diff --git a/README.md b/README.md
index 61b766ea..34f050e5 100644
--- a/README.md
+++ b/README.md
@@ -63,22 +63,28 @@ make build
 
 ## Platform Support
 
-`cr` stores secrets in the OS credential store through the shared
-`cli-common/credstore` library.
+`cr` stores secrets in explicit credential stores through the shared
+`cli-common/credstore` library. A built-in `local-os` store is always available
+for the current user.
 
-| Platform | Default credential backend |
+| Platform | Built-in `local-os` backend |
 |----------|----------------------------|
 | macOS | Keychain |
 | Windows | Credential Manager |
 | Linux | Secret Service |
 
-Supported backend names are `keychain`, `wincred`, `secret-service`, `file`,
-`pass`, and `memory`. Backend selection precedence is:
+Configured stores can also target `1Password` desktop, service account, or
+Connect backends, `pass`, encrypted file storage, or in-memory storage. Configure
+additional stores from interactive `cr init` under **Configure secrets
+storage**. The built-in `local-os` store is read-only configuration and cannot
+be removed.
 
-1. `--backend <name>`
-2. `CODEREVIEW_KEYRING_BACKEND=<name>`
-3. `keyring.backend` in `config.yml`
-4. OS default
+Interactive `cr init` discovers available secrets backends by default so it can
+offer local 1Password account/vault choices and passive backend availability
+checks. Use `cr init --secret-backend-discovery=safe` to skip active inventory
+probes, or `--secret-backend-discovery=off` to skip backend discovery entirely.
+The `CR_SECRET_BACKEND_DISCOVERY` environment variable accepts the same
+`full`, `safe`, and `off` values when the flag is not supplied.
 
 Secrets are never written to `config.yml`. Non-secret config lives in the
 `codereview` config directory resolved by the operating system, and durable
@@ -151,14 +157,12 @@ sequence looks like:
 
 ```bash
 cr --profile work init --non-interactive \
-  --set-default \
   --git-host github.com \
   --git-auth-mode pat \
   --llm-provider anthropic \
   --llm-auth subscription \
   --llm-adapter claude_cli \
-  --llm-reviewer-model-tier medium \
-  --keyring-backend file
+  --llm-reviewer-model-tier medium
 
 cr --profile work config route set \
   --host github.com \
@@ -169,7 +173,8 @@ cr --profile work config agent-source add ~/.config/codereview/agents
 cr --profile work config llm models set medium claude-sonnet-4-6
 cr config retention set --max-age-days 30 --enforcement manual_only
 printf '%s' "$GITHUB_TOKEN" | cr set-credential \
-  --ref codereview/work \
+  --store local-os \
+  --name codereview/work \
   --key git_token \
   --stdin \
   --overwrite
@@ -177,19 +182,12 @@ printf '%s' "$GITHUB_TOKEN" | cr set-credential \
 
 Use `cr config route` for repository routing, `cr config agent-source` for
 trusted source paths, `cr config llm models` for `llm.model_map`, and
-`cr config retention` for durable run-data policy. Use `cr init
---non-interactive --keyring-backend <backend>` to persist a keyring backend,
-`--reset-keyring-backend` to clear it, `--disable-reviewer` to remove separate
-reviewer credentials, `--llm-reviewer-model-tier` or
-`--clear-llm-reviewer-model-tier` for the durable reviewer baseline, and
-`--set-default` to make the target profile the default during init. For
-backward compatibility, init may still persist a runtime `--backend` when the
-command writes credentials or configures API-key LLM auth, but the explicit
-`--keyring-backend` / `--reset-keyring-backend` flags are the readable
-scripted surface to prefer.
+`cr config retention` for durable run-data policy. Use interactive `cr init` to
+configure additional credential stores. Use `--disable-reviewer` to remove
+separate reviewer credentials, `--llm-reviewer-model-tier` or
+`--clear-llm-reviewer-model-tier` for the durable reviewer baseline.
 
 ```yaml
-default_profile: personal
 repository_profiles:
   - profile: personal-reviewer-a
     match:
@@ -218,11 +216,11 @@ profiles:
 
 Route matching is deterministic: `host + namespace + repo` routes beat
 `host + namespace` routes, omitted `repos` means all repos in that namespace,
-and no match falls back to `default_profile`. Host matching is case-insensitive
-after normalization, while namespace and repo matching are case-sensitive after
-trimming whitespace. An explicit `--profile` bypasses repository routing. Route
-targets still use the profile's configured auth mode. Passing `--profile ""`
-also counts as explicit and resolves `default_profile` without route lookup.
+and no match fails with an actionable error asking for `--profile` or a route.
+Host matching is case-insensitive after normalization, while namespace and repo
+matching are case-sensitive after trimming whitespace. An explicit `--profile`
+bypasses repository routing. Route targets still use the profile's configured
+auth mode. Passing `--profile ""` is invalid.
 For GitHub App auth, `cr review` can use the PR owner/repo to look up the app
 installation when `github_app_installation_id` is not staged.
 
@@ -230,17 +228,18 @@ Add or replace one credential later:
 
 ```bash
 printf '%s' "$GITHUB_TOKEN" | cr set-credential \
-  --ref codereview/default \
+  --store local-os \
+  --name codereview/default \
   --key git_token \
   --stdin \
   --overwrite
 ```
 
-Credential refs use the `codereview/<profile>` service/profile form. `cr`
-accepts secrets by `--stdin` or `--from-env` during setup and credential writes;
-it does not read runtime tokens directly from arbitrary environment variables.
-Reviewer credentials use a separate credential ref that also stores key
-`git_token`; keep it distinct from the user Git ref.
+Credential names use the visible `codereview/<name>` form. `cr` accepts secrets
+by `--stdin` or `--from-env` during setup and credential writes; it does not
+read runtime tokens directly from arbitrary environment variables. Reviewer
+credentials use a separate credential name that also stores key `git_token`;
+keep it distinct from the user Git credential in the same store.
 
 ### Org Deployment / MDM
 
@@ -271,27 +270,38 @@ permissions needed by the enabled review workflow:
 Thread resolution uses the pull request review-thread GraphQL surface, so keep
 Pull requests write access when `review_policy.resolve_threads` is enabled.
 
-Either omit `keyring.backend` to use the platform default, or set it
-per-platform and run `set-credential` with the same backend selection.
-
 Example non-secret config template:
 
 ```yaml
-default_profile: work
+secrets:
+  stores:
+    work-1password:
+      display_name: 1Password Work
+      backend:
+        kind: op-desktop
+        onepassword:
+          account_url: signalft.1password.com
+          vault_name: Employee
 profiles:
   work:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/work
+      credential:
+        store: local-os
+        name: codereview/work
     reviewer_credentials:
       auth_mode: github_app
-      credential_ref: codereview/work-reviewer-app
+      credential:
+        store: work-1password
+        name: codereview/work-reviewer-app
     llm:
       provider: anthropic
       auth: api_key
       adapter: anthropic_api
-      credential_ref: codereview/work-llm
+      credential:
+        store: work-1password
+        name: codereview/work-llm
       model_map:
         medium: claude-sonnet-4-6
     agent_sources:
@@ -301,7 +311,7 @@ profiles:
 ```
 
 For adapter-managed LLM credentials, use `auth: subscription` and omit
-`llm.credential_ref`. Codex-backed profiles must set `provider: openai`,
+`llm.credential`. Codex-backed profiles must set `provider: openai`,
 `auth: subscription`, and `adapter: codex_cli` together. Pi-backed profiles
 must set `provider: pi`, `auth: subscription`, and `adapter: pi_rpc` together:
 
@@ -402,32 +412,37 @@ cr --profile work init --non-interactive \
   --llm-credential-ref codereview/work-llm
 
 printf '%s' "$USER_GITHUB_TOKEN" | cr set-credential \
-  --ref codereview/work \
+  --store local-os \
+  --name codereview/work \
   --key git_token \
   --stdin \
   --overwrite
 
 printf '%s' "$GITHUB_APP_ID" | cr set-credential \
-  --ref codereview/work-reviewer-app \
+  --store local-os \
+  --name codereview/work-reviewer-app \
   --key github_app_id \
   --stdin \
   --overwrite
 
 printf '%s' "$GITHUB_APP_PRIVATE_KEY" | cr set-credential \
-  --ref codereview/work-reviewer-app \
+  --store local-os \
+  --name codereview/work-reviewer-app \
   --key github_app_private_key \
   --stdin \
   --overwrite
 
 # Optional: needed for cr me and other commands without repository context.
 printf '%s' "$GITHUB_APP_INSTALLATION_ID" | cr set-credential \
-  --ref codereview/work-reviewer-app \
+  --store local-os \
+  --name codereview/work-reviewer-app \
   --key github_app_installation_id \
   --stdin \
   --overwrite
 
 printf '%s' "$ANTHROPIC_API_KEY" | cr set-credential \
-  --ref codereview/work-llm \
+  --store local-os \
+  --name codereview/work-llm \
   --key anthropic_api_key \
   --stdin \
   --overwrite
@@ -465,15 +480,14 @@ credential backend.
 Run `cr config show` to inspect the active profile and credential status.
 
 ```yaml
-default_profile: default
-keyring:
-  backend: keychain
 profiles:
   default:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/default
+      credential:
+        store: local-os
+        name: codereview/default
     llm:
       provider: anthropic
       auth: subscription
@@ -507,9 +521,8 @@ Supported values:
 | `data.retention.enforcement` | `at_write` applies review-time pruning before each `cr review`; `manual_only` disables review-time pruning and leaves `cr data prune` as the explicit maintenance path. |
 
 `subscription` LLM auth means the adapter owns its own credentials, such as a
-logged-in CLI or local runtime. `api_key` LLM auth requires
-`llm.credential_ref` and stores a provider-specific API key in the credential
-backend.
+logged-in CLI or local runtime. `api_key` LLM auth requires `llm.credential`
+and stores a provider-specific API key in the selected credential store.
 
 Reviewer agents use provider-neutral `model_tier` values as minimum floors. At
 runtime, `cr` combines the profile's `llm.reviewer_model_tier` baseline with
@@ -578,14 +591,14 @@ Credential key matrix:
 
 | Profile field | Purpose | Auth/provider | Required keys | Optional keys | v1 behavior |
 |---------------|---------|---------------|---------------|---------------|-------------|
-| `git.credential_ref` | User Git host auth | `pat` | `git_token` | None | Supported |
-| `reviewer_credentials.credential_ref` | Reviewer Git host auth | `pat` | `git_token` | None | Supported; must use a distinct ref from `git.credential_ref` in the same profile |
-| `git.credential_ref` / `reviewer_credentials.credential_ref` | Git host auth | `github_app` | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Supported for GitHub. `cr review` can discover the installation from the PR repository when the optional installation ID is omitted; commands without repository context require it |
-| `git.credential_ref` / `reviewer_credentials.credential_ref` | Git host auth | `oauth_device` | None | None | Reserved; config recognizes the mode but v1 rejects it and does not accept future keys such as `git_oauth_access_token` or `git_oauth_refresh_token` |
-| `llm.credential_ref` | Anthropic direct API auth | `api_key` + `anthropic` | `anthropic_api_key` | None | Supported |
-| `llm.credential_ref` | OpenAI direct API auth | `api_key` + `openai` | `openai_api_key` | None | Supported |
-| Omitted `llm.credential_ref` | Adapter-managed LLM auth | `subscription` + `anthropic`/`openai`/`pi` | None | None | Supported; credentials are owned by the selected adapter. `openai + codex_cli` is best-effort/beta until Codex exposes an explicit all-tools-disabled flag |
-| `llm.credential_ref` | Pi direct API auth | `api_key` + `pi` | None | None | Unsupported; use adapter-managed `subscription` auth with `pi_rpc` |
+| `git.credential` | User Git host auth | `pat` | `git_token` | None | Supported |
+| `reviewer_credentials.credential` | Reviewer Git host auth | `pat` | `git_token` | None | Supported; must use a distinct credential location from `git.credential` in the same profile |
+| `git.credential` / `reviewer_credentials.credential` | Git host auth | `github_app` | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Supported for GitHub. `cr review` can discover the installation from the PR repository when the optional installation ID is omitted; commands without repository context require it |
+| `git.credential` / `reviewer_credentials.credential` | Git host auth | `oauth_device` | None | None | Reserved; config recognizes the mode but v1 rejects it and does not accept future keys such as `git_oauth_access_token` or `git_oauth_refresh_token` |
+| `llm.credential` | Anthropic direct API auth | `api_key` + `anthropic` | `anthropic_api_key` | None | Supported |
+| `llm.credential` | OpenAI direct API auth | `api_key` + `openai` | `openai_api_key` | None | Supported |
+| Omitted `llm.credential` | Adapter-managed LLM auth | `subscription` + `anthropic`/`openai`/`pi` | None | None | Supported; credentials are owned by the selected adapter. `openai + codex_cli` is best-effort/beta until Codex exposes an explicit all-tools-disabled flag |
+| `llm.credential` | Pi direct API auth | `api_key` + `pi` | None | None | Unsupported; use adapter-managed `subscription` auth with `pi_rpc` |
 
 Upgrade note: pre-matrix versions used the generic `llm_api_key` key for direct
 LLM API credentials. Re-provision API-key LLM refs with `anthropic_api_key` or
@@ -678,8 +691,8 @@ All commands accept the global flags:
 
 | Flag | Semantics |
 |------|-----------|
-| `--profile <name>` | Select a configured profile and bypass repo-aware routing. When omitted, PR-aware commands may use `repository_profiles`, then fall back to `default_profile`; during `init`, empty means `default`. |
-| `--backend <name>` | Select the credential backend for this invocation. One of `keychain`, `wincred`, `secret-service`, `file`, `pass`, `memory`. |
+| `--profile <name>` | Select a configured profile and bypass repo-aware routing. When omitted, PR-aware commands use `repository_profiles`; commands that cannot resolve a route require `--profile`. During `init`, an omitted profile starts with the suggested name `default`. |
+| `--backend <name>` | Compatibility/runtime backend selector. It cannot override an explicit credential store destination. |
 
 ### `cr`
 
@@ -715,19 +728,20 @@ Flags:
 |------|-----------|
 | `--non-interactive` | Required in v1. Run without prompts. |
 | `--git-host <host>` | Git host, default `github.com`. The PR host must match this value. |
-| `--git-credential-ref <ref>` | Credential ref for Git auth. Defaults to `codereview/<profile>`. |
+| `--git-credential-ref <name>` | Credential name for Git auth. Defaults to `codereview/<profile>`. |
 | `--git-token-stdin` | Read the Git token from stdin and write key `git_token`. |
 | `--git-token-from-env <env>` | Read the Git token from an environment variable and write key `git_token`. |
-| `--reviewer-credential-ref <ref>` | Credential ref for reviewer Git auth. Defaults to `codereview/<profile>-reviewer` when reviewer credentials are requested. |
+| `--reviewer-credential-ref <name>` | Credential name for reviewer Git auth. Defaults to `codereview/<profile>-reviewer` when reviewer credentials are requested. |
 | `--reviewer-auth-mode <mode>` | Reviewer Git auth mode, default `pat`. `github_app` writes config and prints follow-up credential commands. |
 | `--reviewer-token-stdin` | Read the reviewer Git token from stdin and write key `git_token`; PAT reviewer auth only. |
 | `--reviewer-token-from-env <env>` | Read the reviewer Git token from an environment variable and write key `git_token`; PAT reviewer auth only. |
 | `--llm-provider <provider>` | LLM provider, default `anthropic`; also selects whether API-key ingress writes `anthropic_api_key` or `openai_api_key`. `pi` is adapter-managed and does not accept API-key ingress. |
-| `--llm-auth <mode>` | LLM auth mode, default `subscription`. Use `api_key` for keyring-managed direct API keys. |
+| `--llm-auth <mode>` | LLM auth mode, default `subscription`. Use `api_key` for credential-store-managed direct API keys. |
 | `--llm-adapter <adapter>` | LLM adapter, default `claude_cli`. |
-| `--llm-credential-ref <ref>` | Credential ref for LLM API-key auth. Defaults to `codereview/<profile>-llm` when `--llm-auth api_key`. |
+| `--llm-credential-ref <name>` | Credential name for LLM API-key auth. Defaults to `codereview/<profile>-llm` when `--llm-auth api_key`. |
 | `--llm-api-key-stdin` | Read the LLM API key from stdin and write `anthropic_api_key` or `openai_api_key` according to `--llm-provider`. |
 | `--llm-api-key-from-env <env>` | Read the LLM API key from an environment variable and write `anthropic_api_key` or `openai_api_key` according to `--llm-provider`. |
+| `--secret-backend-discovery <mode>` | Interactive secrets-backend discovery mode: `full` runs active inventory probes such as 1Password account/vault lookup, `safe` uses only passive availability checks, and `off` skips backend discovery. Defaults to `full`; `CR_SECRET_BACKEND_DISCOVERY` can set the same value when the flag is omitted. |
 | `--agent-source <path>` | Add a trusted agent source directory. Repeatable. |
 | `--major-event <policy>` | `comment` or `request_changes`. Controls review event for major findings. |
 | `--allow-self-approve` | Store profile policy allowing self approval. Live review can still require `--allow-self-approve` depending on invocation. |
@@ -737,7 +751,7 @@ Flags:
 | `--replace-profile` | Replace an existing profile config. |
 
 Only one stdin secret ingress flag may be used at a time. PAT reviewer
-credentials use key `git_token` under their own credential ref, so
+credentials use key `git_token` under their own credential name, so
 `--reviewer-credential-ref` must differ from `--git-credential-ref`. GitHub App
 reviewer credentials use `github_app_id` and `github_app_private_key`, plus
 optional `github_app_installation_id`; `init` does not accept reviewer token
@@ -749,25 +763,26 @@ ingress flag. `--allow-self-review` is intentionally runtime-only on
 ### `cr set-credential`
 
 ```text
-cr set-credential --ref <ref> --key <key> (--stdin | --from-env <env>) [flags]
+cr set-credential --store <id> --name <credential-name> --key <key> (--stdin | --from-env <env>) [flags]
 ```
 
-Writes one secret value to the credential store. Globally allowed keys are
+Writes one secret value to the selected credential store. Globally allowed keys are
 `git_token`, `github_app_id`, `github_app_private_key`,
 `github_app_installation_id`, `anthropic_api_key`, and `openai_api_key`. When
-`config.yml` declares the target ref, `set-credential` narrows that global
-allowlist to the exact key set expected for that ref. PAT user Git refs and PAT
-reviewer refs use `git_token`; GitHub App refs use `github_app_id`,
+`config.yml` declares the target credential location, `set-credential` narrows
+that global allowlist to the exact key set expected for that credential. PAT
+user Git credentials and PAT reviewer credentials use `git_token`; GitHub App credentials use `github_app_id`,
 `github_app_private_key`, and optional `github_app_installation_id`; Anthropic
-LLM API-key refs use `anthropic_api_key`; OpenAI LLM API-key refs use
+LLM API-key credentials use `anthropic_api_key`; OpenAI LLM API-key credentials use
 `openai_api_key`.
 
 Flags:
 
 | Flag | Semantics |
 |------|-----------|
-| `--ref <ref>` | Required credential ref, such as `codereview/default`. |
-| `--key <key>` | Required key name. Git refs accept the keys described in the credential key matrix; LLM API-key refs accept `anthropic_api_key` or `openai_api_key`. |
+| `--store <id>` | Required credential store id, such as `local-os` or a configured store. |
+| `--name <credential-name>` | Required credential name, such as `codereview/default`. |
+| `--key <key>` | Required key name. Git credentials accept the keys described in the credential key matrix; LLM API-key credentials accept `anthropic_api_key` or `openai_api_key`. |
 | `--stdin` | Read the secret from stdin. |
 | `--from-env <env>` | Read the secret from an environment variable. |
 | `--overwrite` | Replace an existing key. Without it, existing keys are not overwritten. |
@@ -782,9 +797,9 @@ cr config show [--json]
 ```
 
 Shows the resolved active profile, selected credential backend and source,
-credential refs, non-secret profile config, review policy, and data retention.
-For each declared credential ref, it reports whether expected keys are present
-and labels optional keys as optional.
+credential locations, non-secret profile config, review policy, and data
+retention. For each declared credential location, it reports whether expected
+keys are present and labels optional keys as optional.
 For each configured agent source, it reports deployment-material status,
 canonical path, warnings, and SHA-256 fingerprint prefix without inlining agent
 definition contents.
@@ -863,15 +878,13 @@ Flags:
 | Flag | Semantics |
 |------|-----------|
 | `--all` | Also remove the active profile from `config.yml` and clear the disposable cache root. Inactive profiles and durable data are not touched. |
-| `--dry-run` | Report the credential refs, config profile reset, and cache cleanup that would happen without deleting credentials, config, cache, or data. |
+| `--dry-run` | Report the credential locations, config profile reset, and cache cleanup that would happen without deleting credentials, config, cache, or data. |
 | `--json` | Emit a JSON result. |
 
 Without `--all`, this removes secret keyring entries only and leaves
 `config.yml` intact. With `--all`, `--profile <name>` selects the profile to
-reset; otherwise the default profile is reset. If other profiles remain after a
-profile reset, the default profile is updated deterministically to the first
-remaining profile name when needed. If the last profile is reset, `config.yml`
-is removed.
+reset; without a selected profile, the command fails. If the last profile is
+reset, `config.yml` is removed.
 
 `config clear` never touches durable review data. Use `cr data purge` for the
 data pillar.
@@ -1194,7 +1207,7 @@ The HTTP cache is under the OS cache directory for the `cr` binary.
 Releases before this state-layout alignment wrote data/cache below a nested
 `codereview` child inside the `cr` root. Commands that write review state
 migrate those legacy entries into the `cr` root without changing config or
-credential refs.
+credential locations.
 
 ### Posting, Markers, And Idempotency
 
diff --git a/cmd/cr/main_test.go b/cmd/cr/main_test.go
index b9f8284d..6e186d29 100644
--- a/cmd/cr/main_test.go
+++ b/cmd/cr/main_test.go
@@ -77,7 +77,7 @@ func TestRunConfigShowJSON(t *testing.T) {
 	}
 
 	var stdout, stderr bytes.Buffer
-	code := run([]string{"config", "show", "--json"}, strings.NewReader(""), &stdout, &stderr)
+	code := run([]string{"--profile", "home", "config", "show", "--json"}, strings.NewReader(""), &stdout, &stderr)
 	if code != 0 {
 		t.Fatalf("run exit code = %d, want 0; stderr = %q", code, stderr.String())
 	}
@@ -144,6 +144,13 @@ cases:
 func TestRunCredentialCommandsDoNotLeakSecrets(t *testing.T) {
 	statedirtest.Hermetic(t)
 	t.Setenv("CODEREVIEW_KEYRING_PASSPHRASE", "test-passphrase")
+	path, err := config.Path()
+	if err != nil {
+		t.Fatalf("config Path: %v", err)
+	}
+	if err := config.Save(path, mainCredentialCommandTestConfig()); err != nil {
+		t.Fatalf("config Save: %v", err)
+	}
 	const (
 		firstSecret  = "distinctive-secret-one"
 		secondSecret = "distinctive-secret-two"
@@ -158,25 +165,26 @@ func TestRunCredentialCommandsDoNotLeakSecrets(t *testing.T) {
 		wantCode int
 	}{
 		{
-			name: "init",
+			name: "set initial credential",
 			args: []string{
-				"--backend", "file",
-				"init",
-				"--non-interactive",
-				"--git-token-from-env", "CR_TOKEN_ONE",
+				"set-credential",
+				"--store", "test-file",
+				"--name", "codereview/default",
+				"--key", "git_token",
+				"--from-env", "CR_TOKEN_ONE",
 			},
 		},
 		{
 			name:     "config show",
-			args:     []string{"--backend", "file", "config", "show", "--json"},
+			args:     []string{"--profile", "default", "config", "show", "--json"},
 			wantCode: 0,
 		},
 		{
 			name: "existing credential failure",
 			args: []string{
-				"--backend", "file",
 				"set-credential",
-				"--ref", "codereview/default",
+				"--store", "test-file",
+				"--name", "codereview/default",
 				"--key", "git_token",
 				"--from-env", "CR_TOKEN_TWO",
 			},
@@ -185,9 +193,9 @@ func TestRunCredentialCommandsDoNotLeakSecrets(t *testing.T) {
 		{
 			name: "set overwrite",
 			args: []string{
-				"--backend", "file",
 				"set-credential",
-				"--ref", "codereview/default",
+				"--store", "test-file",
+				"--name", "codereview/default",
 				"--key", "git_token",
 				"--from-env", "CR_TOKEN_TWO",
 				"--overwrite",
@@ -196,7 +204,7 @@ func TestRunCredentialCommandsDoNotLeakSecrets(t *testing.T) {
 		},
 		{
 			name:     "config clear",
-			args:     []string{"--backend", "file", "config", "clear", "--json"},
+			args:     []string{"--profile", "default", "config", "clear", "--json"},
 			wantCode: 0,
 		},
 	}
@@ -216,14 +224,15 @@ func TestRunCredentialCommandsDoNotLeakSecrets(t *testing.T) {
 
 func mainTestConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
-					Host:          "github.com",
-					AuthMode:      config.GitAuthModePAT,
-					CredentialRef: "codereview/home",
+					Host:     "github.com",
+					AuthMode: config.GitAuthModePAT,
+					Credential: config.CredentialLocation{
+						Store: config.LocalOSCredentialStoreID,
+						Name:  "codereview/home",
+					},
 				},
 				LLM: config.LLMConfig{
 					Provider: config.LLMProviderAnthropic,
@@ -236,6 +245,24 @@ func mainTestConfig() config.File {
 	}
 }
 
+func mainCredentialCommandTestConfig() config.File {
+	cfg := mainTestConfig()
+	cfg.Secrets = config.SecretsConfig{
+		Stores: map[string]config.SecretsStore{
+			"test-file": {
+				DisplayName: "Test file store",
+				Backend: config.SecretsStoreBackend{
+					Kind: config.SecretsBackendKind("file"),
+				},
+			},
+		},
+	}
+	profile := cfg.Profiles["home"]
+	profile.Git.Credential = config.CredentialLocation{Store: "test-file", Name: "codereview/default"}
+	cfg.Profiles = map[string]config.Profile{"default": profile}
+	return cfg
+}
+
 func assertNoSecretLeak(t *testing.T, output string, secrets ...string) {
 	t.Helper()
 	for _, secret := range secrets {
diff --git a/docs/config-command-surface-design.md b/docs/config-command-surface-design.md
index 77c7f93a..650288b7 100644
--- a/docs/config-command-surface-design.md
+++ b/docs/config-command-surface-design.md
@@ -11,11 +11,11 @@ bootstrap, secret ingress, or the full long-term profile management API.
 
 This document is the semantic parent for:
 
-- `#167`: `cr config path` and default-profile commands
+- `#167`: `cr config path`
 - `#166`: `cr config route` management commands
 - `#169`: `cr config resolve-profile` route preview
 - `#168`: `cr config agent-source` management commands
-- `#294`: `cr config secrets-profile` management commands
+- `#294`: `cr config credential-store` inspection commands
 
 Related but out of scope for this batch:
 
@@ -49,10 +49,10 @@ The codebase already supports:
 - GitHub App reviewer auth
 
 The missing piece is command coverage. Today `cr config` exposes `show`,
-`clear`, and `llm models`, but path/default/route/route-preview/agent-source
-operations still require manual YAML edits. Named secrets-management profiles
-also need a non-interactive command surface, but that surface must remain
-config-only until the later secrets-profile resolver/selection tickets land.
+`clear`, and `llm models`, but path/route/route-preview/agent-source
+operations still require manual YAML edits. Credential-store inspection is
+available through `cr config credential-store`; creating, editing, and deleting
+configured stores belongs to the interactive `cr init` secrets-storage flow.
 
 ## Shared Command Rules
 
@@ -63,7 +63,7 @@ These rules apply across the batch unless a ticket explicitly narrows them.
 - Commands that operate on a profile should use the existing global
   `--profile <name>` flag.
 - When a command is not repository-aware, `--profile` selects the target
-  profile and otherwise falls back to `default_profile`.
+  profile; commands that need a profile must fail if none is selected.
 - Commands introduced in this batch must not invent a second profile-selection
   mechanism.
 
@@ -103,13 +103,11 @@ These rules apply across the batch unless a ticket explicitly narrows them.
 
 ## Ticket Ownership Matrix
 
-### `#167`: path and default profile
+### `#167`: path
 
 Owns:
 
 - `cr config path [--json]`
-- `cr config default get [--json]`
-- `cr config default set <profile>`
 
 Must not own:
 
@@ -120,8 +118,6 @@ Must not own:
 
 Required semantics:
 
-- `default set` changes only `default_profile`
-- `default set` validates that the target profile exists
 - path inspection reports resolved config location only; broader state-path
   expansion is optional follow-up work, not required by this ticket
 
@@ -137,7 +133,6 @@ Must not own:
 
 - route preview output beyond what is needed for route list/mutation
 - runtime route-resolution redesign
-- default-profile mutation
 
 Required semantics:
 
@@ -189,8 +184,7 @@ Must not own:
 Required semantics:
 
 - reuse the same repository-resolution path already used by runtime commands
-- report whether resolution came from explicit `--profile`, matched route, or
-  fallback to `default_profile`
+- report whether resolution came from explicit `--profile` or a matched route
 - remain a local preview command, not an execution path
 - if the existing runtime resolution path does not expose enough metadata for
   preview output, `#169` may add a shared resolution-result wrapper/helper that
@@ -237,40 +231,30 @@ Path normalization contract:
 This keeps mutation semantics deterministic and local-string-based rather than
 filesystem-state-based.
 
-### `#294`: secrets-management profile mutation
+### `#294`: credential-store inspection
 
 Owns:
 
-- `cr config secrets-profile list [--json]`
-- `cr config secrets-profile get <id> [--json]`
-- `cr config secrets-profile set <id> [--backend <kind>] [--label <text>] [--clear-label] [--op-timeout <duration>] [--op-vault-id <id>] [--op-item-title-prefix <text>] [--op-item-tag <text>] [--op-item-field-title <text>] [--op-connect-host <url>] [--op-connect-token-env <name>] [--op-service-token-env <name>] [--op-desktop-account-id <id>]`
-- `cr config secrets-profile default get [--json]`
-- `cr config secrets-profile default set <id>`
-- `cr config secrets-profile default unset`
-- `cr config secrets-profile remove <id>`
+- `cr config credential-store list [--json]`
+- `cr config credential-store get <id> [--json]`
 
 Must not own:
 
 - secret ingress or secret-value printing
-- runtime credential routing away from legacy `keyring.backend`
-- review-profile references to secrets-management profiles before the later selection tickets
+- creating, editing, deleting, or selecting credential stores for a write
+- any user-facing credential-store default
 
 Required semantics:
 
-- `list` and `default get` report the effective secrets-profile inventory/default, including the projected `legacy-default` compatibility entry when no explicit profiles exist
-- `default set` and `default unset` mutate only `config.secrets.default_profile`
-- `default set` rejects `legacy-default` because it is reserved/projected, not configured state
-- `set` is patch-style:
-  - create requires `--backend`
-  - update preserves omitted fields
-  - `--clear-label` explicitly clears the label
-  - `--label` plus `--clear-label` is a usage error
-  - whitespace-only `--label` is rejected
-  - update requires at least one mutation flag
-  - `--backend op`, `--backend op-connect`, and `--backend op-desktop` also require `--op-vault-id`; `op-connect` additionally requires `--op-connect-host`
-- `remove` is idempotent for already-absent configured profiles, but rejects `legacy-default` and blocks removing the configured default profile until it is unset or moved
+- `list` reports the effective credential-store inventory, including the
+  read-only built-in `local-os` store
+- `get` reports one effective credential store by id
+- configured stores are listed after `local-os` in stable order
+- `local-os` is projected and is never persisted under `secrets.stores`
+- JSON output must not include an `is_default` field for credential stores
 - backend validation must reuse shared credstore metadata rather than duplicating backend-name knowledge in command code
-- this ticket is config-only: mixed configs with both `keyring.backend` and `secrets.*` keep legacy runtime backend behavior until the later resolver ticket changes credential selection
+- old `config secrets-profile ...` subcommands are rejected instead of acting as
+  compatibility aliases
 
 ## `init` Boundary
 
@@ -300,7 +284,7 @@ The likely future design questions remain:
 
 - whether profile mutation should be patch-like or declarative replacement
 - whether field-specific subcommands and `profile set` should coexist
-- how profile mutation should interact with credential refs and route safety
+- how profile mutation should interact with credential locations and route safety
 
 Those questions belong to later work after the current true-up lands.
 
diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index 7bb578d3..12416ae3 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -41,40 +41,30 @@ intentionally unsupported.
 
 | Path | Interactive handling | Scripted owner | Defaults and second-run prepopulation | Mutation semantics | Helper/command owner and expected tests |
 |------|----------------------|----------------|---------------------------------------|--------------------|-----------------------------------------|
-| config.default_profile | Core profile wizard lets the user preserve, set to the selected profile, or choose another existing profile. | Existing `cr config default set`; `cr init --set-default` owns the scripted "make this profile default" case during init. | First init sets the created profile as default. Existing value is pre-populated and preserved by default. | Overwrite only to an existing profile. Profile rename updates this field when it points at the renamed profile. | #177 shared profile rename/default helper. #180 tests create, preserve, set, and rename updates. |
-| config.keyring.backend | Configure secrets management now keeps `keyring.backend` only as an explicit legacy-compatibility row inside the secrets-management workflow. | `cr init --keyring-backend` and `--reset-keyring-backend` remain the scripted durable surface. Existing global `--backend` stays runtime-only and still conflicts with persisted defaults. | Empty means backend auto/env selection. Existing value is pre-populated in the legacy compatibility editor. | Preserve by leaving the compatibility row unchanged. Overwrite validates through credential backend parsing. Clearing the selection resets the field to auto/env behavior. Persistent `op`, `op-connect`, and `op-desktop` values remain rejected here; 1Password must be configured through a named secrets-management profile instead. | Existing keyring validation plus #184/#187 tests cover set, reset, backend conflict, legacy runtime persistence, and unrelated config preservation. #297 adds the interactive legacy-compatibility row. |
-| config.secrets.default_profile | Secrets-management workflow can stage or clear the configured default named secrets-management profile while creating or editing a profile. | `cr config secrets-profile default get/set/unset`. Not owned by legacy `keyring.backend`. | Empty means there is no configured default named secrets-management profile. Legacy configs instead project a read-only `legacy-default` compatibility profile in presentation/helpers. Existing default state is pre-populated in the editor. | Overwrite only to an existing named secrets-management profile id. `legacy-default` is reserved/projected and cannot be set. Global runtime `--backend` still conflicts with a configured named default during the current init invocation. | #293 establishes schema, validation, and compatibility projection. #294 adds scripted default get/set/unset. #297 adds interactive staging. |
-| config.secrets.profiles.<name>.label | Secrets-management workflow can create and edit human-friendly secrets-management profile labels directly. | `cr config secrets-profile set --label/--clear-label`. | Optional. Existing values are pre-populated. New profiles start from a backend-derived default label so the UI never opens on a blank unknown item. | Preserve on skip. Overwrite trims whitespace. Must remain a single line. Duplicate labels are allowed; stable ids remain authoritative and are deconflicted separately for new profiles by slugging the chosen label and appending `-2`, `-3`, and so on when needed. | #293 establishes schema/validation plus safe display summaries. #294 adds scripted create/update/clear-label behavior. #297 adds flat interactive editing. |
-| config.secrets.profiles.<name>.backend.kind | Secrets-management workflow can create a named profile for any surfaced backend and edit an existing profile's durable backend choice inline. | `cr config secrets-profile set --backend`. | Required for an explicit named secrets-management profile. Existing values are pre-populated. Legacy configs with no explicit `secrets.profiles` continue to project `legacy-default` from `keyring.backend` or auto/env resolution without persisting a synthetic entry. | Preserve on skip. Overwrite validates against recognized credential-store backend names. Backend-specific 1Password metadata is edited in the same flat workflow and cleared automatically when switching away from 1Password. | #293 establishes schema/validation, projected legacy inventory, and config-show summaries. #294 adds scripted create/update/remove/default management. #297 adds interactive inventory and flat editing. |
-| config.secrets.profiles.<name>.backend.onepassword.timeout | Secrets-management workflow edits the non-secret 1Password timeout inline whenever the selected backend kind needs it. | `cr config secrets-profile set --op-timeout`. | Empty input normalizes to the current service-account/desktop default timeout when that backend family requires one. Existing value is pre-populated. | Preserve on skip. Overwrite validates as a Go duration string. Switching away from 1Password clears the field from config. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.vault_id | Secrets-management workflow edits the non-secret 1Password vault selection inline. | `cr config secrets-profile set --op-vault-id`. | Required for `op`, `op-connect`, and `op-desktop`. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Switching away from 1Password clears the field from config. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.item_title_prefix | Secrets-management workflow edits the optional 1Password item naming override inline. | `cr config secrets-profile set --op-item-title-prefix`. | Empty means use the underlying keyring library default. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Switching away from 1Password clears the field from config. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.item_tag | Secrets-management workflow edits the optional 1Password item tag override inline. | `cr config secrets-profile set --op-item-tag`. | Empty means use the underlying keyring library default. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Switching away from 1Password clears the field from config. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.item_field_title | Secrets-management workflow edits the optional 1Password item-field title override inline. | `cr config secrets-profile set --op-item-field-title`. | Empty means use the underlying keyring library default. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Switching away from 1Password clears the field from config. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.connect_host | Secrets-management workflow edits the non-secret 1Password Connect endpoint inline when `op-connect` is selected. | `cr config secrets-profile set --op-connect-host`. | Required for `op-connect`. Ignored for other backend kinds. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Backend switches clear it when no longer relevant. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.connect_token_env | Secrets-management workflow edits the non-secret env-var name for the 1Password Connect token inline when `op-connect` is selected. | `cr config secrets-profile set --op-connect-token-env`. | Defaults to `OP_CONNECT_TOKEN` for `op-connect`. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Backend switches clear it when no longer relevant. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.service_token_env | Secrets-management workflow edits the non-secret env-var name for the 1Password service-account token inline when `op` is selected. | `cr config secrets-profile set --op-service-token-env`. | Defaults to `OP_SERVICE_ACCOUNT_TOKEN` for `op`. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Backend switches clear it when no longer relevant. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.secrets.profiles.<name>.backend.onepassword.desktop_account_id | Secrets-management workflow edits the optional explicit 1Password desktop account id inline when `op-desktop` is selected. | `cr config secrets-profile set --op-desktop-account-id`. | Optional for `op-desktop`; empty means the runtime may fall back to `OP_DESKTOP_ACCOUNT_ID`. Existing value is pre-populated. | Preserve on skip. Overwrite trims whitespace. Backend switches clear it when no longer relevant. | #296 adds schema, validation, runtime mapping, and command coverage. #297 adds interactive editing. |
-| config.profiles.<name>.secrets_profile | Review-profile editing now exposes a selection-only `Secrets management` field that chooses an existing named secrets-management profile or clears back to the built-in/default runtime path. It must not configure new backends inline. | Manual YAML plus the interactive selector. Still not owned by legacy `keyring.backend`. | Empty means the review profile follows legacy/default runtime resolution: use `secrets.default_profile` when configured, otherwise fall back to legacy `keyring.backend`/env/auto behavior. Existing explicit values are pre-populated when valid. Missing/deleted refs are surfaced as repairable recovery selections during interactive init. | Overwrite only to an existing named secrets-management profile id. `legacy-default` is reserved/projected and must not be persisted directly. Clearing the field restores legacy/default runtime resolution rather than forcing a named profile. Interactive init may temporarily open configs with `ErrSecretsProfileNotFound` so the user can repair the dangling ref, but final validation/save still rejects unresolved missing refs. | #295 introduces the schema plus runtime credential routing through this field. #298 adds the user-facing selector and missing-reference recovery UX. |
-| config.repository_profiles[] | Route editor opens directly with existing namespace and repo routes prefilled so the user can edit them in place or blank the field to remove all routes for the profile. | Existing `cr config route set` and `cr config route unset`; #186 documents route commands. #187 must not add a nested multi-route init grammar. | Empty or omitted means default-profile fallback. Existing routes are prefilled on later runs. | Leaving the prefilled text unchanged preserves routes. Mutations must converge through shared route helpers and preserve unrelated routes. Blanking the field removes the profile's routes. | #177 extracts route helpers. #185 tests list/edit/remove, route canonicalization, and preservation. |
+| config.secrets.stores | Configure secrets storage creates and edits user-configured credential stores. The built-in OS credential store is projected as `local-os` and is not persisted here. | Interactive main-menu secrets-storage flow only. Scripted credential writes choose an existing store explicitly. | Omitted means only the built-in OS credential store is available. Existing stores are pre-populated in the inventory. | Store ids must not be `local-os`. Store metadata is non-secret. Creating, editing, and deleting configured stores never deletes credential values. | #356 establishes explicit stores and removes ambient/default credential-store selection. |
+| config.llm_runtimes | Configure LLM runtimes creates and edits reusable runtime definitions independently from review profiles. Profiles select one configured runtime when composing a reviewer. | Interactive main-menu LLM runtime flow only for now. Future config commands may own scripted runtime CRUD. | Omitted means no reusable runtimes are configured yet. The profile editor can send the user to the runtime flow when no runtime exists. Existing runtimes are pre-populated in the inventory. | Runtime names are stable ids. Subscription runtimes store only non-secret provider/auth/adapter settings. API-key runtimes store an explicit credential location and never the secret value. Deleting a runtime requires affected profiles to select a replacement or be edited. | #356 makes runtime setup standalone and keeps profile composition explicit. |
+| config.repository_profiles[] | Route editor opens directly with existing namespace and repo routes prefilled so the user can edit them in place or blank the field to remove all routes for the profile. | Existing `cr config route set` and `cr config route unset`; #186 documents route commands. #187 must not add a nested multi-route init grammar. | Empty or omitted means no automatic repository profile selection; runtime commands require `--profile` until a matching route is configured. Existing routes are prefilled on later runs. | Leaving the prefilled text unchanged preserves routes. Mutations must converge through shared route helpers and preserve unrelated routes. Blanking the field removes the profile's routes. | #177 extracts route helpers. #185 tests list/edit/remove, route canonicalization, and preservation. |
 | config.repository_profiles[].profile | Route wizard selects the profile that a route resolves to. | Existing `cr config route set --profile <name> ...`. | No default inside an entry; required when a route exists. Existing profile is pre-populated. | Overwrite only to an existing profile. Profile rename updates matching route entries. | #177 profile rename/route reference helper. #185 tests rename updates and invalid profile rejection. |
 | config.repository_profiles[].match.host | Route wizard derives from selected profile host or pasted PR URL. | Existing `cr config route set --host`. | Required for a route. Existing host is pre-populated and normalized. | Must match the target profile's `git.host`. Host edits on a profile with routes are blocked or reconciled by #185. | #177 route helper, #185 PR URL derivation and host/profile validation tests. |
 | config.repository_profiles[].match.namespace | Route wizard asks for owner/org or derives from PR URL. | Existing `cr config route set --namespace`. | Required for a route. Existing namespace is pre-populated. | Overwrite validates non-empty and preserves repo-vs-namespace route identity. | #177 route helper. #185 namespace route tests. |
 | config.repository_profiles[].match.repos[] | Route wizard supports namespace-wide route when omitted or repo-specific routes when provided. | Existing repeatable `cr config route set --repo` and `cr config route unset --repo`. | Omitted means namespace-wide route. Existing repos are pre-populated in deterministic order. | Preserve on skip. Add/edit/remove dedupes and sorts via shared route helper. Clear repos converts only when the user explicitly chooses namespace-wide routing. | #177 route helper. #185 repo route and namespace conversion tests. |
-| config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | Empty global `--profile` means `default` during current init. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential refs by default, updates default_profile and routes, and does not delete old keyring entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
+| config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | When `cr init` starts without a global `--profile`, it suggests `default` as the new profile name. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
 | config.profiles.<name>.git.host | Core profile wizard edits Git host. | Existing `cr init --git-host`; existing route commands own route-safe scripted changes. | Current init defaults to `github.com`. Existing value is pre-populated. | Set validates non-empty normalized host. If routes reference the profile and reconciliation is not selected, block or defer the edit. | #180 blocks/defer route-unsafe host edits. #185 implements reconciliation tests. |
 | config.profiles.<name>.git.auth_mode | Core profile wizard chooses `pat` or `github_app`; `oauth_device` remains reserved. | `cr init --git-auth-mode`, parallel to existing reviewer auth mode. Current init otherwise defaults user Git auth to PAT. | Existing value is pre-populated. New profile defaults to `pat`. | Overwrite only to supported v1 modes. Switching auth modes re-plans credential keys but does not delete old secrets. | #179 credential-ref/key-spec planner. #180 auth-mode prompt tests. |
-| config.profiles.<name>.git.credential_ref | Credential-ref planner chooses ref for user Git auth before any secret ingress. | Existing `cr init --git-credential-ref`; `cr set-credential` writes secrets. | New profile defaults to `codereview/<profile>`. Existing ref is pre-populated and preserved by default. | Flattened interactive init shows the effective Git storage label inline. Leaving that field at the effective default means "follow the selected Git scope's default label" across later scope changes; entering a different value makes it a preserved custom override. Clear is invalid because Git credentials are required. | #179 planner tests default/custom refs and required state. #181 secret ingress tests. |
+| config.profiles.<name>.git.credential.store | User Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New profiles start with `local-os` selected. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
+| config.profiles.<name>.git.credential.name | User Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New profile defaults to `codereview/<profile>`. Existing name is pre-populated and preserved by default. | Must use the `codereview/<profile>` credential grammar. It must differ from other credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
 | config.profiles.<name>.git.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New profiles omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. Profile rename does not rewrite cache contents. | Preserve-only regression in #177/#180. |
-| config.profiles.<name>.reviewer_credentials | Optional reviewer credential section. Wizard supports skip, preserve, enable, edit, or clear reviewer config. | Existing `cr init --reviewer-credential-ref` and `--reviewer-auth-mode` own enable/edit. `cr init --disable-reviewer` owns scripted removal. | Omitted means posting uses Git credentials. Existing section is pre-populated. | Clear removes the whole section. Enable requires auth mode and credential ref. Ref must differ from Git and LLM refs. | #179 planner and #180 optional section tests. #181 secret ingress tests. |
+| config.profiles.<name>.reviewer_credentials | Optional reviewer credential section. Wizard supports skip, preserve, enable, edit, or clear reviewer config. | Existing `cr init --reviewer-credential-ref` and `--reviewer-auth-mode` own enable/edit. `cr init --disable-reviewer` owns scripted removal. | Omitted means posting uses Git credentials. Existing section is pre-populated. | Clear removes the whole section. Enable requires auth mode and credential location. The store/name pair must differ from Git and LLM credential locations. | #179 planner and #180 optional section tests. #181 secret ingress tests. |
 | config.profiles.<name>.reviewer_credentials.auth_mode | Reviewer wizard chooses PAT or GitHub App; `oauth_device` remains reserved. | Existing `cr init --reviewer-auth-mode`. | Current init defaults reviewer mode to `pat` when reviewer credentials are requested. Existing value is pre-populated. | Overwrite only to supported v1 modes. Switching modes re-plans key specs and preserves old secrets unless explicit overwrite/migration occurs. | #179 credential bundle tests for PAT and GitHub App. |
-| config.profiles.<name>.reviewer_credentials.credential_ref | Credential-ref planner chooses reviewer Git ref. | Existing `cr init --reviewer-credential-ref`; `cr set-credential` writes secrets. | New reviewer section defaults to `codereview/<profile>-reviewer`, or `codereview/<label>-reviewer` when the user types a new reviewer entity label. Existing ref is pre-populated and preserved. | Flattened interactive init shows the effective reviewer storage label only when a separate reviewer entity is active. Label-derived defaults apply only while creating a new reviewer and before the user manually edits the storage label. Editing an existing reviewer label never migrates the credential ref. Switching back to posting with the profile Git account clears the reviewer ref from config. | #179 planner tests collision handling. #181 secret ingress tests. |
+| config.profiles.<name>.reviewer_credentials.credential.store | Reviewer Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New reviewer credentials start with `local-os` selected unless the user chooses another configured store. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
+| config.profiles.<name>.reviewer_credentials.credential.name | Reviewer Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New reviewer section defaults to `codereview/<profile>-reviewer`, or `codereview/<label>-reviewer` when the user types a new reviewer entity label. Existing name is pre-populated and preserved. | Must use the `codereview/<profile>` credential grammar. It must differ from Git and LLM credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
 | config.profiles.<name>.reviewer_credentials.display_name | Reviewer wizard lets the user set or clear a human-friendly label for a separate reviewer entity. | Interactive `cr init` only for now. No dedicated scripted owner yet. | Empty means chooser labels fall back to deterministic credential-ref/profile-derived text. Existing value is pre-populated. | Preserve on skip. Overwrite trims surrounding whitespace. Clear is valid and returns the entity to fallback labeling. Conflicting labels across profiles that share one reviewer identity do not create duplicate identities; the shared chooser entry falls back to deterministic identity text until one label wins. | #244 tests round-trip, validation, shared-identity conflict fallback, and chooser labeling. |
 | config.profiles.<name>.reviewer_credentials.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New reviewer sections omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. | Preserve-only regression in #177/#180. |
 | config.profiles.<name>.llm.provider | Core profile wizard chooses provider. | Existing `cr init --llm-provider`. | Current init defaults to `anthropic`. Existing value is pre-populated. | Overwrite validates provider and may require compatible auth/adapter/key specs. | #179 provider credential planning. #180 provider/auth/adapter compatibility tests. |
-| config.profiles.<name>.llm.auth | Core profile wizard chooses subscription or API key auth. | Existing `cr init --llm-auth`. | Current init defaults to `subscription`. Existing value is pre-populated. | Subscription requires empty `llm.credential_ref`; API key requires a provider-supported ref and secret plan. | #179 planner tests subscription/API-key transitions. #181 ingress tests. |
+| config.profiles.<name>.llm.auth | Core profile wizard chooses subscription or API key auth. | Existing `cr init --llm-auth`. | Current init defaults to `subscription`. Existing value is pre-populated. | Subscription requires empty `llm.credential`; API key requires a provider-supported credential location and secret plan. | #179 planner tests subscription/API-key transitions. #181 ingress tests. |
 | config.profiles.<name>.llm.adapter | Core profile wizard chooses compatible adapter. | Existing `cr init --llm-adapter`. | Current init defaults to `claude_cli`. Existing value is pre-populated. | Overwrite validates provider/auth compatibility, including `openai+codex_cli+subscription` and `pi+pi_rpc+subscription`. | #180 compatibility tests. |
-| config.profiles.<name>.llm.credential_ref | Credential-ref planner chooses LLM API-key ref when required. | Existing `cr init --llm-credential-ref`; `cr set-credential` writes secrets. | Omitted for subscription auth. API-key auth defaults to `codereview/<profile>-llm`. Existing ref is pre-populated. | Flattened interactive init shows the effective LLM storage label only for API-key runtimes. Leaving the field at its effective default means "follow the selected runtime's default API-key label" across later runtime changes; entering a different value makes it a preserved custom override. Switching back to subscription clears the LLM ref from config. Ref must differ from Git/reviewer refs. | #179 planner tests. #181 API-key ingress/no-leak tests. |
+| config.profiles.<name>.llm.credential.store | LLM API-key auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | Omitted for subscription auth. API-key auth starts with `local-os` selected unless the user chooses another configured store. Existing store id is pre-populated. | Must be empty for subscription auth. Must be `local-os` or a configured store id for API-key auth. Store setup is not available inline from this flow. | #356 explicit destination tests. |
+| config.profiles.<name>.llm.credential.name | LLM API-key auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | Omitted for subscription auth. API-key auth defaults to `codereview/<profile>-llm`. Existing name is pre-populated. | Must be empty for subscription auth. Must use the `codereview/<profile>` credential grammar for API-key auth. It must differ from Git/reviewer credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
 | config.profiles.<name>.llm.model_map | Model-tier mapping editor opens directly with the effective tier mappings for the selected runtime. Built-in mappings are shown in-place, configured overrides are shown in-place, and unmapped tiers stay visibly empty. | Existing `cr config llm models set/unset/reset`; #186 documents this scripted sequence. #187 must not add model-map init flags. | Omitted uses provider/adapter built-ins. Existing overrides are merged into the visible effective values. | Leaving a built-in value unchanged keeps the built-in mapping without serializing a redundant override. Entering a different value stores an explicit override. Clearing a prefilled override falls back to the built-in mapping when one exists, otherwise leaves the tier unmapped. | #182 tests add/edit/remove/reset and invalid entries, plus prompt-level round trips for keeping and clearing prefilled override-backed tiers. |
 | config.profiles.<name>.llm.reviewer_model_tier | Core profile wizard frames this as a minimum reviewer model tier and offers the built-in small baseline or explicit small, medium, and large baselines. | `cr init --llm-reviewer-model-tier` and `--clear-llm-reviewer-model-tier`, because no config command currently mutates this field directly. | Omitted means effective small baseline. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates model tier. | #180 prompt tests. #187 flag persistence tests. |
 | config.profiles.<name>.agent_sources[] | Direct trusted-directory editor shows existing profile agent-source paths in one multiline field with explanatory notes about trust and separate repo-local `.codereview/agents` discovery. | Existing `cr init --agent-source`; existing `cr config agent-source add/remove`; #186 docs sequence. | Omitted means no additional profile-specific trusted directories. Existing values are pre-populated line-by-line. | Preserve on skip. Clearing the field removes all profile-specific agent sources. Entered paths are normalized and deduped through the shared config-edit helper. | #177 extracts helper. #183 tests add/remove/reset/preserve. #289 prompt tests cover explanatory copy, multiline entry, and Back. |
@@ -87,37 +77,28 @@ intentionally unsupported.
 
 ## Profile Lifecycle Semantics
 
-Runtime credential resolution for `profiles.<name>.secrets_profile` now follows
-this order:
+Each credential-writing workflow stores an explicit credential location in the
+profile: `credential.store` plus `credential.name`. The built-in OS credential
+store is always addressable as `local-os`, and user-configured stores live under
+`secrets.stores`. Runtime code must use the credential location attached to the
+Git, reviewer, or LLM credential being read or written; it must not infer a
+destination from a profile-level or global credential-store default.
 
-1. the active review profile's explicit `secrets_profile`
-2. `secrets.default_profile`, when configured
-3. legacy backend fallback via `keyring.backend`, environment selection, or
-   auto detection
-
-Shared credential refs use the same resolved store only when every declaring
-profile converges on the same logical secrets-management profile. When they do
-not:
-
-- `cr` with `--profile <name>` uses that selected profile only when it owns the
-  ref, and errors when another profile owns the ref instead
-- `cr` without `--profile` fails fast and tells the user to pass `--profile` to
-  disambiguate the conflicting owners
+The same `credential.name` may appear in different stores. Within one profile,
+credential locations must not collide when both the store and name match.
 
 Profile selection and mutation is shared by #177 and consumed by #180:
 
 - Creating a profile builds a complete, valid profile before saving.
 - Selecting an existing profile pre-populates every editable value.
-- Renaming a profile updates `config.default_profile` when it points at the old
-  name.
 - Renaming a profile updates `config.repository_profiles[].profile` entries
   that point at the old name.
-- Renaming a profile preserves all existing credential refs by default, even
-  refs that look auto-generated. This avoids stranding existing keyring
-  entries.
-- A wizard may offer credential-ref regeneration only when #181 has explicit
-  migration or overwrite behavior for the affected keyring entries.
-- Rename never deletes old keyring profiles implicitly.
+- Renaming a profile preserves all existing credential locations by default,
+  even names that look auto-generated. This avoids stranding existing
+  credential-store entries.
+- A wizard may offer credential-name regeneration only when #181 has explicit
+  migration or overwrite behavior for the affected credential-store entries.
+- Rename never deletes old credential-store entries implicitly.
 - Rename preserves `git.identity_cache` and
   `reviewer_credentials.identity_cache`. Cache invalidation requires a future
   dedicated owner.
@@ -151,20 +132,21 @@ profile.
 
 ## Credential Bundle Matrix
 
-Credential refs are non-secret config. Secret values are written only through
-the existing credential store plumbing. #179 owns ref/key-spec planning; #181
-owns interactive secret ingress.
+Credential locations are non-secret config: each write has an explicit store and
+name. Secret values are written only through the existing credential store
+plumbing. #179 owns credential-name/key-spec planning; #181 owns interactive
+secret ingress.
 
-| Purpose | Auth/provider | Ref default | Required keys | Optional keys | Keep/defer/overwrite semantics | Migration rule |
+| Purpose | Auth/provider | Name default | Required keys | Optional keys | Keep/defer/overwrite semantics | Migration rule |
 |---------|---------------|-------------|---------------|---------------|--------------------------------|----------------|
-| User Git auth | `pat` | `codereview/<profile>` | `git_token` | None | Keep preserves existing ref and key. Defer stores ref and prints follow-up `cr set-credential`. Overwrite writes `git_token` through keyring only. | Profile rename preserves ref. Regenerate only with explicit key migration or overwrite. |
-| Reviewer Git auth | `pat` | `codereview/<profile>-reviewer`, or label-derived for new interactive reviewer entities | `git_token` | None | Interactive reviewer setup collects `git_token` inline before staging a new or changed reviewer ref. Keep preserves an unchanged existing ref. Clearing the reviewer section removes the ref from config but does not delete secrets. | Profile rename and reviewer label edits preserve existing refs. No implicit ref migration. |
-| User or reviewer Git auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer ref; optional installation ID may be left blank. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
+| User Git auth | `pat` | `codereview/<profile>` | `git_token` | None | Keep preserves existing store/name and key. Defer stores the credential location and prints follow-up `cr set-credential --store ... --name ...`. Overwrite writes `git_token` through the selected credential store only. | Profile rename preserves the credential location. Regenerate only with explicit key migration or overwrite. |
+| Reviewer Git auth | `pat` | `codereview/<profile>-reviewer`, or label-derived for new interactive reviewer entities | `git_token` | None | Interactive reviewer setup collects `git_token` inline before staging a new or changed reviewer credential location. Keep preserves an unchanged credential location. Clearing the reviewer section removes the location from config but does not delete secrets. | Profile rename and reviewer label edits preserve existing credential locations. No implicit rename/migration. |
+| User or reviewer Git auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer credential location; optional installation ID may be left blank. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
 | Git auth | `oauth_device` | None | None | None | Unsupported in v1. The wizard must not offer it as a selectable mode. | Future OAuth work must amend this document. |
-| LLM API key | `anthropic` + `api_key` | `codereview/<profile>-llm` | `anthropic_api_key` | None | Keep preserves existing ref. Defer stores ref only if the key already exists or follow-up is clearly rendered. Overwrite writes provider key through keyring. | Preserve custom refs on rename. Regeneration requires explicit migration/overwrite. |
+| LLM API key | `anthropic` + `api_key` | `codereview/<profile>-llm` | `anthropic_api_key` | None | Keep preserves existing credential location. Defer stores the location only if the key already exists or follow-up is clearly rendered. Overwrite writes provider key through the selected credential store. | Preserve custom locations on rename. Regeneration requires explicit migration/overwrite. |
 | LLM API key | `openai` + `api_key` | `codereview/<profile>-llm` | `openai_api_key` | None | Same as Anthropic API-key auth. | Same as Anthropic API-key auth. |
-| LLM adapter-managed auth | `subscription` | No ref | None | None | Keep/preserve leaves empty ref. Switching from API key to subscription clears `llm.credential_ref` only after confirmation. | No keyring migration because config no longer points at a ref. |
-| LLM Pi auth | `pi` + `subscription` + `pi_rpc` | No ref | None | None | Supported adapter-managed mode. | No keyring migration. |
+| LLM adapter-managed auth | `subscription` | No credential location | None | None | Keep/preserve leaves `llm.credential` empty. Switching from API key to subscription clears `llm.credential` only after confirmation. | No credential-store migration because config no longer points at a location. |
+| LLM Pi auth | `pi` + `subscription` + `pi_rpc` | No credential location | None | None | Supported adapter-managed mode. | No credential-store migration. |
 | LLM Pi API key | `pi` + `api_key` | None | None | None | Unsupported in v1. The wizard must not offer this combination. | Future Pi API-key support must amend this document. |
 
 Secret ingress rules:
@@ -204,22 +186,19 @@ Scripted installs should remain readable. The intended shape is:
    any secrets intentionally supplied through stdin/env ingress.
 2. Use `cr set-credential` for scripted, deferred, or post-init credential
    bundles.
-3. Use `cr config default`, `cr config route`, `cr config agent-source`,
-   `cr config llm models`, and `cr config retention` for narrow idempotent
+3. Use `cr config route`, `cr config agent-source`, `cr config llm models`,
+   and `cr config retention` for narrow idempotent
    mutations.
 
