@kitsy/cnos-cli 1.3.0 → 1.5.0

package/dist/index.js

@@ -44,9 +44,17 @@ function normalizeCommand(argv) {
   const [command = "doctor", ...rest] = argv;
   const resource = rest[0];
   const remaining = rest.slice(1);
+  const dottedNamespace = resource?.includes(".") ? {
+    namespace: resource.slice(0, resource.indexOf(".")),
+    path: resource.slice(resource.indexOf(".") + 1)
+  } : void 0;
+  const normalizedVerb = command === "remove" || command === "delete" ? "delete" : command === "create" || command === "add" ? "set" : command === "set" || command === "get" ? command : void 0;
   if ((command === "set" || command === "get") && (resource === "value" || resource === "secret")) {
     return [resource, command, ...remaining];
   }
+  if (normalizedVerb && dottedNamespace && dottedNamespace.namespace && dottedNamespace.path) {
+    return [dottedNamespace.namespace, normalizedVerb, dottedNamespace.path, ...remaining];
+  }
   if ((command === "create" || command === "add") && resource === "profile") {
     return ["profile", "create", ...remaining];
   }
@@ -86,6 +94,9 @@ function normalizeCommand(argv) {
   if ((command === "delete" || command === "remove") && resource === "value") {
     return ["value", "delete", ...remaining];
   }
+  if (normalizedVerb && resource && !["profile", "vault", "secret", "value"].includes(resource)) {
+    return [resource, normalizedVerb, ...remaining];
+  }
   if (command === "list" && resource === "value") {
     return ["value", "list", ...remaining];
   }
@@ -219,21 +230,29 @@ function consumeOption(args, flag) {
   return void 0;
 }
 
+// src/format/displayPath.ts
+import path from "path";
+function displayPath(filePath, root = process.cwd()) {
+  const absoluteRoot = path.resolve(root);
+  const absoluteFile = path.resolve(filePath);
+  const relative = path.relative(absoluteRoot, absoluteFile);
+  if (!relative || relative === "") {
+    return ".";
+  }
+  if (relative.startsWith("..") || path.isAbsolute(relative)) {
+    return absoluteFile;
+  }
+  return relative;
+}
+
 // src/format/printJson.ts
 function printJson(value) {
   return JSON.stringify(value, null, 2);
 }
 
-// src/services/writes.ts
-import { mkdir, readFile, writeFile } from "fs/promises";
-import path from "path";
-import {
-  createSecretVaultProvider,
-  parseYaml,
-  resolveConfigDocumentPath,
-  resolveVaultAuth,
-  stringifyYaml
-} from "@kitsy/cnos/internal";
+// src/services/envMaterialization.ts
+import { mkdir, writeFile } from "fs/promises";
+import path2 from "path";
 
 // src/services/runtime.ts
 import { createCnos } from "@kitsy/cnos/configure";
@@ -249,7 +268,92 @@ async function createRuntimeService(options = {}) {
   });
 }
 
