@vibesdotdev/secrets 0.0.1

package/src/cli/list/secrets.list.cli-command.impl.ts

@@ -0,0 +1,79 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretEntry, SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor } from '../../kinds/store.schema';
+import { resolveSecretRequirements } from '../../requirements/resolver';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const options = opts as {
+			environment?: string;
+			backend?: string;
+			json?: boolean;
+		};
+
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		const matching = descriptors.filter((d) => {
+			if (options.backend && d.id !== options.backend) return false;
+			return d.tiers.includes(envTier);
+		});
+
+		const aggregated = new Map<string, SecretEntry>();
+		const storesByPriority = [...matching].sort((a, b) => (a.priority ?? 0) - (b.priority ?? 0));
+
+		for (const desc of storesByPriority) {
+			const impl = (await runtime
+				.query('secrets/store')
+				.withId(desc.id)
+				.resolve()) as SecretsStoreImplementation;
+			const entries = await impl.list(envName);
+			for (const entry of entries) {
+				aggregated.set(entry.key, entry);
+			}
+		}
+
+		const entries = [...aggregated.values()].sort((a, b) => a.key.localeCompare(b.key));
+
+		if (options.json) {
+			const secrets = entries.map((e) => ({ key: e.key, hasValue: e.hasValue, source: e.source }));
+			ui.render({ environment: envName, secrets }, { format: 'json' });
+			return;
+		}
+
+		if (entries.length === 0) {
+			ui.info(`No secrets found for environment: ${envName}`);
+			return;
+		}
+
+		ui.log(`\nSecrets for environment: ${envName}\n`);
+		ui.log('  KEY'.padEnd(45) + 'SOURCE'.padEnd(20) + 'STATUS');
+		ui.log('  ' + '─'.repeat(70));
+
+		for (const entry of entries) {
+			const status = entry.hasValue ? 'set' : 'empty';
+			ui.log(`  ${entry.key.padEnd(43)} ${entry.source.padEnd(18)} ${status}`);
+		}
+		ui.log('');
+
+		try {
+			const requirements = await resolveSecretRequirements(runtime);
+			const required = requirements.filter((r) => r.required);
+			const setKeys = new Set(entries.filter((e) => e.hasValue).map((e) => e.key));
+			const missing = required.filter((r) => !setKeys.has(r.key));
+			if (missing.length > 0) {
+				ui.log(`  ${missing.length} required secret(s) missing. Run 'vibes secrets check' for details.`);
+				ui.log('');
+			}
+		} catch {
+			// infra kinds may not be loaded in all contexts
+		}
+	}
+};

package/src/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.ts

@@ -0,0 +1,18 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'dev.secrets.pre-commit-check',
+	name: 'pre-commit-check',
+	description: 'Run secrets pattern detection on staged files',
+	group: 'secrets',
+	options: [
+		{ flags: '--workspace <path>', description: 'Workspace root (default: cwd)' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 1
+};
+
+export default descriptor;

package/src/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.ts

@@ -0,0 +1,11 @@
+import { runSecretsPreCommitCheck } from '../hooks/pre-commit-secrets';
+
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const options = opts as { workspace?: string };
+		const workspacePath = options.workspace ?? process.cwd();
+
+		const exitCode = await runSecretsPreCommitCheck(workspacePath);
+		process.exit(exitCode);
+	}
+};

package/src/cli/pull/secrets.pull.cli-command.descriptor.ts

@@ -0,0 +1,22 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.pull',
+	name: 'pull',
+	description: 'Pull secrets from a remote backend to local store',
+	group: 'secrets',
+	options: [
+		{ flags: '--environment <name>', description: 'Target environment (default: current)' },
+		{ flags: '--from <backend>', description: 'Source remote backend (default: vault)' },
+		{ flags: '--to <backend>', description: 'Target local backend (default: encrypted-local)' },
+		{ flags: '--key <key>', description: 'Pull only one secret key (repeat or comma-separate for multiple keys)' },
+		{ flags: '--dry-run', description: 'Show what would be pulled without pulling' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 70
+};
+
+export default descriptor;