-Persistent `keyring.backend` selection now belongs to `cr init
---non-interactive` through `--keyring-backend` and
-`--reset-keyring-backend`. There is still no standalone `cr config
-keyring ...` command. For backward compatibility, init may also persist a
-runtime `--backend` when the command writes credentials or configures API-key
-LLM auth; that older path remains supported but is no longer the recommended
-scripted contract.
+Credential storage is configured from the interactive main menu under
+**Configure secrets storage**. Scripted credential writes must choose a
+destination explicitly with `cr set-credential --store <id> --name <name>`.
+The root `--backend` flag remains runtime-only compatibility behavior and must
+not become durable config.
 
 #187 adds only the durable init flags assigned to it in the inventory table:
-`--git-auth-mode`, `--keyring-backend`, `--reset-keyring-backend`,
-`--disable-reviewer`, `--llm-reviewer-model-tier`,
-`--clear-llm-reviewer-model-tier`, and `--set-default`.
+`--git-auth-mode`, `--disable-reviewer`, `--llm-reviewer-model-tier`,
+and `--clear-llm-reviewer-model-tier`.
 It must not add a nested multi-route grammar, model-map flags, literal secret
 flags, or hidden YAML-in-a-flag structures.
 
@@ -230,7 +209,7 @@ The following flags are intentionally not durable init configuration.
 | Command | Flags | Rationale |
 |---------|-------|-----------|
 | Global/root | `--version` | Process output only. |
-| Global/root | `--backend` | Runtime credential backend selector. It may persist `keyring.backend` only through explicit init/config backend semantics; most invocations remain one-shot. |
+| Global/root | `--backend` | Compatibility runtime credential backend selector. It cannot override explicit credential-store destinations and must not persist to config. |
 | Global/root | `--profile` | Runtime profile selector. It participates in init profile selection but is not itself a durable field. |
 | `cr review` execution mode | `--dry-run`, `--no-post`, `--rerun`, `--retry-posts` | Per-run execution behavior, not profile policy. |
 | `cr review` output/audit | `--json`, `--verbose` | Presentation and diagnostic controls. |
@@ -240,7 +219,7 @@ The following flags are intentionally not durable init configuration.
 | `cr review` posting gates | `--fail-on`, `--allow-self-review`, `--allow-self-approve`, `--no-resolve-threads` | One-shot live review gates. Durable self-approval and thread policy are `review_policy.allow_self_approve` and `review_policy.resolve_threads`. |
 | `cr init` control | `--non-interactive`, `--replace-profile` | Command flow controls. They select scripted mode and replacement behavior but do not create durable config fields. |
 | `cr init` secret ingress | `--git-token-stdin`, `--git-token-from-env`, `--reviewer-token-stdin`, `--reviewer-token-from-env`, `--llm-api-key-stdin`, `--llm-api-key-from-env`, `--overwrite` | Secret ingress and overwrite controls. They may be part of init interaction, but their values must never become config. |
-| `cr set-credential` | `--ref`, `--key`, `--stdin`, `--from-env`, `--overwrite`, `--json` | Credential-store operation, not config schema. |
+| `cr set-credential` | `--store`, `--name`, `--key`, `--stdin`, `--from-env`, `--overwrite`, `--json` | Credential-store operation, not config schema. |
 | `cr config` read/output | `--json`, `--dry-run` where present | Presentation or preview-only behavior. |
 | `cr config route` | `--host`, `--namespace`, `--repo` | Command arguments for route mutation. The durable result is `repository_profiles`. |
 | `cr config llm models reset` | `--provider` | Safety guard for reset, not stored config. |
@@ -259,12 +238,12 @@ The following flags are intentionally not durable init configuration.
 - #177: shared mutation helpers for profile rename, routes, agent sources,
   retention validation, and optional clear/reset behavior.
 - #178: `cr config retention` command surface.
-- #179: credential-ref and key-spec planning.
+- #179: credential-location and key-spec planning.
 - #180: non-secret core interactive wizard.
 - #181: interactive secret ingress and safe keyring writes.
 - #182: interactive `llm.model_map`.
 - #183: interactive `agent_sources` and `review_policy`.
-- #184: interactive global `data.retention` and legacy secrets-management `keyring.backend`.
+- #184: interactive global `data.retention` and secrets-storage settings.
 - #185: interactive repository routes and host reconciliation.
 - #186: scripted installer documentation.
 - #187: maintainable non-interactive init parity flags.
diff --git a/docs/init-ux-contract.md b/docs/init-ux-contract.md
index d2523373..b01a0237 100644
--- a/docs/init-ux-contract.md
+++ b/docs/init-ux-contract.md
@@ -40,9 +40,9 @@ Supporting language is allowed when it helps teach the model:
 
 - A profile is the saved result.
 - A Git scope is the thing the user chooses while assembling that profile.
-- `credential_ref` remains an implementation term. User-facing prompts should
-  prefer **storage labels** and explain them in terms of the selected Git
-  scope, reviewer entity, or LLM runtime.
+- Credential storage is user-facing as **credential store** plus **credential
+  name**. The name is the full visible `codereview/...` path written to the
+  selected store.
 
 ## Core Mental Model
 
@@ -95,9 +95,8 @@ This ordering is intentional:
   configurations.
 - Global settings stay visible but conceptually separate from the core
   identity/runtime/profile model.
-- Secrets management stays top-level because it affects where credentials live,
-  but it should not be confused with the credential refs inside a review
-  profile.
+- Secrets storage stays top-level because it affects where credentials live.
+  Credential-writing flows choose one configured destination explicitly.
 
 ## First-Run Behavior
 
@@ -105,7 +104,7 @@ For a first-time user, interactive `init` should:
 
 - explain what `cr init` writes and what it does not write
 - teach the three building blocks before asking for schema-shaped details
-- avoid asking for raw credential refs on the primary path
+- avoid asking for raw schema terms on the primary path
 - treat secrets as requirements of a building block, not as unrelated chores
 
 The first-run user should be able to understand:
@@ -155,7 +154,7 @@ enough local context to understand why each secret is needed. Reviewer-entity
 setup collects the required PAT or GitHub App reviewer secrets inline on the
 reviewer details page before a new reviewer can be staged. Those values remain
 draft-local until commit; final commit still handles untouched or deferred Git
-and LLM credential refs.
+and LLM credential locations.
 
 If the user cancels during credential collection, whether from a subflow or after
 choosing **Commit staged changes and exit**, any pending secret values remain
@@ -164,7 +163,7 @@ begins, cancellation must still leave both config and keyring untouched.
 
 Credential status shown inside a subflow must also be draft-driven. Reviewer
 entity setup should show non-secret, per-key credential readiness for the
-selected reviewer credential ref:
+selected reviewer credential location:
 
 - PAT reviewers show `git_token`.
 - GitHub App reviewers show required `github_app_id` and
@@ -183,15 +182,15 @@ selected reviewer credential ref:
 - `optional` means an optional key has no staged, skipped, or existing value.
 - `status unavailable` means the backend or key contract could not be inspected,
   so the UI must not claim a key is missing.
-- The destination should include the storage label and the resolved
-  secrets-management profile/backend when known.
+- The destination should include the credential store, credential name, and
+  resolved backend when known.
 
 This status must never show raw secret values. Draft-local writes, defers, and
 optional-key skips should be preserved when the user re-enters reviewer entity
-setup, but they must be filtered out if the reviewer credential ref no longer
-uses those keys. Final commit remains the only write boundary for staged secret
-values, and the final readiness summary should continue to report follow-up
-credential work without leaking values.
+setup, but they must be filtered out if the reviewer credential location no
+longer uses those keys. Final commit remains the only write boundary for staged
+secret values, and the final readiness summary should continue to report
+follow-up credential work without leaking values.
 
 All credential-bearing init flows should show equivalent non-secret destination
 context before collecting secret values. This includes Git credentials, reviewer
@@ -201,11 +200,12 @@ collector.
 Destination summaries should include:
 
 - credential storage ref
-- resolved secrets-management profile label/id when a named profile applies
-- resolved backend display label, including platform-specific automatic OS
-  default copy such as `Automatic OS default (macOS Keychain)`
-- configured 1Password vault, item title prefix, item tag, item field title, and
-  other non-secret routing labels when present
+- selected credential store id and display name
+- credential name, including the visible `codereview/...` path
+- resolved backend display label, including platform-specific OS store copy
+  such as `macOS Login Keychain`
+- configured 1Password account, vault name/id, and other non-secret routing
+  metadata when present
 
 Destination summaries must be non-fatal. If a profile/backend destination cannot
 be resolved, the flow should show non-secret unavailable copy and continue to the
@@ -228,7 +228,7 @@ That means:
   objects on reload
 
 API-key-backed LLM runtimes may be reused across multiple profiles by selecting
-the same draft runtime and the same advanced storage label. If a user wants two
+the same draft runtime and the same credential store/name. If a user wants two
 distinct runtime entries that happen to use the same secret value, the system
 should allow that and should not deduplicate them automatically.
 
@@ -248,7 +248,7 @@ contextual variants of the same fallback choice, such as:
 This means:
 
 - the review is posted with the profile's main Git credentials
-- no separate reviewer credential ref is created for that choice
+- no separate reviewer credential location is created for that choice
 - in the current schema, that exports as `ReviewerCredentials=nil`
 
 Interactive `init` may also offer separate reviewer entities such as:
@@ -268,7 +268,7 @@ text, for example:
 - **Release reviewer (PAT reviewer)**
 
 When no explicit display name exists, the chooser should fall back to stable,
-deterministic identity text derived from the credential ref or equivalent
+deterministic identity text derived from the credential name or equivalent
 profile context, for example:
 
 - **open-cli-collective-rianjs-bot (GitHub App reviewer)**
@@ -296,7 +296,7 @@ and saved config must stay stable:
 - **Git scope** maps to `profile.git`, plus repository-route implications when
   the profile participates in `repository_profiles`.
 - **LLM runtime** maps to `profile.llm`, including the provider, auth mode,
-  adapter, and any optional LLM credential ref implied by API-key auth.
+  adapter, and any optional LLM credential location implied by API-key auth.
 - **Reviewer entity** maps to `profile.reviewer_credentials` when separate
   credentials are configured, or to `nil` when the user selected `Use a
   profile's Git account (no separate reviewer entity)`.
@@ -305,29 +305,28 @@ and saved config must stay stable:
 This section is intentionally high level. The detailed field inventory and
 mutation rules still live in `docs/init-config-surface.md`.
 
-## Storage Labels
+## Credential Storage
 
-Interactive `init` should treat credential refs as an advanced concept without
-forcing the user through a separate mode selector before they can see the
-relevant values.
+Interactive `init` should show credential storage as an explicit destination
+choice, not as a hidden default.
 
-Primary-path users should not be asked for `credential_ref` values directly.
-Instead:
+Primary-path users should choose a credential store and see or edit the full
+credential name. There is no namespace, label, or prefix prompt. Instead:
 
 - defaults should be generated automatically
 - new reviewer defaults may follow the typed entity label, for example
   `rianjs-bot` becomes `codereview/rianjs-bot-reviewer`
-- changing an existing reviewer label must not migrate or rename the existing
-  credential-store ref
-- users who need an override may edit the relevant inline **storage label**
+- changing an existing reviewer display name must not migrate or rename the
+  existing credential name
+- users who need an override may edit the relevant inline **credential name**
   fields for Git, reviewer, or LLM secrets
-- irrelevant reviewer/LLM storage-label fields should stay hidden when the
+- irrelevant reviewer/LLM credential-name fields should stay hidden when the
   profile is using its Git account or a subscription runtime
-- any advanced path should still explain that these labels are non-secret
-  pointers to keyring entries, not the secrets themselves
+- any advanced path should still explain that these names are non-secret
+  pointers to credential-store entries, not the secrets themselves
 - users who need to change where secrets are stored should configure/select a
-  secrets-management profile rather than entering GitHub App IDs, private keys,
-  or API keys in the top-level secrets-management workflow
+  credential store rather than entering GitHub App IDs, private keys, or API
+  keys in the top-level secrets-storage workflow
 
 ## Global Settings Area
 
@@ -337,7 +336,7 @@ assembly path.
 The top-level auxiliary areas should cover:
 
 - global settings for run-data retention behavior
-- secrets-management settings for credential-store/backend behavior
+- secrets-storage settings for credential-store/backend behavior
 
 These settings matter, but they are not part of the primary
 `Git scope + reviewer entity + LLM runtime = review profile` model.
@@ -354,7 +353,7 @@ behavior readable and explicitly tested where relevant, especially for:
   through the interactive workspace draft model
 - durable config ownership
 - credential-planning behavior
-- keyring backend persistence
+- explicit credential-store destination behavior
 - reviewer enable/disable behavior
 - LLM auth and credential-ref behavior
 
diff --git a/internal/benchmark/suite_test.go b/internal/benchmark/suite_test.go
index 52143575..e83f0263 100644
--- a/internal/benchmark/suite_test.go
+++ b/internal/benchmark/suite_test.go
@@ -517,7 +517,6 @@ func withRawSynthesisStage(body, stage string) string {
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
diff --git a/internal/cmd/agentscmd/agentscmd_test.go b/internal/cmd/agentscmd/agentscmd_test.go
index 98cf3ca1..b9d624b1 100644
--- a/internal/cmd/agentscmd/agentscmd_test.go
+++ b/internal/cmd/agentscmd/agentscmd_test.go
@@ -33,7 +33,7 @@ func TestAgentsListWithoutPRLoadsProfileAndFlagSources(t *testing.T) {
 		return nil, nil, nil
 	})
 
-	if err := root.Execute(cmd, []string{"agents", "list", "--agents-dir", flagDir, "--agents-dir", overrideFlagDir}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "agents", "list", "--agents-dir", flagDir, "--agents-dir", overrideFlagDir}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	text := out.String()
@@ -59,7 +59,7 @@ func TestAgentsListFailsFastForUnreadableProfileSource(t *testing.T) {
 		return nil, nil, nil
 	})
 
-	err := root.Execute(cmd, []string{"agents", "list"})
+	err := root.Execute(cmd, []string{"--profile", "home", "agents", "list"})
 	if err == nil || !strings.Contains(err.Error(), "agents: read source") {
 		t.Fatalf("Execute error = %v, want read source failure", err)
 	}
@@ -189,7 +189,7 @@ func TestAgentsShowWithPRUsesRepositoryProfileRoute(t *testing.T) {
 	}
 }
 
-func TestAgentsListExplicitEmptyProfileBypassesRepositoryRoute(t *testing.T) {
+func TestAgentsListExplicitEmptyProfileFailsBeforeRepositoryRoute(t *testing.T) {
 	fake, ref := fakeProviderWithRepoAgent(t, "repo", "reviewer", "repo desc")
 	cfg := testConfig("")
 	work := cfg.Profiles["home"]
@@ -203,24 +203,24 @@ func TestAgentsListExplicitEmptyProfileBypassesRepositoryRoute(t *testing.T) {
 			Repos:     []string{ref.Repo},
 		},
 	}}
-	cmd, _ := newTestCommand(t, cfg, func(_ *cobra.Command, _ *root.Options, _ config.File, profile config.Profile) (gitprovider.GitProvider, func(), error) {
-		if profile.Git.CredentialRef != "codereview/home" {
-			t.Fatalf("provider profile credential ref = %q, want default home", profile.Git.CredentialRef)
-		}
+	cmd, _ := newTestCommand(t, cfg, func(_ *cobra.Command, _ *root.Options, _ config.File, _ config.Profile) (gitprovider.GitProvider, func(), error) {
+		t.Fatal("provider factory should not be called for an empty explicit profile")
 		return fake, nil, nil
 	})
 
-	if err := root.Execute(cmd, []string{"--profile", "", "agents", "list", prURL(ref), "--json"}); err != nil {
-		t.Fatalf("Execute: %v", err)
+	err := root.Execute(cmd, []string{"--profile", "", "agents", "list", prURL(ref), "--json"})
+	if err == nil || !strings.Contains(err.Error(), "no profile selected") {
+		t.Fatalf("Execute error = %v, want empty profile failure", err)
 	}
 }
 
-func TestAgentsListImplicitDefaultProfileHostMismatch(t *testing.T) {
+func TestAgentsListExplicitProfileHostMismatch(t *testing.T) {
 	fake, ref := fakeProviderWithRepoAgent(t, "repo", "reviewer", "repo desc")
 	cfg := testConfig("")
 	home := cfg.Profiles["home"]
 	home.Git.Host = "gitlab.com"
 	cfg.Profiles["home"] = home
+	cfg.RepositoryProfiles = nil
 	work := home
 	work.Git.Host = "github.com"
 	work.Git.CredentialRef = "codereview/work"
@@ -234,11 +234,11 @@ func TestAgentsListImplicitDefaultProfileHostMismatch(t *testing.T) {
 		},
 	}}
 	cmd, _ := newTestCommand(t, cfg, func(*cobra.Command, *root.Options, config.File, config.Profile) (gitprovider.GitProvider, func(), error) {
-		t.Fatal("provider factory should not be called when fallback profile host mismatches")
+		t.Fatal("provider factory should not be called when explicit profile host mismatches")
 		return fake, nil, nil
 	})
 
-	err := root.Execute(cmd, []string{"agents", "list", prURL(ref)})
+	err := root.Execute(cmd, []string{"--profile", "home", "agents", "list", prURL(ref)})
 	if err == nil {
 		t.Fatal("Execute error = nil, want host mismatch")
 	}
@@ -297,7 +297,7 @@ func TestAgentsShowRendersAgentAndMissingFailure(t *testing.T) {
 	cfg := testConfig(profileDir)
 	cmd, out := newTestCommand(t, cfg, providerFactory(&gitprovider.Fake{}))
 
-	if err := root.Execute(cmd, []string{"agents", "show", "harness:architecture"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "agents", "show", "harness:architecture"}); err != nil {
 		t.Fatalf("Execute show: %v", err)
 	}
 	if text := out.String(); !strings.Contains(text, "Agent: harness:architecture") || !strings.Contains(text, "Read carefully.") || !strings.Contains(text, "Source canonical path:") {
@@ -305,7 +305,7 @@ func TestAgentsShowRendersAgentAndMissingFailure(t *testing.T) {
 	}
 
 	cmd, _ = newTestCommand(t, cfg, providerFactory(&gitprovider.Fake{}))
-	err := root.Execute(cmd, []string{"agents", "show", "missing:agent"})
+	err := root.Execute(cmd, []string{"--profile", "home", "agents", "show", "missing:agent"})
 	if err == nil {
 		t.Fatal("Execute missing error = nil, want failure")
 	}
@@ -359,7 +359,7 @@ func TestAgentsListRejectsInvalidPRArg(t *testing.T) {
 	}
 
 	cmd, _ = newTestCommand(t, cfg, providerFactory(&gitprovider.Fake{}))
-	err = root.Execute(cmd, []string{"agents", "list", "https://gitlab.com/open-cli-collective/codereview-cli/pull/28"})
+	err = root.Execute(cmd, []string{"--profile", "home", "agents", "list", "https://gitlab.com/open-cli-collective/codereview-cli/pull/28"})
 	if err == nil {
 		t.Fatal("Execute wrong host error = nil, want usage error")
 	}
@@ -409,9 +409,16 @@ func testConfig(agentSource string) config.File {
 		profile.AgentSources = []string{agentSource}
 	}
 	return config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
-		Profiles:       map[string]config.Profile{"home": profile},
+		Keyring: config.KeyringConfig{Backend: "memory"},
+		RepositoryProfiles: []config.RepositoryProfile{{
+			Profile: "home",
+			Match: config.RepositoryProfileMatch{
+				Host:      "github.com",
+				Namespace: "open-cli-collective",
+				Repos:     []string{"codereview-cli"},
+			},
+		}},
+		Profiles: map[string]config.Profile{"home": profile},
 	}
 }
 
diff --git a/internal/cmd/benchmarkcmd/benchmarkcmd_test.go b/internal/cmd/benchmarkcmd/benchmarkcmd_test.go
index 50f5b96d..12b37a30 100644
--- a/internal/cmd/benchmarkcmd/benchmarkcmd_test.go
+++ b/internal/cmd/benchmarkcmd/benchmarkcmd_test.go
@@ -1022,8 +1022,7 @@ func withBenchmarkSynthesisStage(body, promptPath string) string {
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Keyring: config.KeyringConfig{Backend: "memory"},
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
diff --git a/internal/cmd/configcmd/configcmd.go b/internal/cmd/configcmd/configcmd.go
index 81bfb4a1..37376c47 100644
--- a/internal/cmd/configcmd/configcmd.go
+++ b/internal/cmd/configcmd/configcmd.go
@@ -41,6 +41,12 @@ func Register(rootCmd *cobra.Command, opts *root.Options) {
 	configCmd := &cobra.Command{
 		Use:   "config",
 		Short: "Inspect cr configuration",
+		Args: func(_ *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				return exitcode.Usage(fmt.Errorf("unknown config command %q", args[0]))
+			}
+			return nil
+		},
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			return cmd.Help()
 		},
@@ -138,76 +144,6 @@ func Register(rootCmd *cobra.Command, opts *root.Options) {
 	}
 	pathCmd.Flags().BoolVar(&pathJSON, "json", false, "Emit JSON")
 
-	defaultCmd := &cobra.Command{
-		Use:   "default",
-		Short: "Inspect and update the default profile",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return cmd.Help()
-		},
-	}
-
-	var defaultGetJSON bool
-	defaultGetCmd := &cobra.Command{
-		Use:   "get",
-		Short: "Show the configured default profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) > 0 {
-				return exitcode.Usage(fmt.Errorf("config default get takes no arguments"))
-			}
-			return nil
-		},
-		RunE: func(_ *cobra.Command, _ []string) error {
-			path, err := configPath(opts)
-			if err != nil {
-				return exitcode.AuthConfig(err)
-			}
-			cfg, err := config.Load(path)
-			if err != nil {
-				return cmderr.Config(err)
-			}
-			result := view.ConfigDefault{DefaultProfile: cfg.DefaultProfile}
-			if defaultGetJSON {
-				return view.RenderConfigDefaultJSON(opts.Stdout, result)
-			}
-			return view.RenderConfigDefaultText(opts.Stdout, result)
-		},
-	}
-	defaultGetCmd.Flags().BoolVar(&defaultGetJSON, "json", false, "Emit JSON")
-
-	defaultSetCmd := &cobra.Command{
-		Use:   "set <profile>",
-		Short: "Set the configured default profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return exitcode.Usage(fmt.Errorf("config default set requires <profile>"))
-			}
-			return nil
-		},
-		RunE: func(_ *cobra.Command, args []string) error {
-			profileName := strings.TrimSpace(args[0])
-			if profileName == "" {
-				return exitcode.Usage(fmt.Errorf("profile must be non-empty"))
-			}
-			path, err := configPath(opts)
-			if err != nil {
-				return exitcode.AuthConfig(err)
-			}
-			cfg, err := config.Load(path)
-			if err != nil {
-				return cmderr.Config(err)
-			}
-			cfg, _, err = configedit.SetDefaultProfile(cfg, profileName)
-			if err != nil {
-				return cmderr.Config(err)
-			}
-			if err := saveConfigFile(path, cfg); err != nil {
-				return cmderr.Config(err)
-			}
-			return view.RenderConfigDefaultText(opts.Stdout, view.ConfigDefault{DefaultProfile: profileName})
-		},
-	}
-	defaultCmd.AddCommand(defaultGetCmd, defaultSetCmd)
-
 	routeCmd := &cobra.Command{
 		Use:   "route",
 		Short: "Inspect and update repository profile routes",
@@ -540,7 +476,6 @@ func Register(rootCmd *cobra.Command, opts *root.Options) {
 					return fmt.Errorf("config clear --all credentials already cleared for profile %q (%s), but config reset failed: %w", profileName, credentialRefList(profiles), err)
 				}
 				result.ConfigProfileRemoved = change.profileRemoved
-				result.DefaultProfile = change.defaultProfile
 				result.ConfigPathRemoved = change.configPathRemoved
 
 				cache, err := clearCacheRoot(clearDryRun)
@@ -574,7 +509,7 @@ func Register(rootCmd *cobra.Command, opts *root.Options) {
 	clearCmd.Flags().BoolVar(&clearJSON, "json", false, "Emit JSON")
 	clearCmd.Flags().BoolVar(&clearDryRun, "dry-run", false, "Report what would be cleared without deleting credentials, config, or cache")
 
-	configCmd.AddCommand(showCmd, pathCmd, defaultCmd, routeCmd, resolveProfileCmd, agentSourceCmd, newSecretsProfileCommand(opts), newRetentionCommand(opts), clearCmd, newLLMCommand(opts))
+	configCmd.AddCommand(showCmd, pathCmd, routeCmd, resolveProfileCmd, agentSourceCmd, newSecretsProfileCommand(opts), newRetentionCommand(opts), clearCmd, newLLMCommand(opts))
 	rootCmd.AddCommand(configCmd)
 }
 
@@ -1112,7 +1047,6 @@ func renderModelResolveText(w io.Writer, result modelResolveResult) error {
 
 type configClearChange struct {
 	profileRemoved    string
-	defaultProfile    string
 	configPathRemoved string
 }
 
@@ -1125,18 +1059,15 @@ func configPath(opts *root.Options) (string, error) {
 
 func backendMetadata(store *credstore.Store, flagValue string, flagSet bool, cfg config.File, resolvedSecretsProfile credentials.ResolvedSecretsProfile) (credstore.Backend, credstore.Source, error) {
 	if store != nil {
-		backend, source := store.Backend()
-		if resolvedSecretsProfile.IsNamed() {
-			return backend, credentials.BackendSourceSecretsProfile, nil
-		}
-		return backend, source, nil
+		backend, _ := store.Backend()
+		return backend, credentials.BackendSourceCredentialStore, nil
 	}
 	if resolvedSecretsProfile.IsNamed() {
 		backend, err := credstore.ParseBackend(resolvedSecretsProfile.Backend)
 		if err != nil {
 			return "", "", fmt.Errorf("%w: %w", credentials.ErrInvalidBackendSelection, err)
 		}
-		return backend, credentials.BackendSourceSecretsProfile, nil
+		return backend, credentials.BackendSourceCredentialStore, nil
 	}
 	return credentials.BackendMetadata(flagValue, flagSet, cfg)
 }
@@ -1183,10 +1114,6 @@ func removeProfileFromConfig(path string, cfg config.File, profileName string) (
 		return change, nil
 	}
 	cfg.RepositoryProfiles = configedit.PruneRepositoryProfileRoutes(cfg.RepositoryProfiles, profileName)
-	if cfg.DefaultProfile == profileName {
-		cfg.DefaultProfile = configedit.FirstProfileName(cfg.Profiles)
-		change.defaultProfile = cfg.DefaultProfile
-	}
 	if err := saveConfigFile(path, cfg); err != nil {
 		return configClearChange{}, err
 	}
@@ -1211,10 +1138,11 @@ func clearCredentialBundle(store *credstore.Store, profile string, dryRun bool)
 
 func resolvedSecretsProfileViewPtr(resolved credentials.ResolvedSecretsProfile) *view.ConfigSecretsProfile {
 	return &view.ConfigSecretsProfile{
-		ID:      resolved.ID,
-		Label:   resolved.Label,
-		Backend: resolved.Backend,
-		Source:  string(resolved.Source),
+		ID:       resolved.ID,
+		Label:    resolved.Label,
+		Backend:  resolved.Backend,
+		ReadOnly: resolved.Source == config.EffectiveSecretsStoreSourceBuiltIn,
+		Source:   string(resolved.Source),
 	}
 }
 
@@ -1236,15 +1164,6 @@ func previewProfileFromConfig(path string, cfg config.File, profileName string)
 		change.configPathRemoved = path
 		return change, nil
 	}
-	if cfg.DefaultProfile == profileName {
-		remaining := make(map[string]config.Profile, len(cfg.Profiles)-1)
-		for name, profile := range cfg.Profiles {
-			if name != profileName {
-				remaining[name] = profile
-			}
-		}
-		change.defaultProfile = configedit.FirstProfileName(remaining)
-	}
 	return change, nil
 }
 
diff --git a/internal/cmd/configcmd/configcmd_test.go b/internal/cmd/configcmd/configcmd_test.go
index 08946dc6..03f1c0fb 100644
--- a/internal/cmd/configcmd/configcmd_test.go
+++ b/internal/cmd/configcmd/configcmd_test.go
@@ -19,7 +19,6 @@ import (
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/exitcode"
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/root"
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/configedit"
 	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 	"github.com/open-cli-collective/codereview-cli/internal/statepaths"
 	"github.com/open-cli-collective/codereview-cli/internal/view"
@@ -29,7 +28,7 @@ func TestConfigShowText(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "show"}); err != nil {
+	if err := root.Execute(cmd, []string{"config", "show", "--profile", "home"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if !strings.Contains(out.String(), "Profile: home") {
@@ -53,7 +52,7 @@ func TestConfigShowProfileFlag(t *testing.T) {
 	if !strings.Contains(out.String(), "Profile: work") {
 		t.Fatalf("stdout = %q, want work profile", out.String())
 	}
-	if !strings.Contains(out.String(), "Credential ref: codereview/work-llm") {
+	if !strings.Contains(out.String(), "Credential name: codereview/work-llm") {
 		t.Fatalf("stdout = %q, want work LLM ref", out.String())
 	}
 }
@@ -87,8 +86,8 @@ func TestConfigShowJSON(t *testing.T) {
 	if got.LLMCredential.Ref != "codereview/work-llm" {
 		t.Fatalf("llm credential = %#v, want work LLM ref", got.LLMCredential)
 	}
-	if got.Backend != "memory" || got.BackendSource != "config" {
-		t.Fatalf("backend = (%q,%q), want (memory,config)", got.Backend, got.BackendSource)
+	if got.Backend != "memory" || got.BackendSource != "credential_store" {
+		t.Fatalf("backend = (%q,%q), want (memory,credential_store)", got.Backend, got.BackendSource)
 	}
 	if got.CredentialRef != "codereview/work" {
 		t.Fatalf("credential_ref = %q, want codereview/work", got.CredentialRef)
@@ -188,567 +187,76 @@ func TestConfigPathTextUsesDefaultResolvedPathOffline(t *testing.T) {
 	}
 }
 
-func TestConfigDefaultGetText(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{"config", "default", "get"}); err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-	if got := out.String(); got != "Default profile: home\n" {
-		t.Fatalf("stdout = %q, want default profile text", got)
-	}
-}
-
-func TestConfigDefaultGetJSON(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{"config", "default", "get", "--json"}); err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-	var got view.ConfigDefault
-	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
-		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
-	}
-	if got.DefaultProfile != "home" {
-		t.Fatalf("default_profile = %q, want home", got.DefaultProfile)
-	}
-}
-
-func TestConfigDefaultSetUpdatesOnlyDefaultProfile(t *testing.T) {
-	cfg := testConfig()
-	cfg.RepositoryProfiles = []config.RepositoryProfile{{
-		Profile: "work",
-		Match: config.RepositoryProfileMatch{
-			Host:      "github.com",
-			Namespace: "open-cli-collective",
-		},
-	}}
-	path := saveTestConfig(t, cfg)
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{"config", "default", "set", "work"}); err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-	if got := out.String(); got != "Default profile: work\n" {
-		t.Fatalf("stdout = %q, want updated default profile text", got)
-	}
-	saved, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-	if saved.DefaultProfile != "work" {
-		t.Fatalf("default_profile = %q, want work", saved.DefaultProfile)
-	}
-	if !reflect.DeepEqual(saved.Profiles, cfg.Profiles) {
-		t.Fatalf("profiles = %#v, want %#v", saved.Profiles, cfg.Profiles)
-	}
-	if !reflect.DeepEqual(saved.RepositoryProfiles, cfg.RepositoryProfiles) {
-		t.Fatalf("repository_profiles = %#v, want %#v", saved.RepositoryProfiles, cfg.RepositoryProfiles)
-	}
-	if !reflect.DeepEqual(saved.Keyring, cfg.Keyring) {
-		t.Fatalf("keyring = %#v, want %#v", saved.Keyring, cfg.Keyring)
-	}
-	if !reflect.DeepEqual(saved.Data, cfg.Data) {
-		t.Fatalf("data = %#v, want %#v", saved.Data, cfg.Data)
-	}
-}
-
-func TestConfigDefaultSetTrimsProfileArgument(t *testing.T) {
+func TestConfigDefaultCommandIsRemoved(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, _ := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "default", "set", " work "}); err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-	saved, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-	if saved.DefaultProfile != "work" {
-		t.Fatalf("default_profile = %q, want work", saved.DefaultProfile)
-	}
-}
-
-func TestConfigDefaultSetRejectsMissingProfile(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, _ := newTestCommand(path)
-	oldSave := saveConfigFile
-	calledSave := false
-	saveConfigFile = func(string, config.File) error {
-		calledSave = true
-		return nil
-	}
-	t.Cleanup(func() { saveConfigFile = oldSave })
-
-	err := root.Execute(cmd, []string{"config", "default", "set", "missing"})
-	if !errors.Is(err, config.ErrProfileNotFound) {
-		t.Fatalf("Execute error = %v, want ErrProfileNotFound", err)
-	}
-	if got := exitcode.FromError(err); got != exitcode.AuthConfigError {
-		t.Fatalf("exit code = %d, want %d", got, exitcode.AuthConfigError)
-	}
-	if calledSave {
-		t.Fatal("saveConfigFile called for missing profile, want pre-save validation")
-	}
-}
-
-func TestConfigDefaultSetRejectsBlankProfile(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, _ := newTestCommand(path)
-
-	err := root.Execute(cmd, []string{"config", "default", "set", "   "})
-	if err == nil {
-		t.Fatal("Execute error = nil, want usage error")
+	err := root.Execute(cmd, []string{"config", "default", "get"})
+	if err == nil || !strings.Contains(err.Error(), `unknown config command "default"`) {
+		t.Fatalf("Execute error = %v, want unknown command", err)
 	}
 	if got := exitcode.FromError(err); got != exitcode.UsageError {
 		t.Fatalf("exit code = %d, want %d", got, exitcode.UsageError)
 	}
 }
 
-func TestConfigSecretsProfileListTextProjectedLegacy(t *testing.T) {
+func TestConfigCredentialStoreListTextIncludesBuiltIn(t *testing.T) {
 	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{}
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "list"}); err != nil {
+	if err := root.Execute(cmd, []string{"config", "credential-store", "list"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
-	want := "Secrets management profiles:\n  - legacy-default: Legacy default (memory, projected_legacy) [default]\n"
+	want := "Credential stores:\n  - local-os: OS credential store (auto, built_in)\n  - test-memory: Test Memory Store (memory, configured)\n"
 	if out.String() != want {
 		t.Fatalf("stdout = %q, want %q", out.String(), want)
 	}
 }
 
-func TestConfigSecretsProfileGetAndDefaultGetJSON(t *testing.T) {
+func TestConfigCredentialStoreGetJSON(t *testing.T) {
 	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
-			"personal-keychain": {
-				Label:   "Personal Keychain",
-				Backend: config.SecretsProfileBackend{Kind: "keychain"},
-			},
-			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: "file"},
-			},
-		},
+	cfg.Secrets.Stores["personal-keychain"] = config.SecretsStore{
+		DisplayName: "Personal Keychain",
+		Backend:     config.SecretsStoreBackend{Kind: "keychain"},
+	}
+	cfg.Secrets.Stores["work-file"] = config.SecretsStore{
+		DisplayName: "Work File Store",
+		Backend:     config.SecretsStoreBackend{Kind: "file"},
 	}
 	path := saveTestConfig(t, cfg)
 
 	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "get", "work-file", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"config", "credential-store", "get", "work-file", "--json"}); err != nil {
 		t.Fatalf("Execute get: %v", err)
 	}
 	var got view.ConfigSecretsProfile
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal get JSON: %v\n%s", err, out.String())
 	}
-	want := view.ConfigSecretsProfile{ID: "work-file", Label: "Work File Store", Backend: "file", Source: "configured", IsDefault: true}
+	want := view.ConfigSecretsProfile{ID: "work-file", Label: "Work File Store", Backend: "file", Source: "configured"}
 	if !reflect.DeepEqual(got, want) {
 		t.Fatalf("get JSON = %#v, want %#v", got, want)
 	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "get", "--json"}); err != nil {
-		t.Fatalf("Execute default get: %v", err)
-	}
-	var defaultGot view.ConfigSecretsProfileDefault
-	wantDefault := view.ConfigSecretsProfileDefault{DefaultProfile: &want}
-	if err := json.Unmarshal(out.Bytes(), &defaultGot); err != nil {
-		t.Fatalf("Unmarshal default JSON: %v\n%s", err, out.String())
-	}
-	if !reflect.DeepEqual(defaultGot, wantDefault) {
-		t.Fatalf("default get JSON = %#v, want %#v", defaultGot, wantDefault)
-	}
-}
-
-func TestConfigSecretsProfileDefaultGetProjectedLegacy(t *testing.T) {
-	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{}
-	path := saveTestConfig(t, cfg)
-
-	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "get"}); err != nil {
-		t.Fatalf("Execute text: %v", err)
-	}
-	wantText := "Default secrets profile: legacy-default\nLabel: Legacy default\nBackend: memory\nSource: projected_legacy\n"
-	if out.String() != wantText {
-		t.Fatalf("default get text = %q, want %q", out.String(), wantText)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "get", "--json"}); err != nil {
-		t.Fatalf("Execute JSON: %v", err)
-	}
-	wantJSON := view.ConfigSecretsProfileDefault{
-		DefaultProfile: &view.ConfigSecretsProfile{
-			ID:        "legacy-default",
-			Label:     "Legacy default",
-			Backend:   "memory",
-			Source:    "projected_legacy",
-			IsDefault: true,
-		},
-	}
-	var got view.ConfigSecretsProfileDefault
-	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
-		t.Fatalf("Unmarshal projected legacy JSON: %v\n%s", err, out.String())
-	}
-	if !reflect.DeepEqual(got, wantJSON) {
-		t.Fatalf("default get JSON = %#v, want %#v", got, wantJSON)
-	}
-}
-
-func TestConfigSecretsProfileDefaultGetReportsNoneForValidUnsetState(t *testing.T) {
-	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{
-		Profiles: map[string]config.SecretsProfile{
-			"work-file": {Label: "Work File Store", Backend: config.SecretsProfileBackend{Kind: "file"}},
-		},
-	}
-	path := saveTestConfig(t, cfg)
-
-	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "get"}); err != nil {
-		t.Fatalf("Execute text: %v", err)
-	}
-	if out.String() != "Default secrets profile: none\n" {
-		t.Fatalf("default get text = %q, want none text", out.String())
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "get", "--json"}); err != nil {
-		t.Fatalf("Execute JSON: %v", err)
-	}
-	defaultGot := view.ConfigSecretsProfileDefault{}
-	if err := json.Unmarshal(out.Bytes(), &defaultGot); err != nil {
-		t.Fatalf("Unmarshal default-none JSON: %v\n%s", err, out.String())
-	}
-	if !reflect.DeepEqual(defaultGot, view.ConfigSecretsProfileDefault{}) {
-		t.Fatalf("default get JSON = %#v, want empty default wrapper", defaultGot)
-	}
 }
 
-func TestConfigSecretsProfileSetCreateUpdateAndPreserveUnrelatedConfig(t *testing.T) {
-	cfg := testConfig()
-	path := saveTestConfig(t, cfg)
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal-keychain", "--backend", "keychain", "--label", " Personal Keychain "}); err != nil {
-		t.Fatalf("Execute create: %v", err)
-	}
-	wantText := "Secrets profile: personal-keychain\nLabel: Personal Keychain\nBackend: keychain\nSource: configured\nDefault: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after create = %q, want %q", out.String(), wantText)
-	}
-	saved, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load after create: %v", err)
-	}
-	if got := saved.Secrets.Profiles["personal-keychain"]; got.Label != "Personal Keychain" || got.Backend.Kind != "keychain" {
-		t.Fatalf("saved secrets profile = %#v, want trimmed label + backend", got)
-	}
-	if !reflect.DeepEqual(saved.Profiles, cfg.Profiles) || !reflect.DeepEqual(saved.Data, cfg.Data) || !reflect.DeepEqual(saved.Keyring, cfg.Keyring) {
-		t.Fatalf("unrelated config changed: profiles=%#v data=%#v keyring=%#v", saved.Profiles, saved.Data, saved.Keyring)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal-keychain", "--backend", "file", "--clear-label"}); err != nil {
-		t.Fatalf("Execute update: %v", err)
-	}
-	wantText = "Secrets profile: personal-keychain\nBackend: file\nSource: configured\nDefault: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after update = %q, want %q", out.String(), wantText)
-	}
-	saved, err = config.Load(path)
-	if err != nil {
-		t.Fatalf("Load after update: %v", err)
-	}
-	if got := saved.Secrets.Profiles["personal-keychain"]; got.Label != "" || got.Backend.Kind != "file" {
-		t.Fatalf("updated secrets profile = %#v, want cleared label + file backend", got)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal-keychain", "--label", " Renamed profile "}); err != nil {
-		t.Fatalf("Execute label-only update: %v", err)
-	}
-	wantText = "Secrets profile: personal-keychain\nLabel: Renamed profile\nBackend: file\nSource: configured\nDefault: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after label-only update = %q, want %q", out.String(), wantText)
-	}
-	saved, err = config.Load(path)
-	if err != nil {
-		t.Fatalf("Load after label-only update: %v", err)
-	}
-	if got := saved.Secrets.Profiles["personal-keychain"]; got.Label != "Renamed profile" || got.Backend.Kind != "file" {
-		t.Fatalf("label-only update profile = %#v, want renamed label + preserved backend", got)
-	}
-}
-
-func TestConfigSecretsProfileSetCreateWithoutLabel(t *testing.T) {
+func TestConfigCredentialStoreMutatingCommandsAreUnavailable(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal-keychain", "--backend", "keychain"}); err != nil {
-		t.Fatalf("Execute create without label: %v", err)
-	}
-	wantText := "Secrets profile: personal-keychain\nBackend: keychain\nSource: configured\nDefault: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout = %q, want %q", out.String(), wantText)
-	}
-	saved, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-	if got := saved.Secrets.Profiles["personal-keychain"]; got.Label != "" || got.Backend.Kind != "keychain" {
-		t.Fatalf("saved profile = %#v, want empty label + keychain backend", got)
-	}
-}
-
-func TestConfigSecretsProfileSetRejectsLabelEdgeCases(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, _ := newTestCommand(path)
-
-	err := root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal", "--backend", "keychain", "--label", "name", "--clear-label"})
-	if err == nil || exitcode.FromError(err) != exitcode.UsageError {
-		t.Fatalf("conflicting label flags error = %v, want usage error", err)
-	}
-
-	cmd, _ = newTestCommand(path)
-	err = root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal", "--backend", "keychain", "--label", "   "})
-	if err == nil || exitcode.FromError(err) != exitcode.UsageError {
-		t.Fatalf("blank label error = %v, want usage error", err)
-	}
-}
-
-func TestConfigSecretsProfileSetAndGetOnePasswordBackend(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
-
-	args := []string{
-		"config", "secrets-profile", "set", "work-op",
-		"--backend", "op-connect",
-		"--label", "Work Connect",
-		"--op-vault-id", "vault-123",
-		"--op-timeout", "7s",
-		"--op-connect-host", "https://connect.example",
-		"--op-connect-token-env", "CUSTOM_CONNECT_TOKEN",
-		"--op-item-title-prefix", "cr",
-	}
-	if err := root.Execute(cmd, args); err != nil {
-		t.Fatalf("Execute create op-connect: %v", err)
-	}
-	wantText := "" +
-		"Secrets profile: work-op\n" +
-		"Label: Work Connect\n" +
-		"Backend: op-connect\n" +
-		"1Password timeout: 7s\n" +
-		"1Password vault id: vault-123\n" +
-		"1Password item title prefix: cr\n" +
-		"1Password Connect host: https://connect.example\n" +
-		"1Password Connect token env: CUSTOM_CONNECT_TOKEN\n" +
-		"Source: configured\n" +
-		"Default: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after op-connect create = %q, want %q", out.String(), wantText)
-	}
-
-	saved, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load after op-connect create: %v", err)
-	}
-	got := saved.Secrets.Profiles["work-op"]
-	if got.Backend.Kind != "op-connect" || got.Backend.OnePassword == nil {
-		t.Fatalf("saved backend = %#v, want op-connect payload", got.Backend)
-	}
-	if got.Backend.OnePassword.ConnectTokenEnv != "CUSTOM_CONNECT_TOKEN" || got.Backend.OnePassword.ConnectHost != "https://connect.example" {
-		t.Fatalf("saved onepassword payload = %#v, want connect settings", got.Backend.OnePassword)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "get", "work-op", "--json"}); err != nil {
-		t.Fatalf("Execute get op-connect: %v", err)
-	}
-	var viewGot view.ConfigSecretsProfile
-	if err := json.Unmarshal(out.Bytes(), &viewGot); err != nil {
-		t.Fatalf("Unmarshal get JSON: %v\n%s", err, out.String())
-	}
-	if viewGot.Backend != "op-connect" || viewGot.BackendInfo == nil || viewGot.BackendInfo.OnePassword == nil {
-		t.Fatalf("get JSON = %#v, want backend details", viewGot)
-	}
-	if viewGot.BackendInfo.OnePassword.ConnectTokenEnv != "CUSTOM_CONNECT_TOKEN" || viewGot.BackendInfo.OnePassword.DesktopAccountEnv != "" {
-		t.Fatalf("get JSON backend info = %#v, want safe 1password details", viewGot.BackendInfo.OnePassword)
-	}
-}
-
-func TestConfigSecretsProfileSetShowsNormalizedOnePasswordDefaults(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{
-		"config", "secrets-profile", "set", "work-op",
-		"--backend", "op",
-		"--op-vault-id", "vault-123",
-	}); err != nil {
-		t.Fatalf("Execute create op: %v", err)
-	}
-	wantText := "" +
-		"Secrets profile: work-op\n" +
-		"Backend: op\n" +
-		"1Password timeout: 5s\n" +
-		"1Password vault id: vault-123\n" +
-		"1Password service token env: OP_SERVICE_ACCOUNT_TOKEN\n" +
-		"Source: configured\n" +
-		"Default: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after op create = %q, want %q", out.String(), wantText)
-	}
-}
-
-func TestConfigSecretsProfileBackendSwitchClearsOnePasswordPayload(t *testing.T) {
-	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{
-		Profiles: map[string]config.SecretsProfile{
-			"work-op": {
-				Backend: config.SecretsProfileBackend{
-					Kind: config.SecretsBackendKind(credstore.BackendOPConnect),
-					OnePassword: &config.SecretsProfileOnePasswordConfig{
-						VaultID:         "vault-123",
-						ConnectHost:     "https://connect.example",
-						ConnectTokenEnv: "CUSTOM_CONNECT_TOKEN",
-					},
-				},
-			},
-		},
-	}
-	path := saveTestConfig(t, cfg)
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{
-		"config", "secrets-profile", "set", "work-op",
-		"--backend", "file",
-	}); err != nil {
-		t.Fatalf("Execute backend downgrade: %v", err)
-	}
-	wantText := "" +
-		"Secrets profile: work-op\n" +
-		"Backend: file\n" +
-		"Source: configured\n" +
-		"Default: false\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after backend downgrade = %q, want %q", out.String(), wantText)
-	}
-
-	saved, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load after backend downgrade: %v", err)
-	}
-	if got := saved.Secrets.Profiles["work-op"]; got.Backend.OnePassword != nil {
-		t.Fatalf("saved backend still has 1password payload: %#v", got.Backend)
-	}
-}
-
-func TestConfigSecretsProfileSetRejectsIncompatibleOnePasswordFlags(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, _ := newTestCommand(path)
-
-	err := root.Execute(cmd, []string{
-		"config", "secrets-profile", "set", "work-op",
-		"--backend", "op",
-		"--op-vault-id", "vault-123",
-		"--op-connect-host", "https://connect.example",
-	})
-	if err == nil || exitcode.FromError(err) != exitcode.UsageError {
-		t.Fatalf("incompatible 1password flags error = %v, want usage error", err)
-	}
-
-	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{
-		Profiles: map[string]config.SecretsProfile{
-			"personal-keychain": {
-				Label:   "Personal Keychain",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendKeychain)},
-			},
-		},
-	}
-	path = saveTestConfig(t, cfg)
-	cmd, _ = newTestCommand(path)
-	err = root.Execute(cmd, []string{
-		"config", "secrets-profile", "set", "personal-keychain",
-		"--op-vault-id", "vault-123",
-	})
-	if err == nil || exitcode.FromError(err) != exitcode.UsageError {
-		t.Fatalf("non-1password profile accepted op flags: %v", err)
-	}
-}
-
-func TestConfigSecretsProfileDefaultSetUnsetAndRemove(t *testing.T) {
-	cfg := testConfig()
-	cfg.Secrets = config.SecretsConfig{
-		Profiles: map[string]config.SecretsProfile{
-			"work-file": {Label: "Work File Store", Backend: config.SecretsProfileBackend{Kind: "file"}},
-		},
-	}
-	path := saveTestConfig(t, cfg)
-	cmd, out := newTestCommand(path)
-
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "set", " work-file "}); err != nil {
-		t.Fatalf("Execute default set: %v", err)
-	}
-	wantText := "Secrets profile: work-file\nLabel: Work File Store\nBackend: file\nSource: configured\nDefault: true\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after default set = %q, want %q", out.String(), wantText)
-	}
-
-	cmd, _ = newTestCommand(path)
-	err := root.Execute(cmd, []string{"config", "secrets-profile", "remove", "work-file"})
-	if !errors.Is(err, configedit.ErrSecretsProfileDefaultConfigured) {
-		t.Fatalf("remove default error = %v, want ErrSecretsProfileDefaultConfigured", err)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "unset"}); err != nil {
-		t.Fatalf("Execute default unset: %v", err)
-	}
-	wantText = "Secrets management profiles:\n  - work-file: Work File Store (file, configured)\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after default unset = %q, want %q", out.String(), wantText)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "remove", "work-file"}); err != nil {
-		t.Fatalf("Execute remove existing: %v", err)
-	}
-	wantText = "Secrets management profiles:\n  - legacy-default: Legacy default (memory, projected_legacy) [default]\n"
-	if out.String() != wantText {
-		t.Fatalf("stdout after remove existing = %q, want %q", out.String(), wantText)
-	}
-
-	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "secrets-profile", "remove", "work-file"}); err != nil {
-		t.Fatalf("Execute remove absent: %v", err)
-	}
-	if out.String() != wantText {
-		t.Fatalf("stdout after remove absent = %q, want %q", out.String(), wantText)
-	}
-}
-
-func TestConfigSecretsProfileReservedAndInvalidBackendErrors(t *testing.T) {
-	path := saveTestConfig(t, testConfig())
-	cmd, _ := newTestCommand(path)
-
-	err := root.Execute(cmd, []string{"config", "secrets-profile", "default", "set", "legacy-default"})
-	if err == nil || exitcode.FromError(err) != exitcode.UsageError {
-		t.Fatalf("default set reserved error = %v, want usage error", err)
-	}
-
-	cmd, _ = newTestCommand(path)
-	err = root.Execute(cmd, []string{"config", "secrets-profile", "set", "personal", "--backend", "bogus"})
-	if err == nil || exitcode.FromError(err) != exitcode.UsageError {
-		t.Fatalf("invalid backend error = %v, want usage error", err)
+	for _, args := range [][]string{
+		{"config", "credential-store", "set", "work-file", "--backend", "file"},
+		{"config", "credential-store", "remove", "work-file"},
+		{"config", "credential-store", "default", "get"},
+		{"config", "secrets-profile", "list"},
+	} {
+		cmd, _ := newTestCommand(path)
+		err := root.Execute(cmd, args)
+		if err == nil {
+			t.Fatalf("Execute(%v) error = nil, want unavailable command", args)
+		}
+		if got := exitcode.FromError(err); got != exitcode.UsageError {
+			t.Fatalf("Execute(%v) exit code = %d, want %d; err=%v", args, got, exitcode.UsageError, err)
+		}
 	}
 }
 
@@ -823,11 +331,11 @@ func TestConfigRouteListJSON(t *testing.T) {
 	}
 }
 
-func TestConfigRouteSetNamespaceRouteUsesDefaultProfile(t *testing.T) {
+func TestConfigRouteSetNamespaceRouteUsesSelectedProfile(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "route", "set", "--host", "https://github.com/", "--namespace", "open-cli-collective"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "route", "set", "--host", "https://github.com/", "--namespace", "open-cli-collective"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if got := out.String(); got != "Set route for profile home: github.com/open-cli-collective\n" {
@@ -980,7 +488,7 @@ func TestConfigRouteSetRejectsHostMismatch(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, _ := newTestCommand(path)
 
-	err := root.Execute(cmd, []string{"config", "route", "set", "--host", "gitlab.com", "--namespace", "open-cli-collective"})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "route", "set", "--host", "gitlab.com", "--namespace", "open-cli-collective"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want usage error")
 	}
@@ -993,7 +501,7 @@ func TestConfigRouteSetRejectsBlankRepo(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, _ := newTestCommand(path)
 
-	err := root.Execute(cmd, []string{"config", "route", "set", "--host", "github.com", "--namespace", "rianjs", "--repo", " "})
+	err := root.Execute(cmd, []string{"--profile", "work", "config", "route", "set", "--host", "github.com", "--namespace", "rianjs", "--repo", " "})
 	if err == nil {
 		t.Fatal("Execute error = nil, want usage error")
 	}
@@ -1226,19 +734,19 @@ func TestConfigResolveProfileText(t *testing.T) {
 	}
 }
 
-func TestConfigResolveProfileJSON(t *testing.T) {
+func TestConfigResolveProfileRejectsUnmatchedRoute(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
+	cmd, _ := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "resolve-profile", "https://github.com/open-cli-collective/codereview-cli/pull/1", "--json"}); err != nil {
-		t.Fatalf("Execute: %v", err)
+	err := root.Execute(cmd, []string{"config", "resolve-profile", "https://github.com/open-cli-collective/codereview-cli/pull/1", "--json"})
+	if !errors.Is(err, config.ErrProfileNotFound) {
+		t.Fatalf("Execute error = %v, want ErrProfileNotFound", err)
 	}
-	var got view.ConfigResolveProfile
-	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
-		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
+	if got := exitcode.FromError(err); got != exitcode.AuthConfigError {
+		t.Fatalf("exit code = %d, want %d", got, exitcode.AuthConfigError)
 	}
-	if got.ResolvedProfile != "home" || got.Source != "default_profile" || got.GitHost != "github.com" || got.MatchedRoute != nil {
-		t.Fatalf("resolve-profile JSON = %#v, want default-profile preview", got)
+	if !strings.Contains(err.Error(), "no repository profile route matched github.com/open-cli-collective/codereview-cli") {
+		t.Fatalf("error = %v, want unmatched route guidance", err)
 	}
 }
 
@@ -1310,7 +818,7 @@ func TestConfigResolveProfileRejectsHostMismatchAfterResolution(t *testing.T) {
 	path := saveTestConfig(t, cfg)
 	cmd, _ := newTestCommand(path)
 
-	err := root.Execute(cmd, []string{"config", "resolve-profile", "https://github.com/open-cli-collective/codereview-cli/pull/1"})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "resolve-profile", "https://github.com/open-cli-collective/codereview-cli/pull/1"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want usage error")
 	}
@@ -1336,19 +844,19 @@ func TestConfigResolveProfileRejectsHostMismatchForExplicitProfile(t *testing.T)
 	}
 }
 
-func TestConfigResolveProfileExplicitEmptyProfileUsesExplicitSource(t *testing.T) {
+func TestConfigResolveProfileExplicitEmptyProfileRejectsMissingSelection(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
-	cmd, out := newTestCommand(path)
+	cmd, _ := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"--profile", "", "config", "resolve-profile", "https://github.com/open-cli-collective/codereview-cli/pull/1", "--json"}); err != nil {
-		t.Fatalf("Execute: %v", err)
+	err := root.Execute(cmd, []string{"--profile", "", "config", "resolve-profile", "https://github.com/open-cli-collective/codereview-cli/pull/1", "--json"})
+	if !errors.Is(err, config.ErrProfileNotFound) {
+		t.Fatalf("Execute error = %v, want ErrProfileNotFound", err)
 	}
-	var got view.ConfigResolveProfile
-	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
-		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
+	if got := exitcode.FromError(err); got != exitcode.AuthConfigError {
+		t.Fatalf("exit code = %d, want %d", got, exitcode.AuthConfigError)
 	}
-	if got.ResolvedProfile != "home" || got.Source != "explicit_profile" {
-		t.Fatalf("resolve-profile JSON = %#v, want explicit empty-profile source", got)
+	if !strings.Contains(err.Error(), "no profile selected") {
+		t.Fatalf("error = %v, want no-profile-selected guidance", err)
 	}
 }
 
@@ -1416,7 +924,7 @@ func TestConfigShowJSONReportsAgentSourceDeploymentStatus(t *testing.T) {
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "show", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "show", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if strings.Contains(out.String(), "Do not inline this prompt") {
@@ -1455,23 +963,27 @@ func hasConfigSourceWarning(warnings []string, want string) bool {
 	return false
 }
 
-func TestConfigShowReportsUnknownPresenceWhenKeyringCannotBeQueried(t *testing.T) {
-	t.Setenv("XDG_DATA_HOME", t.TempDir())
+func TestConfigShowReportsUnknownPresenceWhenCredentialStoreCannotBeQueried(t *testing.T) {
+	statedirtest.Hermetic(t)
 	t.Setenv("CODEREVIEW_KEYRING_PASSPHRASE", "")
 	cfg := testConfig()
-	cfg.Keyring.Backend = "file"
+	cfg.Secrets.Stores[testFileCredentialStoreID] = config.SecretsStore{
+		DisplayName: "Test File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+	}
+	cfg = withCredentialStore(cfg, testFileCredentialStoreID)
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "show", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "show", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigShow
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.Backend != "file" || got.BackendSource != "config" {
-		t.Fatalf("backend = (%q,%q), want (file,config)", got.Backend, got.BackendSource)
+	if got.Backend != "file" || got.BackendSource != "credential_store" {
+		t.Fatalf("backend = (%q,%q), want (file,credential_store)", got.Backend, got.BackendSource)
 	}
 	if len(got.CredentialRefs) != 1 || len(got.CredentialRefs[0].Keys) != 1 {
 		t.Fatalf("credential refs = %#v, want one key status", got.CredentialRefs)
@@ -1482,102 +994,114 @@ func TestConfigShowReportsUnknownPresenceWhenKeyringCannotBeQueried(t *testing.T
 	}
 }
 