+// src/services/envMaterialization.ts
+function resolveEnvFromRuntime(runtime, cliArgs = []) {
+  const args = [...cliArgs];
+  const isPublic = consumeFlag(args, "--public");
+  const framework = consumeOption(args, "--framework");
+  const prefix = consumeOption(args, "--prefix");
+  return isPublic ? runtime.toPublicEnv({
+    ...framework ? { framework } : {},
+    ...prefix ? { prefix } : {}
+  }) : runtime.toEnv();
+}
+function formatEnvOutput(env) {
+  return Object.entries(env).sort(([left], [right]) => left.localeCompare(right)).map(([key, value]) => `${key}=${value}`).join("\n");
+}
+async function resolveMaterializedEnv(options = {}) {
+  const runtime = await createRuntimeService({
+    ...options,
+    cliArgs: [...options.cliArgs ?? []]
+  });
+  const env = resolveEnvFromRuntime(runtime, options.cliArgs ?? []);
+  return {
+    runtime,
+    env,
+    output: formatEnvOutput(env)
+  };
+}
+function resolveMaterializedEnvTarget(to, root = process.cwd()) {
+  return path2.resolve(root, to);
+}
+async function writeMaterializedEnvFile(to, output, root = process.cwd()) {
+  const targetPath = resolveMaterializedEnvTarget(to, root);
+  await mkdir(path2.dirname(targetPath), { recursive: true });
+  await writeFile(targetPath, output, "utf8");
+  return targetPath;
+}
+async function materializeEnvToFile(to, options = {}) {
+  const result = await resolveMaterializedEnv(options);
+  const targetPath = await writeMaterializedEnvFile(to, result.output, options.root ?? process.cwd());
+  return {
+    ...result,
+    targetPath
+  };
+}
+
+// src/commands/build.ts
+async function runBuild(subcommand, options = {}) {
+  if (subcommand !== "env") {
+    throw new Error(`Unsupported build target: ${subcommand ?? "(missing)"}`);
+  }
+  const infoArgs = [...options.cliArgs ?? []];
+  const isPublic = consumeFlag(infoArgs, "--public");
+  const framework = consumeOption(infoArgs, "--framework");
+  consumeOption(infoArgs, "--prefix");
+  const to = consumeOption(infoArgs, "--to");
+  if (!to) {
+    throw new Error("build env requires --to <path>");
+  }
+  const result = await materializeEnvToFile(to, {
+    ...options,
+    cliArgs: [...options.cliArgs ?? []]
+  });
+  if (options.json) {
+    return printJson({
+      to: result.targetPath,
+      count: Object.keys(result.env).length,
+      public: isPublic,
+      ...framework ? { framework } : {}
+    });
+  }
+  return `built env artifact at ${displayPath(result.targetPath, options.root ?? process.cwd())}`;
+}
+
+// src/commands/define.ts
+import path4 from "path";
+
 // src/services/writes.ts
+import { mkdir as mkdir2, readFile, writeFile as writeFile2 } from "fs/promises";
+import path3 from "path";
+import {
+  getNamespaceDefinition,
+  createSecretVaultProvider,
+  parseYaml,
+  resolveConfigDocumentPath,
+  resolveVaultAuth,
+  stringifyYaml
+} from "@kitsy/cnos/internal";
 function setNestedValue(target, pathSegments, value) {
   const [head, ...tail] = pathSegments;
   if (!head) {
@@ -330,14 +434,27 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
     };
   }
   const runtime = await createRuntimeService(options);
+  if (namespace !== "value" && namespace !== "secret" && !runtime.manifest.namespaces[namespace]) {
+    throw new Error(`Cannot write ${namespace}.${configPath} because namespace "${namespace}" is not declared in .cnos/cnos.yml.`);
+  }
+  const namespaceDefinition = getNamespaceDefinition(runtime.manifest, namespace);
+  if (namespaceDefinition.kind !== "data") {
+    throw new Error(`Cannot write ${namespace}.${configPath} because namespace "${namespace}" is not a data namespace.`);
+  }
+  if (namespaceDefinition.readonly) {
+    throw new Error(`Cannot write ${namespace}.${configPath} because namespace "${namespace}" is readonly.`);
+  }
+  if (namespaceDefinition.sensitive) {
+    throw new Error(`Cannot write ${namespace}.${configPath} with the generic data writer because namespace "${namespace}" is sensitive.`);
+  }
   const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
   const profile = options.profile ?? runtime.graph.profile;
   const filePath = resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile);
   const document = await readYamlDocument(filePath);
   const parsedValue = parseScalarValue(rawValue);
   setNestedValue(document, configPath.split("."), parsedValue);
-  await mkdir(path.dirname(filePath), { recursive: true });
-  await writeFile(filePath, stringifyYaml(document), "utf8");
+  await mkdir2(path3.dirname(filePath), { recursive: true });
+  await writeFile2(filePath, stringifyYaml(document), "utf8");
   return {
     filePath,
     value: parsedValue
@@ -374,8 +491,8 @@ async function setSecret(configPath, rawValue, options = {}) {
     };
   }
   setNestedValue(document, configPath.split("."), reference);
-  await mkdir(path.dirname(filePath), { recursive: true });
-  await writeFile(filePath, stringifyYaml(document), "utf8");
+  await mkdir2(path3.dirname(filePath), { recursive: true });
+  await writeFile2(filePath, stringifyYaml(document), "utf8");
   return {
     filePath,
     provider: reference.provider,
@@ -397,7 +514,7 @@ async function deleteSecret(configPath, options = {}) {
       deleted: false
     };
   }
-  await writeFile(filePath, stringifyYaml(document), "utf8");
+  await writeFile2(filePath, stringifyYaml(document), "utf8");
   const secretRef = metadata?.secretRef;
   if (isSecretReference(secretRef) && secretRef.provider === "local") {
     const definition = runtime.manifest.vaults[secretRef.vault ?? "default"];
@@ -418,6 +535,19 @@ async function deleteValue(namespace, configPath, options = {}) {
     return deleteSecret(configPath, options);
   }
   const runtime = await createRuntimeService(options);
+  if (namespace !== "value" && namespace !== "secret" && !runtime.manifest.namespaces[namespace]) {
+    throw new Error(`Cannot delete ${namespace}.${configPath} because namespace "${namespace}" is not declared in .cnos/cnos.yml.`);
+  }
+  const namespaceDefinition = getNamespaceDefinition(runtime.manifest, namespace);
+  if (namespaceDefinition.kind !== "data") {
+    throw new Error(`Cannot delete ${namespace}.${configPath} because namespace "${namespace}" is not a data namespace.`);
+  }
+  if (namespaceDefinition.readonly) {
+    throw new Error(`Cannot delete ${namespace}.${configPath} because namespace "${namespace}" is readonly.`);
+  }
+  if (namespaceDefinition.sensitive) {
+    throw new Error(`Cannot delete ${namespace}.${configPath} with the generic data writer because namespace "${namespace}" is sensitive.`);
+  }
   const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
   const profile = options.profile ?? runtime.graph.profile;
   const filePath = resolveConfigDocumentPath(workspaceRoot, namespace, configPath, profile);
@@ -429,7 +559,7 @@ async function deleteValue(namespace, configPath, options = {}) {
       deleted: false
     };
   }
-  await writeFile(filePath, stringifyYaml(document), "utf8");
+  await writeFile2(filePath, stringifyYaml(document), "utf8");
   return {
     filePath,
     deleted: true
@@ -439,6 +569,7 @@ async function deleteValue(namespace, configPath, options = {}) {
 // src/commands/define.ts
 async function runDefine(namespace, configPath, rawValue, options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path4.resolve(options.root ?? process.cwd());
   const target = consumeOption(cliArgs, "--target") ?? "local";
   const local = consumeFlag(cliArgs, "--local");
   const remote = consumeFlag(cliArgs, "--remote");
@@ -464,7 +595,194 @@ async function runDefine(namespace, configPath, rawValue, options = {}) {
       value: result.value
     });
   }
-  return `defined ${namespace}.${configPath} in ${result.filePath}`;
+  return `defined ${namespace}.${configPath} in ${displayPath(result.filePath, root)}`;
+}
+
+// src/services/spawn.ts
+import { spawn } from "child_process";
+function shouldUseShellForCommand(command) {
+  if (process.platform !== "win32") {
+    return false;
+  }
+  return !/[\\/]/.test(command);
+}
+function spawnCommand(command, options) {
+  const executable = command[0];
+  if (!executable) {
+    throw new Error("A command is required.");
+  }
+  return spawn(executable, command.slice(1), {
+    cwd: options.cwd,
+    env: options.env,
+    stdio: options.stdio ?? "inherit",
+    shell: shouldUseShellForCommand(executable)
+  });
+}
+
+// src/services/watchLoop.ts
+import { watch } from "fs";
+import { diffGraphs, watchFiles } from "@kitsy/cnos/internal";
+async function startGraphWatchLoop(options) {
+  const debounceMs = options.debounceMs ?? 300;
+  let current = await createRuntimeService(options);
+  const watcherMap = /* @__PURE__ */ new Map();
+  let timer;
+  let closed = false;
+  const attachWatcher = (targetPath, recursive = false) => {
+    if (watcherMap.has(targetPath)) {
+      return;
+    }
+    try {
+      const watcher = watch(
+        targetPath,
+        recursive ? {
+          recursive: true
+        } : void 0,
+        () => {
+          if (timer) {
+            clearTimeout(timer);
+          }
+          timer = setTimeout(() => {
+            void handleChange();
+          }, debounceMs);
+        }
+      );
+      watcherMap.set(targetPath, watcher);
+    } catch {
+      if (recursive) {
+        attachWatcher(targetPath, false);
+      }
+    }
+  };
+  const refreshWatchers = async () => {
+    const nextTargets = await watchFiles(current, options.root);
+    attachWatcher(nextTargets.manifestPath, false);
+    for (const workspaceRoot of nextTargets.roots) {
+      attachWatcher(workspaceRoot, true);
+    }
+    for (const filePath of nextTargets.files) {
+      attachWatcher(filePath, false);
+    }
+  };
+  const handleChange = async () => {
+    if (closed) {
+      return;
+    }
+    const next = await createRuntimeService(options);
+    const changedKeys = diffGraphs(current.graph, next.graph);
+    current = next;
+    await refreshWatchers();
+    if (changedKeys.length === 0) {
+      return;
+    }
+    await options.onChange?.({
+      runtime: next,
+      changedKeys
+    });
+  };
+  await refreshWatchers();
+  return {
+    async close() {
+      closed = true;
+      if (timer) {
+        clearTimeout(timer);
+      }
+      for (const watcher of watcherMap.values()) {
+        watcher.close();
+      }
+      watcherMap.clear();
+    }
+  };
+}
+
+// src/commands/dev.ts
+async function startDevEnvLoop(command, options = {}) {
+  if (command.length === 0) {
+    throw new Error("dev env requires a command after --");
+  }
+  const cliArgs = [...options.cliArgs ?? []];
+  const to = consumeOption(cliArgs, "--to");
+  const isSignal = consumeFlag(cliArgs, "--signal");
+  const debounceMs = Number(consumeOption(cliArgs, "--debounce") ?? "300");
+  if (!to) {
+    throw new Error("dev env requires --to <path>");
+  }
+  const root = options.root ?? process.cwd();
+  let child;
+  const writeCurrent = async () => {
+    await materializeEnvToFile(to, {
+      ...options,
+      cliArgs: [...cliArgs]
+    });
+  };
+  await writeCurrent();
+  if (!isSignal) {
+    child = spawnCommand(command, {
+      cwd: root,
+      env: process.env,
+      stdio: "inherit"
+    });
+  }
+  const watcher = await startGraphWatchLoop({
+    ...options,
+    cliArgs,
+    debounceMs,
+    async onChange(payload) {
+      await writeCurrent();
+      if (isSignal) {
+        process.stdout.write(`${printJson({ changedKeys: payload.changedKeys })}
+`);
+        return;
+      }
+      if (child && !child.killed) {
+        await new Promise((resolve) => {
+          child?.once("close", () => resolve());
+          child?.kill();
+        });
+      }
+      child = spawnCommand(command, {
+        cwd: root,
+        env: process.env,
+        stdio: "inherit"
+      });
+    }
+  });
+  return {
+    async close() {
+      await watcher.close();
+      if (child && !child.killed) {
+        await new Promise((resolve) => {
+          child?.once("close", () => resolve());
+          child?.kill();
+        });
+      }
+    }
+  };
+}
+async function runDev(subcommand, command, options = {}) {
+  if (subcommand !== "env") {
+    throw new Error(`Unsupported dev target: ${subcommand ?? "(missing)"}`);
+  }
+  const cliArgs = [...options.cliArgs ?? []];
+  const to = consumeOption(cliArgs, "--to");
+  const isSignal = consumeFlag(cliArgs, "--signal");
+  if (!to) {
+    throw new Error("dev env requires --to <path>");
+  }
+  if (command.length === 0) {
+    throw new Error("dev env requires a command after --");
+  }
+  const handle = await startDevEnvLoop(command, {
+    ...options,
+    cliArgs
+  });
+  const closeLoop = () => {
+    void handle.close();
+  };
+  process.once("SIGINT", closeLoop);
+  process.once("SIGTERM", closeLoop);
+  const targetPath = displayPath(to, options.root ?? process.cwd());
+  return isSignal ? `watching config changes and rewriting ${targetPath} in signal mode` : `watching config changes, rewriting ${targetPath}, and restarting the child process`;
 }
 
 // src/commands/drift.ts
@@ -517,7 +835,7 @@ async function runDiff(leftProfile, rightProfile, options = {}) {
 
 // src/services/doctor.ts
 import { readdir, readFile as readFile2 } from "fs/promises";
-import path2 from "path";
+import path5 from "path";
 import {
   detectLegacyVaultFormat,
   isSecretReference as isSecretReference2,
@@ -539,7 +857,7 @@ async function createValidationSummary(options = {}) {
 
