From e19e0446a5286c8105f7b77915fbb2013b34178e Mon Sep 17 00:00:00 2001
From: masnwilliams <43387599+masnwilliams@users.noreply.github.com>
Date: Wed, 3 Jun 2026 13:53:37 +0000
Subject: [PATCH 1/4] docs: document managed auth, credentials, and utility CLI
 commands

Add CLI reference for `kernel auth connections`, `kernel credentials`,
and `kernel credential-providers`, plus `kernel status`, `kernel upgrade`,
and `kernel completion` on the CLI index.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 reference/cli.mdx      |  22 ++++-
 reference/cli/auth.mdx | 211 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 232 insertions(+), 1 deletion(-)

diff --git a/reference/cli.mdx b/reference/cli.mdx
index edcb503..89daaa5 100644
--- a/reference/cli.mdx
+++ b/reference/cli.mdx
@@ -29,7 +29,7 @@ kernel --version
     Scaffold new Kernel apps from templates.
   </Card>
   <Card icon="key" title="Authentication" href="/reference/cli/auth">
-    Login, logout, and check auth status.
+    Login, manage managed auth connections, credentials, and providers.
   </Card>
   <Card icon="browsers" title="Browsers" href="/reference/cli/browsers">
     Create, view, and manage Kernel browsers.
@@ -91,6 +91,26 @@ kernel deploy index.ts -o json
 
 See individual command documentation for JSON output availability.
 
+## Utility Commands
+
+### `kernel status`
+Check the operational status of Kernel services.
+
+- `--output json`, `-o json` - Output raw JSON object.
+
+### `kernel upgrade`
+Upgrade the Kernel CLI to the latest version.
+
+- `--dry-run` - Show what would be executed without running it.
+
+### `kernel completion <shell>`
+Generate a shell autocompletion script (`bash`, `zsh`, `fish`, or `powershell`).
+
+```bash
+# Load completions for the current zsh session
+source <(kernel completion zsh)
+```
+
 <Info>
 Looking for the API? See the [API Reference](https://kernel.sh/docs/api-reference/invocations/invoke-an-action).
 </Info>
diff --git a/reference/cli/auth.mdx b/reference/cli/auth.mdx
index 23b2771..e79829d 100644
--- a/reference/cli/auth.mdx
+++ b/reference/cli/auth.mdx
@@ -24,6 +24,217 @@ export KERNEL_API_KEY=sk_1234abcd
 
 Create and manage API keys from the Kernel dashboard or with [`kernel api-keys`](/reference/cli/api-keys).
 
+## Managed auth connections
+A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See [Managed auth](/auth/overview) for concepts and the [programmatic flow](/auth/programmatic) for the SDK equivalent.
+
+### `kernel auth connections create`
+Create a managed auth connection for a profile and domain.
+
+| Flag | Description |
+|------|-------------|
+| `--profile-name <name>` | Name of the profile to manage (required). |
+| `--domain <domain>` | Target domain for authentication (required). |
+| `--allowed-domain <domain>` | Additional allowed domains (repeatable). |
+| `--login-url <url>` | Login page URL to skip discovery. |
+| `--health-check-interval <seconds>` | Seconds between health checks (300–86400). |
+| `--proxy-id <id>` | Proxy ID to use. |
+| `--proxy-name <name>` | Proxy name to use. |
+| `--credential-provider <name>` | External credential provider name. |
+| `--credential-name <name>` | Kernel credential name to use. |
+| `--credential-path <path>` | Provider-specific path (e.g. `VaultName/ItemName`). |
+| `--credential-auto` | Look up the credential by domain from the provider (defaults to true when `--credential-provider` is set without `--credential-path`). |
+| `--no-save-credentials` | Don't save credentials after a successful login. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections list`
+List managed auth connections.
+
+| Flag | Description |
+|------|-------------|
+| `--domain <domain>` | Filter by domain. |
+| `--profile-name <name>` | Filter by profile name. |
+| `--limit <n>` | Maximum number of results to return. |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel auth connections get <id>`
+Get a managed auth connection by ID.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections login <id>`
+Start a login flow and return a hosted URL for authentication.
+
+| Flag | Description |
+|------|-------------|
+| `--proxy-id <id>` | Proxy ID to use for this login. |
+| `--proxy-name <name>` | Proxy name to use for this login. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections submit <id>`
+Submit field values to an in-progress login flow. Poll the connection (or use `follow`) to track progress.
+
+| Flag | Description |
+|------|-------------|
+| `--field <name=value>` | Field name/value pair (repeatable). |
+| `--mfa-option-id <id>` | MFA option ID when an MFA method was selected. |
+| `--sign-in-option-id <id>` | Sign-in option ID when the flow returned non-MFA choices. |
+| `--sso-button-selector <xpath>` | XPath selector when choosing an SSO button. |
+| `--sso-provider <provider>` | SSO provider when choosing by provider (e.g. `google`, `github`). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+```bash
+# Submit username and password
+kernel auth connections submit <id> --field username=myuser --field password=mypass
+
+# Select an MFA option
+kernel auth connections submit <id> --mfa-option-id <id>
+```
+
+### `kernel auth connections follow <id>`
+Stream real-time login flow state updates over SSE.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON events. |
+
+### `kernel auth connections update <id>`
+Update connection settings such as login URL, health checks, credential source, and proxy.
+
+| Flag | Description |
+|------|-------------|
+| `--login-url <url>` | Login page URL (set to an empty string to clear). |
+| `--allowed-domain <domain>` | Additional allowed domains (replaces the existing list). |
+| `--health-check-interval <seconds>` | Seconds between health checks. |
+| `--proxy-id <id>` | Proxy ID to use. |
+| `--proxy-name <name>` | Proxy name to use. |
+| `--credential-provider <name>` | External credential provider name. |
+| `--credential-name <name>` | Kernel credential name to use. |
+| `--credential-path <path>` | Provider-specific path (e.g. `VaultName/ItemName`). |
+| `--credential-auto` | Look up the credential by domain from the provider. |
+| `--save-credentials` | Save credentials after a successful login. |
+| `--no-save-credentials` | Don't save credentials after a successful login. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections delete <id>`
+Delete a managed auth connection.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip the confirmation prompt. |
+
+## Credentials
+Store login field values, TOTP secrets, and SSO settings that managed auth connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
+
+### `kernel credentials create`
+Create a new credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Unique name for the credential (required). |
+| `--domain <domain>` | Target domain this credential is for (required). |
+| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
+| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials list`
+List credentials.
+
+| Flag | Description |
+|------|-------------|
+| `--domain <domain>` | Filter by domain. |
+| `--limit <n>` | Maximum number of results to return. |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credentials get <id-or-name>`
+Get a credential by ID or name.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials update <id-or-name>`
+Update a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New name for the credential. |
+| `--value <name=value>` | Field name/value pair to update (repeatable). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
+| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials totp-code <id-or-name>`
+Print the current TOTP code for a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials delete <id-or-name>`
+Delete a credential by ID or name.
+
+## Credential providers
+Connect an external secrets manager (e.g. 1Password) so managed auth connections can look up credentials at login time instead of storing them in Kernel.
+
+### `kernel credential-providers create`
+Register a new credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
+| `--name <name>` | Human-readable name for this provider instance. |
+| `--token <token>` | Service account token for the provider. |
+| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers list`
+List credential providers.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credential-providers get <id>`
+Get a credential provider by ID.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers list-items <id>`
+List items available from a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credential-providers test <id>`
+Test the connection to a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers update <id>`
+Update a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New human-readable name. |
+| `--token <token>` | New service account token (to rotate credentials). |
+| `--cache-ttl <seconds>` | How long to cache credential lists. |
+| `--enabled` | Whether the provider is enabled for credential lookups. |
+| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers delete <id>`
+Delete a credential provider.
+
 ## Global flags
 The following flags are available on every CLI command:
 

From 9761d9aeb8395f56adfd3f874d856c67a1c098bc Mon Sep 17 00:00:00 2001
From: masnwilliams <43387599+masnwilliams@users.noreply.github.com>
Date: Wed, 3 Jun 2026 13:59:18 +0000
Subject: [PATCH 2/4] docs: move managed auth CLI commands to their own page

Split managed auth connections, credentials, and credential-providers
out of the CLI Authentication page (which covers authenticating the CLI
itself) into a dedicated Managed Auth page, and add it to the nav.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 docs.json                      |   1 +
 reference/cli.mdx              |   5 +-
 reference/cli/auth.mdx         | 211 --------------------------------
 reference/cli/managed-auth.mdx | 216 +++++++++++++++++++++++++++++++++
 4 files changed, 221 insertions(+), 212 deletions(-)
 create mode 100644 reference/cli/managed-auth.mdx

diff --git a/docs.json b/docs.json
index 8e839d8..6c5c3ef 100644
--- a/docs.json
+++ b/docs.json
@@ -263,6 +263,7 @@
           "reference/cli",
           "reference/cli/create",
           "reference/cli/auth",
+          "reference/cli/managed-auth",
           "reference/cli/browsers",
           "reference/cli/apps",
           "reference/cli/projects",
diff --git a/reference/cli.mdx b/reference/cli.mdx
index 89daaa5..4ddb5c3 100644
--- a/reference/cli.mdx
+++ b/reference/cli.mdx
@@ -29,7 +29,10 @@ kernel --version
     Scaffold new Kernel apps from templates.
   </Card>
   <Card icon="key" title="Authentication" href="/reference/cli/auth">
-    Login, manage managed auth connections, credentials, and providers.
+    Login, logout, and check auth status.
+  </Card>
+  <Card icon="lock" title="Managed Auth" href="/reference/cli/managed-auth">
+    Manage auth connections, credentials, and credential providers.
   </Card>
   <Card icon="browsers" title="Browsers" href="/reference/cli/browsers">
     Create, view, and manage Kernel browsers.
diff --git a/reference/cli/auth.mdx b/reference/cli/auth.mdx
index e79829d..23b2771 100644
--- a/reference/cli/auth.mdx
+++ b/reference/cli/auth.mdx
@@ -24,217 +24,6 @@ export KERNEL_API_KEY=sk_1234abcd
 
 Create and manage API keys from the Kernel dashboard or with [`kernel api-keys`](/reference/cli/api-keys).
 
-## Managed auth connections
-A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See [Managed auth](/auth/overview) for concepts and the [programmatic flow](/auth/programmatic) for the SDK equivalent.
-
-### `kernel auth connections create`
-Create a managed auth connection for a profile and domain.
-
-| Flag | Description |
-|------|-------------|
-| `--profile-name <name>` | Name of the profile to manage (required). |
-| `--domain <domain>` | Target domain for authentication (required). |
-| `--allowed-domain <domain>` | Additional allowed domains (repeatable). |
-| `--login-url <url>` | Login page URL to skip discovery. |
-| `--health-check-interval <seconds>` | Seconds between health checks (300–86400). |
-| `--proxy-id <id>` | Proxy ID to use. |
-| `--proxy-name <name>` | Proxy name to use. |
-| `--credential-provider <name>` | External credential provider name. |
-| `--credential-name <name>` | Kernel credential name to use. |
-| `--credential-path <path>` | Provider-specific path (e.g. `VaultName/ItemName`). |
-| `--credential-auto` | Look up the credential by domain from the provider (defaults to true when `--credential-provider` is set without `--credential-path`). |
-| `--no-save-credentials` | Don't save credentials after a successful login. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel auth connections list`
-List managed auth connections.
-
-| Flag | Description |
-|------|-------------|
-| `--domain <domain>` | Filter by domain. |
-| `--profile-name <name>` | Filter by profile name. |
-| `--limit <n>` | Maximum number of results to return. |
-| `--offset <n>` | Number of results to skip. |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel auth connections get <id>`
-Get a managed auth connection by ID.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel auth connections login <id>`
-Start a login flow and return a hosted URL for authentication.
-
-| Flag | Description |
-|------|-------------|
-| `--proxy-id <id>` | Proxy ID to use for this login. |
-| `--proxy-name <name>` | Proxy name to use for this login. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel auth connections submit <id>`
-Submit field values to an in-progress login flow. Poll the connection (or use `follow`) to track progress.
-
-| Flag | Description |
-|------|-------------|
-| `--field <name=value>` | Field name/value pair (repeatable). |
-| `--mfa-option-id <id>` | MFA option ID when an MFA method was selected. |
-| `--sign-in-option-id <id>` | Sign-in option ID when the flow returned non-MFA choices. |
-| `--sso-button-selector <xpath>` | XPath selector when choosing an SSO button. |
-| `--sso-provider <provider>` | SSO provider when choosing by provider (e.g. `google`, `github`). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-```bash
-# Submit username and password
-kernel auth connections submit <id> --field username=myuser --field password=mypass
-
-# Select an MFA option
-kernel auth connections submit <id> --mfa-option-id <id>
-```
-
-### `kernel auth connections follow <id>`
-Stream real-time login flow state updates over SSE.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON events. |
-
-### `kernel auth connections update <id>`
-Update connection settings such as login URL, health checks, credential source, and proxy.
-
-| Flag | Description |
-|------|-------------|
-| `--login-url <url>` | Login page URL (set to an empty string to clear). |
-| `--allowed-domain <domain>` | Additional allowed domains (replaces the existing list). |
-| `--health-check-interval <seconds>` | Seconds between health checks. |
-| `--proxy-id <id>` | Proxy ID to use. |
-| `--proxy-name <name>` | Proxy name to use. |
-| `--credential-provider <name>` | External credential provider name. |
-| `--credential-name <name>` | Kernel credential name to use. |
-| `--credential-path <path>` | Provider-specific path (e.g. `VaultName/ItemName`). |
-| `--credential-auto` | Look up the credential by domain from the provider. |
-| `--save-credentials` | Save credentials after a successful login. |
-| `--no-save-credentials` | Don't save credentials after a successful login. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel auth connections delete <id>`
-Delete a managed auth connection.
-
-| Flag | Description |
-|------|-------------|
-| `--yes`, `-y` | Skip the confirmation prompt. |
-
-## Credentials
-Store login field values, TOTP secrets, and SSO settings that managed auth connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
-
-### `kernel credentials create`
-Create a new credential.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Unique name for the credential (required). |
-| `--domain <domain>` | Target domain this credential is for (required). |
-| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
-| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
-| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials list`
-List credentials.
-
-| Flag | Description |
-|------|-------------|
-| `--domain <domain>` | Filter by domain. |
-| `--limit <n>` | Maximum number of results to return. |
-| `--offset <n>` | Number of results to skip. |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel credentials get <id-or-name>`
-Get a credential by ID or name.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials update <id-or-name>`
-Update a credential.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | New name for the credential. |
-| `--value <name=value>` | Field name/value pair to update (repeatable). |
-| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
-| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials totp-code <id-or-name>`
-Print the current TOTP code for a credential.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials delete <id-or-name>`
-Delete a credential by ID or name.
-
-## Credential providers
-Connect an external secrets manager (e.g. 1Password) so managed auth connections can look up credentials at login time instead of storing them in Kernel.
-
-### `kernel credential-providers create`
-Register a new credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
-| `--name <name>` | Human-readable name for this provider instance. |
-| `--token <token>` | Service account token for the provider. |
-| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers list`
-List credential providers.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel credential-providers get <id>`
-Get a credential provider by ID.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers list-items <id>`
-List items available from a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel credential-providers test <id>`
-Test the connection to a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers update <id>`
-Update a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | New human-readable name. |
-| `--token <token>` | New service account token (to rotate credentials). |
-| `--cache-ttl <seconds>` | How long to cache credential lists. |
-| `--enabled` | Whether the provider is enabled for credential lookups. |
-| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers delete <id>`
-Delete a credential provider.
-
 ## Global flags
 The following flags are available on every CLI command:
 