-func TestConfigShowReportsProjectedLegacySecretsProfile(t *testing.T) {
+func TestConfigShowReportsEffectiveCredentialStores(t *testing.T) {
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "show", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "show", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigShow
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.Backend != "memory" || got.BackendSource != "config" {
-		t.Fatalf("backend = (%q,%q), want (memory,config)", got.Backend, got.BackendSource)
+	if got.Backend != "memory" || got.BackendSource != "credential_store" {
+		t.Fatalf("backend = (%q,%q), want (memory,credential_store)", got.Backend, got.BackendSource)
 	}
 	want := []config.EffectiveSecretsProfile{{
-		ID:        config.LegacyProjectedSecretsProfileID,
-		Label:     "Legacy default",
-		Backend:   "memory",
-		IsDefault: true,
-		Source:    config.EffectiveSecretsProfileSourceProjectedLegacy,
+		ID:          config.LocalOSCredentialStoreID,
+		DisplayName: "OS credential store",
+		Label:       "OS credential store",
+		Backend:     config.ProjectedOSCredentialStoreBackendKind,
+		ReadOnly:    true,
+		Source:      config.EffectiveSecretsStoreSourceBuiltIn,
+	}, {
+		ID:          "test-memory",
+		DisplayName: "Test Memory Store",
+		Label:       "Test Memory Store",
+		Backend:     "memory",
+		Source:      config.EffectiveSecretsStoreSourceConfigured,
 	}}
 	if !reflect.DeepEqual(got.SecretsProfiles, want) {
-		t.Fatalf("secrets_profiles = %#v, want %#v", got.SecretsProfiles, want)
+		t.Fatalf("credential stores = %#v, want %#v", got.SecretsProfiles, want)
 	}
 }
 
-func TestConfigShowSeparatesRuntimeBackendFromConfiguredSecretsProfiles(t *testing.T) {
+func TestConfigShowSelectsProfileCredentialStore(t *testing.T) {
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
-	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
-			"personal-keychain": {
-				Label:   "Personal Keychain",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("keychain")},
-			},
-			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("file")},
-			},
-		},
+	cfg.Secrets.Stores["personal-keychain"] = config.SecretsStore{
+		DisplayName: "Personal Keychain",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("keychain")},
+	}
+	cfg.Secrets.Stores["work-file"] = config.SecretsStore{
+		DisplayName: "Work File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("file")},
 	}
+	cfg = withCredentialStore(cfg, "work-file")
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "show", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "show", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigShow
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.Backend != "file" || got.BackendSource != "secrets_profile" {
-		t.Fatalf("backend = (%q,%q), want selected secrets-profile backend (file,secrets_profile)", got.Backend, got.BackendSource)
+	if got.Backend != "file" || got.BackendSource != "credential_store" {
+		t.Fatalf("backend = (%q,%q), want selected credential-store backend (file,credential_store)", got.Backend, got.BackendSource)
 	}
 	if got.ActiveSecretsProfile == nil || got.ActiveSecretsProfile.ID != "work-file" || got.ActiveSecretsProfile.Label != "Work File Store" {
-		t.Fatalf("active_secrets_profile = %#v, want work-file", got.ActiveSecretsProfile)
+		t.Fatalf("active credential store = %#v, want work-file", got.ActiveSecretsProfile)
 	}
 	want := []config.EffectiveSecretsProfile{
 		{
-			ID:      "personal-keychain",
-			Label:   "Personal Keychain",
-			Backend: "keychain",
-			Source:  config.EffectiveSecretsProfileSourceConfigured,
+			ID:          config.LocalOSCredentialStoreID,
+			DisplayName: "OS credential store",
+			Label:       "OS credential store",
+			Backend:     config.ProjectedOSCredentialStoreBackendKind,
+			ReadOnly:    true,
+			Source:      config.EffectiveSecretsStoreSourceBuiltIn,
 		},
 		{
-			ID:        "work-file",
-			Label:     "Work File Store",
-			Backend:   "file",
-			IsDefault: true,
-			Source:    config.EffectiveSecretsProfileSourceConfigured,
+			ID:          "personal-keychain",
+			DisplayName: "Personal Keychain",
+			Label:       "Personal Keychain",
+			Backend:     "keychain",
+			Source:      config.EffectiveSecretsProfileSourceConfigured,
+		},
+		{
+			ID:          "test-memory",
+			DisplayName: "Test Memory Store",
+			Label:       "Test Memory Store",
+			Backend:     "memory",
+			Source:      config.EffectiveSecretsProfileSourceConfigured,
+		},
+		{
+			ID:          "work-file",
+			DisplayName: "Work File Store",
+			Label:       "Work File Store",
+			Backend:     "file",
+			Source:      config.EffectiveSecretsProfileSourceConfigured,
 		},
 	}
 	if !reflect.DeepEqual(got.SecretsProfiles, want) {
-		t.Fatalf("secrets_profiles = %#v, want %#v", got.SecretsProfiles, want)
+		t.Fatalf("credential stores = %#v, want %#v", got.SecretsProfiles, want)
 	}
 }
 
-func TestConfigShowRejectsBackendOverrideForNamedSecretsProfile(t *testing.T) {
+func TestConfigShowRejectsBackendOverrideForCredentialStore(t *testing.T) {
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
-	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
-			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("file")},
-			},
-		},
+	cfg.Secrets.Stores["work-file"] = config.SecretsStore{
+		DisplayName: "Work File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("file")},
 	}
+	cfg = withCredentialStore(cfg, "work-file")
 	path := saveTestConfig(t, cfg)
 	cmd, _ := newTestCommand(path)
 
-	err := root.Execute(cmd, []string{"--backend", "memory", "config", "show", "--json"})
+	err := root.Execute(cmd, []string{"--backend", "memory", "--profile", "home", "config", "show", "--json"})
 	if !errors.Is(err, config.ErrInvalid) {
 		t.Fatalf("Execute error = %v, want ErrInvalid", err)
 	}
@@ -1626,7 +1150,7 @@ func TestConfigAgentSourceListText(t *testing.T) {
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "agent-source", "list"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "list"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	want := "Profile: home\nAgent sources:\n  - ~/agents\n  - ../shared/agents\n"
@@ -1660,7 +1184,7 @@ func TestConfigAgentSourceListJSONEmptyArray(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "agent-source", "list", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "list", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigAgentSources
@@ -1680,7 +1204,7 @@ func TestConfigAgentSourceAddNormalizesAndIsIdempotent(t *testing.T) {
 	path := saveTestConfig(t, cfg)
 
 	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "agent-source", "add", " ./agents/../agents/team/ "}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "add", " ./agents/../agents/team/ "}); err != nil {
 		t.Fatalf("Execute add: %v", err)
 	}
 	want := "Profile: home\nAgent sources:\n  -  ./agents/../agents/team/ \n"
@@ -1689,7 +1213,7 @@ func TestConfigAgentSourceAddNormalizesAndIsIdempotent(t *testing.T) {
 	}
 
 	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "agent-source", "add", "./agents/../agents/team"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "add", "./agents/../agents/team"}); err != nil {
 		t.Fatalf("Execute second add: %v", err)
 	}
 	if out.String() != want {
@@ -1714,7 +1238,7 @@ func TestConfigAgentSourceRemoveIsIdempotent(t *testing.T) {
 	path := saveTestConfig(t, cfg)
 
 	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "agent-source", "remove", " ./agents/../agents/team "}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "remove", " ./agents/../agents/team "}); err != nil {
 		t.Fatalf("Execute remove: %v", err)
 	}
 	want := "Profile: home\nAgent sources:\n  - ../shared/agents\n"
@@ -1723,7 +1247,7 @@ func TestConfigAgentSourceRemoveIsIdempotent(t *testing.T) {
 	}
 
 	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "agent-source", "remove", "./missing"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "remove", "./missing"}); err != nil {
 		t.Fatalf("Execute second remove: %v", err)
 	}
 	if out.String() != want {
@@ -1806,7 +1330,7 @@ func TestConfigAgentSourcePreservesUnrelatedProfileFields(t *testing.T) {
 		t.Fatalf("Load baseline: %v", err)
 	}
 
-	if err := root.Execute(cmd, []string{"config", "agent-source", "add", "./team/agents"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "add", "./team/agents"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 
@@ -1826,7 +1350,7 @@ func TestConfigAgentSourceAddRejectsBlankPath(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, _ := newTestCommand(path)
 
-	err := root.Execute(cmd, []string{"config", "agent-source", "add", "   "})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "add", "   "})
 	if err == nil {
 		t.Fatal("Execute error = nil, want usage error")
 	}
@@ -1842,7 +1366,7 @@ func TestConfigAgentSourceRemoveRejectsBlankPath(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	cmd, _ := newTestCommand(path)
 
-	err := root.Execute(cmd, []string{"config", "agent-source", "remove", "   "})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "agent-source", "remove", "   "})
 	if err == nil {
 		t.Fatal("Execute error = nil, want usage error")
 	}
@@ -2086,7 +1610,7 @@ func TestConfigLLMModelsListAndResolve(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 
 	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "list"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "list"}); err != nil {
 		t.Fatalf("Execute list: %v", err)
 	}
 	if !strings.Contains(out.String(), "small: <unset> (unset)") ||
@@ -2096,7 +1620,7 @@ func TestConfigLLMModelsListAndResolve(t *testing.T) {
 	}
 
 	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "list", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "list", "--json"}); err != nil {
 		t.Fatalf("Execute list json: %v", err)
 	}
 	var listed modelMapResultView
@@ -2108,7 +1632,7 @@ func TestConfigLLMModelsListAndResolve(t *testing.T) {
 	}
 
 	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "resolve", "medium", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "resolve", "medium", "--json"}); err != nil {
 		t.Fatalf("Execute resolve json: %v", err)
 	}
 	var resolved modelResolveResult
@@ -2124,7 +1648,7 @@ func TestConfigLLMModelsSetUnsetAndReset(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 
 	cmd, out := newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "set", "medium", "claude-custom"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "set", "medium", "claude-custom"}); err != nil {
 		t.Fatalf("Execute set: %v", err)
 	}
 	if !strings.Contains(out.String(), "Set medium: claude-custom") {
@@ -2139,7 +1663,7 @@ func TestConfigLLMModelsSetUnsetAndReset(t *testing.T) {
 	}
 
 	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "unset", "medium"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "unset", "medium"}); err != nil {
 		t.Fatalf("Execute unset: %v", err)
 	}
 	if !strings.Contains(out.String(), "Unset medium") {
@@ -2154,11 +1678,11 @@ func TestConfigLLMModelsSetUnsetAndReset(t *testing.T) {
 	}
 
 	cmd, _ = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "set", "large", "claude-large"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "set", "large", "claude-large"}); err != nil {
 		t.Fatalf("Execute second set: %v", err)
 	}
 	cmd, out = newTestCommand(path)
-	if err := root.Execute(cmd, []string{"config", "llm", "models", "reset", "--provider", "anthropic"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "llm", "models", "reset", "--provider", "anthropic"}); err != nil {
 		t.Fatalf("Execute reset: %v", err)
 	}
 	if !strings.Contains(out.String(), "Reset model map for profile home") {
@@ -2238,9 +1762,9 @@ func TestConfigLLMModelsRejectsInvalidInputs(t *testing.T) {
 		name string
 		args []string
 	}{
-		{name: "bad tier", args: []string{"config", "llm", "models", "set", "flagship", "gpt"}},
-		{name: "blank model", args: []string{"config", "llm", "models", "set", "medium", " \t "}},
-		{name: "provider guard mismatch", args: []string{"config", "llm", "models", "reset", "--provider", "openai"}},
+		{name: "bad tier", args: []string{"--profile", "home", "config", "llm", "models", "set", "flagship", "gpt"}},
+		{name: "blank model", args: []string{"--profile", "home", "config", "llm", "models", "set", "medium", " \t "}},
+		{name: "provider guard mismatch", args: []string{"--profile", "home", "config", "llm", "models", "reset", "--provider", "openai"}},
 	}
 
 	for _, tt := range tests {
@@ -2311,13 +1835,19 @@ func TestConfigShowMissingProfileExitCode(t *testing.T) {
 
 func TestConfigShowInvalidEnumExitCode(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeRawConfig(t, path, `default_profile: home
+	writeRawConfig(t, path, `secrets:
+  stores:
+    test-memory:
+      backend:
+        kind: memory
 profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: test-memory
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -2336,13 +1866,19 @@ profiles:
 
 func TestConfigShowReservedAuthModeExitCode(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeRawConfig(t, path, `default_profile: home
+	writeRawConfig(t, path, `secrets:
+  stores:
+    test-memory:
+      backend:
+        kind: memory
 profiles:
   home:
     git:
       host: github.com
       auth_mode: oauth_device
-      credential_ref: codereview/home
+      credential:
+        store: test-memory
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -2367,7 +1903,7 @@ func TestConfigClearDefaultClearsActiveProfileOnlyAndPreservesData(t *testing.T)
 	seedFileBackend(t, "work-llm", map[string]string{credentials.AnthropicAPIKeyKey: "llm-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigClear
@@ -2398,7 +1934,7 @@ func TestConfigClearDryRunReportsActiveProfileAndPreservesState(t *testing.T) {
 	seedFileBackend(t, "work", map[string]string{credentials.GitTokenKey: "work-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--dry-run", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--dry-run", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigClear
@@ -2435,6 +1971,7 @@ func TestConfigClearGitHubAppCredentialMatrix(t *testing.T) {
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
 	home.Git.CredentialRef = "codereview/home-app"
+	home.Git.Credential.Name = "codereview/home-app"
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
 	appKeys := []string{
@@ -2449,7 +1986,7 @@ func TestConfigClearGitHubAppCredentialMatrix(t *testing.T) {
 	})
 
 	dryRunCmd, dryRunOut := newTestCommand(path)
-	if err := root.Execute(dryRunCmd, []string{"config", "clear", "--dry-run", "--json"}); err != nil {
+	if err := root.Execute(dryRunCmd, []string{"--profile", "home", "config", "clear", "--dry-run", "--json"}); err != nil {
 		t.Fatalf("Execute dry-run: %v", err)
 	}
 	var dryRun view.ConfigClear
@@ -2462,7 +1999,7 @@ func TestConfigClearGitHubAppCredentialMatrix(t *testing.T) {
 	assertFileBackendKeys(t, "home-app", appKeys)
 
 	clearCmd, clearOut := newTestCommand(path)
-	if err := root.Execute(clearCmd, []string{"config", "clear", "--json"}); err != nil {
+	if err := root.Execute(clearCmd, []string{"--profile", "home", "config", "clear", "--json"}); err != nil {
 		t.Fatalf("Execute clear: %v", err)
 	}
 	var cleared view.ConfigClear
@@ -2482,7 +2019,7 @@ func TestConfigClearDryRunTextReportsDryRun(t *testing.T) {
 	seedFileBackend(t, "home", map[string]string{credentials.GitTokenKey: "home-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--dry-run"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--dry-run"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	got := out.String()
@@ -2503,14 +2040,13 @@ func TestConfigClearDryRunTextReportsDryRun(t *testing.T) {
 
 func TestConfigClearAllDryRunTextReportsPredictedReset(t *testing.T) {
 	cfg := fileBackendConfig(t)
-	cfg.DefaultProfile = "work"
 	path := saveTestConfig(t, cfg)
 	cacheFile := writeCacheSentinel(t)
 	seedFileBackend(t, "home", map[string]string{credentials.GitTokenKey: "home-token"})
 	seedFileBackend(t, "work", map[string]string{credentials.GitTokenKey: "work-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--all", "--dry-run"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "work", "config", "clear", "--all", "--dry-run"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	got := out.String()
@@ -2518,7 +2054,6 @@ func TestConfigClearAllDryRunTextReportsPredictedReset(t *testing.T) {
 		"Dry run: true",
 		"Credential targets:",
 		"Config profile removed: work",
-		"Default profile: home",
 		"Cache status: would_remove",
 	} {
 		if !strings.Contains(got, want) {
@@ -2531,13 +2066,15 @@ func TestConfigClearAllDryRunTextReportsPredictedReset(t *testing.T) {
 	}
 }
 
-func TestConfigClearAllClearsOnlyDefaultProfileAndRemovesCache(t *testing.T) {
+func TestConfigClearAllClearsOnlySelectedProfileAndRemovesCache(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	alpha := cfg.Profiles["home"]
 	alpha.Git.CredentialRef = "codereview/alpha"
+	alpha.Git.Credential.Name = "codereview/alpha"
 	cfg.Profiles["alpha"] = alpha
 	beta := cfg.Profiles["home"]
 	beta.Git.CredentialRef = "codereview/beta"
+	beta.Git.Credential.Name = "codereview/beta"
 	cfg.Profiles["beta"] = beta
 	path := saveTestConfig(t, cfg)
 	cacheFile := writeCacheSentinel(t)
@@ -2551,21 +2088,21 @@ func TestConfigClearAllClearsOnlyDefaultProfileAndRemovesCache(t *testing.T) {
 	seedFileBackend(t, "work-llm", map[string]string{credentials.AnthropicAPIKeyKey: "llm-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--all", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigClear
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.Backend != "file" || got.BackendSource != "config" {
-		t.Fatalf("backend = (%q,%q), want (file,config)", got.Backend, got.BackendSource)
+	if got.Backend != "file" || got.BackendSource != "credential_store" {
+		t.Fatalf("backend = (%q,%q), want (file,credential_store)", got.Backend, got.BackendSource)
 	}
 	if len(got.Cleared) != 1 || got.Cleared[0].Ref != "codereview/home" {
 		t.Fatalf("cleared = %#v, want default home ref only", got.Cleared)
 	}
-	if got.ConfigProfileRemoved != "home" || got.DefaultProfile != "alpha" {
-		t.Fatalf("config clear fields = profile:%q default:%q, want home/alpha", got.ConfigProfileRemoved, got.DefaultProfile)
+	if got.ConfigProfileRemoved != "home" {
+		t.Fatalf("config clear profile = %q, want removed home", got.ConfigProfileRemoved)
 	}
 	if got.ConfigPathRemoved != "" {
 		t.Fatalf("config_path_removed = %q, want empty because work remains", got.ConfigPathRemoved)
@@ -2594,9 +2131,6 @@ func TestConfigClearAllClearsOnlyDefaultProfileAndRemovesCache(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Load remaining config: %v", err)
 	}
-	if cfg.DefaultProfile != "alpha" {
-		t.Fatalf("default_profile = %q, want alpha", cfg.DefaultProfile)
-	}
 	if len(cfg.Profiles) != 3 {
 		t.Fatalf("profiles len = %d, want alpha/beta/work", len(cfg.Profiles))
 	}
@@ -2616,7 +2150,6 @@ func TestConfigClearAllClearsOnlyDefaultProfileAndRemovesCache(t *testing.T) {
 
 func TestConfigClearAllDryRunReportsProfileCacheAndPreservesState(t *testing.T) {
 	cfg := fileBackendConfig(t)
-	cfg.DefaultProfile = "work"
 	cfg.RepositoryProfiles = []config.RepositoryProfile{
 		{
 			Profile: "work",
@@ -2659,8 +2192,8 @@ func TestConfigClearAllDryRunReportsProfileCacheAndPreservesState(t *testing.T)
 	if !got.DryRun {
 		t.Fatalf("dry_run = false, want true")
 	}
-	if got.ConfigProfileRemoved != "work" || got.DefaultProfile != "home" || got.ConfigPathRemoved != "" {
-		t.Fatalf("config dry-run fields = profile:%q default:%q path:%q, want work/home with retained path", got.ConfigProfileRemoved, got.DefaultProfile, got.ConfigPathRemoved)
+	if got.ConfigProfileRemoved != "work" || got.ConfigPathRemoved != "" {
+		t.Fatalf("config dry-run fields = profile:%q path:%q, want work removal preview with retained path", got.ConfigProfileRemoved, got.ConfigPathRemoved)
 	}
 	if got.Cache == nil || got.Cache.Status != "would_remove" {
 		t.Fatalf("cache = %#v, want would_remove", got.Cache)
@@ -2714,20 +2247,19 @@ func TestConfigClearAllDryRunReportsProfileCacheAndPreservesState(t *testing.T)
 func TestConfigClearAllDryRunSingleProfileReportsConfigPathRemoval(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	cfg.Profiles = map[string]config.Profile{"home": cfg.Profiles["home"]}
-	cfg.DefaultProfile = "home"
 	path := saveTestConfig(t, cfg)
 	seedFileBackend(t, "home", map[string]string{credentials.GitTokenKey: "home-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--all", "--dry-run", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all", "--dry-run", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigClear
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if !got.DryRun || got.ConfigProfileRemoved != "home" || got.DefaultProfile != "" || got.ConfigPathRemoved != path {
-		t.Fatalf("config dry-run fields = dry:%t profile:%q default:%q path:%q, want single-profile removal preview", got.DryRun, got.ConfigProfileRemoved, got.DefaultProfile, got.ConfigPathRemoved)
+	if !got.DryRun || got.ConfigProfileRemoved != "home" || got.ConfigPathRemoved != path {
+		t.Fatalf("config dry-run fields = dry:%t profile:%q path:%q, want single-profile removal preview", got.DryRun, got.ConfigProfileRemoved, got.ConfigPathRemoved)
 	}
 	assertFileBackendPresent(t, "home", credentials.GitTokenKey)
 	if _, err := os.Stat(path); err != nil {
@@ -2746,7 +2278,7 @@ func TestConfigClearAllDryRunReportsMissingCache(t *testing.T) {
 	t.Cleanup(func() { resolveCacheRoot = oldResolve })
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--all", "--dry-run", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all", "--dry-run", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigClear
@@ -2798,8 +2330,8 @@ func TestConfigClearProfileAllClearsOnlySelectedProfile(t *testing.T) {
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.ConfigProfileRemoved != "work" || got.DefaultProfile != "" {
-		t.Fatalf("config clear fields = profile:%q default:%q, want removed work with unchanged default omitted", got.ConfigProfileRemoved, got.DefaultProfile)
+	if got.ConfigProfileRemoved != "work" {
+		t.Fatalf("config clear profile = %q, want removed work", got.ConfigProfileRemoved)
 	}
 	if got.Cache == nil || got.Cache.Status != "removed" {
 		t.Fatalf("cache = %#v, want removed", got.Cache)
@@ -2815,7 +2347,7 @@ func TestConfigClearProfileAllClearsOnlySelectedProfile(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Load remaining config: %v", err)
 	}
-	if cfg.DefaultProfile != "home" || len(cfg.Profiles) != 1 {
+	if len(cfg.Profiles) != 1 {
 		t.Fatalf("remaining config = %#v, want home only", cfg)
 	}
 	if len(cfg.RepositoryProfiles) != 1 || cfg.RepositoryProfiles[0].Profile != "home" {
@@ -2834,12 +2366,12 @@ func TestConfigClearProfileAllClearsOnlySelectedProfile(t *testing.T) {
 	}
 }
 
-func TestConfigClearProfileAllReselectsDefaultWhenSelectedProfileIsDefault(t *testing.T) {
+func TestConfigClearProfileAllPrunesSelectedProfileRoutes(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	alpha := cfg.Profiles["home"]
 	alpha.Git.CredentialRef = "codereview/alpha"
+	alpha.Git.Credential.Name = "codereview/alpha"
 	cfg.Profiles["alpha"] = alpha
-	cfg.DefaultProfile = "work"
 	cfg.RepositoryProfiles = []config.RepositoryProfile{
 		{
 			Profile: "work",
@@ -2877,8 +2409,8 @@ func TestConfigClearProfileAllReselectsDefaultWhenSelectedProfileIsDefault(t *te
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.ConfigProfileRemoved != "work" || got.DefaultProfile != "alpha" {
-		t.Fatalf("config clear fields = profile:%q default:%q, want work/alpha", got.ConfigProfileRemoved, got.DefaultProfile)
+	if got.ConfigProfileRemoved != "work" {
+		t.Fatalf("config clear profile = %q, want removed work", got.ConfigProfileRemoved)
 	}
 	assertFileBackendMissing(t, "work", credentials.GitTokenKey)
 	assertFileBackendPresent(t, "alpha", credentials.GitTokenKey)
@@ -2887,8 +2419,8 @@ func TestConfigClearProfileAllReselectsDefaultWhenSelectedProfileIsDefault(t *te
 	if err != nil {
 		t.Fatalf("Load remaining config: %v", err)
 	}
-	if cfg.DefaultProfile != "alpha" || len(cfg.Profiles) != 2 {
-		t.Fatalf("remaining config = %#v, want alpha default with alpha/home only", cfg)
+	if len(cfg.Profiles) != 2 {
+		t.Fatalf("remaining config = %#v, want alpha/home only", cfg)
 	}
 	if len(cfg.RepositoryProfiles) != 2 {
 		t.Fatalf("repository_profiles = %#v, want two routes after pruning work", cfg.RepositoryProfiles)
@@ -2906,7 +2438,6 @@ func TestConfigClearProfileAllReselectsDefaultWhenSelectedProfileIsDefault(t *te
 func TestConfigClearAllSingleProfileRemovesConfigFileAndEmptyParent(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	cfg.Profiles = map[string]config.Profile{"home": cfg.Profiles["home"]}
-	cfg.DefaultProfile = "home"
 	configHome := t.TempDir()
 	path := saveTestConfigAt(t, filepath.Join(configHome, statepaths.AppDir, "config.yml"), cfg)
 	configDir := filepath.Dir(path)
@@ -2915,15 +2446,15 @@ func TestConfigClearAllSingleProfileRemovesConfigFileAndEmptyParent(t *testing.T
 	seedFileBackend(t, "home", map[string]string{credentials.GitTokenKey: "home-token"})
 	cmd, out := newTestCommand(path)
 
-	if err := root.Execute(cmd, []string{"config", "clear", "--all", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	var got view.ConfigClear
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.ConfigProfileRemoved != "home" || got.DefaultProfile != "" || got.ConfigPathRemoved != path {
-		t.Fatalf("config clear fields = profile:%q default:%q path:%q, want removed home config", got.ConfigProfileRemoved, got.DefaultProfile, got.ConfigPathRemoved)
+	if got.ConfigProfileRemoved != "home" || got.ConfigPathRemoved != path {
+		t.Fatalf("config clear fields = profile:%q path:%q, want removed home config", got.ConfigProfileRemoved, got.ConfigPathRemoved)
 	}
 	assertFileBackendMissing(t, "home", credentials.GitTokenKey)
 	if _, err := os.Stat(path); !os.IsNotExist(err) {
@@ -2955,7 +2486,7 @@ func TestConfigClearAllJSONIncludesCacheCleanupFailure(t *testing.T) {
 	}
 	t.Cleanup(func() { removeCacheRoot = oldRemove })
 
-	err := root.Execute(cmd, []string{"config", "clear", "--all", "--json"})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all", "--json"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want cache cleanup failure")
 	}
@@ -2989,7 +2520,7 @@ func TestConfigClearAllTextIncludesPartialResultOnCacheFailure(t *testing.T) {
 	}
 	t.Cleanup(func() { removeCacheRoot = oldRemove })
 
-	err := root.Execute(cmd, []string{"config", "clear", "--all"})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want cache cleanup failure")
 	}
@@ -2997,7 +2528,6 @@ func TestConfigClearAllTextIncludesPartialResultOnCacheFailure(t *testing.T) {
 	for _, want := range []string{
 		"Cleared credentials:",
 		"Config profile removed: home",
-		"Default profile: work",
 		"Cache status: error",
 		"Cache error: permission denied",
 	} {
@@ -3021,7 +2551,7 @@ func TestConfigClearAllJSONIncludesCacheResolutionFailure(t *testing.T) {
 	}
 	t.Cleanup(func() { resolveCacheRoot = oldResolve })
 
-	err := root.Execute(cmd, []string{"config", "clear", "--all", "--json"})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all", "--json"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want cache resolution failure")
 	}
@@ -3048,7 +2578,7 @@ func TestConfigClearAllReportsConfigMutationFailureAfterCredentialDelete(t *test
 	}
 	t.Cleanup(func() { saveConfigFile = oldSave })
 
-	err := root.Execute(cmd, []string{"config", "clear", "--all"})
+	err := root.Execute(cmd, []string{"--profile", "home", "config", "clear", "--all"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want config mutation failure")
 	}
@@ -3060,9 +2590,6 @@ func TestConfigClearAllReportsConfigMutationFailureAfterCredentialDelete(t *test
 	if loadErr != nil {
 		t.Fatalf("Load config after failed save: %v", loadErr)
 	}
-	if cfg.DefaultProfile != "home" {
-		t.Fatalf("default_profile after failed save = %q, want home", cfg.DefaultProfile)
-	}
 	if _, ok := cfg.Profiles["home"]; !ok {
 		t.Fatalf("home profile missing from on-disk config after failed save: %#v", cfg.Profiles)
 	}
@@ -3088,12 +2615,33 @@ func newTestCommandWithOptions(opts *root.Options) (*cobra.Command, *bytes.Buffe
 	return cmd, &out
 }
 
+const testFileCredentialStoreID = "test-file"
+
 func fileBackendConfig(t *testing.T) config.File {
 	t.Helper()
 	statedirtest.Hermetic(t)
 	t.Setenv("CODEREVIEW_KEYRING_PASSPHRASE", "test-passphrase")
 	cfg := testConfig()
-	cfg.Keyring.Backend = "file"
+	cfg.Secrets.Stores[testFileCredentialStoreID] = config.SecretsStore{
+		DisplayName: "Test File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+	}
+	return withCredentialStore(cfg, testFileCredentialStoreID)
+}
+
+func withCredentialStore(cfg config.File, storeID string) config.File {
+	for name, profile := range cfg.Profiles {
+		if profile.Git.Credential.Name != "" {
+			profile.Git.Credential.Store = storeID
+		}
+		if profile.ReviewerCredentials != nil && profile.ReviewerCredentials.Credential.Name != "" {
+			profile.ReviewerCredentials.Credential.Store = storeID
+		}
+		if profile.LLM.Credential.Name != "" {
+			profile.LLM.Credential.Store = storeID
+		}
+		cfg.Profiles[name] = profile
+	}
 	return cfg
 }
 
@@ -3262,13 +2810,20 @@ func writeConfigTestAgentSource(t *testing.T, root, prompt string) {
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Secrets: config.SecretsConfig{
+			Stores: map[string]config.SecretsStore{
+				"test-memory": {
+					DisplayName: "Test Memory Store",
+					Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendMemory)},
+				},
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
 					Host:          "github.com",
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/home"},
 					CredentialRef: "codereview/home",
 				},
 				LLM: config.LLMConfig{
@@ -3282,16 +2837,19 @@ func testConfig() config.File {
 				Git: config.GitConfig{
 					Host:          "github.com",
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/work"},
 					CredentialRef: "codereview/work",
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/work-reviewer"},
 					CredentialRef: "codereview/work-reviewer",
 				},
 				LLM: config.LLMConfig{
 					Provider:      config.LLMProviderAnthropic,
 					Auth:          config.LLMAuthAPIKey,
 					Adapter:       config.LLMAdapterAnthropicAPI,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/work-llm"},
 					CredentialRef: "codereview/work-llm",
 				},
 				ReviewPolicy: config.ReviewPolicy{MajorEvent: config.ReviewMajorEventRequestChanges},
diff --git a/internal/cmd/configcmd/secrets_profiles.go b/internal/cmd/configcmd/secrets_profiles.go
index 45fa9021..708636c9 100644
--- a/internal/cmd/configcmd/secrets_profiles.go
+++ b/internal/cmd/configcmd/secrets_profiles.go
@@ -1,7 +1,6 @@
 package configcmd
 
 import (
-	"errors"
 	"fmt"
 	"strings"
 
@@ -12,14 +11,19 @@ import (
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/exitcode"
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/root"
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/configedit"
 	"github.com/open-cli-collective/codereview-cli/internal/view"
 )
 
 func newSecretsProfileCommand(opts *root.Options) *cobra.Command {
 	secretsCmd := &cobra.Command{
-		Use:   "secrets-profile",
-		Short: "Inspect and update secrets-management profiles",
+		Use:   "credential-store",
+		Short: "Inspect configured credential stores",
+		Args: func(_ *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				return exitcode.Usage(fmt.Errorf("unknown config credential-store command %q", args[0]))
+			}
+			return nil
+		},
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			return cmd.Help()
 		},
@@ -28,10 +32,10 @@ func newSecretsProfileCommand(opts *root.Options) *cobra.Command {
 	var listJSON bool
 	listCmd := &cobra.Command{
 		Use:   "list",
-		Short: "List effective secrets-management profiles",
+		Short: "List effective credential stores",
 		Args: func(_ *cobra.Command, args []string) error {
 			if len(args) > 0 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile list takes no arguments"))
+				return exitcode.Usage(fmt.Errorf("config credential-store list takes no arguments"))
 			}
 			return nil
 		},
@@ -52,10 +56,10 @@ func newSecretsProfileCommand(opts *root.Options) *cobra.Command {
 	var getJSON bool
 	getCmd := &cobra.Command{
 		Use:   "get <id>",
-		Short: "Show one effective secrets-management profile",
+		Short: "Show one effective credential store",
 		Args: func(_ *cobra.Command, args []string) error {
 			if len(args) != 1 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile get requires <id>"))
+				return exitcode.Usage(fmt.Errorf("config credential-store get requires <id>"))
 			}
 			return nil
 		},
@@ -77,321 +81,10 @@ func newSecretsProfileCommand(opts *root.Options) *cobra.Command {
 	}
 	getCmd.Flags().BoolVar(&getJSON, "json", false, "Emit JSON")
 
-	var setBackend string
-	var setLabel string
-	var setBackendSet bool
-	var setLabelSet bool
-	var opTimeout string
-	var opVaultID string
-	var opItemTitlePrefix string
-	var opItemTag string
-	var opItemFieldTitle string
-	var opConnectHost string
-	var opConnectTokenEnv string
-	var opServiceTokenEnv string
-	var opDesktopAccountID string
-	var clearLabel bool
-	setCmd := &cobra.Command{
-		Use:   "set <id>",
-		Short: "Create or update a secrets-management profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile set requires <id>"))
-			}
-			return nil
-		},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			setBackendSet = cmd.Flags().Changed("backend")
-			setLabelSet = cmd.Flags().Changed("label")
-			path, cfg, err := loadConfig(opts)
-			if err != nil {
-				return err
-			}
-			var patch configedit.SecretsProfilePatch
-			existing := cfg.Secrets.Profiles[strings.TrimSpace(args[0])]
-			if backendChanged(cmd) {
-				nextBackend, err := buildSecretsProfileBackendPatch(cmd, existing, setBackendSet, setBackend)
-				if err != nil {
-					return exitcode.Usage(err)
-				}
-				patch.Backend = nextBackend
-			}
-			if setLabelSet {
-				value := setLabel
-				patch.Label = &value
-			}
-			patch.ClearLabel = clearLabel
-			nextCfg, changed, _, err := configedit.SetSecretsProfile(cfg, args[0], patch)
-			if err != nil {
-				return mapSecretsProfileMutationError(err)
-			}
-			if changed {
-				if err := saveConfigFile(path, nextCfg); err != nil {
-					return cmderr.Config(err)
-				}
-			}
-			profile, err := effectiveSecretsProfileByID(nextCfg, args[0])
-			if err != nil {
-				return cmderr.Config(err)
-			}
-			return view.RenderConfigSecretsProfileText(opts.Stdout, configSecretsProfileView(nextCfg, profile))
-		},
-	}
-	setCmd.Flags().StringVar(&setBackend, "backend", "", fmt.Sprintf("Secrets backend kind (%s)", strings.Join(credstore.ValidBackendNames(), ", ")))
-	setCmd.Flags().StringVar(&setLabel, "label", "", "Human-friendly label for the secrets-management profile")
-	setCmd.Flags().BoolVar(&clearLabel, "clear-label", false, "Clear the configured label")
-	setCmd.Flags().StringVar(&opTimeout, "op-timeout", "", "1Password timeout (for example 5s)")
-	setCmd.Flags().StringVar(&opVaultID, "op-vault-id", "", "1Password vault id")
-	setCmd.Flags().StringVar(&opItemTitlePrefix, "op-item-title-prefix", "", "1Password item title prefix")
-	setCmd.Flags().StringVar(&opItemTag, "op-item-tag", "", "1Password item tag")
-	setCmd.Flags().StringVar(&opItemFieldTitle, "op-item-field-title", "", "1Password item field title")
-	setCmd.Flags().StringVar(&opConnectHost, "op-connect-host", "", "1Password Connect host")
-	setCmd.Flags().StringVar(&opConnectTokenEnv, "op-connect-token-env", "", "Environment variable holding the 1Password Connect token")
-	setCmd.Flags().StringVar(&opServiceTokenEnv, "op-service-token-env", "", "Environment variable holding the 1Password service account token")
-	setCmd.Flags().StringVar(&opDesktopAccountID, "op-desktop-account-id", "", "1Password desktop account id")
-
-	removeCmd := &cobra.Command{
-		Use:   "remove <id>",
-		Short: "Remove one configured secrets-management profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile remove requires <id>"))
-			}
-			return nil
-		},
-		RunE: func(_ *cobra.Command, args []string) error {
-			path, cfg, err := loadConfig(opts)
-			if err != nil {
-				return err
-			}
-			nextCfg, changed, err := configedit.RemoveSecretsProfile(cfg, args[0])
-			if err != nil {
-				return mapSecretsProfileMutationError(err)
-			}
-			if changed {
-				if err := saveConfigFile(path, nextCfg); err != nil {
-					return cmderr.Config(err)
-				}
-			}
-			return view.RenderConfigSecretsProfilesText(opts.Stdout, view.ConfigSecretsProfiles{Profiles: configSecretsProfilesView(config.EffectiveSecretsProfiles(nextCfg))})
-		},
-	}
-
-	defaultCmd := &cobra.Command{
-		Use:   "default",
-		Short: "Inspect and update the default secrets-management profile",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return cmd.Help()
-		},
-	}
-
-	var defaultJSON bool
-	defaultGetCmd := &cobra.Command{
-		Use:   "get",
-		Short: "Show the effective default secrets-management profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) > 0 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile default get takes no arguments"))
-			}
-			return nil
-		},
-		RunE: func(_ *cobra.Command, _ []string) error {
-			_, cfg, err := loadConfig(opts)
-			if err != nil {
-				return err
-			}
-			profile, ok := config.EffectiveDefaultSecretsProfile(cfg)
-			if !ok {
-				result := view.ConfigSecretsProfileDefault{}
-				if defaultJSON {
-					return view.RenderConfigSecretsProfileDefaultJSON(opts.Stdout, result)
-				}
-				return view.RenderConfigSecretsProfileDefaultText(opts.Stdout, result)
-			}
-			result := view.ConfigSecretsProfileDefault{DefaultProfile: configSecretsProfileViewPtr(cfg, profile)}
-			if defaultJSON {
-				return view.RenderConfigSecretsProfileDefaultJSON(opts.Stdout, result)
-			}
-			return view.RenderConfigSecretsProfileDefaultText(opts.Stdout, result)
-		},
-	}
-	defaultGetCmd.Flags().BoolVar(&defaultJSON, "json", false, "Emit JSON")
-
-	defaultSetCmd := &cobra.Command{
-		Use:   "set <id>",
-		Short: "Set the configured default secrets-management profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) != 1 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile default set requires <id>"))
-			}
-			return nil
-		},
-		RunE: func(_ *cobra.Command, args []string) error {
-			path, cfg, err := loadConfig(opts)
-			if err != nil {
-				return err
-			}
-			nextCfg, changed, err := configedit.SetDefaultSecretsProfile(cfg, args[0])
-			if err != nil {
-				return mapSecretsProfileMutationError(err)
-			}
-			if changed {
-				if err := saveConfigFile(path, nextCfg); err != nil {
-					return cmderr.Config(err)
-				}
-			}
-			profile, ok := config.EffectiveDefaultSecretsProfile(nextCfg)
-			if !ok {
-				return cmderr.Config(fmt.Errorf("%w", config.ErrSecretsProfileNotFound))
-			}
-			return view.RenderConfigSecretsProfileText(opts.Stdout, configSecretsProfileView(nextCfg, profile))
-		},
-	}
-
-	defaultUnsetCmd := &cobra.Command{
-		Use:   "unset",
-		Short: "Clear the configured default secrets-management profile",
-		Args: func(_ *cobra.Command, args []string) error {
-			if len(args) > 0 {
-				return exitcode.Usage(fmt.Errorf("config secrets-profile default unset takes no arguments"))
-			}
-			return nil
-		},
-		RunE: func(_ *cobra.Command, _ []string) error {
-			path, cfg, err := loadConfig(opts)
-			if err != nil {
-				return err
-			}
-			nextCfg, changed, err := configedit.UnsetDefaultSecretsProfile(cfg)
-			if err != nil {
-				return mapSecretsProfileMutationError(err)
-			}
-			if changed {
-				if err := saveConfigFile(path, nextCfg); err != nil {
-					return cmderr.Config(err)
-				}
-			}
-			return view.RenderConfigSecretsProfilesText(opts.Stdout, view.ConfigSecretsProfiles{Profiles: configSecretsProfilesView(config.EffectiveSecretsProfiles(nextCfg))})
-		},
-	}
-
-	defaultCmd.AddCommand(defaultGetCmd, defaultSetCmd, defaultUnsetCmd)
-	secretsCmd.AddCommand(listCmd, getCmd, setCmd, removeCmd, defaultCmd)
+	secretsCmd.AddCommand(listCmd, getCmd)
 	return secretsCmd
 }
 
-func backendChanged(cmd *cobra.Command) bool {
-	for _, name := range []string{
-		"backend",
-		"op-timeout",
-		"op-vault-id",
-		"op-item-title-prefix",
-		"op-item-tag",
-		"op-item-field-title",
-		"op-connect-host",
-		"op-connect-token-env",
-		"op-service-token-env",
-		"op-desktop-account-id",
-	} {
-		if cmd.Flags().Changed(name) {
-			return true
-		}
-	}
-	return false
-}
-
-func buildSecretsProfileBackendPatch(cmd *cobra.Command, existing config.SecretsProfile, backendSet bool, backendValue string) (*config.SecretsProfileBackend, error) {
-	next := existing.Backend
-	if backendSet {
-		backend, err := credstore.ParseBackend(strings.TrimSpace(backendValue))
-		if err != nil {
-			return nil, err
-		}
-		next.Kind = config.SecretsBackendKind(backend)
-	}
-	if strings.TrimSpace(string(next.Kind)) == "" {
-		return nil, configedit.ErrSecretsProfileBackendRequired
-	}
-	if err := validateSecretsProfileBackendFlags(cmd, next.Kind); err != nil {
-		return nil, err
-	}
-	if !config.IsOnePasswordSecretsBackend(next.Kind) {
-		next.OnePassword = nil
-		return &next, nil
-	}
-	if next.OnePassword != nil {
-		copyValue := *next.OnePassword
-		next.OnePassword = &copyValue
-	} else {
-		next.OnePassword = &config.SecretsProfileOnePasswordConfig{}
-	}
-	if cmd.Flags().Changed("op-timeout") {
-		next.OnePassword.Timeout, _ = cmd.Flags().GetString("op-timeout")
-	}
-	if cmd.Flags().Changed("op-vault-id") {
-		next.OnePassword.VaultID, _ = cmd.Flags().GetString("op-vault-id")
-	}
-	if cmd.Flags().Changed("op-item-title-prefix") {
-		next.OnePassword.ItemTitlePrefix, _ = cmd.Flags().GetString("op-item-title-prefix")
-	}
-	if cmd.Flags().Changed("op-item-tag") {
-		next.OnePassword.ItemTag, _ = cmd.Flags().GetString("op-item-tag")
-	}
-	if cmd.Flags().Changed("op-item-field-title") {
-		next.OnePassword.ItemFieldTitle, _ = cmd.Flags().GetString("op-item-field-title")
-	}
-	if cmd.Flags().Changed("op-connect-host") {
-		next.OnePassword.ConnectHost, _ = cmd.Flags().GetString("op-connect-host")
-	}
-	if cmd.Flags().Changed("op-connect-token-env") {
-		next.OnePassword.ConnectTokenEnv, _ = cmd.Flags().GetString("op-connect-token-env")
-	}
-	if cmd.Flags().Changed("op-service-token-env") {
-		next.OnePassword.ServiceTokenEnv, _ = cmd.Flags().GetString("op-service-token-env")
-	}
-	if cmd.Flags().Changed("op-desktop-account-id") {
-		next.OnePassword.DesktopAccountID, _ = cmd.Flags().GetString("op-desktop-account-id")
-	}
-	return &next, nil
-}
-
-func validateSecretsProfileBackendFlags(cmd *cobra.Command, kind config.SecretsBackendKind) error {
-	changed := func(name string) bool { return cmd.Flags().Changed(name) }
-	if !config.IsOnePasswordSecretsBackend(kind) {
-		for _, name := range []string{
-			"op-timeout",
-			"op-vault-id",
-			"op-item-title-prefix",
-			"op-item-tag",
-			"op-item-field-title",
-			"op-connect-host",
-			"op-connect-token-env",
-			"op-service-token-env",
-			"op-desktop-account-id",
-		} {
-			if changed(name) {
-				return fmt.Errorf("--%s requires a 1Password backend", name)
-			}
-		}
-		return nil
-	}
-	switch kind {
-	case config.SecretsBackendKind(credstore.BackendOP):
-		if changed("op-connect-host") || changed("op-connect-token-env") || changed("op-desktop-account-id") {
-			return fmt.Errorf("op backend does not accept connect or desktop-specific flags")
-		}
-	case config.SecretsBackendKind(credstore.BackendOPConnect):
-		if changed("op-service-token-env") || changed("op-desktop-account-id") {
-			return fmt.Errorf("op-connect backend does not accept service-account or desktop-specific flags")
-		}
-	case config.SecretsBackendKind(credstore.BackendOPDesktop):
-		if changed("op-connect-host") || changed("op-connect-token-env") || changed("op-service-token-env") {
-			return fmt.Errorf("op-desktop backend does not accept service-account or connect-specific flags")
-		}
-	}
-	return nil
-}
-
 func configSecretsProfilesView(profiles []config.EffectiveSecretsProfile) []view.ConfigSecretsProfile {
 	items := make([]view.ConfigSecretsProfile, 0, len(profiles))
 	for _, profile := range profiles {
@@ -402,11 +95,11 @@ func configSecretsProfilesView(profiles []config.EffectiveSecretsProfile) []view
 
 func configSecretsProfileView(cfg config.File, profile config.EffectiveSecretsProfile) view.ConfigSecretsProfile {
 	result := view.ConfigSecretsProfile{
-		ID:        profile.ID,
-		Label:     profile.Label,
-		Backend:   profile.Backend,
-		IsDefault: profile.IsDefault,
-		Source:    string(profile.Source),
+		ID:       profile.ID,
+		Label:    profile.Label,
+		Backend:  profile.Backend,
+		ReadOnly: profile.ReadOnly,
+		Source:   string(profile.Source),
 	}
 	if configured, ok := configuredOnePasswordSecretsProfile(cfg, profile); ok {
 		onePassword := &view.ConfigSecretsProfileOnePassword{
@@ -442,15 +135,10 @@ func configuredOnePasswordSecretsProfile(cfg config.File, profile config.Effecti
 	return configured, true
 }
 
-func configSecretsProfileViewPtr(cfg config.File, profile config.EffectiveSecretsProfile) *view.ConfigSecretsProfile {
-	result := configSecretsProfileView(cfg, profile)
-	return &result
-}
-
 func effectiveSecretsProfileByID(cfg config.File, rawID string) (config.EffectiveSecretsProfile, error) {
 	id := strings.TrimSpace(rawID)
 	if id == "" {
-		return config.EffectiveSecretsProfile{}, fmt.Errorf("%w", configedit.ErrSecretsProfileIDRequired)
+		return config.EffectiveSecretsProfile{}, fmt.Errorf("%w: credential store id is required", config.ErrInvalid)
 	}
 	for _, profile := range config.EffectiveSecretsProfiles(cfg) {
 		if profile.ID == id {
@@ -459,21 +147,3 @@ func effectiveSecretsProfileByID(cfg config.File, rawID string) (config.Effectiv
 	}
 	return config.EffectiveSecretsProfile{}, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, id)
 }
-
-func mapSecretsProfileMutationError(err error) error {
-	switch {
-	case errors.Is(err, configedit.ErrSecretsProfileIDRequired),
-		errors.Is(err, configedit.ErrSecretsProfileReserved),
-		errors.Is(err, configedit.ErrSecretsProfileBackendRequired),
-		errors.Is(err, configedit.ErrSecretsProfileMutationRequired),
-		errors.Is(err, configedit.ErrSecretsProfileLabelConflict),
-		errors.Is(err, configedit.ErrSecretsProfileLabelRequired):
-		return exitcode.Usage(err)
-	case errors.Is(err, configedit.ErrSecretsProfileDefaultConfigured),
-		errors.Is(err, config.ErrSecretsProfileNotFound),
-		errors.Is(err, config.ErrInvalid):
-		return cmderr.Config(err)
-	default:
-		return cmderr.Config(err)
-	}
-}
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index a6aaba05..dd369b05 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -39,6 +39,8 @@ func Register(rootCmd *cobra.Command, opts *root.Options) {
 
 type setCredentialOptions struct {
 	ref       string
+	store     string
+	name      string
 	key       string
 	stdin     bool
 	fromEnv   string
@@ -49,8 +51,8 @@ type setCredentialOptions struct {
 func newSetCredentialCommand(opts *root.Options) *cobra.Command {
 	var flags setCredentialOptions
 	cmd := &cobra.Command{
-		Use:   "set-credential",
-		Short: "Write one secret value to cr's credential store",
+		Use:   "set-credential --store <id> --name <credential-name> --key <key>",
+		Short: "Write one secret value to a credential store",
 		Args: func(_ *cobra.Command, args []string) error {
 			if len(args) > 0 {
 				return exitcode.Usage(fmt.Errorf("set-credential takes no arguments"))
@@ -71,21 +73,30 @@ func newSetCredentialCommand(opts *root.Options) *cobra.Command {
 			return err
 		},
 	}
-	cmd.Flags().StringVar(&flags.ref, "ref", "", "Credential ref (<service>/<profile>)")
+	cmd.Flags().StringVar(&flags.store, "store", "", "Credential store id")
+	cmd.Flags().StringVar(&flags.name, "name", "", "Credential name (<service>/<profile>)")
 	cmd.Flags().StringVar(&flags.key, "key", "", "Credential key")
 	cmd.Flags().BoolVar(&flags.stdin, "stdin", false, "Read the secret value from stdin")
 	cmd.Flags().StringVar(&flags.fromEnv, "from-env", "", "Read the secret value from this environment variable")
 	cmd.Flags().BoolVar(&flags.overwrite, "overwrite", false, "Replace an existing credential")
 	cmd.Flags().BoolVar(&flags.json, "json", false, "Emit JSON")
+	cmd.Flags().StringVar(&flags.ref, "ref", "", "Deprecated compatibility flag; use --name")
+	_ = cmd.Flags().MarkHidden("ref")
 	return cmd
 }
 
 func runSetCredential(cmd *cobra.Command, opts *root.Options, flags setCredentialOptions) (view.CredentialWrite, error) {
-	result := view.CredentialWrite{Ref: flags.ref, Key: flags.key}
-	if flags.ref == "" {
-		return result, exitcode.Usage(fmt.Errorf("--ref is required"))
+	result := view.CredentialWrite{Store: flags.store, Name: flags.name, Key: flags.key}
+	if flags.ref != "" {
+		return result, exitcode.Usage(fmt.Errorf("--ref has been replaced by --name"))
 	}
-	parsed, err := credentials.ParseRef(flags.ref)
+	if flags.store == "" {
+		return result, exitcode.Usage(fmt.Errorf("--store is required"))
+	}
+	if flags.name == "" {
+		return result, exitcode.Usage(fmt.Errorf("--name is required"))
+	}
+	parsed, err := credentials.ParseRef(flags.name)
 	if err != nil {
 		return result, exitcode.Usage(err)
 	}
@@ -96,19 +107,23 @@ func runSetCredential(cmd *cobra.Command, opts *root.Options, flags setCredentia
 	if err != nil {
 		return result, cmderr.Config(err)
 	}
-	if err := credentials.ValidateAllowedKeyForConfig(cfg, flags.ref, flags.key); err != nil {
+	if err := credentials.ValidateAllowedKeyForConfig(cfg, flags.name, flags.key); err != nil {
 		if errors.Is(err, config.ErrInvalid) || errors.Is(err, config.ErrUnsupported) {
 			return result, cmderr.Config(err)
 		}
 		return result, exitcode.Usage(err)
 	}
-	resolvedSecretsProfile, err := credentials.ResolveSecretsProfileForRef(cfg, flags.ref, opts.Profile)
+	backendFlagChanged := cmderr.BackendFlagChanged(cmd)
+	resolvedStore, err := credentials.ResolveCredentialStore(cfg, flags.store)
 	if err != nil {
+		if errors.Is(err, config.ErrInvalid) || errors.Is(err, config.ErrSecretsStoreNotFound) {
+			return result, cmderr.Config(err)
+		}
 		return result, exitcode.AuthConfig(err)
 	}
-	store, err := credentials.OpenResolvedStore(opts.Backend, cmderr.BackendFlagChanged(cmd), cfg, resolvedSecretsProfile)
+	store, err := credentials.OpenResolvedStore(opts.Backend, backendFlagChanged, cfg, resolvedStore)
 	if err != nil {
-		if errors.Is(err, config.ErrInvalid) || errors.Is(err, config.ErrProfileNotFound) || errors.Is(err, config.ErrSecretsProfileNotFound) {
+		if errors.Is(err, config.ErrInvalid) || errors.Is(err, config.ErrProfileNotFound) || errors.Is(err, config.ErrSecretsProfileNotFound) || errors.Is(err, config.ErrSecretsStoreNotFound) {
 			return result, cmderr.Config(err)
 		}
 		return result, cmderr.Credential(err)
@@ -118,13 +133,9 @@ func runSetCredential(cmd *cobra.Command, opts *root.Options, flags setCredentia
 	if err != nil {
 		return result, exitcode.Usage(err)
 	}
-	backend, source := store.Backend()
+	backend, _ := store.Backend()
 	result.Backend = string(backend)
-	if resolvedSecretsProfile.IsNamed() {
-		result.BackendSource = string(credentials.BackendSourceSecretsProfile)
-	} else {
-		result.BackendSource = string(source)
-	}
+	result.BackendSource = string(credentials.BackendSourceCredentialStore)
 	setOpts := []credstore.SetOpt{}
 	if flags.overwrite {
 		setOpts = append(setOpts, credstore.WithOverwrite())
@@ -134,7 +145,7 @@ func runSetCredential(cmd *cobra.Command, opts *root.Options, flags setCredentia
 	}
 	result.Written = true
 	if !flags.json {
-		_, err = fmt.Fprintf(opts.Stderr, "wrote %s to %s via %s\n", flags.key, flags.ref, backend)
+		_, err = fmt.Fprintf(opts.Stderr, "wrote %s to %s in %s via %s\n", flags.key, flags.name, resolvedStore.DisplayName(), backend)
 	}
 	return result, err
 }
@@ -166,9 +177,7 @@ type initOptions struct {
 	llmKeyEnv          string
 	overwrite          bool
 	replaceProfile     bool
-	setDefault         bool
-	keyringBackend     string
-	resetKeyring       bool
+	secretsDiscovery   string
 }
 
 type initPrompter interface {
@@ -220,7 +229,6 @@ type initPromptContext struct {
 	ExistingProfileName          string
 	ExistingProfile              *config.Profile
 	ExistingProfileNames         []string
-	DefaultProfileName           string
 	ExistingConfig               config.File
 	BackendArg                   string
 	BackendFlagSet               bool
@@ -257,12 +265,13 @@ type initDraft struct {
 	ActionTarget                 string
 	OriginalProfileName          string
 	ProfileName                  string
-	MakeDefault                  bool
 	GitHost                      string
 	GitAuth                      string
+	GitCredentialStore           string
 	GitCredentialRef             string
 	ReviewerEnabled              bool
 	ReviewerAuth                 string
+	ReviewerCredentialStore      string
 	ReviewerCredentialRef        string
 	ReviewerDisplayName          string
 	ReviewerCredentialWriteRef   string
@@ -275,6 +284,7 @@ type initDraft struct {
 	LLMAuth                      string
 	LLMAdapter                   string
 	LLMReviewerModelTier         string
+	LLMCredentialStore           string
 	LLMCredentialRef             string
 	AdvancedStorageLabels        bool
 	RoutesSet                    bool
@@ -346,7 +356,6 @@ type initKeyringBackendPrompt struct {
 type initKeyringBackendEdit struct {
 	Apply         bool
 	HasConfigEdit bool
-	Backend       string
 	Config        config.File
 }
 
