@kitsy/cnos-cli 1.2.0 → 1.4.0

package/dist/index.js

@@ -11,6 +11,7 @@ var COMMAND_OPTION_KEYS_WITH_VALUE = /* @__PURE__ */ new Set([
   "--format",
   "--framework",
   "--prefix",
+  "--scan",
   "--target",
   "--to",
   "--provider",
@@ -18,13 +19,42 @@ var COMMAND_OPTION_KEYS_WITH_VALUE = /* @__PURE__ */ new Set([
   "--vault",
   "--inherit",
   "--as",
-  "--set"
+  "--set",
+  "--debounce"
+]);
+var COMMAND_FLAG_KEYS = /* @__PURE__ */ new Set([
+  "--flatten",
+  "--public",
+  "--local",
+  "--remote",
+  "--ref",
+  "--no-passphrase",
+  "--stdin",
+  "--reveal",
+  "--auth",
+  "--all",
+  "--store-keychain",
+  "--watch",
+  "--dry-run",
+  "--apply",
+  "--rewrite",
+  "--signal"
 ]);
-var COMMAND_FLAG_KEYS = /* @__PURE__ */ new Set(["--flatten", "--public", "--local", "--remote", "--ref", "--no-passphrase"]);
 function normalizeCommand(argv) {
   const [command = "doctor", ...rest] = argv;
   const resource = rest[0];
   const remaining = rest.slice(1);
+  const dottedNamespace = resource?.includes(".") ? {
+    namespace: resource.slice(0, resource.indexOf(".")),
+    path: resource.slice(resource.indexOf(".") + 1)
+  } : void 0;
+  const normalizedVerb = command === "remove" || command === "delete" ? "delete" : command === "create" || command === "add" ? "set" : command === "set" || command === "get" ? command : void 0;
+  if ((command === "set" || command === "get") && (resource === "value" || resource === "secret")) {
+    return [resource, command, ...remaining];
+  }
+  if (normalizedVerb && dottedNamespace && dottedNamespace.namespace && dottedNamespace.path) {
+    return [dottedNamespace.namespace, normalizedVerb, dottedNamespace.path, ...remaining];
+  }
   if ((command === "create" || command === "add") && resource === "profile") {
     return ["profile", "create", ...remaining];
   }
@@ -37,6 +67,12 @@ function normalizeCommand(argv) {
   if ((command === "delete" || command === "remove") && resource === "vault") {
     return ["vault", "remove", ...remaining];
   }
+  if (command === "auth" && resource === "vault") {
+    return ["vault", "auth", ...remaining];
+  }
+  if (command === "logout" && resource === "vault") {
+    return ["vault", "logout", ...remaining];
+  }
   if (command === "list" && resource === "profile") {
     return ["profile", "list", ...remaining];
   }
@@ -58,6 +94,9 @@ function normalizeCommand(argv) {
   if ((command === "delete" || command === "remove") && resource === "value") {
     return ["value", "delete", ...remaining];
   }
+  if (normalizedVerb && resource && !["profile", "vault", "secret", "value"].includes(resource)) {
+    return [resource, normalizedVerb, ...remaining];
+  }
   if (command === "list" && resource === "value") {
     return ["value", "list", ...remaining];
   }
@@ -164,6 +203,9 @@ function parseArgs(argv) {
   };
 }
 
+// src/commands/define.ts
+import path3 from "path";
+
 // src/cli/commandOptions.ts
 function consumeFlag(args, flag) {
   const index = args.indexOf(flag);
@@ -191,172 +233,51 @@ function consumeOption(args, flag) {
   return void 0;
 }
 
+// src/format/displayPath.ts
+import path from "path";
+function displayPath(filePath, root = process.cwd()) {
+  const absoluteRoot = path.resolve(root);
+  const absoluteFile = path.resolve(filePath);
+  const relative = path.relative(absoluteRoot, absoluteFile);
+  if (!relative || relative === "") {
+    return ".";
+  }
+  if (relative.startsWith("..") || path.isAbsolute(relative)) {
+    return absoluteFile;
+  }
+  return relative;
+}
+
 // src/format/printJson.ts
 function printJson(value) {
   return JSON.stringify(value, null, 2);
 }
 
 // src/services/writes.ts
-import { mkdir, readFile as readFile2, rm as rm2, writeFile as writeFile2 } from "fs/promises";
+import { mkdir, readFile, writeFile } from "fs/promises";
 import path2 from "path";
 import {
-  getVaultPassphraseEnvVar,
+  getNamespaceDefinition,
+  createSecretVaultProvider,
   parseYaml,
   resolveConfigDocumentPath,
-  stringifyYaml as stringifyYaml2,
-  writeLocalSecret,
-  resolveConfiguredVaultPassphrase as resolveConfiguredVaultPassphrase2,
-  resolveSecretStoreRoot as resolveSecretStoreRoot2
+  resolveVaultAuth,
+  stringifyYaml
 } from "@kitsy/cnos/internal";
 
 // src/services/runtime.ts
-import { createCnos } from "@kitsy/cnos";
+import { createCnos } from "@kitsy/cnos/configure";
 async function createRuntimeService(options = {}) {
-  const createOptions = {
-    ...options.root ? {
-      root: options.root
-    } : {},
-    ...options.workspace ? {
-      workspace: options.workspace
-    } : {},
-    ...options.profile ? {
-      profile: options.profile
-    } : {},
-    ...options.globalRoot ? {
-      globalRoot: options.globalRoot
-    } : {},
-    ...options.cliArgs && options.cliArgs.length > 0 ? {
-      cliArgs: options.cliArgs
-    } : {},
-    ...options.processEnv ? {
-      processEnv: options.processEnv
-    } : {
-      processEnv: process.env
-    }
-  };
   return createCnos({
-    ...createOptions
-  });
-}
-
-// src/services/vaults.ts
-import { readFile, rm, writeFile } from "fs/promises";
-import path from "path";
-import {
-  createSecretVault,
-  loadManifest,
-  listSecretVaults,
-  resolveConfiguredVaultPassphrase,
-  resolveSecretStoreRoot,
-  resolveSecretVaultFile,
-  resolveVaultDefinition,
-  stringifyYaml
-} from "@kitsy/cnos/internal";
-function sortVaults(vaults) {
-  return Object.fromEntries(Object.entries(vaults).sort(([left], [right]) => left.localeCompare(right)));
-}
-async function createVaultDefinition(name, options = {}) {
-  const vault = name.trim() || "default";
-  const provider = options.provider?.trim() || "local";
-  const noPassphrase = options.noPassphrase ?? false;
-  if (provider === "local" && noPassphrase) {
-    throw new Error("Local vaults require a passphrase");
-  }
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
-  const processEnv = options.processEnv ?? process.env;
-  const passphraseEnvVar = "CNOS_SECRET_PASSPHRASE";
-  const rawManifest = {
-    ...loadedManifest.rawManifest,
-    vaults: {
-      ...loadedManifest.rawManifest.vaults ?? {},
-      [vault]: provider === "local" ? {
-        provider: "local",
-        passphrase: `env:${passphraseEnvVar}`
-      } : {
-        provider
-      }
-    }
-  };
-  let storePath;
-  if (provider === "local") {
-    const passphrase = options.passphrase ?? resolveConfiguredVaultPassphrase(
-      {
-        provider: "local",
-        passphrase: `env:${passphraseEnvVar}`
-      },
-      vault,
-      processEnv
-    );
-    if (!passphrase) {
-      throw new Error(`Vault "${vault}" requires --passphrase or ${passphraseEnvVar}`);
-    }
-    storePath = await createSecretVault(resolveSecretStoreRoot(processEnv), vault, passphrase);
-  }
-  await writeFile(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
-  return {
-    ...resolveVaultDefinition(
-      {
-        [vault]: rawManifest.vaults[vault]
-      },
-      vault
-    ),
-    passphrasePolicy: provider === "local" ? "required" : "none",
-    manifestPath: loadedManifest.manifestPath,
-    ...storePath ? { storePath } : {}
-  };
-}
-async function listVaultDefinitions(options = {}) {
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
-  return Object.keys(loadedManifest.manifest.vaults).sort((left, right) => left.localeCompare(right)).map((name) => {
-    const definition = resolveVaultDefinition(loadedManifest.manifest.vaults, name);
-    return {
-      ...definition,
-      passphrasePolicy: definition.requiresPassphrase ? "required" : "none"
-    };
+    ...options.root ? { root: options.root } : {},
+    ...options.workspace ? { workspace: options.workspace } : {},
+    ...options.profile ? { profile: options.profile } : {},
+    ...options.globalRoot ? { globalRoot: options.globalRoot } : {},
+    ...options.cliArgs && options.cliArgs.length > 0 ? { cliArgs: options.cliArgs } : {},
+    ...options.secretResolution ? { secretResolution: options.secretResolution } : {},
+    processEnv: options.processEnv ?? process.env
   });
 }
-async function removeVaultDefinition(name, options = {}) {
-  const vault = name.trim() || "default";
-  const loadedManifest = await loadManifest(options.root ? { root: options.root } : {});
-  if (!loadedManifest.rawManifest.vaults?.[vault]) {
-    return {
-      name: vault,
-      deleted: false,
-      manifestPath: loadedManifest.manifestPath
-    };
-  }
-  const nextVaults = { ...loadedManifest.rawManifest.vaults ?? {} };
-  delete nextVaults[vault];
-  const rawManifest = {
-    ...loadedManifest.rawManifest,
-    ...Object.keys(nextVaults).length > 0 ? { vaults: sortVaults(nextVaults) } : {}
-  };
-  if (Object.keys(nextVaults).length === 0) {
-    delete rawManifest.vaults;
-  }
-  await writeFile(loadedManifest.manifestPath, stringifyYaml(rawManifest), "utf8");
-  const storeRoot = resolveSecretStoreRoot(options.processEnv);
-  const vaultFile = resolveSecretVaultFile(storeRoot, vault);
-  const vaultStoreRoot = path.join(storeRoot, "vaults", vault);
-  let removedStore;
-  try {
-    await readFile(vaultFile, "utf8");
-    await rm(vaultFile, { force: true });
-    await rm(vaultStoreRoot, { recursive: true, force: true });
-    removedStore = vaultStoreRoot;
-  } catch {
-    removedStore = void 0;
-  }
-  return {
-    name: vault,
-    deleted: true,
-    manifestPath: loadedManifest.manifestPath,
-    ...removedStore ? { removedStore } : {}
-  };
-}
-async function listLocalStoreVaults(options = {}) {
-  return listSecretVaults(resolveSecretStoreRoot(options.processEnv));
-}
 