diff --git a/reference/cli/managed-auth.mdx b/reference/cli/managed-auth.mdx
new file mode 100644
index 0000000..224b1fd
--- /dev/null
+++ b/reference/cli/managed-auth.mdx
@@ -0,0 +1,216 @@
+---
+title: "Managed Auth"
+---
+
+Manage [managed auth](/auth/overview) connections, stored credentials, and external credential providers from the CLI. For authenticating the CLI itself (login, logout, API keys), see [Authentication](/reference/cli/auth).
+
+## Connections
+A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See [Managed auth](/auth/overview) for concepts and the [programmatic flow](/auth/programmatic) for the SDK equivalent.
+
+### `kernel auth connections create`
+Create a managed auth connection for a profile and domain.
+
+| Flag | Description |
+|------|-------------|
+| `--profile-name <name>` | Name of the profile to manage (required). |
+| `--domain <domain>` | Target domain for authentication (required). |
+| `--allowed-domain <domain>` | Additional allowed domains (repeatable). |
+| `--login-url <url>` | Login page URL to skip discovery. |
+| `--health-check-interval <seconds>` | Seconds between health checks (300–86400). |
+| `--proxy-id <id>` | Proxy ID to use. |
+| `--proxy-name <name>` | Proxy name to use. |
+| `--credential-provider <name>` | External credential provider name. |
+| `--credential-name <name>` | Kernel credential name to use. |
+| `--credential-path <path>` | Provider-specific path (e.g. `VaultName/ItemName`). |
+| `--credential-auto` | Look up the credential by domain from the provider (defaults to true when `--credential-provider` is set without `--credential-path`). |
+| `--no-save-credentials` | Don't save credentials after a successful login. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections list`
+List managed auth connections.
+
+| Flag | Description |
+|------|-------------|
+| `--domain <domain>` | Filter by domain. |
+| `--profile-name <name>` | Filter by profile name. |
+| `--limit <n>` | Maximum number of results to return. |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel auth connections get <id>`
+Get a managed auth connection by ID.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections login <id>`
+Start a login flow and return a hosted URL for authentication.
+
+| Flag | Description |
+|------|-------------|
+| `--proxy-id <id>` | Proxy ID to use for this login. |
+| `--proxy-name <name>` | Proxy name to use for this login. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections submit <id>`
+Submit field values to an in-progress login flow. Poll the connection (or use `follow`) to track progress.
+
+| Flag | Description |
+|------|-------------|
+| `--field <name=value>` | Field name/value pair (repeatable). |
+| `--mfa-option-id <id>` | MFA option ID when an MFA method was selected. |
+| `--sign-in-option-id <id>` | Sign-in option ID when the flow returned non-MFA choices. |
+| `--sso-button-selector <xpath>` | XPath selector when choosing an SSO button. |
+| `--sso-provider <provider>` | SSO provider when choosing by provider (e.g. `google`, `github`). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+```bash
+# Submit username and password
+kernel auth connections submit <id> --field username=myuser --field password=mypass
+
+# Select an MFA option
+kernel auth connections submit <id> --mfa-option-id <id>
+```
+
+### `kernel auth connections follow <id>`
+Stream real-time login flow state updates over SSE.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON events. |
+
+### `kernel auth connections update <id>`
+Update connection settings such as login URL, health checks, credential source, and proxy.
+
+| Flag | Description |
+|------|-------------|
+| `--login-url <url>` | Login page URL (set to an empty string to clear). |
+| `--allowed-domain <domain>` | Additional allowed domains (replaces the existing list). |
+| `--health-check-interval <seconds>` | Seconds between health checks. |
+| `--proxy-id <id>` | Proxy ID to use. |
+| `--proxy-name <name>` | Proxy name to use. |
+| `--credential-provider <name>` | External credential provider name. |
+| `--credential-name <name>` | Kernel credential name to use. |
+| `--credential-path <path>` | Provider-specific path (e.g. `VaultName/ItemName`). |
+| `--credential-auto` | Look up the credential by domain from the provider. |
+| `--save-credentials` | Save credentials after a successful login. |
+| `--no-save-credentials` | Don't save credentials after a successful login. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel auth connections delete <id>`
+Delete a managed auth connection.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip the confirmation prompt. |
+
+## Credentials
+Store login field values, TOTP secrets, and SSO settings that managed auth connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
+
+### `kernel credentials create`
+Create a new credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Unique name for the credential (required). |
+| `--domain <domain>` | Target domain this credential is for (required). |
+| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
+| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials list`
+List credentials.
+
+| Flag | Description |
+|------|-------------|
+| `--domain <domain>` | Filter by domain. |
+| `--limit <n>` | Maximum number of results to return. |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credentials get <id-or-name>`
+Get a credential by ID or name.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials update <id-or-name>`
+Update a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New name for the credential. |
+| `--value <name=value>` | Field name/value pair to update (repeatable). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
+| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials totp-code <id-or-name>`
+Print the current TOTP code for a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials delete <id-or-name>`
+Delete a credential by ID or name.
+
+## Credential providers
+Connect an external secrets manager (e.g. 1Password) so managed auth connections can look up credentials at login time instead of storing them in Kernel.
+
+### `kernel credential-providers create`
+Register a new credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
+| `--name <name>` | Human-readable name for this provider instance. |
+| `--token <token>` | Service account token for the provider. |
+| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers list`
+List credential providers.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credential-providers get <id>`
+Get a credential provider by ID.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers list-items <id>`
+List items available from a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credential-providers test <id>`
+Test the connection to a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers update <id>`
+Update a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New human-readable name. |
+| `--token <token>` | New service account token (to rotate credentials). |
+| `--cache-ttl <seconds>` | How long to cache credential lists. |
+| `--enabled` | Whether the provider is enabled for credential lookups. |
+| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers delete <id>`
+Delete a credential provider.

From c5294b6675e9596b748b0bccd7a4e9f3af3367fb Mon Sep 17 00:00:00 2001
From: masnwilliams <43387599+masnwilliams@users.noreply.github.com>
Date: Wed, 3 Jun 2026 14:32:42 +0000
Subject: [PATCH 3/4] docs: reorganize CLI reference to mirror the OpenAPI tag
 structure

Split the consolidated browsers, apps, and managed-auth pages into one
page per API tag, grouped and ordered to match the OpenAPI spec
(browser controls, observability, resources & auth, deploy, org). Adds
previously undocumented commands surfaced by the split: browser
telemetry, curl, update, deploy github/get/delete, invoke
get/history/browsers/update, and app delete.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 docs.json                              |  71 +++-
 reference/cli.mdx                      |  27 +-
 reference/cli/apps.mdx                 |  52 +--
 reference/cli/browser-pools.mdx        |  68 ++++
 reference/cli/browsers-computer.mdx    |  75 ++++
 reference/cli/browsers-filesystem.mdx  | 103 +++++
 reference/cli/browsers-logs.mdx        |  17 +
 reference/cli/browsers-playwright.mdx  |  12 +
 reference/cli/browsers-processes.mdx   |  51 +++
 reference/cli/browsers-replays.mdx     |  31 ++
 reference/cli/browsers-telemetry.mdx   |  15 +
 reference/cli/browsers.mdx             | 511 ++-----------------------
 reference/cli/credential-providers.mdx |  59 +++
 reference/cli/credentials.mdx          |  55 +++
 reference/cli/deployments.mdx          |  59 +++
 reference/cli/extensions.mdx           |   6 +
 reference/cli/invocations.mdx          |  57 +++
 reference/cli/managed-auth.mdx         | 131 +------
 reference/cli/profiles.mdx             |  42 ++
 reference/cli/proxies.mdx              |  55 +++
 20 files changed, 835 insertions(+), 662 deletions(-)
 create mode 100644 reference/cli/browser-pools.mdx
 create mode 100644 reference/cli/browsers-computer.mdx
 create mode 100644 reference/cli/browsers-filesystem.mdx
 create mode 100644 reference/cli/browsers-logs.mdx
 create mode 100644 reference/cli/browsers-playwright.mdx
 create mode 100644 reference/cli/browsers-processes.mdx
 create mode 100644 reference/cli/browsers-replays.mdx
 create mode 100644 reference/cli/browsers-telemetry.mdx
 create mode 100644 reference/cli/credential-providers.mdx
 create mode 100644 reference/cli/credentials.mdx
 create mode 100644 reference/cli/deployments.mdx
 create mode 100644 reference/cli/invocations.mdx
 create mode 100644 reference/cli/profiles.mdx
 create mode 100644 reference/cli/proxies.mdx

