noodleseed-cli 0.1.10 → 0.1.12

package/dist/cli.js

@@ -3,22 +3,32 @@
  * `noodle` — the Noodle CLI by Noodle Seed for the hosted workflow.
  *
  *   noodle login
- *   noodle deploy app.ts [--save]
+ *   noodle deploy app.ts
  *   noodle whoami | logout | list
  *
  * `deploy` POSTs a manifest/authored server to a deploy service and prints the working tenant MCP
- * endpoint + a once-shown caller key. Service URL and auth token resolve **flag > env > config > default**
+ * endpoint. Service URL and auth token resolve **flag > env > config > default**
  * (config = `~/.noodle/config.json`, written by `login`).
  */
+import { spawn } from 'node:child_process';
 import { realpathSync } from 'node:fs';
-import { readFileSync } from 'node:fs';
+import { readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
+import { platform } from 'node:process';
+import { createInterface } from 'node:readline/promises';
+import { Writable } from 'node:stream';
+import { basename, extname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { appendServer, clearConfig, maskToken, readConfig, readServers, resolveServiceUrl, writeConfig, } from './config.js';
-import { browserLogin, resolveControlPlaneToken, serviceJson } from './control-plane.js';
+import { runAgents } from './agents.js';
+import { browserLogin, resolveControlPlaneToken, ServiceRequestError, serviceJson } from './control-plane.js';
+import { errorMessage, printRecovery } from './diagnostics.js';
 import { DEFAULT_SERVICE_URL, deploy } from './deploy.js';
-import { dev } from './dev.js';
+import { dev, localMcpCall } from './dev.js';
+import { runDoctor } from './doctor.js';
 import { deleteLocalConfigValue, readLocalConfigValues, resolveLocalConfigValues, setLocalConfigValue, } from './local-config.js';
+import { initProject, readProjectDeployment, readProjectLink, relativeEntrypoint, resolveLinkedEntrypoint, writeProjectDeployment, writeProjectLink, } from './project.js';
+import { importOpenApiProject } from './openapi-import.js';
 import { currentCliVersion, maybeCheckForCliUpdate, runUpdateCommand } from './update.js';
 import { validate } from './validate.js';
 const ACCEPT = 'application/json, text/event-stream';
@@ -26,22 +36,41 @@ function usage() {
     console.error([
         'usage: noodle <command>',
         '',
+        '  init   [dir] [--template hello|http-api] [--name <slug>] [--force]',
+        '                                   create a local Noodle project',
+        '  link   --org <slug> --app <slug> [--env <slug>] [--service <url>]',
+        '                                   [--access owner-only|org-members] [--entrypoint <path>]',
+        '                                   bind this directory to a Noodle Cloud target',
+        '  doctor [--service <url>] [--auth-token <t>] [--org <slug>] [--app <slug>]',
+        '                                   [--env <slug>] [--entrypoint <path>] [--connectors <f>]',
+        '                                   check login, service, project, validation, and config',
+        '  agents setup   [--client claude-code|codex|gemini|cursor|vscode|all] [--project <dir>]',
+        '                                   dry-run coding-agent setup guidance',
+        '  agents context [--client claude-code|codex|gemini|cursor|vscode|all] [--project <dir>]',
+        '                 [--write] [--force] generate project-local agent instructions',
+        '  docs export --format llms [--output <file>]',
+        '  connect claude-code|codex|gemini|cursor|vscode|claude|chatgpt|inspector [--json]',
+        '  import openapi <file> [--output <dir>] [--name <slug>] [--base-url <url>] [--force]',
         '  validate <manifest.yaml|server.ts> [--connectors <f>]',
         '                                   author-time check (schema, expressions, connector refs); no service',
+        '  test   <manifest.yaml|server.ts> [--connectors <f>] [--tool <name>] [--args <json>] [--json]',
+        '                                   local compile plus loopback MCP smoke',
         '  dev    <manifest.yaml|server.ts> [--connectors <f>]',
         '                                   [--org <slug>] [--app <slug>] [--env <slug>] [--port <n>]',
         '                                   run a local runtime, serve + hot-reload the manifest, exercise tools',
         '  deploy <manifest.yaml|server.ts> [--org <slug>] [--app <slug>] [--env <slug>]',
         '                                   [--connectors <f>] [--private]',
-        '                                   [--access <caller-key|owner-only|org-members>]',
-        '                                   [--service <url>] [--auth-token <t>] [--save]',
+        '                                   [--access <owner-only|org-members>]',
+        '                                   [--service <url>] [--auth-token <t>] [--save] [--no-save]',
+        '  open   [--print] [--dashboard]  open or print the latest linked deployment URL',
+        '  status [--org <slug>] [--app <slug>] [--env <slug>] [--service <url>] [--json]',
+        '  access set owner-only|org-members [--org <slug>] [--app <slug>] [--env <slug>] [--json]',
         '  login  [--service <url>] [--auth-token <token>] [--env <name>]',
         '  logout',
         '  whoami [--service <url>] [--auth-token <t>]',
         '  list   [--org <slug>] [--app <slug>] [--env <slug>] [--service <url>] [--auth-token <t>]',
         '  orgs   list|create <slug> [--display-name <name>]',
         '  members list|add|remove --org <slug> [--subject <sub>] [--email <email>] [--role owner|developer]',
-        '  keys   list|rotate --org <slug> --app <slug> [--env <slug>]',
         '  target show|set [--runtime local|cloud|other] [--service <url>] [--org <slug>]',
         '                  [--app <slug>] [--env <slug>]',
         '  secrets set|list|delete|resolve [name] --scope org|app|env [--value <v>]',
@@ -70,12 +99,40 @@ async function runCommand(command, rest, env, home) {
             return 0;
         case 'update':
             return runUpdateCommand(rest);
+        case 'init':
+            return runInit(rest);
+        case 'link':
+            return runLink(rest);
+        case 'doctor':
+            return runDoctor({ rest, env, home });
+        case 'agents':
+            return runAgents(rest, env);
+        case 'docs':
+            return runDocs(rest);
+        case 'connect':
+            return runConnect(rest);
+        case 'import':
+            return runImport(rest);
         case 'validate':
             return runValidate(rest);
+        case 'test':
+            return runLocalTest(rest);
+        case 'tools':
+            return runSmoke('tools', rest);
+        case 'resources':
+            return runSmoke('resources', rest);
+        case 'prompts':
+            return runSmoke('prompts', rest);
         case 'dev':
             return runDev(rest, env);
         case 'deploy':
             return runDeploy(rest, env, home);
+        case 'open':
+            return runOpen(rest, env, home);
+        case 'status':
+            return runStatus(rest, env, home);
+        case 'access':
+            return runAccess(rest, env, home);
         case 'login':
             return runLogin(rest, env, home);
         case 'logout':
@@ -89,7 +146,8 @@ async function runCommand(command, rest, env, home) {
         case 'members':
             return runMembers(rest, env, home);
         case 'keys':
-            return runKeys(rest, env, home);
+            console.error('keys: caller-key management has been removed; use identity access modes instead');
+            return 2;
         case 'target':
             return runTarget(rest, home);
         case 'secrets':
@@ -101,21 +159,244 @@ async function runCommand(command, rest, env, home) {
             return 1;
     }
 }
+function runInit(rest) {
+    let dir;
+    let template;
+    let name;
+    let force = false;
+    for (let i = 0; i < rest.length; i++) {
+        const arg = rest[i];
+        if (arg === '--template') {
+            const value = rest[++i];
+            if (value === 'hello' || value === 'http-api')
+                template = value;
+            else {