@@ -489,6 +498,7 @@ type initSessionDraft struct {
 	cfg                          config.File
 	requestedProfileName         string
 	backendFlagSet               bool
+	saveRequested                bool
 	workspace                    *initWorkspaceDraft
 	touchedProfiles              map[string]string
 	writes                       map[string]map[string]string
@@ -518,17 +528,19 @@ type initPendingReviewerEntityDelete struct {
 }
 
 type initPendingLLMRuntimeDelete struct {
-	RuntimeName string
-	Replacement initLLMRuntimeDraft
-	Applied     map[string]config.LLMConfig
-	Original    map[string]config.LLMConfig
+	RuntimeName        string
+	Replacement        initLLMRuntimeDraft
+	Applied            map[string]config.LLMConfig
+	Original           map[string]config.LLMConfig
+	StandaloneOriginal *config.LLMConfig
 }
 
 type initGitScopeDraft struct {
-	Name          string
-	Host          string
-	AuthMode      config.GitAuthMode
-	CredentialRef string
+	Name            string
+	Host            string
+	AuthMode        config.GitAuthMode
+	CredentialStore string
+	CredentialRef   string
 }
 
 type initReviewerEntityKind string
@@ -540,11 +552,12 @@ const (
 )
 
 type initReviewerEntityDraft struct {
-	Name          string
-	Kind          initReviewerEntityKind
-	AuthMode      config.GitAuthMode
-	CredentialRef string
-	DisplayName   string
+	Name            string
+	Kind            initReviewerEntityKind
+	AuthMode        config.GitAuthMode
+	CredentialStore string
+	CredentialRef   string
+	DisplayName     string
 }
 
 type initLLMRuntimePreset string
@@ -561,12 +574,13 @@ const (
 )
 
 type initLLMRuntimeDraft struct {
-	Name          string
-	Preset        initLLMRuntimePreset
-	Provider      config.LLMProvider
-	Auth          config.LLMAuth
-	Adapter       config.LLMAdapter
-	CredentialRef string
+	Name            string
+	Preset          initLLMRuntimePreset
+	Provider        config.LLMProvider
+	Auth            config.LLMAuth
+	Adapter         config.LLMAdapter
+	CredentialStore string
+	CredentialRef   string
 }
 
 type initStore interface {
@@ -686,6 +700,7 @@ func defaultInitDeps() initDeps {
 
 func (deps initDeps) withDefaults() initDeps {
 	defaults := defaultInitDeps()
+	hasInjectedOpenStore := deps.openStore != nil
 	if deps.secretPrompter == nil {
 		deps.secretPrompter = defaults.secretPrompter
 	}
@@ -738,7 +753,13 @@ func (deps initDeps) withDefaults() initDeps {
 		deps.openStore = defaults.openStore
 	}
 	if deps.openResolvedStore == nil {
-		deps.openResolvedStore = defaults.openResolvedStore
+		if hasInjectedOpenStore {
+			deps.openResolvedStore = func(_ credentials.ResolvedSecretsProfile, flagValue string, flagSet bool, cfg config.File) (initStore, error) {
+				return deps.openStore(flagValue, flagSet, cfg)
+			}
+		} else {
+			deps.openResolvedStore = defaults.openResolvedStore
+		}
 	}
 	if deps.readSecret == nil {
 		deps.readSecret = defaults.readSecret
@@ -748,13 +769,14 @@ func (deps initDeps) withDefaults() initDeps {
 
 func newInitCommand(opts *root.Options) *cobra.Command {
 	flags := initOptions{
-		gitHost:      "github.com",
-		gitAuth:      string(config.GitAuthModePAT),
-		reviewerAuth: string(config.GitAuthModePAT),
-		llmProvider:  string(config.LLMProviderAnthropic),
-		llmAuth:      string(config.LLMAuthSubscription),
-		llmAdapter:   string(config.LLMAdapterClaudeCLI),
-		majorEvent:   string(config.ReviewMajorEventComment),
+		gitHost:          "github.com",
+		gitAuth:          string(config.GitAuthModePAT),
+		reviewerAuth:     string(config.GitAuthModePAT),
+		llmProvider:      string(config.LLMProviderAnthropic),
+		llmAuth:          string(config.LLMAuthSubscription),
+		llmAdapter:       string(config.LLMAdapterClaudeCLI),
+		majorEvent:       string(config.ReviewMajorEventComment),
+		secretsDiscovery: string(initSecretsBackendDiscoveryModeFull),
 	}
 	cmd := &cobra.Command{
 		Use:   "init",
@@ -772,14 +794,14 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.nonInteractive, "non-interactive", false, "Run without prompts")
 	cmd.Flags().StringVar(&flags.gitHost, "git-host", flags.gitHost, "Git host")
 	cmd.Flags().StringVar(&flags.gitAuth, "git-auth-mode", flags.gitAuth, "Git credential auth mode")
-	cmd.Flags().StringVar(&flags.gitRef, "git-credential-ref", "", "Git credential ref")
-	cmd.Flags().StringVar(&flags.reviewerRef, "reviewer-credential-ref", "", "Reviewer credential ref")
+	cmd.Flags().StringVar(&flags.gitRef, "git-credential-ref", "", "Git credential name")
+	cmd.Flags().StringVar(&flags.reviewerRef, "reviewer-credential-ref", "", "Reviewer credential name")
 	cmd.Flags().StringVar(&flags.reviewerAuth, "reviewer-auth-mode", flags.reviewerAuth, "Reviewer credential auth mode")
 	cmd.Flags().BoolVar(&flags.disableReviewer, "disable-reviewer", false, "Disable separate reviewer credentials")
 	cmd.Flags().StringVar(&flags.llmProvider, "llm-provider", flags.llmProvider, "LLM provider")
 	cmd.Flags().StringVar(&flags.llmAuth, "llm-auth", flags.llmAuth, "LLM auth mode")
 	cmd.Flags().StringVar(&flags.llmAdapter, "llm-adapter", flags.llmAdapter, "LLM adapter")
-	cmd.Flags().StringVar(&flags.llmRef, "llm-credential-ref", "", "LLM credential ref")
+	cmd.Flags().StringVar(&flags.llmRef, "llm-credential-ref", "", "LLM credential name")
 	cmd.Flags().StringVar(&flags.llmReviewerTier, "llm-reviewer-model-tier", "", "Reviewer model tier override")
 	cmd.Flags().BoolVar(&flags.clearLLMReviewer, "clear-llm-reviewer-model-tier", false, "Clear the configured reviewer model tier")
 	cmd.Flags().StringArrayVar(&flags.agentSources, "agent-source", nil, "Agent source ref (repeatable)")
@@ -795,9 +817,7 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 	cmd.Flags().StringVar(&flags.llmKeyEnv, "llm-api-key-from-env", "", "Read the LLM API key from this environment variable")
 	cmd.Flags().BoolVar(&flags.overwrite, "overwrite", false, "Replace existing keyring entries")
 	cmd.Flags().BoolVar(&flags.replaceProfile, "replace-profile", false, "Replace an existing config profile")
-	cmd.Flags().BoolVar(&flags.setDefault, "set-default", false, "Set the target profile as the default profile")
-	cmd.Flags().StringVar(&flags.keyringBackend, "keyring-backend", "", "Persist this keyring backend in config")
-	cmd.Flags().BoolVar(&flags.resetKeyring, "reset-keyring-backend", false, "Clear any persisted keyring backend")
+	cmd.Flags().StringVar(&flags.secretsDiscovery, "secret-backend-discovery", flags.secretsDiscovery, "Secrets backend discovery mode: full, safe, or off")
 	return cmd
 }
 
@@ -807,6 +827,11 @@ func runInit(cmd *cobra.Command, opts *root.Options, flags initOptions) error {
 
 func runInitWithDeps(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps) error {
 	deps = deps.withDefaults()
+	discoveryMode, err := resolveInitSecretsBackendDiscoveryMode(cmd, flags)
+	if err != nil {
+		return err
+	}
+	flags.secretsDiscovery = string(discoveryMode)
 	if !flags.nonInteractive {
 		return runInteractiveInit(cmd, opts, flags, deps)
 	}
@@ -817,6 +842,27 @@ func runInitWithDeps(cmd *cobra.Command, opts *root.Options, flags initOptions,
 	return applyInitPlan(opts, flags, deps, plan)
 }
 
+func resolveInitSecretsBackendDiscoveryMode(cmd *cobra.Command, flags initOptions) (initSecretsBackendDiscoveryMode, error) {
+	value := flags.secretsDiscovery
+	if !initCommandFlagChanged(cmd, "secret-backend-discovery") {
+		if envValue := strings.TrimSpace(os.Getenv(initSecretsBackendDiscoveryEnv)); envValue != "" {
+			value = envValue
+		}
+	}
+	mode, err := parseInitSecretsBackendDiscoveryMode(value)
+	if err != nil {
+		return "", exitcode.Usage(err)
+	}
+	return mode, nil
+}
+
+func initCommandFlagChanged(cmd *cobra.Command, name string) bool {
+	if cmd == nil || cmd.Flags() == nil || cmd.Flags().Lookup(name) == nil {
+		return false
+	}
+	return cmd.Flags().Changed(name)
+}
+
 func runInteractiveInit(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps) error {
 	if err := validateInteractiveInitFlags(cmd, flags); err != nil {
 		return exitcode.Usage(err)
@@ -848,7 +894,14 @@ func runInteractiveInit(cmd *cobra.Command, opts *root.Options, flags initOption
 			return err
 		}
 		if session.workspace == nil {
-			return nil
+			if !session.saveRequested {
+				return nil
+			}
+			plan, err := buildInteractiveInitSessionPlan(opts, session)
+			if err != nil {
+				return err
+			}
+			return applyInteractiveInitSessionPlan(opts, deps, plan)
 		}
 		plan, err := buildInteractiveInitSessionPlan(opts, session)
 		if err != nil {
@@ -892,7 +945,7 @@ func runInjectedInteractiveInit(cmd *cobra.Command, opts *root.Options, flags in
 	}
 	// The injected legacy path remains a direct test seam for older prompt
 	// dependencies; it intentionally preserves the pre-menu sequencing here even
-	// though the user-facing menu now exposes retention and secrets management as
+	// though the user-facing menu now exposes retention and secrets storage as
 	// separate top-level categories.
 	if deps.retentionPrompter != nil {
 		session.cfg, err = collectInteractiveInitRetentionConfig(opts, deps, cloneInitConfigFile(session.cfg))
@@ -906,7 +959,7 @@ func runInjectedInteractiveInit(cmd *cobra.Command, opts *root.Options, flags in
 		}
 	}
 	if deps.keyringPrompter != nil {
-		session.cfg, err = collectInteractiveInitKeyringBackendConfig(opts, deps, session.backendFlagSet, cloneInitConfigFile(session.cfg))
+		session.cfg, err = collectInteractiveInitKeyringBackendConfig(opts, deps, initSecretsBackendDiscoveryMode(flags.secretsDiscovery), session.backendFlagSet, cloneInitConfigFile(session.cfg))
 		if err != nil {
 			return initSessionDraft{}, err
 		}
@@ -1011,13 +1064,17 @@ type huhInitRetentionPrompter struct {
 }
 
 type huhInitKeyringBackendPrompter struct {
-	stdin           io.Reader
-	stderr          io.Writer
-	inventoryRunner initInventoryRunner
-	editorRunner    initSecretsManagementEditorRunner
+	stdin                io.Reader
+	stderr               io.Writer
+	inventoryRunner      initInventoryRunner
+	editorRunner         initSecretsManagementEditorRunner
+	onePasswordCmdRunner initOnePasswordCommandRunner
+	executableLookPath   initExecutableLookPath
+	discoveryMode        initSecretsBackendDiscoveryMode
 }
 
 const (
+	initialInitProfileName                = "default"
 	initCustomGitScopeSelection           = "__custom_git_scope__"
 	initCustomLLMRuntimeSelection         = "__custom_llm_runtime__"
 	initConfigureNewLLMRuntimeSelection   = "__configure_new_llm_runtime__"
@@ -1060,8 +1117,8 @@ func newHuhInitRoutesPrompter(opts *root.Options) initRoutesPrompter {
 	return huhInitRoutesPrompter{stdin: opts.Stdin, stderr: opts.Stderr}
 }
 
-func newHuhInitKeyringBackendPrompter(opts *root.Options) initKeyringBackendPrompter {
-	return huhInitKeyringBackendPrompter{stdin: opts.Stdin, stderr: opts.Stderr}
+func newHuhInitKeyringBackendPrompter(opts *root.Options, mode initSecretsBackendDiscoveryMode) initKeyringBackendPrompter {
+	return huhInitKeyringBackendPrompter{stdin: opts.Stdin, stderr: opts.Stderr, discoveryMode: mode}
 }
 
 func buildInteractiveInitInventoryPromptContext(ctx initPromptContext) initPromptContext {
@@ -1075,7 +1132,7 @@ func buildInteractiveInitInventoryPromptContext(ctx initPromptContext) initPromp
 func bootstrapInteractiveInitSession(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps) (initSessionDraft, error) {
 	profileName := opts.Profile
 	if profileName == "" {
-		profileName = credstore.DefaultProfile
+		profileName = initialInitProfileName
 	}
 	path, err := deps.configPath(opts)
 	if err != nil {
@@ -1088,6 +1145,11 @@ func bootstrapInteractiveInitSession(cmd *cobra.Command, opts *root.Options, fla
 	if cfg.Profiles == nil {
 		cfg.Profiles = map[string]config.Profile{}
 	}
+	if opts.Profile == "" {
+		if _, ok := cfg.Profiles[profileName]; !ok && len(cfg.Profiles) == 1 {
+			profileName = sortedProfileNames(cfg.Profiles)[0]
+		}
+	}
 	session := initSessionDraft{
 		path:                         path,
 		originalCfg:                  cloneInitConfigFile(cfg),
@@ -1109,18 +1171,11 @@ func bootstrapInteractiveInitSession(cmd *cobra.Command, opts *root.Options, fla
 		existingProfileName = profileName
 		profileCopy := profile
 		existingProfile = &profileCopy
-	} else if opts.Profile == "" && session.cfg.DefaultProfile != "" {
-		if profile, ok := session.cfg.Profiles[session.cfg.DefaultProfile]; ok {
-			existingProfileName = session.cfg.DefaultProfile
-			profileCopy := profile
-			existingProfile = &profileCopy
-			session.requestedProfileName = session.cfg.DefaultProfile
-		}
 	}
 	if existingProfile == nil {
 		return session, nil
 	}
-	draft := seedInteractiveInitDraft(session.requestedProfileName, existingProfileName, session.cfg.DefaultProfile, existingProfile)
+	draft := seedInteractiveInitDraft(session.requestedProfileName, existingProfileName, existingProfile)
 	workspace, err := buildInteractiveInitWorkspace(cmd, opts, flags, deps, path, session.cfg, draft)
 	if err != nil {
 		return initSessionDraft{}, err
@@ -1138,6 +1193,8 @@ func buildInteractiveInitMenuPrompt(session initSessionDraft) initMenuPrompt {
 		LLMRuntimeCount:     len(llmRuntimes),
 		ReviewerEntityCount: countConfiguredInitReviewerEntities(reviewerEntities),
 		ReviewProfileCount:  len(session.cfg.Profiles),
+		CanConfigureLLM:     true,
+		CanSave:             initSessionCanCommitWithoutWorkspace(session),
 	}
 	if session.workspace == nil {
 		return prompt
@@ -1149,6 +1206,20 @@ func buildInteractiveInitMenuPrompt(session initSessionDraft) initMenuPrompt {
 	return prompt
 }
 
+func initSessionCanCommitWithoutWorkspace(session initSessionDraft) bool {
+	if !initSessionHasStagedChanges(session) {
+		return false
+	}
+	return config.Validate(session.cfg) == nil
+}
+
+func initSessionHasStagedChanges(session initSessionDraft) bool {
+	if !initConfigsEqual(session.originalCfg, session.cfg) {
+		return true
+	}
+	return len(session.writes) > 0 || len(session.overwriteRefs) > 0 || len(session.satisfiedRefs) > 0
+}
+
 func currentInteractiveInitInventoryPromptContext(session initSessionDraft) initPromptContext {
 	return buildInteractiveInitInventoryPromptContext(currentInteractiveInitPromptContextBase(session))
 }
@@ -1170,7 +1241,6 @@ func currentInteractiveInitPromptContextBase(session initSessionDraft) initPromp
 		ExistingProfileName:          existingProfileName,
 		ExistingProfile:              existingProfile,
 		ExistingProfileNames:         sortedProfileNames(session.cfg.Profiles),
-		DefaultProfileName:           session.cfg.DefaultProfile,
 		ExistingConfig:               session.cfg,
 		PendingProfileDeletes:        session.pendingProfileDeletes,
 		PendingReviewerEntityDeletes: session.pendingReviewerEntityDeletes,
@@ -1184,7 +1254,8 @@ func runInteractiveInitMenuLoop(cmd *cobra.Command, opts *root.Options, flags in
 		menuPrompter = newHuhInitMenuPrompter(opts)
 	}
 	for {
-		action, err := menuPrompter.ChooseAction(buildInteractiveInitMenuPrompt(session))
+		prompt := buildInteractiveInitMenuPrompt(session)
+		action, err := menuPrompter.ChooseAction(prompt)
 		if err != nil {
 			return initSessionDraft{}, err
 		}
@@ -1198,13 +1269,19 @@ func runInteractiveInitMenuLoop(cmd *cobra.Command, opts *root.Options, flags in
 		case initMenuActionGlobalSettings:
 			session, err = editInteractiveInitGlobalSettings(cmd, opts, deps, session)
 		case initMenuActionSecretsManagement:
-			session, err = editInteractiveInitSecretsManagement(cmd, opts, deps, session)
+			session, err = editInteractiveInitSecretsManagement(cmd, opts, flags, deps, session)
 		case initMenuActionSave:
-			if session.workspace == nil {
-				return initSessionDraft{}, exitcode.Usage(errors.New("commit requires at least one configured profile"))
+			if !prompt.CanSave {
+				reason := initMenuDisabledReason(prompt, initMenuActionSave)
+				if reason == "" {
+					reason = "stage changes before committing"
+				}
+				return initSessionDraft{}, exitcode.Usage(errors.New(reason))
 			}
+			session.saveRequested = true
 			return session, nil
 		case initMenuActionExit:
+			session.saveRequested = false
 			session.workspace = nil
 			return session, nil
 		default:
@@ -1410,9 +1487,6 @@ func loopInteractiveInitLLMRuntime(cmd *cobra.Command, opts *root.Options, flags
 }
 
 func editInteractiveInitLLMRuntimeStep(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, bool, error) {
-	if session.workspace == nil {
-		return initSessionDraft{}, false, exitcode.Usage(errors.New("configure a review profile before editing LLM runtimes"))
-	}
 	prompter := deps.llmRuntimePrompter
 	if prompter == nil {
 		prompter = newHuhInitLLMRuntimePrompter(opts)
@@ -1436,6 +1510,10 @@ func editInteractiveInitLLMRuntimeStep(cmd *cobra.Command, opts *root.Options, f
 	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported LLM-runtime draft action %q", draft.Action)
 	}
+	if session.workspace == nil {
+		session, err = stageStandaloneInteractiveInitLLMRuntime(session, draft)
+		return session, false, err
+	}
 	previousProfileName := session.workspace.profileName
 	previousProfile := session.workspace.profile
 	workspace, err := buildInteractiveInitWorkspace(cmd, opts, flags, deps, session.path, session.cfg, draft)
@@ -1460,6 +1538,42 @@ func editInteractiveInitLLMRuntimeStep(cmd *cobra.Command, opts *root.Options, f
 	return session, false, nil
 }
 
+func stageStandaloneInteractiveInitLLMRuntime(session initSessionDraft, draft initDraft) (initSessionDraft, error) {
+	runtime := initLLMRuntimeDraftFromSeedDraft(draft)
+	if runtime.Provider == "" || runtime.Auth == "" || runtime.Adapter == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("LLM runtime provider, auth, and adapter are required"))
+	}
+	working := cloneInitConfigFile(session.cfg)
+	if working.LLMRuntimes == nil {
+		working.LLMRuntimes = map[string]config.LLMConfig{}
+	}
+	name := strings.TrimSpace(runtime.Name)
+	if name == "" {
+		name = uniqueInitLLMRuntimeName(buildInitStandaloneLLMRuntimeNameSet(working.LLMRuntimes), runtime.suggestedName())
+	}
+	if runtime.Auth == config.LLMAuthAPIKey && strings.TrimSpace(runtime.CredentialRef) == "" {
+		ref, err := credentials.FormatRef(name)
+		if err != nil {
+			return initSessionDraft{}, exitcode.Usage(err)
+		}
+		runtime.CredentialRef = ref
+	}
+	working.LLMRuntimes[name] = runtime.exportConfig()
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.cfg = config.Normalize(working)
+	return session, nil
+}
+
+func buildInitStandaloneLLMRuntimeNameSet(runtimes map[string]config.LLMConfig) map[string]initLLMRuntimeDraft {
+	existing := make(map[string]initLLMRuntimeDraft, len(runtimes))
+	for name := range runtimes {
+		existing[name] = initLLMRuntimeDraft{}
+	}
+	return existing
+}
+
 func loopInteractiveInitReviewerEntity(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	for {
 		var stayInCategory bool
@@ -1612,6 +1726,7 @@ func propagateSharedReviewerEntityChanges(priorCfg config.File, updatedCfg confi
 	}
 	identityKey := previousEntity.identityKey()
 	displayName := normalizeOptionalDisplayName(nextEntity.DisplayName)
+	credentialStore := initCredentialStoreDraftValue(nextEntity.CredentialStore)
 	credentialRef := strings.TrimSpace(nextEntity.CredentialRef)
 	for profileName, previousProfile := range priorCfg.Profiles {
 		if profileName == activeProfileName {
@@ -1628,6 +1743,7 @@ func propagateSharedReviewerEntityChanges(priorCfg config.File, updatedCfg confi
 			continue
 		}
 		profile.ReviewerCredentials.AuthMode = nextEntity.AuthMode
+		profile.ReviewerCredentials.Credential = initCredentialLocation(credentialStore, credentialRef)
 		profile.ReviewerCredentials.CredentialRef = credentialRef
 		profile.ReviewerCredentials.DisplayName = displayName
 		updatedCfg.Profiles[profileName] = profile
@@ -1653,8 +1769,8 @@ func editInteractiveInitGlobalSettings(_ *cobra.Command, opts *root.Options, dep
 	return session, nil
 }
 
-func editInteractiveInitSecretsManagement(_ *cobra.Command, opts *root.Options, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
-	nextCfg, err := collectInteractiveInitKeyringBackendConfig(opts, deps, session.backendFlagSet, cloneInitConfigFile(session.cfg))
+func editInteractiveInitSecretsManagement(_ *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
+	nextCfg, err := collectInteractiveInitKeyringBackendConfig(opts, deps, initSecretsBackendDiscoveryMode(flags.secretsDiscovery), session.backendFlagSet, cloneInitConfigFile(session.cfg))
 	if errors.Is(err, errInitNavigateBack) {
 		return session, nil
 	}
@@ -1713,7 +1829,7 @@ func initMenuDescription(prompt initMenuPrompt) string {
 	if prompt.HasWorkspace && strings.TrimSpace(prompt.ActiveProfileName) != "" {
 		return fmt.Sprintf("Active profile: %s", prompt.ActiveProfileName)
 	}
-	return "Configure the parts cr needs, stage changes as you go, then commit when the active profile is ready."
+	return "Configure the parts cr needs, stage changes as you go, then commit them."
 }
 
 func runBackableInitForm(form *huh.Form, stdin io.Reader, stderr io.Writer) (bool, error) {
@@ -1790,11 +1906,11 @@ func (p huhInitLLMRuntimePrompter) EditLLMRuntime(prompt initLLMRuntimePrompt) (
 }
 
 func (p huhInitLLMRuntimePrompter) editLLMRuntimeInventory(prompt initLLMRuntimePrompt) (initDraft, error) {
-	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
 			Title:       "LLM Runtime",
-			Description: "Choose how reviewer agents run for this profile.",
+			Description: "Choose how reviewer agents run.",
 			Rows:        initLLMRuntimeInventoryRows(prompt.Context),
 			Width:       80,
 			Height:      20,
@@ -1995,7 +2111,7 @@ func (p huhInitReviewerEntityPrompter) EditReviewerEntity(prompt initReviewerEnt
 }
 
 func (p huhInitReviewerEntityPrompter) editReviewerEntityInventory(prompt initReviewerEntityPrompt) (initDraft, error) {
-	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
 			Title:       "Reviewer Entity",
@@ -2213,7 +2329,7 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 		if selectedCreateNewProfile {
 			requestedProfileName = initCreateProfileSeedName(ctx)
 		}
-		draft := seedInteractiveInitDraft(requestedProfileName, selectedProfileName, ctx.DefaultProfileName, selectedExistingProfile)
+		draft := seedInteractiveInitDraft(requestedProfileName, selectedProfileName, selectedExistingProfile)
 		if warnings := ctx.ProfileWarnings[selectedProfileName]; len(warnings) > 0 {
 			_, _ = fmt.Fprintln(p.stderr, "Existing profile secret health:")
 			for _, warning := range warnings {
@@ -2238,9 +2354,10 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			}
 			gitScopeOptions := initGitScopeOptions(ctx.GitScopes)
 			selectedGit := initGitScopeDraft{
-				Host:          draft.GitHost,
-				AuthMode:      config.GitAuthMode(draft.GitAuth),
-				CredentialRef: strings.TrimSpace(draft.GitCredentialRef),
+				Host:            draft.GitHost,
+				AuthMode:        config.GitAuthMode(draft.GitAuth),
+				CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
+				CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
 			}
 			if scopeName := ctx.ProfileGitScopes[selectedProfileName]; scopeName != "" {
 				if scope, ok := ctx.GitScopes[scopeName]; ok {
@@ -2248,13 +2365,6 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 				}
 			}
 			reviewerEntityOptions := initReviewerEntitySelectionOptions(ctx.ReviewerEntities, profileEditorReviewerEntityFallbackLabel(selectedGit, selectedExistingProfile))
-			_, selectedSecretsProfile := initProfileEditorSecretsProfileSelection(
-				ctx.SecretsProfiles,
-				ctx.ProfileSecretsProfiles[selectedProfileName],
-				ctx.BrokenProfileSecretsProfiles[selectedProfileName],
-				initSecretsProfileDefaultOptionLabel(ctx.ExistingConfig),
-				draft,
-			)
 			llmRuntimes := maps.Clone(ctx.LLMRuntimes)
 			if llmRuntimes == nil {
 				llmRuntimes = map[string]initLLMRuntimeDraft{}
@@ -2278,6 +2388,9 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			gitStorageLabel := initEffectiveStorageLabelValue(draft.GitCredentialRef, standardGitCredentialRef)
 			reviewerStorageLabel := initEffectiveStorageLabelValue(draft.ReviewerCredentialRef, standardReviewerCredentialRef)
 			llmStorageLabel := initEffectiveStorageLabelValue(draft.LLMCredentialRef, standardLLMCredentialRef)
+			credentialStoreOptions := initCredentialStoreOptions(ctx.ExistingConfig)
+			gitCredentialStore := initCredentialStoreDraftValue(draft.GitCredentialStore)
+			llmCredentialStore := initCredentialStoreDraftValue(draft.LLMCredentialStore)
 			initialSelectedLLMRuntime := selectedLLMRuntime
 			modelMapLLM := initProfileEditorModelMapLLM(draft, selectedLLMRuntime, llmRuntimes)
 			modelMapFields, modelMapValues := initModelMapEditorFields(modelMapLLM, draft.ModelMap)
@@ -2370,16 +2483,40 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			profileFields = append(profileFields, reviewPolicyFields...)
 			profileFields = append(profileFields,
 				huh.NewNote().
-					Description("Edit only if this profile should use a different Git secret location than the selected Git scope's default. Useful for advanced deployment scenarios. Leave unchanged if you're unsure."),
+					Title("Git credentials").
+					Description("Choose where this profile's Git credentials are stored. The credential name is the full codereview/... path written to the selected store."),
+				huh.NewSelect[string]().
+					Title("Git credential store").
+					Options(credentialStoreOptions...).
+					Value(&gitCredentialStore),
 				huh.NewInput().
-					Title("Git secrets storage label").
-					Description("Edit only if this profile should use a different Git secret location than the selected Git scope's default. Useful for advanced deployment scenarios. Leave unchanged if you're unsure.").
+					Title("Git credential name").
+					Description("Full credential name under the selected store.").
 					Value(&gitStorageLabel).
-					Validate(validateOptionalCredentialRef),
+					Validate(validateRequiredCredentialRef),
 			)
 			profileFields = append(profileFields, actionFields...)
+			llmCredentialFields := []huh.Field{
+				huh.NewNote().
+					Title("LLM API key credentials").
+					Description("Choose where this profile's LLM API key is stored."),
+				huh.NewSelect[string]().
+					Title("LLM credential store").
+					Options(credentialStoreOptions...).
+					Value(&llmCredentialStore),
+				huh.NewInput().
+					Title("LLM credential name").
+					Description("Full credential name under the selected store.").
+					Value(&llmStorageLabel).
+					Validate(validateRequiredCredentialRef),
+			}
 			form := huh.NewForm(
 				huh.NewGroup(profileFields...).Title("Profile"),
+				huh.NewGroup(llmCredentialFields...).
+					Title("LLM API key credentials").
+					WithHideFunc(func() bool {
+						return !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes)
+					}),
 				huh.NewGroup(
 					huh.NewSelect[string]().
 						Title("Git scope").
@@ -2454,8 +2591,17 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			llmUsesDefaultBeforeSelection := initStorageLabelUsesDefault(llmStorageLabel, standardLLMCredentialRef)
 			applyGitScopeSelection(&draft, selectedGitScope, ctx.GitScopes)
 			applyReviewerEntityInventorySelection(&draft, selectedReviewerEntity, ctx.ReviewerEntities)
-			applySecretsProfileSelection(&draft, selectedSecretsProfile)
 			applyLLMRuntimeInventorySelection(&draft, selectedLLMRuntime, llmRuntimes)
+			draft.GitCredentialStore = initCredentialStoreDraftValue(gitCredentialStore)
+			if strings.TrimSpace(gitStorageLabel) != "" {
+				draft.GitCredentialRef = strings.TrimSpace(gitStorageLabel)
+			}
+			if initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes) {
+				draft.LLMCredentialStore = initCredentialStoreDraftValue(llmCredentialStore)
+				if strings.TrimSpace(llmStorageLabel) != "" {
+					draft.LLMCredentialRef = strings.TrimSpace(llmStorageLabel)
+				}
+			}
 			// Inventory selections fill provider/auth/ref fields; rerunning the mode finalizers applies side effects like clearing refs for self-reviewers or subscription runtimes.
 			reviewerMode = string(initReviewerEntityDraftFromSeedDraft(draft).Kind)
 			selectedRuntimePreset := string(initLLMRuntimeDraftFromSeedDraft(draft).Preset)
@@ -2566,9 +2712,6 @@ func sortProfileInventoryNames(names []string, ctx initPromptContext) {
 }
 
 func profileInventorySortKey(name string, ctx initPromptContext) int {
-	if name == strings.TrimSpace(ctx.DefaultProfileName) {
-		return 3
-	}
 	routes := currentProfileRouteSpecs(ctx.ExistingConfig.RepositoryProfiles, name)
 	if len(routes) == 0 {
 		return 2
@@ -2582,9 +2725,6 @@ func profileInventorySortKey(name string, ctx initPromptContext) int {
 }
 
 func profileInventoryRowDescription(name string, ctx initPromptContext) string {
-	if name == strings.TrimSpace(ctx.DefaultProfileName) {
-		return "Everything else"
-	}
 	return formatInitRouteSpecsInline(currentProfileRouteSpecs(ctx.ExistingConfig.RepositoryProfiles, name))
 }
 
@@ -2604,9 +2744,10 @@ func initReviewerEntityDraftFromSeedDraft(draft initDraft) initReviewerEntityDra
 		return initReviewerEntityDraft{Kind: initReviewerEntityKindUseGitIdentity}
 	}
 	entity := initReviewerEntityDraft{
-		AuthMode:      config.GitAuthMode(draft.ReviewerAuth),
-		CredentialRef: strings.TrimSpace(draft.ReviewerCredentialRef),
-		DisplayName:   normalizeOptionalDisplayName(draft.ReviewerDisplayName),
+		AuthMode:        config.GitAuthMode(draft.ReviewerAuth),
+		CredentialStore: initCredentialStoreDraftValue(draft.ReviewerCredentialStore),
+		CredentialRef:   strings.TrimSpace(draft.ReviewerCredentialRef),
+		DisplayName:     normalizeOptionalDisplayName(draft.ReviewerDisplayName),
 	}
 	switch entity.AuthMode {
 	case config.GitAuthModeGitHubApp:
@@ -2660,6 +2801,7 @@ func applyGitScopeSelection(draft *initDraft, selection string, scopes map[strin
 	}
 	draft.GitHost = scope.Host
 	draft.GitAuth = string(scope.AuthMode)
+	draft.GitCredentialStore = initCredentialStoreDraftValue(scope.CredentialStore)
 	if !draft.AdvancedStorageLabels {
 		draft.GitCredentialRef = scope.CredentialRef
 	}
@@ -2778,13 +2920,6 @@ func initProfileEditorSecretsProfileSelectionVisible(profiles []config.Effective
 	return len(profiles) > 0 || strings.TrimSpace(missingSelection) != ""
 }
 
-func initSecretsProfileDefaultOptionLabel(cfg config.File) string {
-	if profile, ok := config.EffectiveDefaultSecretsProfile(cfg); ok {
-		return fmt.Sprintf("Use built-in default (%s)", initSecretsProfileLabel(profile))
-	}
-	return "Use built-in default"
-}
-
 func initSecretsProfileLabel(profile config.EffectiveSecretsProfile) string {
 	displayName := strings.TrimSpace(profile.Label)
 	if displayName == "" {
@@ -3112,6 +3247,7 @@ func applyReviewerEntityInventorySelection(draft *initDraft, selection string, e
 	}
 	draft.ReviewerEnabled = entity.Kind != initReviewerEntityKindUseGitIdentity
 	draft.ReviewerAuth = string(entity.AuthMode)
+	draft.ReviewerCredentialStore = initCredentialStoreDraftValue(entity.CredentialStore)
 	draft.ReviewerDisplayName = normalizeOptionalDisplayName(entity.DisplayName)
 	if !draft.AdvancedStorageLabels {
 		draft.ReviewerCredentialRef = entity.CredentialRef
@@ -3141,6 +3277,7 @@ func initLLMRuntimeDraftFromSeedDraft(draft initDraft) initLLMRuntimeDraft {
 		Provider:      config.LLMProvider(draft.LLMProvider),
 		Auth:          config.LLMAuth(draft.LLMAuth),
 		Adapter:       config.LLMAdapter(draft.LLMAdapter),
+		Credential:    initCredentialLocationIfName(draft.LLMCredentialStore, draft.LLMCredentialRef),
 		CredentialRef: strings.TrimSpace(draft.LLMCredentialRef),
 	})
 }
@@ -3299,6 +3436,7 @@ func applyLLMRuntimeInventorySelection(draft *initDraft, selection string, runti
 		draft.LLMAuth = string(runtime.Auth)
 		draft.LLMAdapter = string(runtime.Adapter)
 		if !draft.AdvancedStorageLabels {
+			draft.LLMCredentialStore = initCredentialStoreDraftValue(runtime.CredentialStore)
 			draft.LLMCredentialRef = runtime.CredentialRef
 		}
 		return
@@ -3366,6 +3504,7 @@ func applyLLMRuntimeSelection(draft *initDraft, selection string) {
 	draft.LLMAuth = string(runtime.Auth)
 	draft.LLMAdapter = string(runtime.Adapter)
 	if runtime.Auth != config.LLMAuthAPIKey && !draft.AdvancedStorageLabels {
+		draft.LLMCredentialStore = initCredentialStoreDefaultID()
 		draft.LLMCredentialRef = ""
 	}
 }
@@ -3626,7 +3765,7 @@ func (p huhInitRoutesPrompter) EditRoutes(prompt initRoutesPrompt) (initRoutesEd
 
 func initRouteEditorFields(routeText *string, includeIntroTitle bool) []huh.Field {
 	intro := huh.NewNote().
-		Description("Routes tell cr when to use this profile automatically. Explicit --profile still wins; otherwise matching routes beat the default profile.")
+		Description("Routes tell cr when to use this profile automatically. Explicit --profile still wins; otherwise a matching route is required.")
 	if includeIntroTitle {
 		intro = intro.Title("Automatic profile selection")
 	}
@@ -3754,6 +3893,14 @@ func validateOptionalCredentialRef(value string) error {
 	return err
 }
 
+func validateRequiredCredentialRef(value string) error {
+	trimmed := strings.TrimSpace(value)
+	if trimmed == "" {
+		return fmt.Errorf("credential name is required")
+	}
+	return validateOptionalCredentialRef(trimmed)
+}
+
 func normalizeOptionalDisplayName(value string) string {
 	return strings.TrimSpace(value)
 }
@@ -3814,46 +3961,46 @@ func validateInteractiveInitFlags(cmd *cobra.Command, flags initOptions) error {
 	}
 	anyNonInteractiveParityFlagSet := flags.disableReviewer ||
 		flags.clearLLMReviewer ||
-		flags.setDefault ||
-		flags.resetKeyring ||
 		cmd.Flags().Changed("git-auth-mode") ||
-		cmd.Flags().Changed("llm-reviewer-model-tier") ||
-		cmd.Flags().Changed("keyring-backend")
+		cmd.Flags().Changed("llm-reviewer-model-tier")
 	if anyNonInteractiveParityFlagSet {
 		return fmt.Errorf("non-interactive parity flags are only supported with --non-interactive")
 	}
 	return nil
 }
 
-func seedInteractiveInitDraft(requestedProfileName string, existingProfileName string, defaultProfileName string, existingProfile *config.Profile) initDraft {
+func seedInteractiveInitDraft(requestedProfileName string, existingProfileName string, existingProfile *config.Profile) initDraft {
 	profileName := requestedProfileName
 	if existingProfileName != "" {
 		profileName = existingProfileName
 	}
 	if strings.TrimSpace(profileName) == "" {
-		profileName = credstore.DefaultProfile
+		profileName = initialInitProfileName
 	}
 	draft := initDraft{
-		OriginalProfileName: existingProfileName,
-		ProfileName:         profileName,
-		MakeDefault:         existingProfileName == "" && defaultProfileName == "",
-		GitHost:             "github.com",
-		GitAuth:             string(config.GitAuthModePAT),
-		ReviewerAuth:        string(config.GitAuthModePAT),
-		LLMProvider:         string(config.LLMProviderAnthropic),
-		LLMAuth:             string(config.LLMAuthSubscription),
-		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
+		OriginalProfileName:     existingProfileName,
+		ProfileName:             profileName,
+		GitHost:                 "github.com",
+		GitAuth:                 string(config.GitAuthModePAT),
+		GitCredentialStore:      initCredentialStoreDefaultID(),
+		ReviewerAuth:            string(config.GitAuthModePAT),
+		ReviewerCredentialStore: initCredentialStoreDefaultID(),
+		LLMProvider:             string(config.LLMProviderAnthropic),
+		LLMAuth:                 string(config.LLMAuthSubscription),
+		LLMAdapter:              string(config.LLMAdapterClaudeCLI),
+		LLMCredentialStore:      initCredentialStoreDefaultID(),
 	}
 	if existingProfile != nil {
-		draft.MakeDefault = defaultProfileName == existingProfileName
 		draft.GitHost = existingProfile.Git.Host
 		draft.GitAuth = string(existingProfile.Git.AuthMode)
-		draft.GitCredentialRef = existingProfile.Git.CredentialRef
+		draft.GitCredentialStore = initCredentialStoreDraftValue(existingProfile.Git.Credential.Store)
+		draft.GitCredentialRef = firstNonEmpty(existingProfile.Git.Credential.Name, existingProfile.Git.CredentialRef)
 		draft.LLMProvider = string(existingProfile.LLM.Provider)
 		draft.LLMAuth = string(existingProfile.LLM.Auth)
 		draft.LLMAdapter = string(existingProfile.LLM.Adapter)
 		draft.LLMReviewerModelTier = string(existingProfile.LLM.ReviewerModelTier)
-		draft.LLMCredentialRef = existingProfile.LLM.CredentialRef
+		draft.LLMCredentialStore = initCredentialStoreDraftValue(existingProfile.LLM.Credential.Store)
+		draft.LLMCredentialRef = firstNonEmpty(existingProfile.LLM.Credential.Name, existingProfile.LLM.CredentialRef)
 		draft.ModelMap = copyModelMap(existingProfile.LLM.ModelMap)
 		draft.AgentSources = append([]string(nil), existingProfile.AgentSources...)
 		draft.ReviewPolicy = existingProfile.ReviewPolicy
@@ -3861,7 +4008,8 @@ func seedInteractiveInitDraft(requestedProfileName string, existingProfileName s
 		if existingProfile.ReviewerCredentials != nil {
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(existingProfile.ReviewerCredentials.AuthMode)
-			draft.ReviewerCredentialRef = existingProfile.ReviewerCredentials.CredentialRef
+			draft.ReviewerCredentialStore = initCredentialStoreDraftValue(existingProfile.ReviewerCredentials.Credential.Store)
+			draft.ReviewerCredentialRef = firstNonEmpty(existingProfile.ReviewerCredentials.Credential.Name, existingProfile.ReviewerCredentials.CredentialRef)
 			draft.ReviewerDisplayName = normalizeOptionalDisplayName(existingProfile.ReviewerCredentials.DisplayName)
 		}
 	}
@@ -3932,9 +4080,6 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	if stdinSecrets > 1 {
 		return initPlan{}, exitcode.Usage(fmt.Errorf("only one stdin secret ingress flag may be set"))
 	}
-	if flags.keyringBackend != "" && flags.resetKeyring {
-		return initPlan{}, exitcode.Usage(fmt.Errorf("--keyring-backend and --reset-keyring-backend may not be used together; use one or the other"))
-	}
 	if flags.llmReviewerTier != "" && flags.clearLLMReviewer {
 		return initPlan{}, exitcode.Usage(fmt.Errorf("--llm-reviewer-model-tier and --clear-llm-reviewer-model-tier may not be used together; use one or the other"))
 	}
@@ -3947,7 +4092,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	}
 	profileName := opts.Profile
 	if profileName == "" {
-		profileName = credstore.DefaultProfile
+		profileName = initialInitProfileName
 	}
 	path, err := deps.configPath(opts)
 	if err != nil {
@@ -3972,7 +4117,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	}
 	defaultGitRef, err := credentials.FormatRef(profileName)
 	if err != nil {
-		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential ref segment: %w", profileName, err))
+		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name segment: %w", profileName, err))
 	}
 	gitRef := flags.gitRef
 	if gitRef == "" {
@@ -4063,10 +4208,27 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	if previousProfile != nil && !flags.replaceProfile {
 		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q already exists; use --replace-profile to replace config only", profileName))
 	}
+	gitStore := config.LocalOSCredentialStoreID
+	llmStore := config.LocalOSCredentialStoreID
+	reviewerStore := config.LocalOSCredentialStoreID
+	if previousProfile != nil {
+		if store := strings.TrimSpace(previousProfile.Git.Credential.Store); store != "" {
+			gitStore = store
+		}
+		if store := strings.TrimSpace(previousProfile.LLM.Credential.Store); store != "" {
+			llmStore = store
+		}
+		if previousProfile.ReviewerCredentials != nil {
+			if store := strings.TrimSpace(previousProfile.ReviewerCredentials.Credential.Store); store != "" {
+				reviewerStore = store
+			}
+		}
+	}
 	profile := config.Profile{
 		Git: config.GitConfig{
 			Host:          flags.gitHost,
 			AuthMode:      gitMode,
+			Credential:    initCredentialLocation(gitStore, gitRef),
 			CredentialRef: gitRef,
 		},
 		LLM: config.LLMConfig{
@@ -4083,6 +4245,9 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			ResolveAfter:     flags.resolveAfter,
 		},
 	}
+	if llmRef != "" {
+		profile.LLM.Credential = initCredentialLocation(llmStore, llmRef)
+	}
 	if flags.clearLLMReviewer {
 		profile.LLM.ReviewerModelTier = ""
 	} else {
@@ -4091,6 +4256,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	if reviewerRequested && !flags.disableReviewer {
 		profile.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      reviewerMode,
+			Credential:    initCredentialLocation(reviewerStore, reviewerRef),
 			CredentialRef: reviewerRef,
 		}
 	}
@@ -4128,12 +4294,6 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		}
 	}
 	cfg.Profiles[profileName] = profile
-	if !exists {
-		cfg.DefaultProfile = profileName
-	}
-	if flags.setDefault {
-		cfg.DefaultProfile = profileName
-	}
 
 	writes := map[string]map[string]string{}
 	if hasGitSecret {
@@ -4161,30 +4321,6 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			return initPlan{}, cmderr.Credential(err)
 		}
 	}
-	explicitKeyringBackend := flags.keyringBackend != ""
-	if explicitKeyringBackend {
-		if _, err := credentials.StoreOptions(flags.keyringBackend, true, cfg); err != nil {
-			return initPlan{}, cmderr.Credential(err)
-		}
-		if backendFlagSet && opts.Backend != flags.keyringBackend {
-			return initPlan{}, exitcode.Usage(fmt.Errorf("--backend %q conflicts with --keyring-backend %q", opts.Backend, flags.keyringBackend))
-		}
-		cfg.Keyring.Backend = flags.keyringBackend
-	}
-	if flags.resetKeyring {
-		cfg.Keyring.Backend = ""
-	}
-	// Preserve the legacy init behavior where a write-backed runtime backend may
-	// still become durable. New scripted flows should prefer --keyring-backend
-	// and --reset-keyring-backend for readable, explicit ownership.
-	persistRuntimeBackend := !explicitKeyringBackend && !flags.resetKeyring && backendFlagSet && (len(writes) > 0 || profile.LLM.Auth == config.LLMAuthAPIKey)
-	if persistRuntimeBackend {
-		if cfg.Keyring.Backend != "" && cfg.Keyring.Backend != opts.Backend {
-			return initPlan{}, exitcode.Usage(fmt.Errorf("--backend %q conflicts with existing keyring.backend %q", opts.Backend, cfg.Keyring.Backend))
-		}
-		cfg.Keyring.Backend = opts.Backend
-	}
-
 	if err := config.Validate(cfg); err != nil {
 		return initPlan{}, cmderr.Config(err)
 	}
@@ -4246,17 +4382,6 @@ func buildInteractiveInitWorkspace(cmd *cobra.Command, opts *root.Options, flags
 		return initWorkspaceDraft{}, err
 	}
 	working.Profiles[profileName] = profile
-	if draft.MakeDefault || working.DefaultProfile == "" {
-		var changed bool
-		working, changed, err = configedit.SetDefaultProfile(working, profileName)
-		_ = changed
-		if err != nil {
-			if errors.Is(err, config.ErrProfileNotFound) || errors.Is(err, configedit.ErrProfileNameRequired) {
-				return initWorkspaceDraft{}, exitcode.Usage(err)
-			}
-			return initWorkspaceDraft{}, cmderr.Config(err)
-		}
-	}
 	if err := validateInteractiveInitConfig(initValidationConfigForProfileHost(working, profileName, previousProfile, profile.Git.Host)); err != nil {
 		return initWorkspaceDraft{}, cmderr.Config(err)
 	}
@@ -4440,7 +4565,7 @@ func mergeInteractiveInitSessionPlanEntry(entriesByKey map[string]initCredential
 		return nil
 	}
 	if existing.State != initCredentialPlanStateClearRef && entry.State != initCredentialPlanStateClearRef && !sameInitCredentialStore(existing.SecretsProfile, entry.SecretsProfile) {
-		return fmt.Errorf("%w: init credential ref %q is staged for multiple secrets-management profiles in one session", config.ErrInvalid, entry.Ref.Ref)
+		return fmt.Errorf("%w: credential name %q is staged for multiple credential stores in one session", config.ErrInvalid, entry.Ref.Ref)
 	}
 	if existing.State == initCredentialPlanStateClearRef && entry.State != initCredentialPlanStateClearRef {
 		entriesByKey[key] = entry
@@ -4584,13 +4709,10 @@ func deleteInteractiveInitProfile(session initSessionDraft, profileName string)
 			prunedRoutes = append(prunedRoutes, route)
 		}
 	}
-	fallbackDefault := configedit.FirstProfileName(withoutProfile(session.cfg.Profiles, profileName))
 	touchedOriginal, hadTouchedProfile := session.touchedProfiles[profileName]
 	pending := initPendingProfileDelete{
 		ProfileName:       profileName,
 		Profile:           cloneInitProfile(profile),
-		OriginalDefault:   session.cfg.DefaultProfile,
-		FallbackDefault:   fallbackDefault,
 		PrunedRoutes:      append([]config.RepositoryProfile(nil), prunedRoutes...),
 		WasActive:         session.workspace != nil && session.workspace.profileName == profileName,
 		HadTouchedProfile: hadTouchedProfile,
@@ -4598,9 +4720,6 @@ func deleteInteractiveInitProfile(session initSessionDraft, profileName string)
 	}
 	delete(session.cfg.Profiles, profileName)
 	session.cfg.RepositoryProfiles = configedit.PruneRepositoryProfileRoutes(session.cfg.RepositoryProfiles, profileName)
-	if session.cfg.DefaultProfile == profileName {
-		session.cfg.DefaultProfile = fallbackDefault
-	}
 	delete(session.touchedProfiles, profileName)
 	session.pendingProfileDeletes[profileName] = pending
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
@@ -4618,9 +4737,6 @@ func undoInteractiveInitProfileDelete(session initSessionDraft, profileName stri
 	}
 	session.cfg.Profiles[profileName] = cloneInitProfile(pending.Profile)
 	session.cfg.RepositoryProfiles = configedit.CanonicalRepositoryRoutes(append(append([]config.RepositoryProfile(nil), session.cfg.RepositoryProfiles...), pending.PrunedRoutes...))
-	if pending.OriginalDefault == profileName && session.cfg.DefaultProfile == pending.FallbackDefault {
-		session.cfg.DefaultProfile = profileName
-	}
 	if pending.HadTouchedProfile {
 		if session.touchedProfiles == nil {
 			session.touchedProfiles = map[string]string{}
@@ -4705,6 +4821,14 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 	_, profileRuntimeNames := buildInitLLMRuntimeInventory(session.cfg)
 	original := map[string]config.LLMConfig{}
 	applied := map[string]config.LLMConfig{}
+	var standaloneOriginal *config.LLMConfig
+	if session.cfg.LLMRuntimes != nil {
+		if runtime, ok := session.cfg.LLMRuntimes[runtimeName]; ok {
+			runtimeCopy := cloneInitLLMConfig(runtime)
+			standaloneOriginal = &runtimeCopy
+			delete(session.cfg.LLMRuntimes, runtimeName)
+		}
+	}
 	for profileName, selected := range profileRuntimeNames {
 		if selected != runtimeName {
 			continue
@@ -4719,14 +4843,15 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 		profile.LLM = nextLLM
 		session.cfg.Profiles[profileName] = profile
 	}
-	if len(original) == 0 {
+	if len(original) == 0 && standaloneOriginal == nil {
 		return initSessionDraft{}, exitcode.Usage(fmt.Errorf("LLM runtime %q is not deletable", runtimeName))
 	}
 	session.pendingLLMRuntimeDeletes[runtimeName] = initPendingLLMRuntimeDelete{
-		RuntimeName: runtimeName,
-		Replacement: replacement,
-		Applied:     applied,
-		Original:    original,
+		RuntimeName:        runtimeName,
+		Replacement:        replacement,
+		Applied:            applied,
+		Original:           original,
+		StandaloneOriginal: standaloneOriginal,
 	}
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
 }
@@ -4750,6 +4875,12 @@ func undoInteractiveInitLLMRuntimeDelete(session initSessionDraft, runtimeName s
 		profile.LLM = cloneInitLLMConfig(previous)
 		session.cfg.Profiles[profileName] = profile
 	}
+	if pending.StandaloneOriginal != nil {
+		if session.cfg.LLMRuntimes == nil {
+			session.cfg.LLMRuntimes = map[string]config.LLMConfig{}
+		}
+		session.cfg.LLMRuntimes[runtimeName] = cloneInitLLMConfig(*pending.StandaloneOriginal)
+	}
 	delete(session.pendingLLMRuntimeDeletes, runtimeName)
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
 }
@@ -4770,29 +4901,16 @@ func initLLMConfigForReplacement(profileName string, runtime initLLMRuntimeDraft
 	return llm, nil
 }
 
-func withoutProfile(profiles map[string]config.Profile, removed string) map[string]config.Profile {
-	if len(profiles) == 0 {
-		return nil
-	}
-	next := make(map[string]config.Profile, max(len(profiles)-1, 0))
-	for name, profile := range profiles {
-		if name == removed {
-			continue
-		}
-		next[name] = profile
-	}
-	return next
-}
-
 func initCredentialEntryKey(ref config.CredentialRef) string {
-	return strings.Join([]string{ref.Purpose, ref.Ref, ref.Mode, ref.Provider}, "\x00")
+	return strings.Join([]string{ref.Store, ref.Purpose, ref.Ref, ref.Mode, ref.Provider}, "\x00")
 }
 
 func initGitScopeDraftFromConfig(git config.GitConfig) initGitScopeDraft {
 	return initGitScopeDraft{
-		Host:          strings.TrimSpace(git.Host),
-		AuthMode:      git.AuthMode,
-		CredentialRef: strings.TrimSpace(git.CredentialRef),
+		Host:            strings.TrimSpace(git.Host),
+		AuthMode:        git.AuthMode,
+		CredentialStore: initCredentialStoreDraftValue(git.Credential.Store),
+		CredentialRef:   strings.TrimSpace(firstNonEmpty(git.Credential.Name, git.CredentialRef)),
 	}
 }
 
@@ -4800,6 +4918,7 @@ func (scope initGitScopeDraft) exportConfig(previous *config.GitConfig) config.G
 	git := config.GitConfig{
 		Host:          strings.TrimSpace(scope.Host),
 		AuthMode:      scope.AuthMode,
+		Credential:    initCredentialLocation(scope.CredentialStore, scope.CredentialRef),
 		CredentialRef: strings.TrimSpace(scope.CredentialRef),
 	}
 	if previous != nil && scope.matchesConfig(*previous) {
@@ -4813,6 +4932,7 @@ func (scope initGitScopeDraft) identityKey() string {
 	return strings.Join([]string{
 		config.NormalizeHost(scope.Host),
 		string(scope.AuthMode),
+		initCredentialStoreDraftValue(scope.CredentialStore),
 		strings.TrimSpace(scope.CredentialRef),
 	}, "\x00")
 }
@@ -4830,7 +4950,8 @@ func (scope initGitScopeDraft) suggestedName() string {
 func (scope initGitScopeDraft) matchesConfig(previous config.GitConfig) bool {
 	return config.NormalizeHost(previous.Host) == config.NormalizeHost(scope.Host) &&
 		previous.AuthMode == scope.AuthMode &&
-		strings.TrimSpace(previous.CredentialRef) == strings.TrimSpace(scope.CredentialRef)
+		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(scope.CredentialStore) &&
+		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(scope.CredentialRef)
 }
 
 func buildInitGitScopeInventory(cfg config.File) (map[string]initGitScopeDraft, map[string]string) {
@@ -4876,9 +4997,10 @@ func initReviewerEntityDraftFromConfig(profile config.Profile) initReviewerEntit
 		}
 	}
 	entity := initReviewerEntityDraft{
-		AuthMode:      profile.ReviewerCredentials.AuthMode,
-		CredentialRef: strings.TrimSpace(profile.ReviewerCredentials.CredentialRef),
-		DisplayName:   normalizeOptionalDisplayName(profile.ReviewerCredentials.DisplayName),
+		AuthMode:        profile.ReviewerCredentials.AuthMode,
+		CredentialStore: initCredentialStoreDraftValue(profile.ReviewerCredentials.Credential.Store),
+		CredentialRef:   strings.TrimSpace(firstNonEmpty(profile.ReviewerCredentials.Credential.Name, profile.ReviewerCredentials.CredentialRef)),
+		DisplayName:     normalizeOptionalDisplayName(profile.ReviewerCredentials.DisplayName),
 	}
 	switch profile.ReviewerCredentials.AuthMode {
 	case config.GitAuthModeGitHubApp:
@@ -4895,6 +5017,7 @@ func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCred
 	}
 	reviewer := &config.ReviewerCredentials{
 		AuthMode:      entity.AuthMode,
+		Credential:    initCredentialLocation(entity.CredentialStore, entity.CredentialRef),
 		CredentialRef: strings.TrimSpace(entity.CredentialRef),
 		DisplayName:   normalizeOptionalDisplayName(entity.DisplayName),
 	}
@@ -4911,6 +5034,7 @@ func (entity initReviewerEntityDraft) identityKey() string {
 	return strings.Join([]string{
 		string(entity.Kind),
 		string(entity.AuthMode),
+		initCredentialStoreDraftValue(entity.CredentialStore),
 		strings.TrimSpace(entity.CredentialRef),
 	}, "\x00")
 }
@@ -4930,7 +5054,8 @@ func (entity initReviewerEntityDraft) suggestedName() string {
 func (entity initReviewerEntityDraft) matchesConfig(previous config.ReviewerCredentials) bool {
 	return entity.Kind == initReviewerEntityDraftFromConfig(config.Profile{ReviewerCredentials: &previous}).Kind &&
 		previous.AuthMode == entity.AuthMode &&
-		strings.TrimSpace(previous.CredentialRef) == strings.TrimSpace(entity.CredentialRef)
+		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(entity.CredentialStore) &&
+		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
 }
 
 func buildInitReviewerEntityInventory(cfg config.File) (map[string]initReviewerEntityDraft, map[string]string) {
@@ -4992,11 +5117,12 @@ func uniqueInitReviewerEntityName(existing map[string]initReviewerEntityDraft, b
 
 func initLLMRuntimeDraftFromConfig(llm config.LLMConfig) initLLMRuntimeDraft {
 	runtime := initLLMRuntimeDraft{
-		Preset:        initLLMRuntimePresetCustom,
-		Provider:      llm.Provider,
-		Auth:          llm.Auth,
-		Adapter:       llm.Adapter,
-		CredentialRef: strings.TrimSpace(llm.CredentialRef),
+		Preset:          initLLMRuntimePresetCustom,
+		Provider:        llm.Provider,
+		Auth:            llm.Auth,
+		Adapter:         llm.Adapter,
+		CredentialStore: initCredentialStoreDraftValue(llm.Credential.Store),
+		CredentialRef:   strings.TrimSpace(firstNonEmpty(llm.Credential.Name, llm.CredentialRef)),
 	}
 	switch {
 	case runtime.Provider == config.LLMProviderAnthropic && runtime.Auth == config.LLMAuthSubscription && runtime.Adapter == config.LLMAdapterClaudeCLI:
@@ -5023,6 +5149,7 @@ func (runtime initLLMRuntimeDraft) exportConfig() config.LLMConfig {
 		Adapter:  runtime.Adapter,
 	}
 	if runtime.Auth == config.LLMAuthAPIKey {
+		llm.Credential = initCredentialLocation(runtime.CredentialStore, runtime.CredentialRef)
 		llm.CredentialRef = strings.TrimSpace(runtime.CredentialRef)
 	}
 	return llm
@@ -5033,6 +5160,7 @@ func (runtime initLLMRuntimeDraft) identityKey() string {
 		string(runtime.Provider),
 		string(runtime.Auth),
 		string(runtime.Adapter),
+		initCredentialStoreDraftValue(runtime.CredentialStore),
 		strings.TrimSpace(runtime.CredentialRef),
 	}, "\x00")
 }
@@ -5059,6 +5187,17 @@ func buildInitLLMRuntimeInventory(cfg config.File) (map[string]initLLMRuntimeDra
 	runtimes := map[string]initLLMRuntimeDraft{}
 	profileRuntimeNames := map[string]string{}
 	runtimeNamesByKey := map[string]string{}
+	rootRuntimeNames := make([]string, 0, len(cfg.LLMRuntimes))
+	for name := range cfg.LLMRuntimes {
+		rootRuntimeNames = append(rootRuntimeNames, name)
+	}
+	sort.Strings(rootRuntimeNames)
+	for _, name := range rootRuntimeNames {
+		runtime := initLLMRuntimeDraftFromConfig(cfg.LLMRuntimes[name])
+		runtime.Name = name
+		runtimes[name] = runtime
+		runtimeNamesByKey[runtime.identityKey()] = name
+	}
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
 		runtime := initLLMRuntimeDraftFromConfig(profile.LLM)
@@ -5113,6 +5252,39 @@ func cloneInitConfigFile(cfg config.File) config.File {
 		value := *cfg.Data.Retention.MaxAgeDays
 		cloned.Data.Retention.MaxAgeDays = &value
 	}
+	if cfg.LLMRuntimes != nil {
+		cloned.LLMRuntimes = make(map[string]config.LLMConfig, len(cfg.LLMRuntimes))
+		for name, runtime := range cfg.LLMRuntimes {
+			cloned.LLMRuntimes[name] = cloneInitLLMConfig(runtime)
+		}
+	}
+	cloned.Secrets = cloneInitSecretsConfig(cfg.Secrets)
+	return cloned
+}
+
+func cloneInitSecretsConfig(secrets config.SecretsConfig) config.SecretsConfig {
+	cloned := secrets
+	if secrets.Stores != nil {
+		cloned.Stores = make(map[string]config.SecretsStore, len(secrets.Stores))
+		for id, store := range secrets.Stores {
+			cloned.Stores[id] = cloneInitSecretsStore(store)
+		}
+	}
+	if secrets.Profiles != nil {
+		cloned.Profiles = make(map[string]config.SecretsProfile, len(secrets.Profiles))
+		for id, store := range secrets.Profiles {
+			cloned.Profiles[id] = cloneInitSecretsStore(store)
+		}
+	}
+	return cloned
+}
+
+func cloneInitSecretsStore(store config.SecretsStore) config.SecretsStore {
+	cloned := store
+	if store.Backend.OnePassword != nil {
+		onePassword := *store.Backend.OnePassword
+		cloned.Backend.OnePassword = &onePassword
+	}
 	return cloned
 }
 