diff --git a/docs.json b/docs.json
index 6c5c3ef..d391df4 100644
--- a/docs.json
+++ b/docs.json
@@ -259,17 +259,66 @@
       },
       {
         "tab": "CLI",
-        "pages": [
-          "reference/cli",
-          "reference/cli/create",
-          "reference/cli/auth",
-          "reference/cli/managed-auth",
-          "reference/cli/browsers",
-          "reference/cli/apps",
-          "reference/cli/projects",
-          "reference/cli/api-keys",
-          "reference/cli/mcp",
-          "reference/cli/extensions"
+        "groups": [
+          {
+            "group": "Get Started",
+            "pages": [
+              "reference/cli",
+              "reference/cli/create",
+              "reference/cli/auth",
+              "reference/cli/mcp"
+            ]
+          },
+          {
+            "group": "Browsers",
+            "pages": [
+              "reference/cli/browsers"
+            ]
+          },
+          {
+            "group": "Control the Browser",
+            "pages": [
+              "reference/cli/browsers-computer",
+              "reference/cli/browsers-playwright",
+              "reference/cli/browsers-filesystem",
+              "reference/cli/browsers-processes"
+            ]
+          },
+          {
+            "group": "Observe the Browser",
+            "pages": [
+              "reference/cli/browsers-replays",
+              "reference/cli/browsers-logs",
+              "reference/cli/browsers-telemetry"
+            ]
+          },
+          {
+            "group": "Configure Resources & Auth",
+            "pages": [
+              "reference/cli/profiles",
+              "reference/cli/proxies",
+              "reference/cli/extensions",
+              "reference/cli/browser-pools",
+              "reference/cli/managed-auth",
+              "reference/cli/credentials",
+              "reference/cli/credential-providers"
+            ]
+          },
+          {
+            "group": "Deploy Your Agent",
+            "pages": [
+              "reference/cli/apps",
+              "reference/cli/deployments",
+              "reference/cli/invocations"
+            ]
+          },
+          {
+            "group": "Organization",
+            "pages": [
+              "reference/cli/projects",
+              "reference/cli/api-keys"
+            ]
+          }
         ]
       },
       {
diff --git a/reference/cli.mdx b/reference/cli.mdx
index 4ddb5c3..4f175f4 100644
--- a/reference/cli.mdx
+++ b/reference/cli.mdx
@@ -24,33 +24,32 @@ which kernel
 kernel --version
 ```
 
+This reference is organized to mirror the [API reference](https://kernel.sh/docs/api-reference): browser sessions, the controls to drive and observe them, the resources and auth they use, app deployment, and organization management.
+
 <Columns cols={2}>
   <Card icon="code" title="Create Kernel App" href="/reference/cli/create">
     Scaffold new Kernel apps from templates.
   </Card>
   <Card icon="key" title="Authentication" href="/reference/cli/auth">
-    Login, logout, and check auth status.
-  </Card>
-  <Card icon="lock" title="Managed Auth" href="/reference/cli/managed-auth">
-    Manage auth connections, credentials, and credential providers.
+    Login, logout, and check CLI auth status.
   </Card>
   <Card icon="browsers" title="Browsers" href="/reference/cli/browsers">
-    Create, view, and manage Kernel browsers.
+    Create, view, and manage browser sessions — plus computer controls, Playwright, filesystem, processes, replays, logs, and telemetry.
   </Card>
-  <Card icon="rocket" title="Apps" href="/reference/cli/apps">
-    Deploy apps, invoke actions, and stream logs.
+  <Card icon="lock" title="Managed Auth" href="/reference/cli/managed-auth">
+    Auth connections, credentials, and credential providers.
+  </Card>
+  <Card icon="gear" title="Resources" href="/reference/cli/profiles">
+    Profiles, proxies, extensions, and browser pools.
   </Card>
-  <Card icon="puzzle-piece" title="Extensions" href="/reference/cli/extensions">
-    Upload, download, and build browser extensions.
+  <Card icon="rocket" title="Deploy Your Agent" href="/reference/cli/deployments">
+    Apps, deployments, and invocations.
   </Card>
   <Card icon="code-fork" title="MCP" href="/reference/cli/mcp">
     Install Kernel MCP server configuration for AI tools.
   </Card>
-  <Card icon="folder-tree" title="Projects" href="/reference/cli/projects">
-    Manage projects and scope commands with `--project`.
-  </Card>
-  <Card icon="key" title="API Keys" href="/reference/cli/api-keys">
-    Create, list, rename, and delete API keys.
+  <Card icon="folder-tree" title="Organization" href="/reference/cli/projects">
+    Manage projects and API keys.
   </Card>
 </Columns>
 
diff --git a/reference/cli/apps.mdx b/reference/cli/apps.mdx
index 062fe02..db6aa5d 100644
--- a/reference/cli/apps.mdx
+++ b/reference/cli/apps.mdx
@@ -2,49 +2,7 @@
 title: "Apps"
 ---
 
-## `kernel deploy <file>`
-Deploy an app to Kernel from the current directory. The entrypoint file and dependency manifest must live in the project root.
-
-| Flag | Description |
-|------|-------------|
-| `--version <version>` | Use a specific version label (default: latest). |
-| `--force` | Overwrite an existing version with the same label. |
-| `--env <KEY=VALUE>`, `-e` | Set environment variables (repeatable). |
-| `--env-file <file>` | Load environment variables from a file (repeatable). |
-| `--output json`, `-o json` | Output JSONL (one JSON object per line for each deployment event). |
-
-<Info>`package.json` (JS/TS) or `pyproject.toml` (Python) must be present next to the entrypoint.</Info>
-
-## `kernel deploy logs <deployment_id>`
-Stream build and runtime logs for a deployment.
-
-| Flag | Description |
-|------|-------------|
-| `--follow`, `-f` | Continue streaming logs in real time. |
-| `--since <duration>`, `-s` | Fetch logs starting from a relative duration (e.g. `5m`, `1h`, `1h30m`) or timestamp (`2006-01-02T15:04`). |
-| `--with-timestamps`, `-t` | Prefix each line with an RFC3339 timestamp. |
-
-<Info>Log lines longer than 64 KiB are truncated. Emit bulky payloads to external storage and log references.</Info>
-
-## `kernel deploy history [app_name]`
-Show deployment history for all apps or a specific app.
-
-| Flag | Description |
-|------|-------------|
-| `--limit <n>` | Maximum number of deployments to return (default: 100, `0` = all). |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel invoke <app> <action>`
-Invoke an app action. By default the CLI returns immediately after the invocation is queued.
-
-| Flag | Description |
-|------|-------------|
-| `--version <version>`, `-v` | Target a specific app version (default: latest). |
-| `--payload <json>`, `-p` | Provide a JSON payload (stringified, max 64 KB). |
-| `--sync`, `-s` | Wait for completion (timeout after 60 s). |
-| `--output json`, `-o json` | Output JSONL (one JSON object per line for each invocation event). |
-
-<Info>Press `Ctrl+C` to cancel an in-flight invocation. The associated browser sessions are cleaned up automatically.</Info>
+List applications and versions. To deploy an app, see [Deployments](/reference/cli/deployments); to run one, see [Invocations](/reference/cli/invocations).
 
 ## `kernel app list`
 List deployed app versions.
@@ -63,6 +21,14 @@ Show deployment history for a specific app.
 | `--limit <n>` | Maximum number of deployments to return (default: 100, `0` = all). |
 | `--output json`, `-o json` | Output raw JSON array. |
 
+## `kernel app delete <app_name>`
+Delete an app and all of its deployments.
+
+| Flag | Description |
+|------|-------------|
+| `--version <version>` | Only delete deployments for this version (default: all versions). |
+| `--yes`, `-y` | Skip confirmation prompt. |
+
 ## `kernel logs <app_name>`
 Tail app logs.
 
diff --git a/reference/cli/browser-pools.mdx b/reference/cli/browser-pools.mdx
new file mode 100644
index 0000000..46dd64a
--- /dev/null
+++ b/reference/cli/browser-pools.mdx
@@ -0,0 +1,68 @@
+---
+title: "Browser Pools"
+---
+
+Create and manage browser pools for acquiring and releasing browsers. For more details, see [Browser Pools](/browsers/pools/overview).
+
+## `kernel browser-pools list`
+List all browser pools.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel browser-pools create [name]`
+Create a new browser pool.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Optional unique name for the pool. |
+| `--size <n>` | Number of browsers in the pool (required). |
+| `--fill-rate <n>` | Percentage of the pool to fill per minute. |
+| `--timeout <seconds>` | Idle timeout for browsers acquired from the pool. |
+| `--start-url <url>` | Initial page to open for new browsers. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browser-pools get <id-or-name>`
+Get pool details.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browser-pools update <id-or-name>`
+Update pool configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--size <n>` | Updated pool size. |
+| `--start-url <url>` | Initial page to open for new browsers. |
+| `--clear-start-url` | Clear the pool start URL. |
+| `--discard-all-idle` | Discard all idle browsers and refill. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browser-pools acquire <id-or-name>`
+Acquire a browser from the pool.
+
+| Flag | Description |
+|------|-------------|
+| `--timeout <seconds>` | Acquire timeout before returning 204. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browser-pools release <id-or-name>`
+Release a browser back to the pool.
+
+| Flag | Description |
+|------|-------------|
+| `--session-id <id>` | Browser session ID to release (required). |
+| `--reuse` | Reuse the browser instance (default: true). |
+
+## `kernel browser-pools delete <id-or-name>`
+Delete a pool.
+
+| Flag | Description |
+|------|-------------|
+| `--force` | Force delete even if browsers are leased. |
+
+## `kernel browser-pools flush <id-or-name>`
+Destroy all idle browsers in the pool.
diff --git a/reference/cli/browsers-computer.mdx b/reference/cli/browsers-computer.mdx
new file mode 100644
index 0000000..4f66294
--- /dev/null
+++ b/reference/cli/browsers-computer.mdx
@@ -0,0 +1,75 @@
+---
+title: "Browser Computer Controls"
+---
+
+Control mouse, keyboard, and screen on the browser instance.
+
+## `kernel browsers computer click-mouse <session-id>`
+Click the mouse at specific coordinates.
+
+| Flag | Description |
+|------|-------------|
+| `--x <coordinate>` | X coordinate (required). |
+| `--y <coordinate>` | Y coordinate (required). |
+| `--num-clicks <n>` | Number of clicks (default: 1). |
+| `--button <button>` | Mouse button (`left`, `right`, `middle`, `back`, `forward`). |
+| `--click-type <type>` | `down`, `up`, or `click` (default: `click`). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+## `kernel browsers computer move-mouse <session-id>`
+Move the mouse pointer.
+
+| Flag | Description |
+|------|-------------|
+| `--x <coordinate>` | X coordinate (required). |
+| `--y <coordinate>` | Y coordinate (required). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+## `kernel browsers computer screenshot <session-id>`
+Capture a screenshot.
+
+| Flag | Description |
+|------|-------------|
+| `--to <path>` | Output PNG path (required). |
+| `--x <coordinate>` | Region capture top-left X coordinate. |
+| `--y <coordinate>` | Region capture top-left Y coordinate. |
+| `--width <pixels>` | Region width. |
+| `--height <pixels>` | Region height. |
+
+## `kernel browsers computer type <session-id>`
+Type text into the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--text <text>` | Text to type (required). |
+| `--delay <ms>` | Delay between keystrokes in milliseconds. |
+
+## `kernel browsers computer press-key <session-id>`
+Press one or more keys.
+
+| Flag | Description |
+|------|-------------|
+| `--key <key>` | Key to press (repeatable). |
+| `--duration <ms>` | Duration to hold keys. |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+## `kernel browsers computer scroll <session-id>`
+Scroll the mouse wheel.
+
+| Flag | Description |
+|------|-------------|
+| `--x <coordinate>` | X coordinate (required). |
+| `--y <coordinate>` | Y coordinate (required). |
+| `--delta-x <pixels>` | Horizontal scroll amount (+right, -left). |
+| `--delta-y <pixels>` | Vertical scroll amount (+down, -up). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+## `kernel browsers computer drag-mouse <session-id>`
+Drag the mouse along a path.
+
+| Flag | Description |
+|------|-------------|
+| `--point <x,y>` | Points to drag through (repeatable). |
+| `--delay <ms>` | Delay before dragging starts. |
+| `--button <button>` | Mouse button (`left`, `middle`, `right`; default: `left`). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
diff --git a/reference/cli/browsers-filesystem.mdx b/reference/cli/browsers-filesystem.mdx
new file mode 100644
index 0000000..a92d48f
--- /dev/null
+++ b/reference/cli/browsers-filesystem.mdx
@@ -0,0 +1,103 @@
+---
+title: "Browser Filesystem"
+---
+
+Read, write, and manage files on the browser instance.
+
+## `kernel browsers fs new-directory <session-id>`
+Create a directory in the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path to create (required). |
+| `--mode <mode>` | Directory mode in octal. |
+
+## `kernel browsers fs delete-directory <session-id>`
+Delete a directory.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path to delete (required). |
+
+## `kernel browsers fs delete-file <session-id>`
+Delete a file.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute file path to delete (required). |
+
+## `kernel browsers fs download-dir-zip <session-id>`
+Download a directory as a zip archive.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path to download (required). |
+| `-o, --output <path>` | Output zip file path. |
+
+## `kernel browsers fs file-info <session-id>`
+Retrieve metadata for a file or directory.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute file or directory path (required). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browsers fs list-files <session-id>`
+List directory contents.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path (required). |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel browsers fs move <session-id>`
+Move or rename a file or directory.
+
+| Flag | Description |
+|------|-------------|
+| `--src <path>` | Absolute source path (required). |
+| `--dest <path>` | Absolute destination path (required). |
+
+## `kernel browsers fs read-file <session-id>`
+Read a file from the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute file path (required). |
+| `-o, --output <path>` | Output path for the downloaded file. |
+
+## `kernel browsers fs set-permissions <session-id>`
+Update file permissions or ownership.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute path (required). |
+| `--mode <mode>` | File mode bits (octal string). |
+| `--owner <user>` | New owner username or UID. |
+| `--group <group>` | New group name or GID. |
+
+## `kernel browsers fs upload <session-id>`
+Upload one or more files.
+
+| Flag | Description |
+|------|-------------|
+| `--file <local:remote>` | Local-to-remote file mapping (repeatable). |
+| `--dest-dir <path>` | Destination directory for uploads. |
+| `--paths <paths>` | Local file paths to upload. |
+
+## `kernel browsers fs upload-zip <session-id>`
+Upload a zip file and extract it.
+
+| Flag | Description |
+|------|-------------|
+| `--zip <path>` | Local zip file path (required). |
+| `--dest-dir <path>` | Directory to extract into (required). |
+
+## `kernel browsers fs write-file <session-id>`
+Write a local file to the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Destination absolute file path (required). |
+| `--mode <mode>` | File mode in octal. |
+| `--source <path>` | Local source file path (required). |
diff --git a/reference/cli/browsers-logs.mdx b/reference/cli/browsers-logs.mdx
new file mode 100644
index 0000000..a6f9e12
--- /dev/null
+++ b/reference/cli/browsers-logs.mdx
@@ -0,0 +1,17 @@
+---
+title: "Browser Logs"
+---
+
+Stream logs from the browser instance.
+
+## `kernel browsers logs stream <session-id>`
+Stream browser logs from the supervisor or a file path.
+
+| Flag | Description |
+|------|-------------|
+| `--source <source>` | `path` or `supervisor` (required). |
+| `--follow` | Continue streaming (default: true). |
+| `--path <path>` | File path when `--source=path`. |
+| `--supervisor-process <name>` | Supervisor process when `--source=supervisor` (e.g. `chromium`). |
+
+<Info>Log lines longer than 64 KiB are truncated.</Info>
diff --git a/reference/cli/browsers-playwright.mdx b/reference/cli/browsers-playwright.mdx
new file mode 100644
index 0000000..197a62b
--- /dev/null
+++ b/reference/cli/browsers-playwright.mdx
@@ -0,0 +1,12 @@
+---
+title: "Browser Playwright"
+---
+
+Execute Playwright code against the browser instance.
+
+## `kernel browsers playwright execute <session-id> [code]`
+Execute Playwright/TypeScript code against a running browser session.
+
+| Flag | Description |
+|------|-------------|
+| `--timeout <seconds>` | Maximum execution time for the snippet. |
diff --git a/reference/cli/browsers-processes.mdx b/reference/cli/browsers-processes.mdx
new file mode 100644
index 0000000..82ad348
--- /dev/null
+++ b/reference/cli/browsers-processes.mdx
@@ -0,0 +1,51 @@
+---
+title: "Browser Processes"
+---
+
+Execute and manage processes on the browser instance.
+
+## `kernel browsers process exec <session-id> [--] [command...]`
+Execute a command synchronously inside the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--command <cmd>` | Command to run; defaults to trailing args. |
+| `--args <args>` | Arguments for the command. |
+| `--cwd <path>` | Working directory. |
+| `--timeout <seconds>` | Execution timeout. |
+| `--as-user <user>` | Run as a specific user. |
+| `--as-root` | Run as root. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browsers process spawn <session-id> [--] [command...]`
+Execute a command asynchronously in the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--command <cmd>` | Command to run; defaults to trailing args. |
+| `--args <args>` | Arguments for the command. |
+| `--cwd <path>` | Working directory. |
+| `--timeout <seconds>` | Execution timeout. |
+| `--as-user <user>` | Run as a specific user. |
+| `--as-root` | Run as root. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browsers process kill <session-id> <process-id>`
+Send a signal to a process running in the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--signal <signal>` | Signal to send (`TERM`, `KILL`, `INT`, `HUP`; default: `TERM`). |
+
+## `kernel browsers process status <session-id> <process-id>`
+Check process status information.
+
+## `kernel browsers process stdin <session-id> <process-id>`
+Write base64-encoded data to a process stdin.
+
+| Flag | Description |
+|------|-------------|
+| `--data-b64 <data>` | Base64 payload to write (required). |
+
+## `kernel browsers process stdout-stream <session-id> <process-id>`
+Stream stdout and stderr from a process.
diff --git a/reference/cli/browsers-replays.mdx b/reference/cli/browsers-replays.mdx
new file mode 100644
index 0000000..a26b1e8
--- /dev/null
+++ b/reference/cli/browsers-replays.mdx
@@ -0,0 +1,31 @@
+---
+title: "Browser Replays"
+---
+
+Record and manage browser session video replays.
+
+## `kernel browsers replays list <session-id>`
+List replay recordings for a browser session.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel browsers replays start <session-id>`
+Start recording a replay.
+
+| Flag | Description |
+|------|-------------|
+| `--framerate <fps>` | Recording framerate in frames per second. |
+| `--max-duration <seconds>` | Maximum recording duration. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel browsers replays stop <session-id> <replay-id>`
+Stop an active replay recording.
+
+## `kernel browsers replays download <session-id> <replay-id>`
+Download a replay video.
+
+| Flag | Description |
+|------|-------------|
+| `-o, --output <path>` | Output path for the downloaded replay. |
diff --git a/reference/cli/browsers-telemetry.mdx b/reference/cli/browsers-telemetry.mdx
new file mode 100644
index 0000000..0e8c96e
--- /dev/null
+++ b/reference/cli/browsers-telemetry.mdx
@@ -0,0 +1,15 @@
+---
+title: "Browser Telemetry"
+---
+
+Stream live telemetry events from a browser session.
+
+## `kernel browsers telemetry stream <session-id>`
+Stream live telemetry events (API calls, console output, interactions, network, page, and system events) from a running browser session.
+
+| Flag | Description |
+|------|-------------|
+| `--categories <list>` | Filter by event category (`api`, `console`, `interaction`, `network`, `page`, `system`). `system` covers `monitor_*` and `cdp_*` events. |
+| `--types <list>` | Filter by event type (e.g. `network_response`, `console_error`). |
+| `--seq <n>` | Resume after sequence number N; replays events with `seq > N`. Default `-1` streams from now. |
+| `--output json`, `-o json` | Output newline-delimited JSON envelopes. |
diff --git a/reference/cli/browsers.mdx b/reference/cli/browsers.mdx
index 0b7586e..aac5df4 100644
--- a/reference/cli/browsers.mdx
+++ b/reference/cli/browsers.mdx
@@ -2,18 +2,18 @@
 title: "Browsers"
 ---
 
-## Browser sessions
+Create and manage browser sessions.
 
 <Info>Unless otherwise noted, `id` arguments refer to the browser session ID, not invocation IDs returned by Kernel commands.</Info>
 
-### `kernel browsers list`
+## `kernel browsers list`
 List all browser sessions.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON array. |
 
-### `kernel browsers create`
+## `kernel browsers create`
 Create a new browser session.
 
 | Flag | Description |
@@ -24,499 +24,64 @@ Create a new browser session.
 | `--start-url <url>` | Initial page to open on launch. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel browsers delete <session-id>`
-Delete a browser session. Use `-y` to skip confirmation.
-
-| Flag | Description |
-|------|-------------|
-| `--yes`, `-y` | Bypass the confirmation prompt. |
-
-### `kernel browsers view <session-id>`
-Return a live view URL for remote monitoring and control.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output JSON with `liveViewUrl` field. |
-
-### `kernel browsers get <session-id>`
+## `kernel browsers get <session-id>`
 Get detailed information about a browser session.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel browsers ssh <session-id>`
-Open an interactive SSH session to a browser VM. Requires [websocat](https://github.com/vi/websocat) to be installed locally.
-
-| Flag | Description |
-|------|-------------|
-| `-i, --identity <path>` | Path to SSH private key (generates ephemeral if not provided). |
-| `-L, --local-forward <spec>` | Local port forwarding (`localport:host:remoteport`). |
-| `-R, --remote-forward <spec>` | Remote port forwarding (`remoteport:host:localport`). |
-| `--setup-only` | Setup SSH on VM without connecting. |
-
-## Browser logs
-
-### `kernel browsers logs stream <session-id>`
-Stream browser logs from the supervisor or a file path.
-
-| Flag | Description |
-|------|-------------|
-| `--source <source>` | `path` or `supervisor` (required). |
-| `--follow` | Continue streaming (default: true). |
-| `--path <path>` | File path when `--source=path`. |
-| `--supervisor-process <name>` | Supervisor process when `--source=supervisor` (e.g. `chromium`). |
-
-<Info>Log lines longer than 64 KiB are truncated.</Info>
-
-## Replays
-
-### `kernel browsers replays list <session-id>`
-List replay recordings for a browser session.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel browsers replays start <session-id>`
-Start recording a replay.
-
-| Flag | Description |
-|------|-------------|
-| `--framerate <fps>` | Recording framerate in frames per second. |
-| `--max-duration <seconds>` | Maximum recording duration. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browsers replays stop <session-id> <replay-id>`
-Stop an active replay recording.
-
-### `kernel browsers replays download <session-id> <replay-id>`
-Download a replay video.
-
-| Flag | Description |
-|------|-------------|
-| `-o, --output <path>` | Output path for the downloaded replay. |
-
-## Process control
-
-### `kernel browsers process exec <session-id> [--] [command...]`
-Execute a command synchronously inside the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--command <cmd>` | Command to run; defaults to trailing args. |
-| `--args <args>` | Arguments for the command. |
-| `--cwd <path>` | Working directory. |
-| `--timeout <seconds>` | Execution timeout. |
-| `--as-user <user>` | Run as a specific user. |
-| `--as-root` | Run as root. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browsers process spawn <session-id> [--] [command...]`
-Execute a command asynchronously in the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--command <cmd>` | Command to run; defaults to trailing args. |
-| `--args <args>` | Arguments for the command. |
-| `--cwd <path>` | Working directory. |
-| `--timeout <seconds>` | Execution timeout. |
-| `--as-user <user>` | Run as a specific user. |