+                console.error('init: --template must be hello or http-api');
+                return 2;
+            }
+        }
+        else if (arg === '--name')
+            name = rest[++i];
+        else if (arg === '--force')
+            force = true;
+        else if (!dir && arg !== undefined && !arg.startsWith('--'))
+            dir = arg;
+    }
+    try {
+        const target = initProject({
+            ...(dir !== undefined ? { dir } : {}),
+            ...(template !== undefined ? { template } : {}),
+            ...(name !== undefined ? { name } : {}),
+            ...(force ? { force } : {}),
+        });
+        console.log(`Initialized Noodle project in ${target}`);
+        console.log('Next: noodle link --org <org> --app <app>');
+        return 0;
+    }
+    catch (error) {
+        console.error(error.message);
+        return 2;
+    }
+}
+function runDocs(rest) {
+    const [action, ...tail] = rest;
+    let format;
+    let output;
+    for (let i = 0; i < tail.length; i++) {
+        const arg = tail[i];
+        if (arg === '--format')
+            format = tail[++i];
+        else if (arg === '--output')
+            output = tail[++i];
+    }
+    if (action !== 'export' || format !== 'llms') {
+        console.error('docs: usage: noodle docs export --format llms [--output <file>]');
+        return 2;
+    }
+    const content = llmsDocs();
+    if (output !== undefined) {
+        writeFileSync(output, content);
+        console.log(output);
+    }
+    else {
+        console.log(content);
+    }
+    return 0;
+}
+function llmsDocs() {
+    return [
+        '# Noodle Seed Platform LLM Context',
+        '',
+        'Noodle apps are declarative MCP servers authored with the Noodle CLI.',
+        '',
+        'Core workflow:',
+        '',
+        '```sh',
+        'noodle init',
+        'noodle validate',
+        'noodle doctor',
+        'noodle dev',
+        'noodle test',
+        'noodle deploy',
+        'noodle open',
+        '```',
+        '',
+        'Use test-driven development. Manage connector credentials with `noodle secrets set`; never place secret values in prompts, docs, generated files, or agent instructions. Hosted access is identity-only (`owner-only` or `org-members`); do not add caller-key mechanisms.',
+        '',
+    ].join('\n');
+}
+function runConnect(rest) {
+    const [client, ...tail] = rest;
+    const json = tail.includes('--json');
+    const write = tail.includes('--write');
+    const supported = ['claude-code', 'codex', 'gemini', 'cursor', 'vscode', 'claude', 'chatgpt', 'inspector'];
+    if (client === undefined || !supported.includes(client)) {
+        console.error('connect: expected claude-code, codex, gemini, cursor, vscode, claude, chatgpt, or inspector');
+        return 2;
+    }
+    if (write) {
+        printRecovery({
+            command: 'connect',
+            cause: 'connect --write is planned but not available in this P1 slice.',
+            fix: 'Use the printed setup flow and keep client config changes explicit.',
+            next: `noodle connect ${client}`,
+        });
+        return 2;
+    }
+    const steps = connectSteps(client);
+    if (json) {
+        console.log(JSON.stringify({ ok: true, client, steps }));
+        return 0;
+    }
+    console.log(`Client: ${client}`);
+    for (const step of steps)
+        console.log(`- ${step}`);
+    return 0;
+}
+function connectSteps(client) {
+    if (['codex', 'claude-code', 'gemini', 'cursor', 'vscode'].includes(client)) {
+        return [
+            `noodle agents context --write --client ${client}`,
+            'noodle agents doctor',
+            'noodle docs export --format llms',
+        ];
+    }
+    if (client === 'inspector')
+        return ['noodle dev', 'npx @modelcontextprotocol/inspector <printed MCP endpoint>'];
+    return ['noodle deploy', 'noodle open --print', 'Add the printed MCP endpoint to the client and sign in when prompted.'];
+}
+function runImport(rest) {
+    const [kind, specPath, ...tail] = rest;
+    if (kind !== 'openapi' || specPath === undefined) {
+        console.error('import: usage: noodle import openapi <file> [--output <dir>] [--name <slug>] [--base-url <url>] [--force]');
+        return 2;
+    }
+    let output = 'noodle-openapi-app';
+    let name = 'openapi-app';
+    let baseUrl;
+    let force = false;
+    for (let i = 0; i < tail.length; i++) {
+        const arg = tail[i];
+        if (arg === '--output')
+            output = tail[++i] ?? output;
+        else if (arg === '--name')
+            name = tail[++i] ?? name;
+        else if (arg === '--base-url')
+            baseUrl = tail[++i];
+        else if (arg === '--force')
+            force = true;
+    }
+    try {
+        const result = importOpenApiProject({
+            specPath,
+            output,
+            name,
+            ...(baseUrl !== undefined ? { baseUrl } : {}),
+            force,
+        });
+        console.log(`Imported OpenAPI project in ${result.output}`);
+        for (const warning of result.warnings)
+            console.log(`warning: ${warning}`);
+        console.log('Next: noodle validate');
+        return 0;
+    }
+    catch (error) {
+        printRecovery({
+            command: 'import openapi',
+            cause: errorMessage(error),
+            fix: 'Check the OpenAPI file and pass --base-url if the document has no server URL.',
+            next: 'noodle import openapi <file> --base-url <url>',
+        });
+        return 1;
+    }
+}
+function runLink(rest) {
+    let entrypoint;
+    let org;
+    let app;
+    let targetEnv;
+    let serviceUrl;
+    let accessMode;
+    for (let i = 0; i < rest.length; i++) {
+        const arg = rest[i];
+        if (arg === '--entrypoint')
+            entrypoint = relativeEntrypoint(rest[++i] ?? 'server.ts');
+        else if (arg === '--org')
+            org = rest[++i];
+        else if (arg === '--app')
+            app = rest[++i];
+        else if (arg === '--env')
+            targetEnv = rest[++i];
+        else if (arg === '--service')
+            serviceUrl = rest[++i];
+        else if (arg === '--access') {
+            const value = rest[++i];
+            if (!isAccessMode(value)) {
+                console.error('link: --access must be owner-only or org-members');
+                return 2;
+            }
+            accessMode = value;
+        }
+    }
+    if (org === undefined || app === undefined) {
+        console.error('link: --org and --app are required');
+        console.error('next: noodle link --org <org> --app <app>');
+        return 2;
+    }
+    const link = writeProjectLink({
+        org,
+        app,
+        ...(entrypoint !== undefined ? { entrypoint } : {}),
+        ...(targetEnv !== undefined ? { env: targetEnv } : {}),
+        ...(serviceUrl !== undefined ? { serviceUrl } : {}),
+        ...(accessMode !== undefined ? { accessMode } : {}),
+    });
+    console.log('Saved .noodle/project.json.');
+    console.log(`  entrypoint: ${link.entrypoint}`);
+    console.log(`  service:    ${link.serviceUrl}`);
+    console.log(`  org:        ${link.org}`);
+    console.log(`  app:        ${link.app}`);
+    console.log(`  env:        ${link.env}`);
+    console.log(`  access:     ${link.accessMode}`);
+    return 0;
+}
 async function runValidate(rest) {
     let manifestPath;
     let connectorsPath;
+    let agentOutput = false;
     for (let i = 0; i < rest.length; i++) {
         const arg = rest[i];
         if (arg === '--connectors')
             connectorsPath = rest[++i];
+        else if (arg === '--agent-output' || arg === '--fix-prompt')
+            agentOutput = true;
         else if (!manifestPath && arg !== undefined && !arg.startsWith('--'))
             manifestPath = arg;
     }
-    if (!manifestPath) {
-        console.error('validate: missing <manifest.yaml|server.ts>');
-        usage();
-        return 2;
-    }
+    if (!manifestPath)
+        manifestPath = resolveLinkedEntrypoint();
+    if (!manifestPath)
+        return missingProjectEntrypoint('validate');
     const outcome = await validate({
         manifestPath,
         ...(connectorsPath ? { connectorsPath } : {}),