package/src/cli/pull/secrets.pull.cli-command.impl.ts

@@ -0,0 +1,103 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor } from '../../kinds/store.schema';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+
+const LOCAL_BACKENDS = new Set(['env-file', 'encrypted-local']);
+const REMOTE_BACKENDS = new Set(['cloudflare-api', 'vault']);
+
+function parseKeyFilter(value: unknown): Set<string> | undefined {
+	const rawValues = Array.isArray(value)
+		? value.filter((entry): entry is string => typeof entry === 'string')
+		: typeof value === 'string'
+			? [value]
+			: [];
+	const keys = rawValues
+		.flatMap((entry) => entry.split(','))
+		.map((entry) => entry.trim())
+		.filter((entry) => entry.length > 0);
+	return keys.length > 0 ? new Set(keys) : undefined;
+}
+
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const options = opts as {
+			environment?: string;
+			from?: string;
+			to?: string;
+			key?: string | string[];
+			dryRun?: boolean;
+		};
+
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+
+		const source = options.from
+			? descriptors.find((d) => d.id === options.from)
+			: descriptors
+					.filter((d) => d.tiers.includes(envTier) && REMOTE_BACKENDS.has(d.backend))
+					.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+
+		const target = options.to
+			? descriptors.find((d) => d.id === options.to)
+			: descriptors
+					.filter((d) => d.tiers.includes(envTier) && LOCAL_BACKENDS.has(d.backend))
+					.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+
+		if (!source) {
+			ui.error('No remote secrets store available. Cloudflare does not support pulling secret values.');
+			process.exit(1);
+		}
+		if (!target) {
+			ui.error('No local secrets store available.');
+			process.exit(1);
+		}
+
+		if (source.backend === 'cloudflare-api' || source.backend === 'cloudflare-secrets-store') {
+			ui.warn('Cloudflare secrets backends do not expose secret values. Pull is only supported from Vault.');
+			process.exit(1);
+		}
+
+		const sourceImpl = (await runtime
+			.query('secrets/store')
+			.withId(source.id)
+			.resolve()) as SecretsStoreImplementation;
+		let secrets = await sourceImpl.getAll(envName);
+		const keyFilter = parseKeyFilter(options.key);
+		if (keyFilter) {
+			secrets = Object.fromEntries(
+				Object.entries(secrets).filter(([key]) => keyFilter.has(key))
+			);
+		}
+		const keys = Object.keys(secrets);
+
+		if (keys.length === 0) {
+			ui.info(`No secrets found in [${source.id}] for environment: ${envName}`);
+			return;
+		}
+
+		if (options.dryRun) {
+			ui.log(`\nDry run: would pull ${keys.length} secret(s) from [${source.id}] to [${target.id}]\n`);
+			for (const key of keys.sort()) {
+				ui.log(`  ${key}`);
+			}
+			ui.log('');
+			return;
+		}
+
+		const targetImpl = (await runtime
+			.query('secrets/store')
+			.withId(target.id)
+			.resolve()) as SecretsStoreImplementation;
+		await targetImpl.setAll(envName, secrets);
+
+		ui.success(`Pulled ${keys.length} secret(s) from [${source.id}] to [${target.id}] for ${envName}`);
+	}
+};

package/src/cli/push/secrets.push.cli-command.descriptor.ts

@@ -0,0 +1,24 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.push',
+	name: 'push',
+	description: 'Deploy secrets from local store to a remote backend',
+	group: 'secrets',
+	options: [
+		{ flags: '--environment <name>', description: 'Target environment (default: current)' },
+		{ flags: '--source-env <name>', description: 'Source environment in the source backend (default: source backend\'s primary tier, e.g. "local" for encrypted-local)' },
+		{ flags: '--from <backend>', description: 'Source backend (default: highest-priority local)' },
+		{ flags: '--to <backend>', description: 'Target backend (default: highest-priority remote)' },
+		{ flags: '--key <key>', description: 'Push only one secret key (repeat or comma-separate for multiple keys)' },
+		{ flags: '--app <id>', description: 'Push only secrets required by this app' },
+		{ flags: '--dry-run', description: 'Show what would be pushed without pushing' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 60
+};
+
+export default descriptor;