-| `--as-root` | Run as root. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browsers process kill <session-id> <process-id>`
-Send a signal to a process running in the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--signal <signal>` | Signal to send (`TERM`, `KILL`, `INT`, `HUP`; default: `TERM`). |
-
-### `kernel browsers process status <session-id> <process-id>`
-Check process status information.
-
-### `kernel browsers process stdin <session-id> <process-id>`
-Write base64-encoded data to a process stdin.
-
-| Flag | Description |
-|------|-------------|
-| `--data-b64 <data>` | Base64 payload to write (required). |
-
-### `kernel browsers process stdout-stream <session-id> <process-id>`
-Stream stdout and stderr from a process.
-
-## Filesystem
-
-### `kernel browsers fs new-directory <session-id>`
-Create a directory in the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path to create (required). |
-| `--mode <mode>` | Directory mode in octal. |
-
-### `kernel browsers fs delete-directory <session-id>`
-Delete a directory.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path to delete (required). |
-
-### `kernel browsers fs delete-file <session-id>`
-Delete a file.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute file path to delete (required). |
-
-### `kernel browsers fs download-dir-zip <session-id>`
-Download a directory as a zip archive.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path to download (required). |
-| `-o, --output <path>` | Output zip file path. |
-
-### `kernel browsers fs file-info <session-id>`
-Retrieve metadata for a file or directory.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute file or directory path (required). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browsers fs list-files <session-id>`
-List directory contents.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path (required). |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel browsers fs move <session-id>`
-Move or rename a file or directory.
-
-| Flag | Description |
-|------|-------------|
-| `--src <path>` | Absolute source path (required). |
-| `--dest <path>` | Absolute destination path (required). |
-
-### `kernel browsers fs read-file <session-id>`
-Read a file from the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute file path (required). |
-| `-o, --output <path>` | Output path for the downloaded file. |
-
-### `kernel browsers fs set-permissions <session-id>`
-Update file permissions or ownership.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute path (required). |
-| `--mode <mode>` | File mode bits (octal string). |
-| `--owner <user>` | New owner username or UID. |
-| `--group <group>` | New group name or GID. |
-
-### `kernel browsers fs upload <session-id>`
-Upload one or more files.
-
-| Flag | Description |
-|------|-------------|
-| `--file <local:remote>` | Local-to-remote file mapping (repeatable). |
-| `--dest-dir <path>` | Destination directory for uploads. |
-| `--paths <paths>` | Local file paths to upload. |
-
-### `kernel browsers fs upload-zip <session-id>`
-Upload a zip file and extract it.
-
-| Flag | Description |
-|------|-------------|
-| `--zip <path>` | Local zip file path (required). |
-| `--dest-dir <path>` | Directory to extract into (required). |
-
-### `kernel browsers fs write-file <session-id>`
-Write a local file to the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Destination absolute file path (required). |
-| `--mode <mode>` | File mode in octal. |
-| `--source <path>` | Local source file path (required). |
-
-## Computer controls
-
-### `kernel browsers computer click-mouse <session-id>`
-Click the mouse at specific coordinates.
-
-| Flag | Description |
-|------|-------------|
-| `--x <coordinate>` | X coordinate (required). |
-| `--y <coordinate>` | Y coordinate (required). |
-| `--num-clicks <n>` | Number of clicks (default: 1). |
-| `--button <button>` | Mouse button (`left`, `right`, `middle`, `back`, `forward`). |
-| `--click-type <type>` | `down`, `up`, or `click` (default: `click`). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-### `kernel browsers computer move-mouse <session-id>`
-Move the mouse pointer.
-
-| Flag | Description |
-|------|-------------|
-| `--x <coordinate>` | X coordinate (required). |
-| `--y <coordinate>` | Y coordinate (required). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-### `kernel browsers computer screenshot <session-id>`
-Capture a screenshot.
-
-| Flag | Description |
-|------|-------------|
-| `--to <path>` | Output PNG path (required). |
-| `--x <coordinate>` | Region capture top-left X coordinate. |
-| `--y <coordinate>` | Region capture top-left Y coordinate. |
-| `--width <pixels>` | Region width. |
-| `--height <pixels>` | Region height. |
-
-### `kernel browsers computer type <session-id>`
-Type text into the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--text <text>` | Text to type (required). |
-| `--delay <ms>` | Delay between keystrokes in milliseconds. |
-
-### `kernel browsers computer press-key <session-id>`
-Press one or more keys.
-
-| Flag | Description |
-|------|-------------|
-| `--key <key>` | Key to press (repeatable). |
-| `--duration <ms>` | Duration to hold keys. |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-### `kernel browsers computer scroll <session-id>`
-Scroll the mouse wheel.
-
-| Flag | Description |
-|------|-------------|
-| `--x <coordinate>` | X coordinate (required). |
-| `--y <coordinate>` | Y coordinate (required). |
-| `--delta-x <pixels>` | Horizontal scroll amount (+right, -left). |
-| `--delta-y <pixels>` | Vertical scroll amount (+down, -up). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-### `kernel browsers computer drag-mouse <session-id>`
-Drag the mouse along a path.
-
-| Flag | Description |
-|------|-------------|
-| `--point <x,y>` | Points to drag through (repeatable). |
-| `--delay <ms>` | Delay before dragging starts. |
-| `--button <button>` | Mouse button (`left`, `middle`, `right`; default: `left`). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-## Playwright
-
-### `kernel browsers playwright execute <session-id> [code]`
-Execute Playwright/TypeScript code against a running browser session.
-
-| Flag | Description |
-|------|-------------|
-| `--timeout <seconds>` | Maximum execution time for the snippet. |
-
-## Extension management
-
-### `kernel extensions list`
-List all uploaded extensions.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel extensions upload <directory>`
-Upload an unpacked extension directory.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Optional unique extension name. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel extensions download <id-or-name>`
-Download an extension archive.
-
-| Flag | Description |
-|------|-------------|
-| `--to <directory>` | Output directory (required). |
-
-### `kernel extensions download-web-store <url>`
-Download an extension from the Chrome Web Store.
-
-| Flag | Description |
-|------|-------------|
-| `--to <directory>` | Output directory (required). |
-| `--os <os>` | Target OS (`mac`, `win`, `linux`; default: `linux`). |
-
-### `kernel extensions delete <id-or-name>`
-Delete an uploaded extension.
-
-| Flag | Description |
-|------|-------------|
-| `--yes`, `-y` | Skip confirmation. |
-
-### `kernel browsers extensions upload <session-id> <extension-path>...`
-Upload one or more unpacked Chrome extensions directly into a running browser session.
-
-## Proxy management
-
-### `kernel proxies list`
-List available proxy configurations.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel proxies get <id>`
-Show details for a proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel proxies create`
-Create a new proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Proxy configuration name. |
-| `--type <type>` | `datacenter`, `isp`, `residential`, `mobile`, or `custom` (required). |
-| `--protocol <protocol>` | Protocol to use (`http` or `https`; default: `https`). |
-| `--country <code>` | ISO 3166 country code or `EU`. |
-| `--city <name>` | City (residential, mobile; requires `--country`). |
-| `--state <code>` | State/region code (residential, mobile). |
-| `--zip <zip>` | ZIP/postal code (residential, mobile). |
-| `--asn <asn>` | Autonomous system number (residential, mobile). |
-| `--os <os>` | Operating system (`windows`, `macos`, `android`; residential). |
-| `--carrier <carrier>` | Mobile carrier (mobile). |
-| `--host <host>` | Proxy host (custom; required). |
-| `--port <port>` | Proxy port (custom; required). |
-| `--username <username>` | Proxy username (custom). |
-| `--password <password>` | Proxy password (custom). |
-| `--bypass-host <hostname>` | Hostname to bypass proxy (repeatable; max 100). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel proxies delete <id>`
-Delete a proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--yes`, `-y` | Skip confirmation. |
-
-## Browser pools
-
-For more details on browser pools, see [Browser Pools](/browsers/pools/overview).
-
-### `kernel browser-pools list`
-List all browser pools.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel browser-pools create`
-Create a new browser pool.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Optional unique name for the pool. |
-| `--size <n>` | Number of browsers in the pool (required). |
-| `--fill-rate <n>` | Percentage of the pool to fill per minute. |
-| `--timeout <seconds>` | Idle timeout for browsers acquired from the pool. |
-| `--start-url <url>` | Initial page to open for new browsers. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browser-pools get <id-or-name>`
-Get pool details.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browser-pools update <id-or-name>`
-Update pool configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--size <n>` | Updated pool size. |
-| `--start-url <url>` | Initial page to open for new browsers. |
-| `--clear-start-url` | Clear the pool start URL. |
-| `--discard-all-idle` | Discard all idle browsers and refill. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel browser-pools acquire <id-or-name>`
-Acquire a browser from the pool.
+## `kernel browsers update <session-id>`
+Update a running browser session's profile, proxy, viewport, or telemetry settings.
 
 | Flag | Description |
 |------|-------------|
-| `--timeout <seconds>` | Acquire timeout before returning 204. |
+| `--profile-id <id>` | Profile ID to load (mutually exclusive with `--profile-name`). |
+| `--profile-name <name>` | Profile name to load (mutually exclusive with `--profile-id`). |
+| `--save-changes` | Save changes back to the profile when the session ends. |
+| `--proxy-id <id>` | Proxy ID to use for the session. |
+| `--clear-proxy` | Remove the proxy from the session. |
+| `--telemetry <spec>` | `all` to enable, `off` to disable, or per-category (e.g. `network=on,page=off`). |
+| `--force` | Force viewport resize even when a live view or replay is active. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel browser-pools release <id-or-name>`
-Release a browser back to the pool.
-
-| Flag | Description |
-|------|-------------|
-| `--session-id <id>` | Browser session ID to release (required). |
-| `--reuse` | Reuse the browser instance (default: true). |
-
-### `kernel browser-pools delete <id-or-name>`
-Delete a pool.
-
-| Flag | Description |
-|------|-------------|
-| `--force` | Force delete even if browsers are leased. |
-
-### `kernel browser-pools flush <id-or-name>`
-Destroy all idle browsers in the pool.
-
-## Profiles
-
-For more details on browser profiles, see [Profiles](/auth/profiles).
-
-### `kernel profiles list`
-List all browser profiles.
+## `kernel browsers view <session-id>`
+Return a live view URL for remote monitoring and control.
 
 | Flag | Description |
 |------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
+| `--output json`, `-o json` | Output JSON with `liveViewUrl` field. |
 
-### `kernel profiles get <id-or-name>`
-Get profile details.
+## `kernel browsers curl <session-id> <url>`
+Make an HTTP request from within a browser session (sharing its cookies and network context).
 
 | Flag | Description |
 |------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
+| `--request <method>`, `-X` | HTTP method (default: `GET`). |
+| `--header <Key: Value>`, `-H` | HTTP header (repeatable). |
+| `--data <body>`, `-d` | Request body. |
+| `--data-file <path>` | Read request body from a file. |
+| `--head`, `-I` | Fetch headers only. |
+| `--include`, `-i` | Include response headers in output. |
+| `--dump-header <file>`, `-D` | Write received headers to a file (`-` for stdout). |
+| `--output <file>`, `-o` | Write response body to a file. |
+| `--fail`, `-f` | Fail with no body output on HTTP errors. |
+| `--max-time <seconds>` | Maximum time allowed for the request (default: 30). |
+| `--silent`, `-s` | Suppress progress output. |
 
-### `kernel profiles create`
-Create a new browser profile.
+## `kernel browsers delete <session-id> [ids...]`
+Delete one or more browser sessions.
 
 | Flag | Description |
 |------|-------------|
-| `--name <name>` | Optional unique name for the profile. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel profiles download <id-or-name>`
-Download a profile as a ZIP archive.
-
-| Flag | Description |
-|------|-------------|
-| `--to <path>` | Output zip file path. Required. |
-| `--pretty` | Pretty-print JSON to file. |
+| `--yes`, `-y` | Bypass the confirmation prompt. |
 
-### `kernel profiles delete <id-or-name>`
-Delete a profile by ID or name.
+## `kernel browsers ssh <session-id>`
+Open an interactive SSH session to a browser VM. Requires [websocat](https://github.com/vi/websocat) to be installed locally.
 
 | Flag | Description |
 |------|-------------|
-| `--yes`, `-y` | Skip confirmation prompt. |
+| `-i, --identity <path>` | Path to SSH private key (generates ephemeral if not provided). |
+| `-L, --local-forward <spec>` | Local port forwarding (`localport:host:remoteport`). |
+| `-R, --remote-forward <spec>` | Remote port forwarding (`remoteport:host:localport`). |
+| `--setup-only` | Setup SSH on VM without connecting. |
diff --git a/reference/cli/credential-providers.mdx b/reference/cli/credential-providers.mdx
new file mode 100644
index 0000000..0415e0a
--- /dev/null
+++ b/reference/cli/credential-providers.mdx
@@ -0,0 +1,59 @@
+---
+title: "Credential Providers"
+---
+
+Configure external credential providers like 1Password so [managed auth](/reference/cli/managed-auth) connections can look up credentials at login time instead of storing them in Kernel.
+
+## `kernel credential-providers create`
+Register a new credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
+| `--name <name>` | Human-readable name for this provider instance. |
+| `--token <token>` | Service account token for the provider. |
+| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credential-providers list`
+List credential providers.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel credential-providers get <id>`
+Get a credential provider by ID.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credential-providers list-items <id>`
+List items available from a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel credential-providers test <id>`
+Test the connection to a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credential-providers update <id>`
+Update a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New human-readable name. |
+| `--token <token>` | New service account token (to rotate credentials). |
+| `--cache-ttl <seconds>` | How long to cache credential lists. |
+| `--enabled` | Whether the provider is enabled for credential lookups. |
+| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credential-providers delete <id>`
+Delete a credential provider.
diff --git a/reference/cli/credentials.mdx b/reference/cli/credentials.mdx
new file mode 100644
index 0000000..1bd26e4
--- /dev/null
+++ b/reference/cli/credentials.mdx
@@ -0,0 +1,55 @@
+---
+title: "Credentials"
+---
+
+Create and manage credentials for authentication. Credentials store login field values, TOTP secrets, and SSO settings that [managed auth](/reference/cli/managed-auth) connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
+
+## `kernel credentials create`
+Create a new credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Unique name for the credential (required). |
+| `--domain <domain>` | Target domain this credential is for (required). |
+| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
+| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credentials list`
+List credentials.
+
+| Flag | Description |
+|------|-------------|
+| `--domain <domain>` | Filter by domain. |
+| `--limit <n>` | Maximum number of results to return. |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel credentials get <id-or-name>`
+Get a credential by ID or name.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credentials update <id-or-name>`
+Update a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New name for the credential. |
+| `--value <name=value>` | Field name/value pair to update (repeatable). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
+| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credentials totp-code <id-or-name>`
+Print the current TOTP code for a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel credentials delete <id-or-name>`
+Delete a credential by ID or name.
diff --git a/reference/cli/deployments.mdx b/reference/cli/deployments.mdx
new file mode 100644
index 0000000..0e3c675
--- /dev/null
+++ b/reference/cli/deployments.mdx
@@ -0,0 +1,59 @@
+---
+title: "Deployments"
+---
+
+Create and manage app deployments and stream deployment events.
+
+## `kernel deploy <file>`
+Deploy an app to Kernel from the current directory. The entrypoint file and dependency manifest must live in the project root.
+
+| Flag | Description |
+|------|-------------|
+| `--version <version>` | Use a specific version label (default: latest). |
+| `--force` | Overwrite an existing version with the same label. |
+| `--env <KEY=VALUE>`, `-e` | Set environment variables (repeatable). |
+| `--env-file <file>` | Load environment variables from a file (repeatable). |
+| `--output json`, `-o json` | Output JSONL (one JSON object per line for each deployment event). |
+
+<Info>`package.json` (JS/TS) or `pyproject.toml` (Python) must be present next to the entrypoint.</Info>
+
+## `kernel deploy github`
+Deploy directly from a GitHub repository instead of the local directory.
+
+| Flag | Description |
+|------|-------------|
+| `--url <url>` | GitHub repository URL (e.g. `https://github.com/org/repo`). |
+| `--ref <ref>` | Git ref to deploy (branch, tag, or commit SHA). |
+| `--entrypoint <path>` | Entrypoint within the repo/path (e.g. `src/index.ts`). |
+| `--path <subdir>` | Optional subdirectory within the repo (e.g. `apps/api`). |
+| `--github-token <token>` | GitHub token for private repositories (PAT or installation access token). |
+| `--region <region>` | Deployment region (currently only `aws.us-east-1a`). |
+
+## `kernel deploy get <deployment_id>`
+Get a deployment.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel deploy logs <deployment_id>`
+Stream build and runtime logs for a deployment.
+
+| Flag | Description |
+|------|-------------|
+| `--follow`, `-f` | Continue streaming logs in real time. |
+| `--since <duration>`, `-s` | Fetch logs starting from a relative duration (e.g. `5m`, `1h`, `1h30m`) or timestamp (`2006-01-02T15:04`). |
+| `--with-timestamps`, `-t` | Prefix each line with an RFC3339 timestamp. |
+
+<Info>Log lines longer than 64 KiB are truncated. Emit bulky payloads to external storage and log references.</Info>
+
+## `kernel deploy history [app_name]`
+Show deployment history for all apps or a specific app.
+
+| Flag | Description |
+|------|-------------|
+| `--limit <n>` | Maximum number of deployments to return (default: 100, `0` = all). |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel deploy delete <deployment_id>`
+Delete a deployment.
diff --git a/reference/cli/extensions.mdx b/reference/cli/extensions.mdx
index 0456734..d00840d 100644
--- a/reference/cli/extensions.mdx
+++ b/reference/cli/extensions.mdx
@@ -129,3 +129,9 @@ kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --upload my-web-bot
 <Info>
 This command requires Node.js and npm to be installed on your system.
 </Info>
+
+## Adding extensions to a running session
+
+### `kernel browsers extensions upload <session-id> <extension-path>...`
+
+Upload one or more unpacked extensions directly into a running browser session and restart Chromium.
diff --git a/reference/cli/invocations.mdx b/reference/cli/invocations.mdx
new file mode 100644
index 0000000..6e569da
--- /dev/null
+++ b/reference/cli/invocations.mdx
@@ -0,0 +1,57 @@
+---
+title: "Invocations"
+---
+
+Invoke actions and stream or query invocation status and events.
+
+## `kernel invoke <app> <action>`
+Invoke an app action. By default the CLI returns immediately after the invocation is queued.
+
+| Flag | Description |
+|------|-------------|
+| `--version <version>`, `-v` | Target a specific app version (default: latest). |
+| `--payload <json>`, `-p` | Provide a JSON payload (stringified, max 64 KB). |
+| `--sync`, `-s` | Wait for completion (timeout after 60 s). |
+| `--output json`, `-o json` | Output JSONL (one JSON object per line for each invocation event). |
+
+<Info>Press `Ctrl+C` to cancel an in-flight invocation. The associated browser sessions are cleaned up automatically.</Info>
+
+## `kernel invoke history`
+Show invocation history.
+
+| Flag | Description |
+|------|-------------|
+| `--app <app_name>`, `-a` | Filter by app name. |
+| `--action <action>` | Filter by action name. |
+| `--version <version>` | Filter by invocation version. |
+| `--deployment-id <id>` | Filter by deployment ID. |
+| `--status <status>` | Filter by status (`queued`, `running`, `succeeded`, `failed`). |
+| `--since <time>` | Show invocations that started since the given time. |
+| `--limit <n>` | Maximum invocations to return (default: 100). |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel invoke get <invocation_id>`
+Get an invocation.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel invoke update <invocation_id>`
+Update an invocation's status and output.
+
+| Flag | Description |
+|------|-------------|
+| `--status <status>` | New invocation status (`succeeded` or `failed`). |
+| `--output <json>` | Updated invocation output rendered as a JSON string. |
+
+## `kernel invoke browsers <invocation_id>`
+List browser sessions for an invocation.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel invoke delete-browsers <invocation_id>`
+Delete the browser sessions for an invocation.
diff --git a/reference/cli/managed-auth.mdx b/reference/cli/managed-auth.mdx
index 224b1fd..39cb684 100644
--- a/reference/cli/managed-auth.mdx
+++ b/reference/cli/managed-auth.mdx
@@ -2,12 +2,11 @@
 title: "Managed Auth"
 ---
 
-Manage [managed auth](/auth/overview) connections, stored credentials, and external credential providers from the CLI. For authenticating the CLI itself (login, logout, API keys), see [Authentication](/reference/cli/auth).
+Create and manage [managed auth](/auth/overview) connections for automated credential capture and login. A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See the [programmatic flow](/auth/programmatic) for the SDK equivalent.
 
-## Connections
-A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See [Managed auth](/auth/overview) for concepts and the [programmatic flow](/auth/programmatic) for the SDK equivalent.
+For authenticating the CLI itself (login, logout, API keys), see [Authentication](/reference/cli/auth).
 
-### `kernel auth connections create`
+## `kernel auth connections create`
 Create a managed auth connection for a profile and domain.
 
 | Flag | Description |
@@ -26,7 +25,7 @@ Create a managed auth connection for a profile and domain.
 | `--no-save-credentials` | Don't save credentials after a successful login. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel auth connections list`
+## `kernel auth connections list`
 List managed auth connections.
 
 | Flag | Description |
@@ -37,14 +36,14 @@ List managed auth connections.
 | `--offset <n>` | Number of results to skip. |
 | `--output json`, `-o json` | Output raw JSON array. |
 
-### `kernel auth connections get <id>`
+## `kernel auth connections get <id>`
 Get a managed auth connection by ID.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel auth connections login <id>`
+## `kernel auth connections login <id>`
 Start a login flow and return a hosted URL for authentication.
 
 | Flag | Description |
@@ -53,7 +52,7 @@ Start a login flow and return a hosted URL for authentication.
 | `--proxy-name <name>` | Proxy name to use for this login. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel auth connections submit <id>`
+## `kernel auth connections submit <id>`
 Submit field values to an in-progress login flow. Poll the connection (or use `follow`) to track progress.
 
 | Flag | Description |
@@ -73,14 +72,14 @@ kernel auth connections submit <id> --field username=myuser --field password=myp
 kernel auth connections submit <id> --mfa-option-id <id>
 ```
 
