async function deleteSecret(configPath, options = {}) {
+  const runtime = await createRuntimeService(options);
+  const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
+  const profile = options.profile ?? runtime.graph.profile;
+  const filePath = resolveConfigDocumentPath(workspaceRoot, "secret", configPath, profile);
+  const document = await readYamlDocument(filePath);
+  const metadata = runtime.graph.entries.get(`secret.${configPath}`)?.winner.metadata;
+  const deleted = unsetNestedValue(document, configPath.split("."));
+  if (!deleted) {
+    return {
+      filePath,
+      deleted: false
+    };
+  }
+  await writeFile(filePath, stringifyYaml(document), "utf8");
+  let removedStore;
+  const secretRef = metadata?.secretRef;
+  if (isSecretReference(secretRef) && secretRef.provider === "local") {
+    const storePath = path.join(resolveSecretStoreRoot(options.processEnv), "store", ...secretRef.ref.split("/")).concat(".json");
+    await rm(storePath, { force: true });
+    removedStore = storePath;
+  }
+  return {
+    filePath,
+    deleted: true,
+    ...removedStore ? { removedStore } : {}
+  };
+}
+async function deleteValue(namespace, configPath, options = {}) {
+  if (namespace === "secret") {
+    return deleteSecret(configPath, options);
+  }
+  const runtime = await createRuntimeService(options);
+  const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
+  const profile = options.profile ?? runtime.graph.profile;
+  const filePath = resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile);
+  const document = await readYamlDocument(filePath);
+  const deleted = unsetNestedValue(document, configPath.split("."));
+  if (!deleted) {
+    return {
+      filePath,
+      deleted: false
+    };
+  }
+  await writeFile(filePath, stringifyYaml(document), "utf8");
+  return {
+    filePath,
+    deleted: true
+  };
+}
 
 // src/commands/define.ts
 async function runDefine(namespace, configPath, rawValue, options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
   const target = consumeOption(cliArgs, "--target") ?? "local";
+  const local = consumeFlag(cliArgs, "--local");
+  const remote = consumeFlag(cliArgs, "--remote");
+  const ref = consumeFlag(cliArgs, "--ref");
+  const provider = consumeOption(cliArgs, "--provider");
+  const passphrase = consumeOption(cliArgs, "--passphrase");
   const result = await defineValue(namespace, configPath, rawValue, {
     ...options,
     cliArgs,
-    target
+    target,
+    ...namespace === "secret" ? {
+      mode: local ? "local" : remote ? "remote" : ref ? "ref" : "local",
+      ...provider ? { provider } : {},
+      ...passphrase ? { passphrase } : {}
+    } : {}
   });
   if (options.json) {
     return printJson({
@@ -237,7 +441,7 @@ async function runDefine(namespace, configPath, rawValue, options = {}) {
 }
 
 // src/commands/diff.ts
-import { flattenObject } from "@kitsy/cnos-core";
+import { flattenObject } from "@kitsy/cnos/internal";
 function flattenRuntime(runtime) {
   return {
     ...Object.fromEntries(
@@ -278,7 +482,7 @@ import { readFile as readFile2 } from "fs/promises";
 import path2 from "path";
 
 // src/services/validation.ts
-import { validateRuntime } from "@kitsy/cnos-core";
+import { validateRuntime } from "@kitsy/cnos/internal";
 async function createValidationSummary(options = {}) {
   const runtime = await createRuntimeService(options);
   const summary = await validateRuntime(runtime);
@@ -292,11 +496,14 @@ async function createValidationSummary(options = {}) {
 async function checkGitignore(root) {
   const gitignorePath = path2.join(root, ".gitignore");
   const expected = [
-    "cnos/workspaces/*/secrets/",
-    "cnos/workspaces/*/env/.env",
-    "cnos/workspaces/*/env/.env.*",
-    "!cnos/workspaces/*/env/.env.example",
-    "!cnos/workspaces/*/env/.env.*.example"
+    ".cnos/env/.env",
+    ".cnos/env/.env.*",
+    "!.cnos/env/.env.example",
+    "!.cnos/env/.env.*.example",
+    ".cnos/workspaces/*/env/.env",
+    ".cnos/workspaces/*/env/.env.*",
+    "!.cnos/workspaces/*/env/.env.example",
+    "!.cnos/workspaces/*/env/.env.*.example"
   ];
   try {
     const content = await readFile2(gitignorePath, "utf8");
@@ -448,14 +655,14 @@ var COMMANDS = [
     id: "init",
     summary: "Scaffold a workspace-aware CNOS tree in the current project.",
     usage: "cnos init [--workspace <id>] [--root <path>] [--json]",
-    description: "Creates cnos/cnos.yml, .cnos-workspace.yml, workspace folders, and .gitignore entries without overwriting existing files.",
+    description: "Creates .cnos/cnos.yml, optional .cnos-workspace.yml, config folders, and .gitignore entries without overwriting existing files.",
     examples: ["cnos init", "cnos init --workspace api", "cnos init --root ./apps/api --workspace api --json"]
   },
   {
     id: "onboard",
     summary: "Onboard an existing repo into CNOS and import root dotenv files.",
     usage: "cnos onboard [--workspace <id>] [--root <path>] [--move] [--json]",
-    description: "Scaffolds the CNOS workspace tree and imports root-level .env, .env.<profile>, and .env.*.example files into cnos/workspaces/<workspace>/env.",
+    description: "Scaffolds the CNOS workspace tree and imports root-level .env, .env.<profile>, and .env.*.example files into .cnos/workspaces/<workspace>/env.",
     options: [
       {
         flag: "--move",
@@ -480,37 +687,98 @@ var COMMANDS = [
   },
   {
     id: "value",
-    summary: "Read a value namespace key without the value. prefix.",
-    usage: "cnos value <path> [global-options]",
-    description: "Reads value.<path> from the selected workspace and profile.",
+    summary: "Read, write, list, and delete values.",
+    usage: "cnos value [get <path> | set <path> <value> | list | delete <path>] [options] [global-options]",
+    description: "Reads and manages value.<path> entries from the selected workspace and profile.",
     arguments: [
       {
         name: "path",
-        description: "Value path without the value. namespace prefix.",
-        required: true
+        description: "Value path without the value. namespace prefix."