@@ -124,6 +405,10 @@ async function runValidate(rest) {
         console.log(`✓ ${manifestPath} is valid.`);
         return 0;
     }
+    if (agentOutput) {
+        console.log(agentFixPrompt('validate', manifestPath, outcome.errors));
+        return 1;
+    }
     console.error(`✗ ${manifestPath} — ${outcome.errors.length} error(s) [${outcome.stage}]:`);
     for (const e of outcome.errors) {
         console.error(`  ${e.code}${e.path ? ` at ${e.path}` : ''}: ${e.message}`);
@@ -136,6 +421,188 @@ async function runValidate(rest) {
     }
     return 1;
 }
+function agentFixPrompt(command, subject, errors) {
+    return [
+        `Fix this Noodle validation failure from \`${command}\`.`,
+        '',
+        `Target: ${subject}`,
+        '',
+        'Errors:',
+        ...errors.map((error) => `- ${error.code}${error.path ? ` at ${error.path}` : ''}: ${error.message}`),
+        '',
+        'Update the Noodle app using test-driven development, then run `noodle validate` and `noodle test`.',
+    ].join('\n');
+}
+async function runLocalTest(rest) {
+    const args = parseAuthorSmokeArgs(rest);
+    const manifestPath = args.path ?? resolveLinkedEntrypoint();
+    if (!manifestPath)
+        return missingProjectEntrypoint('test');
+    const validation = await validate({
+        manifestPath,
+        ...(args.connectorsPath ? { connectorsPath: args.connectorsPath } : {}),
+    });
+    if (!validation.ok) {
+        if (args.agentOutput) {
+            console.log(agentFixPrompt('test', manifestPath, validation.errors));
+        }
+        else if (args.json) {
+            console.error(JSON.stringify({ ok: false, error: { code: 'validation_failed', errors: validation.errors } }));
+        }
+        else {
+            console.error(`validate: fail (${validation.errors.length} error(s))`);
+        }
+        return 1;
+    }
+    const handle = await dev({
+        manifestPath,
+        ...(args.connectorsPath ? { connectorsPath: args.connectorsPath } : {}),
+        watch: false,
+        interactive: false,
+        log: () => { },
+    });
+    try {
+        const init = await localMcpCall(handle.url, 'initialize', { protocolVersion: '2025-11-25' });
+        const tools = await localMcpCall(handle.url, 'tools/list', {});
+        const toolList = tools.body?.result?.tools ?? [];
+        let call;
+        if (args.tool !== undefined) {
+            const called = await localMcpCall(handle.url, 'tools/call', {
+                name: args.tool,
+                arguments: parseJsonArgs(args.args),
+            });
+            call = called.body?.result;
+        }
+        if (args.json) {
+            console.log(JSON.stringify({
+                ok: init.status === 200 && tools.status === 200,
+                endpoint: handle.url,
+                tools: toolList.map((tool) => tool.name),
+                ...(call !== undefined ? { call } : {}),
+            }));
+            return init.status === 200 && tools.status === 200 ? 0 : 5;
+        }
+        console.log('validate: pass');
+        console.log(`mcp: initialize ${init.status === 200 ? 'pass' : 'fail'}`);
+        console.log(`tools: ${toolList.map((tool) => tool.name).join(', ') || '(none)'}`);
+        if (call !== undefined)
+            console.log(JSON.stringify(call, null, 2));
+        return init.status === 200 && tools.status === 200 ? 0 : 5;
+    }
+    finally {
+        await handle.close();
+    }
+}
+async function runSmoke(kind, rest) {
+    const [action, subject, ...tail] = rest;
+    const args = parseAuthorSmokeArgs(kind === 'tools' && action === 'list' && subject !== undefined ? [subject, ...tail] : tail);
+    const manifestPath = args.path ?? resolveLinkedEntrypoint();
+    if (!manifestPath)
+        return missingProjectEntrypoint(kind);
+    const handle = await dev({
+        manifestPath,
+        ...(args.connectorsPath ? { connectorsPath: args.connectorsPath } : {}),
+        watch: false,
+        interactive: false,
+        log: () => { },
+    });
+    try {
+        let method;
+        let params;
+        if (kind === 'tools' && action === 'list') {
+            method = 'tools/list';
+            params = {};
+        }
+        else if (kind === 'tools' && action === 'call' && subject !== undefined) {
+            method = 'tools/call';
+            params = { name: subject, arguments: parseJsonArgs(args.args) };
+        }
+        else if (kind === 'resources' && action === 'read' && subject !== undefined) {
+            method = 'resources/read';
+            params = { uri: subject };
+        }
+        else if (kind === 'prompts' && action === 'get' && subject !== undefined) {
+            method = 'prompts/get';
+            params = { name: subject, arguments: parseJsonArgs(args.args) };
+        }
+        else {
+            usage();
+            return 2;
+        }
+        const response = await localMcpCall(handle.url, method, params);
+        if (response.body?.error !== undefined) {
+            if (args.json)
+                console.error(JSON.stringify({ ok: false, error: response.body.error }));
+            else
+                console.error(JSON.stringify(response.body.error));
+            return 5;
+        }
+        if (args.json) {
+            console.log(JSON.stringify({ ok: true, endpoint: handle.url, result: response.body?.result, ...smokeTopLevel(kind, action, response.body?.result) }));
+        }
+        else {
+            console.log(JSON.stringify(response.body?.result, null, 2));
+        }
+        return 0;
+    }
+    finally {
+        await handle.close();
+    }
+}
+function smokeTopLevel(kind, action, result) {
+    if (kind === 'tools' && action === 'list') {
+        return { tools: result?.tools ?? [] };
+    }
+    return {};
+}
+function parseAuthorSmokeArgs(rest) {
+    let path;
+    let connectorsPath;
+    let tool;
+    let args;
+    let json = false;
+    let agentOutput = false;
+    for (let i = 0; i < rest.length; i++) {
+        const arg = rest[i];
+        if (arg === '--connectors')
+            connectorsPath = rest[++i];
+        else if (arg === '--tool')
+            tool = rest[++i];
+        else if (arg === '--args')
+            args = rest[++i];
+        else if (arg === '--json')
+            json = true;
+        else if (arg === '--agent-output' || arg === '--fix-prompt')
+            agentOutput = true;
+        else if (!path && arg !== undefined && !arg.startsWith('--'))
+            path = arg;
+    }
+    return {
+        ...(path !== undefined ? { path } : {}),
+        ...(connectorsPath !== undefined ? { connectorsPath } : {}),
+        ...(tool !== undefined ? { tool } : {}),
+        ...(args !== undefined ? { args } : {}),
+        json,
+        agentOutput,
+    };
+}
+function parseJsonArgs(text) {
+    if (text === undefined)
+        return {};
+    const parsed = JSON.parse(text);
+    return typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)
+        ? parsed
+        : {};
+}
+function missingProjectEntrypoint(command) {
+    printRecovery({
+        command,
+        cause: 'No project entrypoint found.',
+        fix: 'Create a project or bind this directory to an existing project entrypoint.',
+        next: 'noodle init or noodle link --entrypoint <path>',
+    });
+    return 2;
+}
 async function runDev(rest, env) {
     let manifestPath;
     let connectorsPath;
@@ -162,19 +629,22 @@ async function runDev(rest, env) {
         else if (!manifestPath && arg !== undefined && !arg.startsWith('--'))
             manifestPath = arg;
     }
-    if (!manifestPath) {
-        console.error('dev: missing <manifest.yaml|server.ts>');
-        usage();
-        return 2;
-    }
+    const project = readProjectLink();
+    if (!manifestPath)
+        manifestPath = resolveLinkedEntrypoint();
+    if (!manifestPath)
+        return missingProjectEntrypoint('dev');
     let handle;
     try {
+        const resolvedOrg = org ?? project?.org;
+        const resolvedApp = app ?? project?.app;
+        const resolvedEnv = targetEnv ?? project?.env;
         handle = await dev({
             manifestPath,