package/src/cli/push/secrets.push.cli-command.impl.ts

@@ -0,0 +1,149 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor, EnvironmentTier } from '../../kinds/store.schema';
+import { resolveSecretRequirements, uniqueSecretKeys } from '../../requirements/resolver';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+
+const LOCAL_BACKENDS = new Set(['env-file', 'encrypted-local']);
+const REMOTE_BACKENDS = new Set(['cloudflare-api', 'cloudflare-secrets-store', 'vault']);
+
+// Preferred ordering when picking a backend's primary tier as the default
+// source-env. We pick the lowest tier the backend serves (local > dev >
+// staging > production), since that's where a developer's local `secrets set`
+// writes land. Keeps `push --environment production` reading from the user's
+// machine-local store rather than stale data left in vault.environments.production
+// from a long-ago `vibes secrets import`.
+const TIER_PREFERENCE: EnvironmentTier[] = ['local', 'dev', 'staging', 'production'];
+
+function pickPrimaryTier(descriptor: SecretsStoreDescriptor): EnvironmentTier {
+	for (const tier of TIER_PREFERENCE) {
+		if (descriptor.tiers.includes(tier)) return tier;
+	}
+	return descriptor.tiers[0] ?? 'local';
+}
+
+function findBackend(
+	descriptors: SecretsStoreDescriptor[],
+	tier: EnvironmentTier,
+	backendId: string | undefined,
+	filter: Set<string>
+): SecretsStoreDescriptor | undefined {
+	if (backendId) return descriptors.find((d) => d.id === backendId);
+	return descriptors
+		.filter((d) => d.tiers.includes(tier) && filter.has(d.backend))
+		.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+}
+
+function parseKeyFilter(value: unknown): Set<string> | undefined {
+	const rawValues = Array.isArray(value)
+		? value.filter((entry): entry is string => typeof entry === 'string')
+		: typeof value === 'string'
+			? [value]
+			: [];
+	const keys = rawValues
+		.flatMap((entry) => entry.split(','))
+		.map((entry) => entry.trim())
+		.filter((entry) => entry.length > 0);
+	return keys.length > 0 ? new Set(keys) : undefined;
+}
+
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const options = opts as {
+			environment?: string;
+			sourceEnv?: string;
+			from?: string;
+			to?: string;
+			key?: string | string[];
+			app?: string;
+			dryRun?: boolean;
+		};
+
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		// Pick the source backend independently of the target env tier: typical
+		// flow is "push from machine-local store to production CF store" and
+		// the local store doesn't serve the production tier.
+		const source = options.from
+			? descriptors.find((d) => d.id === options.from)
+			: descriptors
+				.filter((d) => LOCAL_BACKENDS.has(d.backend))
+				.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+		const target = findBackend(descriptors, envTier, options.to, REMOTE_BACKENDS);
+
+		if (!source) {
+			ui.error('No local secrets store found. Set secrets with `vibes secrets set` first.');
+			process.exit(1);
+		}
+		if (!target) {
+			ui.error('No remote secrets store available for this environment tier.');
+			process.exit(1);
+		}
+
+		// Source env defaults to the source backend's primary tier (e.g. 'local'
+		// for encrypted-local), NOT the target env. Reading from `getAll(envName)`
+		// blindly used to pull whatever stale values a prior `vibes secrets import`
+		// left in `vault.environments[envName]`, even though developers' day-to-day
+		// `vibes secrets set` writes always land in the local-tier namespace.
+		// That mismatch would overwrite live prod keys with stale test keys.
+		const sourceEnv = options.sourceEnv ?? pickPrimaryTier(source);
+
+		if (sourceEnv !== envName) {
+			ui.log(
+				`Reading from [${source.id}] env "${sourceEnv}" (source backend's primary tier); writing to [${target.id}] env "${envName}". Override with --source-env if needed.`
+			);
+		}
+
+		const sourceImpl = (await runtime
+			.query('secrets/store')
+			.withId(source.id)
+			.resolve()) as SecretsStoreImplementation;
+		let secrets = await sourceImpl.getAll(sourceEnv);
+
+		if (options.app) {
+			const requirements = await resolveSecretRequirements(runtime);
+			const appReqs = requirements.filter((r) => r.appId === options.app);
+			const appKeys = new Set(uniqueSecretKeys(appReqs));
+			secrets = Object.fromEntries(
+				Object.entries(secrets).filter(([k]) => appKeys.has(k))
+			);
+		}
+
+		const keyFilter = parseKeyFilter(options.key);
+		if (keyFilter) {
+			secrets = Object.fromEntries(
+				Object.entries(secrets).filter(([key]) => keyFilter.has(key))
+			);
+		}
+
+		const keys = Object.keys(secrets);
+		if (keys.length === 0) {
+			ui.info('No secrets to push.');
+			return;
+		}
+
+		if (options.dryRun) {
+			ui.log(`\nDry run: would push ${keys.length} secret(s) from [${source.id}] to [${target.id}]\n`);
+			for (const key of keys.sort()) {
+				ui.log(`  ${key}`);
+			}
+			ui.log('');
+			return;
+		}
+
+		const targetImpl = (await runtime
+			.query('secrets/store')
+			.withId(target.id)
+			.resolve()) as SecretsStoreImplementation;
+		await targetImpl.setAll(envName, secrets);
+
+		ui.success(`Pushed ${keys.length} secret(s) from [${source.id}] to [${target.id}] for ${envName}`);
+	}
+};