 // src/services/writes.ts
 function setNestedValue(target, pathSegments, value) {
@@ -405,7 +326,7 @@ function isSecretReference(value) {
 }
 async function readYamlDocument(filePath) {
   try {
-    return parseYaml(await readFile2(filePath, "utf8")) ?? {};
+    return parseYaml(await readFile(filePath, "utf8")) ?? {};
   } catch {
     return {};
   }
@@ -433,11 +354,25 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
       filePath: secret.filePath,
       value: {
         provider: secret.provider,
-        ref: secret.ref
+        ref: secret.ref,
+        ...secret.vault ? { vault: secret.vault } : {}
       }
     };
   }
   const runtime = await createRuntimeService(options);
+  if (namespace !== "value" && namespace !== "secret" && !runtime.manifest.namespaces[namespace]) {
+    throw new Error(`Cannot write ${namespace}.${configPath} because namespace "${namespace}" is not declared in .cnos/cnos.yml.`);
+  }
+  const namespaceDefinition = getNamespaceDefinition(runtime.manifest, namespace);
+  if (namespaceDefinition.kind !== "data") {
+    throw new Error(`Cannot write ${namespace}.${configPath} because namespace "${namespace}" is not a data namespace.`);
+  }
+  if (namespaceDefinition.readonly) {
+    throw new Error(`Cannot write ${namespace}.${configPath} because namespace "${namespace}" is readonly.`);
+  }
+  if (namespaceDefinition.sensitive) {
+    throw new Error(`Cannot write ${namespace}.${configPath} with the generic data writer because namespace "${namespace}" is sensitive.`);
+  }
   const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
   const profile = options.profile ?? runtime.graph.profile;
   const filePath = resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile);
@@ -445,7 +380,7 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
   const parsedValue = parseScalarValue(rawValue);
   setNestedValue(document, configPath.split("."), parsedValue);
   await mkdir(path2.dirname(filePath), { recursive: true });
-  await writeFile2(filePath, stringifyYaml2(document), "utf8");
+  await writeFile(filePath, stringifyYaml(document), "utf8");
   return {
     filePath,
     value: parsedValue
@@ -459,53 +394,36 @@ async function setSecret(configPath, rawValue, options = {}) {
   const document = await readYamlDocument(filePath);
   const vault = options.vault?.trim() || "default";
   const vaultDefinition = runtime.manifest.vaults[vault];
-  const inferredProvider = vaultDefinition?.provider ?? options.provider;
-  const mode = options.mode ?? (inferredProvider === "local" ? "local" : inferredProvider === "github-secrets" ? "ref" : "local");
+  if (!vaultDefinition) {
+    throw new Error(`Unknown vault "${vault}". Create it first with cnos vault create ${vault}.`);
+  }
+  const mode = options.mode ?? (vaultDefinition.provider === "local" ? "local" : vaultDefinition.provider === "github-secrets" ? "ref" : "remote");
   let reference;
-  let storePath;
   if (mode === "local") {
-    const provider = inferredProvider ?? "local";
-    if (provider !== "local") {
-      throw new Error(`Vault "${vault}" uses provider "${provider}" and cannot store local secret material`);
-    }
-    const passphrase = resolveConfiguredVaultPassphrase2(
-      vaultDefinition ? { provider: "local", ...vaultDefinition.passphrase ? { passphrase: vaultDefinition.passphrase } : {} } : { provider: "local" },
-      vault,
-      {
-        ...options.processEnv ?? process.env,
-        ...options.passphrase ? {
-          [getVaultPassphraseEnvVar(vault)]: options.passphrase
-        } : {}
-      }
-    ) ?? options.passphrase;
-    if (!passphrase) {
-      throw new Error(`Vault "${vault}" requires --passphrase or its configured passphrase env var`);
-    }
-    const ref = configPath;
-    storePath = await writeLocalSecret(resolveSecretStoreRoot2(options.processEnv), ref, rawValue, passphrase, vault);
+    const auth = await resolveVaultAuth(vault, vaultDefinition, options.processEnv ?? process.env);
+    const provider = createSecretVaultProvider(vault, vaultDefinition, options.processEnv ?? process.env);
+    await provider.authenticate(auth);
+    await provider.set(configPath, rawValue);
     reference = {
       provider: "local",
-      ref,
+      ref: configPath,
       vault
     };
   } else {
     reference = {
-      provider: inferredProvider ?? (mode === "ref" ? "ref" : "remote"),
+      provider: options.provider?.trim() || vaultDefinition.provider,
       ref: rawValue || configPath.replace(/[^A-Za-z0-9]+/g, "_").toUpperCase(),
-      ...vaultDefinition || vault !== "default" ? {
-        vault
-      } : {}
+      vault
     };
   }
   setNestedValue(document, configPath.split("."), reference);
   await mkdir(path2.dirname(filePath), { recursive: true });
-  await writeFile2(filePath, stringifyYaml2(document), "utf8");
+  await writeFile(filePath, stringifyYaml(document), "utf8");
   return {
     filePath,
     provider: reference.provider,
     ref: reference.ref,
-    ...reference.vault ? { vault: reference.vault } : {},
-    ...storePath ? { storePath } : {}
+    ...reference.vault ? { vault: reference.vault } : {}
   };
 }
 async function deleteSecret(configPath, options = {}) {
@@ -522,24 +440,20 @@ async function deleteSecret(configPath, options = {}) {
       deleted: false
     };
   }
-  await writeFile2(filePath, stringifyYaml2(document), "utf8");
-  let removedStore;
+  await writeFile(filePath, stringifyYaml(document), "utf8");
   const secretRef = metadata?.secretRef;
   if (isSecretReference(secretRef) && secretRef.provider === "local") {
-    const storePath = path2.join(
-      resolveSecretStoreRoot2(options.processEnv),
-      "vaults",
-      secretRef.vault ?? "default",
-      "store",
-      ...secretRef.ref.split("/")
-    ).concat(".json");
-    await rm2(storePath, { force: true });
-    removedStore = storePath;
+    const definition = runtime.manifest.vaults[secretRef.vault ?? "default"];
+    if (definition) {
+      const auth = await resolveVaultAuth(secretRef.vault ?? "default", definition, options.processEnv ?? process.env);
+      const provider = createSecretVaultProvider(secretRef.vault ?? "default", definition, options.processEnv ?? process.env);
+      await provider.authenticate(auth);
+      await provider.delete(secretRef.ref);
+    }
   }
   return {
     filePath,
-    deleted: true,
-    ...removedStore ? { removedStore } : {}
+    deleted: true
   };
 }
 async function deleteValue(namespace, configPath, options = {}) {
@@ -547,6 +461,19 @@ async function deleteValue(namespace, configPath, options = {}) {
     return deleteSecret(configPath, options);
   }
   const runtime = await createRuntimeService(options);
+  if (namespace !== "value" && namespace !== "secret" && !runtime.manifest.namespaces[namespace]) {
+    throw new Error(`Cannot delete ${namespace}.${configPath} because namespace "${namespace}" is not declared in .cnos/cnos.yml.`);
+  }
+  const namespaceDefinition = getNamespaceDefinition(runtime.manifest, namespace);
+  if (namespaceDefinition.kind !== "data") {
+    throw new Error(`Cannot delete ${namespace}.${configPath} because namespace "${namespace}" is not a data namespace.`);
+  }
+  if (namespaceDefinition.readonly) {
+    throw new Error(`Cannot delete ${namespace}.${configPath} because namespace "${namespace}" is readonly.`);
+  }
+  if (namespaceDefinition.sensitive) {
+    throw new Error(`Cannot delete ${namespace}.${configPath} with the generic data writer because namespace "${namespace}" is sensitive.`);
+  }
   const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
   const profile = options.profile ?? runtime.graph.profile;
   const filePath = resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile);
@@ -558,7 +485,7 @@ async function deleteValue(namespace, configPath, options = {}) {
       deleted: false
     };
   }
-  await writeFile2(filePath, stringifyYaml2(document), "utf8");
+  await writeFile(filePath, stringifyYaml(document), "utf8");
   return {
     filePath,
     deleted: true
@@ -568,6 +495,7 @@ async function deleteValue(namespace, configPath, options = {}) {
 // src/commands/define.ts
 async function runDefine(namespace, configPath, rawValue, options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path3.resolve(options.root ?? process.cwd());
   const target = consumeOption(cliArgs, "--target") ?? "local";
   const local = consumeFlag(cliArgs, "--local");
   const remote = consumeFlag(cliArgs, "--remote");
@@ -593,7 +521,18 @@ async function runDefine(namespace, configPath, rawValue, options = {}) {
       value: result.value
     });
   }
-  return `defined ${namespace}.${configPath} in ${result.filePath}`;
+  return `defined ${namespace}.${configPath} in ${displayPath(result.filePath, root)}`;
+}
+
+// src/commands/drift.ts
+import { compareSchemaToGraph, formatDriftReport } from "@kitsy/cnos/internal";
+async function runDrift(options = {}) {
+  const runtime = await createRuntimeService(options);
+  const report = compareSchemaToGraph(runtime);
+  if (options.json) {
+    return printJson(report);
+  }
+  return formatDriftReport(report);
 }
 
 // src/commands/diff.ts
@@ -634,8 +573,15 @@ async function runDiff(leftProfile, rightProfile, options = {}) {
 }
 
 // src/services/doctor.ts
-import { readFile as readFile3 } from "fs/promises";
-import path3 from "path";
+import { readdir, readFile as readFile2 } from "fs/promises";
+import path4 from "path";
+import {
+  detectLegacyVaultFormat,
+  isSecretReference as isSecretReference2,
+  parseYaml as parseYaml2,
+  readKeychain,
+  resolveSecretStoreRoot
+} from "@kitsy/cnos/internal";
 
 // src/services/validation.ts
 import { validateRuntime } from "@kitsy/cnos/internal";
@@ -650,7 +596,7 @@ async function createValidationSummary(options = {}) {
 
 // src/services/doctor.ts
 async function checkGitignore(root) {
-  const gitignorePath = path3.join(root, ".gitignore");
+  const gitignorePath = path4.join(root, ".gitignore");
   const expected = [
     ".cnos/env/.env",
     ".cnos/env/.env.*",
@@ -662,7 +608,7 @@ async function checkGitignore(root) {
     "!.cnos/workspaces/*/env/.env.*.example"
   ];
   try {
-    const content = await readFile3(gitignorePath, "utf8");
+    const content = await readFile2(gitignorePath, "utf8");
     const missing = expected.filter((entry) => !content.includes(entry));
     return {
       name: "gitignore",
@@ -680,11 +626,76 @@ async function checkGitignore(root) {
 function issueSummary(issues) {
   return issues.length === 0 ? "no issues" : issues.map((issue) => issue.message).join("; ");
 }
+async function collectYamlFiles(root) {
+  try {
+    const entries = await readdir(root, { withFileTypes: true });
+    const results = [];
+    for (const entry of entries) {
+      const target = path4.join(root, entry.name);
+      if (entry.isDirectory()) {
+        results.push(...await collectYamlFiles(target));
+        continue;
+      }
+      if (entry.isFile() && [".yml", ".yaml"].includes(path4.extname(entry.name).toLowerCase())) {
+        results.push(target);
+      }
+    }
+    return results;
+  } catch {
+    return [];
+  }
+}
+function hasPlaintextSecret(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return typeof value === "string" || typeof value === "number" || typeof value === "boolean";
+  }
+  if (isSecretReference2(value)) {
+    return false;
+  }
+  return Object.values(value).some((entry) => hasPlaintextSecret(entry));
+}
+async function checkSecretSecurity(options, runtime) {
+  const storeRoot = resolveSecretStoreRoot(options.processEnv);
+  const legacyPaths = await Promise.all(
+    Object.entries(runtime.manifest.vaults).filter(([, definition]) => definition.provider === "local").map(async ([vault]) => ({ vault, path: await detectLegacyVaultFormat(storeRoot, vault) }))
+  );
+  const legacyDetected = legacyPaths.filter((entry) => Boolean(entry.path));
+  const secretFiles = await Promise.all(
+    runtime.graph.workspace.workspaceRoots.filter((root) => root.scope === "local").map((root) => collectYamlFiles(path4.join(root.path, "secrets")))
+  );
+  const plaintextFiles = [];
+  for (const file of secretFiles.flat()) {
+    try {
+      const parsed = parseYaml2(await readFile2(file, "utf8"));
+      if (hasPlaintextSecret(parsed)) {
+        plaintextFiles.push(file);
+      }
+    } catch {
+      plaintextFiles.push(file);
+    }
+  }
+  const keychainWarnings = await Promise.all(
+    Object.entries(runtime.manifest.vaults).filter(([, definition]) => definition.provider === "local").flatMap(
+      ([vault, definition]) => (definition.auth?.passphrase?.from ?? []).filter((source) => source.startsWith("keychain:")).map(async (source) => ({ vault, source, value: await readKeychain(source.slice("keychain:".length)) }))
+    )
+  );
+  const warnings = [
+    ...legacyDetected.map((entry) => `legacy vault ${entry.vault}: ${entry.path}`),
+    ...plaintextFiles.map((file) => `plaintext secret file: ${file}`),
+    ...keychainWarnings.filter((entry) => !entry.value).map((entry) => `no keychain entry for vault ${entry.vault} (${entry.source})`)
+  ];
+  return {
+    name: "security",
+    ok: warnings.length === 0,
+    details: warnings.length === 0 ? "no legacy vaults, plaintext secret files, or missing keychain entries" : warnings.join("; ")
+  };
+}
 async function evaluateDoctor(options = {}) {
-  const root = path3.resolve(options.root ?? process.cwd());
+  const root = path4.resolve(options.root ?? process.cwd());
   const { runtime, summary } = await createValidationSummary(options);
   const localRoot = runtime.graph.workspace.workspaceRoots.find((entry) => entry.scope === "local");
   const globalRoot = runtime.graph.workspace.workspaceRoots.find((entry) => entry.scope === "global");
+  const declaredCustomNamespaces = Object.entries(runtime.manifest.namespaces).filter(([namespace]) => !["value", "secret", "meta", "process", "public", "env"].includes(namespace)).map(([namespace, definition]) => `${namespace}(${definition.kind}${definition.shareable ? ",shareable" : ""}${definition.readonly ? ",readonly" : ""})`).sort((left, right) => left.localeCompare(right));
   return [
     {
       name: "manifest",
@@ -696,6 +707,11 @@ async function evaluateDoctor(options = {}) {
       ok: true,
       details: `${runtime.graph.workspace.workspaceId} via ${runtime.graph.workspace.workspaceSource}`
     },
+    {
+      name: "namespaces",
+      ok: true,
+      details: declaredCustomNamespaces.length === 0 ? "built-ins: value, secret, meta, process, public, env" : `built-ins: value, secret, meta, process, public, env | custom: ${declaredCustomNamespaces.join(", ")}`
+    },
     {
       name: "source-roots",
       ok: Boolean(localRoot),
@@ -711,6 +727,7 @@ async function evaluateDoctor(options = {}) {
       ok: !runtime.manifest.workspaces.global.enabled || Boolean(runtime.graph.workspace.globalRoot),
       details: runtime.manifest.workspaces.global.enabled ? runtime.graph.workspace.globalRoot ? `enabled at ${runtime.graph.workspace.globalRoot}` : "enabled but no global root resolved" : "disabled"
     },
+    await checkSecretSecurity(options, runtime),
     await checkGitignore(root)
   ];
 }
@@ -729,7 +746,7 @@ async function runDoctor(options = {}) {
 }
 