+      }
+    ],
+    options: [
+      {
+        flag: "--target <local|global>",
+        description: "Choose whether writes land in the local project workspace or the configured global root."
+      },
+      {
+        flag: "--prefix <path>",
+        description: "Filter value list output to keys that begin with this logical path or key prefix."
       }
     ],
-    examples: ["cnos value app.name", "cnos value server.port --profile stage --workspace api"]
+    examples: [
+      "cnos value app.name",
+      "cnos value set server.port 3000",
+      "cnos add value app.name demo",
+      "cnos value list --prefix app."
+    ]
+  },
+  {
+    id: "value set",
+    summary: "Write a value.",
+    usage: "cnos value set <path> <value> [--target <local|global>] [global-options]",
+    description: "Writes a deterministic value document into the selected workspace or explicit global target.",
+    examples: ["cnos value set app.name demo", "cnos add value server.port 3000 --target global"]
+  },
+  {
+    id: "value list",
+    summary: "List resolved values.",
+    usage: "cnos value list [--prefix <path>] [global-options]",
+    description: "Lists resolved value keys for the selected workspace and profile.",
+    examples: ["cnos value list", "cnos value list --prefix app."]
+  },
+  {
+    id: "value delete",
+    summary: "Delete a value entry.",
+    usage: "cnos value delete <path> [--target <local|global>] [global-options]",
+    description: "Deletes a value from the selected workspace or explicit global target.",
+    examples: ["cnos value delete app.name", "cnos remove value server.port"]
   },
   {
     id: "secret",
-    summary: "Read a secret namespace key without the secret. prefix.",
-    usage: "cnos secret <path> [global-options]",
-    description: "Reads secret.<path> from the selected workspace and profile.",
+    summary: "Read, write, list, and delete secrets.",
+    usage: "cnos secret [get <path> | set <path> <value> | list | delete <path>] [options] [global-options]",
+    description: "Reads resolved secrets, writes secret refs plus external local-secret material, and manages secret entries for the selected workspace and profile.",
     arguments: [
       {
         name: "path",
-        description: "Secret path without the secret. namespace prefix.",
-        required: true
+        description: "Secret path without the secret. namespace prefix."
+      }
+    ],
+    options: [
+      {
+        flag: "--local",
+        description: "Store encrypted secret material under ~/.cnos/secrets and write a local ref into the repo."
+      },
+      {
+        flag: "--remote",
+        description: "Write a remote secret reference into the repo."
+      },
+      {
+        flag: "--ref",
+        description: "Write a generic secret reference into the repo."
+      },
+      {
+        flag: "--provider <name>",
+        description: "Provider name for --remote or --ref secret writes."
+      },
+      {
+        flag: "--passphrase <value>",
+        description: "Passphrase used to encrypt local secret material when --local is selected."
       }
     ],
-    examples: ["cnos secret app.token", "cnos secret service.apiKey --workspace agents"]
+    examples: [
+      "cnos secret app.token",
+      "cnos secret set app.token super-secret --local --passphrase dev-pass",
+      "cnos add secret app.token APP_TOKEN --ref --provider env",
+      "cnos secret list --workspace agents"
+    ]
   },
   {
     id: "define",
     summary: "Write a value or secret into the selected workspace.",
     usage: "cnos define <value|secret> <path> <rawValue> [--target <local|global>] [global-options]",
-    description: "Writes deterministic YAML into the selected workspace. Global writes require allowWrite and an explicit --target global flag.",
+    description: "Writes deterministic YAML into the selected workspace. Secret writes default to secure local-secret storage plus a repo ref. Global writes require allowWrite and an explicit --target global flag.",
     arguments: [
       {
         name: "namespace",
@@ -536,9 +804,99 @@ var COMMANDS = [
     ],
     examples: [
       "cnos define value server.port 3000 --workspace api",
-      "cnos define secret app.token super-secret --workspace api --target global"
+      "cnos define secret app.token super-secret --workspace api"
     ]
   },
+  {
+    id: "use",
+    summary: "Persist repo-local CLI defaults such as workspace and profile.",
+    usage: "cnos use [--workspace <id>] [--profile <name>] [--global-root <path>] [--root <path>] [--json]",
+    description: "Writes .cnos-workspace.yml so future CLI invocations can omit repeated workspace/profile/global-root flags.",
+    examples: ["cnos use --workspace api --profile stage", "cnos use --global-root ~/.cnos"]
+  },
+  {
+    id: "list",
+    summary: "List resolved config entries.",
+    usage: "cnos list [value|secret|meta|all] [--prefix <path>] [global-options]",
+    description: "Lists resolved config entries across one namespace or the full effective graph, with optional key-prefix filtering.",
+    options: [
+      {
+        flag: "--namespace <value|secret|meta|all>",
+        description: "Explicit namespace selector when not using a positional namespace argument."