 // src/services/doctor.ts
 async function checkGitignore(root) {
-  const gitignorePath = path2.join(root, ".gitignore");
+  const gitignorePath = path5.join(root, ".gitignore");
   const expected = [
     ".cnos/env/.env",
     ".cnos/env/.env.*",
@@ -574,12 +892,12 @@ async function collectYamlFiles(root) {
     const entries = await readdir(root, { withFileTypes: true });
     const results = [];
     for (const entry of entries) {
-      const target = path2.join(root, entry.name);
+      const target = path5.join(root, entry.name);
       if (entry.isDirectory()) {
         results.push(...await collectYamlFiles(target));
         continue;
       }
-      if (entry.isFile() && [".yml", ".yaml"].includes(path2.extname(entry.name).toLowerCase())) {
+      if (entry.isFile() && [".yml", ".yaml"].includes(path5.extname(entry.name).toLowerCase())) {
         results.push(target);
       }
     }
@@ -604,7 +922,7 @@ async function checkSecretSecurity(options, runtime) {
   );
   const legacyDetected = legacyPaths.filter((entry) => Boolean(entry.path));
   const secretFiles = await Promise.all(
-    runtime.graph.workspace.workspaceRoots.filter((root) => root.scope === "local").map((root) => collectYamlFiles(path2.join(root.path, "secrets")))
+    runtime.graph.workspace.workspaceRoots.filter((root) => root.scope === "local").map((root) => collectYamlFiles(path5.join(root.path, "secrets")))
   );
   const plaintextFiles = [];
   for (const file of secretFiles.flat()) {
@@ -634,10 +952,11 @@ async function checkSecretSecurity(options, runtime) {
   };
 }
 async function evaluateDoctor(options = {}) {
-  const root = path2.resolve(options.root ?? process.cwd());
+  const root = path5.resolve(options.root ?? process.cwd());
   const { runtime, summary } = await createValidationSummary(options);
   const localRoot = runtime.graph.workspace.workspaceRoots.find((entry) => entry.scope === "local");
   const globalRoot = runtime.graph.workspace.workspaceRoots.find((entry) => entry.scope === "global");
+  const declaredCustomNamespaces = Object.entries(runtime.manifest.namespaces).filter(([namespace]) => !["value", "secret", "meta", "process", "public", "env"].includes(namespace)).map(([namespace, definition]) => `${namespace}(${definition.kind}${definition.shareable ? ",shareable" : ""}${definition.readonly ? ",readonly" : ""})`).sort((left, right) => left.localeCompare(right));
   return [
     {
       name: "manifest",
@@ -649,6 +968,11 @@ async function evaluateDoctor(options = {}) {
       ok: true,
       details: `${runtime.graph.workspace.workspaceId} via ${runtime.graph.workspace.workspaceSource}`
     },
+    {
+      name: "namespaces",
+      ok: true,
+      details: declaredCustomNamespaces.length === 0 ? "built-ins: value, secret, meta, process, public, env" : `built-ins: value, secret, meta, process, public, env | custom: ${declaredCustomNamespaces.join(", ")}`
+    },
     {
       name: "source-roots",
       ok: Boolean(localRoot),
@@ -748,44 +1072,33 @@ async function runCodegen(options = {}) {
 }
 
 // src/commands/exportEnv.ts
-import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
-import path3 from "path";
-function formatEnvOutput(env) {
-  return Object.entries(env).sort(([left], [right]) => left.localeCompare(right)).map(([key, value]) => `${key}=${value}`).join("\n");
-}
 async function runExportEnv(options = {}) {
-  const cliArgs = [...options.cliArgs ?? []];
-  const isPublic = consumeFlag(cliArgs, "--public");
-  const framework = consumeOption(cliArgs, "--framework");
-  const prefix = consumeOption(cliArgs, "--prefix");
-  const to = consumeOption(cliArgs, "--to");
-  const runtime = await createRuntimeService({
+  const infoArgs = [...options.cliArgs ?? []];
+  const isPublic = consumeFlag(infoArgs, "--public");
+  const framework = consumeOption(infoArgs, "--framework");
+  consumeOption(infoArgs, "--prefix");
+  const to = consumeOption(infoArgs, "--to");
+  const baseOptions = {
     ...options,
-    cliArgs
-  });
-  const env = isPublic ? runtime.toPublicEnv({
-    ...framework ? { framework } : {},
-    ...prefix ? { prefix } : {}
-  }) : runtime.toEnv();
-  const output = formatEnvOutput(env);
+    cliArgs: [...options.cliArgs ?? []]
+  };
   if (to) {
-    const targetPath = path3.resolve(options.root ?? process.cwd(), to);
-    await mkdir2(path3.dirname(targetPath), { recursive: true });
-    await writeFile2(targetPath, output, "utf8");
+    const result2 = await materializeEnvToFile(to, baseOptions);
     if (options.json) {
       return printJson({
-        to: targetPath,
-        count: Object.keys(env).length,
+        to: result2.targetPath,
+        count: Object.keys(result2.env).length,
         public: isPublic,
         ...framework ? { framework } : {}
       });
     }
-    return `Wrote ${Object.keys(env).length} env vars to ${targetPath}`;
+    return `Wrote ${Object.keys(result2.env).length} env vars to ${displayPath(result2.targetPath, options.root ?? process.cwd())}`;
   }
+  const result = await resolveMaterializedEnv(baseOptions);
   if (options.json) {
-    return printJson(env);
+    return printJson(result.env);
   }
-  return output;
+  return result.output;
 }
 