@@ -5179,7 +5351,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	}
 	defaultGitRef, err := credentials.FormatRef(profileName)
 	if err != nil {
-		return config.Profile{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential ref segment: %w", profileName, err))
+		return config.Profile{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name segment: %w", profileName, err))
 	}
 	profile.Git.Host = strings.TrimSpace(draft.GitHost)
 	profile.Git.AuthMode = config.GitAuthMode(draft.GitAuth)
@@ -5187,6 +5359,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	if profile.Git.CredentialRef == "" {
 		profile.Git.CredentialRef = defaultGitRef
 	}
+	profile.Git.Credential = initCredentialLocation(draft.GitCredentialStore, profile.Git.CredentialRef)
 	// Changing the selected Git scope means any cached resolved identity may belong to the wrong host/auth pair.
 	if previousProfile != nil && !initGitScopeDraftFromConfig(profile.Git).matchesConfig(previousProfile.Git) {
 		profile.Git.IdentityCache = ""
@@ -5203,6 +5376,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		}
 		reviewer := config.ReviewerCredentials{
 			AuthMode:      config.GitAuthMode(draft.ReviewerAuth),
+			Credential:    initCredentialLocation(draft.ReviewerCredentialStore, reviewerRef),
 			CredentialRef: reviewerRef,
 			DisplayName:   normalizeOptionalDisplayName(draft.ReviewerDisplayName),
 		}
@@ -5227,8 +5401,10 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 			}
 		}
 		profile.LLM.CredentialRef = llmRef
+		profile.LLM.Credential = initCredentialLocationIfName(draft.LLMCredentialStore, llmRef)
 	} else {
 		profile.LLM.CredentialRef = ""
+		profile.LLM.Credential = config.CredentialLocation{}
 	}
 	if draft.ModelMapSet {
 		profile.LLM.ModelMap = normalizeInitModelMap(profile.LLM, draft.ModelMap)
@@ -5549,10 +5725,10 @@ func collectInteractiveInitRetentionConfig(opts *root.Options, deps initDeps, cf
 	return nextCfg, nil
 }
 
-func collectInteractiveInitKeyringBackendConfig(opts *root.Options, deps initDeps, backendFlagSet bool, cfg config.File) (config.File, error) {
+func collectInteractiveInitKeyringBackendConfig(opts *root.Options, deps initDeps, discoveryMode initSecretsBackendDiscoveryMode, backendFlagSet bool, cfg config.File) (config.File, error) {
 	prompter := deps.keyringPrompter
 	if prompter == nil {
-		prompter = newHuhInitKeyringBackendPrompter(opts)
+		prompter = newHuhInitKeyringBackendPrompter(opts, discoveryMode)
 	}
 	edit, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
 		Config:         cfg,
@@ -5568,24 +5744,10 @@ func collectInteractiveInitKeyringBackendConfig(opts *root.Options, deps initDep
 	nextCfg := cfg
 	if edit.HasConfigEdit {
 		nextCfg = config.Normalize(edit.Config)
-	} else {
-		nextCfg.Keyring.Backend = strings.TrimSpace(edit.Backend)
 	}
 	if err := validateInteractiveInitGlobalConfig(nextCfg); err != nil {
 		return config.File{}, cmderr.Config(err)
 	}
-	if backendFlagSet && nextCfg.Keyring.Backend != "" && nextCfg.Keyring.Backend != opts.Backend {
-		return config.File{}, exitcode.Usage(fmt.Errorf("--backend %q conflicts with selected keyring.backend %q", opts.Backend, nextCfg.Keyring.Backend))
-	}
-	if backendFlagSet {
-		if effectiveDefault, ok := config.EffectiveDefaultSecretsProfile(nextCfg); ok && effectiveDefault.Source == config.EffectiveSecretsProfileSourceConfigured {
-			name := strings.TrimSpace(effectiveDefault.Label)
-			if name == "" {
-				name = effectiveDefault.ID
-			}
-			return config.File{}, exitcode.Usage(fmt.Errorf("--backend %q conflicts with default secrets-management profile %q", opts.Backend, name))
-		}
-	}
 	return nextCfg, nil
 }
 
@@ -5601,7 +5763,7 @@ func validateInteractiveInitConfig(cfg config.File) error {
 	hadBrokenSecretsProfile := false
 	for name, profile := range recovered.Profiles {
 		selection := strings.TrimSpace(profile.SecretsProfile)
-		if selection == "" || selection == config.LegacyProjectedSecretsProfileID {
+		if selection == "" || selection == config.LocalOSCredentialStoreID {
 			continue
 		}
 		if _, ok := recovered.Secrets.Profiles[selection]; ok {
@@ -5621,8 +5783,8 @@ func validateInteractiveInitConfig(cfg config.File) error {
 }
 
 func validateInteractiveInitGlobalConfig(cfg config.File) error {
-	if len(cfg.Profiles) == 0 || strings.TrimSpace(cfg.DefaultProfile) == "" {
-		if err := config.ValidateKeyring(cfg.Keyring); err != nil {
+	if len(cfg.Profiles) == 0 {
+		if err := config.ValidateSecrets(cfg.Secrets); err != nil {
 			return err
 		}
 		return config.ValidateRetention(cfg.Data.Retention)
@@ -5630,13 +5792,10 @@ func validateInteractiveInitGlobalConfig(cfg config.File) error {
 	return validateInteractiveInitConfig(cfg)
 }
 
-func interactiveInitBackendArg(opts *root.Options, backendFlagSet bool, cfg config.File) string {
+func interactiveInitBackendArg(opts *root.Options, backendFlagSet bool, _ config.File) string {
 	if !backendFlagSet {
 		return ""
 	}
-	if strings.TrimSpace(cfg.Keyring.Backend) == strings.TrimSpace(opts.Backend) {
-		return ""
-	}
 	return fmt.Sprintf(" --backend %s", opts.Backend)
 }
 
@@ -5702,8 +5861,8 @@ type initReviewerCredentialCleanupGroup struct {
 
 func groupInitWritesByStore(entries []initCredentialPlanEntry, writes map[string]map[string]string, overwriteRefs map[string]bool) ([]initWriteGroup, error) {
 	if len(entries) == 0 {
-		// An empty credential plan means init is using the legacy/default store
-		// path, represented by the zero-value unresolved selection.
+		// An empty credential plan means init is using the legacy OS store path,
+		// represented by the zero-value unresolved selection.
 		return []initWriteGroup{{
 			Writes:        writes,
 			OverwriteRefs: overwriteRefs,
@@ -5810,10 +5969,6 @@ func activeReviewerCredentialEntriesByStoreRef(cfg config.File, fallback []initC
 	sort.Strings(profileNames)
 	for _, profileName := range profileNames {
 		profile := cfg.Profiles[profileName]
-		resolved, err := credentials.ResolveSecretsProfileForProfile(cfg, profile)
-		if err != nil {
-			return nil, nil, err
-		}
 		refs, err := config.CredentialRefs(profile)
 		if err != nil {
 			return nil, nil, err
@@ -5822,6 +5977,10 @@ func activeReviewerCredentialEntriesByStoreRef(cfg config.File, fallback []initC
 			if ref.Purpose != "reviewer_credentials" || strings.TrimSpace(ref.Ref) == "" {
 				continue
 			}
+			resolved, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+			if err != nil {
+				return nil, nil, err
+			}
 			specs, err := credentials.KeySpecsForPurpose(ref)
 			if err != nil {
 				return nil, nil, err
@@ -5862,10 +6021,17 @@ func initCredentialEntryChangesReviewerModeInPlace(entry initCredentialPlanEntry
 }
 
 func openInitStoreForEntry(deps initDeps, opts *root.Options, flagSet bool, cfg config.File, entry initCredentialPlanEntry) (initStore, error) {
-	if entry.SecretsProfile.IsNamed() {
-		return deps.openResolvedStore(entry.SecretsProfile, opts.Backend, flagSet, cfg)
+	backend := ""
+	if opts != nil {
+		backend = opts.Backend
+	}
+	if deps.openResolvedStore != nil {
+		return deps.openResolvedStore(entry.SecretsProfile, backend, flagSet, cfg)
 	}
-	return deps.openStore(opts.Backend, flagSet, cfg)
+	if !entry.SecretsProfile.IsNamed() && deps.openStore != nil {
+		return deps.openStore(backend, flagSet, cfg)
+	}
+	return nil, errors.New("credential store opener unavailable")
 }
 
 func collectInteractiveInitSecrets(_ *cobra.Command, opts *root.Options, deps initDeps, plan initWorkspaceDraft) (initWorkspaceDraft, error) {
@@ -5992,7 +6158,7 @@ func collectInteractiveInitSecrets(_ *cobra.Command, opts *root.Options, deps in
 			}
 			if action == initCredentialSecretActionKeep {
 				if !targetHasRequired {
-					return initWorkspaceDraft{}, exitcode.Usage(fmt.Errorf("%s credential ref %q does not have all required keys", initCredentialPurposeLabel(entry.Ref.Purpose), entry.Ref.Ref))
+					return initWorkspaceDraft{}, exitcode.Usage(fmt.Errorf("%s credential name %q does not have all required keys", initCredentialPurposeLabel(entry.Ref.Purpose), entry.Ref.Ref))
 				}
 				clearInitCredentialEntryDecisions(plan.credentialDecisions, entry)
 				plan.satisfiedRefs[entry.Ref.Ref] = true
@@ -6083,7 +6249,7 @@ func collectInteractiveInitSecrets(_ *cobra.Command, opts *root.Options, deps in
 			}
 			planned := entryWrites[entry.Ref.Ref]
 			if !initCredentialWritePlanSatisfiesEntry(entry, targetKeys, planned) {
-				return initWorkspaceDraft{}, exitcode.Usage(fmt.Errorf("%s credential ref %q still needs required keys; keep existing values or defer instead", initCredentialPurposeLabel(entry.Ref.Purpose), entry.Ref.Ref))
+				return initWorkspaceDraft{}, exitcode.Usage(fmt.Errorf("%s credential name %q still needs required keys; keep existing values or defer instead", initCredentialPurposeLabel(entry.Ref.Purpose), entry.Ref.Ref))
 			}
 			if len(planned) == 0 {
 				delete(plan.writes, entry.Ref.Ref)
@@ -6631,7 +6797,7 @@ func applyInteractiveInitSessionPlan(opts *root.Options, deps initDeps, plan ini
 			return cmderr.Config(err)
 		}
 		if len(touchedCredentialRefs) > 0 {
-			return fmt.Errorf("init updated credentials but failed to save config; credential refs needing cleanup: %v: %w", sortedCredentialRefSet(touchedCredentialRefs), err)
+			return fmt.Errorf("init updated credentials but failed to save config; credential names needing cleanup: %v: %w", sortedCredentialRefSet(touchedCredentialRefs), err)
 		}
 		return err
 	}
@@ -6681,19 +6847,19 @@ func interactiveInitSessionSummaryLines(plan initSessionPlan) []string {
 	}
 	if !reflect.DeepEqual(plan.originalCfg.Secrets, plan.cfg.Secrets) {
 		if changed := changedInitSecretsManagementProfileCount(plan.originalCfg.Secrets, plan.cfg.Secrets); changed > 0 {
-			lines = append(lines, fmt.Sprintf("secrets management: %d %s", changed, pluralizeInitSummary(changed, "profile", "profiles")))
+			lines = append(lines, fmt.Sprintf("secrets storage: %d %s", changed, pluralizeInitSummary(changed, "store", "stores")))
 		} else {
-			lines = append(lines, "secrets management")
+			lines = append(lines, "secrets storage")
 		}
 	}
 	if !reflect.DeepEqual(plan.originalCfg.Keyring, plan.cfg.Keyring) {
-		lines = append(lines, "default credential store")
+		lines = append(lines, "credential store settings")
 	}
 	if !reflect.DeepEqual(plan.originalCfg.Data.Retention, plan.cfg.Data.Retention) {
 		lines = append(lines, "global settings")
 	}
 	if len(plan.writes) > 0 {
-		lines = append(lines, fmt.Sprintf("credential secrets: %d %s", len(plan.writes), pluralizeInitSummary(len(plan.writes), "ref", "refs")))
+		lines = append(lines, fmt.Sprintf("credential secrets: %d %s", len(plan.writes), pluralizeInitSummary(len(plan.writes), "name", "names")))
 	}
 	if len(lines) == 0 {
 		lines = append(lines, "configuration saved")
@@ -6780,12 +6946,12 @@ func applyStaleReviewerCredentialCleanups(opts *root.Options, deps initDeps, bac
 	for _, group := range groups {
 		store, err := openInitStoreForEntry(deps, opts, backendFlagSet, cfg, initCredentialPlanEntry{SecretsProfile: group.Resolved})
 		if err != nil {
-			return cmderr.Credential(fmt.Errorf("init saved config before failing to open credential store for stale reviewer cleanup; stale credential refs needing manual cleanup: %v: %w", sortedCredentialEntryRefs(group.Entries), err))
+			return cmderr.Credential(fmt.Errorf("init saved config before failing to open credential store for stale reviewer cleanup; stale credential names needing manual cleanup: %v: %w", sortedCredentialEntryRefs(group.Entries), err))
 		}
 		cleanedRefs, err := deleteStaleReviewerCredentialKeysForRefs(store, group.Entries)
 		if err != nil {
 			_ = store.Close()
-			return cmderr.Credential(fmt.Errorf("init saved config before failing to delete stale reviewer keys on %s; stale credential refs needing manual cleanup: %v: %w", firstUncleanedReviewerCredentialRef(group.Entries, cleanedRefs), sortedCredentialEntryRefs(group.Entries), err))
+			return cmderr.Credential(fmt.Errorf("init saved config before failing to delete stale reviewer keys on %s; stale credential names needing manual cleanup: %v: %w", firstUncleanedReviewerCredentialRef(group.Entries, cleanedRefs), sortedCredentialEntryRefs(group.Entries), err))
 		}
 		_ = store.Close()
 	}
@@ -6891,7 +7057,7 @@ func applyInitPlan(opts *root.Options, flags initOptions, deps initDeps, plan in
 			return cmderr.Config(err)
 		}
 		if len(touchedCredentialRefs) > 0 {
-			return fmt.Errorf("init updated credentials but failed to save config for profile %q; credential refs needing cleanup: %v: %w", plan.profileName, sortedCredentialRefSet(touchedCredentialRefs), err)
+			return fmt.Errorf("init updated credentials but failed to save config for profile %q; credential names needing cleanup: %v: %w", plan.profileName, sortedCredentialRefSet(touchedCredentialRefs), err)
 		}
 		return err
 	}
@@ -6914,7 +7080,7 @@ func applyInitPlan(opts *root.Options, flags initOptions, deps initDeps, plan in
 	return writeErr
 }
 
-func writeInitCredentialPlanHints(w io.Writer, backendArg string, entry initCredentialPlanEntry) error {
+func writeInitCredentialPlanHints(w io.Writer, _ string, entry initCredentialPlanEntry) error {
 	keys := entry.MissingRequiredKeys
 	if len(keys) == 0 {
 		keys = initCredentialRequiredKeys(entry)
@@ -6923,8 +7089,15 @@ func writeInitCredentialPlanHints(w io.Writer, backendArg string, entry initCred
 	if hintLabel := initSecretsProfileHintLabel(entry.SecretsProfile); hintLabel != "" {
 		hintPrefix += hintLabel
 	}
+	storeID := strings.TrimSpace(entry.Ref.Store)
+	if storeID == "" {
+		storeID = strings.TrimSpace(entry.SecretsProfile.ID)
+	}
+	if storeID == "" {
+		storeID = config.LocalOSCredentialStoreID
+	}
 	for _, key := range keys {
-		if _, err := fmt.Fprintf(w, "%s: cr%s set-credential --ref %s --key %s --stdin\n", hintPrefix, backendArg, entry.Ref.Ref, key); err != nil {
+		if _, err := fmt.Fprintf(w, "%s: cr set-credential --store %s --name %s --key %s --stdin\n", hintPrefix, storeID, entry.Ref.Ref, key); err != nil {
 			return err
 		}
 	}
@@ -6971,10 +7144,6 @@ func planInitCredentialsWithConfig(cfg config.File, previousProfile *config.Prof
 	if err != nil {
 		return nil, err
 	}
-	resolvedSecretsProfile, err := credentials.ResolveSecretsProfileForProfile(cfg, desiredProfile)
-	if err != nil {
-		return nil, err
-	}
 	var previousRefs []config.CredentialRef
 	if previousProfile != nil {
 		previousRefs, err = config.CredentialRefs(*previousProfile)
@@ -6990,6 +7159,10 @@ func planInitCredentialsWithConfig(cfg config.File, previousProfile *config.Prof
 
 	entries := make([]initCredentialPlanEntry, 0, len(desiredRefs)+len(previousRefs))
 	for _, ref := range desiredRefs {
+		resolvedStore, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+		if err != nil {
+			return nil, err
+		}
 		specs, err := credentials.KeySpecsForPurpose(ref)
 		if err != nil {
 			return nil, err
@@ -7000,7 +7173,7 @@ func planInitCredentialsWithConfig(cfg config.File, previousProfile *config.Prof
 		}
 		entry := initCredentialPlanEntry{
 			Ref:              ref,
-			SecretsProfile:   resolvedSecretsProfile,
+			SecretsProfile:   resolvedStore,
 			KeySpecs:         append([]credentials.KeySpec(nil), specs...),
 			PlannedWriteKeys: writeKeys,
 		}
@@ -7017,9 +7190,14 @@ func planInitCredentialsWithConfig(cfg config.File, previousProfile *config.Prof
 		if _, ok := previousByPurpose[ref.Purpose]; !ok {
 			continue
 		}
+		resolvedStore, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+		if err != nil {
+			return nil, err
+		}
 		entries = append(entries, initCredentialPlanEntry{
-			Ref:   ref,
-			State: initCredentialPlanStateClearRef,
+			Ref:            ref,
+			SecretsProfile: resolvedStore,
+			State:          initCredentialPlanStateClearRef,
 		})
 	}
 	return entries, nil
@@ -7037,7 +7215,7 @@ func validateInitPlannedWriteKeys(ref config.CredentialRef, specs []credentials.
 		if _, ok := allowed[key]; ok {
 			continue
 		}
-		return fmt.Errorf("init credential planner: unexpected planned write key %q for %s ref %q", key, ref.Purpose, ref.Ref)
+		return fmt.Errorf("init credential planner: unexpected planned write key %q for %s credential name %q", key, ref.Purpose, ref.Ref)
 	}
 	return nil
 }
@@ -7074,6 +7252,7 @@ func classifyInitCredentialPlanEntry(entry initCredentialPlanEntry) initCredenti
 		return initCredentialPlanStateDefer
 	}
 	if entry.PreviousRef.Purpose == entry.Ref.Purpose &&
+		entry.PreviousRef.Store == entry.Ref.Store &&
 		entry.PreviousRef.Ref == entry.Ref.Ref &&
 		entry.PreviousRef.Mode == entry.Ref.Mode &&
 		entry.PreviousRef.Provider == entry.Ref.Provider {
@@ -7262,7 +7441,7 @@ func writeBundles(store initStore, writes map[string]map[string]string, overwrit
 				cleanupRefs = append(cleanupRefs, ref)
 			}
 			if len(cleanupRefs) > 0 {
-				return writtenRefs, fmt.Errorf("init wrote credentials before failing on %s; credential refs needing cleanup: %v: %w", ref, cleanupRefs, err)
+				return writtenRefs, fmt.Errorf("init wrote credentials before failing on %s; credential names needing cleanup: %v: %w", ref, cleanupRefs, err)
 			}
 			return writtenRefs, err
 		}
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index c1bb9ac8..39dbe1f7 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -2,25 +2,28 @@ package credentialcmd
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"reflect"
+	"regexp"
 	"runtime"
 	"slices"
 	"sort"
 	"strings"
 	"testing"
+	"time"
 
 	tea "github.com/charmbracelet/bubbletea"
 	"github.com/charmbracelet/huh"
 	"github.com/creack/pty"
 	"github.com/open-cli-collective/cli-common/credstore"
 	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v3"
 
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/exitcode"
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/root"
@@ -33,12 +36,13 @@ import (
 func TestSetCredentialStdinJSONWritesFileBackend(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	hermeticFileBackend(t)
+	saveCredentialTestConfig(t, path, testFileCredentialStoreConfig("work"))
 	cmd, out, _ := newTestCommand(path, strings.NewReader("distinctive-token\n"))
 
 	err := root.Execute(cmd, []string{
-		"--backend", "file",
 		"set-credential",
-		"--ref", "codereview/work",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work",
 		"--key", credentials.GitTokenKey,
 		"--stdin",
 		"--json",
@@ -53,39 +57,30 @@ func TestSetCredentialStdinJSONWritesFileBackend(t *testing.T) {
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.Ref != "codereview/work" || got.Key != credentials.GitTokenKey || !got.Written {
+	if got.Store != testFileCredentialStoreID || got.Name != "codereview/work" || got.Key != credentials.GitTokenKey || !got.Written {
 		t.Fatalf("credential write JSON = %#v, want written git token", got)
 	}
-	if got.Backend != "file" || got.BackendSource != "explicit" {
-		t.Fatalf("backend JSON = (%q,%q), want (file,explicit)", got.Backend, got.BackendSource)
+	if got.Backend != "file" || got.BackendSource != string(credentials.BackendSourceCredentialStore) {
+		t.Fatalf("backend JSON = (%q,%q), want (file,credential_store)", got.Backend, got.BackendSource)
 	}
 	assertStored(t, "work", credentials.GitTokenKey, "distinctive-token")
 }
 
-func TestSetCredentialUsesSelectedSecretsProfileStore(t *testing.T) {
+func TestSetCredentialUsesExplicitConfiguredStore(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	hermeticFileBackend(t)
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
-		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-file",
-			Profiles: map[string]config.SecretsProfile{
-				"work-file": {
-					Label:   "Work File Store",
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
-				},
-			},
-		},
+		Secrets: testFileSecretsConfig(),
 		Profiles: map[string]config.Profile{
-			"work": basicProfile("work"),
+			"work": profileWithCredentialStore(basicProfile("work"), testFileCredentialStoreID),
 		},
 	})
 	cmd, out, _ := newTestCommand(path, strings.NewReader("distinctive-token\n"))
 
 	err := root.Execute(cmd, []string{
 		"set-credential",
-		"--ref", "codereview/work",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work",
 		"--key", credentials.GitTokenKey,
 		"--stdin",
 		"--json",
@@ -97,8 +92,8 @@ func TestSetCredentialUsesSelectedSecretsProfileStore(t *testing.T) {
 	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 	}
-	if got.Backend != "file" || got.BackendSource != "secrets_profile" {
-		t.Fatalf("backend JSON = (%q,%q), want (file,secrets_profile)", got.Backend, got.BackendSource)
+	if got.Backend != "file" || got.BackendSource != string(credentials.BackendSourceCredentialStore) {
+		t.Fatalf("backend JSON = (%q,%q), want (file,credential_store)", got.Backend, got.BackendSource)
 	}
 	assertStored(t, "work", credentials.GitTokenKey, "distinctive-token")
 }
@@ -108,7 +103,8 @@ func TestSetCredentialRejectsLiteralIngress(t *testing.T) {
 
 	err := root.Execute(cmd, []string{
 		"set-credential",
-		"--ref", "codereview/work",
+		"--store", config.LocalOSCredentialStoreID,
+		"--name", "codereview/work",
 		"--key", credentials.GitTokenKey,
 		"--value=distinctive-token",
 	})
@@ -134,9 +130,9 @@ func TestSetCredentialRejectsDisallowedKeysBeforeIngress(t *testing.T) {
 			cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), failReader{})
 
 			err := root.Execute(cmd, []string{
-				"--backend", "memory",
 				"set-credential",
-				"--ref", "codereview/work",
+				"--store", config.LocalOSCredentialStoreID,
+				"--name", "codereview/work",
 				"--key", key,
 				"--stdin",
 			})
@@ -154,18 +150,17 @@ func TestSetCredentialUsesConfigCredentialMatrix(t *testing.T) {
 	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "file"},
+		Secrets: testFileSecretsConfig(),
 		Profiles: map[string]config.Profile{
-			"work": apiKeyProfile("work", config.LLMProviderAnthropic),
+			"work": profileWithCredentialStore(apiKeyProfile("work", config.LLMProviderAnthropic), testFileCredentialStoreID),
 		},
 	})
 
 	cmd, _, _ := newTestCommand(path, failReader{})
 	err := root.Execute(cmd, []string{
-		"--backend", "file",
 		"set-credential",
-		"--ref", "codereview/work-llm",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work-llm",
 		"--key", credentials.OpenAIAPIKeyKey,
 		"--stdin",
 	})
@@ -179,9 +174,9 @@ func TestSetCredentialUsesConfigCredentialMatrix(t *testing.T) {
 
 	cmd, _, _ = newTestCommand(path, strings.NewReader("openai-token"))
 	err = root.Execute(cmd, []string{
-		"--backend", "file",
 		"set-credential",
-		"--ref", "codereview/ad-hoc-openai",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/ad-hoc-openai",
 		"--key", credentials.OpenAIAPIKeyKey,
 		"--stdin",
 	})
@@ -192,9 +187,9 @@ func TestSetCredentialUsesConfigCredentialMatrix(t *testing.T) {
 
 	cmd, _, _ = newTestCommand(path, strings.NewReader("anthropic-token"))
 	err = root.Execute(cmd, []string{
-		"--backend", "file",
 		"set-credential",
-		"--ref", "codereview/work-llm",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work-llm",
 		"--key", credentials.AnthropicAPIKeyKey,
 		"--stdin",
 	})
@@ -205,65 +200,22 @@ func TestSetCredentialUsesConfigCredentialMatrix(t *testing.T) {
 	assertStored(t, "work-llm", credentials.AnthropicAPIKeyKey, "anthropic-token")
 }
 
-func TestSetCredentialRejectsAmbiguousRefAcrossSecretsProfilesBeforeIngress(t *testing.T) {
-	path := filepath.Join(t.TempDir(), "config.yml")
-	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
-		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-file",
-			Profiles: map[string]config.SecretsProfile{
-				"personal-keychain": {
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendKeychain)},
-				},
-				"work-file": {
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
-				},
-			},
-		},
-		Profiles: map[string]config.Profile{
-			"home": func() config.Profile {
-				p := basicProfile("home")
-				p.Git.CredentialRef = "codereview/shared"
-				p.SecretsProfile = "personal-keychain"
-				return p
-			}(),
-			"work": func() config.Profile {
-				p := basicProfile("work")
-				p.Git.CredentialRef = "codereview/shared"
-				return p
-			}(),
-		},
-	})
-	cmd, _, _ := newTestCommand(path, failReader{})
-
-	err := root.Execute(cmd, []string{
-		"set-credential",
-		"--ref", "codereview/shared",
-		"--key", credentials.GitTokenKey,
-		"--stdin",
-	})
-	if got := exitcode.FromError(err); got != exitcode.AuthConfigError {
-		t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.AuthConfigError, err)
-	}
-	if strings.Contains(err.Error(), "secret ingress was read") {
-		t.Fatalf("set-credential read secret ingress before rejecting ambiguity: %v", err)
-	}
-}
-
 func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "file"},
+		Secrets: testFileSecretsConfig(),
 		Profiles: map[string]config.Profile{
-			"work": basicProfile("work"),
+			"work": profileWithCredentialStore(basicProfile("work"), testFileCredentialStoreID),
 		},
 	}
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
+		AuthMode: config.GitAuthModeGitHubApp,
+		Credential: config.CredentialLocation{
+			Store: testFileCredentialStoreID,
+			Name:  "codereview/work-reviewer",
+		},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg.Profiles["work"] = work
@@ -271,9 +223,9 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 
 	cmd, _, _ := newTestCommand(path, failReader{})
 	err := root.Execute(cmd, []string{
-		"--backend", "file",
 		"set-credential",
-		"--ref", "codereview/work-reviewer",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work-reviewer",
 		"--key", credentials.GitTokenKey,
 		"--stdin",
 	})
@@ -294,9 +246,9 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 	} {
 		cmd, _, _ = newTestCommand(path, strings.NewReader(write.value))
 		err = root.Execute(cmd, []string{
-			"--backend", "file",
 			"set-credential",
-			"--ref", "codereview/work-reviewer",
+			"--store", testFileCredentialStoreID,
+			"--name", "codereview/work-reviewer",
 			"--key", write.key,
 			"--stdin",
 		})
@@ -316,15 +268,14 @@ func TestSetCredentialRejectsUnsupportedConfigBeforeIngress(t *testing.T) {
 	hermeticFileBackend(t)
 	t.Setenv("CR_FUTURE_TOKEN", "")
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeRawCredentialTestConfig(t, path, `default_profile: future
-keyring:
-  backend: file
-profiles:
+	writeRawCredentialTestConfig(t, path, `profiles:
   future:
     git:
       host: github.com
       auth_mode: oauth_device
-      credential_ref: codereview/future
+      credential:
+        store: local-os
+        name: codereview/future
     llm:
       provider: anthropic
       auth: subscription
@@ -340,9 +291,9 @@ profiles:
 		{
 			name: "stdin",
 			args: []string{
-				"--backend", "file",
 				"set-credential",
-				"--ref", "codereview/future",
+				"--store", config.LocalOSCredentialStoreID,
+				"--name", "codereview/future",
 				"--key", credentials.GitTokenKey,
 				"--stdin",
 			},
@@ -352,9 +303,9 @@ profiles:
 		{
 			name: "from-env",
 			args: []string{
-				"--backend", "file",
 				"set-credential",
-				"--ref", "codereview/future",
+				"--store", config.LocalOSCredentialStoreID,
+				"--name", "codereview/future",
 				"--key", credentials.GitTokenKey,
 				"--from-env", "CR_FUTURE_TOKEN",
 			},
@@ -380,12 +331,66 @@ profiles:
 }
 
 func TestSetCredentialExitCodeClasses(t *testing.T) {
-	t.Run("invalid backend flag", func(t *testing.T) {
+	t.Run("missing explicit destination", func(t *testing.T) {
+		for _, tt := range []struct {
+			name string
+			args []string
+			want string
+		}{
+			{
+				name: "store",
+				args: []string{"set-credential", "--name", "codereview/work", "--key", credentials.GitTokenKey, "--stdin"},
+				want: "--store is required",
+			},
+			{
+				name: "name",
+				args: []string{"set-credential", "--store", config.LocalOSCredentialStoreID, "--key", credentials.GitTokenKey, "--stdin"},
+				want: "--name is required",
+			},
+		} {
+			t.Run(tt.name, func(t *testing.T) {
+				cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), failReader{})
+				err := root.Execute(cmd, tt.args)
+				if got := exitcode.FromError(err); got != exitcode.UsageError {
+					t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
+				}
+				if err == nil || !strings.Contains(err.Error(), tt.want) {
+					t.Fatalf("error = %v, want %q", err, tt.want)
+				}
+				if strings.Contains(err.Error(), "secret ingress was read") {
+					t.Fatalf("set-credential read secret ingress before rejecting missing destination: %v", err)
+				}
+			})
+		}
+	})
+
+	t.Run("unknown store", func(t *testing.T) {
+		cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), failReader{})
+		err := root.Execute(cmd, []string{
+			"set-credential",
+			"--store", "missing-store",
+			"--name", "codereview/work",
+			"--key", credentials.GitTokenKey,
+			"--stdin",
+		})
+		if got := exitcode.FromError(err); got != exitcode.AuthConfigError {
+			t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.AuthConfigError, err)
+		}
+		if !errors.Is(err, config.ErrSecretsStoreNotFound) {
+			t.Fatalf("error = %v, want ErrSecretsStoreNotFound", err)
+		}
+		if strings.Contains(err.Error(), "secret ingress was read") {
+			t.Fatalf("set-credential read secret ingress before rejecting unknown store: %v", err)
+		}
+	})
+
+	t.Run("backend flag conflicts with credential store", func(t *testing.T) {
 		cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), strings.NewReader("token"))
 		err := root.Execute(cmd, []string{
 			"--backend", "bogus",
 			"set-credential",
-			"--ref", "codereview/work",
+			"--store", config.LocalOSCredentialStoreID,
+			"--name", "codereview/work",
 			"--key", credentials.GitTokenKey,
 			"--stdin",
 		})
@@ -397,9 +402,9 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 	t.Run("disallowed key", func(t *testing.T) {
 		cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), strings.NewReader("token"))
 		err := root.Execute(cmd, []string{
-			"--backend", "memory",
 			"set-credential",
-			"--ref", "codereview/work",
+			"--store", config.LocalOSCredentialStoreID,
+			"--name", "codereview/work",
 			"--key", "bad_key",
 			"--stdin",
 		})
@@ -411,9 +416,9 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 	t.Run("json error envelope", func(t *testing.T) {
 		cmd, out, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), strings.NewReader("token"))
 		err := root.Execute(cmd, []string{
-			"--backend", "memory",
 			"set-credential",
-			"--ref", "codereview/work",
+			"--store", config.LocalOSCredentialStoreID,
+			"--name", "codereview/work",
 			"--key", "bad_key",
 			"--stdin",
 			"--json",
@@ -425,7 +430,7 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 		if err := json.Unmarshal(out.Bytes(), &got); err != nil {
 			t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
 		}
-		if got.Written || got.Error == "" || got.Ref != "codereview/work" || got.Key != "bad_key" {
+		if got.Written || got.Error == "" || got.Store != config.LocalOSCredentialStoreID || got.Name != "codereview/work" || got.Key != "bad_key" {
 			t.Fatalf("credential write JSON = %#v, want written=false error envelope", got)
 		}
 	})
@@ -433,9 +438,9 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 	t.Run("wrong service ref", func(t *testing.T) {
 		cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), strings.NewReader("token"))
 		err := root.Execute(cmd, []string{
-			"--backend", "memory",
 			"set-credential",
-			"--ref", "other/work",
+			"--store", config.LocalOSCredentialStoreID,
+			"--name", "other/work",
 			"--key", credentials.GitTokenKey,
 			"--stdin",
 		})
@@ -447,11 +452,13 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 	t.Run("file backend without passphrase", func(t *testing.T) {
 		t.Setenv("XDG_DATA_HOME", t.TempDir())
 		t.Setenv("CODEREVIEW_KEYRING_PASSPHRASE", "")
-		cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), strings.NewReader("token"))
+		path := filepath.Join(t.TempDir(), "config.yml")
+		saveCredentialTestConfig(t, path, testFileCredentialStoreConfig("work"))
+		cmd, _, _ := newTestCommand(path, strings.NewReader("token"))
 		err := root.Execute(cmd, []string{
-			"--backend", "file",
 			"set-credential",
-			"--ref", "codereview/work",
+			"--store", testFileCredentialStoreID,
+			"--name", "codereview/work",
 			"--key", credentials.GitTokenKey,
 			"--stdin",
 		})
@@ -463,11 +470,13 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 	t.Run("existing without overwrite", func(t *testing.T) {
 		hermeticFileBackend(t)
 		seedFileBackend(t, "work", credentials.GitTokenKey, "first")
-		cmd, _, _ := newTestCommand(filepath.Join(t.TempDir(), "config.yml"), strings.NewReader("second"))
+		path := filepath.Join(t.TempDir(), "config.yml")
+		saveCredentialTestConfig(t, path, testFileCredentialStoreConfig("work"))
+		cmd, _, _ := newTestCommand(path, strings.NewReader("second"))
 		err := root.Execute(cmd, []string{
-			"--backend", "file",
 			"set-credential",
-			"--ref", "codereview/work",
+			"--store", testFileCredentialStoreID,
+			"--name", "codereview/work",
 			"--key", credentials.GitTokenKey,
 			"--stdin",
 		})
@@ -479,17 +488,12 @@ func TestSetCredentialExitCodeClasses(t *testing.T) {
 }
 
 func TestInitNonInteractiveWritesConfigAndSecret(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "init-token")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"init",
-		"--non-interactive",
-		"--git-token-from-env", "CR_GIT_TOKEN",
-	})
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.gitTokenEnv = "CR_GIT_TOKEN"
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -500,29 +504,25 @@ func TestInitNonInteractiveWritesConfigAndSecret(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "default" {
-		t.Fatalf("default_profile = %q, want default", cfg.DefaultProfile)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
 	}
-	if cfg.Keyring.Backend != "file" {
-		t.Fatalf("keyring.backend = %q, want file", cfg.Keyring.Backend)
+	profile := cfg.Profiles["default"]
+	if profile.Git.Credential.Store != config.LocalOSCredentialStoreID || profile.Git.Credential.Name != "codereview/default" {
+		t.Fatalf("git credential = %#v, want local-os codereview/default", profile.Git.Credential)
 	}
-	assertStored(t, "default", credentials.GitTokenKey, "init-token")
+	assertFakeStored(t, store, "default", credentials.GitTokenKey, "init-token")
 }
 
 func TestInitNonInteractiveWritesReviewerCredential(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "git-token")
 	t.Setenv("CR_REVIEWER_TOKEN", "reviewer-token")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"init",
-		"--non-interactive",
-		"--git-token-from-env", "CR_GIT_TOKEN",
-		"--reviewer-token-from-env", "CR_REVIEWER_TOKEN",
-	})
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.gitTokenEnv = "CR_GIT_TOKEN"
+	flags.reviewerTokenEnv = "CR_REVIEWER_TOKEN"
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -541,8 +541,11 @@ func TestInitNonInteractiveWritesReviewerCredential(t *testing.T) {
 	if reviewer.AuthMode != config.GitAuthModePAT || reviewer.CredentialRef != "codereview/default-reviewer" {
 		t.Fatalf("reviewer credentials = %#v, want pat codereview/default-reviewer", reviewer)
 	}
-	assertStored(t, "default", credentials.GitTokenKey, "git-token")
-	assertStored(t, "default-reviewer", credentials.GitTokenKey, "reviewer-token")
+	if reviewer.Credential.Store != config.LocalOSCredentialStoreID || reviewer.Credential.Name != "codereview/default-reviewer" {
+		t.Fatalf("reviewer credential = %#v, want local-os codereview/default-reviewer", reviewer.Credential)
+	}
+	assertFakeStored(t, store, "default", credentials.GitTokenKey, "git-token")
+	assertFakeStored(t, store, "default-reviewer", credentials.GitTokenKey, "reviewer-token")
 }
 
 func TestInitNonInteractiveWritesGitHubAppReviewerConfigOnly(t *testing.T) {
@@ -613,20 +616,14 @@ func TestInitGitHubAppReviewerRejectsTokenIngressBeforeRead(t *testing.T) {
 }
 
 func TestInitNonInteractiveWritesCustomReviewerCredentialFromStdin(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "git-token")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader("reviewer-token\n"))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"--profile", "work",
-		"init",
-		"--non-interactive",
-		"--git-token-from-env", "CR_GIT_TOKEN",
-		"--reviewer-credential-ref", "codereview/review-bot",
-		"--reviewer-token-stdin",
-	})
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.gitTokenEnv = "CR_GIT_TOKEN"
+	flags.reviewerRef = "codereview/review-bot"
+	flags.reviewerTokenStdin = true
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "work", strings.NewReader("reviewer-token\n"), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -637,31 +634,22 @@ func TestInitNonInteractiveWritesCustomReviewerCredentialFromStdin(t *testing.T)
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "work" {
-		t.Fatalf("default_profile = %q, want work", cfg.DefaultProfile)
-	}
 	reviewer := cfg.Profiles["work"].ReviewerCredentials
 	if reviewer == nil || reviewer.CredentialRef != "codereview/review-bot" {
 		t.Fatalf("reviewer credentials = %#v, want custom codereview/review-bot", reviewer)
 	}
-	assertStored(t, "work", credentials.GitTokenKey, "git-token")
-	assertStored(t, "review-bot", credentials.GitTokenKey, "reviewer-token")
+	assertFakeStored(t, store, "work", credentials.GitTokenKey, "git-token")
+	assertFakeStored(t, store, "review-bot", credentials.GitTokenKey, "reviewer-token")
 }
 
 func TestInitNonInteractiveDerivesReviewerRefFromStdinForProfile(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "git-token")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader("reviewer-token\n"))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"--profile", "work",
-		"init",
-		"--non-interactive",
-		"--git-token-from-env", "CR_GIT_TOKEN",
-		"--reviewer-token-stdin",
-	})
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.gitTokenEnv = "CR_GIT_TOKEN"
+	flags.reviewerTokenStdin = true
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "work", strings.NewReader("reviewer-token\n"), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -676,8 +664,8 @@ func TestInitNonInteractiveDerivesReviewerRefFromStdinForProfile(t *testing.T) {
 	if reviewer == nil || reviewer.CredentialRef != "codereview/work-reviewer" {
 		t.Fatalf("reviewer credentials = %#v, want derived codereview/work-reviewer", reviewer)
 	}
-	assertStored(t, "work", credentials.GitTokenKey, "git-token")
-	assertStored(t, "work-reviewer", credentials.GitTokenKey, "reviewer-token")
+	assertFakeStored(t, store, "work", credentials.GitTokenKey, "git-token")
+	assertFakeStored(t, store, "work-reviewer", credentials.GitTokenKey, "reviewer-token")
 }
 
 func TestInitNonInteractiveWritesProviderSpecificAPIKeySecret(t *testing.T) {
@@ -703,22 +691,17 @@ func TestInitNonInteractiveWritesProviderSpecificAPIKeySecret(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			hermeticFileBackend(t)
 			path := filepath.Join(t.TempDir(), "config.yml")
 			t.Setenv("CR_GIT_TOKEN", "git-token")
 			t.Setenv("CR_LLM_KEY", "llm-token")
-			cmd, out, errOut := newTestCommand(path, strings.NewReader(""))
-
-			err := root.Execute(cmd, []string{
-				"--backend", "file",
-				"init",
-				"--non-interactive",
-				"--git-token-from-env", "CR_GIT_TOKEN",
-				"--llm-provider", string(tt.provider),
-				"--llm-auth", string(config.LLMAuthAPIKey),
-				"--llm-adapter", string(tt.adapter),
-				"--llm-api-key-from-env", "CR_LLM_KEY",
-			})
+			store := newFakeInitStore(nil)
+			flags := defaultNonInteractiveInitOptionsForTest()
+			flags.gitTokenEnv = "CR_GIT_TOKEN"
+			flags.llmProvider = string(tt.provider)
+			flags.llmAuth = string(config.LLMAuthAPIKey)
+			flags.llmAdapter = string(tt.adapter)
+			flags.llmKeyEnv = "CR_LLM_KEY"
+			out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, store)
 			if err != nil {
 				t.Fatalf("Execute: %v", err)
 			}
@@ -733,28 +716,23 @@ func TestInitNonInteractiveWritesProviderSpecificAPIKeySecret(t *testing.T) {
 			if profile.LLM.Provider != tt.provider || profile.LLM.CredentialRef != "codereview/default-llm" {
 				t.Fatalf("LLM config = %#v, want provider %s default LLM ref", profile.LLM, tt.provider)
 			}
-			assertFileBundleKeys(t, "default", []string{credentials.GitTokenKey})
-			assertFileBundleKeys(t, "default-llm", []string{tt.key})
-			assertStored(t, "default-llm", tt.key, "llm-token")
+			assertFakeBundleKeys(t, store, "default", []string{credentials.GitTokenKey})
+			assertFakeBundleKeys(t, store, "default-llm", []string{tt.key})
+			assertFakeStored(t, store, "default-llm", tt.key, "llm-token")
 		})
 	}
 }
 
 func TestInitNonInteractiveWritesPiRPCProfile(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "git-token")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"init",
-		"--non-interactive",
-		"--git-token-from-env", "CR_GIT_TOKEN",
-		"--llm-provider", string(config.LLMProviderPi),
-		"--llm-auth", string(config.LLMAuthSubscription),
-		"--llm-adapter", string(config.LLMAdapterPiRPC),
-	})
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.gitTokenEnv = "CR_GIT_TOKEN"
+	flags.llmProvider = string(config.LLMProviderPi)
+	flags.llmAuth = string(config.LLMAuthSubscription)
+	flags.llmAdapter = string(config.LLMAdapterPiRPC)
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -772,8 +750,8 @@ func TestInitNonInteractiveWritesPiRPCProfile(t *testing.T) {
 		profile.LLM.CredentialRef != "" {
 		t.Fatalf("LLM config = %#v, want pi subscription pi_rpc without credential ref", profile.LLM)
 	}
-	assertFileBundleKeys(t, "default", []string{credentials.GitTokenKey})
-	assertStored(t, "default", credentials.GitTokenKey, "git-token")
+	assertFakeBundleKeys(t, store, "default", []string{credentials.GitTokenKey})
+	assertFakeStored(t, store, "default", credentials.GitTokenKey, "git-token")
 }
 
 func TestPlanInitCredentials(t *testing.T) {
@@ -861,7 +839,6 @@ func TestPlanInitCredentials(t *testing.T) {
 
 	t.Run("preserve custom refs across rename interactions", func(t *testing.T) {
 		cfg := config.File{
-			DefaultProfile: "work",
 			Profiles: map[string]config.Profile{
 				"work": {
 					Git: config.GitConfig{
@@ -904,9 +881,9 @@ func TestPlanInitCredentials(t *testing.T) {
 
 	t.Run("overwrite custom ref without writes is tracked separately", func(t *testing.T) {
 		previous := basicProfile("work")
-		previous.Git.CredentialRef = "codereview/custom-old"
+		previous.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-old"}
 		desired := previous
-		desired.Git.CredentialRef = "codereview/custom-new"
+		desired.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-new"}
 		entries, err := planInitCredentials(&previous, desired, nil)
 		if err != nil {
 			t.Fatalf("planInitCredentials: %v", err)
@@ -1078,7 +1055,6 @@ func TestLoadInteractiveCredentialPlanStatePreservesSettledEntriesWhenMixedPlanN
 
 func TestBuildInteractiveInitSessionPlanUsesOriginalProfileForRenamedTouchedProfile(t *testing.T) {
 	original := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": {
 				Git: config.GitConfig{
@@ -1160,8 +1136,8 @@ func TestInitRuntimeOnlyBackendIsCarriedIntoCredentialHint(t *testing.T) {
 	if cfg.Keyring.Backend != "" {
 		t.Fatalf("keyring.backend = %q, want empty runtime-only backend", cfg.Keyring.Backend)
 	}
-	if !strings.Contains(errOut.String(), "cr --backend memory set-credential") {
-		t.Fatalf("stderr = %q, want backend-preserving set-credential hint", errOut.String())
+	if !strings.Contains(errOut.String(), "cr set-credential --store local-os --name codereview/default --key git_token --stdin") {
+		t.Fatalf("stderr = %q, want explicit local-os set-credential hint", errOut.String())
 	}
 }
 
@@ -1187,8 +1163,8 @@ func TestInitReviewerConfigOnlyCarriesBackendIntoCredentialHint(t *testing.T) {
 	if reviewer == nil || reviewer.CredentialRef != "codereview/default-reviewer" {
 		t.Fatalf("reviewer credentials = %#v, want codereview/default-reviewer", reviewer)
 	}
-	if got := errOut.String(); !strings.Contains(got, "cr --backend file set-credential --ref codereview/default-reviewer --key git_token --stdin") {
-		t.Fatalf("stderr = %q, want backend-preserving reviewer set-credential hint", got)
+	if got := errOut.String(); !strings.Contains(got, "cr set-credential --store local-os --name codereview/default-reviewer --key git_token --stdin") {
+		t.Fatalf("stderr = %q, want explicit reviewer set-credential hint", got)
 	}
 	store := openFileStore(t)
 	defer store.Close()
@@ -1202,17 +1178,13 @@ func TestInitReviewerConfigOnlyCarriesBackendIntoCredentialHint(t *testing.T) {
 }
 
 func TestInitPersistsExplicitBackendWhenExistingAPIKeySatisfiesConfig(t *testing.T) {
-	hermeticFileBackend(t)
-	seedFileBackend(t, "default-llm", credentials.AnthropicAPIKeyKey, "llm-token")
 	path := filepath.Join(t.TempDir(), "config.yml")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"init",
-		"--non-interactive",
-		"--llm-auth", string(config.LLMAuthAPIKey),
+	store := newFakeInitStore(map[string]map[string]string{
+		"default-llm": {credentials.AnthropicAPIKeyKey: "llm-token"},
 	})
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.llmAuth = string(config.LLMAuthAPIKey)
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -1223,73 +1195,68 @@ func TestInitPersistsExplicitBackendWhenExistingAPIKeySatisfiesConfig(t *testing
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.Keyring.Backend != "file" {
-		t.Fatalf("keyring.backend = %q, want file", cfg.Keyring.Backend)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
+	}
+	if cfg.Profiles["default"].LLM.Credential.Store != config.LocalOSCredentialStoreID {
+		t.Fatalf("llm credential store = %q, want local-os", cfg.Profiles["default"].LLM.Credential.Store)
 	}
 }
 
 func TestInitAPIKeyAuthWithExistingKeyDoesNotPrintLLMFollowUpHint(t *testing.T) {
-	hermeticFileBackend(t)
-	seedFileBackend(t, "default-llm", credentials.AnthropicAPIKeyKey, "llm-token")
 	path := filepath.Join(t.TempDir(), "config.yml")
-	cmd, out, errOut := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"init",
-		"--non-interactive",
-		"--llm-auth", string(config.LLMAuthAPIKey),
+	store := newFakeInitStore(map[string]map[string]string{
+		"default-llm": {credentials.AnthropicAPIKeyKey: "llm-token"},
 	})
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.llmAuth = string(config.LLMAuthAPIKey)
+	out, errOut, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if strings.Contains(out.String()+errOut.String(), "llm-token") {
 		t.Fatalf("command output leaked secret: stdout=%q stderr=%q", out.String(), errOut.String())
 	}
-	if strings.Contains(errOut.String(), "--ref codereview/default-llm") {
+	if strings.Contains(errOut.String(), "--name codereview/default-llm") {
 		t.Fatalf("stderr = %q, want no llm follow-up hint when key already exists", errOut.String())
 	}
 }
 
 func TestInitReplaceProfilePreservesExistingCredentialRefsByDefault(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "file"},
+		Secrets: testFileSecretsConfig(),
 		Profiles: map[string]config.Profile{
-			"work": {
+			"work": profileWithCredentialStore(config.Profile{
 				Git: config.GitConfig{
 					Host:          "github.com",
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-git"},
 					CredentialRef: "codereview/custom-git",
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-reviewer"},
 					CredentialRef: "codereview/custom-reviewer",
 				},
 				LLM: config.LLMConfig{
 					Provider:      config.LLMProviderAnthropic,
 					Auth:          config.LLMAuthAPIKey,
 					Adapter:       config.LLMAdapterAnthropicAPI,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-llm"},
 					CredentialRef: "codereview/custom-llm",
 				},
-			},
+			}, testFileCredentialStoreID),
 		},
 	}
 	saveCredentialTestConfig(t, path, cfg)
-	seedFileBackend(t, "custom-llm", credentials.AnthropicAPIKeyKey, "llm-token")
-	cmd, _, _ := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"--profile", "work",
-		"init",
-		"--non-interactive",
-		"--replace-profile",
-		"--reviewer-auth-mode", string(config.GitAuthModePAT),
-		"--llm-auth", string(config.LLMAuthAPIKey),
+	store := newFakeInitStore(map[string]map[string]string{
+		"custom-llm": {credentials.AnthropicAPIKeyKey: "llm-token"},
 	})
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.replaceProfile = true
+	flags.llmAuth = string(config.LLMAuthAPIKey)
+	_, _, err := runNonInteractiveInitWithFakeStore(t, path, "work", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
@@ -1301,18 +1268,26 @@ func TestInitReplaceProfilePreservesExistingCredentialRefsByDefault(t *testing.T
 	if profile.Git.CredentialRef != "codereview/custom-git" {
 		t.Fatalf("git ref = %q, want preserved custom-git", profile.Git.CredentialRef)
 	}
+	if profile.Git.Credential.Store != testFileCredentialStoreID || profile.Git.Credential.Name != "codereview/custom-git" {
+		t.Fatalf("git credential = %#v, want preserved test-file custom-git", profile.Git.Credential)
+	}
 	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != "codereview/custom-reviewer" {
 		t.Fatalf("reviewer = %#v, want preserved custom-reviewer", profile.ReviewerCredentials)
 	}
+	if profile.ReviewerCredentials.Credential.Store != testFileCredentialStoreID || profile.ReviewerCredentials.Credential.Name != "codereview/custom-reviewer" {
+		t.Fatalf("reviewer credential = %#v, want preserved test-file custom-reviewer", profile.ReviewerCredentials.Credential)
+	}
 	if profile.LLM.CredentialRef != "codereview/custom-llm" {
 		t.Fatalf("llm ref = %q, want preserved custom-llm", profile.LLM.CredentialRef)
 	}
+	if profile.LLM.Credential.Store != testFileCredentialStoreID || profile.LLM.Credential.Name != "codereview/custom-llm" {
+		t.Fatalf("llm credential = %#v, want preserved test-file custom-llm", profile.LLM.Credential)
+	}
 }
 
 func TestInitReplaceProfileRefOverwriteEmitsFollowUpHint(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -1336,22 +1311,16 @@ func TestInitReplaceProfileRefOverwriteEmitsFollowUpHint(t *testing.T) {
 	if got.Profiles["work"].Git.CredentialRef != "codereview/rotated-git" {
 		t.Fatalf("git ref = %q, want rotated-git", got.Profiles["work"].Git.CredentialRef)
 	}
-	if !strings.Contains(errOut.String(), "set-credential --ref codereview/rotated-git --key git_token --stdin") {
+	if !strings.Contains(errOut.String(), "set-credential --store local-os --name codereview/rotated-git --key git_token --stdin") {
 		t.Fatalf("stderr = %q, want overwrite-ref follow-up hint", errOut.String())
 	}
 }
 
 func TestInitAPIKeyAuthRejectsMissingSecretWithoutWritingDanglingConfig(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
-	cmd, _, _ := newTestCommand(path, strings.NewReader(""))
-
-	err := root.Execute(cmd, []string{
-		"--backend", "file",
-		"init",
-		"--non-interactive",
-		"--llm-auth", string(config.LLMAuthAPIKey),
-	})
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.llmAuth = string(config.LLMAuthAPIKey)
+	_, _, err := runNonInteractiveInitWithFakeStore(t, path, "", strings.NewReader(""), flags, newFakeInitStore(nil))
 	if got := exitcode.FromError(err); got != exitcode.UsageError {
 		t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
 	}
@@ -1361,26 +1330,21 @@ func TestInitAPIKeyAuthRejectsMissingSecretWithoutWritingDanglingConfig(t *testi
 }
 
 func TestInitMergeReplaceAndBackendConflictSemantics(t *testing.T) {
-	hermeticFileBackend(t)
 	path := filepath.Join(t.TempDir(), "config.yml")
 	if err := config.Save(path, config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "file"},
+		Secrets: testFileSecretsConfig(),
 		Profiles: map[string]config.Profile{
-			"home": basicProfile("home"),
+			"home": profileWithCredentialStore(basicProfile("home"), testFileCredentialStoreID),
 		},
 	}); err != nil {
 		t.Fatalf("Save config: %v", err)
 	}
 
 	t.Setenv("CR_GIT_TOKEN", "work-token")
-	cmd, _, _ := newTestCommand(path, strings.NewReader(""))
-	err := root.Execute(cmd, []string{
-		"--profile", "work",
-		"init",
-		"--non-interactive",
-		"--git-token-from-env", "CR_GIT_TOKEN",
-	})
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.gitTokenEnv = "CR_GIT_TOKEN"
+	_, _, err := runNonInteractiveInitWithFakeStore(t, path, "work", strings.NewReader(""), flags, store)
 	if err != nil {
 		t.Fatalf("merge absent profile Execute: %v", err)
 	}
@@ -1388,14 +1352,15 @@ func TestInitMergeReplaceAndBackendConflictSemantics(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "home" {
-		t.Fatalf("default_profile = %q, want existing home", cfg.DefaultProfile)
-	}
 	if _, ok := cfg.Profiles["work"]; !ok {
 		t.Fatalf("work profile missing after merge: %#v", cfg.Profiles)
 	}
+	if cfg.Profiles["work"].Git.Credential.Store != config.LocalOSCredentialStoreID {
+		t.Fatalf("work git credential store = %q, want local-os for new profile", cfg.Profiles["work"].Git.Credential.Store)
+	}
+	assertFakeStored(t, store, "work", credentials.GitTokenKey, "work-token")
 
-	cmd, _, _ = newTestCommand(path, strings.NewReader(""))
+	cmd, _, _ := newTestCommand(path, strings.NewReader(""))
 	err = root.Execute(cmd, []string{"--profile", "work", "init", "--non-interactive"})
 	if got := exitcode.FromError(err); got != exitcode.UsageError {
 		t.Fatalf("existing profile exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
@@ -1410,14 +1375,13 @@ func TestInitMergeReplaceAndBackendConflictSemantics(t *testing.T) {
 		"--git-token-from-env", "CR_GIT_TOKEN",
 	})
 	if got := exitcode.FromError(err); got != exitcode.UsageError {
-		t.Fatalf("backend conflict exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
+		t.Fatalf("runtime backend conflict exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
 	}
 }
 
-func TestInitSetDefaultUpdatesExistingConfigWhenRequested(t *testing.T) {
+func TestInitSetDefaultFlagRemoved(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	if err := config.Save(path, config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": basicProfile("home"),
 		},
@@ -1430,23 +1394,16 @@ func TestInitSetDefaultUpdatesExistingConfigWhenRequested(t *testing.T) {
 		"--profile", "work",
 		"init",
 		"--non-interactive",
-		"--set-default",
+		"--set-" + "default",
 	})
-	if err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-
-	got, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load config: %v", err)
-	}
-	if got.DefaultProfile != "work" {
-		t.Fatalf("default_profile = %q, want work", got.DefaultProfile)
+	removedFlag := "--set-" + "default"
+	if err == nil || !strings.Contains(err.Error(), "unknown flag: "+removedFlag) {
+		t.Fatalf("Execute error = %v, want unknown %s flag", err, removedFlag)
 	}
 }
 
-func TestInitDurableKeyringBackendFlags(t *testing.T) {
-	t.Run("set backend", func(t *testing.T) {
+func TestInitDurableKeyringBackendFlagsRemoved(t *testing.T) {
+	t.Run("set backend flag is unavailable", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
 		cmd, _, _ := newTestCommand(path, strings.NewReader(""))
 
@@ -1455,24 +1412,14 @@ func TestInitDurableKeyringBackendFlags(t *testing.T) {
 			"--non-interactive",
 			"--keyring-backend", "file",
 		})
-		if err != nil {
-			t.Fatalf("Execute: %v", err)
-		}
-
-		got, err := config.Load(path)
-		if err != nil {
-			t.Fatalf("Load config: %v", err)
-		}
-		if got.Keyring.Backend != "file" {
-			t.Fatalf("keyring.backend = %q, want file", got.Keyring.Backend)
+		if got := exitcode.FromError(err); got != exitcode.UsageError {
+			t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
 		}
 	})
 
-	t.Run("reset backend", func(t *testing.T) {
+	t.Run("reset backend flag is unavailable", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
 		if err := config.Save(path, config.File{
-			DefaultProfile: "work",
-			Keyring:        config.KeyringConfig{Backend: "file"},
 			Profiles: map[string]config.Profile{
 				"work": basicProfile("work"),
 			},
@@ -1488,16 +1435,8 @@ func TestInitDurableKeyringBackendFlags(t *testing.T) {
 			"--replace-profile",
 			"--reset-keyring-backend",
 		})
-		if err != nil {
-			t.Fatalf("Execute: %v", err)
-		}
-
-		got, err := config.Load(path)
-		if err != nil {
-			t.Fatalf("Load config: %v", err)
-		}
-		if got.Keyring.Backend != "" {
-			t.Fatalf("keyring.backend = %q, want empty after reset", got.Keyring.Backend)
+		if got := exitcode.FromError(err); got != exitcode.UsageError {
+			t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
 		}
 	})
 }
@@ -1553,7 +1492,6 @@ func TestInitDisableReviewerClearsReviewerCredentials(t *testing.T) {
 		ResolveAfter:     "24h",
 	}
 	if err := config.Save(path, config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": existing,
 		},
@@ -1579,6 +1517,7 @@ func TestInitDisableReviewerClearsReviewerCredentials(t *testing.T) {
 	}
 	expected := existing
 	expected.ReviewerCredentials = nil
+	expected = normalizeTestProfile(expected)
 	if !reflect.DeepEqual(got.Profiles["work"], expected) {
 		t.Fatalf("saved profile = %#v, want %#v", got.Profiles["work"], expected)
 	}
@@ -1594,7 +1533,6 @@ func TestInitReplaceProfilePreservesReviewerDisplayNameWhenReviewerIdentityUncha
 		IdentityCache: "reviewer-cache",
 	}
 	if err := config.Save(path, config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": existing,
 		},
@@ -1672,7 +1610,6 @@ func TestInitLLMReviewerModelTierFlags(t *testing.T) {
 			ResolveAfter:     "24h",
 		}
 		if err := config.Save(path, config.File{
-			DefaultProfile: "work",
 			Profiles: map[string]config.Profile{
 				"work": existing,
 			},
@@ -1698,6 +1635,7 @@ func TestInitLLMReviewerModelTierFlags(t *testing.T) {
 		}
 		expected := existing
 		expected.LLM.ReviewerModelTier = ""
+		expected = normalizeTestProfile(expected)
 		if !reflect.DeepEqual(got.Profiles["work"], expected) {
 			t.Fatalf("saved profile = %#v, want %#v", got.Profiles["work"], expected)
 		}
@@ -1737,8 +1675,7 @@ func TestInitPlanApplyPreservesUnrelatedExistingConfig(t *testing.T) {
 		ResolveAfter:     "24h",
 	}
 	existing := config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "file"},
+		Keyring: config.KeyringConfig{Backend: "file"},
 		RepositoryProfiles: []config.RepositoryProfile{
 			{
 				Profile: "home",
@@ -1854,7 +1791,7 @@ func TestBuildNonInteractiveInitPlanDoesNotApplySideEffects(t *testing.T) {
 		t.Fatalf("plan path = %q, want %q", plan.path, path)
 	}
 	if _, ok := plan.cfg.Profiles["default"]; !ok {
-		t.Fatalf("plan config profiles = %#v, want default profile", plan.cfg.Profiles)
+		t.Fatalf("plan config profiles = %#v, want suggested profile", plan.cfg.Profiles)
 	}
 }
 