+      },
+      {
+        flag: "--prefix <path>",
+        description: "Filter list output to entries whose logical keys begin with this prefix."
+      }
+    ],
+    examples: ["cnos list", "cnos list value --prefix app.", "cnos list --namespace secret"]
+  },
+  {
+    id: "profile",
+    summary: "Manage CNOS profiles.",
+    usage: "cnos profile [create <name> | list | use <name> | delete <name>] [options] [global-options]",
+    description: "Creates and lists explicit profiles and stores the active repo-local profile selection for CLI usage.",
+    options: [
+      {
+        flag: "--inherit <name>",
+        description: "Parent profile to extend when creating a profile."
+      }
+    ],
+    examples: [
+      "cnos profile create stage --inherit base",
+      "cnos profile list",
+      "cnos profile use stage"
+    ]
+  },
+  {
+    id: "profile create",
+    summary: "Create a profile definition.",
+    usage: "cnos profile create <name> [--inherit <name>] [--root <path>] [--json]",
+    description: "Creates .cnos/profiles/<name>.yml for an explicit profile overlay.",
+    examples: ["cnos profile create stage --inherit base"]
+  },
+  {
+    id: "profile list",
+    summary: "List available profiles.",
+    usage: "cnos profile list [--root <path>] [--json]",
+    description: "Lists the base profile plus any explicit profile definition files in .cnos/profiles.",
+    examples: ["cnos profile list"]
+  },
+  {
+    id: "profile use",
+    summary: "Persist the active profile for this repo.",
+    usage: "cnos profile use <name> [--root <path>] [--json]",
+    description: "Writes the selected profile into .cnos-workspace.yml.",
+    examples: ["cnos profile use stage"]
+  },
+  {
+    id: "profile delete",
+    summary: "Delete a profile definition.",
+    usage: "cnos profile delete <name> [--root <path>] [--json]",
+    description: "Deletes .cnos/profiles/<name>.yml.",
+    examples: ["cnos profile delete stage"]
+  },
+  {
+    id: "secret set",
+    summary: "Write a secret securely.",
+    usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--provider <name>] [--passphrase <value>] [global-options]",
+    description: "Writes a secret reference into the repo and, when --local is used, stores encrypted secret material outside the repo under ~/.cnos/secrets.",
+    examples: ["cnos secret set app.token super-secret --local --passphrase dev-pass"]
+  },
+  {
+    id: "secret list",
+    summary: "List resolved secrets.",
+    usage: "cnos secret list [global-options]",
+    description: "Lists resolved secret keys for the selected workspace and profile.",
+    examples: ["cnos secret list --workspace api"]
+  },
+  {
+    id: "secret delete",
+    summary: "Delete a secret reference.",
+    usage: "cnos secret delete <path> [--target <local|global>] [global-options]",
+    description: "Deletes the secret reference from the repo and removes local encrypted material when the secret used the local provider.",
+    examples: ["cnos secret delete app.token"]
+  },
   {
     id: "inspect",
     summary: "Inspect the winning value and provenance for a key.",
@@ -572,7 +930,11 @@ var COMMANDS = [
         required: true
       }
     ],
-    examples: ["cnos export env", "cnos export env --public --framework vite --workspace api"]
+    examples: [
+      "cnos export env",
+      "cnos export env --public --framework vite --workspace api",
+      "cnos export env --public --framework next --workspace webapp"
+    ]
   },
   {
     id: "export env",
@@ -586,7 +948,7 @@ var COMMANDS = [
       },
       {
         flag: "--framework <name>",
-        description: "Apply framework-specific public env conventions such as vite or nextjs."
+        description: "Apply framework-specific public env conventions such as vite, next, or nuxt."