 // src/commands/export.ts
@@ -1001,7 +1314,7 @@ var COMMANDS = [
     id: "vault create",
     summary: "Create a manifest-defined vault.",
     usage: "cnos vault create <name> [--provider <local|github-secrets>] [--no-passphrase] [global-options]",
-    description: "Creates a vault definition in .cnos/cnos.yml and, for local vaults, initializes the encrypted store under ~/.cnos/secrets.",
+    description: "Creates a vault definition in .cnos/cnos.yml and, for local vaults, initializes the encrypted store under ~/.cnos/secrets. CNOS prompts for a passphrase when one is not already available from env or keychain.",
     examples: [
       "cnos vault create local-dev",
       "cnos vault create github-ci --provider github-secrets --no-passphrase"
@@ -1011,7 +1324,7 @@ var COMMANDS = [
     id: "vault auth",
     summary: "Authenticate a vault for the current shell session.",
     usage: "cnos vault auth <name> [--store-keychain] [global-options]",
-    description: "Authenticates a local vault using env, keychain, or prompt-based auth and stores a derived session key for later CNOS commands in the same shell.",
+    description: "Authenticates an existing local vault using env, keychain, or prompt-based auth and stores a derived session key for later CNOS commands in the same shell. Wrong passphrases fail authentication.",
     examples: ["cnos vault auth local-dev", "cnos vault auth local-dev --store-keychain"]
   },
   {
@@ -1084,11 +1397,11 @@ var COMMANDS = [
   {
     id: "list",
     summary: "List resolved config entries.",
-    usage: "cnos list [value|secret|meta|env|public|all] [--prefix <path>] [--framework <name>] [global-options]",
-    description: "Lists stored config or derived projections across one namespace or the full effective graph, with optional prefix filtering.",
+    usage: "cnos list [<namespace>|all] [--prefix <path>] [--framework <name>] [global-options]",
+    description: "Lists stored config or derived projections across one namespace or the full effective graph, with optional prefix filtering. Custom data namespaces such as flags are supported, and process exposes server-only ambient runtime state.",
     options: [
       {
-        flag: "--namespace <value|secret|meta|env|public|all>",
+        flag: "--namespace <name>",
         description: "Explicit namespace selector when not using a positional namespace argument."
       },
       {
@@ -1100,7 +1413,7 @@ var COMMANDS = [
         description: "When listing public output, apply framework-specific prefixes such as vite or next."
       }
     ],
-    examples: ["cnos list", "cnos list value --prefix app.", "cnos list env", "cnos list public --framework vite"]
+    examples: ["cnos list", "cnos list value --prefix app.", "cnos list flags", "cnos list process --prefix env.PATH", "cnos list env", "cnos list public --framework vite"]
   },
   {
     id: "profile",
@@ -1110,11 +1423,16 @@ var COMMANDS = [
     options: [
       {
         flag: "--inherit <name>",
-        description: "Parent profile to extend when creating a profile."
+        description: "Parent profile to extend when creating a profile. Base inheritance is implicit by default."
+      },
+      {
+        flag: "--no-inherit",
+        description: "Create a clean profile that does not inherit base fallback layers."
       }
     ],
     examples: [
-      "cnos profile create stage --inherit base",
+      "cnos profile create stage",
+      "cnos profile create isolated --no-inherit",
       "cnos profile list",
       "cnos profile use stage"
     ]
@@ -1122,9 +1440,9 @@ var COMMANDS = [
   {
     id: "profile create",
     summary: "Create a profile definition.",
-    usage: "cnos profile create <name> [--inherit <name>] [--root <path>] [--json]",
-    description: "Creates .cnos/profiles/<name>.yml for an explicit profile overlay.",
-    examples: ["cnos profile create stage --inherit base"]
+    usage: "cnos profile create <name> [--inherit <name> | --no-inherit] [--root <path>] [--json]",
+    description: "Creates .cnos/profiles/<name>.yml for an explicit profile overlay. New profiles inherit base by default unless --no-inherit is set.",
+    examples: ["cnos profile create stage", "cnos profile create isolated --no-inherit"]
   },
   {
     id: "profile list",
@@ -1151,7 +1469,7 @@ var COMMANDS = [
     id: "promote",
     summary: "Promote shareable config into public or env projection surfaces.",
     usage: "cnos promote <key...> --to <public|env> [--as <ENV_VAR>] [global-options]",
-    description: "Adds keys to public.promote or envMapping.explicit in .cnos/cnos.yml. Sensitive or non-shareable namespaces are rejected.",
+    description: "Adds keys to public.promote or envMapping.explicit in .cnos/cnos.yml. Sensitive or non-shareable namespaces are rejected, but declared shareable data namespaces such as flags are allowed.",
     options: [
       {
         flag: "--to <public|env>",
@@ -1164,6 +1482,7 @@ var COMMANDS = [
     ],
     examples: [
       "cnos promote value.flag.auth.upi_enabled --to public",
+      "cnos promote flags.upi_enabled --to public",
       "cnos promote value.server.port --to env --as PORT"
     ]
   },
@@ -1240,6 +1559,52 @@ var COMMANDS = [
       "cnos export env --public --framework next --workspace webapp"
     ]
   },
+  {
+    id: "build",
+    summary: "Build derived configuration artifacts from CNOS.",
+    usage: "cnos build <subcommand> [options] [global-options]",
+    description: "Builds deterministic derived outputs from the selected workspace. Currently supports env artifact generation.",
+    arguments: [
+      {
+        name: "subcommand",
+        description: "Supported value: env.",
+        required: true
+      }
+    ],
+    examples: [
+      "cnos build env --profile local --to .env.local",
+      "cnos build env --public --framework vite --profile prod --to .env.production"
+    ]
+  },
+  {
+    id: "build env",
+    summary: "Build a flat env-file artifact from CNOS.",
+    usage: "cnos build env --to <path> [--public] [--framework <name>] [--prefix <prefix>] [global-options]",
+    description: "Builds a deterministic KEY=VALUE artifact for legacy build and runtime workflows. The target file is derived output, not the CNOS source of truth.",
+    options: [
+      {
+        flag: "--to <path>",
+        description: "Write the rendered KEY=VALUE output to a file. Required."
+      },
+      {
+        flag: "--public",
+        description: "Build only public values based on manifest promotion rules."
+      },
+      {
+        flag: "--framework <name>",
+        description: "Apply framework-specific public env conventions such as vite or next."
+      },
+      {
+        flag: "--prefix <prefix>",
+        description: "Override the generated public env prefix."
+      }
+    ],
+    examples: [
+      "cnos build env --profile local --to .env.local",
+      "cnos build env --profile stage --to .env.stage",
+      "cnos build env --public --framework vite --to .env.local"
+    ]
+  },
   {
     id: "export env",
     summary: "Render environment variables for the selected workspace.",
@@ -1269,6 +1634,60 @@ var COMMANDS = [
       "cnos export env --public --framework vite --to .env.local --workspace api"
     ]
   },
+  {
+    id: "dev",
+    summary: "Run watched CNOS-driven development workflows.",
+    usage: "cnos dev <subcommand> [options] [global-options] -- <command...>",
+    description: "Runs higher-level development workflows that derive config artifacts from CNOS and keep them up to date while a child process is running.",
+    arguments: [
+      {
+        name: "subcommand",
+        description: "Supported value: env.",
+        required: true
+      }
+    ],
+    examples: [
+      "cnos dev env --profile local --to .env.local -- pnpm dev",
+      "cnos dev env --public --framework vite --to .env.local -- pnpm dev"
+    ]
+  },
+  {
+    id: "dev env",
+    summary: "Watch CNOS config, rewrite an env file, and restart a child process.",
+    usage: "cnos dev env --to <path> [--public] [--framework <name>] [--prefix <prefix>] [--debounce <ms>] [--signal] [global-options] -- <command...>",
+    description: "Writes a derived env file before first launch, watches CNOS inputs, rewrites the file on change, and restarts the child process by default.",
+    options: [
+      {
+        flag: "--to <path>",
+        description: "Write the rendered KEY=VALUE output to a file. Required."
+      },
+      {
+        flag: "--public",
+        description: "Build only public values based on manifest promotion rules."
+      },
+      {
+        flag: "--framework <name>",
+        description: "Apply framework-specific public env conventions such as vite or next."
+      },
+      {
+        flag: "--prefix <prefix>",
+        description: "Override the generated public env prefix."
+      },
+      {
+        flag: "--debounce <ms>",
+        description: "Debounce config changes before rebuilding the env artifact. Defaults to 300ms."
+      },
+      {
+        flag: "--signal",
+        description: "Rewrite the env artifact and emit changed keys as JSON instead of restarting the child process."
+      }
+    ],
+    examples: [
+      "cnos dev env --profile local --to .env.local -- pnpm dev",
+      "cnos dev env --profile stage --to .env.stage -- node server.js",
+      "cnos dev env --public --framework vite --to .env.local --signal -- pnpm dev"
+    ]
+  },
   {
     id: "dump",
     summary: "Materialize the selected workspace into files.",
@@ -1473,6 +1892,8 @@ var HELP_DOCUMENT = {
   examples: [
     "cnos use --profile stage",
     "cnos doctor --workspace api",
+    "cnos build env --profile stage --to .env.stage",
+    "cnos dev env --profile local --to .env.local -- pnpm dev",
     "cnos export env --public --framework vite",
     "cnos export env --public --framework next",
     "cnos help-ai --format json"
@@ -1586,11 +2007,11 @@ function runHelpAi(topic, cliArgs = []) {
 }
 
 // src/commands/init.ts
-import path5 from "path";
+import path7 from "path";
 
 // src/services/scaffold.ts
 import { mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
-import path4 from "path";
+import path6 from "path";
 function scaffoldManifest(projectName, workspace) {
   const lines = [
     "version: 1",
@@ -1629,7 +2050,7 @@ async function ensureFile(filePath, content) {
   }
 }
 async function ensureGitignore(root) {
-  const gitignorePath = path4.join(root, ".gitignore");
+  const gitignorePath = path6.join(root, ".gitignore");
   const requiredEntries = [
     ".cnos/env/.env",
     ".cnos/env/.env.*",
@@ -1657,13 +2078,13 @@ async function ensureGitignore(root) {
   return true;
 }
 async function scaffoldWorkspace(root, workspace) {
-  const cnosRoot = path4.join(root, ".cnos");
-  const workspaceRoot = workspace ? path4.join(cnosRoot, "workspaces", workspace) : cnosRoot;
+  const cnosRoot = path6.join(root, ".cnos");
+  const workspaceRoot = workspace ? path6.join(cnosRoot, "workspaces", workspace) : cnosRoot;
   const createdPaths = [];
-  await mkdir3(path4.join(workspaceRoot, "profiles"), { recursive: true });
-  await mkdir3(path4.join(workspaceRoot, "values"), { recursive: true });
-  await mkdir3(path4.join(workspaceRoot, "secrets"), { recursive: true });
-  await mkdir3(path4.join(workspaceRoot, "env"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "profiles"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "values"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "secrets"), { recursive: true });
+  await mkdir3(path6.join(workspaceRoot, "env"), { recursive: true });
   const relativePaths = workspace ? [
     ["workspaces", workspace, "profiles", ".gitkeep"],
     ["workspaces", workspace, "values", ".gitkeep"],
@@ -1676,15 +2097,15 @@ async function scaffoldWorkspace(root, workspace) {
     ["env", ".gitkeep"]
   ];
   for (const relativePath of relativePaths) {
-    const filePath = path4.join(cnosRoot, ...relativePath);
+    const filePath = path6.join(cnosRoot, ...relativePath);
     if (await ensureFile(filePath, "")) {
-      createdPaths.push(path4.relative(root, filePath).replace(/\\/g, "/"));
+      createdPaths.push(path6.relative(root, filePath).replace(/\\/g, "/"));
     }
   }
-  if (await ensureFile(path4.join(cnosRoot, "cnos.yml"), scaffoldManifest(path4.basename(root), workspace))) {
+  if (await ensureFile(path6.join(cnosRoot, "cnos.yml"), scaffoldManifest(path6.basename(root), workspace))) {
     createdPaths.push(".cnos/cnos.yml");
   }
-  if (workspace && await ensureFile(path4.join(root, ".cnos-workspace.yml"), `workspace: ${workspace}
+  if (workspace && await ensureFile(path6.join(root, ".cnos-workspace.yml"), `workspace: ${workspace}
 globalRoot: ~/.cnos
 `)) {
     createdPaths.push(".cnos-workspace.yml");
@@ -1701,7 +2122,7 @@ globalRoot: ~/.cnos
 