 // src/commands/dump.ts
-import { writeDump } from "@kitsy/cnos";
+import { writeDump } from "@kitsy/cnos/configure";
 async function runDump(options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
   const flatten = consumeFlag(cliArgs, "--flatten");
@@ -751,9 +768,51 @@ async function runDump(options = {}) {
   return `dumped ${result.files.length} files to ${result.root}`;
 }
 
+// src/commands/codegen.ts
+import { watchSchema, writeCodegenOutput } from "@kitsy/cnos/internal";
+async function runCodegen(options = {}) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const out = consumeOption(cliArgs, "--out");
+  const watch2 = consumeFlag(cliArgs, "--watch");
+  if (cliArgs.length > 0) {
+    throw new Error(`Unknown codegen options: ${cliArgs.join(" ")}`);
+  }
+  if (watch2) {
+    const watcher = await watchSchema({
+      ...options.root ? {
+        root: options.root
+      } : {},
+      ...out ? {
+        out
+      } : {},
+      onError(error) {
+        const message = error instanceof Error ? error.message : String(error);
+        process.stderr.write(`${message}
+`);
+      }
+    });
+    const closeWatcher = () => {
+      watcher.close();
+    };
+    process.once("SIGINT", closeWatcher);
+    process.once("SIGTERM", closeWatcher);
+    return `watching schema changes -> ${out ?? ".cnos/types/cnos.d.ts"}`;
+  }
+  const result = await writeCodegenOutput({
+    ...options.root ? {
+      root: options.root
+    } : {},
+    ...out ? {
+      out
+    } : {}
+  });
+  const summary = result.hasSchema ? `generated types from ${result.schemaEntryCount} schema entr${result.schemaEntryCount === 1 ? "y" : "ies"}` : "generated empty types (no schema section found)";
+  return `${summary} -> ${result.typesPath} and ${result.runtimePath}`;
+}
+
 // src/commands/exportEnv.ts
-import { mkdir as mkdir2, writeFile as writeFile3 } from "fs/promises";
-import path4 from "path";
+import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import path5 from "path";
 function formatEnvOutput(env) {
   return Object.entries(env).sort(([left], [right]) => left.localeCompare(right)).map(([key, value]) => `${key}=${value}`).join("\n");
 }
@@ -773,9 +832,9 @@ async function runExportEnv(options = {}) {
   }) : runtime.toEnv();
   const output = formatEnvOutput(env);
   if (to) {
-    const targetPath = path4.resolve(options.root ?? process.cwd(), to);
-    await mkdir2(path4.dirname(targetPath), { recursive: true });
-    await writeFile3(targetPath, output, "utf8");
+    const targetPath = path5.resolve(options.root ?? process.cwd(), to);
+    await mkdir2(path5.dirname(targetPath), { recursive: true });
+    await writeFile2(targetPath, output, "utf8");
     if (options.json) {
       return printJson({
         to: targetPath,
@@ -852,6 +911,23 @@ var COMMANDS = [
     ],
     examples: ["cnos onboard", "cnos onboard --workspace webapp", "cnos onboard --root ../my-app --workspace app --move"]
   },
+  {
+    id: "codegen",
+    summary: "Generate typed CNOS access wrappers from schema.",
+    usage: "cnos codegen [--out <path>] [--watch] [--root <path>]",
+    description: "Reads schema from .cnos/cnos.yml and generates typed CNOS declaration output plus a typed createCnos wrapper.",
+    options: [
+      {
+        flag: "--out <path>",
+        description: "Custom path for the generated type declaration file. runtime.ts is emitted beside it."
+      },
+      {
+        flag: "--watch",
+        description: "Watch the manifest schema and regenerate output when it changes."
+      }
+    ],
+    examples: ["cnos codegen", "cnos codegen --out src/cnos-config.d.ts", "cnos codegen --watch"]
+  },
   {
     id: "read",
     summary: "Read any fully-qualified CNOS key.",
@@ -943,18 +1019,19 @@ var COMMANDS = [
         flag: "--provider <name>",
         description: "Provider name for --remote or --ref secret writes."
       },
-      {
-        flag: "--passphrase <value>",
-        description: "Passphrase used to encrypt local secret material when --local is selected."
-      },
       {
         flag: "--vault <name>",
         description: "Use a manifest-defined vault. Provider behavior is inferred from the vault definition."
+      },
+      {
+        flag: "--reveal",
+        description: "Reveal the resolved secret value for get-style reads. Output is masked by default."
       }
     ],
     examples: [
       "cnos secret app.token",
-      "cnos vault create local-dev --passphrase dev-pass",
+      "cnos vault create local-dev",
+      "cnos vault auth local-dev",
       "cnos secret set app.token super-secret --vault local-dev",
       "cnos vault create github-ci --provider github-secrets --no-passphrase",
       "cnos secret set app.token APP_TOKEN --vault github-ci"
@@ -970,17 +1047,14 @@ var COMMANDS = [
         flag: "--provider <local|github-secrets>",
         description: "Vault provider. Defaults to local."
       },
-      {
-        flag: "--passphrase <value>",
-        description: "Required for local vault creation unless already available in the configured passphrase env var."
-      },
       {
         flag: "--no-passphrase",
         description: "Allowed for passwordless providers such as github-secrets."
       }
     ],
     examples: [
-      "cnos vault create local-dev --passphrase dev-pass",
+      "cnos vault create local-dev",
+      "cnos vault auth local-dev",
       "cnos vault create github-ci --provider github-secrets --no-passphrase",
       "cnos vault list",
       "cnos vault remove local-dev"
@@ -989,13 +1063,33 @@ var COMMANDS = [
   {
     id: "vault create",
     summary: "Create a manifest-defined vault.",
-    usage: "cnos vault create <name> [--provider <local|github-secrets>] [--passphrase <value>] [--no-passphrase] [global-options]",
-    description: "Creates a vault definition in .cnos/cnos.yml and, for local vaults, initializes the encrypted store under ~/.cnos/secrets.",
+    usage: "cnos vault create <name> [--provider <local|github-secrets>] [--no-passphrase] [global-options]",
+    description: "Creates a vault definition in .cnos/cnos.yml and, for local vaults, initializes the encrypted store under ~/.cnos/secrets. CNOS prompts for a passphrase when one is not already available from env or keychain.",
     examples: [
-      "cnos vault create local-dev --passphrase dev-pass",
+      "cnos vault create local-dev",
       "cnos vault create github-ci --provider github-secrets --no-passphrase"
     ]
   },
+  {
+    id: "vault auth",
+    summary: "Authenticate a vault for the current shell session.",
+    usage: "cnos vault auth <name> [--store-keychain] [global-options]",
+    description: "Authenticates an existing local vault using env, keychain, or prompt-based auth and stores a derived session key for later CNOS commands in the same shell. Wrong passphrases fail authentication.",
+    examples: ["cnos vault auth local-dev", "cnos vault auth local-dev --store-keychain"]
+  },
+  {
+    id: "vault logout",
+    summary: "Clear vault auth state for the current shell session.",
+    usage: "cnos vault logout <name> [global-options]",
+    description: "Removes active vault session auth for the selected vault or all vaults when used with --all.",
+    options: [
+      {
+        flag: "--all",
+        description: "Clear all active vault auth sessions for the current shell context."
+      }
+    ],
+    examples: ["cnos vault logout local-dev", "cnos vault logout --all"]
+  },
   {
     id: "vault list",
     summary: "List manifest-defined vaults.",
@@ -1053,11 +1147,11 @@ var COMMANDS = [
   {
     id: "list",
     summary: "List resolved config entries.",
-    usage: "cnos list [value|secret|meta|env|public|all] [--prefix <path>] [--framework <name>] [global-options]",
-    description: "Lists stored config or derived projections across one namespace or the full effective graph, with optional prefix filtering.",
+    usage: "cnos list [<namespace>|all] [--prefix <path>] [--framework <name>] [global-options]",
+    description: "Lists stored config or derived projections across one namespace or the full effective graph, with optional prefix filtering. Custom data namespaces such as flags are supported, and process exposes server-only ambient runtime state.",
     options: [
       {
-        flag: "--namespace <value|secret|meta|env|public|all>",
+        flag: "--namespace <name>",
         description: "Explicit namespace selector when not using a positional namespace argument."
       },
       {
@@ -1069,7 +1163,7 @@ var COMMANDS = [
         description: "When listing public output, apply framework-specific prefixes such as vite or next."
       }
     ],
-    examples: ["cnos list", "cnos list value --prefix app.", "cnos list env", "cnos list public --framework vite"]
+    examples: ["cnos list", "cnos list value --prefix app.", "cnos list flags", "cnos list process --prefix env.PATH", "cnos list env", "cnos list public --framework vite"]
   },
   {
     id: "profile",
@@ -1079,11 +1173,16 @@ var COMMANDS = [
     options: [
       {
         flag: "--inherit <name>",
-        description: "Parent profile to extend when creating a profile."
+        description: "Parent profile to extend when creating a profile. Base inheritance is implicit by default."
+      },
+      {
+        flag: "--no-inherit",
+        description: "Create a clean profile that does not inherit base fallback layers."
       }
     ],
     examples: [
-      "cnos profile create stage --inherit base",
+      "cnos profile create stage",
+      "cnos profile create isolated --no-inherit",
       "cnos profile list",
       "cnos profile use stage"
     ]
@@ -1091,9 +1190,9 @@ var COMMANDS = [
   {
     id: "profile create",
     summary: "Create a profile definition.",
-    usage: "cnos profile create <name> [--inherit <name>] [--root <path>] [--json]",
-    description: "Creates .cnos/profiles/<name>.yml for an explicit profile overlay.",
-    examples: ["cnos profile create stage --inherit base"]
+    usage: "cnos profile create <name> [--inherit <name> | --no-inherit] [--root <path>] [--json]",
+    description: "Creates .cnos/profiles/<name>.yml for an explicit profile overlay. New profiles inherit base by default unless --no-inherit is set.",
+    examples: ["cnos profile create stage", "cnos profile create isolated --no-inherit"]
   },
   {
     id: "profile list",
@@ -1120,7 +1219,7 @@ var COMMANDS = [
     id: "promote",
     summary: "Promote shareable config into public or env projection surfaces.",
     usage: "cnos promote <key...> --to <public|env> [--as <ENV_VAR>] [global-options]",
-    description: "Adds keys to public.promote or envMapping.explicit in .cnos/cnos.yml. Sensitive or non-shareable namespaces are rejected.",
+    description: "Adds keys to public.promote or envMapping.explicit in .cnos/cnos.yml. Sensitive or non-shareable namespaces are rejected, but declared shareable data namespaces such as flags are allowed.",
     options: [
       {
         flag: "--to <public|env>",
@@ -1133,16 +1232,18 @@ var COMMANDS = [
     ],
     examples: [
       "cnos promote value.flag.auth.upi_enabled --to public",
+      "cnos promote flags.upi_enabled --to public",
       "cnos promote value.server.port --to env --as PORT"
     ]
   },
   {
     id: "secret set",
     summary: "Write a secret securely.",
-    usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--vault <name>] [--provider <name>] [--passphrase <value>] [global-options]",
+    usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--vault <name>] [--provider <name>] [global-options]",
     description: "Writes a secret reference into the repo. When a local vault is selected, CNOS stores encrypted secret material outside the repo under ~/.cnos/secrets/vaults/<vault>; when a github-secrets vault is selected, CNOS writes a CI env-backed ref.",
     examples: [
-      "cnos vault create db --passphrase dev-pass",
+      "cnos vault create db",
+      "cnos vault auth db",
       "cnos secret set app.token super-secret --vault db",
       "cnos vault create github-ci --provider github-secrets --no-passphrase",
       "cnos secret set app.token APP_TOKEN --vault github-ci"
@@ -1151,9 +1252,9 @@ var COMMANDS = [
   {
     id: "secret create vault",
     summary: "Create a local secret vault.",
-    usage: "cnos secret create vault <name> --passphrase <value> [global-options]",
+    usage: "cnos secret create vault <name> [global-options]",
     description: "Alias for cnos vault create <name>.",
-    examples: ["cnos secret create vault db --passphrase dev-pass"]
+    examples: ["cnos secret create vault db"]
   },
   {
     id: "secret list",
@@ -1310,6 +1411,60 @@ var COMMANDS = [
     description: "Checks manifest/workspace setup, gitignore coverage, and related diagnostics for the selected workspace.",
     examples: ["cnos doctor", "cnos doctor --workspace api --json"]
   },
+  {
+    id: "drift",
+    summary: "Compare resolved config against schema and report drift.",
+    usage: "cnos drift [--workspace <id>] [--profile <name>] [--json]",
+    description: "Reports missing required keys, undeclared keys, type mismatches, and defaults applied for the selected workspace/profile.",
+    examples: ["cnos drift", "cnos drift --workspace api --profile stage", "cnos drift --json"]
+  },
+  {
+    id: "watch",
+    summary: "Watch CNOS inputs and either restart a process or emit changed keys.",
+    usage: "cnos watch [--signal] [--debounce <ms>] [global-options] -- <command...>",
+    description: "Watches the active manifest, workspace roots, env files, and config documents. In restart mode it respawns the child command after changes; in signal mode it prints changed keys as JSON.",
+    options: [
+      {
+        flag: "--signal",
+        description: "Emit changed keys as JSON instead of restarting a child process."
+      },
+      {
+        flag: "--debounce <ms>",
+        description: "Debounce change handling before re-resolving the graph. Defaults to 300ms."
+      }
+    ],
+    examples: ["cnos watch -- node server.js", "cnos watch --signal", "cnos watch --debounce 100 -- node server.js"]
+  },
+  {
+    id: "migrate",
+    summary: "Scan env usage and propose CNOS manifest mappings.",
+    usage: "cnos migrate [--scan <path>] [--dry-run] [--apply] [--rewrite] [global-options]",
+    description: "Scans JS/TS source for process.env and import.meta.env usage, proposes logical CNOS mappings, updates envMapping/public promote entries, and can rewrite supported source files with backups.",
+    options: [
+      {
+        flag: "--scan <path>",
+        description: "Directory to scan. Defaults to ./src relative to the repo root."
+      },
+      {
+        flag: "--dry-run",
+        description: "Preview the proposed mappings without changing the manifest."
+      },
+      {
+        flag: "--apply",
+        description: "Write proposed env mappings and public promotions into .cnos/cnos.yml."
+      },
+      {
+        flag: "--rewrite",
+        description: "With --apply, rewrite supported process.env usages in source files and create .bak backups."
+      }
+    ],
+    examples: [
+      "cnos migrate",
+      "cnos migrate --scan src --dry-run",
+      "cnos migrate --scan apps/api/src --apply",
+      "cnos migrate --apply --rewrite"
+    ]
+  },
   {
     id: "help",
     summary: "Show human-readable CLI help.",
@@ -1500,11 +1655,11 @@ function runHelpAi(topic, cliArgs = []) {
 }
 