       },
       {
         flag: "--prefix <prefix>",
@@ -676,6 +1038,31 @@ var COMMANDS = [
       }
     ],
     examples: ["cnos help-ai --format json", "cnos help-ai export env --format json"]
+  },
+  {
+    id: "version",
+    summary: "Print the installed CNOS CLI version.",
+    usage: "cnos version",
+    description: "Prints the installed @kitsy/cnos-cli version string.",
+    examples: ["cnos version", "cnos --version"]
+  }
+];
+var INTEGRATIONS = [
+  {
+    id: "vite",
+    packageName: "@kitsy/cnos-vite",
+    entrypoint: "@kitsy/cnos-vite",
+    summary: "Inject CNOS public env into Vite define replacements and import.meta.env.",
+    usage: 'import { createCnosVitePlugin } from "@kitsy/cnos-vite"',
+    examples: ["cnos export env --public --framework vite", "vite.config.ts -> plugins: [createCnosVitePlugin()]"]
+  },
+  {
+    id: "next",
+    packageName: "@kitsy/cnos-next",
+    entrypoint: "@kitsy/cnos-next",
+    summary: "Merge CNOS public env into next.config.* using the NEXT_PUBLIC_ convention.",
+    usage: 'import { withCnosNext } from "@kitsy/cnos-next"',
+    examples: ["cnos export env --public --framework next", "next.config.mjs -> export default withCnosNext({})"]
   }
 ];
 var HELP_DOCUMENT = {
@@ -685,7 +1072,14 @@ var HELP_DOCUMENT = {
   description: "CNOS resolves one active workspace per invocation, layers local and optional global config roots, and exposes read, write, export, dump, validation, and diagnostics commands.",
   globalOptions: GLOBAL_OPTIONS,
   commands: COMMANDS,
-  examples: ["cnos doctor --workspace api", "cnos export env --public --framework vite", "cnos help-ai --format json"]
+  integrations: INTEGRATIONS,
+  examples: [
+    "cnos use --profile stage",
+    "cnos doctor --workspace api",
+    "cnos export env --public --framework vite",
+    "cnos export env --public --framework next",
+    "cnos help-ai --format json"
+  ]
 };
 function normalizeHelpTopic(parts) {
   const cleaned = parts.filter((part) => part.length > 0);
@@ -739,6 +1133,11 @@ function formatRootHelp() {
     "Commands",
     ...HELP_DOCUMENT.commands.filter((command) => !command.id.includes(" ")).map((command) => `  ${command.id.padEnd(12, " ")} ${command.summary}`),
     "",
+    "Framework integrations",
+    ...HELP_DOCUMENT.integrations.map(
+      (integration) => `  ${integration.id.padEnd(12, " ")} ${integration.packageName} via ${integration.entrypoint}`
+    ),
+    "",
     ...formatOptions("Global options", HELP_DOCUMENT.globalOptions),
     "",
     "Examples",
@@ -766,6 +1165,7 @@ function runHelpAi(topic, cliArgs = []) {
     cli: HELP_DOCUMENT.name,
     summary: HELP_DOCUMENT.summary,
     globalOptions: HELP_DOCUMENT.globalOptions,
+    integrations: HELP_DOCUMENT.integrations,
     command
   } : {
     cli: HELP_DOCUMENT.name,
@@ -773,7 +1173,8 @@ function runHelpAi(topic, cliArgs = []) {
     usage: HELP_DOCUMENT.usage,
     description: HELP_DOCUMENT.description,
     globalOptions: HELP_DOCUMENT.globalOptions,
-    commands: HELP_DOCUMENT.commands
+    commands: HELP_DOCUMENT.commands,
+    integrations: HELP_DOCUMENT.integrations
   };
   if (topic && !command) {
     throw new Error(`Unknown help topic: ${topic}`);
@@ -794,25 +1195,32 @@ import path4 from "path";
 import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
 import path3 from "path";
 function scaffoldManifest(projectName, workspace) {
-  return [
+  const lines = [
     "version: 1",
     "project:",
     `  name: ${projectName}`,
-    "workspaces:",
-    `  default: ${workspace}`,
-    "  global:",
-    "    enabled: false",
-    "    allowWrite: false",
-    "  items:",
-    `    ${workspace}: {}`,
     "profiles:",
-    "  default: local",
+    "  default: base",
     "envMapping:",
     "  convention: SCREAMING_SNAKE",
     "public:",
     "  promote: []",
     ""
-  ].join("\n");
+  ];
+  if (workspace) {
+    lines.splice(
+      4,
+      0,
+      "workspaces:",
+      `  default: ${workspace}`,
+      "  global:",
+      "    enabled: false",
+      "    allowWrite: false",
+      "  items:",
+      `    ${workspace}: {}`
+    );
+  }
+  return lines.join("\n");
 }
 async function ensureFile(filePath, content) {
   try {
@@ -826,11 +1234,14 @@ async function ensureFile(filePath, content) {
 async function ensureGitignore(root) {
   const gitignorePath = path3.join(root, ".gitignore");
   const requiredEntries = [
-    "cnos/workspaces/*/secrets/",
-    "cnos/workspaces/*/env/.env",
-    "cnos/workspaces/*/env/.env.*",
-    "!cnos/workspaces/*/env/.env.example",
-    "!cnos/workspaces/*/env/.env.*.example"
+    ".cnos/env/.env",
+    ".cnos/env/.env.*",
+    "!.cnos/env/.env.example",
+    "!.cnos/env/.env.*.example",
+    ".cnos/workspaces/*/env/.env",
+    ".cnos/workspaces/*/env/.env.*",
+    "!.cnos/workspaces/*/env/.env.example",
+    "!.cnos/workspaces/*/env/.env.*.example"
   ];
   let current = "";
   try {
@@ -849,28 +1260,34 @@ async function ensureGitignore(root) {
   return true;
 }
 async function scaffoldWorkspace(root, workspace) {
-  const cnosRoot = path3.join(root, "cnos");
-  const workspaceRoot = path3.join(cnosRoot, "workspaces", workspace);
+  const cnosRoot = path3.join(root, ".cnos");
+  const workspaceRoot = workspace ? path3.join(cnosRoot, "workspaces", workspace) : cnosRoot;
   const createdPaths = [];
   await mkdir2(path3.join(workspaceRoot, "profiles"), { recursive: true });