@@ -1940,7 +1877,6 @@ func TestBuildInteractiveInitWorkspaceDoesNotMutateInputConfig(t *testing.T) {
 	cfg := config.File{Profiles: map[string]config.Profile{}}
 	draft := initDraft{
 		ProfileName: "default",
-		MakeDefault: true,
 		GitHost:     "github.com",
 		GitAuth:     string(config.GitAuthModePAT),
 		LLMProvider: string(config.LLMProviderAnthropic),
@@ -1956,11 +1892,11 @@ func TestBuildInteractiveInitWorkspaceDoesNotMutateInputConfig(t *testing.T) {
 		t.Fatalf("input config mutated during workspace build: %#v", cfg.Profiles)
 	}
 	if _, ok := workspace.cfg.Profiles["default"]; !ok {
-		t.Fatalf("workspace config profiles = %#v, want draft default profile", workspace.cfg.Profiles)
+		t.Fatalf("workspace config profiles = %#v, want draft profile", workspace.cfg.Profiles)
 	}
 }
 
-func TestBuildInteractiveInitWorkspaceKeepsFirstProfileDefaultWhenDraftDoesNotOptIn(t *testing.T) {
+func TestBuildInteractiveInitWorkspaceOnlyCreatesNamedProfile(t *testing.T) {
 	opts := &root.Options{
 		Stdin:  strings.NewReader(""),
 		Stdout: &bytes.Buffer{},
@@ -1969,7 +1905,6 @@ func TestBuildInteractiveInitWorkspaceKeepsFirstProfileDefaultWhenDraftDoesNotOp
 	cfg := config.File{Profiles: map[string]config.Profile{}}
 	draft := initDraft{
 		ProfileName: "default",
-		MakeDefault: false,
 		GitHost:     "github.com",
 		GitAuth:     string(config.GitAuthModePAT),
 		LLMProvider: string(config.LLMProviderAnthropic),
@@ -1981,8 +1916,8 @@ func TestBuildInteractiveInitWorkspaceKeepsFirstProfileDefaultWhenDraftDoesNotOp
 	if err != nil {
 		t.Fatalf("buildInteractiveInitWorkspace: %v", err)
 	}
-	if got, want := workspace.cfg.DefaultProfile, "default"; got != want {
-		t.Fatalf("default profile = %q, want %q", got, want)
+	if _, ok := workspace.cfg.Profiles["default"]; !ok {
+		t.Fatalf("workspace config profiles = %#v, want draft profile", workspace.cfg.Profiles)
 	}
 }
 
@@ -1990,6 +1925,7 @@ func TestInitGitScopeDraftRoundTripPreservesIdentityCacheFromPreviousProfile(t *
 	git := config.GitConfig{
 		Host:          "https://github.mycompany.com/",
 		AuthMode:      config.GitAuthModeGitHubApp,
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work"},
 		CredentialRef: "codereview/work",
 		IdentityCache: "rianjs-work",
 	}
@@ -2006,14 +1942,16 @@ func TestInitGitScopeDraftExportClearsIdentityCacheWhenShapeChanges(t *testing.T
 	previous := config.GitConfig{
 		Host:          "https://github.mycompany.com/",
 		AuthMode:      config.GitAuthModeGitHubApp,
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work"},
 		CredentialRef: "codereview/work",
 		IdentityCache: "rianjs-work",
 	}
 
 	scope := initGitScopeDraft{
-		Host:          "github.mycompany.com",
-		AuthMode:      config.GitAuthModePAT,
-		CredentialRef: "codereview/work-2",
+		Host:            "github.mycompany.com",
+		AuthMode:        config.GitAuthModePAT,
+		CredentialStore: config.LocalOSCredentialStoreID,
+		CredentialRef:   "codereview/work-2",
 	}
 	exported := scope.exportConfig(&previous)
 
@@ -2046,6 +1984,7 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 				p := basicProfile("work")
 				p.ReviewerCredentials = &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 					CredentialRef: "codereview/work-reviewer",
 					IdentityCache: "review-bot",
 				}
@@ -2053,11 +1992,13 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 			}(),
 			previous: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModePAT,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-bot",
 			},
 			want: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModePAT,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-bot",
 			},
@@ -2069,6 +2010,7 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 				p := basicProfile("work")
 				p.ReviewerCredentials = &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 					CredentialRef: "codereview/work-reviewer",
 					IdentityCache: "review-app",
 				}
@@ -2076,11 +2018,13 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 			}(),
 			previous: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModeGitHubApp,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-app",
 			},
 			want: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModeGitHubApp,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-app",
 			},
@@ -2104,13 +2048,15 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 func TestInitReviewerEntityDraftExportClearsIdentityCacheWhenShapeChanges(t *testing.T) {
 	previous := &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 		CredentialRef: "codereview/work-reviewer",
 		IdentityCache: "review-app",
 	}
 	entity := initReviewerEntityDraft{
-		Kind:          initReviewerEntityKindPAT,
-		AuthMode:      config.GitAuthModePAT,
-		CredentialRef: "codereview/work-reviewer-2",
+		Kind:            initReviewerEntityKindPAT,
+		AuthMode:        config.GitAuthModePAT,
+		CredentialStore: config.LocalOSCredentialStoreID,
+		CredentialRef:   "codereview/work-reviewer-2",
 	}
 
 	exported := entity.exportConfig(previous)
@@ -2128,18 +2074,19 @@ func TestBuildInteractiveInitWorkspaceClearsReviewerDisplayNameWhenDraftLeavesIt
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": existing,
 		},
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerCredentialStore = config.LocalOSCredentialStoreID
 	draft.ReviewerCredentialRef = "codereview/work-reviewer"
 	draft.ReviewerDisplayName = ""
 
@@ -2162,8 +2109,8 @@ func TestBuildInitGitScopeInventoryDeduplicatesNormalizedGitHubEnterpriseHost(t
 	work.Git.Host = "github.mycompany.com"
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
 	work.Git.AuthMode = config.GitAuthModeGitHubApp
-	home.Git.CredentialRef = "codereview/shared-ghe"
-	work.Git.CredentialRef = "codereview/shared-ghe"
+	home.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-ghe"}
+	work.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-ghe"}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
 			"home": home,
@@ -2507,7 +2454,6 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 		DisplayName:   "Old work label",
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2524,7 +2470,7 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 	}
 	session = rebuildInteractiveInitWorkspace(session, "home")
 
-	draft := seedInteractiveInitDraft("home", "home", "home", &home)
+	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 	draft.ReviewerCredentialRef = "codereview/open-cli-collective-rianjs-bot-renamed"
@@ -2576,7 +2522,6 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRe
 		DisplayName:   "Old work label",
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2593,7 +2538,7 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRe
 	}
 	session = rebuildInteractiveInitWorkspace(session, "home")
 
-	draft := seedInteractiveInitDraft("home", "home", "home", &home)
+	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 	draft.ReviewerCredentialRef = ""
@@ -2643,7 +2588,6 @@ func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateS
 		DisplayName:   "Old work label",
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2660,7 +2604,7 @@ func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateS
 	}
 	session = rebuildInteractiveInitWorkspace(session, "home")
 
-	draft := seedInteractiveInitDraft("home", "home", "home", &home)
+	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = false
 	draft.ReviewerAuth = ""
 	draft.ReviewerCredentialRef = ""
@@ -2951,6 +2895,7 @@ func TestInitLLMRuntimeDraftFromConfigRecognizesKnownPresets(t *testing.T) {
 				Provider:      config.LLMProviderAnthropic,
 				Auth:          config.LLMAuthAPIKey,
 				Adapter:       config.LLMAdapterAnthropicAPI,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-llm"},
 				CredentialRef: "codereview/work-llm",
 			},
 			preset: initLLMRuntimePresetAnthropicAPIKey,
@@ -2961,6 +2906,7 @@ func TestInitLLMRuntimeDraftFromConfigRecognizesKnownPresets(t *testing.T) {
 				Provider:      config.LLMProviderOpenAI,
 				Auth:          config.LLMAuthAPIKey,
 				Adapter:       config.LLMAdapterOpenAIAPI,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-llm"},
 				CredentialRef: "codereview/work-llm",
 			},
 			preset: initLLMRuntimePresetOpenAIAPIKey,
@@ -2992,8 +2938,8 @@ func TestInitLLMRuntimeDraftFromConfigRecognizesKnownPresets(t *testing.T) {
 func TestBuildInitLLMRuntimeInventoryDeduplicatesSharedAPIKeyRuntime(t *testing.T) {
 	home := apiKeyProfile("home", config.LLMProviderOpenAI)
 	work := apiKeyProfile("work", config.LLMProviderOpenAI)
-	home.LLM.CredentialRef = "codereview/shared-llm"
-	work.LLM.CredentialRef = "codereview/shared-llm"
+	home.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
+	work.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
 			"home": home,
@@ -3018,6 +2964,42 @@ func TestBuildInitLLMRuntimeInventoryDeduplicatesSharedAPIKeyRuntime(t *testing.
 	}
 }
 
+func TestBuildInitLLMRuntimeInventoryIncludesStandaloneRuntimes(t *testing.T) {
+	home := basicProfile("home")
+	home.LLM = config.LLMConfig{
+		Provider: config.LLMProviderOpenAI,
+		Auth:     config.LLMAuthSubscription,
+		Adapter:  config.LLMAdapterCodexCLI,
+	}
+	cfg := config.File{
+		LLMRuntimes: map[string]config.LLMConfig{
+			"codex-cli": home.LLM,
+			"openai-api-key": {
+				Provider: config.LLMProviderOpenAI,
+				Auth:     config.LLMAuthAPIKey,
+				Adapter:  config.LLMAdapterOpenAIAPI,
+				Credential: config.CredentialLocation{
+					Store: config.LocalOSCredentialStoreID,
+					Name:  "codereview/openai-api-key",
+				},
+			},
+		},
+		Profiles: map[string]config.Profile{"home": home},
+	}
+
+	runtimes, profileRuntimeNames := buildInitLLMRuntimeInventory(cfg)
+
+	if len(runtimes) != 2 {
+		t.Fatalf("len(runtimes) = %d, want 2; runtimes=%#v", len(runtimes), runtimes)
+	}
+	if profileRuntimeNames["home"] != "codex-cli" {
+		t.Fatalf("profileRuntimeNames = %#v, want home to reuse standalone codex-cli", profileRuntimeNames)
+	}
+	if runtimes["openai-api-key"].CredentialRef != "codereview/openai-api-key" {
+		t.Fatalf("openai runtime = %#v, want configured credential ref", runtimes["openai-api-key"])
+	}
+}
+
 func TestInitLLMRuntimeLabelsDifferentiateSamePresetEntries(t *testing.T) {
 	first := initLLMRuntimeDraft{
 		Name:          "anthropic-api-key",
@@ -3039,8 +3021,8 @@ func TestInitLLMRuntimeLabelsDifferentiateSamePresetEntries(t *testing.T) {
 func TestBuildInitLLMRuntimeInventoryKeepsCrossProviderSameRefDistinct(t *testing.T) {
 	openAI := apiKeyProfile("home", config.LLMProviderOpenAI)
 	anthropic := apiKeyProfile("work", config.LLMProviderAnthropic)
-	openAI.LLM.CredentialRef = "codereview/shared-llm"
-	anthropic.LLM.CredentialRef = "codereview/shared-llm"
+	openAI.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
+	anthropic.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
 			"home": openAI,
@@ -3061,13 +3043,12 @@ func TestBuildInitLLMRuntimeInventoryKeepsCrossProviderSameRefDistinct(t *testin
 	}
 }
 
-func TestDeleteInteractiveInitProfilePrunesRoutesReselectsDefaultAndUndoRestores(t *testing.T) {
+func TestDeleteInteractiveInitProfilePrunesRoutesAndUndoRestores(t *testing.T) {
 	work := basicProfile("work")
 	alpha := basicProfile("alpha")
 	home := basicProfile("home")
 	session := initSessionDraft{
 		cfg: config.File{
-			DefaultProfile: "work",
 			RepositoryProfiles: []config.RepositoryProfile{
 				{
 					Profile: "work",
@@ -3104,9 +3085,6 @@ func TestDeleteInteractiveInitProfilePrunesRoutesReselectsDefaultAndUndoRestores
 	if _, ok := next.cfg.Profiles["work"]; ok {
 		t.Fatalf("profiles after delete = %#v, want work removed", next.cfg.Profiles)
 	}
-	if next.cfg.DefaultProfile != "alpha" {
-		t.Fatalf("default profile after delete = %q, want alpha", next.cfg.DefaultProfile)
-	}
 	if len(next.cfg.RepositoryProfiles) != 1 || next.cfg.RepositoryProfiles[0].Profile != "home" {
 		t.Fatalf("repository_profiles after delete = %#v, want only home route", next.cfg.RepositoryProfiles)
 	}
@@ -3124,9 +3102,6 @@ func TestDeleteInteractiveInitProfilePrunesRoutesReselectsDefaultAndUndoRestores
 	if err != nil {
 		t.Fatalf("undoInteractiveInitProfileDelete: %v", err)
 	}
-	if restored.cfg.DefaultProfile != "work" {
-		t.Fatalf("default profile after undo = %q, want work", restored.cfg.DefaultProfile)
-	}
 	if !reflect.DeepEqual(restored.cfg.Profiles["work"], work) {
 		t.Fatalf("restored work profile = %#v, want %#v", restored.cfg.Profiles["work"], work)
 	}
@@ -3155,7 +3130,6 @@ func TestDeleteInteractiveInitReviewerEntityClearsAffectedProfilesAndUndoSkipsRe
 	bot := basicProfile("bot")
 	session := initSessionDraft{
 		cfg: config.File{
-			DefaultProfile: "work",
 			Profiles: map[string]config.Profile{
 				"bot":  bot,
 				"home": home,
@@ -3211,7 +3185,6 @@ func TestDeleteInteractiveInitLLMRuntimeRebindsAffectedProfilesAndUndoSkipsReedi
 	}
 	session := initSessionDraft{
 		cfg: config.File{
-			DefaultProfile: "work",
 			Profiles: map[string]config.Profile{
 				"bot":  bot,
 				"home": home,
@@ -3274,16 +3247,15 @@ func TestBuildInteractiveInitWorkspaceImportsLLMRuntimeInventory(t *testing.T) {
 	}
 	home := apiKeyProfile("home", config.LLMProviderOpenAI)
 	work := apiKeyProfile("work", config.LLMProviderOpenAI)
-	home.LLM.CredentialRef = "codereview/shared-llm"
-	work.LLM.CredentialRef = "codereview/shared-llm"
+	home.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
+	work.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
 		},
 	}
-	draft := seedInteractiveInitDraft("home", "home", "home", &home)
+	draft := seedInteractiveInitDraft("home", "home", &home)
 
 	workspace, err := buildInteractiveInitWorkspace(&cobra.Command{}, opts, initOptions{}, initDeps{}, filepath.Join(t.TempDir(), "config.yml"), cfg, draft)
 	if err != nil {
@@ -3310,18 +3282,19 @@ func TestBuildInteractiveInitWorkspaceImportsGitScopeAndReviewerEntityInventory(
 	existing := basicProfile("work")
 	existing.Git.Host = "github.mycompany.com"
 	existing.Git.AuthMode = config.GitAuthModeGitHubApp
+	existing.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/office-git"}
 	existing.Git.CredentialRef = "codereview/office-git"
 	existing.Git.IdentityCache = "git-cache"
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/office-reviewer"},
 		CredentialRef: "codereview/office-reviewer",
 		IdentityCache: "reviewer-cache",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 
 	workspace, err := buildInteractiveInitWorkspace(&cobra.Command{}, opts, initOptions{}, initDeps{}, filepath.Join(t.TempDir(), "config.yml"), cfg, draft)
 	if err != nil {
@@ -3351,15 +3324,15 @@ func TestInitInteractivePromptDrivenFlowStillExportsReviewerNilAfterDraftInvento
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
-				ProfileName:      "office",
-				MakeDefault:      true,
-				GitHost:          "github.mycompany.com",
-				GitAuth:          string(config.GitAuthModePAT),
-				GitCredentialRef: "codereview/office-git",
-				ReviewerEnabled:  false,
-				LLMProvider:      string(config.LLMProviderAnthropic),
-				LLMAuth:          string(config.LLMAuthSubscription),
-				LLMAdapter:       string(config.LLMAdapterClaudeCLI),
+				ProfileName:        "office",
+				GitHost:            "github.mycompany.com",
+				GitAuth:            string(config.GitAuthModePAT),
+				GitCredentialStore: config.LocalOSCredentialStoreID,
+				GitCredentialRef:   "codereview/office-git",
+				ReviewerEnabled:    false,
+				LLMProvider:        string(config.LLMProviderAnthropic),
+				LLMAuth:            string(config.LLMAuthSubscription),
+				LLMAdapter:         string(config.LLMAdapterClaudeCLI),
 			}, nil
 		}),
 		configPath: func(*root.Options) (string, error) { return opts.ConfigPath, nil },
@@ -3370,7 +3343,7 @@ func TestInitInteractivePromptDrivenFlowStillExportsReviewerNilAfterDraftInvento
 		secretPrompter: &fakeInitSecretPrompter{
 			actions: []initCredentialSecretAction{initCredentialSecretActionKeep},
 		},
-		openStore: func(string, bool, config.File) (initStore, error) {
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
 			return newFakeInitStore(map[string]map[string]string{
 				"office-git": {credentials.GitTokenKey: "existing-token"},
 			}), nil
@@ -3405,17 +3378,18 @@ func TestInitInteractivePromptDrivenFlowStillExportsSeparateReviewerAfterDraftIn
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
-				ProfileName:           "office",
-				MakeDefault:           true,
-				GitHost:               "github.mycompany.com",
-				GitAuth:               string(config.GitAuthModePAT),
-				GitCredentialRef:      "codereview/office-git",
-				ReviewerEnabled:       true,
-				ReviewerAuth:          string(config.GitAuthModeGitHubApp),
-				ReviewerCredentialRef: "codereview/office-reviewer",
-				LLMProvider:           string(config.LLMProviderAnthropic),
-				LLMAuth:               string(config.LLMAuthSubscription),
-				LLMAdapter:            string(config.LLMAdapterClaudeCLI),
+				ProfileName:             "office",
+				GitHost:                 "github.mycompany.com",
+				GitAuth:                 string(config.GitAuthModePAT),
+				GitCredentialStore:      config.LocalOSCredentialStoreID,
+				GitCredentialRef:        "codereview/office-git",
+				ReviewerEnabled:         true,
+				ReviewerAuth:            string(config.GitAuthModeGitHubApp),
+				ReviewerCredentialStore: config.LocalOSCredentialStoreID,
+				ReviewerCredentialRef:   "codereview/office-reviewer",
+				LLMProvider:             string(config.LLMProviderAnthropic),
+				LLMAuth:                 string(config.LLMAuthSubscription),
+				LLMAdapter:              string(config.LLMAdapterClaudeCLI),
 			}, nil
 		}),
 		configPath: func(*root.Options) (string, error) { return opts.ConfigPath, nil },
@@ -3432,7 +3406,7 @@ func TestInitInteractivePromptDrivenFlowStillExportsSeparateReviewerAfterDraftIn
 				initCredentialSecretActionKeep,
 			},
 		},
-		openStore: func(string, bool, config.File) (initStore, error) {
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
 			return newFakeInitStore(map[string]map[string]string{
 				"office-git": {
 					credentials.GitTokenKey: "existing-git-token",
@@ -3471,7 +3445,6 @@ func TestCollectInteractiveInitSecretsRecordsDraftWritesBeforeApply(t *testing.T
 	cfg := config.File{Profiles: map[string]config.Profile{}}
 	draft := initDraft{
 		ProfileName: "default",
-		MakeDefault: true,
 		GitHost:     "github.com",
 		GitAuth:     string(config.GitAuthModePAT),
 		LLMProvider: string(config.LLMProviderAnthropic),
@@ -3496,7 +3469,9 @@ func TestCollectInteractiveInitSecretsRecordsDraftWritesBeforeApply(t *testing.T
 			t.Fatal("clipboard should not be read")
 			return "", nil
 		},
-		openStore: func(string, bool, config.File) (initStore, error) { return store, nil },
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
+			return store, nil
+		},
 	}
 
 	workspace, err = collectInteractiveInitSecrets(&cobra.Command{}, opts, deps, workspace)
@@ -3584,17 +3559,23 @@ func TestCollectInteractiveInitSecretsPassesDestinationToSharedCredentialPrompts
 		t.Fatalf("writes = %#v, want three staged credential refs", workspace.writes)
 	}
 	for _, prompt := range prompter.actionPrompts {
-		if !strings.Contains(prompt.Destination, "Destination: "+prompt.Entry.Ref.Ref+" via Team Vault (Encrypted file)") {
+		if !strings.Contains(prompt.Destination, "Destination: Team Vault / "+prompt.Entry.Ref.Ref) ||
+			!strings.Contains(prompt.Destination, "Credential store: team-vault") ||
+			!strings.Contains(prompt.Destination, "Backend kind: file") {
 			t.Fatalf("action prompt destination = %q for %#v", prompt.Destination, prompt.Entry.Ref)
 		}
 	}
 	for _, prompt := range prompter.sourcePrompts {
-		if !strings.Contains(prompt.Destination, "Destination: "+prompt.Entry.Ref.Ref+" via Team Vault (Encrypted file)") {
+		if !strings.Contains(prompt.Destination, "Destination: Team Vault / "+prompt.Entry.Ref.Ref) ||
+			!strings.Contains(prompt.Destination, "Credential store: team-vault") ||
+			!strings.Contains(prompt.Destination, "Backend kind: file") {
 			t.Fatalf("source prompt destination = %q for %#v", prompt.Destination, prompt.Entry.Ref)
 		}
 	}
 	for _, prompt := range prompter.pastePrompts {
-		if !strings.Contains(prompt.Destination, "Destination: "+prompt.Entry.Ref.Ref+" via Team Vault (Encrypted file)") {
+		if !strings.Contains(prompt.Destination, "Destination: Team Vault / "+prompt.Entry.Ref.Ref) ||
+			!strings.Contains(prompt.Destination, "Credential store: team-vault") ||
+			!strings.Contains(prompt.Destination, "Backend kind: file") {
 			t.Fatalf("paste prompt destination = %q for %#v", prompt.Destination, prompt.Entry.Ref)
 		}
 	}
@@ -3613,11 +3594,11 @@ func TestCollectInteractiveInitSecretsDestinationUsesRawRuntimeBackend(t *testin
 		credentialPlan: []initCredentialPlanEntry{{
 			Ref: config.CredentialRef{Purpose: "git", Ref: "codereview/work", Mode: string(config.GitAuthModePAT)},
 			SecretsProfile: credentials.ResolvedSecretsProfile{
-				ID:              config.LegacyProjectedSecretsProfileID,
-				Label:           "Legacy default",
-				Backend:         config.ProjectedLegacySecretsBackendKind,
+				ID:              config.LocalOSCredentialStoreID,
+				Label:           "OS credential store",
+				Backend:         config.ProjectedOSCredentialStoreBackendKind,
 				Source:          config.EffectiveSecretsProfileSourceProjectedLegacy,
-				SelectionSource: credentials.SecretsProfileSelectionLegacyDefault,
+				SelectionSource: credentials.SecretsProfileSelectionBuiltInOS,
 			},
 			KeySpecs:            []credentials.KeySpec{{Key: credentials.GitTokenKey, Required: true}},
 			MissingRequiredKeys: []string{credentials.GitTokenKey},
@@ -3633,7 +3614,8 @@ func TestCollectInteractiveInitSecretsDestinationUsesRawRuntimeBackend(t *testin
 		t.Fatalf("action prompts = %d, want 1", len(prompter.actionPrompts))
 	}
 	destination := prompter.actionPrompts[0].Destination
-	if !strings.Contains(destination, "Destination: codereview/work via Legacy default (In-memory store)") {
+	if !strings.Contains(destination, "Destination: "+initBuiltInOSCredentialStoreTitle()+" / codereview/work") ||
+		!strings.Contains(destination, "Backend kind: memory") {
 		t.Fatalf("destination = %q, want raw runtime backend metadata", destination)
 	}
 	if strings.Contains(destination, "credential destination unavailable") {
@@ -3654,11 +3636,11 @@ func TestCollectInteractiveInitSecretsDestinationUsesInferredDefaultBackend(t *t
 		credentialPlan: []initCredentialPlanEntry{{
 			Ref: config.CredentialRef{Purpose: "git", Ref: "codereview/work", Mode: string(config.GitAuthModePAT)},
 			SecretsProfile: credentials.ResolvedSecretsProfile{
-				ID:              config.LegacyProjectedSecretsProfileID,
-				Label:           "Legacy default",
-				Backend:         config.ProjectedLegacySecretsBackendKind,
+				ID:              config.LocalOSCredentialStoreID,
+				Label:           "OS credential store",
+				Backend:         config.ProjectedOSCredentialStoreBackendKind,
 				Source:          config.EffectiveSecretsProfileSourceProjectedLegacy,
-				SelectionSource: credentials.SecretsProfileSelectionLegacyDefault,
+				SelectionSource: credentials.SecretsProfileSelectionBuiltInOS,
 			},
 			KeySpecs:            []credentials.KeySpec{{Key: credentials.GitTokenKey, Required: true}},
 			MissingRequiredKeys: []string{credentials.GitTokenKey},
@@ -3672,8 +3654,9 @@ func TestCollectInteractiveInitSecretsDestinationUsesInferredDefaultBackend(t *t
 		t.Fatalf("action prompts = %d, want 1", len(prompter.actionPrompts))
 	}
 	destination := prompter.actionPrompts[0].Destination
-	if !strings.Contains(destination, initAutomaticOSDefaultSecretsBackendLabel()) {
-		t.Fatalf("destination = %q, want inferred automatic backend copy", destination)
+	if !strings.Contains(destination, "Destination: "+initBuiltInOSCredentialStoreTitle()+" / codereview/work") ||
+		!strings.Contains(destination, "Backend kind: auto") {
+		t.Fatalf("destination = %q, want inferred built-in credential-store copy", destination)
 	}
 	if strings.Contains(destination, "credential destination unavailable") {
 		t.Fatalf("destination = %q, want available inferred backend summary", destination)
@@ -3696,7 +3679,9 @@ func TestCollectInteractiveInitSecretsSourceBackReturnsToCredentialChoices(t *te
 			t.Fatal("clipboard should not be read")
 			return "", nil
 		},
-		openStore: func(string, bool, config.File) (initStore, error) { return store, nil },
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
+			return store, nil
+		},
 	}, testInitSecretWorkspace())
 	if err != nil {
 		t.Fatalf("collectInteractiveInitSecrets: %v", err)
@@ -3727,7 +3712,9 @@ func TestCollectInteractiveInitSecretsPasteBackReturnsToSourceChoices(t *testing
 			clipboardReads++
 			return "clipboard-token", nil
 		},
-		openStore: func(string, bool, config.File) (initStore, error) { return store, nil },
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
+			return store, nil
+		},
 	}, testInitSecretWorkspace())
 	if err != nil {
 		t.Fatalf("collectInteractiveInitSecrets: %v", err)
@@ -3766,7 +3753,9 @@ func TestCollectInteractiveInitSecretsBackAfterPartialMultiKeyWriteDiscardsScrat
 			t.Fatal("clipboard should not be read")
 			return "", nil
 		},
-		openStore: func(string, bool, config.File) (initStore, error) { return store, nil },
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
+			return store, nil
+		},
 	}, testInitMultiKeySecretWorkspace())
 	if err != nil {
 		t.Fatalf("collectInteractiveInitSecrets: %v", err)
@@ -3803,11 +3792,11 @@ func TestCollectInteractiveInitSecretsMapsNamedSecretsProfileOpenConflictAsConfi
 			return "", nil
 		},
 		openStore: func(string, bool, config.File) (initStore, error) {
-			t.Fatal("legacy openStore should not be used for named secrets profile")
+			t.Fatal("legacy openStore should not be used for configured credential stores")
 			return nil, nil
 		},
 		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
-			return nil, fmt.Errorf("%w: named secrets-management profile conflict", config.ErrInvalid)
+			return nil, fmt.Errorf("%w: configured credential store conflict", config.ErrInvalid)
 		},
 	}, workspace)
 	if !errors.Is(err, config.ErrInvalid) {
@@ -3839,11 +3828,11 @@ func TestCollectInteractiveInitSessionSecretsMapsNamedSecretsProfileLoadConflict
 
 	_, err := collectInteractiveInitSessionSecrets(&root.Options{Backend: "memory"}, initDeps{
 		openStore: func(string, bool, config.File) (initStore, error) {
-			t.Fatal("legacy openStore should not be used for named secrets profile")
+			t.Fatal("legacy openStore should not be used for configured credential stores")
 			return nil, nil
 		},
 		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
-			return nil, fmt.Errorf("%w: named secrets-management profile conflict", config.ErrInvalid)
+			return nil, fmt.Errorf("%w: configured credential store conflict", config.ErrInvalid)
 		},
 	}, plan)
 	if !errors.Is(err, config.ErrInvalid) {
@@ -3881,7 +3870,7 @@ func TestMergeInteractiveInitSessionPlanEntryRejectsSameRefAcrossDifferentSecret
 	if !errors.Is(err, config.ErrInvalid) {
 		t.Fatalf("merge conflicting entry error = %v, want ErrInvalid", err)
 	}
-	if !strings.Contains(err.Error(), "multiple secrets-management profiles") {
+	if !strings.Contains(err.Error(), "multiple credential stores") {
 		t.Fatalf("merge conflicting entry error = %v, want conflict detail", err)
 	}
 }
@@ -4005,7 +3994,7 @@ func TestWriteInitCredentialPlanHintsForDeferredGitHubAppUsesRequiredKeysOnly(t
 	}
 	got := stderr.String()
 	for _, key := range []string{credentials.GitHubAppIDKey, credentials.GitHubAppPrivateKeyKey} {
-		if !strings.Contains(got, "cr set-credential --ref codereview/rianjs-bot --key "+key+" --stdin") {
+		if !strings.Contains(got, "cr set-credential --store local-os --name codereview/rianjs-bot --key "+key+" --stdin") {
 			t.Fatalf("stderr = %q, want required setup hint for %s", got, key)
 		}
 	}
@@ -4019,11 +4008,11 @@ func TestHuhInitPrompterAccessiblePrefillsExistingProfile(t *testing.T) {
 	existing := apiKeyProfile("work", config.LLMProviderOpenAI)
 	existing.Git.Host = "gitlab.com"
 	existing.Git.AuthMode = config.GitAuthModeGitHubApp
-	existing.Git.CredentialRef = "codereview/custom-git"
+	existing.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-git"}
 	existing.LLM.ReviewerModelTier = config.ModelTierMedium
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/custom-reviewer",
+		AuthMode:   config.GitAuthModeGitHubApp,
+		Credential: config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-reviewer"},
 	}
 	var stderr bytes.Buffer
 	prompter := huhInitPrompter{
@@ -4066,9 +4055,7 @@ func TestHuhInitPrompterAccessiblePrefillsExistingProfile(t *testing.T) {
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
 		ExistingProfileNames: []string{"work"},
-		DefaultProfileName:   "work",
 		ExistingConfig: config.File{
-			DefaultProfile: "work",
 			RepositoryProfiles: []config.RepositoryProfile{{
 				Profile: "work",
 				Match: config.RepositoryProfileMatch{
@@ -4098,9 +4085,6 @@ func TestHuhInitPrompterAccessiblePrefillsExistingProfile(t *testing.T) {
 	if draft.ProfileName != "work" || draft.OriginalProfileName != "work" {
 		t.Fatalf("draft profile = %#v, want existing work prefill", draft)
 	}
-	if !draft.MakeDefault {
-		t.Fatal("draft.MakeDefault = false, want existing default true")
-	}
 	if draft.GitHost != "gitlab.com" || draft.GitAuth != string(config.GitAuthModeGitHubApp) || draft.GitCredentialRef != "codereview/custom-git" {
 		t.Fatalf("git draft = %#v, want existing values", draft)
 	}
@@ -4148,11 +4132,15 @@ func TestHuhInitPrompterAccessiblePrefillsExistingProfile(t *testing.T) {
 	if strings.Contains(strings.ToLower(out), "paste a secret") {
 		t.Fatalf("wizard output unexpectedly requested secret ingress: %q", out)
 	}
-	if strings.Contains(out, "Default profile") || strings.Contains(out, "This profile is already the default profile.") {
-		t.Fatalf("wizard output still shows default-profile prompt in profile editor: %q", out)
+	staleProfileHeading := "Default " + "profile"
+	staleAlreadySelected := "This profile is already the " + "default " + "profile."
+	if strings.Contains(out, staleProfileHeading) || strings.Contains(out, staleAlreadySelected) {
+		t.Fatalf("wizard output still shows removed profile-selection prompt in profile editor: %q", out)
 	}
-	if strings.Contains(out, "Make this the default profile") || strings.Contains(out, "No, keep the current default profile") {
-		t.Fatalf("wizard output contains stale default-profile select copy: %q", out)
+	staleMakeSelected := "Make this the " + "default " + "profile"
+	staleKeepSelected := "No, keep the current " + "default " + "profile"
+	if strings.Contains(out, staleMakeSelected) || strings.Contains(out, staleKeepSelected) {
+		t.Fatalf("wizard output contains removed profile-selection copy: %q", out)
 	}
 }
 
@@ -4160,7 +4148,6 @@ func TestHuhInitPrompterAccessibleOmitsSecretsManagementFromProfileEditor(t *tes
 	t.Setenv("TERM", "dumb")
 	work := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Secrets: config.SecretsConfig{
 			Profiles: map[string]config.SecretsProfile{
 				"team-vault": {
@@ -4218,7 +4205,6 @@ func TestHuhInitPrompterAccessibleOmitsSecretsManagementFromProfileEditor(t *tes
 		ExistingProfileName:          "work",
 		ExistingProfile:              &work,
 		ExistingProfileNames:         []string{"work"},
-		DefaultProfileName:           "work",
 		ExistingConfig:               cfg,
 		GitScopes:                    gitScopes,
 		ProfileGitScopes:             profileGitScopes,
@@ -4252,7 +4238,6 @@ func TestHuhInitPrompterAccessibleKeepsFallbackReviewerSelectedInMixedInventory(
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -4292,7 +4277,6 @@ func TestHuhInitPrompterAccessibleKeepsFallbackReviewerSelectedInMixedInventory(
 		ExistingProfileName:     "home",
 		ExistingProfile:         &home,
 		ExistingProfileNames:    []string{"home"},
-		DefaultProfileName:      "home",
 		ExistingConfig:          cfg,
 		GitScopes:               gitScopes,
 		ProfileGitScopes:        profileGitScopes,
@@ -4321,7 +4305,6 @@ func TestHuhInitPrompterAccessibleConfiguredReviewerHidesInlineReviewerEntityEdi
 		DisplayName:   "Work reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": work,
 		},
@@ -4362,7 +4345,6 @@ func TestHuhInitPrompterAccessibleConfiguredReviewerHidesInlineReviewerEntityEdi
 		ExistingProfileName:     "work",
 		ExistingProfile:         &work,
 		ExistingProfileNames:    []string{"work"},
-		DefaultProfileName:      "work",
 		ExistingConfig:          cfg,
 		GitScopes:               gitScopes,
 		ProfileGitScopes:        profileGitScopes,
@@ -4393,7 +4375,6 @@ func TestHuhInitPrompterAccessibleConfiguredLLMRuntimeHidesInlineRuntimeEditing(
 	t.Setenv("TERM", "dumb")
 	work := apiKeyProfile("work", config.LLMProviderOpenAI)
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": work,
 		},
@@ -4432,7 +4413,6 @@ func TestHuhInitPrompterAccessibleConfiguredLLMRuntimeHidesInlineRuntimeEditing(
 		ExistingProfileName:     "work",
 		ExistingProfile:         &work,
 		ExistingProfileNames:    []string{"work"},
-		DefaultProfileName:      "work",
 		ExistingConfig:          cfg,
 		GitScopes:               gitScopes,
 		ProfileGitScopes:        profileGitScopes,
@@ -4507,7 +4487,7 @@ func TestHuhInitPrompterAccessibleProfileEditorBootstrapsNewLLMRuntimeWhenNoneCo
 			if len(prompt.Context.LLMRuntimes) != 0 {
 				t.Fatalf("prompt.Context.LLMRuntimes = %#v, want empty first-run bootstrap inventory", prompt.Context.LLMRuntimes)
 			}
-			draft := seedInteractiveInitDraft("default", "", "", nil)
+			draft := seedInteractiveInitDraft("default", "", nil)
 			draft.LLMProvider = string(config.LLMProviderOpenAI)
 			draft.LLMAuth = string(config.LLMAuthSubscription)
 			draft.LLMAdapter = string(config.LLMAdapterCodexCLI)
@@ -4517,7 +4497,6 @@ func TestHuhInitPrompterAccessibleProfileEditorBootstrapsNewLLMRuntimeWhenNoneCo
 
 	draft, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		DefaultProfileName:   "",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
 	})
 	if err != nil {
@@ -4568,7 +4547,6 @@ func TestHuhInitPrompterAccessibleCreateNewProfileFallsBackToFirstConfiguredRunt
 
 	draft, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		DefaultProfileName:   "",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
 		LLMRuntimes: map[string]initLLMRuntimeDraft{
 			"alpha-runtime": {
@@ -4643,10 +4621,8 @@ func TestHuhInitPrompterAccessibleCreateNewProfileStartsFreshSeed(t *testing.T)
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
 		ExistingProfileNames: []string{"work"},
-		DefaultProfileName:   "work",
 		ExistingConfig: config.File{
-			DefaultProfile: "work",
-			Profiles:       map[string]config.Profile{"work": existing},
+			Profiles: map[string]config.Profile{"work": existing},
 		},
 		GitScopes: map[string]initGitScopeDraft{
 			"gitlab-work": initGitScopeDraftFromConfig(existing.Git),
@@ -4670,9 +4646,6 @@ func TestHuhInitPrompterAccessibleCreateNewProfileStartsFreshSeed(t *testing.T)
 	if draft.ProfileName != "new-profile" {
 		t.Fatalf("draft.ProfileName = %q, want non-conflicting create-new profile seed", draft.ProfileName)
 	}
-	if draft.MakeDefault {
-		t.Fatalf("draft.MakeDefault = true, want create-new seed to preserve false selection when an existing default profile is present")
-	}
 	if draft.GitHost != "github.com" || draft.GitAuth != string(config.GitAuthModePAT) {
 		t.Fatalf("git draft = %#v, want fresh defaults for create-new seed", draft)
 	}
@@ -4697,13 +4670,12 @@ func TestHuhInitPrompterAccessibleCreateNewProfileStartsFreshSeed(t *testing.T)
 	}
 }
 
-func TestHuhInitPrompterAccessibleCreateNewProfileDefaultsToMakeDefaultWhenNoDefaultExists(t *testing.T) {
+func TestHuhInitPrompterAccessibleCreateNewProfileOmitsSelectionPrompt(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
 			"", // Profile name
-			"", // Make default: keep seeded yes selection
 			"", // Git scope host
 			"", // Git scope auth mode
 			"", // Reviewer entity
@@ -4737,28 +4709,28 @@ func TestHuhInitPrompterAccessibleCreateNewProfileDefaultsToMakeDefaultWhenNoDef
 
 	draft, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		DefaultProfileName:   "",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
 	})
 	if err != nil {
 		t.Fatalf("Run: %v", err)
 	}
-	if !draft.MakeDefault {
-		t.Fatalf("draft.MakeDefault = false, want no-default interactive flow to preserve seeded true selection")
+	if draft.ProfileName != "default" {
+		t.Fatalf("draft.ProfileName = %q, want requested profile name", draft.ProfileName)
 	}
-	if strings.Contains(stderr.String(), "Yes, make this profile the default") || strings.Contains(stderr.String(), "Default profile") {
-		t.Fatalf("stderr = %q, want profile editor to omit default-profile select copy", stderr.String())
+	staleMakeSelected := "Yes, make this profile the " + "default"
+	staleProfileHeading := "Default " + "profile"
+	if strings.Contains(stderr.String(), staleMakeSelected) || strings.Contains(stderr.String(), staleProfileHeading) {
+		t.Fatalf("stderr = %q, want profile editor to omit removed selection copy", stderr.String())
 	}
 }
 
-func TestHuhInitPrompterAccessibleCreateNewProfileAvoidsExistingDefaultProfileName(t *testing.T) {
+func TestHuhInitPrompterAccessibleCreateNewProfileAvoidsExistingProfileName(t *testing.T) {
 	t.Setenv("TERM", "dumb")
-	existing := basicProfile(credstore.DefaultProfile)
+	existing := basicProfile("default")
 	var stderr bytes.Buffer
 	prompter := huhInitPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
 			"", // Profile name
-			"", // Make default
 			"", // Git host
 			"", // Git auth
 			"", // Reviewer entity
@@ -4784,19 +4756,17 @@ func TestHuhInitPrompterAccessibleCreateNewProfileAvoidsExistingDefaultProfileNa
 	}
 
 	draft, err := prompter.Run(initPromptContext{
-		RequestedProfileName: credstore.DefaultProfile,
-		ExistingProfileName:  credstore.DefaultProfile,
+		RequestedProfileName: "default",
+		ExistingProfileName:  "default",
 		ExistingProfile:      &existing,
-		ExistingProfileNames: []string{credstore.DefaultProfile},
-		DefaultProfileName:   credstore.DefaultProfile,
+		ExistingProfileNames: []string{"default"},
 		ExistingConfig: config.File{
-			DefaultProfile: credstore.DefaultProfile,
-			Profiles:       map[string]config.Profile{credstore.DefaultProfile: existing},
+			Profiles: map[string]config.Profile{"default": existing},
 		},
 		LLMRuntimes: map[string]initLLMRuntimeDraft{
 			"default-runtime": initLLMRuntimeDraftFromConfig(existing.LLM),
 		},
-		ProfileLLMRuntimes: map[string]string{credstore.DefaultProfile: "default-runtime"},
+		ProfileLLMRuntimes: map[string]string{"default": "default-runtime"},
 	})
 	if err != nil {
 		t.Fatalf("Run: %v", err)
@@ -4805,21 +4775,18 @@ func TestHuhInitPrompterAccessibleCreateNewProfileAvoidsExistingDefaultProfileNa
 		t.Fatalf("draft.OriginalProfileName = %q, want blank for create-new seed", draft.OriginalProfileName)
 	}
 	if draft.ProfileName != "new-profile" {
-		t.Fatalf("draft.ProfileName = %q, want create-new seed to avoid existing default profile", draft.ProfileName)
-	}
-	if draft.MakeDefault {
-		t.Fatalf("draft.MakeDefault = true, want existing default profile to remain default")
+		t.Fatalf("draft.ProfileName = %q, want create-new seed to avoid existing suggested-name profile", draft.ProfileName)
 	}
 }
 
 func TestInitCreateProfileSeedNameUsesNextAvailableGeneratedName(t *testing.T) {
 	got := initCreateProfileSeedName(initPromptContext{
-		RequestedProfileName: credstore.DefaultProfile,
-		ExistingProfileNames: []string{credstore.DefaultProfile, "new-profile"},
+		RequestedProfileName: "default",
+		ExistingProfileNames: []string{"default", "new-profile"},
 		ExistingConfig: config.File{
 			Profiles: map[string]config.Profile{
-				credstore.DefaultProfile: {},
-				"new-profile":            {},
+				"default":     {},
+				"new-profile": {},
 			},
 		},
 		PendingProfileDeletes: map[string]initPendingProfileDelete{
@@ -4838,7 +4805,7 @@ func TestProfileEditorSelectionPreservesSelectedReviewerEntityLabel(t *testing.T
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 
 	reviewerEntities := map[string]initReviewerEntityDraft{
 		"work-reviewer": initReviewerEntityDraftFromConfig(existing),
@@ -4875,10 +4842,8 @@ func TestHuhInitPrompterAccessibleCanMarkExistingProfileForDeletion(t *testing.T
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig: config.File{
-			DefaultProfile: "work",
-			Profiles:       map[string]config.Profile{"work": existing},
+			Profiles: map[string]config.Profile{"work": existing},
 		},
 	})
 	if err != nil {
@@ -4951,10 +4916,8 @@ func TestHuhInitPrompterAccessibleCanRestorePendingDeletedProfile(t *testing.T)
 		ExistingProfileName:  "home",
 		ExistingProfile:      &home,
 		ExistingProfileNames: []string{"home"},
-		DefaultProfileName:   "home",
 		ExistingConfig: config.File{
-			DefaultProfile: "home",
-			Profiles:       map[string]config.Profile{"home": home},
+			Profiles: map[string]config.Profile{"home": home},
 		},
 		PendingProfileDeletes: map[string]initPendingProfileDelete{
 			"work": {ProfileName: "work"},
@@ -5066,7 +5029,6 @@ func TestHuhInitReviewerEntityPrompterAccessibleKeepsFallbackSelectedInMixedInve
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -5095,7 +5057,6 @@ func TestHuhInitReviewerEntityPrompterAccessibleKeepsFallbackSelectedInMixedInve
 			RequestedProfileName:    "home",
 			ExistingProfileName:     "home",
 			ExistingProfile:         &home,
-			DefaultProfileName:      "home",
 			ExistingConfig:          cfg,
 			ReviewerEntities:        reviewerEntities,
 			ProfileReviewerEntities: profileReviewerEntities,
@@ -5121,7 +5082,6 @@ func TestHuhInitReviewerEntityPrompterAccessibleConfiguredReviewerRoundTripsInMi
 		CredentialRef: "codereview/custom-work-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -5152,7 +5112,6 @@ func TestHuhInitReviewerEntityPrompterAccessibleConfiguredReviewerRoundTripsInMi
 			RequestedProfileName:    "home",
 			ExistingProfileName:     "home",
 			ExistingProfile:         &home,
-			DefaultProfileName:      "home",
 			ExistingConfig:          cfg,
 			ReviewerEntities:        reviewerEntities,
 			ProfileReviewerEntities: profileReviewerEntities,
@@ -5334,8 +5293,7 @@ func TestHuhInitLLMRuntimePrompterAccessibleConfiguredRuntimeShowsDetails(t *tes
 	t.Setenv("TERM", "dumb")
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5358,7 +5316,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleConfiguredRuntimeShowsDetails(t *tes
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
@@ -5382,8 +5339,7 @@ func TestHuhInitLLMRuntimePrompterAccessibleTemplateShowsDetails(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5407,7 +5363,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleTemplateShowsDetails(t *testing.T) {
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
@@ -5460,7 +5415,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleTemplateShowsAvailabilityNote(t *tes
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if err != nil {
@@ -5503,8 +5457,7 @@ func TestHuhInitLLMRuntimePrompterAccessibleCustomRuntimeShowsCustomFields(t *te
 		Adapter:  config.LLMAdapterAnthropicAPI,
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	var stderr bytes.Buffer
 	prompter := huhInitLLMRuntimePrompter{
@@ -5531,7 +5484,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleCustomRuntimeShowsCustomFields(t *te
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes: map[string]initLLMRuntimeDraft{
 			"claude-cli": {
@@ -5579,7 +5531,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleBackReturnsNavigateBack(t *testing.T
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if !errors.Is(err, errInitNavigateBack) {
@@ -5592,7 +5543,7 @@ func TestHuhInitLLMRuntimePrompterAccessibleBackReturnsNavigateBack(t *testing.T
 
 func TestHuhInitLLMRuntimeDetailsBackDoesNotMutateDraft(t *testing.T) {
 	t.Setenv("TERM", "dumb")
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
 	draft.LLMProvider = string(config.LLMProviderOpenAI)
 	draft.LLMAuth = string(config.LLMAuthSubscription)
 	draft.LLMAdapter = string(config.LLMAdapterCodexCLI)
@@ -5619,8 +5570,7 @@ func TestHuhInitLLMRuntimePrompterAccessibleCanMarkConfiguredRuntimeForDeletion(
 	t.Setenv("TERM", "dumb")
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5646,7 +5596,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleCanMarkConfiguredRuntimeForDeletion(
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
@@ -5669,8 +5618,7 @@ func TestHuhInitLLMRuntimePrompterReplacementChoosesConfiguredTemplate(t *testin
 	t.Setenv("TERM", "dumb")
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5698,11 +5646,10 @@ func TestHuhInitLLMRuntimePrompterReplacementChoosesConfiguredTemplate(t *testin
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
-	}}, "claude-cli", seedInteractiveInitDraft("work", "work", "work", &existing))
+	}}, "claude-cli", seedInteractiveInitDraft("work", "work", &existing))
 	if err != nil {
 		t.Fatalf("chooseLLMRuntimeDeleteReplacement: %v", err)
 	}
@@ -5718,8 +5665,7 @@ func TestHuhInitLLMRuntimePrompterReplacementBackExcludesDeletedRuntime(t *testi
 	t.Setenv("TERM", "dumb")
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5735,11 +5681,10 @@ func TestHuhInitLLMRuntimePrompterReplacementBackExcludesDeletedRuntime(t *testi
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
-	}}, "claude-cli", seedInteractiveInitDraft("work", "work", "work", &existing))
+	}}, "claude-cli", seedInteractiveInitDraft("work", "work", &existing))
 	if !errors.Is(err, errInitNavigateBack) {
 		t.Fatalf("chooseLLMRuntimeDeleteReplacement error = %v, want errInitNavigateBack", err)
 	}
@@ -5777,7 +5722,6 @@ func TestHuhInitLLMRuntimePrompterAccessibleCanRestorePendingDeletedRuntime(t *t
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 		LLMRuntimes:          map[string]initLLMRuntimeDraft{},
 		PendingLLMRuntimeDeletes: map[string]initPendingLLMRuntimeDelete{
@@ -5798,8 +5742,7 @@ func TestHuhInitLLMRuntimePrompterAccessibleCanRestorePendingDeletedRuntime(t *t
 func TestHuhInitLLMRuntimePrompterDefaultUsesLinearRuntimeFlow(t *testing.T) {
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5823,7 +5766,6 @@ func TestHuhInitLLMRuntimePrompterDefaultUsesLinearRuntimeFlow(t *testing.T) {
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
@@ -5862,8 +5804,7 @@ func TestHuhInitLLMRuntimePrompterDefaultUsesLinearRuntimeFlow(t *testing.T) {
 func TestHuhInitLLMRuntimePrompterDefaultCanDeleteWithInlineReplacement(t *testing.T) {
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	var stderr bytes.Buffer
@@ -5916,7 +5857,6 @@ func TestHuhInitLLMRuntimePrompterDefaultCanDeleteWithInlineReplacement(t *testi
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
@@ -5942,20 +5882,18 @@ func TestHuhInitLLMRuntimePrompterDefaultCanDeleteWithInlineReplacement(t *testi
 func TestInitLLMRuntimeLinearEditorRejectsCustomDeleteReplacementMatchingDeleted(t *testing.T) {
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	ctx := initPromptContext{
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
 	}
-	seed := seedInteractiveInitDraft(ctx.RequestedProfileName, ctx.ExistingProfileName, ctx.DefaultProfileName, ctx.ExistingProfile)
+	seed := seedInteractiveInitDraft(ctx.RequestedProfileName, ctx.ExistingProfileName, ctx.ExistingProfile)
 	model := newInitLinearEditorModel(initLLMRuntimeLinearEditor(ctx, seed, func(initLLMRuntimePreset) string { return "" }), 160, 60)
 	model = focusInitLinearField(t, model, initLLMRuntimeFieldSelection)
 
@@ -6001,20 +5939,18 @@ func TestInitLLMRuntimeLinearEditorRejectsCustomDeleteReplacementMatchingDeleted
 func TestInitLLMRuntimeLinearEditorChangingSelectionResetsDeleteMode(t *testing.T) {
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	ctx := initPromptContext{
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
 	}
-	seed := seedInteractiveInitDraft(ctx.RequestedProfileName, ctx.ExistingProfileName, ctx.DefaultProfileName, ctx.ExistingProfile)
+	seed := seedInteractiveInitDraft(ctx.RequestedProfileName, ctx.ExistingProfileName, ctx.ExistingProfile)
 	model := newInitLinearEditorModel(initLLMRuntimeLinearEditor(ctx, seed, func(initLLMRuntimePreset) string { return "" }), 160, 60)
 	model = focusInitLinearField(t, model, initLLMRuntimeFieldSelection)
 
@@ -6061,8 +5997,7 @@ func TestHuhInitLLMRuntimePrompterDefaultPreservesConfiguredAPIKeyRuntimeRef(t *
 		CredentialRef: "codereview/custom-openai",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	}
 	llmRuntimes, profileLLMRuntimes := buildInitLLMRuntimeInventory(cfg)
 	prompter := huhInitLLMRuntimePrompter{
@@ -6074,7 +6009,6 @@ func TestHuhInitLLMRuntimePrompterDefaultPreservesConfiguredAPIKeyRuntimeRef(t *
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		LLMRuntimes:          llmRuntimes,
 		ProfileLLMRuntimes:   profileLLMRuntimes,
@@ -6110,7 +6044,6 @@ func TestHuhInitReviewerEntityPrompterAccessibleBackReturnsNavigateBack(t *testi
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if !errors.Is(err, errInitNavigateBack) {
@@ -6147,7 +6080,6 @@ func TestHuhInitReviewerEntityPrompterAccessibleChoiceShowsDetails(t *testing.T)
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if err != nil {
@@ -6197,7 +6129,6 @@ func TestHuhInitReviewerEntityPrompterNewTemplateDoesNotInheritCustomSecretLocat
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if err != nil {
@@ -6218,7 +6149,7 @@ func TestHuhInitReviewerEntityPrompterNewTemplateDoesNotInheritCustomSecretLocat
 }
 
 func TestFinalizeReviewerEntityEditorDraftPersistsCustomSecretLocation(t *testing.T) {
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
 	finalizeReviewerEntityEditorDraft(
 		&draft,
 		"",
@@ -6280,7 +6211,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerCustomSecretLocationPersis
 		CredentialRef: "codereview/custom-work-reviewer",
 		DisplayName:   "Old reviewer",
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
 		stderr:       &stderr,
@@ -6315,7 +6246,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerFallbackSeedDoesNotPersist
 		AuthMode:      config.GitAuthModeGitHubApp,
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
 		stderr:       &stderr,
@@ -6342,7 +6273,7 @@ func TestHuhInitReviewerEntityPrompterAccessibleShowsSeededDisplayNamePrompt(t *
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 	draft.ReviewerCredentialRef = "codereview/work-reviewer"
@@ -6375,7 +6306,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerCanEditLabel(t *testing.T)
 		AuthMode:      config.GitAuthModeGitHubApp,
 		CredentialRef: "codereview/work-reviewer",
 	}
-	draft := seedInteractiveInitDraft("work", "work", "work", &existing)
+	draft := seedInteractiveInitDraft("work", "work", &existing)
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
 		stderr: &stderr,
@@ -6431,7 +6362,6 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if err != nil {
@@ -6452,7 +6382,7 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 		"Entity label",
 		"Reviewer secret location",
 		"Reviewer credential status",
-		"This is a credential-store ref, not a PAT",
+		"This is a credential name, not a PAT",
 		credentials.GitTokenKey,
 		"staged",
 		"Reviewer credential values",
@@ -6502,7 +6432,6 @@ func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCo
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}})
 	if err != nil {
@@ -6521,8 +6450,8 @@ func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCo
 	for _, want := range []string{
 		"GitHub App reviewer. Required credential keys",
 		"Reviewer secret location",
-		"credential-store ref",
-		"This is a credential-store ref, not a PAT",
+		"Credential name for this reviewer",
+		"This is a credential name, not a PAT",
 		"Reviewer credential status",
 		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
@@ -6554,10 +6483,9 @@ func TestReviewerEntityLinearEditorNewLabelDerivesDefaultSecretLocation(t *testi
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &existing)
+	seed := seedInteractiveInitDraft("work", "work", &existing)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 
@@ -6572,7 +6500,7 @@ func TestReviewerEntityLinearEditorNewLabelDerivesDefaultSecretLocation(t *testi
 		t.Fatalf("secret location = %q, want label-derived %q", got, want)
 	}
 	status := model.document[model.document.fieldIndexByID(initReviewerEntityFieldCredentialStatus)].Description
-	if !strings.Contains(status, "Destination: codereview/rianjs-bot-reviewer") {
+	if !strings.Contains(status, "Destination: "+initBuiltInOSCredentialStoreTitle()+" / codereview/rianjs-bot-reviewer") {
 		t.Fatalf("status = %q, want label-derived destination", status)
 	}
 	if !strings.Contains(status, credentials.GitHubAppIDKey) || !strings.Contains(status, string(initReviewerCredentialKeyMissing)) || strings.Contains(status, string(initReviewerCredentialKeyUnavailable)) {
@@ -6586,10 +6514,9 @@ func TestReviewerEntityLinearEditorManualSecretLocationStopsLabelDerivedUpdates(
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &existing)
+	seed := seedInteractiveInitDraft("work", "work", &existing)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindPAT))
 