-### `kernel auth connections follow <id>`
+## `kernel auth connections follow <id>`
 Stream real-time login flow state updates over SSE.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON events. |
 
-### `kernel auth connections update <id>`
+## `kernel auth connections update <id>`
 Update connection settings such as login URL, health checks, credential source, and proxy.
 
 | Flag | Description |
@@ -98,119 +97,9 @@ Update connection settings such as login URL, health checks, credential source,
 | `--no-save-credentials` | Don't save credentials after a successful login. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-### `kernel auth connections delete <id>`
+## `kernel auth connections delete <id>`
 Delete a managed auth connection.
 
 | Flag | Description |
 |------|-------------|
 | `--yes`, `-y` | Skip the confirmation prompt. |
-
-## Credentials
-Store login field values, TOTP secrets, and SSO settings that managed auth connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
-
-### `kernel credentials create`
-Create a new credential.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Unique name for the credential (required). |
-| `--domain <domain>` | Target domain this credential is for (required). |
-| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
-| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
-| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials list`
-List credentials.
-
-| Flag | Description |
-|------|-------------|
-| `--domain <domain>` | Filter by domain. |
-| `--limit <n>` | Maximum number of results to return. |
-| `--offset <n>` | Number of results to skip. |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel credentials get <id-or-name>`
-Get a credential by ID or name.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials update <id-or-name>`
-Update a credential.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | New name for the credential. |
-| `--value <name=value>` | Field name/value pair to update (repeatable). |
-| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
-| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials totp-code <id-or-name>`
-Print the current TOTP code for a credential.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credentials delete <id-or-name>`
-Delete a credential by ID or name.
-
-## Credential providers
-Connect an external secrets manager (e.g. 1Password) so managed auth connections can look up credentials at login time instead of storing them in Kernel.
-
-### `kernel credential-providers create`
-Register a new credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
-| `--name <name>` | Human-readable name for this provider instance. |
-| `--token <token>` | Service account token for the provider. |
-| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers list`
-List credential providers.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel credential-providers get <id>`
-Get a credential provider by ID.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers list-items <id>`
-List items available from a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-### `kernel credential-providers test <id>`
-Test the connection to a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers update <id>`
-Update a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | New human-readable name. |
-| `--token <token>` | New service account token (to rotate credentials). |
-| `--cache-ttl <seconds>` | How long to cache credential lists. |
-| `--enabled` | Whether the provider is enabled for credential lookups. |
-| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-### `kernel credential-providers delete <id>`
-Delete a credential provider.
diff --git a/reference/cli/profiles.mdx b/reference/cli/profiles.mdx
new file mode 100644
index 0000000..f750c23
--- /dev/null
+++ b/reference/cli/profiles.mdx
@@ -0,0 +1,42 @@
+---
+title: "Profiles"
+---
+
+Create, list, retrieve, and delete browser profiles. For more details, see [Profiles](/auth/profiles).
+
+## `kernel profiles list`
+List all browser profiles.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel profiles create`
+Create a new browser profile.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Optional unique name for the profile. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel profiles get <id-or-name>`
+Get profile details.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel profiles download <id-or-name>`
+Download a profile as a ZIP archive.
+
+| Flag | Description |
+|------|-------------|
+| `--to <path>` | Output zip file path (required). |
+| `--pretty` | Pretty-print JSON to file. |
+
+## `kernel profiles delete <id-or-name>`
+Delete a profile by ID or name.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip confirmation prompt. |
diff --git a/reference/cli/proxies.mdx b/reference/cli/proxies.mdx
new file mode 100644
index 0000000..6be56c5
--- /dev/null
+++ b/reference/cli/proxies.mdx
@@ -0,0 +1,55 @@
+---
+title: "Proxies"
+---
+
+Create and manage proxy configurations for routing browser traffic.
+
+## `kernel proxies list`
+List available proxy configurations.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel proxies get <id>`
+Show details for a proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel proxies create`
+Create a new proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Proxy configuration name. |
+| `--type <type>` | `datacenter`, `isp`, `residential`, `mobile`, or `custom` (required). |
+| `--protocol <protocol>` | Protocol to use (`http` or `https`; default: `https`). |
+| `--country <code>` | ISO 3166 country code or `EU`. |
+| `--city <name>` | City (residential, mobile; requires `--country`). |
+| `--state <code>` | State/region code (residential, mobile). |
+| `--zip <zip>` | ZIP/postal code (residential, mobile). |
+| `--asn <asn>` | Autonomous system number (residential, mobile). |
+| `--os <os>` | Operating system (`windows`, `macos`, `android`; residential). |
+| `--carrier <carrier>` | Mobile carrier (mobile). |
+| `--host <host>` | Proxy host (custom; required). |
+| `--port <port>` | Proxy port (custom; required). |
+| `--username <username>` | Proxy username (custom). |
+| `--password <password>` | Proxy password (custom). |
+| `--bypass-host <hostname>` | Hostname to bypass proxy (repeatable; max 100). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel proxies check <id>`
+Run a health check on a proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+## `kernel proxies delete <id>`
+Delete a proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip confirmation. |

From bd0a6526fec8065a49a6714d0dc7c5dabc2dbd8f Mon Sep 17 00:00:00 2001
From: masnwilliams <43387599+masnwilliams@users.noreply.github.com>
Date: Wed, 3 Jun 2026 14:36:59 +0000
Subject: [PATCH 4/4] docs: keep single-page CLI layout, order browsers before
 managed auth

Revert the per-tag page split; restore the consolidated browsers/apps
pages and the single managed-auth page. Reorder the CLI nav and index
cards so Browsers comes before Managed Auth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 docs.json                              |  71 +---
 reference/cli.mdx                      |  25 +-
 reference/cli/apps.mdx                 |  52 ++-
 reference/cli/browser-pools.mdx        |  68 ----
 reference/cli/browsers-computer.mdx    |  75 ----
 reference/cli/browsers-filesystem.mdx  | 103 -----
 reference/cli/browsers-logs.mdx        |  17 -
 reference/cli/browsers-playwright.mdx  |  12 -
 reference/cli/browsers-processes.mdx   |  51 ---
 reference/cli/browsers-replays.mdx     |  31 --
 reference/cli/browsers-telemetry.mdx   |  15 -
 reference/cli/browsers.mdx             | 511 +++++++++++++++++++++++--
 reference/cli/credential-providers.mdx |  59 ---
 reference/cli/credentials.mdx          |  55 ---
 reference/cli/deployments.mdx          |  59 ---
 reference/cli/extensions.mdx           |   6 -
 reference/cli/invocations.mdx          |  57 ---
 reference/cli/managed-auth.mdx         | 131 ++++++-
 reference/cli/profiles.mdx             |  42 --
 reference/cli/proxies.mdx              |  55 ---
 20 files changed, 661 insertions(+), 834 deletions(-)
 delete mode 100644 reference/cli/browser-pools.mdx
 delete mode 100644 reference/cli/browsers-computer.mdx
 delete mode 100644 reference/cli/browsers-filesystem.mdx
 delete mode 100644 reference/cli/browsers-logs.mdx
 delete mode 100644 reference/cli/browsers-playwright.mdx
 delete mode 100644 reference/cli/browsers-processes.mdx
 delete mode 100644 reference/cli/browsers-replays.mdx
 delete mode 100644 reference/cli/browsers-telemetry.mdx
 delete mode 100644 reference/cli/credential-providers.mdx
 delete mode 100644 reference/cli/credentials.mdx
 delete mode 100644 reference/cli/deployments.mdx
 delete mode 100644 reference/cli/invocations.mdx
 delete mode 100644 reference/cli/profiles.mdx
 delete mode 100644 reference/cli/proxies.mdx