package/src/cli/reveal/secrets.reveal.cli-command.descriptor.ts

@@ -0,0 +1,21 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.reveal',
+	name: 'reveal',
+	description: 'Reveal a secret value (writes to stderr with audit log)',
+	group: 'secrets',
+	arguments: [{ name: 'key', description: 'Secret key to reveal', required: true }],
+	options: [
+		{ flags: '--environment <name>', description: 'Target environment (default: current)' },
+		{ flags: '--backend <id>', description: 'Filter to a specific backend' },
+		{ flags: '--force', description: 'Skip confirmation prompt' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 20
+};
+
+export default descriptor;

package/src/cli/reveal/secrets.reveal.cli-command.impl.ts

@@ -0,0 +1,108 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor, EnvironmentTier } from '../../kinds/store.schema';
+import type { AuditLogInput } from '@vibesdotdev/logging';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+
+function resolveBackend(
+	descriptors: SecretsStoreDescriptor[],
+	tier: EnvironmentTier,
+	backendId?: string
+): SecretsStoreDescriptor | undefined {
+	if (backendId) return descriptors.find((d) => d.id === backendId);
+	const tierStores = descriptors
+		.filter((d) => d.tiers.includes(tier))
+		.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+	return tierStores[0];
+}
+
+function emitAudit(input: AuditLogInput): void {
+	process.stderr.write(`[AUDIT] ${JSON.stringify({
+		id: crypto.randomUUID(),
+		timestamp: new Date().toISOString(),
+		...input
+	})}\n`);
+}
+
+export default {
+	async execute(args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const key = args.key as string;
+		const options = opts as { environment?: string; backend?: string; force?: boolean };
+
+		if (!key) {
+			ui.error('Usage: vibes secrets reveal <KEY>');
+			process.exit(1);
+		}
+
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		const target = resolveBackend(descriptors, envTier, options.backend);
+
+		if (!target) {
+			ui.error(`No secrets store available for tier: ${envTier}`);
+			process.exit(1);
+		}
+
+		const impl = (await runtime
+			.query('secrets/store')
+			.withId(target.id)
+			.resolve()) as SecretsStoreImplementation;
+
+		const value = await impl.get(envName, key);
+		if (value === undefined || value === '') {
+			ui.error(`Secret not found: ${key}`);
+			process.exit(1);
+		}
+
+		// Skip the interactive confirmation when:
+		//   - explicit --force flag
+		//   - VIBES_SECRETS_REVEAL_NO_PROMPT=1 set (CI / scripts opt-in)
+		//   - stdin or stderr is not a TTY (automation context — there's no
+		//     human to answer the prompt, and blocking on stdin would hang)
+		const noPromptEnv = process.env.VIBES_SECRETS_REVEAL_NO_PROMPT === '1';
+		const stdinIsTty = Boolean((process.stdin as { isTTY?: boolean }).isTTY);
+		const stderrIsTty = Boolean((process.stderr as { isTTY?: boolean }).isTTY);
+		const skipPrompt = options.force || noPromptEnv || !stdinIsTty || !stderrIsTty;
+		if (!skipPrompt) {
+			process.stderr.write(`\n[REVEAL] About to reveal secret "${key}" to terminal.\n`);
+			process.stderr.write(`This value will be printed to stderr and logged to the audit trail.\n`);
+			process.stderr.write(`Continue? [y/N] `);
+
+			let confirmation = '';
+			for await (const chunk of process.stdin) {
+				confirmation = (chunk as Buffer).toString('utf-8').trim().toLowerCase();
+				break;
+			}
+
+			if (confirmation !== 'y' && confirmation !== 'yes') {
+				ui.info('Reveal cancelled.');
+				process.exit(0);
+			}
+		}
+
+		emitAudit({
+			category: 'data_access',
+			severity: 'high',
+			action: 'secrets.reveal',
+			actor: { id: 'cli', type: 'user', name: 'CLI user' },
+			target: { id: key, type: 'secret', name: key },
+			outcome: 'success',
+			context: {
+				environment: envName,
+				backend: target.id
+			}
+		});
+
+		// Value goes to STDOUT so scripts can capture it via `$(vibes secrets reveal X)`.
+		// Audit/notice messaging stays on STDERR so a piped consumer gets a clean value.
+		process.stdout.write(`${value}\n`);
+		process.stderr.write(`\n[REVEAL] ${key} revealed (logged to audit trail).\n`);
+	}
+};