@@ -6620,21 +6547,19 @@ func TestReviewerEntityLinearEditorExistingReviewerLabelDoesNotMigrateRef(t *tes
 		DisplayName:   "Old label",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": profile},
+		Profiles: map[string]config.Profile{"work": profile},
 	}
 	entities, profileEntities := buildInitReviewerEntityInventory(cfg)
 	profileCopy := profile
 	ctx := initPromptContext{
 		RequestedProfileName:    "work",
 		ExistingProfileName:     "work",
-		DefaultProfileName:      "work",
 		ExistingProfile:         &profileCopy,
 		ExistingConfig:          cfg,
 		ReviewerEntities:        entities,
 		ProfileReviewerEntities: profileEntities,
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &profile)
+	seed := seedInteractiveInitDraft("work", "work", &profile)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 
 	model.setFieldValue(initReviewerEntityFieldLabel, "rianjs-bot")
@@ -6656,7 +6581,7 @@ func TestReviewerEntityExistingReviewerChangedRefRequiresInlineSecrets(t *testin
 		CredentialRef: "codereview/existing-reviewer",
 		DisplayName:   "Existing reviewer",
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &profile)
+	seed := seedInteractiveInitDraft("work", "work", &profile)
 	state, err := newReviewerEntityEditorState(initReviewerEntityDraft{
 		Kind:          initReviewerEntityKindPAT,
 		AuthMode:      config.GitAuthModePAT,
@@ -6710,15 +6635,13 @@ func TestReviewerEntityExistingReviewerChangedRefRequiresInlineSecretsWhenStatus
 		DisplayName:   "Existing reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": profile},
+		Profiles: map[string]config.Profile{"work": profile},
 	}
 	entities, profileEntities := buildInitReviewerEntityInventory(cfg)
 	profileCopy := profile
 	ctx := initPromptContext{
 		RequestedProfileName:    "work",
 		ExistingProfileName:     "work",
-		DefaultProfileName:      "work",
 		ExistingProfile:         &profileCopy,
 		ExistingConfig:          cfg,
 		ReviewerEntities:        entities,
@@ -6737,7 +6660,7 @@ func TestReviewerEntityExistingReviewerChangedRefRequiresInlineSecretsWhenStatus
 			}},
 		}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &profile)
+	seed := seedInteractiveInitDraft("work", "work", &profile)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model.setFieldValue(initReviewerEntityFieldSecretLocation, "codereview/new-reviewer")
 	model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldSecretLocation))
@@ -6767,10 +6690,9 @@ func TestReviewerEntityLinearEditorGitHubAppRequiresInlineSecretsBeforeStaging(t
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &existing)
+	seed := seedInteractiveInitDraft("work", "work", &existing)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 	model.setFieldValue(initReviewerEntityFieldLabel, "rianjs-bot")
@@ -6838,7 +6760,6 @@ func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOver
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 		ReviewerCredentialStatuses: []initReviewerCredentialStatus{{
 			Ref: config.CredentialRef{
@@ -6853,7 +6774,7 @@ func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOver
 			},
 		}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &existing)
+	seed := seedInteractiveInitDraft("work", "work", &existing)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 	model.setFieldValue(initReviewerEntityFieldLabel, "rianjs-bot")
@@ -6881,7 +6802,6 @@ func TestReviewerEntityLinearEditorManualRefDoesNotMarkUnavailableStatusAsOverwr
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 		ReviewerCredentialStatuses: []initReviewerCredentialStatus{{
 			Ref: config.CredentialRef{
@@ -6896,7 +6816,7 @@ func TestReviewerEntityLinearEditorManualRefDoesNotMarkUnavailableStatusAsOverwr
 			},
 		}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &existing)
+	seed := seedInteractiveInitDraft("work", "work", &existing)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 	model.setFieldValue(initReviewerEntityFieldSecretLocation, "codereview/manual-reviewer")
@@ -6924,7 +6844,6 @@ func TestReviewerEntityLinearEditorLabelDerivedRefPreservesBackendUnavailableSta
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 		ReviewerCredentialStatuses: []initReviewerCredentialStatus{{
 			Ref: config.CredentialRef{
@@ -6940,14 +6859,14 @@ func TestReviewerEntityLinearEditorLabelDerivedRefPreservesBackendUnavailableSta
 			},
 		}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &existing)
+	seed := seedInteractiveInitDraft("work", "work", &existing)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 120, 40)
 	model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 	model.setFieldValue(initReviewerEntityFieldLabel, "rianjs-bot")
 	model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldLabel))
 
 	status := model.document[model.document.fieldIndexByID(initReviewerEntityFieldCredentialStatus)].Description
-	if !strings.Contains(status, "Destination: codereview/rianjs-bot-reviewer") ||
+	if !strings.Contains(status, "Destination: "+initBuiltInOSCredentialStoreTitle()+" / codereview/rianjs-bot-reviewer") ||
 		!strings.Contains(status, "credential backend status unavailable") ||
 		!strings.Contains(status, string(initReviewerCredentialKeyUnavailable)) {
 		t.Fatalf("status = %q, want label-derived ref to preserve backend-unavailable state", status)
@@ -6964,15 +6883,13 @@ func TestHuhInitReviewerEntityStatusUpdatesWhenSecretLocationChanges(t *testing.
 		CredentialRef: "codereview/old-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": profile},
+		Profiles: map[string]config.Profile{"work": profile},
 	}
 	entities, profileEntities := buildInitReviewerEntityInventory(cfg)
 	profileCopy := profile
 	ctx := initPromptContext{
 		RequestedProfileName:    "work",
 		ExistingProfileName:     "work",
-		DefaultProfileName:      "work",
 		ExistingProfile:         &profileCopy,
 		ExistingConfig:          cfg,
 		ReviewerEntities:        entities,
@@ -6990,7 +6907,7 @@ func TestHuhInitReviewerEntityStatusUpdatesWhenSecretLocationChanges(t *testing.
 			}},
 		}},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", &profile)
+	seed := seedInteractiveInitDraft("work", "work", &profile)
 	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, seed), 180, 60)
 	statusIndex := model.document.fieldIndexByID(initReviewerEntityFieldCredentialStatus)
 	if statusIndex < 0 {
@@ -7009,7 +6926,7 @@ func TestHuhInitReviewerEntityStatusUpdatesWhenSecretLocationChanges(t *testing.
 	model.afterFieldChange(locationIndex)
 
 	updated := model.document[statusIndex].Description
-	for _, want := range []string{"Destination: codereview/new-reviewer", "credential backend status unavailable", credentials.GitTokenKey, string(initReviewerCredentialKeyUnavailable)} {
+	for _, want := range []string{"Destination: " + initBuiltInOSCredentialStoreTitle() + " / codereview/new-reviewer", "credential backend status unavailable", credentials.GitTokenKey, string(initReviewerCredentialKeyUnavailable)} {
 		if !strings.Contains(updated, want) {
 			t.Fatalf("updated status = %q, want %q", updated, want)
 		}
@@ -7021,7 +6938,7 @@ func TestHuhInitReviewerEntityStatusUpdatesWhenSecretLocationChanges(t *testing.
 
 func TestHuhInitReviewerEntityDetailsBackDoesNotMutateDraft(t *testing.T) {
 	t.Setenv("TERM", "dumb")
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
 	want := draft
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
@@ -7046,7 +6963,7 @@ func TestHuhInitReviewerEntityDetailsBackDoesNotMutateDraft(t *testing.T) {
 
 func TestHuhInitReviewerEntityDetailsGitHubAppShowsCredentialBundleCopy(t *testing.T) {
 	t.Setenv("TERM", "dumb")
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
 	var stderr bytes.Buffer
 	privateKey := testReviewerGitHubAppPrivateKey()
 	prompter := huhInitReviewerEntityPrompter{
@@ -7077,8 +6994,8 @@ func TestHuhInitReviewerEntityDetailsGitHubAppShowsCredentialBundleCopy(t *testi
 	for _, want := range []string{
 		"GitHub App reviewer. Required credential keys",
 		"Reviewer secret location",
-		"credential-store ref",
-		"This is a credential-store ref, not a PAT",
+		"Credential name for this reviewer",
+		"This is a credential name, not a PAT",
 		"Reviewer credential values",
 		"GitHub App ID",
 		"GitHub App private key",
@@ -7100,7 +7017,8 @@ func TestHuhInitReviewerEntityDetailsGitHubAppShowsCredentialBundleCopy(t *testi
 
 func TestHuhInitReviewerEntityDetailsPreservesPromptContextCredentialStore(t *testing.T) {
 	t.Setenv("TERM", "dumb")
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
+	draft.ReviewerCredentialStore = "work-file"
 	resolved := credentials.ResolvedSecretsProfile{
 		ID:      "work-file",
 		Label:   "Work file",
@@ -7108,9 +7026,20 @@ func TestHuhInitReviewerEntityDetailsPreservesPromptContextCredentialStore(t *te
 		Backend: string(credstore.BackendFile),
 	}
 	ctx := initPromptContext{
+		ExistingConfig: config.File{
+			Secrets: config.SecretsConfig{
+				Stores: map[string]config.SecretsStore{
+					"work-file": {
+						DisplayName: "Work file",
+						Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+					},
+				},
+			},
+		},
 		ReviewerCredentialStatuses: []initReviewerCredentialStatus{{
 			Ref: config.CredentialRef{
 				Purpose: "reviewer_credentials",
+				Store:   "work-file",
 				Ref:     "codereview/work-reviewer",
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
@@ -7145,7 +7074,7 @@ func TestHuhInitReviewerEntityDetailsPreservesPromptContextCredentialStore(t *te
 
 func TestHuhInitReviewerEntityDetailsAccessibleHidesSecretLocationForGitIdentity(t *testing.T) {
 	t.Setenv("TERM", "dumb")
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
 		stderr:       &stderr,
@@ -7169,7 +7098,7 @@ func TestHuhInitReviewerEntityDetailsAccessibleHidesSecretLocationForGitIdentity
 }
 
 func TestInitInventorySelectionsApplyToDraft(t *testing.T) {
-	draft := seedInteractiveInitDraft("default", "", "", nil)
+	draft := seedInteractiveInitDraft("default", "", nil)
 	gitScopes := map[string]initGitScopeDraft{
 		"gitlab-work": {
 			Name:          "gitlab-work",
@@ -7213,7 +7142,7 @@ func TestInitInventorySelectionsApplyToDraft(t *testing.T) {
 }
 
 func TestCustomLLMRuntimeSelectionUsesEditedProviderAuthAndAdapter(t *testing.T) {
-	draft := seedInteractiveInitDraft("work", "work", "work", nil)
+	draft := seedInteractiveInitDraft("work", "work", nil)
 	draft.LLMProvider = string(config.LLMProviderOpenAI)
 	draft.LLMAuth = string(config.LLMAuthAPIKey)
 	draft.LLMAdapter = string(config.LLMAdapterOpenAIAPI)
@@ -7302,7 +7231,7 @@ func TestInitProfileEditorLLMRuntimeSelectionPrefersMatchingDraftRuntime(t *test
 			Adapter:  config.LLMAdapterCodexCLI,
 		},
 	}
-	draft := seedInteractiveInitDraft("default", "", "", nil)
+	draft := seedInteractiveInitDraft("default", "", nil)
 	draft.LLMProvider = string(config.LLMProviderOpenAI)
 	draft.LLMAuth = string(config.LLMAuthSubscription)
 	draft.LLMAdapter = string(config.LLMAdapterCodexCLI)
@@ -7335,7 +7264,7 @@ func TestInitProfileEditorLLMRuntimeSelectionFallsBackToFirstConfiguredRuntimeWi
 			CredentialRef: "codereview/zeta-llm",
 		},
 	}
-	draft := seedInteractiveInitDraft("default", "", "", nil)
+	draft := seedInteractiveInitDraft("default", "", nil)
 
 	options, selected := initProfileEditorLLMRuntimeSelection(runtimes, "", draft)
 	if got, want := selected, "alpha-runtime"; got != want {
@@ -7386,7 +7315,7 @@ func TestInitProfileEditorSecretsProfileSelectionKeepsBrokenReferenceSelectable(
 		},
 	}
 	existing := basicProfile("work")
-	options, selected := initProfileEditorSecretsProfileSelection(profiles, "missing-vault", "missing-vault", "Use built-in default (Legacy default)", seedInteractiveInitDraft("work", "work", "work", &existing))
+	options, selected := initProfileEditorSecretsProfileSelection(profiles, "missing-vault", "missing-vault", "Use built-in default (Legacy default)", seedInteractiveInitDraft("work", "work", &existing))
 	if got, want := selected, initMissingSecretsProfileSelection("missing-vault"); got != want {
 		t.Fatalf("selected = %q, want missing-selection sentinel %q", got, want)
 	}
@@ -7430,115 +7359,28 @@ func TestApplySecretsProfileSelection(t *testing.T) {
 	}
 }
 
-func TestLoadConfigForInitRecoversMissingSecretsProfileReference(t *testing.T) {
-	path := filepath.Join(t.TempDir(), "config.yml")
-	cfg := config.Normalize(config.File{
-		DefaultProfile: "work",
-		Profiles: map[string]config.Profile{
-			"work": func() config.Profile {
-				profile := basicProfile("work")
-				profile.SecretsProfile = "missing-vault"
-				return profile
-			}(),
-		},
-	})
-	body, err := yaml.Marshal(cfg)
-	if err != nil {
-		t.Fatalf("yaml.Marshal: %v", err)
-	}
-	if err := os.WriteFile(path, body, 0o600); err != nil {
-		t.Fatalf("WriteFile: %v", err)
-	}
-
-	recovered, existed, err := loadConfigForInit(path)
-	if err != nil {
-		t.Fatalf("loadConfigForInit: %v", err)
-	}
-	if !existed {
-		t.Fatal("existed = false, want true")
-	}
-	if got := recovered.Profiles["work"].SecretsProfile; got != "missing-vault" {
-		t.Fatalf("recovered secrets_profile = %q, want missing-vault", got)
-	}
-	if err := config.Validate(recovered); !errors.Is(err, config.ErrSecretsProfileNotFound) {
-		t.Fatalf("Validate(recovered) error = %v, want ErrSecretsProfileNotFound", err)
-	}
-}
-
-func TestBuildNonInteractiveInitPlanRejectsMissingSecretsProfileReference(t *testing.T) {
-	path := filepath.Join(t.TempDir(), "config.yml")
-	cfg := config.Normalize(config.File{
-		DefaultProfile: "work",
-		Profiles: map[string]config.Profile{
-			"work": func() config.Profile {
-				profile := basicProfile("work")
-				profile.SecretsProfile = "missing-vault"
-				return profile
-			}(),
-		},
-	})
-	body, err := yaml.Marshal(cfg)
-	if err != nil {
-		t.Fatalf("yaml.Marshal: %v", err)
-	}
-	if err := os.WriteFile(path, body, 0o600); err != nil {
-		t.Fatalf("WriteFile: %v", err)
-	}
-
-	opts := &root.Options{ConfigPath: path}
-	flags := initOptions{
-		nonInteractive: true,
-		gitHost:        "github.com",
-		gitAuth:        string(config.GitAuthModePAT),
-		reviewerAuth:   string(config.GitAuthModePAT),
-		llmProvider:    string(config.LLMProviderAnthropic),
-		llmAuth:        string(config.LLMAuthSubscription),
-		llmAdapter:     string(config.LLMAdapterClaudeCLI),
-		majorEvent:     string(config.ReviewMajorEventComment),
-	}
-	_, err = buildNonInteractiveInitPlan(&cobra.Command{}, opts, flags, defaultInitDeps())
-	if !errors.Is(err, config.ErrSecretsProfileNotFound) {
-		t.Fatalf("buildNonInteractiveInitPlan error = %v, want ErrSecretsProfileNotFound", err)
-	}
-}
-
 func TestValidateInteractiveInitConfigDoesNotMaskUnrelatedInvalidState(t *testing.T) {
 	cfg := config.Normalize(config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "bogus"},
+		Secrets: config.SecretsConfig{
+			Stores: map[string]config.SecretsStore{
+				"broken": {
+					Backend: config.SecretsStoreBackend{Kind: "bogus"},
+				},
+			},
+		},
 		Profiles: map[string]config.Profile{
-			"work": func() config.Profile {
-				profile := basicProfile("work")
-				profile.SecretsProfile = "missing-vault"
-				return profile
-			}(),
+			"work": basicProfile("work"),
 		},
 	})
 	err := validateInteractiveInitConfig(cfg)
 	if err == nil {
-		t.Fatal("validateInteractiveInitConfig error = nil, want invalid keyring backend")
+		t.Fatal("validateInteractiveInitConfig error = nil, want invalid store backend")
 	}
-	if !strings.Contains(err.Error(), `keyring.backend "bogus"`) {
+	if !strings.Contains(err.Error(), `secrets.stores.broken.backend.kind "bogus"`) {
 		t.Fatalf("validateInteractiveInitConfig error = %v, want unrelated invalid state preserved", err)
 	}
 }
 
-func TestValidateInteractiveInitConfigAllowsOnlyMissingSecretsProfile(t *testing.T) {
-	cfg := config.Normalize(config.File{
-		DefaultProfile: "work",
-		Profiles: map[string]config.Profile{
-			"work": func() config.Profile {
-				profile := basicProfile("work")
-				profile.SecretsProfile = "missing-vault"
-				return profile
-			}(),
-		},
-	})
-	if err := validateInteractiveInitConfig(cfg); err != nil {
-		t.Fatalf("validateInteractiveInitConfig error = %v, want nil for interactive recovery", err)
-	}
-}
-
 func TestHuhInitSecretPrompterAccessibleNamesSelectedSecretsProfile(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
@@ -7561,7 +7403,7 @@ func TestHuhInitSecretPrompterAccessibleNamesSelectedSecretsProfile(t *testing.T
 		t.Fatalf("ChooseCredentialAction: %v", err)
 	}
 	if got := stderr.String(); !strings.Contains(got, "via Team Vault") {
-		t.Fatalf("stderr = %q, want selected secrets-management profile in prompt title", got)
+		t.Fatalf("stderr = %q, want selected credential-store context in prompt title", got)
 	}
 }
 
@@ -7584,7 +7426,7 @@ func TestWriteInitCredentialPlanHintsNamesSelectedSecretsProfile(t *testing.T) {
 		t.Fatalf("writeInitCredentialPlanHints: %v", err)
 	}
 	if got := out.String(); !strings.Contains(got, "Next via Team Vault:") {
-		t.Fatalf("hint output = %q, want selected secrets-management profile context", got)
+		t.Fatalf("hint output = %q, want selected credential-store context", got)
 	}
 }
 
@@ -7600,7 +7442,7 @@ func TestInitCredentialReadinessNoteNamesSelectedSecretsProfile(t *testing.T) {
 		State: initCredentialPlanStateDefer,
 	})
 	if !strings.Contains(note, "Git via Team Vault deferred") {
-		t.Fatalf("note = %q, want named selected secrets-management profile", note)
+		t.Fatalf("note = %q, want named selected credential-store context", note)
 	}
 	if strings.Contains(note, "required:") {
 		t.Fatalf("note = %q, want single-key deferred credentials to keep concise readiness copy", note)
@@ -7682,7 +7524,6 @@ func TestInitProfileReadinessLineIncludesNotes(t *testing.T) {
 
 func TestBuildInteractiveInitWorkspaceRepairsBrokenSecretsProfileSelection(t *testing.T) {
 	cfg := config.Normalize(config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": func() config.Profile {
 				profile := basicProfile("work")
@@ -7692,7 +7533,7 @@ func TestBuildInteractiveInitWorkspaceRepairsBrokenSecretsProfileSelection(t *te
 		},
 	})
 	profile := cfg.Profiles["work"]
-	draft := seedInteractiveInitDraft("work", "work", "work", &profile)
+	draft := seedInteractiveInitDraft("work", "work", &profile)
 	applySecretsProfileSelection(&draft, initSecretsProfileDefaultSelection)
 
 	workspace, err := buildInteractiveInitWorkspace(&cobra.Command{}, &root.Options{}, initOptions{}, initDeps{}, filepath.Join(t.TempDir(), "config.yml"), cfg, draft)
@@ -7706,7 +7547,6 @@ func TestBuildInteractiveInitWorkspaceRepairsBrokenSecretsProfileSelection(t *te
 
 func TestBuildInteractiveInitWorkspaceRepairsBrokenSecretsProfileToConfiguredProfile(t *testing.T) {
 	cfg := config.Normalize(config.File{
-		DefaultProfile: "work",
 		Secrets: config.SecretsConfig{
 			Profiles: map[string]config.SecretsProfile{
 				"team-vault": {
@@ -7724,7 +7564,7 @@ func TestBuildInteractiveInitWorkspaceRepairsBrokenSecretsProfileToConfiguredPro
 		},
 	})
 	profile := cfg.Profiles["work"]
-	draft := seedInteractiveInitDraft("work", "work", "work", &profile)
+	draft := seedInteractiveInitDraft("work", "work", &profile)
 	applySecretsProfileSelection(&draft, "team-vault")
 
 	workspace, err := buildInteractiveInitWorkspace(&cobra.Command{}, &root.Options{}, initOptions{}, initDeps{}, filepath.Join(t.TempDir(), "config.yml"), cfg, draft)
@@ -7752,15 +7592,14 @@ func TestRunInitWithDepsDeferredHintsUseSelectedSecretsProfile(t *testing.T) {
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
-				ProfileName:      "work",
-				MakeDefault:      true,
-				GitHost:          "github.com",
-				GitAuth:          string(config.GitAuthModePAT),
-				GitCredentialRef: "codereview/work",
-				SecretsProfile:   "team-vault",
-				LLMProvider:      string(config.LLMProviderAnthropic),
-				LLMAuth:          string(config.LLMAuthSubscription),
-				LLMAdapter:       string(config.LLMAdapterClaudeCLI),
+				ProfileName:        "work",
+				GitHost:            "github.com",
+				GitAuth:            string(config.GitAuthModePAT),
+				GitCredentialStore: "team-vault",
+				GitCredentialRef:   "codereview/work",
+				LLMProvider:        string(config.LLMProviderAnthropic),
+				LLMAuth:            string(config.LLMAuthSubscription),
+				LLMAdapter:         string(config.LLMAdapterClaudeCLI),
 			}, nil
 		}),
 		configPath: func(*root.Options) (string, error) { return path, nil },
@@ -7768,10 +7607,10 @@ func TestRunInitWithDepsDeferredHintsUseSelectedSecretsProfile(t *testing.T) {
 			return config.File{
 				Profiles: map[string]config.Profile{},
 				Secrets: config.SecretsConfig{
-					Profiles: map[string]config.SecretsProfile{
+					Stores: map[string]config.SecretsStore{
 						"team-vault": {
-							Label:   "Team Vault",
-							Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+							DisplayName: "Team Vault",
+							Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
 						},
 					},
 				},
@@ -7786,14 +7625,13 @@ func TestRunInitWithDepsDeferredHintsUseSelectedSecretsProfile(t *testing.T) {
 	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
-	if got := stderr.String(); !strings.Contains(got, "Next via Team Vault: cr set-credential --ref codereview/work --key "+credentials.GitTokenKey+" --stdin") {
-		t.Fatalf("stderr = %q, want deferred hint naming the selected secrets-management profile", got)
+	if got := stderr.String(); !strings.Contains(got, "Next via Team Vault: cr set-credential --store team-vault --name codereview/work --key "+credentials.GitTokenKey+" --stdin") {
+		t.Fatalf("stderr = %q, want deferred hint naming the selected credential store", got)
 	}
 }
 
 func TestBuildInteractiveInitWorkspaceAllowsRepairWhileAnotherProfileStillHasBrokenSecretsProfile(t *testing.T) {
 	cfg := config.Normalize(config.File{
-		DefaultProfile: "home",
 		Secrets: config.SecretsConfig{
 			Profiles: map[string]config.SecretsProfile{
 				"team-vault": {
@@ -7812,7 +7650,7 @@ func TestBuildInteractiveInitWorkspaceAllowsRepairWhileAnotherProfileStillHasBro
 		},
 	})
 	home := cfg.Profiles["home"]
-	draft := seedInteractiveInitDraft("home", "home", "home", &home)
+	draft := seedInteractiveInitDraft("home", "home", &home)
 	applySecretsProfileSelection(&draft, "team-vault")
 
 	workspace, err := buildInteractiveInitWorkspace(&cobra.Command{}, &root.Options{}, initOptions{}, initDeps{}, filepath.Join(t.TempDir(), "config.yml"), cfg, draft)
@@ -7829,13 +7667,13 @@ func TestHuhInitPrompterAccessibleAdvancedStorageLabelsExposeRefInputs(t *testin
 	existing := basicProfile("work")
 	existing.Git.CredentialRef = "codereview/work"
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModePAT,
-		CredentialRef: "codereview/shared-reviewer",
+		AuthMode:   config.GitAuthModePAT,
+		Credential: config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-reviewer"},
 	}
 	existing.LLM.Provider = config.LLMProviderAnthropic
 	existing.LLM.Auth = config.LLMAuthAPIKey
 	existing.LLM.Adapter = config.LLMAdapterAnthropicAPI
-	existing.LLM.CredentialRef = "codereview/shared-llm"
+	existing.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/shared-llm"}
 	runtimes := map[string]initLLMRuntimeDraft{
 		"anthropic-runtime": {
 			Name:          "anthropic-runtime",
@@ -7865,9 +7703,10 @@ func TestHuhInitPrompterAccessibleAdvancedStorageLabelsExposeRefInputs(t *testin
 			"", // LLM runtime
 			"", // Reviewer model tier
 			"", // Repository routes
-			"", // Git storage label
-			"", // Reviewer storage label
-			"", // LLM storage label
+			"", // LLM credential store
+			"", // LLM credential name
+			"", // Git credential store
+			"", // Git credential name
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -7888,8 +7727,7 @@ func TestHuhInitPrompterAccessibleAdvancedStorageLabelsExposeRefInputs(t *testin
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
-		DefaultProfileName:   "work",
-		ExistingConfig:       config.File{DefaultProfile: "work", Profiles: map[string]config.Profile{"work": existing}},
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 		ReviewerEntities:     reviewerEntities,
 		ProfileReviewerEntities: map[string]string{
 			"work": "pat-reviewer",
@@ -7906,14 +7744,17 @@ func TestHuhInitPrompterAccessibleAdvancedStorageLabelsExposeRefInputs(t *testin
 	if strings.Contains(out, "Storage label handling") || strings.Contains(out, "Customize storage labels (advanced)") {
 		t.Fatalf("wizard output still shows legacy storage label mode prompt: %q", out)
 	}
-	if !strings.Contains(out, "Git secrets storage label") {
-		t.Fatalf("wizard output missing inline Git storage label prompt: %q", out)
+	if !strings.Contains(out, "Git credentials") || !strings.Contains(out, "Git credential store") || !strings.Contains(out, "Git credential name") {
+		t.Fatalf("wizard output missing inline Git credential prompts: %q", out)
 	}
-	if strings.Contains(out, "Reviewer storage label") || strings.Contains(out, "LLM storage label") {
-		t.Fatalf("wizard output exposed reviewer/LLM storage labels in profile editor: %q", out)
+	if !strings.Contains(out, "LLM API key credentials") || !strings.Contains(out, "LLM credential store") || !strings.Contains(out, "LLM credential name") {
+		t.Fatalf("wizard output missing inline LLM credential prompts for API-key runtime: %q", out)
 	}
-	if !strings.Contains(out, "Useful for advanced deployment scenarios. Leave unchanged if you're unsure.") {
-		t.Fatalf("wizard output missing advanced Git storage-label guidance: %q", out)
+	if strings.Contains(out, "Reviewer storage label") || strings.Contains(out, "LLM storage label") || strings.Contains(out, "Git secrets storage label") {
+		t.Fatalf("wizard output exposed legacy storage-label copy: %q", out)
+	}
+	if !strings.Contains(out, "credential name is the full codereview/... path written to the selected store") {
+		t.Fatalf("wizard output missing explicit credential-name guidance: %q", out)
 	}
 	if draft.AdvancedStorageLabels {
 		t.Fatalf("draft.AdvancedStorageLabels = true, want false when the flattened fields keep their selected defaults")
@@ -7924,7 +7765,6 @@ func TestHuhInitPrompterAccessibleStorageLabelsDefaultSkipPath(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	work := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": work,
 		},
@@ -7941,7 +7781,8 @@ func TestHuhInitPrompterAccessibleStorageLabelsDefaultSkipPath(t *testing.T) {
 			"", // LLM runtime
 			"", // Reviewer model tier
 			"", // Repository routes
-			"", // Git storage label
+			"", // Git credential store
+			"", // Git credential name
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -7962,7 +7803,6 @@ func TestHuhInitPrompterAccessibleStorageLabelsDefaultSkipPath(t *testing.T) {
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &work,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		GitScopes:            gitScopes,
 		ProfileGitScopes:     profileGitScopes,
@@ -7976,8 +7816,8 @@ func TestHuhInitPrompterAccessibleStorageLabelsDefaultSkipPath(t *testing.T) {
 	if strings.Contains(out, "Storage label handling") {
 		t.Fatalf("wizard output still shows legacy storage label mode prompt: %q", out)
 	}
-	if !strings.Contains(out, "Git secrets storage label") {
-		t.Fatalf("wizard output missing inline git secrets storage label: %q", out)
+	if !strings.Contains(out, "Git credentials") || !strings.Contains(out, "Git credential store") || !strings.Contains(out, "Git credential name") {
+		t.Fatalf("wizard output missing inline Git credential prompts: %q", out)
 	}
 	if !strings.Contains(out, "Profile action") || !strings.Contains(out, "Stage profile settings") {
 		t.Fatalf("wizard output missing profile-level staging action: %q", out)
@@ -7994,7 +7834,6 @@ func TestHuhInitPrompterAccessibleStorageLabelsOnlyExposeGitLabel(t *testing.T)
 	t.Setenv("TERM", "dumb")
 	work := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": work,
 		},
@@ -8008,19 +7847,21 @@ func TestHuhInitPrompterAccessibleStorageLabelsOnlyExposeGitLabel(t *testing.T)
 			Adapter:  config.LLMAdapterClaudeCLI,
 		},
 		"z-api-runtime": {
-			Name:          "z-api-runtime",
-			Provider:      config.LLMProviderAnthropic,
-			Auth:          config.LLMAuthAPIKey,
-			Adapter:       config.LLMAdapterAnthropicAPI,
-			CredentialRef: "codereview/shared-llm",
+			Name:            "z-api-runtime",
+			Provider:        config.LLMProviderAnthropic,
+			Auth:            config.LLMAuthAPIKey,
+			Adapter:         config.LLMAdapterAnthropicAPI,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/shared-llm",
 		},
 	}
 	reviewerEntities := map[string]initReviewerEntityDraft{
 		"pat-reviewer": {
-			Name:          "pat-reviewer",
-			Kind:          initReviewerEntityKindPAT,
-			AuthMode:      config.GitAuthModePAT,
-			CredentialRef: "codereview/shared-reviewer",
+			Name:            "pat-reviewer",
+			Kind:            initReviewerEntityKindPAT,
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/shared-reviewer",
 		},
 	}
 	var stderr bytes.Buffer
@@ -8033,9 +7874,10 @@ func TestHuhInitPrompterAccessibleStorageLabelsOnlyExposeGitLabel(t *testing.T)
 			"2", // LLM runtime: z-api-runtime
 			"",  // Reviewer model tier
 			"",  // Repository routes
-			"",  // Git storage label
-			"",  // Reviewer storage label
-			"",  // LLM storage label
+			"",  // LLM credential store
+			"",  // LLM credential name
+			"",  // Git credential store
+			"",  // Git credential name
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -8056,7 +7898,6 @@ func TestHuhInitPrompterAccessibleStorageLabelsOnlyExposeGitLabel(t *testing.T)
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
 		ExistingProfile:      &work,
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 		GitScopes:            gitScopes,
 		ProfileGitScopes:     profileGitScopes,
@@ -8067,11 +7908,14 @@ func TestHuhInitPrompterAccessibleStorageLabelsOnlyExposeGitLabel(t *testing.T)
 		t.Fatalf("Run: %v", err)
 	}
 	out := stderr.String()
-	if !strings.Contains(out, "Git secrets storage label") {
-		t.Fatalf("stderr = %q, want inline Git storage label", out)
+	if !strings.Contains(out, "Git credentials") || !strings.Contains(out, "Git credential store") || !strings.Contains(out, "Git credential name") {
+		t.Fatalf("stderr = %q, want inline Git credential prompts", out)
+	}
+	if !strings.Contains(out, "LLM API key credentials") || !strings.Contains(out, "LLM credential store") || !strings.Contains(out, "LLM credential name") {
+		t.Fatalf("stderr = %q, want inline LLM credential prompts for API-key runtime", out)
 	}
-	if strings.Contains(out, "Reviewer storage label") || strings.Contains(out, "LLM storage label") {
-		t.Fatalf("stderr = %q, want profile editor to omit reviewer/LLM storage labels", out)
+	if strings.Contains(out, "Reviewer storage label") || strings.Contains(out, "LLM storage label") || strings.Contains(out, "Git secrets storage label") {
+		t.Fatalf("stderr = %q, want profile editor to omit legacy storage-label prompts", out)
 	}
 	_ = draft
 }
@@ -8195,17 +8039,16 @@ func TestInitProfileStorageLabelSelectionTransitionFollowsChangedDefaults(t *tes
 func TestHuhInitPrompterAccessibleStorageLabelsKeepCustomOverridesAcrossSelections(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	existing := basicProfile("work")
-	existing.Git.CredentialRef = "codereview/custom-git"
+	existing.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-git"}
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModePAT,
-		CredentialRef: "codereview/custom-reviewer",
+		AuthMode:   config.GitAuthModePAT,
+		Credential: config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-reviewer"},
 	}
 	existing.LLM.Provider = config.LLMProviderAnthropic
 	existing.LLM.Auth = config.LLMAuthAPIKey
 	existing.LLM.Adapter = config.LLMAdapterAnthropicAPI
-	existing.LLM.CredentialRef = "codereview/custom-llm"
+	existing.LLM.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-llm"}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": existing,
 		},
@@ -8290,7 +8133,6 @@ func TestHuhInitPrompterAccessibleStorageLabelsKeepCustomOverridesAcrossSelectio
 		ExistingProfileName:     "work",
 		ExistingProfile:         &existing,
 		ExistingProfileNames:    []string{"work"},
-		DefaultProfileName:      "work",
 		ExistingConfig:          cfg,
 		GitScopes:               gitScopes,
 		ProfileGitScopes:        map[string]string{"work": "a-old-git"},
@@ -8485,8 +8327,7 @@ func TestHuhInitPrompterAccessibleShowsExistingProfileHealthWarnings(t *testing.
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
 		ExistingProfileNames: []string{"work"},
-		DefaultProfileName:   "work",
-		ExistingConfig:       config.File{DefaultProfile: "work", Profiles: map[string]config.Profile{"work": existing}},
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": existing}},
 		ProfileWarnings: map[string][]string{
 			"work": {"Git secret health: codereview/work is missing required keys (git_token)"},
 		},
@@ -8540,7 +8381,6 @@ func TestHuhInitPrompterAccessibleHidesReviewerEntityLabelForProfileGitAccount(t
 
 	_, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		DefaultProfileName:   "",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
 	})
 	if err != nil {
@@ -9054,7 +8894,6 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 		IdentityCache: "reviewer-cache",
 	}
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{{
 			Profile: "work",
 			Match: config.RepositoryProfileMatch{
@@ -9079,7 +8918,6 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 			return initDraft{
 				OriginalProfileName:   "work",
 				ProfileName:           "office",
-				MakeDefault:           true,
 				GitHost:               "github.com",
 				GitAuth:               string(config.GitAuthModeGitHubApp),
 				GitCredentialRef:      "codereview/office-git",
@@ -9123,8 +8961,8 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 	if err != nil {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
-	if gotCtx.ExistingProfileName != "work" || gotCtx.DefaultProfileName != "work" {
-		t.Fatalf("prompt context = %#v, want existing/default work", gotCtx)
+	if gotCtx.ExistingProfileName != "work" {
+		t.Fatalf("prompt context = %#v, want existing work", gotCtx)
 	}
 	if gotCtx.ExistingProfile == nil || gotCtx.ExistingProfile.Git.CredentialRef != "codereview/work" {
 		t.Fatalf("prompt existing profile = %#v, want work profile", gotCtx.ExistingProfile)
@@ -9133,9 +8971,6 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "office" {
-		t.Fatalf("default_profile = %q, want office", cfg.DefaultProfile)
-	}
 	if _, ok := cfg.Profiles["work"]; ok {
 		t.Fatalf("old profile still present after rename: %#v", cfg.Profiles)
 	}
@@ -9167,10 +9002,10 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 	if profile.LLM.ReviewerModelTier != config.ModelTierSmall {
 		t.Fatalf("reviewer_model_tier = %q, want small", profile.LLM.ReviewerModelTier)
 	}
-	if !strings.Contains(stderr.String(), "set-credential --ref codereview/custom-office-llm --key "+credentials.OpenAIAPIKeyKey+" --stdin") {
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/custom-office-llm --key "+credentials.OpenAIAPIKeyKey+" --stdin") {
 		t.Fatalf("stderr = %q, want deferred llm follow-up hint", stderr.String())
 	}
-	if !strings.Contains(stderr.String(), "set-credential --ref codereview/office-git --key "+credentials.GitHubAppIDKey+" --stdin") {
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppIDKey+" --stdin") {
 		t.Fatalf("stderr = %q, want github app git follow-up hint", stderr.String())
 	}
 	if route := cfg.RepositoryProfiles[0]; route.Profile != "office" {
@@ -9183,8 +9018,7 @@ func TestInitInteractiveModelMapPreserveUsesEditedLLMContext(t *testing.T) {
 	existing := basicProfile("work")
 	existing.LLM.ModelMap = config.ModelMap{"medium": "claude-custom"}
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": existing},
+		Profiles: map[string]config.Profile{"work": existing},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -9198,7 +9032,6 @@ func TestInitInteractiveModelMapPreserveUsesEditedLLMContext(t *testing.T) {
 			return initDraft{
 				OriginalProfileName:  "work",
 				ProfileName:          "work",
-				MakeDefault:          true,
 				GitHost:              "github.com",
 				GitAuth:              string(config.GitAuthModePAT),
 				GitCredentialRef:     "codereview/work",
@@ -9239,7 +9072,6 @@ func TestInitInteractiveModelMapPreserveUsesEditedLLMContext(t *testing.T) {
 func TestEditInteractiveInitProfileSkipsInlineProfileDetailCollectors(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -9251,7 +9083,7 @@ func TestEditInteractiveInitProfileSkipsInlineProfileDetailCollectors(t *testing
 		ConfigPath: path,
 	}
 	work := cfg.Profiles["work"]
-	draft := seedInteractiveInitDraft("work", "work", "work", &work)
+	draft := seedInteractiveInitDraft("work", "work", &work)
 	draft.RoutesSet = true
 	draft.ModelMapSet = true
 	draft.ModelMap = config.ModelMap{"large": "claude-custom"}
@@ -9315,7 +9147,6 @@ func TestLoopInteractiveInitProfileV2StagesDraftIntoSessionBeforeReentry(t *test
 	path := filepath.Join(t.TempDir(), "config.yml")
 	existing := basicProfile("open-cli-collective")
 	cfg := config.File{
-		DefaultProfile: "open-cli-collective",
 		Profiles: map[string]config.Profile{
 			"open-cli-collective": existing,
 		},
@@ -9342,7 +9173,7 @@ func TestLoopInteractiveInitProfileV2StagesDraftIntoSessionBeforeReentry(t *test
 				return initDraft{}, errInitNavigateBack
 			}
 			work := ctx.ExistingConfig.Profiles["open-cli-collective"]
-			draft := seedInteractiveInitDraft("open-cli-collective", "open-cli-collective", "open-cli-collective", &work)
+			draft := seedInteractiveInitDraft("open-cli-collective", "open-cli-collective", &work)
 			draft.ProfileName = "open-cli-collective-lkjlkj"
 			draft.GitCredentialRef = "codereview/open-cli-collective12365"
 			draft.RoutesSet = true
@@ -9383,7 +9214,6 @@ func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T
 	path := filepath.Join(t.TempDir(), "config.yml")
 	existing := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": existing,
 		},
@@ -9416,7 +9246,7 @@ func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T
 				return initDraft{}, errInitNavigateBack
 			}
 			work := ctx.ExistingConfig.Profiles["work"]
-			draft := seedInteractiveInitDraft("work", "work", "work", &work)
+			draft := seedInteractiveInitDraft("work", "work", &work)
 			draft.GitCredentialRef = "codereview/custom-work-git"
 			draft.LLMProvider = string(config.LLMProviderOpenAI)
 			draft.LLMAuth = string(config.LLMAuthSubscription)
@@ -9698,8 +9528,7 @@ func TestInitInteractiveModelMapAddEditRemoveAndReset(t *testing.T) {
 			existing.LLM.ModelMap = copyModelMap(tt.existing)
 			existing.AgentSources = []string{"/tmp/agents"}
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Profiles:       map[string]config.Profile{"work": existing},
+				Profiles: map[string]config.Profile{"work": existing},
 			})
 			opts := &root.Options{
 				Stdin:      strings.NewReader(""),
@@ -9712,7 +9541,6 @@ func TestInitInteractiveModelMapAddEditRemoveAndReset(t *testing.T) {
 					return initDraft{
 						OriginalProfileName:  "work",
 						ProfileName:          "work",
-						MakeDefault:          true,
 						GitHost:              "github.com",
 						GitAuth:              string(config.GitAuthModePAT),
 						GitCredentialRef:     "codereview/work",
@@ -9741,6 +9569,7 @@ func TestInitInteractiveModelMapAddEditRemoveAndReset(t *testing.T) {
 			expected := existing
 			expected.LLM.ModelMap = copyModelMap(tt.want)
 			expected.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
+			expected = normalizeTestProfile(expected)
 			if !reflect.DeepEqual(cfg.Profiles["work"], expected) {
 				t.Fatalf("saved profile = %#v, want %#v", cfg.Profiles["work"], expected)
 			}
@@ -9766,8 +9595,7 @@ func TestInitInteractiveModelMapRejectsInvalidEntries(t *testing.T) {
 			path := filepath.Join(t.TempDir(), "config.yml")
 			existing := basicProfile("work")
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Profiles:       map[string]config.Profile{"work": existing},
+				Profiles: map[string]config.Profile{"work": existing},
 			})
 			opts := &root.Options{
 				Stdin:      strings.NewReader(""),
@@ -9780,7 +9608,6 @@ func TestInitInteractiveModelMapRejectsInvalidEntries(t *testing.T) {
 					return initDraft{
 						OriginalProfileName: "work",
 						ProfileName:         "work",
-						MakeDefault:         true,
 						GitHost:             "github.com",
 						GitAuth:             string(config.GitAuthModePAT),
 						GitCredentialRef:    "codereview/work",
@@ -9876,8 +9703,7 @@ func TestInitInteractiveAgentSourcesPreserveAddRemoveAndReset(t *testing.T) {
 				ResolveAfter:     "24h",
 			}
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Profiles:       map[string]config.Profile{"work": existing},
+				Profiles: map[string]config.Profile{"work": existing},
 			})
 			opts := &root.Options{
 				Stdin:      strings.NewReader(""),
@@ -9890,7 +9716,6 @@ func TestInitInteractiveAgentSourcesPreserveAddRemoveAndReset(t *testing.T) {
 					return initDraft{
 						OriginalProfileName: "work",
 						ProfileName:         "work",
-						MakeDefault:         true,
 						GitHost:             "github.com",
 						GitAuth:             string(config.GitAuthModePAT),
 						GitCredentialRef:    "codereview/work",
@@ -9928,8 +9753,7 @@ func TestInitInteractiveAgentSourcesPreserveAddRemoveAndReset(t *testing.T) {
 func TestInitInteractiveAgentSourcesCanClearToEmpty(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -9942,7 +9766,6 @@ func TestInitInteractiveAgentSourcesCanClearToEmpty(t *testing.T) {
 			return initDraft{
 				OriginalProfileName: "work",
 				ProfileName:         "work",
-				MakeDefault:         true,
 				GitHost:             "github.com",
 				GitAuth:             string(config.GitAuthModePAT),
 				GitCredentialRef:    "codereview/work",
@@ -10019,8 +9842,7 @@ func TestInitInteractiveReviewPolicyPreserveEditAndDefaults(t *testing.T) {
 			existing.AgentSources = []string{"/tmp/agents"}
 			existing.ReviewPolicy = tt.existing
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Profiles:       map[string]config.Profile{"work": existing},
+				Profiles: map[string]config.Profile{"work": existing},
 			})
 			opts := &root.Options{
 				Stdin:      strings.NewReader(""),
@@ -10033,7 +9855,6 @@ func TestInitInteractiveReviewPolicyPreserveEditAndDefaults(t *testing.T) {
 					return initDraft{
 						OriginalProfileName: "work",
 						ProfileName:         "work",
-						MakeDefault:         true,
 						GitHost:             "github.com",
 						GitAuth:             string(config.GitAuthModePAT),
 						GitCredentialRef:    "codereview/work",
@@ -10103,8 +9924,7 @@ func TestInitInteractiveReviewPolicyRejectsInvalidEntries(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			path := filepath.Join(t.TempDir(), "config.yml")
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+				Profiles: map[string]config.Profile{"work": basicProfile("work")},
 			})
 			opts := &root.Options{
 				Stdin:      strings.NewReader(""),
@@ -10117,7 +9937,6 @@ func TestInitInteractiveReviewPolicyRejectsInvalidEntries(t *testing.T) {
 					return initDraft{
 						OriginalProfileName: "work",
 						ProfileName:         "work",
-						MakeDefault:         true,
 						GitHost:             "github.com",
 						GitAuth:             string(config.GitAuthModePAT),
 						GitCredentialRef:    "codereview/work",
@@ -10608,11 +10427,17 @@ func TestHuhInitKeyringBackendPrompterAccessibleShowsField(t *testing.T) {
 	if len(rows) == 0 {
 		t.Fatal("initSecretsManagementInventoryRows returned no rows")
 	}
-	if rows[0].Title != "Fallback credential store: "+initAutomaticOSDefaultSecretsBackendLabel() {
-		t.Fatalf("first row title = %q, want fallback credential-store row first", rows[0].Title)
+	if rows[0].ID != config.LocalOSCredentialStoreID {
+		t.Fatalf("first row id = %q, want built-in OS credential store first", rows[0].ID)
+	}
+	if rows[0].Title != initBuiltInOSCredentialStoreTitle() {
+		t.Fatalf("first row title = %q, want built-in OS credential-store title", rows[0].Title)
 	}
-	if !strings.Contains(rows[0].Description, "Legacy fallback credential store") {
-		t.Fatalf("first row description = %q, want legacy fallback wording", rows[0].Description)
+	if rows[0].Description != initBuiltInOSCredentialStoreDescription() {
+		t.Fatalf("first row description = %q, want built-in OS credential-store description", rows[0].Description)
+	}
+	if rows[0].Deletable {
+		t.Fatalf("built-in row is deletable: %#v", rows[0])
 	}
 	var foundConfigure bool
 	for _, row := range rows {
@@ -10624,13 +10449,6 @@ func TestHuhInitKeyringBackendPrompterAccessibleShowsField(t *testing.T) {
 	if !foundConfigure {
 		t.Fatalf("rows = %#v, want configure-new backend command copy", rows)
 	}
-	options := initLegacySecretsBackendOptions("")
-	if len(options) == 0 {
-		t.Fatal("initLegacySecretsBackendOptions returned no options")
-	}
-	if options[0].Key != initAutomaticOSDefaultSecretsBackendLabel() {
-		t.Fatalf("first legacy backend option = %q, want platform-aware automatic OS default", options[0].Key)
-	}
 }
 
 func TestInitAutomaticOSDefaultSecretsBackendLabelForGOOS(t *testing.T) {
@@ -10638,10 +10456,10 @@ func TestInitAutomaticOSDefaultSecretsBackendLabelForGOOS(t *testing.T) {
 		goos string
 		want string
 	}{
-		{goos: "darwin", want: "Automatic OS default (macOS Keychain)"},
-		{goos: "windows", want: "Automatic OS default (Windows Credential Manager)"},
-		{goos: "linux", want: "Automatic OS default (Linux Secret Service)"},
-		{goos: "plan9", want: "Automatic OS default"},
+		{goos: "darwin", want: "macOS Login Keychain"},
+		{goos: "windows", want: "Windows Credential Manager"},
+		{goos: "linux", want: "Linux Secret Service"},
+		{goos: "plan9", want: "OS credential store"},
 	}
 
 	for _, tt := range tests {
@@ -10660,13 +10478,12 @@ func TestInitSecretsManagementInventoryRowsUsePreferredBackendOrder(t *testing.T
 		titles = append(titles, row.Title)
 	}
 	assertContentOrder(t, strings.Join(titles, "\n"),
-		"Fallback credential store",
-		"Configure new macos keychain profile",
+		initBuiltInOSCredentialStoreTitle(),
+		"Configure new 1Password desktop app profile",
+		"Configure new 1Password service account profile",
+		"Configure new 1Password Connect profile",
 		"Configure new pass password store profile",
 		"Configure new encrypted file profile",
-		"Configure new 1password desktop app profile",
-		"Configure new 1password service account profile",
-		"Configure new 1password connect profile",
 		"Configure new in-memory store profile",
 	)
 }
@@ -10674,7 +10491,6 @@ func TestInitSecretsManagementInventoryRowsUsePreferredBackendOrder(t *testing.T
 func TestInitInteractiveProfileSubflowBackPreservesBuiltWorkspace(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{{
 			Profile: "work",
 			Match: config.RepositoryProfileMatch{
@@ -10706,7 +10522,6 @@ func TestInitInteractiveProfileSubflowBackPreservesBuiltWorkspace(t *testing.T)
 				return initDraft{
 					OriginalProfileName: "work",
 					ProfileName:         "work",
-					MakeDefault:         true,
 					GitHost:             "gitlab.com",
 					GitAuth:             string(config.GitAuthModePAT),
 					GitCredentialRef:    "codereview/work",
@@ -10762,8 +10577,7 @@ func TestInitInteractiveProfileSubflowBackPreservesBuiltWorkspace(t *testing.T)
 func TestInitInteractiveSecretsManagementBackPreservesEarlierRetentionDraft(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -10923,10 +10737,9 @@ func TestInitInteractiveRetentionPreserveEditResetAndExplicitZero(t *testing.T)
 			path := filepath.Join(t.TempDir(), "config.yml")
 			existing := basicProfile("work")
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Keyring:        config.KeyringConfig{Backend: "file"},
-				Profiles:       map[string]config.Profile{"work": existing},
-				Data:           config.DataConfig{Retention: tt.existing},
+				Keyring:  config.KeyringConfig{Backend: "file"},
+				Profiles: map[string]config.Profile{"work": existing},
+				Data:     config.DataConfig{Retention: tt.existing},
 			})
 			opts := &root.Options{
 				Stdin:      strings.NewReader(""),
@@ -10939,7 +10752,6 @@ func TestInitInteractiveRetentionPreserveEditResetAndExplicitZero(t *testing.T)
 					return initDraft{
 						OriginalProfileName: "work",
 						ProfileName:         "work",
-						MakeDefault:         true,
 						GitHost:             "github.com",
 						GitAuth:             string(config.GitAuthModePAT),
 						GitCredentialRef:    "codereview/work",
@@ -10967,160 +10779,13 @@ func TestInitInteractiveRetentionPreserveEditResetAndExplicitZero(t *testing.T)
 			if cfg.Data.Retention.MaxAgeDaysValue() != tt.wantDays || cfg.Data.Retention.Enforcement != tt.wantMode {
 				t.Fatalf("retention = %#v, want %d/%s", cfg.Data.Retention, tt.wantDays, tt.wantMode)
 			}
-			if cfg.Keyring.Backend != "file" {
-				t.Fatalf("keyring.backend = %q, want preserved file", cfg.Keyring.Backend)
-			}
-		})
-	}
-}
-
-func TestInitInteractiveKeyringBackendPreserveSetResetAndConflict(t *testing.T) {
-	tests := []struct {
-		name        string
-		existing    string
-		edit        initKeyringBackendEdit
-		runtime     string
-		wantBackend string
-		wantHint    string
-		wantErr     string
-	}{
-		{
-			name:        "preserve existing",
-			existing:    "file",
-			edit:        initKeyringBackendEdit{Apply: false},
-			wantBackend: "file",
-		},
-		{
-			name:        "set backend",
-			edit:        initKeyringBackendEdit{Apply: true, Backend: "memory"},
-			wantBackend: "memory",
-		},
-		{
-			name:        "reset runtime only backend keeps hint",
-			existing:    "file",
-			edit:        initKeyringBackendEdit{Apply: true, Backend: ""},
-			runtime:     "memory",
-			wantBackend: "",
-			wantHint:    "--backend memory",
-		},
-		{
-			name:    "runtime conflict",
-			edit:    initKeyringBackendEdit{Apply: true, Backend: "file"},
-			runtime: "memory",
-			wantErr: `--backend "memory" conflicts with selected keyring.backend "file"`,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			path := filepath.Join(t.TempDir(), "config.yml")
-			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile: "work",
-				Keyring:        config.KeyringConfig{Backend: tt.existing},
-				Profiles:       map[string]config.Profile{"work": basicProfile("work")},
-			})
-			cmd := &cobra.Command{}
-			cmd.Flags().String(credstore.BackendFlagName, "", "")
-			opts := &root.Options{
-				Backend:    tt.runtime,
-				Stdin:      strings.NewReader(""),
-				Stdout:     &bytes.Buffer{},
-				Stderr:     &bytes.Buffer{},
-				ConfigPath: path,
-			}
-			if tt.runtime != "" {
-				if err := cmd.Flags().Set(credstore.BackendFlagName, tt.runtime); err != nil {
-					t.Fatalf("set backend flag: %v", err)
-				}
-			}
-			var stderr bytes.Buffer
-			opts.Stderr = &stderr
-			deps := initDeps{
-				prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
-					return initDraft{
-						OriginalProfileName: "work",
-						ProfileName:         "work",
-						MakeDefault:         true,
-						GitHost:             "github.com",
-						GitAuth:             string(config.GitAuthModePAT),
-						GitCredentialRef:    "codereview/work",
-						LLMProvider:         string(config.LLMProviderOpenAI),
-						LLMAuth:             string(config.LLMAuthAPIKey),
-						LLMAdapter:          string(config.LLMAdapterOpenAIAPI),
-						LLMCredentialRef:    "codereview/work-llm",
-					}, nil
-				}),
-				keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-					return tt.edit, nil
-				}),
-				secretPrompter: &fakeInitSecretPrompter{
-					actions: []initCredentialSecretAction{initCredentialSecretActionDefer, initCredentialSecretActionDefer},
-				},
-				configPath: func(*root.Options) (string, error) { return path, nil },
-				loadConfig: loadConfigForInit,
-				saveConfig: config.Save,
-				openStore: func(string, bool, config.File) (initStore, error) {
-					return newFakeInitStore(nil), nil
-				},
-			}
-
-			err := runInitWithDeps(cmd, opts, initOptions{}, deps)
-			if tt.wantErr != "" {
-				if err == nil || !strings.Contains(err.Error(), tt.wantErr) {
-					t.Fatalf("error = %v, want %q", err, tt.wantErr)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatalf("runInitWithDeps: %v", err)
-			}
-			cfg, err := config.Load(path)
-			if err != nil {
-				t.Fatalf("Load config: %v", err)
-			}
-			if cfg.Keyring.Backend != tt.wantBackend {
-				t.Fatalf("keyring.backend = %q, want %q", cfg.Keyring.Backend, tt.wantBackend)
-			}
-			if tt.wantHint != "" && !strings.Contains(stderr.String(), tt.wantHint) {
-				t.Fatalf("stderr = %q, want %q hint", stderr.String(), tt.wantHint)
+			if cfg.Keyring.Backend != "" {
+				t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
 			}
 		})
 	}
 }
 
-func TestInitInteractiveKeyringBackendRejectsDefaultNamedSecretsProfileWhenRuntimeBackendSet(t *testing.T) {
-	opts := &root.Options{Backend: "memory"}
-	cfg := config.File{
-		DefaultProfile: "default",
-		Profiles: map[string]config.Profile{
-			"default": basicProfile("default"),
-		},
-		Secrets: config.SecretsConfig{
-			Profiles: map[string]config.SecretsProfile{
-				"team-vault": {
-					Label: "Team Vault",
-					Backend: config.SecretsProfileBackend{
-						Kind: config.SecretsBackendKind(credstore.BackendFile),
-					},
-				},
-			},
-			DefaultProfile: "team-vault",
-		},
-	}
-
-	_, err := collectInteractiveInitKeyringBackendConfig(opts, initDeps{
-		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-			return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: cfg}, nil
-		}),
-	}, true, cfg)
-	if err == nil {
-		t.Fatal("collectInteractiveInitKeyringBackendConfig error = nil, want runtime backend conflict")
-	}
-	if !strings.Contains(err.Error(), `--backend "memory" conflicts with default secrets-management profile "Team Vault"`) {
-		t.Fatalf("error = %v, want named default secrets-management conflict", err)
-	}
-}
-
 func TestInitSecretsProfileIDFromLabelDeconflictsDeterministically(t *testing.T) {
 	existing := map[string]config.SecretsProfile{
 		"work-vault":   {},
@@ -11132,7 +10797,7 @@ func TestInitSecretsProfileIDFromLabelDeconflictsDeterministically(t *testing.T)
 	}
 }
 
-func TestInitSecretsManagementInventoryRowsDisableUnavailableBackends(t *testing.T) {
+func TestInitSecretsManagementInventoryRowsOmitBuiltInBackendsFromConfigureActions(t *testing.T) {
 	rows := initSecretsManagementInventoryRows(config.File{})
 	availability := map[string]bool{}
 	for _, row := range rows {
@@ -11140,23 +10805,18 @@ func TestInitSecretsManagementInventoryRowsDisableUnavailableBackends(t *testing
 			availability[row.ID] = row.Selectable
 		}
 	}
-	switch runtime.GOOS {
-	case "darwin":
-		if !availability[initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendKeychain)] {
-			t.Fatal("macOS keychain backend should be selectable on darwin")
-		}
-		if availability[initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendWinCred)] {
-			t.Fatal("wincred backend should not be selectable on darwin")
-		}
-	case "linux":
-		if !availability[initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendSecretService)] {
-			t.Fatal("secret-service backend should be selectable on linux")
-		}
-	case "windows":
-		if !availability[initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendWinCred)] {
-			t.Fatal("wincred backend should be selectable on windows")
+	for _, backend := range []credstore.Backend{
+		credstore.BackendKeychain,
+		credstore.BackendWinCred,
+		credstore.BackendSecretService,
+	} {
+		if _, ok := availability[initConfigureSecretsProfileSelectionPrefix+string(backend)]; ok {
+			t.Fatalf("%s should not be a configure-new action; OS credential stores are projected as local-os", backend)
 		}
 	}
+	if _, ok := availability[initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendFile)]; !ok {
+		t.Fatalf("encrypted file backend should be configurable: %#v", availability)
+	}
 }
 
 func TestValidateInitSecretsRequiredSingleLine(t *testing.T) {
@@ -11202,10 +10862,7 @@ func TestInitSecretsProfileBackendOptionsUsePreferredOrder(t *testing.T) {
 		values = append(values, option.Value)
 	}
 	joined := "\n" + strings.Join(values, "\n") + "\n"
-	want := []string{
-		"\n" + string(credstore.BackendPass) + "\n",
-		"\n" + string(credstore.BackendFile) + "\n",
-	}
+	want := []string{}
 	if initOnePasswordBackendsAvailable() {
 		want = append(want,
 			"\n"+string(credstore.BackendOPDesktop)+"\n",
@@ -11213,6 +10870,10 @@ func TestInitSecretsProfileBackendOptionsUsePreferredOrder(t *testing.T) {
 			"\n"+string(credstore.BackendOPConnect)+"\n",
 		)
 	}
+	want = append(want,
+		"\n"+string(credstore.BackendPass)+"\n",
+		"\n"+string(credstore.BackendFile)+"\n",
+	)
 	want = append(want, "\n"+string(credstore.BackendMemory)+"\n")
 	assertContentOrder(t, joined, want...)
 }
@@ -11222,8 +10883,7 @@ func TestInitSecretsManagementLinearEditorHidesOnePasswordCreateTargetsWhenUnava
 		t.Skip("1Password create targets are hidden only in keyring_no1password builds")
 	}
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 	}
 	editor := initSecretsManagementLinearEditor(cfg)
 	model := newInitLinearEditorModel(editor, 180, 32)
@@ -11248,14 +10908,14 @@ func TestInitSecretsManagementLinearEditorHidesOnePasswordCreateTargetsWhenUnava
 func TestHuhInitKeyringBackendPrompterStagesNewSecretsProfileEndToEnd(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	callCount := 0
+	var stderr bytes.Buffer
 	prompter := huhInitKeyringBackendPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
 			"", // keep backend-derived label
 			"", // keep selected backend
-			"", // keep not-default selection
 			"", // stage settings
 		}, "\n")),
-		stderr: &bytes.Buffer{},
+		stderr: &stderr,
 		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
 			callCount++
 			switch callCount {
@@ -11277,10 +10937,10 @@ func TestHuhInitKeyringBackendPrompterStagesNewSecretsProfileEndToEnd(t *testing
 	}
 
 	edit, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
-		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}, DefaultProfile: "default"},
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
 	})
 	if err != nil {
-		t.Fatalf("EditKeyringBackend: %v", err)
+		t.Fatalf("EditKeyringBackend: %v\n%s", err, stderr.String())
 	}
 	if !edit.Apply {
 		t.Fatalf("edit = %#v, want apply=true", edit)
@@ -11297,124 +10957,193 @@ func TestHuhInitKeyringBackendPrompterStagesNewSecretsProfileEndToEnd(t *testing
 	}
 }
 