-  await mkdir2(path3.join(workspaceRoot, "values", "local"), { recursive: true });
-  await mkdir2(path3.join(workspaceRoot, "secrets", "local"), { recursive: true });
+  await mkdir2(path3.join(workspaceRoot, "values"), { recursive: true });
+  await mkdir2(path3.join(workspaceRoot, "secrets"), { recursive: true });
   await mkdir2(path3.join(workspaceRoot, "env"), { recursive: true });
-  for (const relativePath of [
+  const relativePaths = workspace ? [
     ["workspaces", workspace, "profiles", ".gitkeep"],
-    ["workspaces", workspace, "values", "local", ".gitkeep"],
-    ["workspaces", workspace, "secrets", "local", ".gitkeep"],
+    ["workspaces", workspace, "values", ".gitkeep"],
+    ["workspaces", workspace, "secrets", ".gitkeep"],
     ["workspaces", workspace, "env", ".gitkeep"]
-  ]) {
+  ] : [
+    ["profiles", ".gitkeep"],
+    ["values", ".gitkeep"],
+    ["secrets", ".gitkeep"],
+    ["env", ".gitkeep"]
+  ];
+  for (const relativePath of relativePaths) {
     const filePath = path3.join(cnosRoot, ...relativePath);
     if (await ensureFile(filePath, "")) {
       createdPaths.push(path3.relative(root, filePath).replace(/\\/g, "/"));
     }
   }
   if (await ensureFile(path3.join(cnosRoot, "cnos.yml"), scaffoldManifest(path3.basename(root), workspace))) {
-    createdPaths.push("cnos/cnos.yml");
+    createdPaths.push(".cnos/cnos.yml");
   }
-  if (await ensureFile(path3.join(root, ".cnos-workspace.yml"), `workspace: ${workspace}
+  if (workspace && await ensureFile(path3.join(root, ".cnos-workspace.yml"), `workspace: ${workspace}
 globalRoot: ~/.cnos
 `)) {
     createdPaths.push(".cnos-workspace.yml");
@@ -880,7 +1297,7 @@ globalRoot: ~/.cnos
   }
   return {
     root,
-    workspace,
+    ...workspace ? { workspace } : {},
     created: createdPaths
   };
 }
@@ -888,12 +1305,14 @@ globalRoot: ~/.cnos
 // src/commands/init.ts
 async function runInit(options = {}) {
   const root = path4.resolve(options.root ?? process.cwd());
-  const workspace = options.workspace ?? path4.basename(root);
-  const result = await scaffoldWorkspace(root, workspace);
+  const result = await scaffoldWorkspace(root, options.workspace);
   if (options.json) {
     return printJson(result);
   }
-  return `initialized CNOS workspace ${workspace} at ${root}`;
+  if (result.workspace) {
+    return `initialized CNOS workspace ${result.workspace} at ${root}`;
+  }
+  return `initialized CNOS project at ${root}`;
 }
 
 // src/format/printInspect.ts
@@ -928,8 +1347,76 @@ async function runInspect(key, options = {}) {
   return printInspect(inspectResult);
 }
 
+// src/format/printValue.ts
+function printValue(value, json = false) {
+  if (json) {
+    return printJson(value);
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (value === void 0 || value === null || typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return printJson(value);
+}
+
+// src/services/listing.ts
+import { flattenObject as flattenObject2 } from "@kitsy/cnos/internal";
+async function listConfigEntries(namespace, options = {}) {
+  const runtime = await createRuntimeService(options);
+  const namespaces = namespace === "all" ? ["value", "secret", "meta"] : [namespace];
+  const entries = [];
+  const prefix = options.prefix?.trim();
+  for (const currentNamespace of namespaces) {
+    const projected = flattenObject2(runtime.toNamespace(currentNamespace));
+    for (const [path10, value] of Object.entries(projected)) {
+      const key = `${currentNamespace}.${path10}`;
+      if (prefix && !key.startsWith(prefix) && !path10.startsWith(prefix)) {
+        continue;
+      }
+      entries.push({
+        key,
+        value
+      });
+    }
+  }
+  return entries.sort((left, right) => left.key.localeCompare(right.key));
+}
+
+// src/commands/list.ts
+function normalizeNamespace(value) {
+  if (!value || value === "all") {
+    return "all";
+  }
+  if (value === "values" || value === "value") {
+    return "value";
+  }
+  if (value === "secrets" || value === "secret") {
+    return "secret";
+  }
+  if (value === "meta") {
+    return "meta";
+  }
+  throw new Error(`Unsupported list namespace: ${value}`);
+}
+async function runList(args = [], options = {}) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const namespace = normalizeNamespace(args[0] ?? consumeOption(cliArgs, "--namespace"));
+  const prefix = consumeOption(cliArgs, "--prefix");
+  const entries = await listConfigEntries(namespace, {
+    ...options,
+    cliArgs,
+    ...prefix ? { prefix } : {}
+  });
+  if (options.json) {
+    return printJson(entries);
+  }
+  return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
+}
+
 // src/commands/onboard.ts
-import { copyFile, readdir, rm } from "fs/promises";
+import { copyFile, readdir, rm as rm2 } from "fs/promises";
 import path5 from "path";
 var ROOT_ENV_FILE_PATTERN = /^\.env(?:\.[A-Za-z0-9_-]+)*(?:\.example)?$/;
 async function listRootEnvFiles(root) {
@@ -945,7 +1432,7 @@ async function runOnboard(options = {}) {
     throw new Error(`Unsupported onboard arguments: ${cliArgs.join(" ")}`);
   }
   const scaffold = await scaffoldWorkspace(root, workspace);
-  const envRoot = path5.join(root, "cnos", "workspaces", workspace, "env");
+  const envRoot = path5.join(root, ".cnos", "workspaces", workspace, "env");
   const rootFiles = await listRootEnvFiles(root);
   const imported = [];
   const skipped = [];
@@ -956,7 +1443,7 @@ async function runOnboard(options = {}) {
