vcf-super-cli 0.2.0__py3-none-any.whl

vcf_super_cli-0.2.0.dist-info/METADATA

@@ -0,0 +1,101 @@
+Metadata-Version: 2.4
+Name: vcf-super-cli
+Version: 0.2.0
+Summary: Modern, agent-friendly CLI for VMware Cloud Foundation 9, with a command tree generated dynamically from the vcf-sdk vAPI bindings.
+Project-URL: Homepage, https://github.com/thomaschristory/vcf-super-cli
+Project-URL: Documentation, https://thomaschristory.github.io/vcf-super-cli/
+Project-URL: Issues, https://github.com/thomaschristory/vcf-super-cli/issues
+Author-email: Thomas <mick27@gmail.com>
+License-Expression: Apache-2.0
+License-File: LICENSE
+Keywords: automation,cli,nsx,vcenter,vcf,vcf-sdk,vmware,vsphere
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: System :: Networking
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.12
+Requires-Dist: keyring>=25.0
+Requires-Dist: platformdirs>=4.2
+Requires-Dist: pydantic>=2.7
+Requires-Dist: pyvmomi>=9.1.0.0
+Requires-Dist: rich>=13.7
+Requires-Dist: ruamel-yaml>=0.18
+Requires-Dist: structlog>=24.1
+Requires-Dist: typer>=0.12
+Requires-Dist: vcf-nsx>=9.1.0.0
+Requires-Dist: vmware-vcenter>=9.1.0.0
+Description-Content-Type: text/markdown
+
+# vcf-super-cli (`vsc`)
+
+[![PyPI](https://img.shields.io/pypi/v/vcf-super-cli.svg)](https://pypi.org/project/vcf-super-cli/)
+[![CI](https://github.com/thomaschristory/vcf-super-cli/actions/workflows/test.yml/badge.svg)](https://github.com/thomaschristory/vcf-super-cli/actions/workflows/test.yml)
+[![Lint](https://github.com/thomaschristory/vcf-super-cli/actions/workflows/lint.yml/badge.svg)](https://github.com/thomaschristory/vcf-super-cli/actions/workflows/lint.yml)
+[![Docs](https://github.com/thomaschristory/vcf-super-cli/actions/workflows/docs.yml/badge.svg)](https://thomaschristory.github.io/vcf-super-cli/)
+[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)
+
+A modern, **agent-friendly** CLI for **VMware Cloud Foundation 9**. The command
+tree is **generated dynamically** by introspecting the official
+[`vcf-sdk`](https://pypi.org/project/vcf-sdk/) vAPI bindings — so the surface
+mirrors the real VCF 9 API instead of being hand-maintained.
+
+```console
+$ vsc vsphere vm list --profile prod
+$ vsc vsphere host get --host host-42
+$ vsc nsx segments list --output table
+$ vsc vsphere power stop vm-42 --apply        # writes are dry-run without --apply
+```
+
+> ⚠️ **Alpha / pre-release.** Reads (vSphere + NSX inventory) and writes are both
+> available. **Writes are dry-run by default** — nothing changes without `--apply`,
+> and a dry-run never opens a connection.
+
+## Why
+
+- **Mirrors the real API.** Commands come from the SDK's own vAPI metadata
+  (`VapiInterface` services + `OperationRestMetadata`), covering both vCenter and
+  NSX from one generator.
+- **Modern.** REST-first via `vmware-vcenter`, with `pyVmomi` as a fallback where
+  REST lacks coverage.
+- **Safe by default.** Writes preview as dry-runs unless you pass `--apply`; a
+  dry-run never opens a connection.
+- **Agent-friendly.** Deterministic command shape, machine-readable JSON output,
+  a stable error envelope with documented exit codes, and a bundled agent Skill.
+
+## Scope
+
+| Area | Status |
+|------|--------|
+| vSphere / vCenter read (`vsc vsphere …`) | ✅ v0.1 |
+| NSX **Policy API** read (`vsc nsx …`) | ✅ v0.1 |
+| Writes — dry-run by default + `--apply` (`vsc vsphere …` / `vsc nsx …`) | ✅ v0.2 |
+| Dynamic shell completion, per-field filter flags, pyVmomi fallback | v0.3 (planned) |
+| NSX Manager / Global-Manager, SDDC Manager, Operations, LCM | deferred |
+
+## Install
+
+```sh
+uv tool install vcf-super-cli      # recommended
+# or
+pipx install vcf-super-cli
+# or
+pip install vcf-super-cli
+```
+
+From source:
+
+```sh
+uv sync && uv run vsc --help
+```
+
+## Documentation
+
+Full guide: **[thomaschristory.github.io/vcf-super-cli](https://thomaschristory.github.io/vcf-super-cli/)**
+
+## License
+
+Apache-2.0. See [LICENSE](LICENSE).