 // src/commands/init.ts
-import path6 from "path";
+import path7 from "path";
 
 // src/services/scaffold.ts
-import { mkdir as mkdir3, readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
-import path5 from "path";
+import { mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
+import path6 from "path";
 function scaffoldManifest(projectName, workspace) {
   const lines = [
     "version: 1",
@@ -1535,15 +1690,15 @@ function scaffoldManifest(projectName, workspace) {
 }
 async function ensureFile(filePath, content) {
   try {
-    await readFile4(filePath, "utf8");
+    await readFile3(filePath, "utf8");
     return false;
   } catch {
-    await writeFile4(filePath, content, "utf8");
+    await writeFile3(filePath, content, "utf8");
     return true;
   }
 }
 async function ensureGitignore(root) {
-  const gitignorePath = path5.join(root, ".gitignore");
+  const gitignorePath = path6.join(root, ".gitignore");
   const requiredEntries = [
     ".cnos/env/.env",
     ".cnos/env/.env.*",
@@ -1556,7 +1711,7 @@ async function ensureGitignore(root) {
   ];
   let current = "";
   try {
-    current = await readFile4(gitignorePath, "utf8");
+    current = await readFile3(gitignorePath, "utf8");
   } catch {
     current = "";
   }
@@ -1566,18 +1721,18 @@ async function ensureGitignore(root) {
   }
   const prefix = current.trim().length > 0 ? `${current.trimEnd()}
 ` : "";
-  await writeFile4(gitignorePath, `${prefix}${missingEntries.join("\n")}
+  await writeFile3(gitignorePath, `${prefix}${missingEntries.join("\n")}
 `, "utf8");
   return true;
 }
 async function scaffoldWorkspace(root, workspace) {
-  const cnosRoot = path5.join(root, ".cnos");
-  const workspaceRoot = workspace ? path5.join(cnosRoot, "workspaces", workspace) : cnosRoot;
+  const cnosRoot = path6.join(root, ".cnos");
+  const workspaceRoot = workspace ? path6.join(cnosRoot, "workspaces", workspace) : cnosRoot;
   const createdPaths = [];
-  await mkdir3(path5.join(workspaceRoot, "profiles"), { recursive: true });
-  await mkdir3(path5.join(workspaceRoot, "values"), { recursive: true });
-  await mkdir3(path5.join(workspaceRoot, "secrets"), { recursive: true });
-  await mkdir3(path5.join(workspaceRoot, "env"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "profiles"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "values"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "secrets"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "env"), { recursive: true });
   const relativePaths = workspace ? [
     ["workspaces", workspace, "profiles", ".gitkeep"],
     ["workspaces", workspace, "values", ".gitkeep"],
@@ -1590,15 +1745,15 @@ async function scaffoldWorkspace(root, workspace) {
     ["env", ".gitkeep"]
   ];
   for (const relativePath of relativePaths) {
-    const filePath = path5.join(cnosRoot, ...relativePath);
+    const filePath = path6.join(cnosRoot, ...relativePath);
     if (await ensureFile(filePath, "")) {
-      createdPaths.push(path5.relative(root, filePath).replace(/\\/g, "/"));
+      createdPaths.push(path6.relative(root, filePath).replace(/\\/g, "/"));
     }
   }
-  if (await ensureFile(path5.join(cnosRoot, "cnos.yml"), scaffoldManifest(path5.basename(root), workspace))) {
+  if (await ensureFile(path6.join(cnosRoot, "cnos.yml"), scaffoldManifest(path6.basename(root), workspace))) {
     createdPaths.push(".cnos/cnos.yml");
   }
-  if (workspace && await ensureFile(path5.join(root, ".cnos-workspace.yml"), `workspace: ${workspace}
+  if (workspace && await ensureFile(path6.join(root, ".cnos-workspace.yml"), `workspace: ${workspace}
 globalRoot: ~/.cnos
 `)) {
     createdPaths.push(".cnos-workspace.yml");
@@ -1615,7 +1770,7 @@ globalRoot: ~/.cnos
 
 // src/commands/init.ts
 async function runInit(options = {}) {
-  const root = path6.resolve(options.root ?? process.cwd());
+  const root = path7.resolve(options.root ?? process.cwd());
   const result = await scaffoldWorkspace(root, options.workspace);
   if (options.json) {
     return printJson(result);
@@ -1626,6 +1781,12 @@ async function runInit(options = {}) {
   return `initialized CNOS project at ${root}`;
 }
 
+// src/format/maskSecret.ts
+var MASKED_SECRET_VALUE = "****";
+function maskSecretValue(value) {
+  return value === void 0 ? "" : MASKED_SECRET_VALUE;
+}
+
 // src/format/printInspect.ts
 function printInspect(record) {
   const lines = [
@@ -1650,12 +1811,22 @@ function printInspect(record) {
 
 // src/commands/inspect.ts
 async function runInspect(key, options = {}) {
+  const reveal = options.cliArgs?.includes("--reveal") ?? false;
   const runtime = await createRuntimeService(options);
   const inspectResult = runtime.inspect(key);
+  const value = key.startsWith("secret.") && !reveal ? maskSecretValue(inspectResult.value) : inspectResult.value;
+  const printable = {
+    ...inspectResult,
+    value,
+    overridden: inspectResult.overridden.map((entry) => ({
+      ...entry,
+      value: key.startsWith("secret.") && !reveal ? maskSecretValue(entry.value) : entry.value
+    }))
+  };
   if (options.json) {
-    return printJson(inspectResult);
+    return printJson(printable);
   }
-  return printInspect(inspectResult);
+  return printInspect(printable);
 }
 
 // src/format/printValue.ts
@@ -1691,7 +1862,7 @@ function matchesPrefix(key, prefix) {
   return key.startsWith(prefix) || key.split(".").slice(1).join(".").startsWith(prefix);
 }
 function toStoredEntry(namespace, entry, filter = {}) {
-  const sourceId = namespace === "value" ? "filesystem-values" : "filesystem-secrets";
+  const sourceId = namespace === "secret" ? "filesystem-secrets" : "filesystem-values";
   const candidates = [entry.winner, ...entry.overridden].filter((candidate) => candidate.sourceId === sourceId);
   if (candidates.length === 0) {
     return void 0;
@@ -1712,16 +1883,16 @@ function listStoredNamespace(namespace, options) {
 }
 function listProjectedNamespace(namespace, options) {
   return createRuntimeService(options).then((runtime) => {
-    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? runtime.toEnv() : runtime.toPublicEnv({
+    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? runtime.toEnv() : namespace === "public" ? runtime.toPublicEnv({
       ...options.framework ? {
         framework: options.framework
       } : {}
-    });
+    }) : flattenObject2(runtime.toNamespace(namespace));
     const entries = namespace === "env" ? Object.entries(projected).map(([envVar, value]) => ({
       key: envVar,
       value
     })) : Object.entries(projected).map(([key, value]) => ({
-      key: namespace === "meta" ? `meta.${key}` : key,
+      key: namespace === "meta" || namespace === "process" ? `${namespace}.${key}` : key,
       value
     }));
     return entries.filter((entry) => entry.value !== void 0).filter((entry) => matchesPrefix(entry.key, options.prefix)).sort((left, right) => left.key.localeCompare(right.key));
@@ -1731,15 +1902,21 @@ async function listConfigEntries(namespace, options = {}) {
   if (namespace === "value" || namespace === "secret") {
     return listStoredNamespace(namespace, options);
   }
-  if (namespace === "meta" || namespace === "env" || namespace === "public") {
+  if (namespace === "meta" || namespace === "env" || namespace === "public" || namespace === "process") {
     return listProjectedNamespace(namespace, options);
   }
-  const [values, secrets, meta] = await Promise.all([
-    listStoredNamespace("value", options),
-    listStoredNamespace("secret", options),
-    listProjectedNamespace("meta", options)
-  ]);
-  return [...values, ...secrets, ...meta].sort((left, right) => left.key.localeCompare(right.key));
+  if (namespace !== "all") {
+    return listStoredNamespace(namespace, options);
+  }
+  const runtime = await createRuntimeService(options);
+  const namespaces = Array.from(
+    new Set(
+      Array.from(runtime.graph.entries.values()).map((entry) => entry.namespace).filter((entry) => entry !== "meta" && entry !== "env" && entry !== "public")
+    )
+  ).sort((left, right) => left.localeCompare(right));
+  const stored = await Promise.all(namespaces.map((entry) => listStoredNamespace(entry, options)));
+  const meta = await listProjectedNamespace("meta", options);
+  return [...stored.flat(), ...meta].sort((left, right) => left.key.localeCompare(right.key));
 }
 