             ...(connectorsPath ? { connectorsPath } : {}),
-            ...(org ? { org } : {}),
-            ...(app ? { app } : {}),
-            ...(targetEnv ? { env: targetEnv } : {}),
+            ...(resolvedOrg !== undefined ? { org: resolvedOrg } : {}),
+            ...(resolvedApp !== undefined ? { app: resolvedApp } : {}),
+            ...(resolvedEnv !== undefined ? { env: resolvedEnv } : {}),
             ...(port !== undefined ? { port } : {}),
         });
     }
@@ -200,7 +670,10 @@ async function runDeploy(rest, env, home) {
     let org;
     let app;
     let targetEnv;
-    let save = false;
+    let saveLegacy = false;
+    let noSave = false;
+    let noPrompt = false;
+    let json = false;
     let accessMode;
     for (let i = 0; i < rest.length; i++) {
         const arg = rest[i];
@@ -221,13 +694,34 @@ async function runDeploy(rest, env, home) {
         else if (arg === '--env')
             targetEnv = rest[++i];
         else if (arg === '--save')
-            save = true;
+            saveLegacy = true;
+        else if (arg === '--no-save')
+            noSave = true;
+        else if (arg === '--no-prompt')
+            noPrompt = true;
+        else if (arg === '--json')
+            json = true;
         else if (arg === '--private')
             accessMode = 'owner-only';
         else if (arg === '--access') {
             const value = rest[++i];
             if (!isAccessMode(value)) {
-                console.error('deploy: --access must be caller-key, owner-only, or org-members');
+                if (value === 'caller-key') {
+                    printRecovery({
+                        command: 'deploy',
+                        cause: 'caller-key access has been removed.',
+                        fix: 'Use identity-based hosted access.',
+                        next: 'noodle deploy --access owner-only or noodle deploy --access org-members',
+                    });
+                }
+                else {
+                    printRecovery({
+                        command: 'deploy',
+                        cause: '--access must be owner-only or org-members.',
+                        fix: 'Choose one of the supported identity access modes.',
+                        next: 'noodle deploy --access owner-only',
+                    });
+                }
                 return 2;
             }
             accessMode = value;
@@ -235,33 +729,95 @@ async function runDeploy(rest, env, home) {
         else if (!manifestPath && arg !== undefined && !arg.startsWith('--'))
             manifestPath = arg;
     }
-    if (!manifestPath) {
-        usage();
-        return 1;
-    }
+    const project = readProjectLink();
+    if (!manifestPath)
+        manifestPath = resolveLinkedEntrypoint();
+    if (!manifestPath)
+        return missingProjectEntrypoint('deploy');
     const { serviceUrl, token } = await resolveControlPlaneToken({
-        serviceFlag,
+        serviceFlag: serviceFlag ??
+            (env.NOODLE_SERVICE_URL === undefined && project?.serviceUrl !== undefined
+                ? project.serviceUrl
+                : undefined),
         authFlag,
         env,
         home,
     });
     const config = readConfig(home);
-    const outcome = await deploy({
+    const resolvedOrg = org ?? project?.org ?? config.defaultOrg;
+    const resolvedApp = app ?? project?.app ?? config.defaultApp;
+    const resolvedEnv = targetEnv ?? project?.env ?? config.defaultEnv;
+    const resolvedAccessMode = accessMode ?? project?.accessMode;
+    let outcome = await deploy({
         manifestPath,
         ...(connectorsPath ? { connectorsPath } : {}),
         ...(serviceUrl ? { serviceUrl } : {}),
         ...(token ? { authToken: token } : {}),
-        ...(org ?? config.defaultOrg ? { org: org ?? config.defaultOrg } : {}),
-        ...(app ?? config.defaultApp ? { app: app ?? config.defaultApp } : {}),
-        ...(targetEnv ?? config.defaultEnv ? { env: targetEnv ?? config.defaultEnv } : {}),
-        ...(accessMode ? { accessMode } : {}),
+        ...(resolvedOrg !== undefined ? { org: resolvedOrg } : {}),
+        ...(resolvedApp !== undefined ? { app: resolvedApp } : {}),
+        ...(resolvedEnv !== undefined ? { env: resolvedEnv } : {}),
+        ...(resolvedAccessMode !== undefined ? { accessMode: resolvedAccessMode } : {}),
     });
     if (!outcome.ok) {
-        console.error(outcome.message);
-        if (outcome.errors !== undefined)
-            console.error(JSON.stringify(outcome.errors, null, 2));
+        const missingSecrets = missingSecretNames(outcome.errors);
+        if (missingSecrets.length > 0 && !noPrompt && token !== undefined && process.stdin.isTTY === true && process.stdout.isTTY === true) {
+            const target = {
+                org: resolvedOrg ?? 'local',
+                app: resolvedApp ?? basename(manifestPath, extname(manifestPath)),
+                env: resolvedEnv ?? 'prod',
+            };
+            await promptAndSetMissingSecrets({ missingSecrets, serviceUrl, token, target });
+            outcome = await deploy({
+                manifestPath,
+                ...(connectorsPath ? { connectorsPath } : {}),
+                ...(serviceUrl ? { serviceUrl } : {}),
+                authToken: token,
+                org: target.org,
+                app: target.app,
+                env: target.env,
+                ...(resolvedAccessMode !== undefined ? { accessMode: resolvedAccessMode } : {}),
+            });
+        }
+    }
+    if (!outcome.ok) {
+        const missingSecrets = missingSecretNames(outcome.errors);
+        if (missingSecrets.length > 0) {
+            const target = {
+                org: resolvedOrg ?? 'local',
+                app: resolvedApp ?? basename(manifestPath, extname(manifestPath)),
+                env: resolvedEnv ?? 'prod',
+            };
+            if (json) {
+                console.error(JSON.stringify({ ok: false, error: { code: 'missing_secret', message: `Missing required managed secret(s): ${missingSecrets.join(', ')}`, next: secretSetCommand(missingSecrets[0], target) } }));
+            }
+            else
+                printRecovery({
+                    command: 'deploy',
+                    cause: `Missing required managed secret(s): ${missingSecrets.join(', ')}`,
+                    fix: 'Set the missing secret(s) at the environment scope.',
+                    next: secretSetCommand(missingSecrets[0], target),
+                });
+        }
+        else {
+            if (json) {
+                console.error(JSON.stringify({ ok: false, error: { code: 'deploy_failed', message: outcome.message, status: outcome.status } }));
+            }
+            else
+                printRecovery({
+                    command: 'deploy',
+                    cause: outcome.message,
+                    fix: deployFailureFix(outcome.status),
+                    next: deployFailureNext(outcome.status, serviceUrl),
+                });
+            if (!json && outcome.errors !== undefined)
+                console.error(JSON.stringify(outcome.errors, null, 2));
+        }
         return 1;
     }
+    if (json) {
+        console.log(JSON.stringify({ ok: true, deploymentId: outcome.deploymentId, url: outcome.url, accessMode: outcome.accessMode, service: serviceUrl }));
+        return 0;
+    }
     console.log(`Deployed.  deploymentId: ${outcome.deploymentId}`);
     console.log(`Endpoint:  ${outcome.url}`);
     if (outcome.accessMode === 'owner-only') {
@@ -272,28 +828,176 @@ async function runDeploy(rest, env, home) {
         console.log('Access:    org-members — members of the deployment org can call it via login.');
         console.log('           Connect from an MCP client (e.g. Claude.ai) and sign in when prompted.');
     }
-    else if (outcome.callerKey !== undefined) {
-        console.log(`Caller key (shown once — store it): ${outcome.callerKey}`);
+    const createdAt = new Date().toISOString();
+    if (!noSave && project !== undefined) {
+        writeProjectDeployment({
+            deploymentId: outcome.deploymentId,
+            url: outcome.url,
+            org: resolvedOrg ?? project.org,