 // src/commands/init.ts
 async function runInit(options = {}) {
-  const root = path5.resolve(options.root ?? process.cwd());
+  const root = path7.resolve(options.root ?? process.cwd());
   const result = await scaffoldWorkspace(root, options.workspace);
   if (options.json) {
     return printJson(result);
@@ -1793,7 +2214,7 @@ function matchesPrefix(key, prefix) {
   return key.startsWith(prefix) || key.split(".").slice(1).join(".").startsWith(prefix);
 }
 function toStoredEntry(namespace, entry, filter = {}) {
-  const sourceId = namespace === "value" ? "filesystem-values" : "filesystem-secrets";
+  const sourceId = namespace === "secret" ? "filesystem-secrets" : "filesystem-values";
   const candidates = [entry.winner, ...entry.overridden].filter((candidate) => candidate.sourceId === sourceId);
   if (candidates.length === 0) {
     return void 0;
@@ -1814,16 +2235,16 @@ function listStoredNamespace(namespace, options) {
 }
 function listProjectedNamespace(namespace, options) {
   return createRuntimeService(options).then((runtime) => {
-    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? runtime.toEnv() : runtime.toPublicEnv({
+    const projected = namespace === "meta" ? flattenObject2(runtime.toNamespace("meta")) : namespace === "env" ? runtime.toEnv() : namespace === "public" ? runtime.toPublicEnv({
       ...options.framework ? {
         framework: options.framework
       } : {}
-    });
+    }) : flattenObject2(runtime.toNamespace(namespace));
     const entries = namespace === "env" ? Object.entries(projected).map(([envVar, value]) => ({
       key: envVar,
       value
     })) : Object.entries(projected).map(([key, value]) => ({
-      key: namespace === "meta" ? `meta.${key}` : key,
+      key: namespace === "meta" || namespace === "process" ? `${namespace}.${key}` : key,
       value
     }));
     return entries.filter((entry) => entry.value !== void 0).filter((entry) => matchesPrefix(entry.key, options.prefix)).sort((left, right) => left.key.localeCompare(right.key));
@@ -1833,15 +2254,21 @@ async function listConfigEntries(namespace, options = {}) {
   if (namespace === "value" || namespace === "secret") {
     return listStoredNamespace(namespace, options);
   }
-  if (namespace === "meta" || namespace === "env" || namespace === "public") {
+  if (namespace === "meta" || namespace === "env" || namespace === "public" || namespace === "process") {
     return listProjectedNamespace(namespace, options);
   }
-  const [values, secrets, meta] = await Promise.all([
-    listStoredNamespace("value", options),
-    listStoredNamespace("secret", options),
-    listProjectedNamespace("meta", options)
-  ]);
-  return [...values, ...secrets, ...meta].sort((left, right) => left.key.localeCompare(right.key));
+  if (namespace !== "all") {
+    return listStoredNamespace(namespace, options);
+  }
+  const runtime = await createRuntimeService(options);
+  const namespaces = Array.from(
+    new Set(
+      Array.from(runtime.graph.entries.values()).map((entry) => entry.namespace).filter((entry) => entry !== "meta" && entry !== "env" && entry !== "public")
+    )
+  ).sort((left, right) => left.localeCompare(right));
+  const stored = await Promise.all(namespaces.map((entry) => listStoredNamespace(entry, options)));
+  const meta = await listProjectedNamespace("meta", options);
+  return [...stored.flat(), ...meta].sort((left, right) => left.key.localeCompare(right.key));
 }
 
 // src/commands/list.ts
@@ -1858,13 +2285,16 @@ function normalizeNamespace(value) {
   if (value === "meta") {
     return "meta";
   }
+  if (value === "process") {
+    return "process";
+  }
   if (value === "env") {
     return "env";
   }
   if (value === "public") {
     return "public";
   }
-  throw new Error(`Unsupported list namespace: ${value}`);
+  return value;
 }
 async function runList(args = [], options = {}) {
   const cliArgs = [...options.cliArgs ?? []];
@@ -1887,7 +2317,7 @@ async function runList(args = [], options = {}) {
 }
 
 // src/commands/migrate.ts
-import path6 from "path";
+import path8 from "path";
 import {
   applyManifestMappings,
   loadManifest,
@@ -1905,7 +2335,7 @@ async function runMigrate(options = {}) {
     throw new Error(`Unknown migrate options: ${cliArgs.join(" ")}`);
   }
   const manifest = await loadManifest(options.root ? { root: options.root } : {});
-  const scanRoot = path6.resolve(manifest.repoRoot, scan ?? "src");
+  const scanRoot = path8.resolve(manifest.repoRoot, scan ?? "src");
   const usages = await scanEnvUsage(scanRoot);
   const uniqueProposals = new Map(usages.map((usage) => [usage.envVar, proposeMapping(usage.envVar)]));
   const proposals = Array.from(uniqueProposals.values()).sort((left, right) => left.envVar.localeCompare(right.envVar));
@@ -1966,33 +2396,118 @@ async function runMigrate(options = {}) {
   return lines.join("\n");
 }
 
+// src/commands/namespace.ts
+import path9 from "path";
+function normalizeCommand2(args) {
+  const [actionOrPath, ...tail] = args;
+  if (!actionOrPath) {
+    return {
+      action: "list",
+      tail: []
+    };
+  }
+  if (["get", "set", "create", "add", "list", "delete", "remove"].includes(actionOrPath)) {
+    return {
+      action: actionOrPath === "remove" ? "delete" : actionOrPath === "create" || actionOrPath === "add" ? "set" : actionOrPath,
+      tail
+    };
+  }
+  return {
+    action: "get",
+    tail: args
+  };
+}
+async function runNamespace(namespace, args = [], options = {}) {
+  const { action, tail } = normalizeCommand2(args);
+  const cliArgs = [...options.cliArgs ?? []];
+  const root = path9.resolve(options.root ?? process.cwd());
+  if (action === "list") {
+    const prefix = consumeOption(cliArgs, "--prefix");
+    const entries = await listConfigEntries(namespace, {
+      ...options,
+      cliArgs,
+      ...prefix ? { prefix } : {}
+    });
+    if (options.json) {
+      return printJson(entries);
+    }
+    return entries.map((entry) => `${entry.key}=${printValue(entry.value)}`).join("\n");
+  }
+  if (action === "set") {
+    const configPath2 = tail[0] ?? "app.name";
+    const rawValue = tail[1] ?? "";
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await defineValue(namespace, configPath2, rawValue, {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson({
+        namespace,
+        path: configPath2,
+        target,
+        filePath: result.filePath,
+        value: result.value
+      });
+    }
+    return `set ${namespace}.${configPath2} in ${displayPath(result.filePath, root)}`;
+  }
+  if (action === "delete") {
+    const configPath2 = tail[0] ?? "app.name";
+    const target = consumeOption(cliArgs, "--target") ?? "local";
+    const result = await deleteValue(namespace, configPath2, {
+      ...options,
+      cliArgs,
+      target
+    });
+    if (options.json) {
+      return printJson(result);
+    }
+    return result.deleted ? `deleted ${namespace}.${configPath2} from ${displayPath(result.filePath, root)}` : `no ${namespace}.${configPath2} found in ${displayPath(result.filePath, root)}`;
+  }
+  const runtime = await createRuntimeService(options);
+  const configPath = tail[0] ?? "app.name";
+  const value = runtime.read(`${namespace}.${configPath}`);
+  if (value === void 0) {
+    throw new Error(`Missing CNOS ${namespace} path: ${configPath}`);
+  }
+  if (options.json) {
+    return printJson({
+      key: `${namespace}.${configPath}`,
+      value
+    });
+  }
+  return printValue(value);
+}
+
 // src/commands/onboard.ts
 import { copyFile, readdir as readdir2, rm } from "fs/promises";
-import path7 from "path";
+import path10 from "path";
 var ROOT_ENV_FILE_PATTERN = /^\.env(?:\.[A-Za-z0-9_-]+)*(?:\.example)?$/;
 async function listRootEnvFiles(root) {
   const entries = await readdir2(root, { withFileTypes: true });
   return entries.filter((entry) => entry.isFile() && ROOT_ENV_FILE_PATTERN.test(entry.name)).map((entry) => entry.name).sort((left, right) => left.localeCompare(right));
 }
 async function runOnboard(options = {}) {
-  const root = path7.resolve(options.root ?? process.cwd());
-  const workspace = options.workspace ?? path7.basename(root);
+  const root = path10.resolve(options.root ?? process.cwd());
+  const workspace = options.workspace ?? path10.basename(root);
   const cliArgs = [...options.cliArgs ?? []];
   const move = consumeFlag(cliArgs, "--move");
   if (cliArgs.length > 0) {
     throw new Error(`Unsupported onboard arguments: ${cliArgs.join(" ")}`);
   }
   const scaffold = await scaffoldWorkspace(root, workspace);
-  const envRoot = path7.join(root, ".cnos", "workspaces", workspace, "env");
+  const envRoot = path10.join(root, ".cnos", "workspaces", workspace, "env");
   const rootFiles = await listRootEnvFiles(root);
   const imported = [];
   const skipped = [];
   for (const fileName of rootFiles) {
-    const sourcePath = path7.join(root, fileName);
-    const targetPath = path7.join(envRoot, fileName);
+    const sourcePath = path10.join(root, fileName);
+    const targetPath = path10.join(envRoot, fileName);
     try {
       await copyFile(sourcePath, targetPath);
-      imported.push(path7.relative(root, targetPath).replace(/\\/g, "/"));
+      imported.push(path10.relative(root, targetPath).replace(/\\/g, "/"));
       if (move) {
         await rm(sourcePath);
       }
@@ -2017,14 +2532,14 @@ async function runOnboard(options = {}) {
 }
 