 // src/commands/list.ts
@@ -1756,13 +1933,16 @@ function normalizeNamespace(value) {
   if (value === "meta") {
     return "meta";
   }
+  if (value === "process") {
+    return "process";
+  }
   if (value === "env") {
     return "env";
   }
   if (value === "public") {
     return "public";
   }
-  throw new Error(`Unsupported list namespace: ${value}`);
+  return value;
 }
 async function runList(args = [], options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
@@ -1784,35 +1964,200 @@ async function runList(args = [], options = {}) {
   return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
 }
 
-// src/commands/onboard.ts
-import { copyFile, readdir, rm as rm3 } from "fs/promises";
-import path7 from "path";
+// src/commands/migrate.ts
+import path8 from "path";
+import {
+  applyManifestMappings,
+  loadManifest,
+  proposeMapping,
+  rewriteSourceFiles,
+  scanEnvUsage
+} from "@kitsy/cnos/internal";
+async function runMigrate(options = {}) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const scan = consumeOption(cliArgs, "--scan");
+  const apply = consumeFlag(cliArgs, "--apply");
+  const dryRun = consumeFlag(cliArgs, "--dry-run") || !apply;
+  const rewrite = consumeFlag(cliArgs, "--rewrite");
+  if (cliArgs.length > 0) {
+    throw new Error(`Unknown migrate options: ${cliArgs.join(" ")}`);
+  }
+  const manifest = await loadManifest(options.root ? { root: options.root } : {});
+  const scanRoot = path8.resolve(manifest.repoRoot, scan ?? "src");
+  const usages = await scanEnvUsage(scanRoot);
+  const uniqueProposals = new Map(usages.map((usage) => [usage.envVar, proposeMapping(usage.envVar)]));
+  const proposals = Array.from(uniqueProposals.values()).sort((left, right) => left.envVar.localeCompare(right.envVar));
+  let manifestResult;
+  let rewriteResult;
+  if (apply) {
+    manifestResult = await applyManifestMappings(proposals, options.root);
+    if (rewrite) {
+      rewriteResult = await rewriteSourceFiles(usages.filter((usage) => usage.kind === "process-env"), uniqueProposals);
+    }
+  }
+  if (options.json) {
+    return printJson({
+      scanRoot,
+      dryRun,
+      apply,
+      rewrite,
+      usages,
+      proposals,
+      ...manifestResult ? { manifest: manifestResult } : {},
+      ...rewriteResult ? { rewriteResult } : {}
+    });
+  }
+  const lines = [
+    `Scanned ${usages.length} env usage${usages.length === 1 ? "" : "s"} in ${scanRoot}`,
+    "",
+    "Proposed mappings:",
+    ...proposals.map(
+      (proposal) => `  ${proposal.envVar} -> ${proposal.logicalKey}${proposal.public ? " (promote to public)" : ""}`
+    )
+  ];
+  if (proposals.length === 0) {
+    lines.push("  none");
+  }
+  if (dryRun) {
+    lines.push("", "Dry run only. Re-run with --apply to update the manifest.");
+  }
+  if (manifestResult) {
+    lines.push(
+      "",
+      `Updated ${manifestResult.manifestPath} with ${manifestResult.appliedMappings} env mapping${manifestResult.appliedMappings === 1 ? "" : "s"} and ${manifestResult.appliedPromotions} public promotion${manifestResult.appliedPromotions === 1 ? "" : "s"}.`
+    );
+  }
+  if (rewrite) {
+    if (!apply) {
+      lines.push("", "Source rewrite requested but skipped because --apply was not set.");
+    } else if (rewriteResult) {
+      lines.push(
+        "",
+        `Rewrote ${rewriteResult.rewrittenFiles.length} file${rewriteResult.rewrittenFiles.length === 1 ? "" : "s"} and created ${rewriteResult.backupFiles.length} backup${rewriteResult.backupFiles.length === 1 ? "" : "s"}.`
+      );
+      if (rewriteResult.skippedUsages.length > 0) {
+        lines.push("Skipped usages:");
+        lines.push(...rewriteResult.skippedUsages.map((entry) => `  ${entry}`));
+      }
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/commands/namespace.ts
+import path9 from "path";
+function normalizeCommand2(args) {
+  const [actionOrPath, ...tail] = args;
+  if (!actionOrPath) {
+    return {
+      action: "list",
+      tail: []
+    };
+  }
+  if (["get", "set", "create", "add", "list", "delete", "remove"].includes(actionOrPath)) {
+    return {
+      action: actionOrPath === "remove" ? "delete" : actionOrPath === "create" || actionOrPath === "add" ? "set" : actionOrPath,
+      tail
+    };
+  }
+  return {
+    action: "get",
+    tail: args
+  };
+}
+async function runNamespace(namespace, args = [], options = {}) {
+  const { action, tail } = normalizeCommand2(args);
+  const cliArgs = [...options.cliArgs ?? []];
+  const root = path9.resolve(options.root ?? process.cwd());
+  if (action === "list") {
+    const prefix = consumeOption(cliArgs, "--prefix");
+    const entries = await listConfigEntries(namespace, {
+      ...options,
+      cliArgs,
+      ...prefix ? { prefix } : {}
+    });
+    if (options.json) {
+      return printJson(entries);
+    }
+    return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
+  }
+  if (action === "set") {
+    const configPath2 = tail[0] ?? "app.name";
+    const rawValue = tail[1] ?? "";
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await defineValue(namespace, configPath2, rawValue, {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson({
+        namespace,
+        path: configPath2,
+        target,
+        filePath: result.filePath,
+        value: result.value
+      });
+    }
+    return `set ${namespace}.${configPath2} in ${displayPath(result.filePath, root)}`;
+  }
+  if (action === "delete") {
+    const configPath2 = tail[0] ?? "app.name";
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await deleteValue(namespace, configPath2, {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return result.deleted ? `deleted ${namespace}.${configPath2} from ${displayPath(result.filePath, root)}` : `no ${namespace}.${configPath2} found in ${displayPath(result.filePath, root)}`;
+  }
+  const runtime = await createRuntimeService(options);
+  const configPath = tail[0] ?? "app.name";
+  const value = runtime.read(`${namespace}.${configPath}`);
+  if (value === void 0) {
+    throw new Error(`Missing CNOS ${namespace} path: ${configPath}`);
+  }
+  if (options.json) {
+    return printJson({
+      key: `${namespace}.${configPath}`,
+      value
+    });
+  }
+  return printValue(value);
+}
+
+// src/commands/onboard.ts
+import { copyFile, readdir as readdir2, rm } from "fs/promises";
+import path10 from "path";
 var ROOT_ENV_FILE_PATTERN = /^\.env(?:\.[A-Za-z0-9_-]+)*(?:\.example)?$/;
 async function listRootEnvFiles(root) {
-  const entries = await readdir(root, { withFileTypes: true });
+  const entries = await readdir2(root, { withFileTypes: true });
   return entries.filter((entry) => entry.isFile() && ROOT_ENV_FILE_PATTERN.test(entry.name)).map((entry) => entry.name).sort((left, right) => left.localeCompare(right));
 }
 async function runOnboard(options = {}) {
-  const root = path7.resolve(options.root ?? process.cwd());
-  const workspace = options.workspace ?? path7.basename(root);
+  const root = path10.resolve(options.root ?? process.cwd());
+  const workspace = options.workspace ?? path10.basename(root);
   const cliArgs = [...options.cliArgs ?? []];
   const move = consumeFlag(cliArgs, "--move");
   if (cliArgs.length > 0) {
     throw new Error(`Unsupported onboard arguments: ${cliArgs.join(" ")}`);
   }
   const scaffold = await scaffoldWorkspace(root, workspace);
-  const envRoot = path7.join(root, ".cnos", "workspaces", workspace, "env");
+  const envRoot = path10.join(root, ".cnos", "workspaces", workspace, "env");
   const rootFiles = await listRootEnvFiles(root);
   const imported = [];
   const skipped = [];
   for (const fileName of rootFiles) {
-    const sourcePath = path7.join(root, fileName);
-    const targetPath = path7.join(envRoot, fileName);
+    const sourcePath = path10.join(root, fileName);
+    const targetPath = path10.join(envRoot, fileName);
     try {
       await copyFile(sourcePath, targetPath);
-      imported.push(path7.relative(root, targetPath).replace(/\\/g, "/"));
+      imported.push(path10.relative(root, targetPath).replace(/\\/g, "/"));
       if (move) {
-        await rm3(sourcePath);
+        await rm(sourcePath);
       }
     } catch {
       skipped.push(fileName);
@@ -1835,17 +2180,17 @@ async function runOnboard(options = {}) {
 }
 
 // src/commands/profile.ts
-import path10 from "path";
+import path13 from "path";
 
 // src/services/context.ts
-import { readFile as readFile5, writeFile as writeFile5 } from "fs/promises";
-import path8 from "path";
-import { parseYaml as parseYaml2, stringifyYaml as stringifyYaml3 } from "@kitsy/cnos/internal";
+import { readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
+import path11 from "path";
+import { parseYaml as parseYaml3, stringifyYaml as stringifyYaml2 } from "@kitsy/cnos/internal";
 async function loadCliContext(root = process.cwd()) {
-  const filePath = path8.join(path8.resolve(root), ".cnos-workspace.yml");
+  const filePath = path11.join(path11.resolve(root), ".cnos-workspace.yml");
   try {
-    const source = await readFile5(filePath, "utf8");
-    const parsed = parseYaml2(source);
+    const source = await readFile4(filePath, "utf8");
+    const parsed = parseYaml3(source);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       return {};
     }
@@ -1855,8 +2200,8 @@ async function loadCliContext(root = process.cwd()) {
   }
 }
 async function saveCliContext(options = {}) {
-  const root = path8.resolve(options.root ?? process.cwd());
-  const filePath = path8.join(root, ".cnos-workspace.yml");
+  const root = path11.resolve(options.root ?? process.cwd());
+  const filePath = path11.join(root, ".cnos-workspace.yml");
   const current = await loadCliContext(root);
   const next = {
     ...current.workspace ? { workspace: current.workspace } : {},
@@ -1866,7 +2211,7 @@ async function saveCliContext(options = {}) {
     ...options.profile ? { profile: options.profile } : {},
     ...options.globalRoot ? { globalRoot: options.globalRoot } : {}
   };
-  await writeFile5(filePath, stringifyYaml3(next), "utf8");
+  await writeFile4(filePath, stringifyYaml2(next), "utf8");
   return {
     filePath,
     context: next
@@ -1874,29 +2219,37 @@ async function saveCliContext(options = {}) {
 }
 