+            app: resolvedApp ?? project.app,
+            env: resolvedEnv ?? project.env,
+            accessMode: outcome.accessMode,
+            serviceUrl,
+            createdAt,
+        });
+        console.log('Saved deployment metadata to .noodle/deployment.json.');
     }
-    if (save) {
+    if (!noSave && saveLegacy) {
         appendServer({
             deploymentId: outcome.deploymentId,
             url: outcome.url,
-            ...(outcome.callerKey !== undefined ? { callerKey: outcome.callerKey } : {}),
-            createdAt: new Date().toISOString(),
+            createdAt,
         }, home);
-        console.log('Saved to ~/.noodle/servers.json (live caller keys — do not commit/sync).');
+        console.log('Saved legacy deployment metadata to ~/.noodle/servers.json.');
+    }
+    return 0;
+}
+function runOpen(rest, env, home) {
+    let printOnly = false;
+    let dashboard = false;
+    for (let i = 0; i < rest.length; i++) {
+        const arg = rest[i];
+        if (arg === '--print')
+            printOnly = true;
+        else if (arg === '--dashboard')
+            dashboard = true;
+    }
+    const projectDeployment = readProjectDeployment();
+    const legacy = readServers(home).at(-1);
+    const url = dashboard
+        ? (projectDeployment?.serviceUrl ?? serviceUrlFromLegacy(legacy))
+        : (projectDeployment?.url ?? legacy?.url);
+    if (url === undefined) {
+        printRecovery({
+            command: 'open',
+            cause: 'No saved deployment metadata found.',
+            fix: 'Deploy this project first so the CLI can remember its endpoint.',
+            next: 'noodle deploy',
+        });
+        return 1;
     }
-    if (outcome.accessMode === 'caller-key' && outcome.callerKey !== undefined) {
-        console.log('Try it:');
-        console.log(`  curl -s ${outcome.url} -H 'content-type: application/json' -H 'accept: ${ACCEPT}' ` +
-            `-H 'mcp-protocol-version: 2025-11-25' -H 'authorization: Bearer ${outcome.callerKey}' ` +
-            `-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'`);
+    if (printOnly || env.CI === 'true' || process.stdout.isTTY !== true) {
+        console.log(url);
+        return 0;
     }
+    openUrl(url);
+    console.log(url);
     return 0;
 }
+function serviceUrlFromLegacy(server) {
+    if (server === undefined)
+        return undefined;
+    try {
+        const url = new URL(server.url);
+        return `${url.protocol}//${url.host}`;
+    }
+    catch {
+        return undefined;
+    }
+}
+function openUrl(url) {
+    const command = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
+    const args = platform === 'win32' ? ['/c', 'start', '', url] : [url];
+    const child = spawn(command, args, { detached: true, stdio: 'ignore' });
+    child.unref();
+}
+async function runStatus(rest, env, home) {
+    const args = parseTenantCommandArgs(rest);
+    const target = resolveTenantTarget(args, home);
+    if (!target.ok)
+        return printCliFailure('status', target.error, args.json);
+    const resolved = await resolveControlPlaneToken({
+        serviceFlag: args.service ?? target.serviceUrl,
+        authFlag: args.authToken,
+        env,
+        home,
+    });
+    if (resolved.token === undefined) {
+        return printCliFailure('status', {
+            code: 'auth_required',
+            message: 'No control-plane login token is available.',
+            cause: 'Hosted status requires an authenticated Noodle Cloud identity.',
+            fix: 'Sign in to the target service.',
+            next: 'noodle login',
+            exitCode: 3,
+        }, args.json);
+    }
+    try {
+        const body = await serviceJson(`${resolved.serviceUrl}/v1/orgs/${encodeURIComponent(target.org)}` +
+            `/apps/${encodeURIComponent(target.app)}/envs/${encodeURIComponent(target.env)}/status`, resolved.token);
+        if (args.json) {
+            console.log(JSON.stringify({ ...body, service: resolved.serviceUrl }));
+            return 0;
+        }
+        console.log(`service: ${resolved.serviceUrl}`);
+        console.log(`target:  ${body.target.org}/${body.target.app}/${body.target.env}`);
+        console.log(`deploy:  ${body.deployment.deploymentId}`);
+        console.log(`url:     ${body.deployment.endpointUrl}`);
+        console.log(`access:  ${body.deployment.accessMode}`);
+        console.log(`health:  ${body.health.state}`);
+        if (!body.config.ok)
+            console.log(`missing secrets: ${body.config.missingSecrets.join(', ')}`);
+        return 0;
+    }
+    catch (error) {
+        return printCliFailure('status', serviceFailure('status', error, 'noodle doctor'), args.json);
+    }
+}
+async function runAccess(rest, env, home) {
+    const [action, mode, ...tail] = rest;
+    const args = parseTenantCommandArgs(tail);
+    if (action !== 'set' || !isAccessMode(mode)) {
+        return printCliFailure('access', {
+            code: 'usage_error',
+            message: 'usage: noodle access set owner-only|org-members',
+            cause: 'The access command needs a supported identity access mode.',
+            fix: 'Choose owner-only or org-members.',
+            next: 'noodle access set owner-only',
+            exitCode: 2,
+        }, args.json);
+    }
+    const target = resolveTenantTarget(args, home);
+    if (!target.ok)
+        return printCliFailure('access', target.error, args.json);
+    const resolved = await resolveControlPlaneToken({
+        serviceFlag: args.service ?? target.serviceUrl,
+        authFlag: args.authToken,
+        env,
+        home,
+    });
+    if (resolved.token === undefined) {
+        return printCliFailure('access', {
+            code: 'auth_required',
+            message: 'No control-plane login token is available.',
+            cause: 'Hosted access updates require an authenticated Noodle Cloud identity.',
+            fix: 'Sign in to the target service.',
+            next: 'noodle login',
+            exitCode: 3,
+        }, args.json);
+    }
+    try {
+        const body = await serviceJson(`${resolved.serviceUrl}/v1/orgs/${encodeURIComponent(target.org)}` +
+            `/apps/${encodeURIComponent(target.app)}/envs/${encodeURIComponent(target.env)}/access`, resolved.token, {
+            method: 'PATCH',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ accessMode: mode }),
+        });
+        if (args.json) {
+            console.log(JSON.stringify({ ...body, service: resolved.serviceUrl }));
+            return 0;
+        }
+        console.log(`service: ${resolved.serviceUrl}`);
+        console.log(`target:  ${body.target.org}/${body.target.app}/${body.target.env}`);
+        console.log(`deploy:  ${body.deployment.deploymentId}`);
+        console.log(`access:  ${body.deployment.accessMode}`);
+        return 0;
+    }
+    catch (error) {
+        return printCliFailure('access', serviceFailure('access', error, 'noodle status'), args.json);
+    }
+}
 function isAccessMode(value) {
-    return value === 'caller-key' || value === 'owner-only' || value === 'org-members';
+    return value === 'owner-only' || value === 'org-members';
 }
 async function runLogin(rest, env, home) {
     let service;
@@ -324,7 +1028,12 @@ async function runLogin(rest, env, home) {
             return 0;
         }
         catch (error) {
-            console.error(`login: ${error.message}`);
+            printRecovery({
+                command: 'login',
+                cause: errorMessage(error),
+                fix: 'Check the service URL, browser login configuration, and network connection.',
+                next: `noodle login --service ${serviceUrl}`,
+            });
             return 1;
         }
     }
@@ -374,12 +1083,18 @@ async function runWhoami(env, home, rest = []) {
         return 0;
     }
     catch (error) {
-        console.error(`whoami: ${error.message}`);
+        printRecovery({
+            command: 'whoami',
+            cause: errorMessage(error),
+            fix: 'Check your login and service URL.',
+            next: `noodle login --service ${serviceUrl}`,
+        });
         return 1;
     }
 }
 async function runList(rest, env, home) {