vcf_super_cli-0.2.0.dist-info/RECORD

@@ -0,0 +1,31 @@
+vsc/__init__.py,sha256=V06TllRhI7XxsdyRD6D_JpSpRDYfM9GE0GXeQi-kPFc,316
+vsc/_version.py,sha256=_RmvbVZrkbsHZ4h_b7TTacj9h4ent4lXeWux_gZnSeI,217
+vsc/logging_config.py,sha256=zjxvOTkeBLXCkUTelkNzDRdU77TX97thMuLOzYl3Vow,861
+vsc/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+vsc/cli/app.py,sha256=1dxgBQGPJJtGDQfdgKYaoJ7Cl0Zu2HLGuz2y3Y6jI3w,2731
+vsc/cli/profiles.py,sha256=bo2hjpLGVM4ej5bh-ZWOr0UuHerh-ujdzF2rUvfxi6g,7874
+vsc/cli/skill.py,sha256=ZeCjAV7PLrO6KIXy4CBI0wI5IKUvY8eYdOqTiYRI0nc,888
+vsc/config/__init__.py,sha256=lvpce4_TyeNCa6USPeXTtspFkvssN9Q62PItNZPxGqo,339
+vsc/config/schema.py,sha256=Lxk9YzfltkqFc--ZZnXQkdJk5ddgzwI3f0Q5uRWuFFc,949
+vsc/config/store.py,sha256=05cVMUgKb7gWqcNljeNMFSUleBSAMOZt0sLEOQKrXUs,3329
+vsc/connect/__init__.py,sha256=apTWhOMAhYKVn25TqjTeKUa7qtcCA_ki4ImFWnbWhMI,282
+vsc/connect/session.py,sha256=_bc6-1OFOsUIcR_rIZACmXnE_ZWUxAw06TlQE6SL0Bc,2550
+vsc/connect/targets.py,sha256=6saJAI8MOxfCOs62lbrhvthfxbg46NY0_awmbFU37sQ,4210
+vsc/gen/__init__.py,sha256=kjx70eP9G_yGWF1KDf0LVLPB7Xh9zDV_qUa7hNCQ6ds,322
+vsc/gen/builder.py,sha256=enje5AIf0QeKoxQRbJEkfRuduRf2N0cMRJt7Q0qUDd8,9588
+vsc/gen/discover.py,sha256=nRnreZ2hheQ2oeqOSqo00HIQ6BufsKoVCnygtZtEWhg,8261
+vsc/gen/model.py,sha256=EewK3SUGSgwenfLlFEn54Z76Hal_hqyGBX27P0nTkKI,3008
+vsc/gen/params.py,sha256=tvsjbMUoQsiJNN_hTlkyvj3c1m2FEr_vwBVjd18HYzM,8366
+vsc/gen/preview.py,sha256=hv42i8EtLaagQX8a_h6cgM_ODvUMxnH8bQGSRYgHKmY,3327
+vsc/output/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+vsc/output/errors.py,sha256=Lt_E8nzpqiEl0T8hpB9-_-XnWHOGa2AZ-OPrTshwYXs,3613
+vsc/output/exit_codes.py,sha256=AlTZzYcMm8K9ggId9yOf94nEynhUwz9SHxwoFr84vyI,972
+vsc/output/render.py,sha256=CipvUYI16b9bvYhxGAJqX76yP63dz2w1IB5FP08duJI,4339
+vsc/skill/__init__.py,sha256=ZT3uXUjY8ur2ec5VepFMYvr3xPIRbuXmzFK7mtc0qPQ,54
+vsc/skill/export.py,sha256=31a-RV-NKnTf9YP8LpOxAhigvIO-yhv0I_8Gg5L6R9g,802
+vsc/skill/assets/SKILL.md,sha256=ymao_n-qEMUA092YSFfetnZ5reap39eKOm3DoeVcEek,4229
+vcf_super_cli-0.2.0.dist-info/METADATA,sha256=SMW5dXoWx7IPkXPJA6rQw3jY-j9__XFF1GO4AMWjcNU,4120
+vcf_super_cli-0.2.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+vcf_super_cli-0.2.0.dist-info/entry_points.txt,sha256=YucZbal8BS_ujDQOeEdqy0mU5naS71A_H-QnxiLR-c0,74
+vcf_super_cli-0.2.0.dist-info/licenses/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358
+vcf_super_cli-0.2.0.dist-info/RECORD,,