 // src/commands/profile.ts
-import path10 from "path";
+import path13 from "path";
 
 // src/services/context.ts
 import { readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
-import path8 from "path";
+import path11 from "path";
 import { parseYaml as parseYaml3, stringifyYaml as stringifyYaml2 } from "@kitsy/cnos/internal";
 async function loadCliContext(root = process.cwd()) {
-  const filePath = path8.join(path8.resolve(root), ".cnos-workspace.yml");
+  const filePath = path11.join(path11.resolve(root), ".cnos-workspace.yml");
   try {
     const source = await readFile4(filePath, "utf8");
     const parsed = parseYaml3(source);
@@ -2037,8 +2552,8 @@ async function loadCliContext(root = process.cwd()) {
   }
 }
 async function saveCliContext(options = {}) {
-  const root = path8.resolve(options.root ?? process.cwd());
-  const filePath = path8.join(root, ".cnos-workspace.yml");
+  const root = path11.resolve(options.root ?? process.cwd());
+  const filePath = path11.join(root, ".cnos-workspace.yml");
   const current = await loadCliContext(root);
   const next = {
     ...current.workspace ? { workspace: current.workspace } : {},
@@ -2057,12 +2572,19 @@ async function saveCliContext(options = {}) {
 
 // src/services/profiles.ts
 import { mkdir as mkdir4, readdir as readdir3, readFile as readFile5, rm as rm2, writeFile as writeFile5 } from "fs/promises";
-import path9 from "path";
+import path12 from "path";
 import { parseYaml as parseYaml4, stringifyYaml as stringifyYaml3 } from "@kitsy/cnos/internal";
-async function createProfileDefinition(root = process.cwd(), profile, inherit) {
-  const filePath = path9.join(path9.resolve(root), ".cnos", "profiles", `${profile}.yml`);
-  await mkdir4(path9.dirname(filePath), { recursive: true });
-  const document = inherit && inherit !== "base" ? {
+async function createProfileDefinition(root = process.cwd(), profile, inherit, options = {}) {
+  const filePath = path12.join(path12.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  await mkdir4(path12.dirname(filePath), { recursive: true });
+  const document = options.noInherit ? {
+    name: profile,
+    activate: {
+      values: [`profiles/${profile}/values`, `values/${profile}`],
+      secrets: [`profiles/${profile}/secrets`, `secrets/${profile}`],
+      envFiles: [`.env.${profile}`]
+    }
+  } : inherit && inherit !== "base" ? {
     name: profile,
     extends: [inherit]
   } : {
@@ -2072,11 +2594,12 @@ async function createProfileDefinition(root = process.cwd(), profile, inherit) {
   return {
     filePath,
     profile,
-    ...inherit ? { inherit } : {}
+    ...inherit ? { inherit } : {},
+    ...options.noInherit ? { noInherit: true } : {}
   };
 }
 async function listProfiles(root = process.cwd()) {
-  const profilesRoot = path9.join(path9.resolve(root), ".cnos", "profiles");
+  const profilesRoot = path12.join(path12.resolve(root), ".cnos", "profiles");
   try {
     const entries = await readdir3(profilesRoot, { withFileTypes: true });
     const discovered = /* @__PURE__ */ new Set(["base"]);
@@ -2091,7 +2614,7 @@ async function listProfiles(root = process.cwd()) {
   }
 }
 async function deleteProfileDefinition(root = process.cwd(), profile) {
-  const filePath = path9.join(path9.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  const filePath = path12.join(path12.resolve(root), ".cnos", "profiles", `${profile}.yml`);
   try {
     await rm2(filePath);
     return {
@@ -2111,7 +2634,7 @@ async function readProfileDefinition(root = process.cwd(), profile = "base") {
       name: "base"
     };
   }
-  const filePath = path9.join(path9.resolve(root), ".cnos", "profiles", `${profile}.yml`);
+  const filePath = path12.join(path12.resolve(root), ".cnos", "profiles", `${profile}.yml`);
   try {
     return parseYaml4(await readFile5(filePath, "utf8")) ?? void 0;
   } catch {
@@ -2135,16 +2658,23 @@ function normalizeProfileAction(args) {
 }
 async function runProfile(args, options = {}) {
   const { action, tail } = normalizeProfileAction(args);
-  const root = path10.resolve(options.root ?? process.cwd());
+  const root = path13.resolve(options.root ?? process.cwd());
   const cliArgs = [...options.cliArgs ?? []];
   if (action === "create") {
     const profile = tail[0] ?? "stage";
     const inherit = consumeOption(cliArgs, "--inherit");
-    const result = await createProfileDefinition(root, profile, inherit);
+    const noInherit = consumeFlag(cliArgs, "--no-inherit");
+    if (inherit && noInherit) {
+      throw new Error("profile create accepts either --inherit <name> or --no-inherit, not both");
+    }
+    const result = await createProfileDefinition(root, profile, inherit, { noInherit });
     if (options.json) {
       return printJson(result);
     }
-    return `created profile ${profile} at ${result.filePath}`;
+    if (noInherit) {
+      return `created profile ${profile} at ${displayPath(result.filePath, root)} without inheriting base`;
+    }
+    return `created profile ${profile} at ${displayPath(result.filePath, root)}; inherits values from base by default`;
   }
   if (action === "use") {
     const profile = tail[0] ?? "base";
@@ -2155,7 +2685,7 @@ async function runProfile(args, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return `active profile set to ${profile} in ${result.filePath}`;
+    return `active profile set to ${profile} in ${displayPath(result.filePath, root)}`;
   }
   if (action === "delete") {
     const profile = tail[0] ?? "base";
@@ -2179,6 +2709,7 @@ async function runProfile(args, options = {}) {
 }
 
 // src/commands/promote.ts
+import path14 from "path";
 import { writeFile as writeFile6 } from "fs/promises";
 import {
   ensureProjectionAllowed,
@@ -2195,6 +2726,7 @@ function sortRecord(record) {
   return Object.fromEntries(Object.entries(record).sort(([left], [right]) => left.localeCompare(right)));
 }
 async function runPromote(args = [], options = {}) {
+  const root = path14.resolve(options.root ?? process.cwd());
   const cliArgs = [...options.cliArgs ?? []];
   const target = normalizeTarget(consumeOption(cliArgs, "--to"));
   const alias = consumeOption(cliArgs, "--as");
@@ -2242,7 +2774,7 @@ async function runPromote(args = [], options = {}) {
       manifestPath: loadedManifest.manifestPath
     });
   }
-  return target === "public" ? `promoted ${keys.join(", ")} to public in ${loadedManifest.manifestPath}` : `promoted ${keys[0]} to env as ${alias} in ${loadedManifest.manifestPath}`;
+  return target === "public" ? `promoted ${keys.join(", ")} to public in ${displayPath(loadedManifest.manifestPath, root)}` : `promoted ${keys[0]} to env as ${alias} in ${displayPath(loadedManifest.manifestPath, root)}`;
 }
 
 // src/commands/read.ts
@@ -2253,7 +2785,9 @@ async function runRead(key, options = {}) {
     throw new Error(`Missing CNOS config key: ${key}`);
   }
   const isSecret = key.startsWith("secret.");
-  const valueForOutput = isSecret ? maskSecretValue(value) : value;
+  const cliArgs = [...options.cliArgs ?? []];
+  const reveal = consumeFlag(cliArgs, "--reveal");
+  const valueForOutput = isSecret && !reveal ? maskSecretValue(value) : value;
   if (options.json) {
     return printJson({ key, value: valueForOutput });
   }
@@ -2261,7 +2795,6 @@ async function runRead(key, options = {}) {
 }
 