diff --git a/docs.json b/docs.json
index d391df4..76480d7 100644
--- a/docs.json
+++ b/docs.json
@@ -259,66 +259,17 @@
       },
       {
         "tab": "CLI",
-        "groups": [
-          {
-            "group": "Get Started",
-            "pages": [
-              "reference/cli",
-              "reference/cli/create",
-              "reference/cli/auth",
-              "reference/cli/mcp"
-            ]
-          },
-          {
-            "group": "Browsers",
-            "pages": [
-              "reference/cli/browsers"
-            ]
-          },
-          {
-            "group": "Control the Browser",
-            "pages": [
-              "reference/cli/browsers-computer",
-              "reference/cli/browsers-playwright",
-              "reference/cli/browsers-filesystem",
-              "reference/cli/browsers-processes"
-            ]
-          },
-          {
-            "group": "Observe the Browser",
-            "pages": [
-              "reference/cli/browsers-replays",
-              "reference/cli/browsers-logs",
-              "reference/cli/browsers-telemetry"
-            ]
-          },
-          {
-            "group": "Configure Resources & Auth",
-            "pages": [
-              "reference/cli/profiles",
-              "reference/cli/proxies",
-              "reference/cli/extensions",
-              "reference/cli/browser-pools",
-              "reference/cli/managed-auth",
-              "reference/cli/credentials",
-              "reference/cli/credential-providers"
-            ]
-          },
-          {
-            "group": "Deploy Your Agent",
-            "pages": [
-              "reference/cli/apps",
-              "reference/cli/deployments",
-              "reference/cli/invocations"
-            ]
-          },
-          {
-            "group": "Organization",
-            "pages": [
-              "reference/cli/projects",
-              "reference/cli/api-keys"
-            ]
-          }
+        "pages": [
+          "reference/cli",
+          "reference/cli/create",
+          "reference/cli/auth",
+          "reference/cli/browsers",
+          "reference/cli/apps",
+          "reference/cli/managed-auth",
+          "reference/cli/projects",
+          "reference/cli/api-keys",
+          "reference/cli/mcp",
+          "reference/cli/extensions"
         ]
       },
       {
diff --git a/reference/cli.mdx b/reference/cli.mdx
index 4f175f4..7a4e39c 100644
--- a/reference/cli.mdx
+++ b/reference/cli.mdx
@@ -24,32 +24,33 @@ which kernel
 kernel --version
 ```
 
-This reference is organized to mirror the [API reference](https://kernel.sh/docs/api-reference): browser sessions, the controls to drive and observe them, the resources and auth they use, app deployment, and organization management.
-
 <Columns cols={2}>
   <Card icon="code" title="Create Kernel App" href="/reference/cli/create">
     Scaffold new Kernel apps from templates.
   </Card>
   <Card icon="key" title="Authentication" href="/reference/cli/auth">
-    Login, logout, and check CLI auth status.
+    Login, logout, and check auth status.
   </Card>
   <Card icon="browsers" title="Browsers" href="/reference/cli/browsers">
-    Create, view, and manage browser sessions — plus computer controls, Playwright, filesystem, processes, replays, logs, and telemetry.
+    Create, view, and manage Kernel browsers.
   </Card>
-  <Card icon="lock" title="Managed Auth" href="/reference/cli/managed-auth">
-    Auth connections, credentials, and credential providers.
+  <Card icon="rocket" title="Apps" href="/reference/cli/apps">
+    Deploy apps, invoke actions, and stream logs.
   </Card>
-  <Card icon="gear" title="Resources" href="/reference/cli/profiles">
-    Profiles, proxies, extensions, and browser pools.
+  <Card icon="lock" title="Managed Auth" href="/reference/cli/managed-auth">
+    Manage auth connections, credentials, and credential providers.
   </Card>
-  <Card icon="rocket" title="Deploy Your Agent" href="/reference/cli/deployments">
-    Apps, deployments, and invocations.
+  <Card icon="puzzle-piece" title="Extensions" href="/reference/cli/extensions">
+    Upload, download, and build browser extensions.
   </Card>
   <Card icon="code-fork" title="MCP" href="/reference/cli/mcp">
     Install Kernel MCP server configuration for AI tools.
   </Card>
-  <Card icon="folder-tree" title="Organization" href="/reference/cli/projects">
-    Manage projects and API keys.
+  <Card icon="folder-tree" title="Projects" href="/reference/cli/projects">
+    Manage projects and scope commands with `--project`.
+  </Card>
+  <Card icon="key" title="API Keys" href="/reference/cli/api-keys">
+    Create, list, rename, and delete API keys.
   </Card>
 </Columns>
 
diff --git a/reference/cli/apps.mdx b/reference/cli/apps.mdx
index db6aa5d..062fe02 100644
--- a/reference/cli/apps.mdx
+++ b/reference/cli/apps.mdx
@@ -2,7 +2,49 @@
 title: "Apps"
 ---
 
-List applications and versions. To deploy an app, see [Deployments](/reference/cli/deployments); to run one, see [Invocations](/reference/cli/invocations).
+## `kernel deploy <file>`
+Deploy an app to Kernel from the current directory. The entrypoint file and dependency manifest must live in the project root.
+
+| Flag | Description |
+|------|-------------|
+| `--version <version>` | Use a specific version label (default: latest). |
+| `--force` | Overwrite an existing version with the same label. |
+| `--env <KEY=VALUE>`, `-e` | Set environment variables (repeatable). |
+| `--env-file <file>` | Load environment variables from a file (repeatable). |
+| `--output json`, `-o json` | Output JSONL (one JSON object per line for each deployment event). |
+
+<Info>`package.json` (JS/TS) or `pyproject.toml` (Python) must be present next to the entrypoint.</Info>
+
+## `kernel deploy logs <deployment_id>`
+Stream build and runtime logs for a deployment.
+
+| Flag | Description |
+|------|-------------|
+| `--follow`, `-f` | Continue streaming logs in real time. |
+| `--since <duration>`, `-s` | Fetch logs starting from a relative duration (e.g. `5m`, `1h`, `1h30m`) or timestamp (`2006-01-02T15:04`). |
+| `--with-timestamps`, `-t` | Prefix each line with an RFC3339 timestamp. |
+
+<Info>Log lines longer than 64 KiB are truncated. Emit bulky payloads to external storage and log references.</Info>
+
+## `kernel deploy history [app_name]`
+Show deployment history for all apps or a specific app.
+
+| Flag | Description |
+|------|-------------|
+| `--limit <n>` | Maximum number of deployments to return (default: 100, `0` = all). |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+## `kernel invoke <app> <action>`
+Invoke an app action. By default the CLI returns immediately after the invocation is queued.
+
+| Flag | Description |
+|------|-------------|
+| `--version <version>`, `-v` | Target a specific app version (default: latest). |
+| `--payload <json>`, `-p` | Provide a JSON payload (stringified, max 64 KB). |
+| `--sync`, `-s` | Wait for completion (timeout after 60 s). |
+| `--output json`, `-o json` | Output JSONL (one JSON object per line for each invocation event). |
+
+<Info>Press `Ctrl+C` to cancel an in-flight invocation. The associated browser sessions are cleaned up automatically.</Info>
 
 ## `kernel app list`
 List deployed app versions.
@@ -21,14 +63,6 @@ Show deployment history for a specific app.
 | `--limit <n>` | Maximum number of deployments to return (default: 100, `0` = all). |
 | `--output json`, `-o json` | Output raw JSON array. |
 
-## `kernel app delete <app_name>`
-Delete an app and all of its deployments.
-
-| Flag | Description |
-|------|-------------|
-| `--version <version>` | Only delete deployments for this version (default: all versions). |
-| `--yes`, `-y` | Skip confirmation prompt. |
-
 ## `kernel logs <app_name>`
 Tail app logs.
 
diff --git a/reference/cli/browser-pools.mdx b/reference/cli/browser-pools.mdx
deleted file mode 100644
index 46dd64a..0000000
--- a/reference/cli/browser-pools.mdx
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: "Browser Pools"
----
-
-Create and manage browser pools for acquiring and releasing browsers. For more details, see [Browser Pools](/browsers/pools/overview).
-
-## `kernel browser-pools list`
-List all browser pools.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel browser-pools create [name]`
-Create a new browser pool.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Optional unique name for the pool. |
-| `--size <n>` | Number of browsers in the pool (required). |
-| `--fill-rate <n>` | Percentage of the pool to fill per minute. |
-| `--timeout <seconds>` | Idle timeout for browsers acquired from the pool. |
-| `--start-url <url>` | Initial page to open for new browsers. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browser-pools get <id-or-name>`
-Get pool details.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browser-pools update <id-or-name>`
-Update pool configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--size <n>` | Updated pool size. |
-| `--start-url <url>` | Initial page to open for new browsers. |
-| `--clear-start-url` | Clear the pool start URL. |
-| `--discard-all-idle` | Discard all idle browsers and refill. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browser-pools acquire <id-or-name>`
-Acquire a browser from the pool.
-
-| Flag | Description |
-|------|-------------|
-| `--timeout <seconds>` | Acquire timeout before returning 204. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browser-pools release <id-or-name>`
-Release a browser back to the pool.
-
-| Flag | Description |
-|------|-------------|
-| `--session-id <id>` | Browser session ID to release (required). |
-| `--reuse` | Reuse the browser instance (default: true). |
-
-## `kernel browser-pools delete <id-or-name>`
-Delete a pool.
-
-| Flag | Description |
-|------|-------------|
-| `--force` | Force delete even if browsers are leased. |
-
-## `kernel browser-pools flush <id-or-name>`
-Destroy all idle browsers in the pool.
diff --git a/reference/cli/browsers-computer.mdx b/reference/cli/browsers-computer.mdx
deleted file mode 100644
index 4f66294..0000000
--- a/reference/cli/browsers-computer.mdx
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: "Browser Computer Controls"
----
-
-Control mouse, keyboard, and screen on the browser instance.
-
-## `kernel browsers computer click-mouse <session-id>`
-Click the mouse at specific coordinates.
-
-| Flag | Description |
-|------|-------------|
-| `--x <coordinate>` | X coordinate (required). |
-| `--y <coordinate>` | Y coordinate (required). |
-| `--num-clicks <n>` | Number of clicks (default: 1). |
-| `--button <button>` | Mouse button (`left`, `right`, `middle`, `back`, `forward`). |
-| `--click-type <type>` | `down`, `up`, or `click` (default: `click`). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-## `kernel browsers computer move-mouse <session-id>`
-Move the mouse pointer.
-
-| Flag | Description |
-|------|-------------|
-| `--x <coordinate>` | X coordinate (required). |
-| `--y <coordinate>` | Y coordinate (required). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-## `kernel browsers computer screenshot <session-id>`
-Capture a screenshot.
-
-| Flag | Description |
-|------|-------------|
-| `--to <path>` | Output PNG path (required). |
-| `--x <coordinate>` | Region capture top-left X coordinate. |
-| `--y <coordinate>` | Region capture top-left Y coordinate. |
-| `--width <pixels>` | Region width. |
-| `--height <pixels>` | Region height. |
-
-## `kernel browsers computer type <session-id>`
-Type text into the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--text <text>` | Text to type (required). |
-| `--delay <ms>` | Delay between keystrokes in milliseconds. |
-
-## `kernel browsers computer press-key <session-id>`
-Press one or more keys.
-
-| Flag | Description |
-|------|-------------|
-| `--key <key>` | Key to press (repeatable). |
-| `--duration <ms>` | Duration to hold keys. |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-## `kernel browsers computer scroll <session-id>`
-Scroll the mouse wheel.
-
-| Flag | Description |
-|------|-------------|
-| `--x <coordinate>` | X coordinate (required). |
-| `--y <coordinate>` | Y coordinate (required). |
-| `--delta-x <pixels>` | Horizontal scroll amount (+right, -left). |
-| `--delta-y <pixels>` | Vertical scroll amount (+down, -up). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
-
-## `kernel browsers computer drag-mouse <session-id>`
-Drag the mouse along a path.
-
-| Flag | Description |
-|------|-------------|
-| `--point <x,y>` | Points to drag through (repeatable). |
-| `--delay <ms>` | Delay before dragging starts. |
-| `--button <button>` | Mouse button (`left`, `middle`, `right`; default: `left`). |
-| `--hold-key <key>` | Modifier keys to hold (repeatable). |
diff --git a/reference/cli/browsers-filesystem.mdx b/reference/cli/browsers-filesystem.mdx
deleted file mode 100644
index a92d48f..0000000
--- a/reference/cli/browsers-filesystem.mdx
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: "Browser Filesystem"
----
-
-Read, write, and manage files on the browser instance.
-
-## `kernel browsers fs new-directory <session-id>`
-Create a directory in the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path to create (required). |
-| `--mode <mode>` | Directory mode in octal. |
-
-## `kernel browsers fs delete-directory <session-id>`
-Delete a directory.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path to delete (required). |
-
-## `kernel browsers fs delete-file <session-id>`
-Delete a file.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute file path to delete (required). |
-
-## `kernel browsers fs download-dir-zip <session-id>`
-Download a directory as a zip archive.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path to download (required). |
-| `-o, --output <path>` | Output zip file path. |
-
-## `kernel browsers fs file-info <session-id>`
-Retrieve metadata for a file or directory.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute file or directory path (required). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browsers fs list-files <session-id>`
-List directory contents.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute directory path (required). |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel browsers fs move <session-id>`
-Move or rename a file or directory.
-
-| Flag | Description |
-|------|-------------|
-| `--src <path>` | Absolute source path (required). |
-| `--dest <path>` | Absolute destination path (required). |
-
-## `kernel browsers fs read-file <session-id>`
-Read a file from the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute file path (required). |
-| `-o, --output <path>` | Output path for the downloaded file. |
-
-## `kernel browsers fs set-permissions <session-id>`
-Update file permissions or ownership.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Absolute path (required). |
-| `--mode <mode>` | File mode bits (octal string). |
-| `--owner <user>` | New owner username or UID. |
-| `--group <group>` | New group name or GID. |
-
-## `kernel browsers fs upload <session-id>`
-Upload one or more files.
-
-| Flag | Description |
-|------|-------------|
-| `--file <local:remote>` | Local-to-remote file mapping (repeatable). |
-| `--dest-dir <path>` | Destination directory for uploads. |
-| `--paths <paths>` | Local file paths to upload. |
-
-## `kernel browsers fs upload-zip <session-id>`
-Upload a zip file and extract it.
-
-| Flag | Description |
-|------|-------------|
-| `--zip <path>` | Local zip file path (required). |
-| `--dest-dir <path>` | Directory to extract into (required). |
-
-## `kernel browsers fs write-file <session-id>`
-Write a local file to the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--path <path>` | Destination absolute file path (required). |
-| `--mode <mode>` | File mode in octal. |
-| `--source <path>` | Local source file path (required). |
diff --git a/reference/cli/browsers-logs.mdx b/reference/cli/browsers-logs.mdx
deleted file mode 100644
index a6f9e12..0000000
--- a/reference/cli/browsers-logs.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: "Browser Logs"
----
-
-Stream logs from the browser instance.
-
-## `kernel browsers logs stream <session-id>`
-Stream browser logs from the supervisor or a file path.
-
-| Flag | Description |
-|------|-------------|
-| `--source <source>` | `path` or `supervisor` (required). |
-| `--follow` | Continue streaming (default: true). |
-| `--path <path>` | File path when `--source=path`. |
-| `--supervisor-process <name>` | Supervisor process when `--source=supervisor` (e.g. `chromium`). |
-
-<Info>Log lines longer than 64 KiB are truncated.</Info>
diff --git a/reference/cli/browsers-playwright.mdx b/reference/cli/browsers-playwright.mdx
deleted file mode 100644
index 197a62b..0000000
--- a/reference/cli/browsers-playwright.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
----
-title: "Browser Playwright"
----
-
-Execute Playwright code against the browser instance.
-
-## `kernel browsers playwright execute <session-id> [code]`
-Execute Playwright/TypeScript code against a running browser session.
-
-| Flag | Description |
-|------|-------------|
-| `--timeout <seconds>` | Maximum execution time for the snippet. |
diff --git a/reference/cli/browsers-processes.mdx b/reference/cli/browsers-processes.mdx
deleted file mode 100644
index 82ad348..0000000
--- a/reference/cli/browsers-processes.mdx
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: "Browser Processes"
----
-
-Execute and manage processes on the browser instance.
-
-## `kernel browsers process exec <session-id> [--] [command...]`
-Execute a command synchronously inside the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--command <cmd>` | Command to run; defaults to trailing args. |
-| `--args <args>` | Arguments for the command. |
-| `--cwd <path>` | Working directory. |
-| `--timeout <seconds>` | Execution timeout. |
-| `--as-user <user>` | Run as a specific user. |
-| `--as-root` | Run as root. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browsers process spawn <session-id> [--] [command...]`
-Execute a command asynchronously in the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--command <cmd>` | Command to run; defaults to trailing args. |
-| `--args <args>` | Arguments for the command. |
-| `--cwd <path>` | Working directory. |
-| `--timeout <seconds>` | Execution timeout. |
-| `--as-user <user>` | Run as a specific user. |
-| `--as-root` | Run as root. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browsers process kill <session-id> <process-id>`
-Send a signal to a process running in the browser VM.
-
-| Flag | Description |
-|------|-------------|
-| `--signal <signal>` | Signal to send (`TERM`, `KILL`, `INT`, `HUP`; default: `TERM`). |
-
-## `kernel browsers process status <session-id> <process-id>`
-Check process status information.
-
-## `kernel browsers process stdin <session-id> <process-id>`
-Write base64-encoded data to a process stdin.
-
-| Flag | Description |
-|------|-------------|
-| `--data-b64 <data>` | Base64 payload to write (required). |
-
-## `kernel browsers process stdout-stream <session-id> <process-id>`
-Stream stdout and stderr from a process.
diff --git a/reference/cli/browsers-replays.mdx b/reference/cli/browsers-replays.mdx
deleted file mode 100644
index a26b1e8..0000000
--- a/reference/cli/browsers-replays.mdx
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: "Browser Replays"
----
-
-Record and manage browser session video replays.
-
-## `kernel browsers replays list <session-id>`
-List replay recordings for a browser session.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel browsers replays start <session-id>`
-Start recording a replay.
-
-| Flag | Description |
-|------|-------------|
-| `--framerate <fps>` | Recording framerate in frames per second. |
-| `--max-duration <seconds>` | Maximum recording duration. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel browsers replays stop <session-id> <replay-id>`
-Stop an active replay recording.
-
-## `kernel browsers replays download <session-id> <replay-id>`
-Download a replay video.
-
-| Flag | Description |
-|------|-------------|
-| `-o, --output <path>` | Output path for the downloaded replay. |
diff --git a/reference/cli/browsers-telemetry.mdx b/reference/cli/browsers-telemetry.mdx
deleted file mode 100644
index 0e8c96e..0000000
--- a/reference/cli/browsers-telemetry.mdx
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: "Browser Telemetry"
----
-
-Stream live telemetry events from a browser session.
-
-## `kernel browsers telemetry stream <session-id>`
-Stream live telemetry events (API calls, console output, interactions, network, page, and system events) from a running browser session.
-
-| Flag | Description |
-|------|-------------|
-| `--categories <list>` | Filter by event category (`api`, `console`, `interaction`, `network`, `page`, `system`). `system` covers `monitor_*` and `cdp_*` events. |
-| `--types <list>` | Filter by event type (e.g. `network_response`, `console_error`). |
-| `--seq <n>` | Resume after sequence number N; replays events with `seq > N`. Default `-1` streams from now. |
-| `--output json`, `-o json` | Output newline-delimited JSON envelopes. |
diff --git a/reference/cli/browsers.mdx b/reference/cli/browsers.mdx
index aac5df4..0b7586e 100644
--- a/reference/cli/browsers.mdx
+++ b/reference/cli/browsers.mdx
@@ -2,18 +2,18 @@
 title: "Browsers"
 ---
 
-Create and manage browser sessions.
+## Browser sessions
 
 <Info>Unless otherwise noted, `id` arguments refer to the browser session ID, not invocation IDs returned by Kernel commands.</Info>
 
-## `kernel browsers list`
+### `kernel browsers list`
 List all browser sessions.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON array. |
 
-## `kernel browsers create`
+### `kernel browsers create`
 Create a new browser session.
 
 | Flag | Description |
@@ -24,64 +24,499 @@ Create a new browser session.
 | `--start-url <url>` | Initial page to open on launch. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel browsers get <session-id>`
+### `kernel browsers delete <session-id>`
+Delete a browser session. Use `-y` to skip confirmation.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Bypass the confirmation prompt. |
+
+### `kernel browsers view <session-id>`
+Return a live view URL for remote monitoring and control.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output JSON with `liveViewUrl` field. |
+
+### `kernel browsers get <session-id>`
 Get detailed information about a browser session.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel browsers update <session-id>`
-Update a running browser session's profile, proxy, viewport, or telemetry settings.
+### `kernel browsers ssh <session-id>`
+Open an interactive SSH session to a browser VM. Requires [websocat](https://github.com/vi/websocat) to be installed locally.
+
+| Flag | Description |
+|------|-------------|
+| `-i, --identity <path>` | Path to SSH private key (generates ephemeral if not provided). |
+| `-L, --local-forward <spec>` | Local port forwarding (`localport:host:remoteport`). |
+| `-R, --remote-forward <spec>` | Remote port forwarding (`remoteport:host:localport`). |
+| `--setup-only` | Setup SSH on VM without connecting. |
+
+## Browser logs
+
+### `kernel browsers logs stream <session-id>`
+Stream browser logs from the supervisor or a file path.
+
+| Flag | Description |
+|------|-------------|
+| `--source <source>` | `path` or `supervisor` (required). |
+| `--follow` | Continue streaming (default: true). |
+| `--path <path>` | File path when `--source=path`. |
+| `--supervisor-process <name>` | Supervisor process when `--source=supervisor` (e.g. `chromium`). |
+
+<Info>Log lines longer than 64 KiB are truncated.</Info>
+
+## Replays
+
+### `kernel browsers replays list <session-id>`
+List replay recordings for a browser session.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel browsers replays start <session-id>`
+Start recording a replay.
+
+| Flag | Description |
+|------|-------------|
+| `--framerate <fps>` | Recording framerate in frames per second. |
+| `--max-duration <seconds>` | Maximum recording duration. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel browsers replays stop <session-id> <replay-id>`
+Stop an active replay recording.
+
+### `kernel browsers replays download <session-id> <replay-id>`
+Download a replay video.
 
 | Flag | Description |
 |------|-------------|
-| `--profile-id <id>` | Profile ID to load (mutually exclusive with `--profile-name`). |
-| `--profile-name <name>` | Profile name to load (mutually exclusive with `--profile-id`). |
-| `--save-changes` | Save changes back to the profile when the session ends. |
-| `--proxy-id <id>` | Proxy ID to use for the session. |
-| `--clear-proxy` | Remove the proxy from the session. |
-| `--telemetry <spec>` | `all` to enable, `off` to disable, or per-category (e.g. `network=on,page=off`). |
-| `--force` | Force viewport resize even when a live view or replay is active. |
+| `-o, --output <path>` | Output path for the downloaded replay. |
+
+## Process control
+
+### `kernel browsers process exec <session-id> [--] [command...]`
+Execute a command synchronously inside the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--command <cmd>` | Command to run; defaults to trailing args. |
+| `--args <args>` | Arguments for the command. |
+| `--cwd <path>` | Working directory. |
+| `--timeout <seconds>` | Execution timeout. |