vcf_super_cli-0.2.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

vcf_super_cli-0.2.0.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+vcf-super-cli = vsc.cli.app:main
+vsc = vsc.cli.app:main

vcf_super_cli-0.2.0.dist-info/licenses/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vsc/__init__.py

@@ -0,0 +1,11 @@
+"""vcf-super-cli (`vsc`) — a modern CLI for VMware Cloud Foundation 9.
+
+The command tree is generated dynamically by introspecting the ``vcf-sdk`` vAPI
+bindings. See ``docs/superpowers/specs`` for the design.
+"""
+
+from __future__ import annotations
+
+from vsc._version import __version__
+
+__all__ = ["__version__"]

vsc/_version.py

@@ -0,0 +1,7 @@
+"""Single source of truth for the package version.
+
+`release.yml` validates the git tag against this value before publishing.
+Keep this in sync with `[project].version` in `pyproject.toml`.
+"""
+
+__version__ = "0.2.0"

vsc/cli/app.py

@@ -0,0 +1,98 @@
+"""Entry point: assemble and run the ``vsc`` Typer application.
+
+The ``vsphere`` and ``nsx`` groups are generated at startup by introspecting the
+installed ``vcf-sdk`` vAPI bindings (``vsc.gen``). Generation is offline, so
+``--version`` and ``--help`` work without a server or credentials.
+"""
+
+from __future__ import annotations
+
+import typer
+
+from vsc import __version__
+from vsc.cli.profiles import profiles_app
+from vsc.cli.skill import skill_app
+from vsc.connect.targets import connect_for_backend, set_active_profile
+from vsc.gen.builder import build_group
+from vsc.gen.discover import (
+    discover_operations,
+    nsx_services,
+    vsphere_services,
+)
+from vsc.logging_config import configure_logging
+
+
+def _build_app() -> typer.Typer:
+    configure_logging()
+    app = typer.Typer(
+        name="vsc",
+        help="CLI for VMware Cloud Foundation 9 (vSphere + NSX), generated from the vcf-sdk.",
+        no_args_is_help=True,
+        add_completion=True,
+    )
+
+    # Reads and writes are both mounted; write commands are dry-run by default and
+    # require --apply to execute (see vsc.gen.builder), so exposing them is safe.
+    vsphere_ops = [
+        op
+        for cls in vsphere_services()
+        for op in discover_operations(cls, "vsphere", read_only=False)
+    ]
+    nsx_ops = [
+        op for cls in nsx_services() for op in discover_operations(cls, "nsx", read_only=False)
+    ]
+
+    app.add_typer(
+        build_group(vsphere_ops, connect_for_backend),
+        name="vsphere",
+        help="vSphere / vCenter commands (generated from vmware-vcenter).",
+        no_args_is_help=True,
+    )
+    app.add_typer(
+        build_group(nsx_ops, connect_for_backend),
+        name="nsx",
+        help="NSX Policy commands (generated from vcf-nsx).",
+        no_args_is_help=True,
+    )
+    app.add_typer(profiles_app, name="profiles")
+    app.add_typer(skill_app, name="skill")
+
+    @app.callback()
+    def main_callback(
+        profile: str | None = typer.Option(
+            None,
+            "--profile",
+            "-p",
+            help="Named profile to use (overrides VSC_PROFILE and the config default).",
+        ),
+        _version: bool = typer.Option(
+            False,
+            "--version",
+            "-V",
+            help="Show the vsc version and exit.",
+            callback=_version_callback,
+            is_eager=True,
+        ),
+    ) -> None:
+        """Global options for ``vsc``."""
+        set_active_profile(profile)
+
+    return app
+
+
+def _version_callback(value: bool) -> None:
+    if value:
+        typer.echo(__version__)
+        raise typer.Exit()
+
+
+app = _build_app()
+
+
+def main() -> None:
+    """Console-script entry point."""
+    app()
+
+
+if __name__ == "__main__":
+    main()