 // src/commands/run.ts
-import { spawn } from "child_process";
 import {
   CNOS_GRAPH_ENV_VAR,
   CNOS_SECRET_PAYLOAD_ENV_VAR,
@@ -2335,11 +2868,10 @@ async function runCommand(command, options = {}) {
       reject(new Error("run requires a command after --"));
       return;
     }
-    const child = spawn(executable, command.slice(1), {
+    const child = spawnCommand(command, {
       cwd: options.root ?? process.cwd(),
       env,
-      stdio: options.stdio === "pipe" ? "pipe" : "inherit",
-      shell: false
+      stdio: options.stdio === "pipe" ? "pipe" : "inherit"
     });
     let stdout = "";
     let stderr = "";
@@ -2362,14 +2894,21 @@ async function runCommand(command, options = {}) {
   });
 }
 
+// src/commands/secret.ts
+import path17 from "path";
+
+// src/commands/vault.ts
+import path16 from "path";
+
 // src/services/vaults.ts
 import { rm as rm3, writeFile as writeFile7 } from "fs/promises";
-import path11 from "path";
+import path15 from "path";
 import {
   clearAllVaultSessionKeys,
   clearVaultSessionKey,
   createSecretVault,
   deriveVaultKey,
+  listLocalSecrets,
   loadManifest as loadManifest3,
   listSecretVaults,
   readVaultMetadata,
@@ -2380,6 +2919,21 @@ import {
   writeKeychain,
   writeVaultSessionKey
 } from "@kitsy/cnos/internal";
+function buildVaultDefinition(vault, provider) {
+  return provider === "local" ? {
+    provider: "local",
+    auth: {
+      passphrase: {
+        from: defaultLocalAuthSources(vault)
+      }
+    }
+  } : {
+    provider,
+    auth: {
+      method: "environment"
+    }
+  };
+}
 function sortVaults(vaults) {
   return Object.fromEntries(Object.entries(vaults).sort(([left], [right]) => left.localeCompare(right)));
 }
@@ -2394,27 +2948,27 @@ async function createVaultDefinition(name, options = {}) {
     throw new Error("Local vaults cannot be passwordless.");
   }
   const loadedManifest = await loadManifest3(options.root ? { root: options.root } : {});
+  const vaultDefinition = buildVaultDefinition(vault, provider);
   const rawManifest = {
     ...loadedManifest.rawManifest,
     vaults: {
       ...loadedManifest.rawManifest.vaults ?? {},
-      [vault]: provider === "local" ? {
-        provider: "local",
-        auth: {
-          passphrase: {
-            from: defaultLocalAuthSources(vault)
-          }
-        }
-      } : {
-        provider,
-        auth: {
-          method: "environment"
-        }
-      }
+      [vault]: vaultDefinition
     }
   };
   await writeFile7(loadedManifest.manifestPath, stringifyYaml5(rawManifest), "utf8");
-  const definition = resolveVaultDefinition({ [vault]: rawManifest.vaults[vault] }, vault);
+  const definition = resolveVaultDefinition({ [vault]: vaultDefinition }, vault);
+  if (provider === "local") {
+    const auth = await resolveVaultAuth2(vault, vaultDefinition, options.processEnv ?? process.env);
+    if (!auth.passphrase) {
+      throw new Error(`Vault "${vault}" requires passphrase-based authentication during creation.`);
+    }
+    const storeRoot = resolveSecretStoreRoot2(options.processEnv);
+    const existing = await readVaultMetadata(storeRoot, vault);
+    if (!existing) {
+      await createSecretVault(storeRoot, vault, auth.passphrase);
+    }
+  }
   return {
     ...definition,
     authMethod: definition.auth?.method ?? (provider === "local" ? "passphrase" : "environment"),
@@ -2454,7 +3008,7 @@ async function removeVaultDefinition(name, options = {}) {
     delete rawManifest.vaults;
   }
   await writeFile7(loadedManifest.manifestPath, stringifyYaml5(rawManifest), "utf8");
-  const vaultRoot = path11.join(resolveSecretStoreRoot2(options.processEnv), "vaults", vault);
+  const vaultRoot = path15.join(resolveSecretStoreRoot2(options.processEnv), "vaults", vault);
   let removedStore;
   try {
     await rm3(vaultRoot, { recursive: true, force: true });
@@ -2486,15 +3040,22 @@ async function authenticateVault(name, options = {}) {
     if (!auth.passphrase) {
       throw new Error(`Vault "${vault}" requires passphrase-based authentication.`);
     }
-    const existing = await readVaultMetadata(storeRoot, vault);
-    if (!existing) {
-      await createSecretVault(storeRoot, vault, auth.passphrase);
-    }
     const metadata = await readVaultMetadata(storeRoot, vault);
     if (!metadata) {
-      throw new Error(`Failed to initialize vault "${vault}"`);
+      throw new Error(
+        `Vault "${vault}" has not been initialized yet. Run cnos vault create ${vault} first.`
+      );
     }
     const derivedKey = deriveVaultKey(auth.passphrase, Buffer.from(metadata.salt, "base64"), metadata.iterations);
+    await listLocalSecrets(
+      storeRoot,
+      {
+        derivedKey,
+        method: auth.method,
+        ...definition.auth?.config ? { config: definition.auth.config } : {}
+      },
+      vault
+    );
     const sessionPath2 = await writeVaultSessionKey(vault, derivedKey, options.processEnv);
     if (options.storeKeychain) {
       await writeKeychain(`cnos/${vault}`, derivedKey.toString("hex"));
@@ -2541,6 +3102,7 @@ function normalizeVaultAction(args) {
 async function runVault(args = [], options = {}) {
   const { action, tail } = normalizeVaultAction(args);
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path16.resolve(options.root ?? process.cwd());
   if (consumeOption(cliArgs, "--passphrase")) {
     throw new Error("The --passphrase option is not supported in CNOS 1.4. Use env, keychain, or prompt-based auth.");
   }
@@ -2557,7 +3119,7 @@ async function runVault(args = [], options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return `created vault "${result.name}" with provider "${result.provider}" in ${result.manifestPath}`;
+    return `created vault "${result.name}" with provider "${result.provider}" in ${displayPath(result.manifestPath, root)}`;
   }
   if (action === "auth") {
     const result = await authenticateVault(tail[0] ?? "default", {
@@ -2646,6 +3208,7 @@ async function runSecret(argsOrPath, options = {}) {
   const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
   const { action, tail } = normalizeSecretCommand(args);
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path17.resolve(options.root ?? process.cwd());
   if (consumeOption(cliArgs, "--passphrase")) {
     throw new Error("The --passphrase option is not supported in CNOS 1.4. Use env, keychain, or prompt-based auth.");
   }
@@ -2701,7 +3264,7 @@ async function runSecret(argsOrPath, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return result.provider === "local" ? `set secret.${secretPath2} in vault "${result.vault ?? "default"}" with ref "${result.ref}" and repo pointer ${result.filePath}` : `set secret.${secretPath2} via ${result.provider} in ${result.filePath}`;
+    return result.provider === "local" ? `set secret.${secretPath2} in vault "${result.vault ?? "default"}" with ref "${result.ref}" and repo pointer ${displayPath(result.filePath, root)}` : `set secret.${secretPath2} via ${result.provider} in ${displayPath(result.filePath, root)}`;
   }
   if (action === "delete") {
     const secretPath2 = tail[0];
@@ -2714,7 +3277,7 @@ async function runSecret(argsOrPath, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return result.deleted ? `deleted secret.${secretPath2} from ${result.filePath}` : `no secret.${secretPath2} found in ${result.filePath}`;
+    return result.deleted ? `deleted secret.${secretPath2} from ${displayPath(result.filePath, root)}` : `no secret.${secretPath2} found in ${displayPath(result.filePath, root)}`;
   }
   const runtime = await createRuntimeService(options);
   const secretPath = tail[0] ?? "app.token";
@@ -2741,12 +3304,12 @@ async function runSecret(argsOrPath, options = {}) {
 }
 