     const { serviceFlag, authFlag, org, app, targetEnv } = parseListArgs(rest);
+    const json = rest.includes('--json');
     const { serviceUrl, token } = await resolveControlPlaneToken({
         serviceFlag,
         authFlag,
@@ -394,6 +1109,21 @@ async function runList(rest, env, home) {
             if (targetEnv !== undefined)
                 url.searchParams.set('env', targetEnv);
             const body = await serviceJson(url.toString(), token);
+            if (json) {
+                console.log(JSON.stringify({
+                    ok: true,
+                    target: {
+                        service: serviceUrl,
+                        org,
+                        ...(app !== undefined ? { app } : {}),
+                        ...(targetEnv !== undefined ? { env: targetEnv } : {}),
+                    },
+                    deployments: body.deployments,
+                }));
+                return 0;
+            }
+            console.log(`service: ${serviceUrl}`);
+            console.log(`target:  ${org}${app !== undefined ? `/${app}` : ''}${targetEnv !== undefined ? `/${targetEnv}` : ''}`);
             for (const d of body.deployments) {
                 console.log(`${d.deploymentId}\t${d.appSlug}\t${d.environment}\t${d.accessMode}\t${d.active ? 'active' : 'inactive'}\t${d.createdAt}`);
             }
@@ -401,24 +1131,32 @@ async function runList(rest, env, home) {
             return 0;
         }
         catch (error) {
-            console.error(`list: ${error.message}`);
-            return 1;
+            return printCliFailure('list', serviceFailure('list', error, 'noodle doctor'), json);
         }
     }
     const servers = readServers(home);
     if (servers.length === 0) {
-        console.log('No saved servers. Deploy with `--save` to remember one locally.');
+        if (json) {
+            console.log(JSON.stringify({ ok: true, target: { runtime: 'local' }, deployments: [] }));
+            return 0;
+        }
+        console.log('No saved servers. Deploy a linked project with `noodle deploy` to remember one locally.');
+        return 0;
+    }
+    if (json) {
+        console.log(JSON.stringify({ ok: true, target: { runtime: 'local' }, deployments: servers }));
         return 0;
     }
     for (const s of servers) {
         console.log(`${s.deploymentId}\t${s.url}\t${s.createdAt}`);
     }
-    console.log(`\n${servers.length} server(s) cached in ~/.noodle/servers.json (caller keys stored there — keep private).`);
+    console.log(`\n${servers.length} server(s) cached in ~/.noodle/servers.json.`);
     return 0;
 }
 async function runOrgs(rest, env, home) {
     const [action, maybeSlug, ...tail] = rest;
     const { serviceFlag, authFlag, displayName } = parseOrgArgs(tail);
+    const json = tail.includes('--json');
     const { serviceUrl, token } = await resolveControlPlaneToken({
         serviceFlag,
         authFlag,
@@ -430,6 +1168,10 @@ async function runOrgs(rest, env, home) {
     try {
         if (action === 'list') {
             const body = await serviceJson(`${serviceUrl}/v1/orgs`, token);
+            if (json) {
+                console.log(JSON.stringify({ ok: true, service: serviceUrl, orgs: body.orgs }));
+                return 0;
+            }
             for (const org of body.orgs)
                 console.log(`${org.slug}\t${org.displayName ?? ''}`);
             return 0;
@@ -440,6 +1182,10 @@ async function runOrgs(rest, env, home) {
                 headers: { 'content-type': 'application/json' },
                 body: JSON.stringify({ slug: maybeSlug, ...(displayName ? { displayName } : {}) }),
             });
+            if (json) {
+                console.log(JSON.stringify({ ok: true, service: serviceUrl, org: body.org }));
+                return 0;
+            }
             console.log(`created ${body.org.slug}`);
             return 0;
         }
@@ -454,6 +1200,7 @@ async function runOrgs(rest, env, home) {
 async function runMembers(rest, env, home) {
     const [action, ...tail] = rest;
     const args = parseMemberArgs(tail);
+    const json = tail.includes('--json');
     if (!args.org) {
         console.error('members: --org is required');
         return 2;
@@ -470,6 +1217,10 @@ async function runMembers(rest, env, home) {
         const base = `${serviceUrl}/v1/orgs/${encodeURIComponent(args.org)}/members`;
         if (action === 'list') {
             const body = await serviceJson(base, token);
+            if (json) {
+                console.log(JSON.stringify({ ok: true, service: serviceUrl, org: args.org, members: body.members }));
+                return 0;
+            }
             for (const member of body.members) {
                 console.log(`${member.email}\t${member.role}\t${member.subject}`);
             }
@@ -485,11 +1236,19 @@ async function runMembers(rest, env, home) {
                     ...(args.role ? { role: args.role } : {}),
                 }),
             });
+            if (json) {
+                console.log(JSON.stringify({ ok: true, service: serviceUrl, org: args.org, email: args.email }));
+                return 0;
+            }
             console.log(`added ${args.email}`);
             return 0;
         }
         if (action === 'remove' && args.subject) {
             await serviceJson(`${base}/${encodeURIComponent(args.subject)}`, token, { method: 'DELETE' });
+            if (json) {
+                console.log(JSON.stringify({ ok: true, service: serviceUrl, org: args.org, subject: args.subject, removed: true }));
+                return 0;
+            }
             console.log(`removed ${args.subject}`);
             return 0;
         }
@@ -501,50 +1260,22 @@ async function runMembers(rest, env, home) {
     usage();
     return 2;
 }
-async function runKeys(rest, env, home) {
-    const [action, ...tail] = rest;
-    const args = parseListArgs(tail);
-    if (!args.org || !args.app) {
-        console.error('keys: --org and --app are required');
-        return 2;
-    }
-    const targetEnv = args.targetEnv ?? 'prod';
-    const { serviceUrl, token } = await resolveControlPlaneToken({
-        serviceFlag: args.serviceFlag,
-        authFlag: args.authFlag,
-        env,
-        home,
-    });
-    if (token === undefined)
-        return missingLogin('keys');
-    const base = `${serviceUrl}/v1/orgs/${encodeURIComponent(args.org)}/apps/${encodeURIComponent(args.app)}/envs/${encodeURIComponent(targetEnv)}/keys`;
-    try {
-        if (action === 'list') {
-            const body = await serviceJson(base, token);
-            for (const key of body.keys) {
-                console.log(`${key.deploymentId}\t${key.active ? 'active' : 'inactive'}\t${key.createdAt}`);
-            }
-            return 0;
-        }
-        if (action === 'rotate') {
-            const body = await serviceJson(`${base}/rotate`, token, { method: 'POST' });
-            console.log(`rotated ${body.key.deploymentId}`);
-            console.log(`Caller key (shown once — store it): ${body.callerKey}`);
-            return 0;
-        }
-    }
-    catch (error) {
-        console.error(`keys: ${error.message}`);
-        return 1;
-    }
-    usage();
-    return 2;
-}
 function runTarget(rest, home) {
     const [action, ...tail] = rest;
     const args = parseTargetArgs(tail);
     const config = readConfig(home);
+    const json = tail.includes('--json');
     if (action === 'show') {
+        if (json) {
+            console.log(JSON.stringify({ ok: true, target: {
+                    runtime: config.defaultRuntime ?? 'local',
+                    service: config.serviceUrl ?? null,
+                    org: config.defaultOrg ?? null,
+                    app: config.defaultApp ?? null,
+                    env: config.defaultEnv ?? null,
+                } }));
+            return 0;
+        }
         console.log(`runtime: ${config.defaultRuntime ?? 'local'}`);
         console.log(`service: ${config.serviceUrl ?? '(none)'}`);
         console.log(`org:     ${config.defaultOrg ?? '(none)'}`);
@@ -553,14 +1284,25 @@ function runTarget(rest, home) {
         return 0;
     }
     if (action === 'set') {
-        writeConfig({