vsc/cli/profiles.py

@@ -0,0 +1,208 @@
+"""Curated (non-generated) commands for managing named profiles."""
+
+from __future__ import annotations
+
+import typer
+
+from vsc.config.schema import BACKENDS, BackendCreds, Config, Profile
+from vsc.config.store import (
+    ConfigError,
+    keyring_delete,
+    keyring_set,
+    load_config,
+    save_config,
+)
+from vsc.output.exit_codes import ExitCode
+from vsc.output.render import to_json
+
+profiles_app = typer.Typer(no_args_is_help=True, help="Manage named connection profiles.")
+
+
+def _print(data: object) -> None:
+    print(to_json(data))
+
+
+def _load() -> Config:
+    """Load config, turning a malformed file into a clean CONFIG exit."""
+    try:
+        return load_config()
+    except ConfigError as exc:
+        typer.echo(str(exc), err=True)
+        raise typer.Exit(int(ExitCode.CONFIG)) from exc
+
+
+def _store_password(profile: str, backend: str, password: str, store_in_file: bool) -> str | None:
+    """Persist a password. Returns the value to keep in the file (None if keyring)."""
+    if store_in_file:
+        return password
+    if keyring_set(profile, backend, password):
+        return None
+    typer.echo(
+        f"No usable OS keyring backend; re-run with --store-in-file to save the "
+        f"{backend} password in the config file (mode 0600).",
+        err=True,
+    )
+    raise typer.Exit(int(ExitCode.CONFIG))
+
+
+def _make_creds(
+    backend: str,
+    server: str | None,
+    username: str | None,
+    password: str | None,
+    insecure: bool,
+    store_in_file: bool,
+) -> tuple[BackendCreds | None, tuple[str, str] | None]:
+    """Build creds and, separately, any (backend, password) keyring write to defer.
+
+    Keyring writes are returned rather than performed so the caller can persist
+    them only after the config is saved (avoiding an orphaned keyring entry if a
+    later backend fails).
+    """
+    if not server and not username and not password:
+        return None, None
+    if not server or not username:
+        typer.echo(
+            f"{backend}: both --{backend}-server and --{backend}-username are required.", err=True
+        )
+        raise typer.Exit(int(ExitCode.USAGE))
+    if password and store_in_file:
+        return BackendCreds(
+            server=server, username=username, password=password, insecure=insecure
+        ), None
+    pending = (backend, password) if password else None
+    return BackendCreds(server=server, username=username, password=None, insecure=insecure), pending
+
+
+@profiles_app.command("add")
+def add(
+    name: str = typer.Argument(..., help="Profile name."),
+    vsphere_server: str | None = typer.Option(None, "--vsphere-server"),
+    vsphere_username: str | None = typer.Option(None, "--vsphere-username"),
+    vsphere_password: str | None = typer.Option(None, "--vsphere-password", hide_input=True),
+    vsphere_insecure: bool = typer.Option(False, "--vsphere-insecure/--vsphere-verify"),
+    nsx_server: str | None = typer.Option(None, "--nsx-server"),
+    nsx_username: str | None = typer.Option(None, "--nsx-username"),
+    nsx_password: str | None = typer.Option(None, "--nsx-password", hide_input=True),
+    nsx_insecure: bool = typer.Option(False, "--nsx-insecure/--nsx-verify"),
+    store_in_file: bool = typer.Option(
+        False, "--store-in-file", help="Store passwords in the config file instead of the keyring."
+    ),
+    use: bool = typer.Option(False, "--use/--no-use", help="Make this the current profile."),
+) -> None:
+    """Create or update a profile (passwords go to the OS keyring by default)."""
+    config = _load()
+    vsphere_creds, vsphere_pending = _make_creds(
+        "vsphere",
+        vsphere_server,
+        vsphere_username,
+        vsphere_password,
+        vsphere_insecure,
+        store_in_file,
+    )
+    nsx_creds, nsx_pending = _make_creds(
+        "nsx", nsx_server, nsx_username, nsx_password, nsx_insecure, store_in_file
+    )
+    config.profiles[name] = Profile(vsphere=vsphere_creds, nsx=nsx_creds)