       await copyFile(sourcePath, targetPath);
       imported.push(path5.relative(root, targetPath).replace(/\\/g, "/"));
       if (move) {
-        await rm(sourcePath);
+        await rm2(sourcePath);
       }
     } catch {
       skipped.push(fileName);
@@ -975,21 +1462,169 @@ async function runOnboard(options = {}) {
   }
   const importedCount = imported.length;
   const skippedSuffix = skipped.length > 0 ? ` (${skipped.length} skipped)` : "";
-  return `onboarded ${workspace} at ${root}; imported ${importedCount} root env files into cnos/workspaces/${workspace}/env using ${result.mode}${skippedSuffix}`;
+  return `onboarded ${workspace} at ${root}; imported ${importedCount} root env files into .cnos/workspaces/${workspace}/env using ${result.mode}${skippedSuffix}`;
 }
 
-// src/format/printValue.ts
-function printValue(value, json = false) {
-  if (json) {
-    return printJson(value);
+// src/commands/profile.ts
+import path8 from "path";
+
+// src/services/context.ts
+import { readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
+import path6 from "path";
+import { parseYaml as parseYaml2, stringifyYaml as stringifyYaml2 } from "@kitsy/cnos/internal";
+async function loadCliContext(root = process.cwd()) {
+  const filePath = path6.join(path6.resolve(root), ".cnos-workspace.yml");
+  try {
+    const source = await readFile4(filePath, "utf8");
+    const parsed = parseYaml2(source);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return {};
+    }
+    return parsed;
+  } catch {
+    return {};
   }
-  if (typeof value === "string") {
-    return value;
+}
+async function saveCliContext(options = {}) {
+  const root = path6.resolve(options.root ?? process.cwd());
+  const filePath = path6.join(root, ".cnos-workspace.yml");
+  const current = await loadCliContext(root);
+  const next = {
+    ...current.workspace ? { workspace: current.workspace } : {},
+    ...current.profile ? { profile: current.profile } : {},
+    ...current.globalRoot ? { globalRoot: current.globalRoot } : {},
+    ...options.workspace ? { workspace: options.workspace } : {},
+    ...options.profile ? { profile: options.profile } : {},
+    ...options.globalRoot ? { globalRoot: options.globalRoot } : {}
+  };
+  await writeFile3(filePath, stringifyYaml2(next), "utf8");
+  return {
+    filePath,
+    context: next
+  };
+}
+
+// src/services/profiles.ts
+import { mkdir as mkdir3, readdir as readdir2, readFile as readFile5, rm as rm3, writeFile as writeFile4 } from "fs/promises";
+import path7 from "path";
+import { parseYaml as parseYaml3, stringifyYaml as stringifyYaml3 } from "@kitsy/cnos/internal";
+async function createProfileDefinition(root = process.cwd(), profile, inherit) {
+  const filePath = path7.join(path7.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  await mkdir3(path7.dirname(filePath), { recursive: true });
+  const document = inherit && inherit !== "base" ? {
+    name: profile,
+    extends: [inherit]
+  } : {
+    name: profile
+  };
+  await writeFile4(filePath, stringifyYaml3(document), "utf8");
+  return {
+    filePath,
+    profile,
+    ...inherit ? { inherit } : {}
+  };
+}
+async function listProfiles(root = process.cwd()) {
+  const profilesRoot = path7.join(path7.resolve(root), ".cnos", "profiles");
+  try {
+    const entries = await readdir2(profilesRoot, { withFileTypes: true });
+    const discovered = /* @__PURE__ */ new Set(["base"]);
+    for (const entry of entries) {
+      if (entry.isFile() && entry.name.endsWith(".yml")) {
+        discovered.add(entry.name.replace(/\.yml$/, ""));
+      }
+    }
+    return [...discovered].sort((left, right) => left.localeCompare(right));
+  } catch {
+    return ["base"];
   }
-  if (value === void 0 || value === null || typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
-    return String(value);
+}
+async function deleteProfileDefinition(root = process.cwd(), profile) {
+  const filePath = path7.join(path7.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  try {
+    await rm3(filePath);
+    return {
+      filePath,
+      deleted: true
+    };
+  } catch {
+    return {
+      filePath,
+      deleted: false
+    };
+  }
+}
+async function readProfileDefinition(root = process.cwd(), profile = "base") {
+  if (profile === "base") {
+    return {
+      name: "base"
+    };
+  }
+  const filePath = path7.join(path7.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  try {
+    return parseYaml3(await readFile5(filePath, "utf8")) ?? void 0;
+  } catch {
+    return void 0;
   }
-  return printJson(value);
+}
+
+// src/commands/profile.ts
+function normalizeProfileAction(args) {
+  const [action = "list", ...tail] = args;
+  if (["create", "list", "use", "delete", "remove"].includes(action)) {
+    return {
+      action: action === "remove" ? "delete" : action,
+      tail
+    };
+  }
+  return {
+    action: "list",
+    tail: args
+  };
+}
+async function runProfile(args, options = {}) {
+  const { action, tail } = normalizeProfileAction(args);
+  const root = path8.resolve(options.root ?? process.cwd());
+  const cliArgs = [...options.cliArgs ?? []];
+  if (action === "create") {
+    const profile = tail[0] ?? "stage";
+    const inherit = consumeOption(cliArgs, "--inherit");
+    const result = await createProfileDefinition(root, profile, inherit);
+    if (options.json) {
+      return printJson(result);
+    }
+    return `created profile ${profile} at ${result.filePath}`;