 // src/commands/use.ts
-import path12 from "path";
+import path18 from "path";
 async function runUse(args = [], options = {}) {
-  const root = path12.resolve(options.root ?? process.cwd());
-  const action = args[0] ?? "show";
+  const root = path18.resolve(options.root ?? process.cwd());
+  const action = args[0];
   const hasUpdates = Boolean(options.workspace || options.profile || options.globalRoot);
-  if (action === "show" || !hasUpdates) {
+  if (action === "show" || !action && !hasUpdates) {
     const context = await loadCliContext(root);
     if (options.json) {
       return printJson(context);
@@ -2762,7 +3325,7 @@ async function runUse(args = [], options = {}) {
   if (options.json) {
     return printJson(result);
   }
-  return `updated CLI context in ${result.filePath}`;
+  return `updated CLI context in ${displayPath(result.filePath, root)}`;
 }
 
 // src/commands/validate.ts
@@ -2780,7 +3343,7 @@ async function runValidate(options = {}) {
 // package.json
 var package_default = {
   name: "@kitsy/cnos-cli",
-  version: "1.3.0",
+  version: "1.5.0",
   description: "CLI entry point and developer tooling for CNOS.",
   type: "module",
   main: "./dist/index.js",
@@ -2835,6 +3398,7 @@ function runVersion() {
 }
 
 // src/commands/value.ts
+import path19 from "path";
 function normalizeValueCommand(args) {
   const [actionOrPath, ...tail] = args;
   if (!actionOrPath) {
@@ -2858,6 +3422,7 @@ async function runValue(argsOrPath, options = {}) {
   const args = Array.isArray(argsOrPath) ? argsOrPath : [argsOrPath];
   const { action, tail } = normalizeValueCommand(args);
   const cliArgs = [...options.cliArgs ?? []];
+  const root = path19.resolve(options.root ?? process.cwd());
   if (action === "list") {
     const prefix = consumeOption(cliArgs, "--prefix");
     const entries = await listConfigEntries("value", {
@@ -2888,7 +3453,7 @@ async function runValue(argsOrPath, options = {}) {
         value: result.value
       });
     }
-    return `set value.${valuePath} in ${result.filePath}`;
+    return `set value.${valuePath} in ${displayPath(result.filePath, root)}`;
   }
   if (action === "delete") {
     const valuePath = tail[0] ?? "app.name";
@@ -2901,7 +3466,7 @@ async function runValue(argsOrPath, options = {}) {
     if (options.json) {
       return printJson(result);
     }
-    return result.deleted ? `deleted value.${valuePath} from ${result.filePath}` : `no value.${valuePath} found in ${result.filePath}`;
+    return result.deleted ? `deleted value.${valuePath} from ${displayPath(result.filePath, root)}` : `no value.${valuePath} found in ${displayPath(result.filePath, root)}`;
   }
   const runtime = await createRuntimeService(options);
   const value = runtime.value(tail[0] ?? "app.name");
@@ -2918,16 +3483,12 @@ async function runValue(argsOrPath, options = {}) {
 }
 
 // src/commands/watch.ts
-import { watch } from "fs";
-import { spawn as spawn2 } from "child_process";
 import {
   CNOS_GRAPH_ENV_VAR as CNOS_GRAPH_ENV_VAR2,
   CNOS_SECRET_PAYLOAD_ENV_VAR as CNOS_SECRET_PAYLOAD_ENV_VAR2,
   CNOS_SESSION_KEY_ENV_VAR as CNOS_SESSION_KEY_ENV_VAR2,
-  diffGraphs,
   serializeRuntimeGraph as serializeRuntimeGraph2,
-  serializeSecretPayload as serializeSecretPayload2,
-  watchFiles
+  serializeSecretPayload as serializeSecretPayload2
 } from "@kitsy/cnos/internal";
 async function buildRunEnvironment(options) {
   const cliArgs = [...options.cliArgs ?? []];
@@ -2964,11 +3525,10 @@ function spawnWatchedChild(command, cwd, env) {
   if (!executable) {
     throw new Error("watch requires a command after -- unless --signal is used");
   }
-  return spawn2(executable, command.slice(1), {
+  return spawnCommand(command, {
     cwd,
     env,
-    stdio: "inherit",
-    shell: false
+    stdio: "inherit"
   });
 }
 async function startWatchLoop(options) {
@@ -2982,85 +3542,39 @@ async function startWatchLoop(options) {
     cliArgs
   });
   let child = !isSignal ? spawnWatchedChild(command, root, current.env) : void 0;
-  const watcherMap = /* @__PURE__ */ new Map();
-  let timer;
   let closed = false;
-  const attachWatcher = (targetPath, recursive = false) => {
-    if (watcherMap.has(targetPath)) {
-      return;
-    }
-    try {
-      const watcher = watch(
-        targetPath,
-        recursive ? {
-          recursive: true
-        } : void 0,
-        () => {
-          if (timer) {
-            clearTimeout(timer);
-          }
-          timer = setTimeout(() => {
-            void handleChange();
-          }, debounceMs);
-        }
-      );
-      watcherMap.set(targetPath, watcher);
-    } catch {
-      if (recursive) {
-        attachWatcher(targetPath, false);
+  const watcher = await startGraphWatchLoop({
+    ...options,
+    cliArgs,
+    debounceMs,
+    async onChange(payload) {
+      if (closed) {
+        return;
       }
-    }
-  };
-  const refreshWatchers = async () => {
-    const nextTargets = await watchFiles(current.runtime, options.root);
-    attachWatcher(nextTargets.manifestPath, false);
-    for (const workspaceRoot of nextTargets.roots) {
-      attachWatcher(workspaceRoot, true);
-    }
-    for (const filePath of nextTargets.files) {
-      attachWatcher(filePath, false);
-    }
-  };
-  const handleChange = async () => {
-    if (closed) {
-      return;
-    }
-    const next = await buildRunEnvironment({
-      ...options,
-      cliArgs
-    });
-    const changedKeys = diffGraphs(current.runtime.graph, next.runtime.graph);
-    current = next;
-    await refreshWatchers();
-    if (changedKeys.length === 0) {
-      return;
-    }
-    if (isSignal) {
-      await options.onSignal?.({ changedKeys });
-      process.stdout.write(`${printJson({ changedKeys })}
-`);
-      return;
-    }
-    if (child && !child.killed) {
-      await new Promise((resolve) => {
-        child?.once("close", () => resolve());
-        child?.kill();
+      current = await buildRunEnvironment({
+        ...options,
+        cliArgs
       });
+      if (isSignal) {
+        await options.onSignal?.({ changedKeys: payload.changedKeys });
+        process.stdout.write(`${printJson({ changedKeys: payload.changedKeys })}
+`);
+        return;
+      }
+      if (child && !child.killed) {
+        await new Promise((resolve) => {
+          child?.once("close", () => resolve());
+          child?.kill();
+        });
+      }
+      child = spawnWatchedChild(command, root, current.env);
+      await options.onRestart?.({ changedKeys: payload.changedKeys });
     }
-    child = spawnWatchedChild(command, root, current.env);
-    await options.onRestart?.({ changedKeys });
-  };
-  await refreshWatchers();
+  });
   return {
     async close() {
       closed = true;
-      if (timer) {
-        clearTimeout(timer);
-      }
-      for (const watcher of watcherMap.values()) {
-        watcher.close();
-      }
-      watcherMap.clear();
+      await watcher.close();
       if (child && !child.killed) {
         await new Promise((resolve) => {
           child?.once("close", () => resolve());
@@ -3099,6 +3613,12 @@ function resolveHelpTopic(command, args) {
   if (command === "export" && args[0] === "env") {
     return normalizeHelpTopic([command, args[0]]);
   }
+  if (command === "build" && args[0] === "env") {
+    return normalizeHelpTopic([command, args[0]]);
+  }
+  if (command === "dev" && args[0] === "env") {
+    return normalizeHelpTopic([command, args[0]]);
+  }
   if (command === "vault" && args[0] && ["create", "add", "list", "delete", "remove"].includes(args[0])) {
     return normalizeHelpTopic([command, args[0] === "delete" ? "remove" : args[0] === "add" ? "create" : args[0]]);
   }
@@ -3229,6 +3749,14 @@ async function main(argv) {
       return;
     case "export":
       process.stdout.write(`${await runExport(args[0], runtimeOptions)}
+`);
+      return;
+    case "build":
+      process.stdout.write(`${await runBuild(args[0], runtimeOptions)}
+`);
+      return;
+    case "dev":
+      process.stdout.write(`${await runDev(args[0], passthrough.length > 0 ? passthrough : args.slice(1), runtimeOptions)}
 `);
       return;
     case "dump":
@@ -3260,6 +3788,11 @@ async function main(argv) {
 `);
       return;
     default:
+      if (args.length > 0 && /^[a-z][a-z0-9-]*$/i.test(command)) {
+        process.stdout.write(`${await runNamespace(command, args, runtimeOptions)}
+`);
+        return;
+      }
       process.stderr.write(`Unknown command: ${command}
 `);
       process.exitCode = 1;