+        const updated = {
             ...config,
             ...(args.runtime !== undefined ? { defaultRuntime: args.runtime } : {}),
             ...(args.service !== undefined ? { serviceUrl: args.service } : {}),
             ...(args.org !== undefined ? { defaultOrg: args.org } : {}),
             ...(args.app !== undefined ? { defaultApp: args.app } : {}),
             ...(args.targetEnv !== undefined ? { defaultEnv: args.targetEnv } : {}),
-        }, home);
+        };
+        writeConfig(updated, home);
+        if (json) {
+            console.log(JSON.stringify({ ok: true, target: {
+                    runtime: updated.defaultRuntime ?? 'local',
+                    service: updated.serviceUrl ?? null,
+                    org: updated.defaultOrg ?? null,
+                    app: updated.defaultApp ?? null,
+                    env: updated.defaultEnv ?? null,
+                } }));
+            return 0;
+        }
         console.log('Saved ~/.noodle/config.json (0600).');
         return 0;
     }
@@ -576,12 +1318,19 @@ async function runConfigValues(kind, rest, env, home) {
     const runtime = args.runtime ?? config.defaultRuntime ?? 'local';
     const scope = configScope(args.scope ?? 'env', args, config);
     if (scope === undefined) {
-        console.error(`${configCommand(kind)}: --org, --app, and --env are required for the chosen scope`);
+        printRecovery({
+            command: configCommand(kind),
+            cause: '--org, --app, and --env are required for the chosen scope.',
+            fix: 'Set a target once or pass the scope identifiers explicitly.',
+            next: 'noodle target set --org <org> --app <app> --env <env>',
+        });
         return 2;
     }
     const command = configCommand(kind);
     try {
         if (runtime === 'local') {
+            if (!args.json)
+                printConfigTarget({ runtime, scope });
             if (action === 'set' && name !== undefined) {
                 setLocalConfigValue(process.cwd(), {
                     kind,
@@ -589,21 +1338,34 @@ async function runConfigValues(kind, rest, env, home) {
                     name,
                     value: await configInputValue(args, env),
                 });
-                console.log(`set ${name}`);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, scope, name }));
+                else
+                    console.log(`set ${name}`);
                 return 0;
             }
             if (action === 'list') {
-                printConfigRecords(kind, readLocalConfigValues(process.cwd(), kind, scope));
+                const records = readLocalConfigValues(process.cwd(), kind, scope);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, scope, values: safeConfigRecords(kind, records) }));
+                else
+                    printConfigRecords(kind, records);
                 return 0;
             }
             if (action === 'delete' && name !== undefined) {
                 const deleted = deleteLocalConfigValue(process.cwd(), kind, scope, name);
-                console.log(deleted ? `deleted ${name}` : `${name} was not set`);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, scope, name, deleted }));
+                else
+                    console.log(deleted ? `deleted ${name}` : `${name} was not set`);
                 return 0;
             }
             if (action === 'resolve') {
                 const values = resolveLocalConfigValues(process.cwd(), kind, tenantForScope(scope, config));
-                printResolvedConfig(kind, values, name);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, scope, values: safeResolvedConfig(kind, values, name) }));
+                else
+                    printResolvedConfig(kind, values, name);
                 return 0;
             }
         }
@@ -614,6 +1376,10 @@ async function runConfigValues(kind, rest, env, home) {
                 env,
                 home,
             });
+            if (token === undefined)
+                return missingLogin(command);
+            if (!args.json)
+                printConfigTarget({ runtime, scope, serviceUrl });
             const base = `${serviceUrl}${configApiPath(kind, scope)}`;
             if (action === 'set' && name !== undefined) {
                 await serviceJson(`${base}/${encodeURIComponent(name)}`, token, {
@@ -621,32 +1387,244 @@ async function runConfigValues(kind, rest, env, home) {
                     headers: { 'content-type': 'application/json' },
                     body: JSON.stringify({ value: await configInputValue(args, env) }),
                 });
-                console.log(`set ${name}`);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, service: serviceUrl, scope, name }));
+                else
+                    console.log(`set ${name}`);
                 return 0;
             }
             if (action === 'list' || action === 'resolve') {
                 const body = await serviceJson(base, token);
-                printConfigRecords(kind, body.values);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, service: serviceUrl, scope, values: safeConfigRecords(kind, body.values) }));
+                else
+                    printConfigRecords(kind, body.values);
                 return 0;
             }
             if (action === 'delete' && name !== undefined) {
                 await serviceJson(`${base}/${encodeURIComponent(name)}`, token, { method: 'DELETE' });
-                console.log(`deleted ${name}`);
+                if (args.json)
+                    console.log(JSON.stringify({ ok: true, runtime, service: serviceUrl, scope, name, deleted: true }));
+                else
+                    console.log(`deleted ${name}`);
                 return 0;
             }
         }
     }
     catch (error) {
-        console.error(`${command}: ${error.message}`);
+        printRecovery({
+            command,
+            cause: errorMessage(error),
+            fix: 'Check the target scope, login, service URL, and value source.',
+            next: `${command} list --scope ${scope.level}`,
+        });
         return 1;
     }
     usage();
     return 2;
 }
+function printConfigTarget(input) {
+    console.log(`runtime: ${input.runtime}`);
+    if (input.serviceUrl !== undefined)
+        console.log(`service: ${input.serviceUrl}`);
+    console.log(`scope:   ${configScopeLabel(input.scope)}`);
+}
+function configScopeLabel(scope) {
+    if (scope.level === 'org')
+        return `org/${scope.org}`;
+    if (scope.level === 'app')
+        return `org/${scope.org}/app/${scope.app}`;
+    return `org/${scope.org}/app/${scope.app}/env/${scope.env}`;
+}
 function missingLogin(command) {
-    console.error(`${command}: login first or pass --auth-token <token>`);
+    printRecovery({
+        command,
+        cause: 'No control-plane login token is available.',
+        fix: 'Sign in or pass an explicit auth token for this command.',
+        next: 'noodle login',
+    });
     return 1;
 }
+function printCliFailure(command, failure, json = false) {
+    if (json) {
+        console.error(JSON.stringify({
+            ok: false,
+            error: {
+                code: failure.code,
+                message: failure.message,
+                cause: failure.cause,
+                fix: failure.fix,
+                next: failure.next,
+                ...(failure.requestId !== undefined ? { requestId: failure.requestId } : {}),
+            },
+        }));
+    }
+    else {
+        printRecovery({
+            command,
+            cause: failure.cause,
+            fix: failure.fix,
+            next: failure.next,
+        });
+    }
+    return failure.exitCode;
+}
+function serviceFailure(command, error, next) {
+    if (error instanceof ServiceRequestError) {
+        const auth = error.status === 401 || error.status === 403;
+        const network = error.status === 0;
+        return {
+            code: auth ? 'auth_failed' : network ? 'service_unreachable' : 'service_error',
+            message: error.message,
+            cause: error.message,
+            fix: auth
+                ? 'Sign in again and confirm org access.'