 // src/services/profiles.ts
-import { mkdir as mkdir4, readdir as readdir2, readFile as readFile6, rm as rm4, writeFile as writeFile6 } from "fs/promises";
-import path9 from "path";
-import { parseYaml as parseYaml3, stringifyYaml as stringifyYaml4 } from "@kitsy/cnos/internal";
-async function createProfileDefinition(root = process.cwd(), profile, inherit) {
-  const filePath = path9.join(path9.resolve(root), ".cnos", "profiles", `${profile}.yml`);
-  await mkdir4(path9.dirname(filePath), { recursive: true });
-  const document = inherit && inherit !== "base" ? {
+import { mkdir as mkdir4, readdir as readdir3, readFile as readFile5, rm as rm2, writeFile as writeFile5 } from "fs/promises";
+import path12 from "path";
+import { parseYaml as parseYaml4, stringifyYaml as stringifyYaml3 } from "@kitsy/cnos/internal";
+async function createProfileDefinition(root = process.cwd(), profile, inherit, options = {}) {
+  const filePath = path12.join(path12.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  await mkdir4(path12.dirname(filePath), { recursive: true });
+  const document = options.noInherit ? {
+    name: profile,
+    activate: {
+      values: [`profiles/${profile}/values`, `values/${profile}`],
+      secrets: [`profiles/${profile}/secrets`, `secrets/${profile}`],
+      envFiles: [`.env.${profile}`]
+    }
+  } : inherit && inherit !== "base" ? {
     name: profile,
     extends: [inherit]
   } : {
     name: profile
   };
-  await writeFile6(filePath, stringifyYaml4(document), "utf8");
+  await writeFile5(filePath, stringifyYaml3(document), "utf8");
   return {
     filePath,
     profile,
-    ...inherit ? { inherit } : {}
+    ...inherit ? { inherit } : {},
+    ...options.noInherit ? { noInherit: true } : {}
   };
 }
 async function listProfiles(root = process.cwd()) {
-  const profilesRoot = path9.join(path9.resolve(root), ".cnos", "profiles");
+  const profilesRoot = path12.join(path12.resolve(root), ".cnos", "profiles");
   try {
-    const entries = await readdir2(profilesRoot, { withFileTypes: true });
+    const entries = await readdir3(profilesRoot, { withFileTypes: true });
     const discovered = /* @__PURE__ */ new Set(["base"]);
     for (const entry of entries) {
       if (entry.isFile() && entry.name.endsWith(".yml")) {
@@ -1909,9 +2262,9 @@ async function listProfiles(root = process.cwd()) {
   }
 }
 async function deleteProfileDefinition(root = process.cwd(), profile) {
-  const filePath = path9.join(path9.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  const filePath = path12.join(path12.resolve(root), ".cnos", "profiles", `${profile}.yml`);
   try {
-    await rm4(filePath);
+    await rm2(filePath);
     return {
       filePath,
       deleted: true
@@ -1929,9 +2282,9 @@ async function readProfileDefinition(root = process.cwd(), profile = "base") {
       name: "base"
     };
   }
-  const filePath = path9.join(path9.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  const filePath = path12.join(path12.resolve(root), ".cnos", "profiles", `${profile}.yml`);
   try {
-    return parseYaml3(await readFile6(filePath, "utf8")) ?? void 0;
+    return parseYaml4(await readFile5(filePath, "utf8")) ?? void 0;
   } catch {
     return void 0;
   }
@@ -1953,16 +2306,23 @@ function normalizeProfileAction(args) {
 }
 async function runProfile(args, options = {}) {
   const { action, tail } = normalizeProfileAction(args);
-  const root = path10.resolve(options.root ?? process.cwd());
+  const root = path13.resolve(options.root ?? process.cwd());
   const cliArgs = [...options.cliArgs ?? []];
   if (action === "create") {
     const profile = tail[0] ?? "stage";
     const inherit = consumeOption(cliArgs, "--inherit");
-    const result = await createProfileDefinition(root, profile, inherit);
+    const noInherit = consumeFlag(cliArgs, "--no-inherit");
+    if (inherit && noInherit) {
+      throw new Error("profile create accepts either --inherit <name> or --no-inherit, not both");
+    }
+    const result = await createProfileDefinition(root, profile, inherit, { noInherit });
     if (options.json) {
       return printJson(result);
     }
-    return `created profile ${profile} at ${result.filePath}`;
+    if (noInherit) {
+      return `created profile ${profile} at ${displayPath(result.filePath, root)} without inheriting base`;
+    }
+    return `created profile ${profile} at ${displayPath(result.filePath, root)}; inherits values from base by default`;
   }
   if (action === "use") {
     const profile = tail[0] ?? "base";
@@ -1973,7 +2333,7 @@ async function runProfile(args, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return `active profile set to ${profile} in ${result.filePath}`;
+    return `active profile set to ${profile} in ${displayPath(result.filePath, root)}`;
   }
   if (action === "delete") {
     const profile = tail[0] ?? "base";
@@ -1997,11 +2357,12 @@ async function runProfile(args, options = {}) {
 }
 
 // src/commands/promote.ts
-import { writeFile as writeFile7 } from "fs/promises";
+import path14 from "path";
+import { writeFile as writeFile6 } from "fs/promises";
 import {
   ensureProjectionAllowed,
   loadManifest as loadManifest2,
-  stringifyYaml as stringifyYaml5
+  stringifyYaml as stringifyYaml4
 } from "@kitsy/cnos/internal";
 function normalizeTarget(value) {
   if (value === "public" || value === "env") {
@@ -2013,6 +2374,7 @@ function sortRecord(record) {
   return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
 }
 async function runPromote(args = [], options = {}) {
+  const root = path14.resolve(options.root ?? process.cwd());
   const cliArgs = [...options.cliArgs ?? []];
   const target = normalizeTarget(consumeOption(cliArgs, "--to"));
   const alias = consumeOption(cliArgs, "--as");
@@ -2051,7 +2413,7 @@ async function runPromote(args = [], options = {}) {
       })
     };
   }
-  await writeFile7(loadedManifest.manifestPath, stringifyYaml5(rawManifest), "utf8");
+  await writeFile6(loadedManifest.manifestPath, stringifyYaml4(rawManifest), "utf8");
   if (options.json) {
     return printJson({
       target,
@@ -2060,7 +2422,7 @@ async function runPromote(args = [], options = {}) {
       manifestPath: loadedManifest.manifestPath
     });
   }
-  return target === "public" ? `promoted ${keys.join(", ")} to public in ${loadedManifest.manifestPath}` : `promoted ${keys[0]} to env as ${alias} in ${loadedManifest.manifestPath}`;
+  return target === "public" ? `promoted ${keys.join(", ")} to public in ${displayPath(loadedManifest.manifestPath, root)}` : `promoted ${keys[0]} to env as ${alias} in ${displayPath(loadedManifest.manifestPath, root)}`;
 }
 
 // src/commands/read.ts
@@ -2070,16 +2432,23 @@ async function runRead(key, options = {}) {
   if (value === void 0) {
     throw new Error(`Missing CNOS config key: ${key}`);
   }
+  const isSecret = key.startsWith("secret.");
+  const cliArgs = [...options.cliArgs ?? []];
+  const reveal = consumeFlag(cliArgs, "--reveal");
+  const valueForOutput = isSecret && !reveal ? maskSecretValue(value) : value;
   if (options.json) {
-    return printJson({ key, value });
+    return printJson({ key, value: valueForOutput });
   }
-  return printValue(value);
+  return printValue(valueForOutput);
 }
 
 // src/commands/run.ts
 import { spawn } from "child_process";
 import {
   CNOS_GRAPH_ENV_VAR,
+  CNOS_SECRET_PAYLOAD_ENV_VAR,
+  CNOS_SESSION_KEY_ENV_VAR,
+  serializeSecretPayload,
   serializeRuntimeGraph
 } from "@kitsy/cnos/internal";
 function consumeOptions(args, flag) {
@@ -2118,6 +2487,7 @@ async function runCommand(command, options = {}) {
   }
   const cliArgs = [...options.cliArgs ?? []];
   const isPublic = consumeFlag(cliArgs, "--public");
+  const isAuthenticated = consumeFlag(cliArgs, "--auth");
   const framework = consumeOption(cliArgs, "--framework");
   const prefix = consumeOption(cliArgs, "--prefix");
   const setOverrides = normalizeSetOverrides(consumeOptions(cliArgs, "--set"));
@@ -2125,13 +2495,21 @@ async function runCommand(command, options = {}) {
     ...options,
     cliArgs: [...cliArgs, ...setOverrides]
   });
+  const authenticatedSecrets = isAuthenticated ? Object.fromEntries(
+    Array.from(runtime.graph.entries.values()).filter((entry) => entry.namespace === "secret").map((entry) => [entry.key, runtime.read(entry.key)])
+  ) : void 0;
+  const secretPayload = authenticatedSecrets ? serializeSecretPayload(authenticatedSecrets) : void 0;
   const env = {
     ...process.env,
     ...isPublic ? runtime.toPublicEnv({
       ...framework ? { framework } : {},
       ...prefix ? { prefix } : {}
     }) : runtime.toEnv(),
-    [CNOS_GRAPH_ENV_VAR]: serializeRuntimeGraph(runtime.graph)
+    [CNOS_GRAPH_ENV_VAR]: serializeRuntimeGraph(runtime.graph),
+    ...secretPayload ? {
+      [CNOS_SECRET_PAYLOAD_ENV_VAR]: secretPayload.payload,
+      [CNOS_SESSION_KEY_ENV_VAR]: secretPayload.sessionKey
+    } : {}
   };
   return new Promise((resolve, reject) => {
     const executable = command[0];
@@ -2166,12 +2544,203 @@ async function runCommand(command, options = {}) {
   });
 }
 