+  }
+  if (action === "use") {
+    const profile = tail[0] ?? "base";
+    const result = await saveCliContext({
+      root,
+      profile
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return `active profile set to ${profile} in ${result.filePath}`;
+  }
+  if (action === "delete") {
+    const profile = tail[0] ?? "base";
+    const result = await deleteProfileDefinition(root, profile);
+    if (options.json) {
+      return printJson(result);
+    }
+    return result.deleted ? `deleted profile ${profile}` : `profile ${profile} was not found`;
+  }
+  const profiles = await listProfiles(root);
+  if (options.json) {
+    const details = await Promise.all(
+      profiles.map(async (profile) => ({
+        profile,
+        definition: await readProfileDefinition(root, profile)
+      }))
+    );
+    return printJson(details);
+  }
+  return profiles.join("\n");
 }
 
 // src/commands/read.ts
@@ -1050,21 +1685,113 @@ async function runCommand(command, options = {}) {
 }
 
 // src/commands/secret.ts
-async function runSecret(path6, options = {}) {
+function isSecretRef(value) {
+  return Boolean(
+    value && typeof value === "object" && !Array.isArray(value) && typeof value.provider === "string" && typeof value.ref === "string"
+  );
+}
+function normalizeSecretCommand(args) {
+  const [actionOrPath, ...tail] = args;
+  if (!actionOrPath) {
+    return {
+      action: "list",
+      tail: []
+    };
+  }
+  if (["get", "set", "create", "add", "list", "delete", "remove"].includes(actionOrPath)) {
+    return {
+      action: actionOrPath === "remove" ? "delete" : actionOrPath === "create" || actionOrPath === "add" ? "set" : actionOrPath,
+      tail
+    };
+  }
+  return {
+    action: "get",
+    tail: args
+  };
+}
+async function runSecret(argsOrPath, options = {}) {
+  const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
+  const { action, tail } = normalizeSecretCommand(args);
+  const cliArgs = [...options.cliArgs ?? []];
+  if (action === "list") {
+    const runtime2 = await createRuntimeService(options);
+    const secrets = runtime2.toNamespace("secret");
+    if (options.json) {
+      return printJson(secrets);
+    }
+    return Object.entries(secrets).sort(([left], [right]) => left.localeCompare(right)).map(([key, value2]) => `${key}=${printValue(value2)}`).join("\n");
+  }
+  if (action === "set") {
+    const secretPath = tail[0];
+    const rawValue = tail[1] ?? "";
+    const local = consumeFlag(cliArgs, "--local");
+    const remote = consumeFlag(cliArgs, "--remote");
+    const ref = consumeFlag(cliArgs, "--ref");
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const provider = consumeOption(cliArgs, "--provider");
+    const passphrase = consumeOption(cliArgs, "--passphrase");
+    const mode = local ? "local" : remote ? "remote" : ref ? "ref" : "local";
+    const result = await setSecret(secretPath ?? "app.token", rawValue, {
+      ...options,
+      cliArgs,
+      target,
+      mode,
+      ...provider ? { provider } : {},
+      ...passphrase ? { passphrase } : {}
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return `set secret.${secretPath} via ${result.provider} in ${result.filePath}`;
+  }
+  if (action === "delete") {
+    const secretPath = tail[0];
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await deleteSecret(secretPath ?? "app.token", {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return result.deleted ? `deleted secret.${secretPath} from ${result.filePath}` : `no secret.${secretPath} found in ${result.filePath}`;
+  }
   const runtime = await createRuntimeService(options);
-  const value = runtime.secret(path6);
+  const value = runtime.secret(tail[0] ?? "app.token");
   if (value === void 0) {
-    throw new Error(`Missing CNOS secret path: ${path6}`);
+    throw new Error(`Missing CNOS secret path: ${tail[0] ?? "app.token"}`);
+  }
+  if (isSecretRef(value)) {
+    throw new Error(
+      `Secret ${tail[0] ?? "app.token"} is stored as an unresolved ${value.provider} reference. Provide the required provider context to resolve it.`
+    );
   }
   if (options.json) {
     return printJson({
-      key: `secret.${path6}`,
+      key: `secret.${tail[0] ?? "app.token"}`,
       value
     });
   }
   return printValue(value);
 }
 
+// src/commands/use.ts
+import path9 from "path";
+async function runUse(options = {}) {
+  const root = path9.resolve(options.root ?? process.cwd());
+  const result = await saveCliContext({
+    root,
+    ...options.workspace ? { workspace: options.workspace } : {},
+    ...options.profile ? { profile: options.profile } : {},
+    ...options.globalRoot ? { globalRoot: options.globalRoot } : {}
+  });
+  if (options.json) {
+    return printJson(result);
+  }
+  return `updated CLI context in ${result.filePath}`;
+}
+
 // src/commands/validate.ts
 async function runValidate(options = {}) {
   const { summary } = await createValidationSummary(options);
@@ -1077,16 +1804,139 @@ async function runValidate(options = {}) {
   return summary.valid ? "validation passed" : summary.issues.map((issue) => `${issue.code}: ${issue.message}`).join("\n");
 }
 
+// package.json
+var package_default = {
+  name: "@kitsy/cnos-cli",
+  version: "1.0.1",
+  description: "CLI entry point and developer tooling for CNOS.",
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  bin: {
+    cnos: "./dist/index.js"
+  },