+                : network
+                    ? 'Check the service URL and network connection.'
+                    : 'Check the service response and retry.',
+            next: auth ? 'noodle login' : next,
+            ...(error.requestId !== undefined ? { requestId: error.requestId } : {}),
+            exitCode: auth ? 3 : network ? 4 : 1,
+        };
+    }
+    return {
+        code: 'command_failed',
+        message: errorMessage(error),
+        cause: errorMessage(error),
+        fix: 'Check command inputs and retry.',
+        next,
+        exitCode: 1,
+    };
+}
+function parseTenantCommandArgs(rest) {
+    let org;
+    let app;
+    let targetEnv;
+    let service;
+    let authToken;
+    let json = false;
+    for (let i = 0; i < rest.length; i++) {
+        const arg = rest[i];
+        if (arg === '--org')
+            org = rest[++i];
+        else if (arg === '--app')
+            app = rest[++i];
+        else if (arg === '--env')
+            targetEnv = rest[++i];
+        else if (arg === '--service')
+            service = rest[++i];
+        else if (arg === '--auth-token')
+            authToken = rest[++i];
+        else if (arg === '--json')
+            json = true;
+    }
+    return {
+        ...(org !== undefined ? { org } : {}),
+        ...(app !== undefined ? { app } : {}),
+        ...(targetEnv !== undefined ? { targetEnv } : {}),
+        ...(service !== undefined ? { service } : {}),
+        ...(authToken !== undefined ? { authToken } : {}),
+        json,
+    };
+}
+function resolveTenantTarget(args, home) {
+    const project = readProjectLink();
+    const config = readConfig(home);
+    const org = args.org ?? project?.org ?? config.defaultOrg;
+    const app = args.app ?? project?.app ?? config.defaultApp;
+    const targetEnv = args.targetEnv ?? project?.env ?? config.defaultEnv ?? 'prod';
+    if (org === undefined || app === undefined) {
+        return {
+            ok: false,
+            error: {
+                code: 'target_required',
+                message: 'org and app are required',
+                cause: 'No org/app target was supplied or saved.',
+                fix: 'Pass --org and --app or link the project.',
+                next: 'noodle link --org <org> --app <app>',
+                exitCode: 2,
+            },
+        };
+    }
+    return {
+        ok: true,
+        org,
+        app,
+        env: targetEnv,
+        ...(args.service ?? project?.serviceUrl ?? config.serviceUrl
+            ? { serviceUrl: args.service ?? project?.serviceUrl ?? config.serviceUrl }
+            : {}),
+    };
+}
+function missingSecretNames(errors) {
+    if (!Array.isArray(errors))
+        return [];
+    const names = new Set();
+    for (const error of errors) {
+        if (typeof error !== 'object' || error === null)
+            continue;
+        const item = error;
+        if (item.code !== 'missing_secret')
+            continue;
+        if (typeof item.path === 'string' && item.path.startsWith('secrets.')) {
+            names.add(item.path.slice('secrets.'.length));
+            continue;
+        }
+        if (typeof item.message === 'string') {
+            const match = /required secret "([^"]+)"/.exec(item.message);
+            if (match?.[1])
+                names.add(match[1]);
+        }
+    }
+    return [...names].sort();
+}
+function secretSetCommand(name, target) {
+    return (`noodle secrets set ${name} --scope env --org ${target.org}` +
+        ` --app ${target.app} --env ${target.env} --value <value>`);
+}
+async function promptAndSetMissingSecrets(input) {
+    const muted = new Writable({
+        write(_chunk, _encoding, callback) {
+            callback();
+        },
+    });
+    const rl = createInterface({ input: process.stdin, output: muted });
+    try {
+        for (const name of input.missingSecrets) {
+            console.error(`Enter value for secret ${name}:`);
+            const value = await rl.question('');
+            await serviceJson(`${input.serviceUrl}/v1/orgs/${encodeURIComponent(input.target.org)}` +
+                `/apps/${encodeURIComponent(input.target.app)}/envs/${encodeURIComponent(input.target.env)}` +
+                `/secrets/${encodeURIComponent(name)}`, input.token, {
+                method: 'PUT',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ value }),
+            });
+            console.error(`set ${name}`);
+        }
+    }
+    finally {
+        rl.close();
+    }
+}
+function deployFailureFix(status) {
+    if (status === 401 || status === 403)
+        return 'Sign in to the target service and confirm org access.';
+    if (status === 0)
+        return 'Check that the deploy service URL is reachable.';
+    if (status === 400)
+        return 'Fix the deploy input reported by the service.';
+    return 'Check the service status and retry.';
+}
+function deployFailureNext(status, serviceUrl) {
+    if (status === 401 || status === 403)
+        return `noodle login --service ${serviceUrl}`;
+    if (status === 0)
+        return `noodle doctor --service ${serviceUrl}`;
+    if (status === 400)
+        return 'noodle validate';
+    return 'noodle doctor';
+}
 function parseTargetArgs(rest) {
     let runtime;
     let service;
@@ -689,6 +1667,7 @@ function parseConfigArgs(rest) {
     let fromStdin = false;
     let service;
     let authToken;
+    let json = false;
     for (let i = 0; i < rest.length; i++) {
         const arg = rest[i];
         if (arg === '--runtime') {
@@ -719,6 +1698,8 @@ function parseConfigArgs(rest) {
             service = rest[++i];
         else if (arg === '--auth-token')
             authToken = rest[++i];
+        else if (arg === '--json')
+            json = true;
     }
     return {
         ...(runtime !== undefined ? { runtime } : {}),
@@ -732,6 +1713,7 @@ function parseConfigArgs(rest) {
         ...(fromStdin ? { fromStdin } : {}),
         ...(service !== undefined ? { service } : {}),
         ...(authToken !== undefined ? { authToken } : {}),
+        ...(json ? { json } : {}),
     };
 }
 function configScope(level, args, config) {
@@ -802,6 +1784,19 @@ function printResolvedConfig(kind, values, name) {
         console.log(`${key}=${kind === 'secret' ? '********' : value}`);
     }
 }
+function safeConfigRecords(kind, records) {
+    return records.map((record) => ({
+        name: record.name,
+        ...(record.value !== undefined ? { value: kind === 'secret' ? '********' : record.value } : {}),
+        ...(record.updatedAt !== undefined ? { updatedAt: record.updatedAt } : {}),
+    }));
+}
+function safeResolvedConfig(kind, values, name) {
+    const entries = name !== undefined ? [[name, values[name]]] : Object.entries(values).sort();
+    return Object.fromEntries(entries
+        .filter((entry) => entry[1] !== undefined)
+        .map(([key, value]) => [key, kind === 'secret' ? '********' : value]));
+}
 function parseServiceFlags(rest) {
     let serviceFlag;
     let authFlag;