+// src/commands/secret.ts
+import path17 from "path";
+
+// src/commands/vault.ts
+import path16 from "path";
+
+// src/services/vaults.ts
+import { rm as rm3, writeFile as writeFile7 } from "fs/promises";
+import path15 from "path";
+import {
+  clearAllVaultSessionKeys,
+  clearVaultSessionKey,
+  createSecretVault,
+  deriveVaultKey,
+  listLocalSecrets,
+  loadManifest as loadManifest3,
+  listSecretVaults,
+  readVaultMetadata,
+  resolveSecretStoreRoot as resolveSecretStoreRoot2,
+  resolveVaultAuth as resolveVaultAuth2,
+  resolveVaultDefinition,
+  stringifyYaml as stringifyYaml5,
+  writeKeychain,
+  writeVaultSessionKey
+} from "@kitsy/cnos/internal";
+function buildVaultDefinition(vault, provider) {
+  return provider === "local" ? {
+    provider: "local",
+    auth: {
+      passphrase: {
+        from: defaultLocalAuthSources(vault)
+      }
+    }
+  } : {
+    provider,
+    auth: {
+      method: "environment"
+    }
+  };
+}
+function sortVaults(vaults) {
+  return Object.fromEntries(Object.entries(vaults).sort(([left], [right]) => left.localeCompare(right)));
+}
+function defaultLocalAuthSources(vault) {
+  const token = vault.replace(/[^A-Za-z0-9]+/g, "_").toUpperCase();
+  return [`env:CNOS_SECRET_PASSPHRASE_${token}`, "env:CNOS_SECRET_PASSPHRASE", `keychain:cnos/${vault}`, "prompt"];
+}
+async function createVaultDefinition(name, options = {}) {
+  const vault = name.trim() || "default";
+  const provider = options.provider?.trim() || "local";
+  if (provider === "local" && (options.noPassphrase ?? false)) {
+    throw new Error("Local vaults cannot be passwordless.");
+  }
+  const loadedManifest = await loadManifest3(options.root ? { root: options.root } : {});
+  const vaultDefinition = buildVaultDefinition(vault, provider);
+  const rawManifest = {
+    ...loadedManifest.rawManifest,
+    vaults: {
+      ...loadedManifest.rawManifest.vaults ?? {},
+      [vault]: vaultDefinition
+    }
+  };
+  await writeFile7(loadedManifest.manifestPath, stringifyYaml5(rawManifest), "utf8");
+  const definition = resolveVaultDefinition({ [vault]: vaultDefinition }, vault);
+  if (provider === "local") {
+    const auth = await resolveVaultAuth2(vault, vaultDefinition, options.processEnv ?? process.env);
+    if (!auth.passphrase) {
+      throw new Error(`Vault "${vault}" requires passphrase-based authentication during creation.`);
+    }
+    const storeRoot = resolveSecretStoreRoot2(options.processEnv);
+    const existing = await readVaultMetadata(storeRoot, vault);
+    if (!existing) {
+      await createSecretVault(storeRoot, vault, auth.passphrase);
+    }
+  }
+  return {
+    ...definition,
+    authMethod: definition.auth?.method ?? (provider === "local" ? "passphrase" : "environment"),
+    localStore: provider === "local",
+    manifestPath: loadedManifest.manifestPath
+  };
+}
+async function listVaultDefinitions(options = {}) {
+  const loadedManifest = await loadManifest3(options.root ? { root: options.root } : {});
+  const localStoreVaults = await listSecretVaults(resolveSecretStoreRoot2(options.processEnv));
+  return Object.keys(loadedManifest.manifest.vaults).sort((left, right) => left.localeCompare(right)).map((name) => {
+    const definition = resolveVaultDefinition(loadedManifest.manifest.vaults, name);
+    return {
+      ...definition,
+      authMethod: definition.auth?.method ?? (definition.provider === "local" ? "passphrase" : "environment"),
+      localStore: localStoreVaults.includes(name)
+    };
+  });
+}
+async function removeVaultDefinition(name, options = {}) {
+  const vault = name.trim() || "default";
+  const loadedManifest = await loadManifest3(options.root ? { root: options.root } : {});
+  if (!loadedManifest.rawManifest.vaults?.[vault]) {
+    return {
+      name: vault,
+      deleted: false,
+      manifestPath: loadedManifest.manifestPath
+    };
+  }
+  const nextVaults = { ...loadedManifest.rawManifest.vaults ?? {} };
+  delete nextVaults[vault];
+  const rawManifest = {
+    ...loadedManifest.rawManifest,
+    ...Object.keys(nextVaults).length > 0 ? { vaults: sortVaults(nextVaults) } : {}
+  };
+  if (Object.keys(nextVaults).length === 0) {
+    delete rawManifest.vaults;
+  }
+  await writeFile7(loadedManifest.manifestPath, stringifyYaml5(rawManifest), "utf8");
+  const vaultRoot = path15.join(resolveSecretStoreRoot2(options.processEnv), "vaults", vault);
+  let removedStore;
+  try {
+    await rm3(vaultRoot, { recursive: true, force: true });
+    removedStore = vaultRoot;
+  } catch {
+    removedStore = void 0;
+  }
+  await clearVaultSessionKey(vault, options.processEnv);
+  return {
+    name: vault,
+    deleted: true,
+    manifestPath: loadedManifest.manifestPath,
+    ...removedStore ? { removedStore } : {}
+  };
+}
+async function listLocalStoreVaults(options = {}) {
+  return listSecretVaults(resolveSecretStoreRoot2(options.processEnv));
+}
+async function authenticateVault(name, options = {}) {
+  const vault = name.trim() || "default";
+  const loadedManifest = await loadManifest3(options.root ? { root: options.root } : {});
+  const definition = loadedManifest.manifest.vaults[vault];
+  if (!definition) {
+    throw new Error(`Unknown vault "${vault}"`);
+  }
+  const auth = await resolveVaultAuth2(vault, definition, options.processEnv ?? process.env);
+  const storeRoot = resolveSecretStoreRoot2(options.processEnv);
+  if (definition.provider === "local") {
+    if (!auth.passphrase) {
+      throw new Error(`Vault "${vault}" requires passphrase-based authentication.`);
+    }
+    const metadata = await readVaultMetadata(storeRoot, vault);
+    if (!metadata) {
+      throw new Error(
+        `Vault "${vault}" has not been initialized yet. Run cnos vault create ${vault} first.`
+      );
+    }
+    const derivedKey = deriveVaultKey(auth.passphrase, Buffer.from(metadata.salt, "base64"), metadata.iterations);
+    await listLocalSecrets(
+      storeRoot,
+      {
+        derivedKey,
+        method: auth.method,
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      },
+      vault
+    );
+    const sessionPath2 = await writeVaultSessionKey(vault, derivedKey, options.processEnv);
+    if (options.storeKeychain) {
+      await writeKeychain(`cnos/${vault}`, derivedKey.toString("hex"));
+    }
+    return {
+      name: vault,
+      method: auth.method,
+      storedInKeychain: options.storeKeychain ?? false,
+      sessionPath: sessionPath2
+    };
+  }
+  const sessionPath = await writeVaultSessionKey(vault, Buffer.from(vault, "utf8"), options.processEnv);
+  return {
+    name: vault,
+    method: auth.method,
+    storedInKeychain: false,
+    sessionPath
+  };
+}
+async function logoutVault(name, options = {}) {
+  if (options.all) {
+    await clearAllVaultSessionKeys(options.processEnv);
+    return { scope: "all" };
+  }
+  const vault = name?.trim() || "default";
+  await clearVaultSessionKey(vault, options.processEnv);
+  return { scope: vault };
+}
+
 // src/commands/vault.ts
 function normalizeVaultAction(args) {
   const [action = "list", ...tail] = args;
-  if (["create", "add", "list", "delete", "remove"].includes(action)) {
+  if (["create", "add", "list", "delete", "remove", "auth", "logout"].includes(action)) {
     return {
-      action: action === "add" || action === "create" ? "create" : action === "delete" || action === "remove" ? "remove" : "list",
+      action: action === "add" || action === "create" ? "create" : action === "delete" || action === "remove" ? "remove" : action === "auth" ? "auth" : action === "logout" ? "logout" : "list",
       tail
     };
   }
@@ -2183,22 +2752,46 @@ function normalizeVaultAction(args) {
 async function runVault(args = [], options = {}) {
   const { action, tail } = normalizeVaultAction(args);
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path16.resolve(options.root ?? process.cwd());
+  if (consumeOption(cliArgs, "--passphrase")) {
+    throw new Error("The --passphrase option is not supported in CNOS 1.4. Use env, keychain, or prompt-based auth.");
+  }
   if (action === "create") {
     const name = tail[0] ?? "default";
     const provider = consumeOption(cliArgs, "--provider") ?? "local";
-    const passphrase = consumeOption(cliArgs, "--passphrase");
     const noPassphrase = consumeFlag(cliArgs, "--no-passphrase");
     const result = await createVaultDefinition(name, {
       ...options,
       cliArgs,
       provider,
-      ...passphrase ? { passphrase } : {},
       ...noPassphrase ? { noPassphrase: true } : {}
     });
     if (options.json) {
       return printJson(result);
     }
-    return `created vault "${result.name}" with provider "${result.provider}" in ${result.manifestPath}`;
+    return `created vault "${result.name}" with provider "${result.provider}" in ${displayPath(result.manifestPath, root)}`;
+  }
+  if (action === "auth") {
+    const result = await authenticateVault(tail[0] ?? "default", {
+      ...options,
+      cliArgs,
+      storeKeychain: consumeFlag(cliArgs, "--store-keychain")
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return `authenticated vault "${result.name}" via ${result.method}`;
+  }
+  if (action === "logout") {
+    const result = await logoutVault(tail[0], {
+      ...options,
+      cliArgs,
+      all: consumeFlag(cliArgs, "--all")
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return result.scope === "all" ? "logged out all vault sessions" : `logged out vault "${result.scope}"`;
   }
   if (action === "remove") {
     const name = tail[0] ?? "default";
@@ -2224,16 +2817,11 @@ async function runVault(args = [], options = {}) {
     return "";
   }
   return manifestVaults.map(
-    (vault) => `${vault.name} provider=${vault.provider} passphrase=${vault.passphrasePolicy}${localStoreVaults.includes(vault.name) ? " local-store=true" : ""}`
+    (vault) => `${vault.name} provider=${vault.provider} auth=${vault.authMethod}${localStoreVaults.includes(vault.name) ? " local-store=true" : ""}`
   ).join("\n");
 }
 
 // src/commands/secret.ts
-function isSecretRef(value) {
-  return Boolean(
-    value && typeof value === "object" && !Array.isArray(value) && typeof value.provider === "string" && typeof value.ref === "string"
-  );
-}
 function normalizeSecretCommand(args) {
   const [actionOrPath, next, ...tail] = args;
   if (!actionOrPath) {
@@ -2259,53 +2847,74 @@ function normalizeSecretCommand(args) {
     tail: args
   };
 }
+async function readStdinValue() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  return Buffer.concat(chunks).toString("utf8").trimEnd();
+}
 async function runSecret(argsOrPath, options = {}) {
   const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
   const { action, tail } = normalizeSecretCommand(args);
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path17.resolve(options.root ?? process.cwd());
+  if (consumeOption(cliArgs, "--passphrase")) {
+    throw new Error("The --passphrase option is not supported in CNOS 1.4. Use env, keychain, or prompt-based auth.");
+  }
   if (action === "create-vault") {
     return runVault(["create", tail[0] ?? "default"], options);
   }
   if (action === "list") {
+    const runtime2 = await createRuntimeService(options);
     const prefix = consumeOption(cliArgs, "--prefix");
     const vault = consumeOption(cliArgs, "--vault");
     const provider = consumeOption(cliArgs, "--provider");
-    const entries = await listConfigEntries("secret", {
-      ...options,
-      cliArgs,
-      ...prefix ? { prefix } : {},
-      ...vault ? { vault } : {},
-      ...provider ? { provider } : {}
-    });
+    const entries = Array.from(runtime2.graph.entries.values()).filter((entry2) => entry2.namespace === "secret").filter((entry2) => !prefix || entry2.key.startsWith(`secret.${prefix}`) || entry2.key.startsWith(prefix)).filter((entry2) => {
+      const secretRef2 = entry2.winner.metadata?.secretRef;
+      if (vault && secretRef2?.vault !== vault) {
+        return false;
+      }
+      if (provider && secretRef2?.provider !== provider) {
+        return false;
+      }
+      return true;
+    }).map((entry2) => {
+      const secretRef2 = entry2.winner.metadata?.secretRef;
+      return {
+        key: entry2.key,
+        vault: secretRef2?.vault ?? "default",
+        provider: secretRef2?.provider ?? "local"
+      };
+    }).sort((left, right) => left.key.localeCompare(right.key));
     if (options.json) {
       return printJson(entries);
     }
-    return entries.map((entry2) => `${entry2.key}=${printValue(entry2.value)}`).join("\n");
+    return entries.map((entry2) => `${entry2.key} (vault: ${entry2.vault}, provider: ${entry2.provider})`).join("\n");
   }
   if (action === "set") {
     const secretPath2 = tail[0];
-    const rawValue = tail[1] ?? "";
     const local = consumeFlag(cliArgs, "--local");
     const remote = consumeFlag(cliArgs, "--remote");
     const ref = consumeFlag(cliArgs, "--ref");
+    const stdin = consumeFlag(cliArgs, "--stdin");
     const target = consumeOption(cliArgs, "--target") ?? "local";
     const provider = consumeOption(cliArgs, "--provider");
-    const passphrase = consumeOption(cliArgs, "--passphrase");
     const vault = consumeOption(cliArgs, "--vault") ?? "default";
     const mode = local ? "local" : remote ? "remote" : ref ? "ref" : void 0;
+    const rawValue = stdin ? await readStdinValue() : tail[1] ?? "";
     const result = await setSecret(secretPath2 ?? "app.token", rawValue, {
       ...options,
       cliArgs,
       target,
       vault,
       ...mode ? { mode } : {},
-      ...provider ? { provider } : {},
-      ...passphrase ? { passphrase } : {}
+      ...provider ? { provider } : {}
     });
     if (options.json) {
       return printJson(result);
     }
-    return result.provider === "local" ? `set secret.${secretPath2} in vault "${result.vault ?? "default"}" with ref "${result.ref}" and repo pointer ${result.filePath}` : `set secret.${secretPath2} via ${result.provider} in ${result.filePath}`;
+    return result.provider === "local" ? `set secret.${secretPath2} in vault "${result.vault ?? "default"}" with ref "${result.ref}" and repo pointer ${displayPath(result.filePath, root)}` : `set secret.${secretPath2} via ${result.provider} in ${displayPath(result.filePath, root)}`;
   }
   if (action === "delete") {
     const secretPath2 = tail[0];
@@ -2318,11 +2927,12 @@ async function runSecret(argsOrPath, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return result.deleted ? `deleted secret.${secretPath2} from ${result.filePath}` : `no secret.${secretPath2} found in ${result.filePath}`;
+    return result.deleted ? `deleted secret.${secretPath2} from ${displayPath(result.filePath, root)}` : `no secret.${secretPath2} found in ${displayPath(result.filePath, root)}`;
   }
   const runtime = await createRuntimeService(options);
   const secretPath = tail[0] ?? "app.token";
   const expectedVault = consumeOption(cliArgs, "--vault");
+  const reveal = consumeFlag(cliArgs, "--reveal");
   const entry = runtime.graph.entries.get(`secret.${secretPath}`);
   const secretRef = entry?.winner.metadata?.secretRef;
   const value = runtime.secret(secretPath);
@@ -2332,36 +2942,24 @@ async function runSecret(argsOrPath, options = {}) {
   if (expectedVault && secretRef?.vault && secretRef.vault !== expectedVault) {
     throw new Error(`Secret ${secretPath} belongs to vault "${secretRef.vault}", not "${expectedVault}"`);
   }
-  if (isSecretRef(value)) {
-    if (value.provider === "local") {
-      const vault = value.vault ?? "default";
-      throw new Error(
-        `Secret ${secretPath} is stored in vault "${vault}" as ref "${value.ref}". Provide the correct vault passphrase to resolve it.`
-      );
-    }
-    if (value.provider === "github-secrets") {
-      throw new Error(
-        `Secret ${secretPath} is backed by GitHub secrets via ref "${value.ref}". Set that env var in the current process or CI job to resolve it.`
-      );
-    }
-    throw new Error(`Secret ${secretPath} is stored as a ${value.provider} reference "${value.ref}" and is not resolved.`);
-  }
+  const valueForOutput = reveal ? value : maskSecretValue(value);
   if (options.json) {
     return printJson({
       key: `secret.${secretPath}`,
-      value
+      value: valueForOutput,
+      vault: secretRef?.vault ?? "default"
     });
   }
-  return printValue(value);
+  return printValue(valueForOutput);
 }
 