+| `--as-user <user>` | Run as a specific user. |
+| `--as-root` | Run as root. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel browsers view <session-id>`
-Return a live view URL for remote monitoring and control.
+### `kernel browsers process spawn <session-id> [--] [command...]`
+Execute a command asynchronously in the browser VM.
 
 | Flag | Description |
 |------|-------------|
-| `--output json`, `-o json` | Output JSON with `liveViewUrl` field. |
+| `--command <cmd>` | Command to run; defaults to trailing args. |
+| `--args <args>` | Arguments for the command. |
+| `--cwd <path>` | Working directory. |
+| `--timeout <seconds>` | Execution timeout. |
+| `--as-user <user>` | Run as a specific user. |
+| `--as-root` | Run as root. |
+| `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel browsers curl <session-id> <url>`
-Make an HTTP request from within a browser session (sharing its cookies and network context).
+### `kernel browsers process kill <session-id> <process-id>`
+Send a signal to a process running in the browser VM.
 
 | Flag | Description |
 |------|-------------|
-| `--request <method>`, `-X` | HTTP method (default: `GET`). |
-| `--header <Key: Value>`, `-H` | HTTP header (repeatable). |
-| `--data <body>`, `-d` | Request body. |
-| `--data-file <path>` | Read request body from a file. |
-| `--head`, `-I` | Fetch headers only. |
-| `--include`, `-i` | Include response headers in output. |
-| `--dump-header <file>`, `-D` | Write received headers to a file (`-` for stdout). |
-| `--output <file>`, `-o` | Write response body to a file. |
-| `--fail`, `-f` | Fail with no body output on HTTP errors. |
-| `--max-time <seconds>` | Maximum time allowed for the request (default: 30). |
-| `--silent`, `-s` | Suppress progress output. |
+| `--signal <signal>` | Signal to send (`TERM`, `KILL`, `INT`, `HUP`; default: `TERM`). |
+
+### `kernel browsers process status <session-id> <process-id>`
+Check process status information.
 
-## `kernel browsers delete <session-id> [ids...]`
-Delete one or more browser sessions.
+### `kernel browsers process stdin <session-id> <process-id>`
+Write base64-encoded data to a process stdin.
 
 | Flag | Description |
 |------|-------------|
-| `--yes`, `-y` | Bypass the confirmation prompt. |
+| `--data-b64 <data>` | Base64 payload to write (required). |
 
-## `kernel browsers ssh <session-id>`
-Open an interactive SSH session to a browser VM. Requires [websocat](https://github.com/vi/websocat) to be installed locally.
+### `kernel browsers process stdout-stream <session-id> <process-id>`
+Stream stdout and stderr from a process.
+
+## Filesystem
+
+### `kernel browsers fs new-directory <session-id>`
+Create a directory in the browser VM.
 
 | Flag | Description |
 |------|-------------|
-| `-i, --identity <path>` | Path to SSH private key (generates ephemeral if not provided). |
-| `-L, --local-forward <spec>` | Local port forwarding (`localport:host:remoteport`). |
-| `-R, --remote-forward <spec>` | Remote port forwarding (`remoteport:host:localport`). |
-| `--setup-only` | Setup SSH on VM without connecting. |
+| `--path <path>` | Absolute directory path to create (required). |
+| `--mode <mode>` | Directory mode in octal. |
+
+### `kernel browsers fs delete-directory <session-id>`
+Delete a directory.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path to delete (required). |
+
+### `kernel browsers fs delete-file <session-id>`
+Delete a file.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute file path to delete (required). |
+
+### `kernel browsers fs download-dir-zip <session-id>`
+Download a directory as a zip archive.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path to download (required). |
+| `-o, --output <path>` | Output zip file path. |
+
+### `kernel browsers fs file-info <session-id>`
+Retrieve metadata for a file or directory.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute file or directory path (required). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel browsers fs list-files <session-id>`
+List directory contents.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute directory path (required). |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel browsers fs move <session-id>`
+Move or rename a file or directory.
+
+| Flag | Description |
+|------|-------------|
+| `--src <path>` | Absolute source path (required). |
+| `--dest <path>` | Absolute destination path (required). |
+
+### `kernel browsers fs read-file <session-id>`
+Read a file from the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute file path (required). |
+| `-o, --output <path>` | Output path for the downloaded file. |
+
+### `kernel browsers fs set-permissions <session-id>`
+Update file permissions or ownership.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Absolute path (required). |
+| `--mode <mode>` | File mode bits (octal string). |
+| `--owner <user>` | New owner username or UID. |
+| `--group <group>` | New group name or GID. |
+
+### `kernel browsers fs upload <session-id>`
+Upload one or more files.
+
+| Flag | Description |
+|------|-------------|
+| `--file <local:remote>` | Local-to-remote file mapping (repeatable). |
+| `--dest-dir <path>` | Destination directory for uploads. |
+| `--paths <paths>` | Local file paths to upload. |
+
+### `kernel browsers fs upload-zip <session-id>`
+Upload a zip file and extract it.
+
+| Flag | Description |
+|------|-------------|
+| `--zip <path>` | Local zip file path (required). |
+| `--dest-dir <path>` | Directory to extract into (required). |
+
+### `kernel browsers fs write-file <session-id>`
+Write a local file to the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--path <path>` | Destination absolute file path (required). |
+| `--mode <mode>` | File mode in octal. |
+| `--source <path>` | Local source file path (required). |
+
+## Computer controls
+
+### `kernel browsers computer click-mouse <session-id>`
+Click the mouse at specific coordinates.
+
+| Flag | Description |
+|------|-------------|
+| `--x <coordinate>` | X coordinate (required). |
+| `--y <coordinate>` | Y coordinate (required). |
+| `--num-clicks <n>` | Number of clicks (default: 1). |
+| `--button <button>` | Mouse button (`left`, `right`, `middle`, `back`, `forward`). |
+| `--click-type <type>` | `down`, `up`, or `click` (default: `click`). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+### `kernel browsers computer move-mouse <session-id>`
+Move the mouse pointer.
+
+| Flag | Description |
+|------|-------------|
+| `--x <coordinate>` | X coordinate (required). |
+| `--y <coordinate>` | Y coordinate (required). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+### `kernel browsers computer screenshot <session-id>`
+Capture a screenshot.
+
+| Flag | Description |
+|------|-------------|
+| `--to <path>` | Output PNG path (required). |
+| `--x <coordinate>` | Region capture top-left X coordinate. |
+| `--y <coordinate>` | Region capture top-left Y coordinate. |
+| `--width <pixels>` | Region width. |
+| `--height <pixels>` | Region height. |
+
+### `kernel browsers computer type <session-id>`
+Type text into the browser VM.
+
+| Flag | Description |
+|------|-------------|
+| `--text <text>` | Text to type (required). |
+| `--delay <ms>` | Delay between keystrokes in milliseconds. |
+
+### `kernel browsers computer press-key <session-id>`
+Press one or more keys.
+
+| Flag | Description |
+|------|-------------|
+| `--key <key>` | Key to press (repeatable). |
+| `--duration <ms>` | Duration to hold keys. |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+### `kernel browsers computer scroll <session-id>`
+Scroll the mouse wheel.
+
+| Flag | Description |
+|------|-------------|
+| `--x <coordinate>` | X coordinate (required). |
+| `--y <coordinate>` | Y coordinate (required). |
+| `--delta-x <pixels>` | Horizontal scroll amount (+right, -left). |
+| `--delta-y <pixels>` | Vertical scroll amount (+down, -up). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+### `kernel browsers computer drag-mouse <session-id>`
+Drag the mouse along a path.
+
+| Flag | Description |
+|------|-------------|
+| `--point <x,y>` | Points to drag through (repeatable). |
+| `--delay <ms>` | Delay before dragging starts. |
+| `--button <button>` | Mouse button (`left`, `middle`, `right`; default: `left`). |
+| `--hold-key <key>` | Modifier keys to hold (repeatable). |
+
+## Playwright
+
+### `kernel browsers playwright execute <session-id> [code]`
+Execute Playwright/TypeScript code against a running browser session.
+
+| Flag | Description |
+|------|-------------|
+| `--timeout <seconds>` | Maximum execution time for the snippet. |
+
+## Extension management
+
+### `kernel extensions list`
+List all uploaded extensions.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel extensions upload <directory>`
+Upload an unpacked extension directory.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Optional unique extension name. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel extensions download <id-or-name>`
+Download an extension archive.
+
+| Flag | Description |
+|------|-------------|
+| `--to <directory>` | Output directory (required). |
+
+### `kernel extensions download-web-store <url>`
+Download an extension from the Chrome Web Store.
+
+| Flag | Description |
+|------|-------------|
+| `--to <directory>` | Output directory (required). |
+| `--os <os>` | Target OS (`mac`, `win`, `linux`; default: `linux`). |
+
+### `kernel extensions delete <id-or-name>`
+Delete an uploaded extension.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip confirmation. |
+
+### `kernel browsers extensions upload <session-id> <extension-path>...`
+Upload one or more unpacked Chrome extensions directly into a running browser session.
+
+## Proxy management
+
+### `kernel proxies list`
+List available proxy configurations.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel proxies get <id>`
+Show details for a proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel proxies create`
+Create a new proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Proxy configuration name. |
+| `--type <type>` | `datacenter`, `isp`, `residential`, `mobile`, or `custom` (required). |
+| `--protocol <protocol>` | Protocol to use (`http` or `https`; default: `https`). |
+| `--country <code>` | ISO 3166 country code or `EU`. |
+| `--city <name>` | City (residential, mobile; requires `--country`). |
+| `--state <code>` | State/region code (residential, mobile). |
+| `--zip <zip>` | ZIP/postal code (residential, mobile). |
+| `--asn <asn>` | Autonomous system number (residential, mobile). |
+| `--os <os>` | Operating system (`windows`, `macos`, `android`; residential). |
+| `--carrier <carrier>` | Mobile carrier (mobile). |
+| `--host <host>` | Proxy host (custom; required). |
+| `--port <port>` | Proxy port (custom; required). |
+| `--username <username>` | Proxy username (custom). |
+| `--password <password>` | Proxy password (custom). |
+| `--bypass-host <hostname>` | Hostname to bypass proxy (repeatable; max 100). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel proxies delete <id>`
+Delete a proxy configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip confirmation. |
+
+## Browser pools
+
+For more details on browser pools, see [Browser Pools](/browsers/pools/overview).
+
+### `kernel browser-pools list`
+List all browser pools.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel browser-pools create`
+Create a new browser pool.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Optional unique name for the pool. |
+| `--size <n>` | Number of browsers in the pool (required). |
+| `--fill-rate <n>` | Percentage of the pool to fill per minute. |
+| `--timeout <seconds>` | Idle timeout for browsers acquired from the pool. |
+| `--start-url <url>` | Initial page to open for new browsers. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel browser-pools get <id-or-name>`
+Get pool details.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel browser-pools update <id-or-name>`
+Update pool configuration.
+
+| Flag | Description |
+|------|-------------|
+| `--size <n>` | Updated pool size. |
+| `--start-url <url>` | Initial page to open for new browsers. |
+| `--clear-start-url` | Clear the pool start URL. |
+| `--discard-all-idle` | Discard all idle browsers and refill. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel browser-pools acquire <id-or-name>`
+Acquire a browser from the pool.
+
+| Flag | Description |
+|------|-------------|
+| `--timeout <seconds>` | Acquire timeout before returning 204. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel browser-pools release <id-or-name>`
+Release a browser back to the pool.
+
+| Flag | Description |
+|------|-------------|
+| `--session-id <id>` | Browser session ID to release (required). |
+| `--reuse` | Reuse the browser instance (default: true). |
+
+### `kernel browser-pools delete <id-or-name>`
+Delete a pool.
+
+| Flag | Description |
+|------|-------------|
+| `--force` | Force delete even if browsers are leased. |
+
+### `kernel browser-pools flush <id-or-name>`
+Destroy all idle browsers in the pool.
+
+## Profiles
+
+For more details on browser profiles, see [Profiles](/auth/profiles).
+
+### `kernel profiles list`
+List all browser profiles.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel profiles get <id-or-name>`
+Get profile details.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel profiles create`
+Create a new browser profile.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Optional unique name for the profile. |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel profiles download <id-or-name>`
+Download a profile as a ZIP archive.
+
+| Flag | Description |
+|------|-------------|
+| `--to <path>` | Output zip file path. Required. |
+| `--pretty` | Pretty-print JSON to file. |
+
+### `kernel profiles delete <id-or-name>`
+Delete a profile by ID or name.
+
+| Flag | Description |
+|------|-------------|
+| `--yes`, `-y` | Skip confirmation prompt. |
diff --git a/reference/cli/credential-providers.mdx b/reference/cli/credential-providers.mdx
deleted file mode 100644
index 0415e0a..0000000
--- a/reference/cli/credential-providers.mdx
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: "Credential Providers"
----
-
-Configure external credential providers like 1Password so [managed auth](/reference/cli/managed-auth) connections can look up credentials at login time instead of storing them in Kernel.
-
-## `kernel credential-providers create`
-Register a new credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
-| `--name <name>` | Human-readable name for this provider instance. |
-| `--token <token>` | Service account token for the provider. |
-| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credential-providers list`
-List credential providers.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel credential-providers get <id>`
-Get a credential provider by ID.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credential-providers list-items <id>`
-List items available from a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel credential-providers test <id>`
-Test the connection to a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credential-providers update <id>`
-Update a credential provider.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | New human-readable name. |
-| `--token <token>` | New service account token (to rotate credentials). |
-| `--cache-ttl <seconds>` | How long to cache credential lists. |
-| `--enabled` | Whether the provider is enabled for credential lookups. |
-| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credential-providers delete <id>`
-Delete a credential provider.
diff --git a/reference/cli/credentials.mdx b/reference/cli/credentials.mdx
deleted file mode 100644
index 1bd26e4..0000000
--- a/reference/cli/credentials.mdx
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: "Credentials"
----
-
-Create and manage credentials for authentication. Credentials store login field values, TOTP secrets, and SSO settings that [managed auth](/reference/cli/managed-auth) connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
-
-## `kernel credentials create`
-Create a new credential.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Unique name for the credential (required). |
-| `--domain <domain>` | Target domain this credential is for (required). |
-| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
-| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
-| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credentials list`
-List credentials.
-
-| Flag | Description |
-|------|-------------|
-| `--domain <domain>` | Filter by domain. |
-| `--limit <n>` | Maximum number of results to return. |
-| `--offset <n>` | Number of results to skip. |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel credentials get <id-or-name>`
-Get a credential by ID or name.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credentials update <id-or-name>`
-Update a credential.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | New name for the credential. |
-| `--value <name=value>` | Field name/value pair to update (repeatable). |
-| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
-| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credentials totp-code <id-or-name>`
-Print the current TOTP code for a credential.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel credentials delete <id-or-name>`
-Delete a credential by ID or name.
diff --git a/reference/cli/deployments.mdx b/reference/cli/deployments.mdx
deleted file mode 100644
index 0e3c675..0000000
--- a/reference/cli/deployments.mdx
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: "Deployments"
----
-
-Create and manage app deployments and stream deployment events.
-
-## `kernel deploy <file>`
-Deploy an app to Kernel from the current directory. The entrypoint file and dependency manifest must live in the project root.
-
-| Flag | Description |
-|------|-------------|
-| `--version <version>` | Use a specific version label (default: latest). |
-| `--force` | Overwrite an existing version with the same label. |
-| `--env <KEY=VALUE>`, `-e` | Set environment variables (repeatable). |
-| `--env-file <file>` | Load environment variables from a file (repeatable). |
-| `--output json`, `-o json` | Output JSONL (one JSON object per line for each deployment event). |
-
-<Info>`package.json` (JS/TS) or `pyproject.toml` (Python) must be present next to the entrypoint.</Info>
-
-## `kernel deploy github`
-Deploy directly from a GitHub repository instead of the local directory.
-
-| Flag | Description |
-|------|-------------|
-| `--url <url>` | GitHub repository URL (e.g. `https://github.com/org/repo`). |
-| `--ref <ref>` | Git ref to deploy (branch, tag, or commit SHA). |
-| `--entrypoint <path>` | Entrypoint within the repo/path (e.g. `src/index.ts`). |
-| `--path <subdir>` | Optional subdirectory within the repo (e.g. `apps/api`). |
-| `--github-token <token>` | GitHub token for private repositories (PAT or installation access token). |
-| `--region <region>` | Deployment region (currently only `aws.us-east-1a`). |
-
-## `kernel deploy get <deployment_id>`
-Get a deployment.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel deploy logs <deployment_id>`
-Stream build and runtime logs for a deployment.
-
-| Flag | Description |
-|------|-------------|
-| `--follow`, `-f` | Continue streaming logs in real time. |
-| `--since <duration>`, `-s` | Fetch logs starting from a relative duration (e.g. `5m`, `1h`, `1h30m`) or timestamp (`2006-01-02T15:04`). |
-| `--with-timestamps`, `-t` | Prefix each line with an RFC3339 timestamp. |
-
-<Info>Log lines longer than 64 KiB are truncated. Emit bulky payloads to external storage and log references.</Info>
-
-## `kernel deploy history [app_name]`
-Show deployment history for all apps or a specific app.
-
-| Flag | Description |
-|------|-------------|
-| `--limit <n>` | Maximum number of deployments to return (default: 100, `0` = all). |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel deploy delete <deployment_id>`
-Delete a deployment.
diff --git a/reference/cli/extensions.mdx b/reference/cli/extensions.mdx
index d00840d..0456734 100644
--- a/reference/cli/extensions.mdx
+++ b/reference/cli/extensions.mdx
@@ -129,9 +129,3 @@ kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --upload my-web-bot
 <Info>
 This command requires Node.js and npm to be installed on your system.
 </Info>
-
-## Adding extensions to a running session
-
-### `kernel browsers extensions upload <session-id> <extension-path>...`
-
-Upload one or more unpacked extensions directly into a running browser session and restart Chromium.
diff --git a/reference/cli/invocations.mdx b/reference/cli/invocations.mdx
deleted file mode 100644
index 6e569da..0000000
--- a/reference/cli/invocations.mdx
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: "Invocations"
----
-
-Invoke actions and stream or query invocation status and events.
-
-## `kernel invoke <app> <action>`
-Invoke an app action. By default the CLI returns immediately after the invocation is queued.
-
-| Flag | Description |
-|------|-------------|
-| `--version <version>`, `-v` | Target a specific app version (default: latest). |
-| `--payload <json>`, `-p` | Provide a JSON payload (stringified, max 64 KB). |
-| `--sync`, `-s` | Wait for completion (timeout after 60 s). |
-| `--output json`, `-o json` | Output JSONL (one JSON object per line for each invocation event). |
-
-<Info>Press `Ctrl+C` to cancel an in-flight invocation. The associated browser sessions are cleaned up automatically.</Info>
-
-## `kernel invoke history`
-Show invocation history.
-
-| Flag | Description |
-|------|-------------|
-| `--app <app_name>`, `-a` | Filter by app name. |
-| `--action <action>` | Filter by action name. |
-| `--version <version>` | Filter by invocation version. |
-| `--deployment-id <id>` | Filter by deployment ID. |
-| `--status <status>` | Filter by status (`queued`, `running`, `succeeded`, `failed`). |
-| `--since <time>` | Show invocations that started since the given time. |
-| `--limit <n>` | Maximum invocations to return (default: 100). |
-| `--offset <n>` | Number of results to skip. |
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel invoke get <invocation_id>`
-Get an invocation.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel invoke update <invocation_id>`
-Update an invocation's status and output.
-
-| Flag | Description |
-|------|-------------|
-| `--status <status>` | New invocation status (`succeeded` or `failed`). |
-| `--output <json>` | Updated invocation output rendered as a JSON string. |
-
-## `kernel invoke browsers <invocation_id>`
-List browser sessions for an invocation.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel invoke delete-browsers <invocation_id>`
-Delete the browser sessions for an invocation.
diff --git a/reference/cli/managed-auth.mdx b/reference/cli/managed-auth.mdx
index 39cb684..224b1fd 100644
--- a/reference/cli/managed-auth.mdx
+++ b/reference/cli/managed-auth.mdx
@@ -2,11 +2,12 @@
 title: "Managed Auth"
 ---
 
-Create and manage [managed auth](/auth/overview) connections for automated credential capture and login. A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See the [programmatic flow](/auth/programmatic) for the SDK equivalent.
+Manage [managed auth](/auth/overview) connections, stored credentials, and external credential providers from the CLI. For authenticating the CLI itself (login, logout, API keys), see [Authentication](/reference/cli/auth).
 
-For authenticating the CLI itself (login, logout, API keys), see [Authentication](/reference/cli/auth).
+## Connections
+A managed auth connection keeps a [profile](/auth/profiles) logged into a domain so future browsers reuse the authenticated session. See [Managed auth](/auth/overview) for concepts and the [programmatic flow](/auth/programmatic) for the SDK equivalent.
 
-## `kernel auth connections create`
+### `kernel auth connections create`
 Create a managed auth connection for a profile and domain.
 
 | Flag | Description |
@@ -25,7 +26,7 @@ Create a managed auth connection for a profile and domain.
 | `--no-save-credentials` | Don't save credentials after a successful login. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel auth connections list`
+### `kernel auth connections list`
 List managed auth connections.
 
 | Flag | Description |
@@ -36,14 +37,14 @@ List managed auth connections.
 | `--offset <n>` | Number of results to skip. |
 | `--output json`, `-o json` | Output raw JSON array. |
 
-## `kernel auth connections get <id>`
+### `kernel auth connections get <id>`
 Get a managed auth connection by ID.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel auth connections login <id>`
+### `kernel auth connections login <id>`
 Start a login flow and return a hosted URL for authentication.
 
 | Flag | Description |
@@ -52,7 +53,7 @@ Start a login flow and return a hosted URL for authentication.
 | `--proxy-name <name>` | Proxy name to use for this login. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel auth connections submit <id>`
+### `kernel auth connections submit <id>`
 Submit field values to an in-progress login flow. Poll the connection (or use `follow`) to track progress.
 
 | Flag | Description |
@@ -72,14 +73,14 @@ kernel auth connections submit <id> --field username=myuser --field password=myp
 kernel auth connections submit <id> --mfa-option-id <id>
 ```
 