+    if use or config.current_profile is None:
+        config.current_profile = name
+    path = save_config(config)
+
+    # Store keyring passwords only after the config is safely written.
+    pending = [p for p in (vsphere_pending, nsx_pending) if p is not None]
+    failed = [backend for backend, password in pending if not keyring_set(name, backend, password)]
+    if failed:
+        typer.echo(
+            f"Saved profile {name!r}, but no usable keyring backend stored the "
+            f"{', '.join(failed)} password(s). Re-run `vsc profiles set-password "
+            f"{name} <backend> --store-in-file`.",
+            err=True,
+        )
+        raise typer.Exit(int(ExitCode.CONFIG))
+    _print({"saved": name, "current": config.current_profile, "path": str(path)})
+
+
+@profiles_app.command("list")
+def list_profiles() -> None:
+    """List configured profiles."""
+    config = _load()
+    _print(
+        {
+            "current": config.current_profile,
+            "profiles": sorted(config.profiles),
+        }
+    )
+
+
+@profiles_app.command("show")
+def show(name: str = typer.Argument(..., help="Profile name.")) -> None:
+    """Show a profile (passwords are never printed)."""
+    config = _load()
+    profile = config.profiles.get(name)
+    if profile is None:
+        typer.echo(f"No such profile: {name}", err=True)
+        raise typer.Exit(int(ExitCode.NOT_FOUND))
+    out: dict[str, object] = {"name": name, "current": config.current_profile == name}
+    for backend in BACKENDS:
+        creds = profile.backend(backend)
+        if creds is not None:
+            out[backend] = {
+                "server": creds.server,
+                "username": creds.username,
+                "password": "set-in-file" if creds.password else "keyring-or-env",
+                "insecure": creds.insecure,
+            }
+    _print(out)
+
+
+@profiles_app.command("use")
+def use(name: str = typer.Argument(..., help="Profile name.")) -> None:
+    """Set the current (default) profile."""
+    config = _load()
+    if name not in config.profiles:
+        typer.echo(f"No such profile: {name}", err=True)
+        raise typer.Exit(int(ExitCode.NOT_FOUND))
+    config.current_profile = name
+    save_config(config)
+    _print({"current": name})
+
+
+@profiles_app.command("delete")
+def delete(name: str = typer.Argument(..., help="Profile name.")) -> None:
+    """Delete a profile and its keyring entries."""
+    config = _load()
+    if name not in config.profiles:
+        typer.echo(f"No such profile: {name}", err=True)
+        raise typer.Exit(int(ExitCode.NOT_FOUND))
+    del config.profiles[name]
+    for backend in BACKENDS:
+        keyring_delete(name, backend)
+    if config.current_profile == name:
+        config.current_profile = next(iter(config.profiles), None)
+    save_config(config)
+    _print({"deleted": name, "current": config.current_profile})
+
+
+@profiles_app.command("set-password")
+def set_password(
+    name: str = typer.Argument(..., help="Profile name."),
+    backend: str = typer.Argument(..., help="vsphere or nsx."),
+    password: str = typer.Option(..., "--password", prompt=True, hide_input=True),
+    store_in_file: bool = typer.Option(False, "--store-in-file"),
+) -> None:
+    """Set/replace the password for a profile backend."""
+    if backend not in BACKENDS:
+        typer.echo(f"backend must be one of {BACKENDS}", err=True)
+        raise typer.Exit(int(ExitCode.USAGE))
+    config = _load()
+    profile = config.profiles.get(name)
+    if profile is None or profile.backend(backend) is None:
+        typer.echo(f"No {backend} config in profile {name!r}", err=True)
+        raise typer.Exit(int(ExitCode.NOT_FOUND))
+    stored = _store_password(name, backend, password, store_in_file)
+    creds = profile.backend(backend)
+    assert creds is not None
+    creds.password = stored
+    config.profiles[name] = profile
+    save_config(config)
+    _print({"updated": name, "backend": backend, "in_file": stored is not None})