package/src/cli/secrets.cli-group.descriptor.ts

@@ -0,0 +1,13 @@
+import type { CLIGroupAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+
+const descriptor: CLIGroupAssetDescriptor = {
+	kind: 'cli/group',
+	id: 'secrets',
+	name: 'secrets',
+	description: 'Manage environment secrets across backends',
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true
+};
+
+export default descriptor;

package/src/cli/set/secrets.set.cli-command.descriptor.ts

@@ -0,0 +1,23 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.set',
+	name: 'set',
+	description: 'Set a secret value for the current environment',
+	group: 'secrets',
+	arguments: [
+		{ name: 'key', description: 'Secret key name (e.g., VIBES_AUTH_SECRET)', required: true },
+		{ name: 'value', description: 'Secret value (omit to prompt securely)', required: false }
+	],
+	options: [
+		{ flags: '--environment <name>', description: 'Target environment (default: current)' },
+		{ flags: '--backend <id>', description: 'Target backend (default: primary for tier)' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 20
+};
+
+export default descriptor;

package/src/cli/set/secrets.set.cli-command.impl.ts

@@ -0,0 +1,77 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor, EnvironmentTier } from '../../kinds/store.schema';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+
+// `set` is the write side of the local-development workflow: the user types
+// a value and expects it to land in their machine-local store. Remote
+// backends (vault, cloudflare-secrets-store, ...) are the *deploy* side —
+// reached via `secrets push` after the user explicitly opts in. Default
+// routing therefore restricts to local backend kinds; an explicit
+// `--backend <id>` still wins.
+const LOCAL_BACKEND_KINDS = new Set(['env-file', 'encrypted-local']);
+
+function resolveBackend(
+	descriptors: SecretsStoreDescriptor[],
+	tier: EnvironmentTier,
+	backendId?: string
+): SecretsStoreDescriptor | undefined {
+	if (backendId) return descriptors.find((d) => d.id === backendId);
+	const tierStores = descriptors
+		.filter((d) => d.tiers.includes(tier))
+		.filter((d) => LOCAL_BACKEND_KINDS.has(d.backend))
+		.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+	return tierStores[0];
+}
+
+export default {
+	async execute(args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const key = args.key as string;
+		let value = args.value as string | undefined;
+		const options = opts as { environment?: string; backend?: string };
+
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+
+		if (!key || !/^[_A-Z0-9]+$/.test(key)) {
+			ui.error('Secret key must match pattern: ^[_A-Z0-9]+$');
+			process.exit(1);
+		}
+
+		if (!value) {
+			process.stdout.write(`Enter value for ${key}: `);
+			const chunks: Buffer[] = [];
+			for await (const chunk of process.stdin) {
+				chunks.push(chunk as Buffer);
+				if ((chunk as Buffer).includes(10)) break;
+			}
+			value = Buffer.concat(chunks).toString('utf-8').trim();
+		}
+
+		if (!value) {
+			ui.error('No value provided');
+			process.exit(1);
+		}
+
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		const target = resolveBackend(descriptors, envTier, options.backend);
+
+		if (!target) {
+			ui.error(`No secrets store available for tier: ${envTier}`);
+			process.exit(1);
+		}
+
+		const impl = (await runtime
+			.query('secrets/store')
+			.withId(target.id)
+			.resolve()) as SecretsStoreImplementation;
+		await impl.set(envName, key, value);
+
+		ui.success(`Set ${key} in [${target.id}] for environment: ${envName}`);
+	}
+};