-## `kernel auth connections follow <id>`
+### `kernel auth connections follow <id>`
 Stream real-time login flow state updates over SSE.
 
 | Flag | Description |
 |------|-------------|
 | `--output json`, `-o json` | Output raw JSON events. |
 
-## `kernel auth connections update <id>`
+### `kernel auth connections update <id>`
 Update connection settings such as login URL, health checks, credential source, and proxy.
 
 | Flag | Description |
@@ -97,9 +98,119 @@ Update connection settings such as login URL, health checks, credential source,
 | `--no-save-credentials` | Don't save credentials after a successful login. |
 | `--output json`, `-o json` | Output raw JSON object. |
 
-## `kernel auth connections delete <id>`
+### `kernel auth connections delete <id>`
 Delete a managed auth connection.
 
 | Flag | Description |
 |------|-------------|
 | `--yes`, `-y` | Skip the confirmation prompt. |
+
+## Credentials
+Store login field values, TOTP secrets, and SSO settings that managed auth connections use to authenticate. See [Credentials](/auth/credentials) for concepts.
+
+### `kernel credentials create`
+Create a new credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Unique name for the credential (required). |
+| `--domain <domain>` | Target domain this credential is for (required). |
+| `--value <name=value>` | Field name/value pair (repeatable, e.g. `--value username=myuser --value password=mypass`). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret for 2FA. |
+| `--sso-provider <provider>` | SSO provider (e.g. `google`, `github`, `microsoft`). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials list`
+List credentials.
+
+| Flag | Description |
+|------|-------------|
+| `--domain <domain>` | Filter by domain. |
+| `--limit <n>` | Maximum number of results to return. |
+| `--offset <n>` | Number of results to skip. |
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credentials get <id-or-name>`
+Get a credential by ID or name.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials update <id-or-name>`
+Update a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New name for the credential. |
+| `--value <name=value>` | Field name/value pair to update (repeatable). |
+| `--totp-secret <secret>` | Base32-encoded TOTP secret (set to an empty string to remove). |
+| `--sso-provider <provider>` | SSO provider (set to an empty string to remove). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials totp-code <id-or-name>`
+Print the current TOTP code for a credential.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credentials delete <id-or-name>`
+Delete a credential by ID or name.
+
+## Credential providers
+Connect an external secrets manager (e.g. 1Password) so managed auth connections can look up credentials at login time instead of storing them in Kernel.
+
+### `kernel credential-providers create`
+Register a new credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--provider-type <type>` | Provider type (e.g. `onepassword`). |
+| `--name <name>` | Human-readable name for this provider instance. |
+| `--token <token>` | Service account token for the provider. |
+| `--cache-ttl <seconds>` | How long to cache credential lists (default: 300). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers list`
+List credential providers.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credential-providers get <id>`
+Get a credential provider by ID.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers list-items <id>`
+List items available from a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON array. |
+
+### `kernel credential-providers test <id>`
+Test the connection to a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers update <id>`
+Update a credential provider.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | New human-readable name. |
+| `--token <token>` | New service account token (to rotate credentials). |
+| `--cache-ttl <seconds>` | How long to cache credential lists. |
+| `--enabled` | Whether the provider is enabled for credential lookups. |
+| `--priority <n>` | Priority for credential lookups (lower numbers are checked first). |
+| `--output json`, `-o json` | Output raw JSON object. |
+
+### `kernel credential-providers delete <id>`
+Delete a credential provider.
diff --git a/reference/cli/profiles.mdx b/reference/cli/profiles.mdx
deleted file mode 100644
index f750c23..0000000
--- a/reference/cli/profiles.mdx
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: "Profiles"
----
-
-Create, list, retrieve, and delete browser profiles. For more details, see [Profiles](/auth/profiles).
-
-## `kernel profiles list`
-List all browser profiles.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel profiles create`
-Create a new browser profile.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Optional unique name for the profile. |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel profiles get <id-or-name>`
-Get profile details.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel profiles download <id-or-name>`
-Download a profile as a ZIP archive.
-
-| Flag | Description |
-|------|-------------|
-| `--to <path>` | Output zip file path (required). |
-| `--pretty` | Pretty-print JSON to file. |
-
-## `kernel profiles delete <id-or-name>`
-Delete a profile by ID or name.
-
-| Flag | Description |
-|------|-------------|
-| `--yes`, `-y` | Skip confirmation prompt. |
diff --git a/reference/cli/proxies.mdx b/reference/cli/proxies.mdx
deleted file mode 100644
index 6be56c5..0000000
--- a/reference/cli/proxies.mdx
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: "Proxies"
----
-
-Create and manage proxy configurations for routing browser traffic.
-
-## `kernel proxies list`
-List available proxy configurations.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON array. |
-
-## `kernel proxies get <id>`
-Show details for a proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel proxies create`
-Create a new proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--name <name>` | Proxy configuration name. |
-| `--type <type>` | `datacenter`, `isp`, `residential`, `mobile`, or `custom` (required). |
-| `--protocol <protocol>` | Protocol to use (`http` or `https`; default: `https`). |
-| `--country <code>` | ISO 3166 country code or `EU`. |
-| `--city <name>` | City (residential, mobile; requires `--country`). |
-| `--state <code>` | State/region code (residential, mobile). |
-| `--zip <zip>` | ZIP/postal code (residential, mobile). |
-| `--asn <asn>` | Autonomous system number (residential, mobile). |
-| `--os <os>` | Operating system (`windows`, `macos`, `android`; residential). |
-| `--carrier <carrier>` | Mobile carrier (mobile). |
-| `--host <host>` | Proxy host (custom; required). |
-| `--port <port>` | Proxy port (custom; required). |
-| `--username <username>` | Proxy username (custom). |
-| `--password <password>` | Proxy password (custom). |
-| `--bypass-host <hostname>` | Hostname to bypass proxy (repeatable; max 100). |
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel proxies check <id>`
-Run a health check on a proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--output json`, `-o json` | Output raw JSON object. |
-
-## `kernel proxies delete <id>`
-Delete a proxy configuration.
-
-| Flag | Description |
-|------|-------------|
-| `--yes`, `-y` | Skip confirmation. |