 // src/commands/use.ts
-import path11 from "path";
+import path18 from "path";
 async function runUse(args = [], options = {}) {
-  const root = path11.resolve(options.root ?? process.cwd());
-  const action = args[0] ?? "show";
+  const root = path18.resolve(options.root ?? process.cwd());
+  const action = args[0];
   const hasUpdates = Boolean(options.workspace || options.profile || options.globalRoot);
-  if (action === "show" || !hasUpdates) {
+  if (action === "show" || !action && !hasUpdates) {
     const context = await loadCliContext(root);
     if (options.json) {
       return printJson(context);
@@ -2377,7 +2975,7 @@ async function runUse(args = [], options = {}) {
   if (options.json) {
     return printJson(result);
   }
-  return `updated CLI context in ${result.filePath}`;
+  return `updated CLI context in ${displayPath(result.filePath, root)}`;
 }
 
 // src/commands/validate.ts
@@ -2395,7 +2993,7 @@ async function runValidate(options = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos-cli",
-  version: "1.2.0",
+  version: "1.4.0",
   description: "CLI entry point and developer tooling for CNOS.",
   type: "module",
   main: "./dist/index.js",
@@ -2450,6 +3048,7 @@ function runVersion() {
 }
 
 // src/commands/value.ts
+import path19 from "path";
 function normalizeValueCommand(args) {
   const [actionOrPath, ...tail] = args;
   if (!actionOrPath) {
@@ -2473,6 +3072,7 @@ async function runValue(argsOrPath, options = {}) {
   const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
   const { action, tail } = normalizeValueCommand(args);
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path19.resolve(options.root ?? process.cwd());
   if (action === "list") {
     const prefix = consumeOption(cliArgs, "--prefix");
     const entries = await listConfigEntries("value", {
@@ -2503,7 +3103,7 @@ async function runValue(argsOrPath, options = {}) {
         value: result.value
       });
     }
-    return `set value.${valuePath} in ${result.filePath}`;
+    return `set value.${valuePath} in ${displayPath(result.filePath, root)}`;
   }
   if (action === "delete") {
     const valuePath = tail[0] ?? "app.name";
@@ -2516,7 +3116,7 @@ async function runValue(argsOrPath, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return result.deleted ? `deleted value.${valuePath} from ${result.filePath}` : `no value.${valuePath} found in ${result.filePath}`;
+    return result.deleted ? `deleted value.${valuePath} from ${displayPath(result.filePath, root)}` : `no value.${valuePath} found in ${displayPath(result.filePath, root)}`;
   }
   const runtime = await createRuntimeService(options);
   const value = runtime.value(tail[0] ?? "app.name");
@@ -2532,6 +3132,180 @@ async function runValue(argsOrPath, options = {}) {
   return printValue(value);
 }
 
+// src/commands/watch.ts
+import { watch } from "fs";
+import { spawn as spawn2 } from "child_process";
+import {
+  CNOS_GRAPH_ENV_VAR as CNOS_GRAPH_ENV_VAR2,
+  CNOS_SECRET_PAYLOAD_ENV_VAR as CNOS_SECRET_PAYLOAD_ENV_VAR2,
+  CNOS_SESSION_KEY_ENV_VAR as CNOS_SESSION_KEY_ENV_VAR2,
+  diffGraphs,
+  serializeRuntimeGraph as serializeRuntimeGraph2,
+  serializeSecretPayload as serializeSecretPayload2,
+  watchFiles
+} from "@kitsy/cnos/internal";
+async function buildRunEnvironment(options) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const isPublic = consumeFlag(cliArgs, "--public");
+  const isAuthenticated = consumeFlag(cliArgs, "--auth");
+  const framework = consumeOption(cliArgs, "--framework");
+  const prefix = consumeOption(cliArgs, "--prefix");
+  const runtime = await createRuntimeService({
+    ...options,
+    cliArgs
+  });
+  const authenticatedSecrets = isAuthenticated ? Object.fromEntries(
+    Array.from(runtime.graph.entries.values()).filter((entry) => entry.namespace === "secret").map((entry) => [entry.key, runtime.read(entry.key)])
+  ) : void 0;
+  const secretPayload = authenticatedSecrets ? serializeSecretPayload2(authenticatedSecrets) : void 0;
+  return {
+    runtime,
+    env: {
+      ...process.env,
+      ...isPublic ? runtime.toPublicEnv({
+        ...framework ? { framework } : {},
+        ...prefix ? { prefix } : {}
+      }) : runtime.toEnv(),
+      [CNOS_GRAPH_ENV_VAR2]: serializeRuntimeGraph2(runtime.graph),
+      ...secretPayload ? {
+        [CNOS_SECRET_PAYLOAD_ENV_VAR2]: secretPayload.payload,
+        [CNOS_SESSION_KEY_ENV_VAR2]: secretPayload.sessionKey
+      } : {}
+    }
+  };
+}
+function spawnWatchedChild(command, cwd, env) {
+  const executable = command[0];
+  if (!executable) {
+    throw new Error("watch requires a command after -- unless --signal is used");
+  }
+  return spawn2(executable, command.slice(1), {
+    cwd,
+    env,
+    stdio: "inherit",
+    shell: false
+  });
+}
+async function startWatchLoop(options) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const isSignal = consumeFlag(cliArgs, "--signal");
+  const debounceMs = Number(consumeOption(cliArgs, "--debounce") ?? "300");
+  const command = options.command ?? [];
+  const root = options.root ?? process.cwd();
+  let current = await buildRunEnvironment({
+    ...options,
+    cliArgs
+  });
+  let child = !isSignal ? spawnWatchedChild(command, root, current.env) : void 0;
+  const watcherMap = /* @__PURE__ */ new Map();
+  let timer;
+  let closed = false;
+  const attachWatcher = (targetPath, recursive = false) => {
+    if (watcherMap.has(targetPath)) {
+      return;
+    }
+    try {
+      const watcher = watch(
+        targetPath,
+        recursive ? {
+          recursive: true
+        } : void 0,
+        () => {
+          if (timer) {
+            clearTimeout(timer);
+          }
+          timer = setTimeout(() => {
+            void handleChange();
+          }, debounceMs);
+        }
+      );
+      watcherMap.set(targetPath, watcher);
+    } catch {
+      if (recursive) {
+        attachWatcher(targetPath, false);
+      }
+    }
+  };
+  const refreshWatchers = async () => {
+    const nextTargets = await watchFiles(current.runtime, options.root);
+    attachWatcher(nextTargets.manifestPath, false);
+    for (const workspaceRoot of nextTargets.roots) {
+      attachWatcher(workspaceRoot, true);
+    }
+    for (const filePath of nextTargets.files) {
+      attachWatcher(filePath, false);
+    }
+  };
+  const handleChange = async () => {
+    if (closed) {
+      return;
+    }
+    const next = await buildRunEnvironment({
+      ...options,
+      cliArgs
+    });
+    const changedKeys = diffGraphs(current.runtime.graph, next.runtime.graph);
+    current = next;
+    await refreshWatchers();
+    if (changedKeys.length === 0) {
+      return;
+    }
+    if (isSignal) {
+      await options.onSignal?.({ changedKeys });
+      process.stdout.write(`${printJson({ changedKeys })}
+`);
+      return;
+    }
+    if (child && !child.killed) {
+      await new Promise((resolve) => {
+        child?.once("close", () => resolve());
+        child?.kill();
+      });
+    }
+    child = spawnWatchedChild(command, root, current.env);
+    await options.onRestart?.({ changedKeys });
+  };
+  await refreshWatchers();
+  return {
+    async close() {
+      closed = true;
+      if (timer) {
+        clearTimeout(timer);
+      }
+      for (const watcher of watcherMap.values()) {
+        watcher.close();
+      }
+      watcherMap.clear();
+      if (child && !child.killed) {
+        await new Promise((resolve) => {
+          child?.once("close", () => resolve());
+          child?.kill();
+        });
+      }
+    }
+  };
+}
+async function runWatch(command, options = {}) {
+  const cliArgs = [...options.cliArgs ?? []];
+  const isSignal = consumeFlag(cliArgs, "--signal");
+  const debounce = consumeOption(cliArgs, "--debounce");
+  const handle = await startWatchLoop({
+    ...options,
+    cliArgs: [
+      ...cliArgs,
+      ...isSignal ? ["--signal"] : [],
+      ...debounce ? ["--debounce", debounce] : []
+    ],
+    command
+  });
+  const closeWatcher = () => {
+    void handle.close();
+  };
+  process.once("SIGINT", closeWatcher);
+  process.once("SIGTERM", closeWatcher);
+  return isSignal ? "watching config changes in signal mode" : "watching config changes in restart mode";
+}
+
 // src/index.ts
 function resolveHelpTopic(command, args) {
   if (command === "help" || command === "help-ai") {
@@ -2612,6 +3386,14 @@ async function main(argv) {
       return;
     case "onboard":
       process.stdout.write(`${await runOnboard(runtimeOptions)}
+`);
+      return;
+    case "migrate":
+      process.stdout.write(`${await runMigrate(runtimeOptions)}
+`);
+      return;
+    case "codegen":
+      process.stdout.write(`${await runCodegen(runtimeOptions)}
 `);
       return;
     case "read":
@@ -2676,8 +3458,16 @@ async function main(argv) {
       process.exitCode = result.exitCode;
       return;
     }
+    case "watch":
+      process.stdout.write(`${await runWatch(passthrough.length > 0 ? passthrough : args, runtimeOptions)}
+`);
+      return;
     case "diff":
       process.stdout.write(`${await runDiff(args[0] ?? "local", args[1] ?? "stage", runtimeOptions)}
+`);
+      return;
+    case "drift":
+      process.stdout.write(`${await runDrift(runtimeOptions)}
 `);
       return;
     case "doctor":
@@ -2685,6 +3475,11 @@ async function main(argv) {
 `);
       return;
     default:
+      if (args.length > 0 && /^[a-z][a-z0-9-]*$/i.test(command)) {
+        process.stdout.write(`${await runNamespace(command, args, runtimeOptions)}
+`);
+        return;
+      }
       process.stderr.write(`Unknown command: ${command}
 `);
       process.exitCode = 1;