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  license: "MIT",
+  repository: {
+    type: "git",
+    url: "https://github.com/kitsyai/cnos.git",
+    directory: "packages/cli"
+  },
+  homepage: "https://github.com/kitsyai/cnos/tree/main/packages/cli",
+  bugs: {
+    url: "https://github.com/kitsyai/cnos/issues"
+  },
+  keywords: [
+    "cnos",
+    "cli",
+    "config"
+  ],
+  publishConfig: {
+    access: "public"
+  },
+  dependencies: {
+    "@kitsy/cnos": "workspace:*"
+  },
+  scripts: {
+    build: "tsup src/index.ts --format esm --dts",
+    clean: "rimraf dist",
+    dev: "tsup src/index.ts --watch --format esm --dts",
+    lint: "eslint src test",
+    test: "vitest run",
+    typecheck: "tsc -p tsconfig.json --noEmit"
+  }
+};
+
+// src/commands/version.ts
+function runVersion() {
+  return package_default.version;
+}
+
 // src/commands/value.ts
-async function runValue(path6, options = {}) {
+function normalizeValueCommand(args) {
+  const [actionOrPath, ...tail] = args;
+  if (!actionOrPath) {
+    return {
+      action: "list",
+      tail: []
+    };
+  }
+  if (["get", "set", "create", "add", "list", "delete", "remove"].includes(actionOrPath)) {
+    return {
+      action: actionOrPath === "remove" ? "delete" : actionOrPath === "create" || actionOrPath === "add" ? "set" : actionOrPath,
+      tail
+    };
+  }
+  return {
+    action: "get",
+    tail: args
+  };
+}
+async function runValue(argsOrPath, options = {}) {
+  const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
+  const { action, tail } = normalizeValueCommand(args);
+  const cliArgs = [...options.cliArgs ?? []];
+  if (action === "list") {
+    const prefix = consumeOption(cliArgs, "--prefix");
+    const entries = await listConfigEntries("value", {
+      ...options,
+      cliArgs,
+      ...prefix ? { prefix } : {}
+    });
+    if (options.json) {
+      return printJson(entries);
+    }
+    return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
+  }
+  if (action === "set") {
+    const valuePath = tail[0] ?? "app.name";
+    const rawValue = tail[1] ?? "";
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await defineValue("value", valuePath, rawValue, {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson({
+        namespace: "value",
+        path: valuePath,
+        target,
+        filePath: result.filePath,
+        value: result.value
+      });
+    }
+    return `set value.${valuePath} in ${result.filePath}`;
+  }
+  if (action === "delete") {
+    const valuePath = tail[0] ?? "app.name";
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await deleteValue("value", valuePath, {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return result.deleted ? `deleted value.${valuePath} from ${result.filePath}` : `no value.${valuePath} found in ${result.filePath}`;
+  }
   const runtime = await createRuntimeService(options);
-  const value = runtime.value(path6);
+  const value = runtime.value(tail[0] ?? "app.name");
   if (value === void 0) {
-    throw new Error(`Missing CNOS value path: ${path6}`);
+    throw new Error(`Missing CNOS value path: ${tail[0] ?? "app.name"}`);
   }
   if (options.json) {
     return printJson({
-      key: `value.${path6}`,
+      key: `value.${tail[0] ?? "app.name"}`,
       value
     });
   }
@@ -1101,6 +1951,21 @@ function resolveHelpTopic(command, args) {
   if (command === "export" && args[0] === "env") {
     return normalizeHelpTopic([command, args[0]]);
   }
+  if (command === "secret" && args[0] && ["set", "create", "add", "list", "delete", "remove"].includes(args[0])) {
+    return normalizeHelpTopic([
+      command,
+      args[0] === "remove" ? "delete" : args[0] === "create" || args[0] === "add" ? "set" : args[0]
+    ]);
+  }
+  if (command === "value" && args[0] && ["set", "create", "add", "list", "delete", "remove"].includes(args[0])) {
+    return normalizeHelpTopic([
+      command,
+      args[0] === "remove" ? "delete" : args[0] === "create" || args[0] === "add" ? "set" : args[0]
+    ]);
+  }
+  if (command === "profile" && args[0] && ["create", "list", "use", "delete", "remove"].includes(args[0])) {
+    return normalizeHelpTopic([command, args[0] === "remove" ? "delete" : args[0]]);
+  }
   return normalizeHelpTopic([command]);
 }
 async function main(argv) {
@@ -1137,6 +2002,10 @@ async function main(argv) {
       return;
     case "help-ai":
       process.stdout.write(`${runHelpAi(resolveHelpTopic(command, args), options.cliArgs)}
+`);
+      return;
+    case "version":
+      process.stdout.write(`${runVersion()}
 `);
       return;
     case "init":
@@ -1152,11 +2021,23 @@ async function main(argv) {
 `);
       return;
     case "value":
-      process.stdout.write(`${await runValue(args[0] ?? "app.name", runtimeOptions)}
+      process.stdout.write(`${await runValue(args.length > 0 ? args : ["app.name"], runtimeOptions)}
 `);
       return;
     case "secret":
-      process.stdout.write(`${await runSecret(args[0] ?? "app.token", runtimeOptions)}
+      process.stdout.write(`${await runSecret(args.length > 0 ? args : ["app.token"], runtimeOptions)}
+`);
+      return;
+    case "use":
+      process.stdout.write(`${await runUse(runtimeOptions)}
+`);
+      return;
+    case "profile":
+      process.stdout.write(`${await runProfile(args, runtimeOptions)}
+`);
+      return;
+    case "list":
+      process.stdout.write(`${await runList(args, runtimeOptions)}
 `);
       return;
     case "define":