-func TestHuhInitKeyringBackendPrompterAccessibleLegacyFallbackFormShowsFallbackCopy(t *testing.T) {
-	t.Setenv("TERM", "dumb")
+func TestHuhInitKeyringBackendPrompterDefaultUsesLinearSecretsManagementFlow(t *testing.T) {
 	var stderr bytes.Buffer
 	prompter := huhInitKeyringBackendPrompter{
-		stdin: strings.NewReader(strings.Join([]string{
-			"", // keep selected memory backend
-			"", // stage fallback settings
-			"",
-		}, "\n")),
-		stderr: &stderr,
-	}
+		stderr:        &stderr,
+		discoveryMode: initSecretsBackendDiscoveryModeOff,
+		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
+			model := newInitLinearEditorModel(editor, 180, 32)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendFile))
+			_, _ = io.WriteString(out, model.layout.Content)
+			model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionEdit)
+			model.resultAction = initDetailActionEdit
+			return model, nil
+		},
+	}
 
-	edit, err := prompter.editLegacySecretsManagement(string(credstore.BackendMemory))
+	edit, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
+	})
 	if err != nil {
-		t.Fatalf("editLegacySecretsManagement: %v", err)
+		t.Fatalf("EditKeyringBackend: %v", err)
 	}
-	if !edit.Apply || edit.Backend != string(credstore.BackendMemory) {
-		t.Fatalf("edit = %#v, want staged memory fallback backend", edit)
+	if !edit.Apply || !edit.HasConfigEdit {
+		t.Fatalf("edit = %#v, want config edit", edit)
+	}
+	profile, ok := edit.Config.Secrets.Profiles["encrypted-file"]
+	if !ok {
+		t.Fatalf("secrets profiles = %#v, want generated encrypted-file profile", edit.Config.Secrets.Profiles)
+	}
+	if profile.Backend.Kind != config.SecretsBackendKind(credstore.BackendFile) {
+		t.Fatalf("backend kind = %q, want file", profile.Backend.Kind)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"Legacy fallback credential store backend",
-		"Fallback credential-store action",
-		"Stage fallback credential-store settings",
-		initAutomaticOSDefaultSecretsBackendLabel(),
-		"In-memory store",
+		"Secrets storage",
+		"Credential store",
+		"Configure new encrypted file profile",
+		"Credential store name",
+		"Secrets-storage action",
 	} {
 		if !strings.Contains(out, want) {
-			t.Fatalf("legacy fallback form output missing %q:\n%s", want, out)
+			t.Fatalf("stderr missing %q:\n%s", want, out)
 		}
 	}
-	for _, stale := range []string{
-		"Default Credential Store",
-		"Default credential store backend",
-		"Default credential-store action",
-		"Stage default credential-store settings",
-	} {
-		if strings.Contains(out, stale) {
-			t.Fatalf("legacy fallback form output contains stale copy %q:\n%s", stale, out)
-		}
+	assertContentOrder(t, out, "Credential store", "Credential store name", "Secrets-storage action")
+	if strings.Contains(out, "Back to main menu") {
+		t.Fatalf("stderr = %q, want action-local Back without staging instead of inventory Back", out)
+	}
+	if strings.Contains(out, "1Password vault name or id") {
+		t.Fatalf("stderr = %q, want file backend to hide 1Password-specific fields", out)
 	}
 }
 
-func TestHuhInitKeyringBackendPrompterInventoryLegacyFallbackStagesBackend(t *testing.T) {
-	t.Setenv("TERM", "dumb")
-	memoryChoice := 0
-	for index, option := range initLegacySecretsBackendOptions("") {
-		if option.Value == string(credstore.BackendMemory) {
-			memoryChoice = index + 1
-			break
+func TestHuhInitKeyringBackendPrompterWritesDiscoveryNoticeBeforeOnePasswordProbe(t *testing.T) {
+	var stderr bytes.Buffer
+	probeSawNotice := false
+	prompter := huhInitKeyringBackendPrompter{
+		stderr: &stderr,
+		executableLookPath: func(name string) (string, error) {
+			if name == "pass" {
+				return "", exec.ErrNotFound
+			}
+			return "", fmt.Errorf("unexpected executable lookup %q", name)
+		},
+		onePasswordCmdRunner: func(_ context.Context, _ string, args ...string) ([]byte, error) {
+			if strings.Join(args, " ") == "account list --format=json" {
+				out := stderr.String()
+				probeSawNotice = strings.Contains(out, "Checking available secrets storage backends.") &&
+					strings.Contains(out, "You may see permission prompts")
+			}
+			return nil, os.ErrNotExist
+		},
+		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
+			model := newInitLinearEditorModel(editor, 180, 32)
+			_, _ = io.WriteString(out, model.layout.Content)
+			model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionBack)
+			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+			next, ok := updated.(initLinearEditorModel)
+			if !ok {
+				t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
+			}
+			return next, nil
+		},
+	}
+
+	_, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
+	})
+	if !errors.Is(err, errInitNavigateBack) {
+		t.Fatalf("EditKeyringBackend error = %v, want navigate back", err)
+	}
+	if !probeSawNotice {
+		t.Fatalf("1Password probe ran before discovery notice; stderr = %q", stderr.String())
+	}
+	out := stderr.String()
+	for _, want := range []string{
+		initBuiltInOSCredentialStoreTitle() + ": available",
+		"1Password desktop app: not found",
+		"pass password store: not found",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("stderr missing probe result %q:\n%s", want, out)
 		}
 	}
-	if memoryChoice == 0 {
-		t.Fatal("memory backend option missing from legacy fallback backend options")
+}
+
+func TestHuhInitKeyringBackendPrompterWritesDiscoveryProbeResults(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password probe result uses 1Password-enabled backend labels")
 	}
 	var stderr bytes.Buffer
-	callCount := 0
 	prompter := huhInitKeyringBackendPrompter{
-		stdin:  strings.NewReader(fmt.Sprintf("%d\n1\n", memoryChoice)),
 		stderr: &stderr,
-		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
-			callCount++
-			switch callCount {
-			case 1:
-				return initInventoryResult{
-					Action: initInventoryActionCommand,
-					Row: initInventoryRow{
-						ID:    initSecretsManagementLegacySelection,
-						Title: initLegacySecretsManagementInventoryTitle(config.File{}),
-					},
-				}, nil
-			case 2:
-				return initInventoryResult{
-					Action: initInventoryActionBack,
-					Row:    initInventoryRow{ID: initBackSelection},
-				}, nil
+		executableLookPath: func(name string) (string, error) {
+			if name == "pass" {
+				return "/usr/bin/pass", nil
+			}
+			return "", fmt.Errorf("unexpected executable lookup %q", name)
+		},
+		onePasswordCmdRunner: func(_ context.Context, _ string, args ...string) ([]byte, error) {
+			switch strings.Join(args, " ") {
+			case "account list --format=json":
+				return []byte(`[{"account_uuid":"acct-1","account_name":"SignalFT","url":"signalft.1password.com"}]`), nil
+			case "vault list --account acct-1 --format=json":
+				return []byte(`[{"id":"vault-emp","name":"Employee"}]`), nil
 			default:
-				t.Fatalf("unexpected inventory call %d", callCount)
-				return initInventoryResult{}, nil
+				return nil, fmt.Errorf("unexpected op command %q", strings.Join(args, " "))
+			}
+		},
+		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
+			model := newInitLinearEditorModel(editor, 180, 32)
+			_, _ = io.WriteString(out, model.layout.Content)
+			model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionBack)
+			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+			next, ok := updated.(initLinearEditorModel)
+			if !ok {
+				t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
 			}
+			return next, nil
 		},
 	}
 
-	edit, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
-		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}, DefaultProfile: "default"},
+	_, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
 	})
-	if err != nil {
-		t.Fatalf("EditKeyringBackend: %v", err)
-	}
-	if !edit.Apply || !edit.HasConfigEdit {
-		t.Fatalf("edit = %#v, want staged config edit", edit)
-	}
-	if got := edit.Config.Keyring.Backend; got != string(credstore.BackendMemory) {
-		t.Fatalf("keyring.backend = %q, want memory after legacy fallback inventory path", got)
+	if !errors.Is(err, errInitNavigateBack) {
+		t.Fatalf("EditKeyringBackend error = %v, want navigate back", err)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"Legacy fallback credential store backend",
-		"Fallback credential-store action",
-		"Stage fallback credential-store settings",
-		"In-memory store",
+		initBuiltInOSCredentialStoreTitle() + ": available",
+		"1Password desktop app: available (1 account, 1 vault)",
+		"pass password store: available",
 	} {
 		if !strings.Contains(out, want) {
-			t.Fatalf("legacy fallback inventory path output missing %q:\n%s", want, out)
+			t.Fatalf("stderr missing probe result %q:\n%s", want, out)
 		}
 	}
+	assertContentOrder(t, out, "Checking available secrets storage backends.", "1Password desktop app: available (1 account, 1 vault)", "pass password store: available")
 }
 
-func TestHuhInitKeyringBackendPrompterDefaultUsesLinearSecretsManagementFlow(t *testing.T) {
+func TestHuhInitKeyringBackendPrompterSafeDiscoverySkipsActiveInventory(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
 	var stderr bytes.Buffer
 	prompter := huhInitKeyringBackendPrompter{
-		stderr: &stderr,
+		stderr:        &stderr,
+		discoveryMode: initSecretsBackendDiscoveryModeSafe,
+		executableLookPath: func(name string) (string, error) {
+			if name == "pass" {
+				return "", exec.ErrNotFound
+			}
+			return "", fmt.Errorf("unexpected executable lookup %q", name)
+		},
+		onePasswordCmdRunner: func(context.Context, string, ...string) ([]byte, error) {
+			t.Fatal("1Password command runner called despite safe discovery mode")
+			return nil, nil
+		},
 		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
 			model := newInitLinearEditorModel(editor, 180, 32)
-			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendFile))
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
 			_, _ = io.WriteString(out, model.layout.Content)
 			model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
-			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionEdit)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionBack)
 			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
 			next, ok := updated.(initLinearEditorModel)
 			if !ok {
@@ -11424,99 +11153,151 @@ func TestHuhInitKeyringBackendPrompterDefaultUsesLinearSecretsManagementFlow(t *
 		},
 	}
 
-	edit, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
-		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}, DefaultProfile: "default"},
+	_, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
 	})
-	if err != nil {
-		t.Fatalf("EditKeyringBackend: %v", err)
+	if !errors.Is(err, errInitNavigateBack) {
+		t.Fatalf("EditKeyringBackend error = %v, want navigate back", err)
 	}
-	if !edit.Apply || !edit.HasConfigEdit {
-		t.Fatalf("edit = %#v, want config edit", edit)
+	out := stderr.String()
+	for _, want := range []string{
+		"Only passive discovery is enabled; inventory probes are skipped.",
+		"1Password desktop app: skipped",
+		"pass password store: not found",
+		"1Password account URL",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("stderr missing safe discovery output %q:\n%s", want, out)
+		}
 	}
-	profile, ok := edit.Config.Secrets.Profiles["encrypted-file"]
-	if !ok {
-		t.Fatalf("secrets profiles = %#v, want generated encrypted-file profile", edit.Config.Secrets.Profiles)
+	if strings.Contains(out, "You may see permission prompts") {
+		t.Fatalf("safe discovery output still mentions permission prompts:\n%s", out)
 	}
-	if profile.Backend.Kind != config.SecretsBackendKind(credstore.BackendFile) {
-		t.Fatalf("backend kind = %q, want file", profile.Backend.Kind)
+}
+
+func TestHuhInitKeyringBackendPrompterOffDiscoverySkipsAllBackendProbes(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	var stderr bytes.Buffer
+	prompter := huhInitKeyringBackendPrompter{
+		stderr:        &stderr,
+		discoveryMode: initSecretsBackendDiscoveryModeOff,
+		executableLookPath: func(name string) (string, error) {
+			t.Fatalf("executable lookup %q called despite off discovery mode", name)
+			return "", nil
+		},
+		onePasswordCmdRunner: func(context.Context, string, ...string) ([]byte, error) {
+			t.Fatal("1Password command runner called despite off discovery mode")
+			return nil, nil
+		},
+		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
+			model := newInitLinearEditorModel(editor, 180, 32)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+			_, _ = io.WriteString(out, model.layout.Content)
+			model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionBack)
+			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+			next, ok := updated.(initLinearEditorModel)
+			if !ok {
+				t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
+			}
+			return next, nil
+		},
+	}
+
+	_, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
+	})
+	if !errors.Is(err, errInitNavigateBack) {
+		t.Fatalf("EditKeyringBackend error = %v, want navigate back", err)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"Secrets management",
-		"Secrets-management target",
-		"Configure new encrypted file profile",
-		"Secrets-management profile",
-		"Secrets-management profile label",
-		"Default secrets-management profile",
-		"Secrets-management action",
+		"Secrets backend discovery is disabled.",
+		"1Password desktop app: skipped",
+		"pass password store: skipped",
+		"1Password account URL",
 	} {
 		if !strings.Contains(out, want) {
-			t.Fatalf("stderr missing %q:\n%s", want, out)
+			t.Fatalf("stderr missing off discovery output %q:\n%s", want, out)
 		}
 	}
-	assertContentOrder(t, out, "Secrets-management target", "Secrets-management profile label", "Default secrets-management profile", "Secrets-management action")
-	if strings.Contains(out, "Back to main menu") {
-		t.Fatalf("stderr = %q, want action-local Back without staging instead of inventory Back", out)
+	if strings.Contains(out, "Checking available secrets storage backends.") {
+		t.Fatalf("off discovery output still says it is checking backends:\n%s", out)
 	}
-	if strings.Contains(out, "1Password vault name or id") {
-		t.Fatalf("stderr = %q, want file backend to hide 1Password-specific fields", out)
+}
+
+func TestResolveInitSecretsBackendDiscoveryModeUsesEnvUnlessFlagSet(t *testing.T) {
+	t.Setenv(initSecretsBackendDiscoveryEnv, "safe")
+	cmd := newInitCommand(&root.Options{Stdin: failReader{}, Stdout: &bytes.Buffer{}, Stderr: &bytes.Buffer{}})
+	mode, err := resolveInitSecretsBackendDiscoveryMode(cmd, initOptions{secretsDiscovery: string(initSecretsBackendDiscoveryModeFull)})
+	if err != nil {
+		t.Fatalf("resolveInitSecretsBackendDiscoveryMode env: %v", err)
+	}
+	if mode != initSecretsBackendDiscoveryModeSafe {
+		t.Fatalf("mode = %q, want safe from env", mode)
+	}
+	if err := cmd.Flags().Set("secret-backend-discovery", "off"); err != nil {
+		t.Fatalf("set secret-backend-discovery: %v", err)
+	}
+	mode, err = resolveInitSecretsBackendDiscoveryMode(cmd, initOptions{secretsDiscovery: string(initSecretsBackendDiscoveryModeOff)})
+	if err != nil {
+		t.Fatalf("resolveInitSecretsBackendDiscoveryMode flag: %v", err)
+	}
+	if mode != initSecretsBackendDiscoveryModeOff {
+		t.Fatalf("mode = %q, want off from flag", mode)
+	}
+}
+
+func TestResolveInitSecretsBackendDiscoveryModeRejectsInvalidValue(t *testing.T) {
+	_, err := resolveInitSecretsBackendDiscoveryMode(&cobra.Command{}, initOptions{secretsDiscovery: "loud"})
+	if got := exitcode.FromError(err); got != exitcode.UsageError {
+		t.Fatalf("exit code = %d, want %d; err=%v", got, exitcode.UsageError, err)
+	}
+	if !strings.Contains(err.Error(), "valid values are full, safe, off") {
+		t.Fatalf("error = %v, want valid-values copy", err)
 	}
 }
 
-func TestInitSecretsManagementLinearEditorShowsLegacyFallbackWording(t *testing.T) {
-	cfg := config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}, DefaultProfile: "default"}
+func TestInitSecretsManagementLinearEditorShowsBuiltInOSStoreReadOnly(t *testing.T) {
+	cfg := config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}}
 	editor := initSecretsManagementLinearEditor(cfg)
 	model := newInitLinearEditorModel(editor, 180, 32)
 	out := model.layout.Content
 	for _, want := range []string{
-		"Secrets-management target",
-		"Fallback credential store: " + initAutomaticOSDefaultSecretsBackendLabel(),
-		"Legacy fallback credential store",
-		"Compatibility path for profiles that do not choose a named secrets-management profile.",
-		"Fallback persistent backend",
-		initAutomaticOSDefaultSecretsBackendLabel(),
+		"Secrets storage",
+		"Built in",
+		"These built-in credential stores are always available and cannot be deleted:",
+		initBuiltInOSCredentialStoreTitle(),
+		initBuiltInOSCredentialStoreDescription(),
+		"Actions",
+		"Configure new encrypted file profile",
+		"Back without staging",
 	} {
 		if !strings.Contains(out, want) {
 			t.Fatalf("initial linear editor output missing %q:\n%s", want, out)
 		}
 	}
-	if strings.Contains(out, "Default credential store") || strings.Contains(out, "Legacy persistent backend") {
-		t.Fatalf("initial linear editor output contains redundant legacy copy:\n%s", out)
-	}
-
-	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldLegacyBackend, string(credstore.BackendMemory))
-	index := model.document.fieldIndexByID(initSecretsManagementFieldLegacyBackend)
-	if index < 0 {
-		t.Fatal("legacy backend field missing")
-	}
-	description := model.document[index].Description
-	for _, want := range []string{
-		"Ephemeral",
-		"tests or CI",
-		"not normal local use",
-		"legacy fallback backend",
-	} {
-		if !strings.Contains(description, want) {
-			t.Fatalf("legacy backend description = %q, want %q", description, want)
-		}
+	if strings.Contains(out, "[x] "+initBuiltInOSCredentialStoreTitle()) || strings.Contains(out, "[ ] "+initBuiltInOSCredentialStoreTitle()) {
+		t.Fatalf("built-in OS store rendered as selectable checkbox row:\n%s", out)
 	}
-	for _, want := range []string{
-		"Keep credentials in memory only for this process.",
-		"Ephemeral; best suited for tests or CI, not normal local use.",
-		"[x] In-memory store",
+	for _, stale := range []string{
+		"Fallback credential store",
+		"Default credential store",
+		"Default secrets-storage profile",
+		"secrets-storage profile",
 	} {
-		if !strings.Contains(model.layout.Content, want) {
-			t.Fatalf("memory-selected linear editor output missing %q:\n%s", want, model.layout.Content)
+		if strings.Contains(out, stale) {
+			t.Fatalf("initial linear editor output contains stale copy %q:\n%s", stale, out)
 		}
 	}
 }
 
 func TestHuhInitKeyringBackendPrompterLinearCanDeleteConfiguredSecretsProfile(t *testing.T) {
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "personal",
 			Profiles: map[string]config.SecretsProfile{
 				"personal": {
 					Label: "1Password",
@@ -11538,42 +11319,23 @@ func TestHuhInitKeyringBackendPrompterLinearCanDeleteConfiguredSecretsProfile(t
 	var stderr bytes.Buffer
 	editorCalls := 0
 	prompter := huhInitKeyringBackendPrompter{
-		stderr: &stderr,
+		stderr:        &stderr,
+		discoveryMode: initSecretsBackendDiscoveryModeOff,
 		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
 			editorCalls++
+			if editorCalls != 1 {
+				t.Fatalf("unexpected editor call %d; delete should return an applied config edit immediately", editorCalls)
+			}
 			model := newInitLinearEditorModel(editor, 180, 32)
-			switch editorCalls {
-			case 1:
-				model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, "onepasswordfoo")
-				model = focusInitLinearField(t, model, initSecretsManagementFieldTarget)
-				updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'d'}})
-				next, ok := updated.(initLinearEditorModel)
-				if !ok {
-					t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
-				}
-				return next, nil
-			case 2:
-				_, _ = io.WriteString(out, model.View())
-				if !strings.Contains(model.layout.Content, "1PasswordFoo (1Password desktop app) (Staged for deletion)") {
-					t.Fatalf("second editor content missing pending row:\n%s", model.layout.Content)
-				}
-				targetIndex := model.document.fieldIndexByID(initSecretsManagementFieldTarget)
-				targetOptions := model.document[targetIndex].Options
-				if got := targetOptions[len(targetOptions)-1].Value; got != initSecretsManagementRestoreSelectionPrefix+"onepasswordfoo" {
-					t.Fatalf("last target option = %q, want staged deletion restore option last; options = %#v", got, targetOptions)
-				}
-				model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
-				model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionEdit)
-				updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
-				next, ok := updated.(initLinearEditorModel)
-				if !ok {
-					t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
-				}
-				return next, nil
-			default:
-				t.Fatalf("unexpected editor call %d", editorCalls)
-				return initLinearEditorModel{}, nil
+			_, _ = io.WriteString(out, model.View())
+			model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, "onepasswordfoo")
+			model = focusInitLinearField(t, model, initSecretsManagementFieldTarget)
+			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'d'}})
+			next, ok := updated.(initLinearEditorModel)
+			if !ok {
+				t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
 			}
+			return next, nil
 		},
 	}
 
@@ -11590,18 +11352,17 @@ func TestHuhInitKeyringBackendPrompterLinearCanDeleteConfiguredSecretsProfile(t
 	if _, ok := edit.Config.Secrets.Profiles["personal"]; !ok {
 		t.Fatalf("secrets profiles = %#v, want personal retained", edit.Config.Secrets.Profiles)
 	}
-	if edit.Config.Secrets.DefaultProfile != "personal" {
-		t.Fatalf("default secrets profile = %q, want personal", edit.Config.Secrets.DefaultProfile)
+	if editorCalls != 1 {
+		t.Fatalf("editorCalls = %d, want one delete editor call", editorCalls)
 	}
-	if !strings.Contains(stderr.String(), "1PasswordFoo (1Password desktop app) (Staged for deletion)") {
-		t.Fatalf("stderr = %q, want staged deletion suffix", stderr.String())
+	if !strings.Contains(stderr.String(), "1PasswordFoo (1Password desktop app)") {
+		t.Fatalf("stderr = %q, want deleted store visible before delete", stderr.String())
 	}
 }
 
 func TestInitSecretsManagementTargetOptionsMovesPendingDeletesToBottomInDeletionOrder(t *testing.T) {
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 		Secrets: config.SecretsConfig{
 			Profiles: map[string]config.SecretsProfile{
 				"personal": {
@@ -11636,12 +11397,19 @@ func TestInitSecretsManagementTargetOptionsMovesPendingDeletesToBottomInDeletion
 	}
 }
 
+func TestInitSecretsManagementTargetOptionsExcludeBuiltInOSStore(t *testing.T) {
+	options := initSecretsManagementTargetOptions(config.File{}, nil, nil)
+	for _, option := range options {
+		if option.Value == config.LocalOSCredentialStoreID {
+			t.Fatalf("target options include built-in OS store as selectable row: %#v", options)
+		}
+	}
+}
+
 func TestInitSecretsManagementLinearEditorDeleteActionOnlyAppliesToConfiguredProfiles(t *testing.T) {
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "personal",
 			Profiles: map[string]config.SecretsProfile{
 				"personal": {
 					Label:   "1Password",
@@ -11669,10 +11437,17 @@ func TestInitSecretsManagementLinearEditorDeleteActionOnlyAppliesToConfiguredPro
 
 	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, "personal")
 	targetIndex := model.document.fieldIndexByID(initSecretsManagementFieldTarget)
+	foundPersonalDeletable := false
 	for _, option := range model.document[targetIndex].Options {
-		if option.Value == "personal" && option.Deletable {
-			t.Fatalf("default secrets-management profile option is deletable: %#v", option)
+		if option.Value == "personal" {
+			foundPersonalDeletable = option.Deletable
 		}
+		if option.Value == config.LocalOSCredentialStoreID && option.Deletable {
+			t.Fatalf("built-in OS credential store option is deletable: %#v", option)
+		}
+	}
+	if !foundPersonalDeletable {
+		t.Fatalf("target options = %#v, want configured profile to be deletable", model.document[targetIndex].Options)
 	}
 	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, "unused")
 	foundDeletable := false
@@ -11682,7 +11457,7 @@ func TestInitSecretsManagementLinearEditorDeleteActionOnlyAppliesToConfiguredPro
 		}
 	}
 	if !foundDeletable {
-		t.Fatalf("target options = %#v, want non-default configured profile to be deletable", model.document[targetIndex].Options)
+		t.Fatalf("target options = %#v, want configured profile to be deletable", model.document[targetIndex].Options)
 	}
 }
 
@@ -11737,8 +11512,7 @@ func TestInitLinearEditorPreservesExplicitDescriptionNewlines(t *testing.T) {
 
 func TestInitSecretsManagementLinearEditorOnlyFocusedSelectChangesAndShowsCaret(t *testing.T) {
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 		Secrets: config.SecretsConfig{
 			Profiles: map[string]config.SecretsProfile{
 				"work-secrets": {
@@ -11756,16 +11530,12 @@ func TestInitSecretsManagementLinearEditorOnlyFocusedSelectChangesAndShowsCaret(
 	model = focusInitLinearField(t, model, initSecretsManagementFieldBackend)
 
 	targetBefore := model.document.selectedValue(initSecretsManagementFieldTarget)
-	defaultBefore := model.document.selectedValue(initSecretsManagementFieldDefault)
 	actionBefore := model.document.selectedValue(initSecretsManagementFieldAction)
 	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyDown})
 
 	if got := model.document.selectedValue(initSecretsManagementFieldTarget); got != targetBefore {
 		t.Fatalf("target selection = %q, want unchanged %q", got, targetBefore)
 	}
-	if got := model.document.selectedValue(initSecretsManagementFieldDefault); got != defaultBefore {
-		t.Fatalf("default selection = %q, want unchanged %q", got, defaultBefore)
-	}
 	if got := model.document.selectedValue(initSecretsManagementFieldAction); got != actionBefore {
 		t.Fatalf("action selection = %q, want unchanged %q", got, actionBefore)
 	}
@@ -11790,8 +11560,7 @@ func TestInitSecretsManagementLinearEditorOnlyFocusedSelectChangesAndShowsCaret(
 	}
 	for _, unfocusedSelected := range []string{
 		"> [x] Work secrets (Encrypted file)",
-		"> [x] No, keep the current default secrets-management profile",
-		"> [x] Stage secrets-management settings",
+		"> [x] Stage secrets-storage settings",
 	} {
 		if strings.Contains(model.layout.Content, unfocusedSelected) {
 			t.Fatalf("content shows active caret on unfocused selected row %q:\n%s", unfocusedSelected, model.layout.Content)
@@ -11804,8 +11573,7 @@ func TestInitSecretsManagementLinearEditorCreateBackendTargetLocksBackend(t *tes
 		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
 	}
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 	}
 	editor := initSecretsManagementLinearEditor(cfg)
 	model := newInitLinearEditorModel(editor, 180, 32)
@@ -11822,69 +11590,606 @@ func TestInitSecretsManagementLinearEditorCreateBackendTargetLocksBackend(t *tes
 	if !backend.Hidden {
 		t.Fatalf("backend field hidden = false, want create-new target to hide redundant backend selector")
 	}
-	sectionIndex := model.document.fieldIndexByID(initSecretsManagementSectionProfile)
-	if sectionIndex < 0 {
-		t.Fatal("profile section missing")
+	sectionIndex := model.document.fieldIndexByID(initSecretsManagementSectionProfile)
+	if sectionIndex < 0 {
+		t.Fatal("profile section missing")
+	}
+	if !strings.Contains(model.document[sectionIndex].Description, "Selected target: Configure new 1Password service account profile") {
+		t.Fatalf("profile section description = %q, want selected-target context", model.document[sectionIndex].Description)
+	}
+}
+
+func TestInitSecretsManagementLinearEditorDesktopTargetSeedsFriendlyLabel(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	cfg := config.File{
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
+	}
+	editor := initSecretsManagementLinearEditor(cfg)
+	model := newInitLinearEditorModel(editor, 180, 32)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+
+	if got := model.document.fieldValue(initSecretsManagementFieldLabel); got != "1Password" {
+		t.Fatalf("profile label = %q, want friendly 1Password default", got)
+	}
+	if got := model.document.selectedValue(initSecretsManagementFieldBackend); got != string(credstore.BackendOPDesktop) {
+		t.Fatalf("selected backend = %q, want op-desktop", got)
+	}
+	for _, hidden := range []initLinearFieldID{
+		initSecretsManagementFieldBackend,
+	} {
+		index := model.document.fieldIndexByID(hidden)
+		if index < 0 {
+			t.Fatalf("field %q missing", hidden)
+		}
+		if !model.document[index].Hidden {
+			t.Fatalf("field %q hidden = false, want hidden for create-new desktop profile", hidden)
+		}
+	}
+	out := model.layout.Content
+	for _, want := range []string{
+		"1Password account URL",
+		"1Password account id (advanced)",
+		"1Password vault name or id",
+		"1Password request timeout",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("desktop content missing %q:\n%s", want, out)
+		}
+	}
+	for _, hiddenText := range []string{
+		"Credential store backend",
+		"1Password details",
+		"Desktop app account and vault routing",
+		"Tokens are referenced by environment variable name",
+		"1Password item title prefix",
+		"1Password secret name",
+		"1Password item tag",
+	} {
+		if strings.Contains(out, hiddenText) {
+			t.Fatalf("desktop content includes hidden advanced field %q:\n%s", hiddenText, out)
+		}
+	}
+	if strings.Contains(out, "\n1Password desktop\n") {
+		t.Fatalf("desktop content includes redundant section heading:\n%s", out)
+	}
+	assertContentOrder(t, out, "1Password account URL", "1Password account id (advanced)", "1Password vault name or id", "1Password request timeout")
+}
+
+func TestInitOnePasswordDesktopDiscoveryListsAccountsAndVaults(t *testing.T) {
+	var calls []string
+	runner := func(_ context.Context, name string, args ...string) ([]byte, error) {
+		calls = append(calls, name+" "+strings.Join(args, " "))
+		switch strings.Join(args, " ") {
+		case "account list --format=json":
+			return []byte(`[
+				{"account_uuid":"acct-1","account_name":"SignalFT","url":"signalft.1password.com"},
+				{"account_uuid":"acct-2","account_name":"Personal","url":"my.1password.com"}
+			]`), nil
+		case "vault list --account acct-1 --format=json":
+			return []byte(`[{"id":"vault-emp","name":"Employee"}]`), nil
+		case "vault list --account acct-2 --format=json":
+			return []byte(`[{"id":"vault-personal","name":"Personal"}]`), nil
+		default:
+			return nil, fmt.Errorf("unexpected op command %q", strings.Join(args, " "))
+		}
+	}
+
+	discovery := newInitOnePasswordDiscovery(runner).DiscoverDesktop(context.Background())
+	if discovery.Err != nil {
+		t.Fatalf("DiscoverDesktop error = %v", discovery.Err)
+	}
+	if !discovery.HasVaultChoices() {
+		t.Fatalf("discovery = %#v, want vault choices", discovery)
+	}
+	selection, ok := discovery.Selection("0:0")
+	if !ok {
+		t.Fatalf("selection missing from discovery: %#v", discovery)
+	}
+	if selection.AccountID != "acct-1" || selection.AccountURL != "signalft.1password.com" || selection.VaultID != "vault-emp" || selection.VaultName != "Employee" {
+		t.Fatalf("selection = %#v, want account/vault metadata", selection)
+	}
+	if got, want := calls, []string{
+		"op account list --format=json",
+		"op vault list --account acct-1 --format=json",
+		"op vault list --account acct-2 --format=json",
+	}; !reflect.DeepEqual(got, want) {
+		t.Fatalf("op calls = %#v, want %#v", got, want)
+	}
+}
+
+func TestParseInitOnePasswordVaultsPrioritizesOwnedVaultsThenAlphabetizes(t *testing.T) {
+	vaults, err := parseInitOnePasswordVaults([]byte(`[
+		{"id":"vault-shared","name":"Shared"},
+		{"id":"vault-zeta","name":"Zeta"},
+		{"id":"vault-private","name":"Private"},
+		{"id":"vault-alpha","name":"Alpha"},
+		{"id":"vault-employee","name":"Employee"},
+		{"id":"vault-beta","name":"beta"}
+	]`))
+	if err != nil {
+		t.Fatalf("parseInitOnePasswordVaults: %v", err)
+	}
+	got := make([]string, 0, len(vaults))
+	for _, vault := range vaults {
+		got = append(got, vault.Name)
+	}
+	want := []string{"Employee", "Private", "Alpha", "beta", "Shared", "Zeta"}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("vault names = %#v, want %#v", got, want)
+	}
+}
+
+func TestInitOnePasswordDesktopDiscoveryUsesFreshTimeoutPerCommand(t *testing.T) {
+	var calls []string
+	runner := func(ctx context.Context, name string, args ...string) ([]byte, error) {
+		calls = append(calls, name+" "+strings.Join(args, " "))
+		select {
+		case <-time.After(60 * time.Millisecond):
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
+		switch strings.Join(args, " ") {
+		case "account list --format=json":
+			return []byte(`[
+				{"account_uuid":"acct-1","url":"my.1password.com"},
+				{"account_uuid":"acct-2","url":"signalft.1password.com"}
+			]`), nil
+		case "vault list --account acct-1 --format=json":
+			return []byte(`[{"id":"vault-personal","name":"Personal"}]`), nil
+		case "vault list --account acct-2 --format=json":
+			return []byte(`[{"id":"vault-emp","name":"Employee"}]`), nil
+		default:
+			return nil, fmt.Errorf("unexpected op command %q", strings.Join(args, " "))
+		}
+	}
+
+	discovery := initOnePasswordDiscovery{run: runner, timeout: 100 * time.Millisecond}.DiscoverDesktop(context.Background())
+	if discovery.Err != nil {
+		t.Fatalf("DiscoverDesktop error = %v", discovery.Err)
+	}
+	accounts, vaults := discovery.Counts()
+	if accounts != 2 || vaults != 2 {
+		t.Fatalf("counts = %d accounts, %d vaults; want 2 accounts, 2 vaults; discovery=%#v", accounts, vaults, discovery)
+	}
+	selection, ok := discovery.AccountVaultSelection(initOnePasswordDesktopAccountSelectionValue(1), initOnePasswordDesktopVaultSelectionValue(0))
+	if !ok {
+		t.Fatalf("second account vault selection missing; discovery=%#v", discovery)
+	}
+	if selection.AccountURL != "signalft.1password.com" || selection.VaultName != "Employee" {
+		t.Fatalf("second account selection = %#v, want SignalFT Employee vault", selection)
+	}
+	if got, want := calls, []string{
+		"op account list --format=json",
+		"op vault list --account acct-1 --format=json",
+		"op vault list --account acct-2 --format=json",
+	}; !reflect.DeepEqual(got, want) {
+		t.Fatalf("op calls = %#v, want %#v", got, want)
+	}
+}
+
+func TestInitOnePasswordDesktopDiscoveryFailureFallsBackToManual(t *testing.T) {
+	runner := func(context.Context, string, ...string) ([]byte, error) {
+		return nil, os.ErrNotExist
+	}
+	discovery := newInitOnePasswordDiscovery(runner).DiscoverDesktop(context.Background())
+	if discovery.Err == nil {
+		t.Fatal("DiscoverDesktop error = nil, want missing-op error")
+	}
+	if discovery.HasVaultChoices() {
+		t.Fatalf("discovery = %#v, want no vault choices after op failure", discovery)
+	}
+}
+
+func TestInitSecretsManagementLinearEditorDesktopDiscoverySelectsAccountVault(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	discovery := initOnePasswordDesktopDiscovery{Accounts: []initOnePasswordDiscoveredAccount{{
+		ID:  "acct-1",
+		URL: "signalft.1password.com",
+		Vaults: []initOnePasswordDiscoveredVault{{
+			ID:   "vault-emp",
+			Name: "Employee",
+		}},
+	}}}
+	cfg := config.File{
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
+	}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, nil, nil, discovery)
+	model := newInitLinearEditorModel(editor, 180, 32)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+	out := model.layout.Content
+	for _, want := range []string{
+		"1Password account",
+		"signalft.1password.com",
+		"Account: signalft.1password.com. Choose a vault below:",
+		"1Password vault",
+		"Employee",
+		"Credential store name",
+		"1Password-signalft",
+		"1Password request timeout",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("desktop discovery content missing %q:\n%s", want, out)
+		}
+	}
+	if strings.Contains(out, "only discovered account") {
+		t.Fatalf("desktop discovery content still hides the account selector behind stale copy:\n%s", out)
+	}
+	for _, hidden := range []string{
+		"Desktop app account and vault routing",
+		"1Password account URL",
+		"1Password account id (advanced)",
+		"1Password vault name or id",
+	} {
+		if strings.Contains(out, hidden) {
+			t.Fatalf("desktop discovery content includes manual field %q:\n%s", hidden, out)
+		}
+	}
+	if strings.Contains(out, "\n1Password desktop\n") {
+		t.Fatalf("desktop discovery content includes redundant section heading:\n%s", out)
+	}
+
+	edit, err := initSecretsManagementEditFromDocumentWithDiscovery(cfg, model.document, discovery)
+	if err != nil {
+		t.Fatalf("initSecretsManagementEditFromDocumentWithDiscovery: %v", err)
+	}
+	profile := edit.Config.Secrets.Stores["1password-signalft"]
+	if profile.Backend.OnePassword == nil {
+		t.Fatal("saved onepassword config = nil")
+	}
+	got := profile.Backend.OnePassword
+	if got.AccountID != "acct-1" || got.AccountURL != "signalft.1password.com" || got.VaultID != "vault-emp" || got.VaultName != "Employee" {
+		t.Fatalf("saved onepassword config = %#v, want discovered account/vault metadata", got)
+	}
+}
+
+func TestInitSecretsManagementLinearEditorCanCreateStoreBeforeReviewProfile(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	discovery := initOnePasswordDesktopDiscovery{Accounts: []initOnePasswordDiscoveredAccount{{
+		ID:  "acct-1",
+		URL: "my.1password.com",
+		Vaults: []initOnePasswordDiscoveredVault{{
+			ID:   "vault-private",
+			Name: "Private",
+		}},
+	}}}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(config.File{}, nil, nil, discovery)
+	model := newInitLinearEditorModel(editor, 180, 40)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+	model = focusInitLinearField(t, model, initSecretsManagementFieldAction)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldAction, initDetailActionEdit)
+	updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+	next, ok := updated.(initLinearEditorModel)
+	if !ok {
+		t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
+	}
+	if next.document[next.focused].Error != "" {
+		t.Fatalf("stage action error = %q", next.document[next.focused].Error)
+	}
+	if next.resultAction != initDetailActionEdit {
+		t.Fatalf("result action = %q, want edit", next.resultAction)
+	}
+	edit, err := initSecretsManagementEditFromDocumentWithDiscovery(config.File{}, next.document, discovery)
+	if err != nil {
+		t.Fatalf("initSecretsManagementEditFromDocumentWithDiscovery: %v", err)
+	}
+	if len(edit.Config.Profiles) != 0 {
+		t.Fatalf("edit config unexpectedly added review profile data: %#v", edit.Config)
+	}
+	profile := edit.Config.Secrets.Stores["1password-personal"]
+	if profile.Backend.OnePassword == nil || profile.Backend.OnePassword.VaultName != "Private" {
+		t.Fatalf("created credential store = %#v, want private 1Password store", profile)
+	}
+}
+
+func TestInitSecretsManagementLinearEditorDesktopDiscoverySelectsAccountThenVault(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	discovery := initOnePasswordDesktopDiscovery{Accounts: []initOnePasswordDiscoveredAccount{
+		{
+			ID:   "acct-1",
+			Name: "SignalFT",
+			URL:  "signalft.1password.com",
+			Vaults: []initOnePasswordDiscoveredVault{{
+				ID:   "vault-emp",
+				Name: "Employee",
+			}},
+		},
+		{
+			ID:   "acct-2",
+			Name: "Personal",
+			URL:  "my.1password.com",
+			Vaults: []initOnePasswordDiscoveredVault{{
+				ID:   "vault-personal",
+				Name: "Personal",
+			}},
+		},
+	}}
+	cfg := config.File{
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
+	}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, nil, nil, discovery)
+	model := newInitLinearEditorModel(editor, 180, 40)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+
+	out := model.layout.Content
+	for _, want := range []string{
+		"1Password account",
+		"signalft.1password.com",
+		"my.1password.com",
+		"1Password vault",
+		"Employee",
+		"Credential store name",
+		"1Password-signalft",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("desktop discovery content missing %q:\n%s", want, out)
+		}
+	}
+
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldDesktopAccount, initOnePasswordDesktopAccountSelectionValue(1))
+	out = model.layout.Content
+	if !strings.Contains(out, "[x] Personal") {
+		t.Fatalf("vault list did not switch to selected account's vaults:\n%s", out)
+	}
+	if strings.Contains(out, "[x] Employee") {
+		t.Fatalf("vault list still selected first account vault after switching accounts:\n%s", out)
+	}
+	if !strings.Contains(out, "Account: my.1password.com. Choose a vault below:") {
+		t.Fatalf("vault description did not switch to selected account:\n%s", out)
+	}
+	if !strings.Contains(out, "1Password-Personal") {
+		t.Fatalf("credential store name did not update for selected account:\n%s", out)
+	}
+}
+
+func TestInitSecretsManagementLinearEditorDesktopDiscoveryIncludesAccountWithoutVaultChoices(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	discovery := initOnePasswordDesktopDiscovery{Accounts: []initOnePasswordDiscoveredAccount{
+		{
+			ID:   "acct-1",
+			Name: "Personal",
+			URL:  "my.1password.com",
+			Vaults: []initOnePasswordDiscoveredVault{{
+				ID:   "vault-personal",
+				Name: "Personal",
+			}},
+		},
+		{
+			ID:   "acct-2",
+			Name: "SignalFT",
+			URL:  "signalft.1password.com",
+		},
+	}}
+	cfg := config.File{
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
+	}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, nil, nil, discovery)
+	model := newInitLinearEditorModel(editor, 180, 40)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+
+	out := model.layout.Content
+	for _, want := range []string{
+		"my.1password.com",
+		"signalft.1password.com",
+		"Personal",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("desktop discovery content missing account or vault %q:\n%s", want, out)
+		}
+	}
+
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldDesktopAccount, initOnePasswordDesktopAccountSelectionValue(1))
+	out = model.layout.Content
+	for _, want := range []string{
+		"[x] signalft.1password.com",
+		"Account: signalft.1password.com. No vaults were discovered; enter a vault manually.",
+		"[x] Enter vault manually",
+		"1Password vault name or id",
+		"1Password-signalft",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("desktop discovery content missing no-vault account behavior %q:\n%s", want, out)
+		}
+	}
+}
+
+func TestInitSecretsManagementLinearEditorDesktopDiscoveryAllowsManualVaultInSelectedAccount(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	discovery := initOnePasswordDesktopDiscovery{Accounts: []initOnePasswordDiscoveredAccount{{
+		ID:   "acct-1",
+		Name: "SignalFT",
+		URL:  "signalft.1password.com",
+		Vaults: []initOnePasswordDiscoveredVault{{
+			ID:   "vault-emp",
+			Name: "Employee",
+		}},
+	}}}
+	cfg := config.File{
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
+	}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, nil, nil, discovery)
+	model := newInitLinearEditorModel(editor, 180, 40)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldDesktopVault, initOnePasswordManualSelection)
+	model.setFieldValue(initSecretsManagementFieldVaultID, "ExternalConfidential")
+
+	edit, err := initSecretsManagementEditFromDocumentWithDiscovery(cfg, model.document, discovery)
+	if err != nil {
+		t.Fatalf("initSecretsManagementEditFromDocumentWithDiscovery: %v", err)
+	}
+	profile := edit.Config.Secrets.Stores["1password-signalft"]
+	if profile.Backend.OnePassword == nil {
+		t.Fatal("saved onepassword config = nil")
+	}
+	got := profile.Backend.OnePassword
+	if got.AccountID != "acct-1" || got.AccountURL != "signalft.1password.com" || got.VaultID != "ExternalConfidential" || got.VaultName != "" {
+		t.Fatalf("saved onepassword config = %#v, want selected account and manual vault", got)
+	}
+}
+
+func TestInitSecretsManagementLinearEditorDesktopDiscoveryAllowsManualAccount(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	discovery := initOnePasswordDesktopDiscovery{Accounts: []initOnePasswordDiscoveredAccount{
+		{
+			ID:   "acct-1",
+			Name: "SignalFT",
+			URL:  "signalft.1password.com",
+			Vaults: []initOnePasswordDiscoveredVault{{
+				ID:   "vault-emp",
+				Name: "Employee",
+			}},
+		},
+		{
+			ID:   "acct-2",
+			Name: "Personal",
+			URL:  "my.1password.com",
+			Vaults: []initOnePasswordDiscoveredVault{{
+				ID:   "vault-personal",
+				Name: "Personal",
+			}},
+		},
+	}}
+	cfg := config.File{
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
+	}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, nil, nil, discovery)
+	model := newInitLinearEditorModel(editor, 180, 40)
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
+	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldDesktopAccount, initOnePasswordManualSelection)
+	out := model.layout.Content
+	for _, want := range []string{
+		"[x] Enter account and vault manually",
+		"1Password account URL",
+		"1Password account id (advanced)",
+		"1Password vault name or id",
+	} {
+		if !strings.Contains(out, want) {
+			t.Fatalf("manual account content missing %q:\n%s", want, out)
+		}
+	}
+	model.setFieldValue(initSecretsManagementFieldDesktopAccountURL, "example.1password.com")
+	model.setFieldValue(initSecretsManagementFieldDesktopAccountID, "acct-manual")
+	model.setFieldValue(initSecretsManagementFieldVaultID, "Engineering")
+
+	edit, err := initSecretsManagementEditFromDocumentWithDiscovery(cfg, model.document, discovery)
+	if err != nil {
+		t.Fatalf("initSecretsManagementEditFromDocumentWithDiscovery: %v", err)
+	}
+	profile := edit.Config.Secrets.Stores["1password-signalft"]
+	if profile.Backend.OnePassword == nil {
+		t.Fatal("saved onepassword config = nil")
+	}
+	got := profile.Backend.OnePassword
+	if got.AccountID != "acct-manual" || got.AccountURL != "example.1password.com" || got.VaultID != "Engineering" || got.VaultName != "" {
+		t.Fatalf("saved onepassword config = %#v, want manual account and vault", got)
+	}
+}
+
+func TestHuhInitKeyringBackendPrompterDesktopDiscoveryCreatesProfile(t *testing.T) {
+	if !initOnePasswordBackendsAvailable() {
+		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
+	}
+	t.Setenv("TERM", "dumb")
+	callCount := 0
+	prompter := huhInitKeyringBackendPrompter{
+		stdin:  strings.NewReader(strings.Repeat("\n", 8)),
+		stderr: &bytes.Buffer{},
+		onePasswordCmdRunner: func(_ context.Context, _ string, args ...string) ([]byte, error) {
+			switch strings.Join(args, " ") {
+			case "account list --format=json":
+				return []byte(`[{"account_uuid":"acct-1","account_name":"SignalFT","url":"signalft.1password.com"}]`), nil
+			case "vault list --account acct-1 --format=json":
+				return []byte(`[{"id":"vault-emp","name":"Employee"}]`), nil
+			default:
+				return nil, fmt.Errorf("unexpected op command %q", strings.Join(args, " "))
+			}
+		},
+		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
+			callCount++
+			switch callCount {
+			case 1:
+				return initInventoryResult{
+					Action: initInventoryActionCommand,
+					Row:    initInventoryRow{ID: initConfigureSecretsProfileSelectionPrefix + string(credstore.BackendOPDesktop)},
+				}, nil
+			case 2:
+				return initInventoryResult{
+					Action: initInventoryActionBack,
+					Row:    initInventoryRow{ID: initBackSelection},
+				}, nil
+			default:
+				t.Fatalf("unexpected inventory call %d", callCount)
+				return initInventoryResult{}, nil
+			}
+		},
+	}
+
+	edit, err := prompter.EditKeyringBackend(initKeyringBackendPrompt{
+		Config: config.File{Profiles: map[string]config.Profile{"default": basicProfile("default")}},
+	})
+	if err != nil {
+		t.Fatalf("EditKeyringBackend: %v", err)
+	}
+	profile := edit.Config.Secrets.Stores["1password"]
+	if profile.Backend.OnePassword == nil {
+		t.Fatal("saved onepassword config = nil")
 	}
-	if !strings.Contains(model.document[sectionIndex].Description, "Selected target: Configure new 1password service account profile") {
-		t.Fatalf("profile section description = %q, want selected-target context", model.document[sectionIndex].Description)
+	got := profile.Backend.OnePassword
+	if got.AccountID != "acct-1" || got.AccountURL != "signalft.1password.com" || got.VaultID != "vault-emp" || got.VaultName != "Employee" {
+		t.Fatalf("saved onepassword config = %#v, want discovered account/vault metadata", got)
 	}
 }
 
-func TestInitSecretsManagementLinearEditorDesktopTargetSeedsFriendlyLabel(t *testing.T) {
+func TestInitSecretsManagementLinearEditorDesktopDiscoveryFailureAllowsManualProfile(t *testing.T) {
 	if !initOnePasswordBackendsAvailable() {
 		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
 	}
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 	}
-	editor := initSecretsManagementLinearEditor(cfg)
+	discovery := initOnePasswordDesktopDiscovery{Err: os.ErrNotExist}
+	editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, nil, nil, discovery)
 	model := newInitLinearEditorModel(editor, 180, 32)
 	model = selectInitLinearFieldValue(t, model, initSecretsManagementFieldTarget, initConfigureSecretsProfileSelectionPrefix+string(credstore.BackendOPDesktop))
-
-	if got := model.document.fieldValue(initSecretsManagementFieldLabel); got != "1Password" {
-		t.Fatalf("profile label = %q, want friendly 1Password default", got)
-	}
-	if got := model.document.selectedValue(initSecretsManagementFieldBackend); got != string(credstore.BackendOPDesktop) {
-		t.Fatalf("selected backend = %q, want op-desktop", got)
-	}
-	for _, hidden := range []initLinearFieldID{
-		initSecretsManagementFieldBackend,
-		initSecretsManagementFieldItemTitlePrefix,
-		initSecretsManagementSectionDesktop,
-		initSecretsManagementFieldDesktopAccountID,
-	} {
-		index := model.document.fieldIndexByID(hidden)
-		if index < 0 {
-			t.Fatalf("field %q missing", hidden)
-		}
-		if !model.document[index].Hidden {
-			t.Fatalf("field %q hidden = false, want hidden for create-new desktop profile", hidden)
-		}
-	}
 	out := model.layout.Content
 	for _, want := range []string{
+		"1Password account URL",
+		"1Password account id (advanced)",
 		"1Password vault name or id",
-		"1Password secret name",
-		"1Password item tag",
-		"1Password request timeout",
 	} {
 		if !strings.Contains(out, want) {
-			t.Fatalf("desktop content missing %q:\n%s", want, out)
+			t.Fatalf("manual desktop content missing %q:\n%s", want, out)
 		}
 	}
-	for _, hiddenText := range []string{
-		"Secrets-management backend",
-		"1Password item title prefix",
-		"1Password desktop",
-		"1Password desktop account id",
-	} {
-		if strings.Contains(out, hiddenText) {
-			t.Fatalf("desktop content includes hidden advanced field %q:\n%s", hiddenText, out)
-		}
+	model.setFieldValue(initSecretsManagementFieldDesktopAccountURL, "signalft.1password.com")
+	model.setFieldValue(initSecretsManagementFieldDesktopAccountID, "acct-manual")
+	model.setFieldValue(initSecretsManagementFieldVaultID, "Employee")
+
+	edit, err := initSecretsManagementEditFromDocumentWithDiscovery(cfg, model.document, discovery)
+	if err != nil {
+		t.Fatalf("initSecretsManagementEditFromDocumentWithDiscovery: %v", err)
+	}
+	profile := edit.Config.Secrets.Stores["1password"]
+	if profile.Backend.OnePassword == nil {
+		t.Fatal("saved onepassword config = nil")
+	}
+	got := profile.Backend.OnePassword
+	if got.AccountID != "acct-manual" || got.AccountURL != "signalft.1password.com" || got.VaultID != "Employee" || got.VaultName != "" {
+		t.Fatalf("saved onepassword config = %#v, want manual account/vault metadata", got)
 	}
-	assertContentOrder(t, out, "1Password vault name or id", "1Password secret name", "1Password item tag", "1Password request timeout")
 }
 
 func TestInitSecretsManagementLinearEditorShowsOnePasswordBackendRolloverDescriptions(t *testing.T) {
@@ -11892,8 +12197,7 @@ func TestInitSecretsManagementLinearEditorShowsOnePasswordBackendRolloverDescrip
 		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
 	}
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 	}
 	tests := []struct {
 		name string
@@ -11926,8 +12230,7 @@ func TestInitSecretsManagementEditStoresOnePasswordVaultNameOrIDAsEntered(t *tes
 		t.Skip("1Password create targets are not selectable in keyring_no1password builds")
 	}
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 	}
 	editor := initSecretsManagementLinearEditor(cfg)
 	model := newInitLinearEditorModel(editor, 180, 32)
@@ -11948,8 +12251,7 @@ func TestInitSecretsManagementEditStoresOnePasswordVaultNameOrIDAsEntered(t *tes
 
 func TestInitSecretsManagementLinearEditorConfiguredProfileKeepsBackendEditable(t *testing.T) {
 	cfg := config.File{
-		Profiles:       map[string]config.Profile{"default": basicProfile("default")},
-		DefaultProfile: "default",
+		Profiles: map[string]config.Profile{"default": basicProfile("default")},
 		Secrets: config.SecretsConfig{
 			Profiles: map[string]config.SecretsProfile{
 				"work-secrets": {
@@ -11978,18 +12280,17 @@ func TestInitSecretsManagementLinearEditorConfiguredProfileKeepsBackendEditable(
 }
 
 func TestInitSecretsProfileBackendFromInputsSwitchingAwayFromOnePasswordClearsBackendFields(t *testing.T) {
-	backend := initSecretsProfileBackendFromInputs(
-		string(credstore.BackendFile),
-		"5s",
-		"vault-123",
-		"title-prefix",
-		"item-tag",
-		"field-title",
-		"https://connect.example",
-		"OP_CONNECT_TOKEN",
-		"OP_SERVICE_ACCOUNT_TOKEN",
-		"desktop-account",
-	)
+	backend := initSecretsProfileBackendFromInputs(initSecretsProfileBackendInput{ // #nosec G101 -- fixture values are account/env-var names, not secret values.
+		KindValue:       string(credstore.BackendFile),
+		Timeout:         "5s",
+		AccountID:       "desktop-account",
+		AccountURL:      "signalft.1password.com",
+		VaultID:         "vault-123",
+		VaultName:       "Employee",
+		ConnectHost:     "https://connect.example",
+		ConnectTokenEnv: "OP_CONNECT_TOKEN",
+		ServiceTokenEnv: "OP_SERVICE_ACCOUNT_TOKEN",
+	})
 	if backend.Kind != config.SecretsBackendKind(credstore.BackendFile) {
 		t.Fatalf("backend kind = %q, want file", backend.Kind)
 	}
@@ -12002,14 +12303,39 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceDisablesProfileDependentAction
 	prompt := buildInteractiveInitMenuPrompt(initSessionDraft{
 		cfg: config.File{Profiles: map[string]config.Profile{}},
 	})
-	if prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM/reviewer/save disabled without a workspace", prompt)
+	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM enabled and reviewer/save disabled without a workspace", prompt)
 	}
 	if prompt.ReviewProfileCount != 0 || prompt.LLMRuntimeCount != 0 || prompt.ReviewerEntityCount != 0 {
 		t.Fatalf("prompt counts = %#v, want zero counts without a workspace", prompt)
 	}
 }
 
+func TestBuildInteractiveInitMenuPromptNoWorkspaceCanSaveStagedCredentialStore(t *testing.T) {
+	original := config.File{Profiles: map[string]config.Profile{}}
+	next := cloneInitConfigFile(original)
+	next.Secrets = config.SecretsConfig{
+		Stores: map[string]config.SecretsStore{
+			"personal-file": {
+				DisplayName: "Personal file",
+				Backend: config.SecretsStoreBackend{
+					Kind: config.SecretsBackendKind(credstore.BackendFile),
+				},
+			},
+		},
+	}
+	prompt := buildInteractiveInitMenuPrompt(initSessionDraft{
+		originalCfg: original,
+		cfg:         next,
+	})
+	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer {
+		t.Fatalf("prompt = %#v, want LLM enabled and reviewer disabled without a workspace", prompt)
+	}
+	if !prompt.CanSave {
+		t.Fatalf("prompt = %#v, want store-only staged changes to enable commit", prompt)
+	}
+}
+
 func TestBuildInteractiveInitMenuPromptAfterDeletingLastProfileDisablesSaveAndFocusedEditors(t *testing.T) {
 	session := initSessionDraft{
 		cfg:                          config.File{Profiles: map[string]config.Profile{}},
@@ -12019,21 +12345,23 @@ func TestBuildInteractiveInitMenuPromptAfterDeletingLastProfileDisablesSaveAndFo
 	}
 
 	prompt := buildInteractiveInitMenuPrompt(session)
-	if prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want save/focused editors disabled with zero-profile draft", prompt)
+	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM enabled and save/reviewer disabled with zero-profile draft", prompt)
 	}
 	if prompt.ReviewProfileCount != 0 || prompt.LLMRuntimeCount != 0 || prompt.ReviewerEntityCount != 0 {
 		t.Fatalf("prompt counts = %#v, want effective inventory counts at zero after deleting last profile", prompt)
 	}
 }
 
-func TestValidateInteractiveInitGlobalConfigWithoutProfilesStillValidatesKeyringBackend(t *testing.T) {
+func TestValidateInteractiveInitGlobalConfigWithoutProfilesStillValidatesSecretsStores(t *testing.T) {
 	err := validateInteractiveInitGlobalConfig(config.File{
-		Keyring:  config.KeyringConfig{Backend: "definitely-not-a-backend"},
+		Secrets: config.SecretsConfig{Stores: map[string]config.SecretsStore{
+			"broken": {Backend: config.SecretsStoreBackend{Kind: "definitely-not-a-backend"}},
+		}},
 		Profiles: map[string]config.Profile{},
 	})
 	if !errors.Is(err, config.ErrInvalid) {
-		t.Fatalf("error = %v, want ErrInvalid for bad keyring backend without profiles", err)
+		t.Fatalf("error = %v, want ErrInvalid for bad credential store without profiles", err)
 	}
 }
 
@@ -12050,16 +12378,18 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceStillShowsExistingInventoryCou
 		Adapter:       config.LLMAdapterOpenAIAPI,
 		CredentialRef: "codereview/home-llm",
 	}
-	prompt := buildInteractiveInitMenuPrompt(initSessionDraft{
-		cfg: config.File{
-			Profiles: map[string]config.Profile{
-				"home": home,
-				"work": work,
-			},
+	cfg := config.File{
+		Profiles: map[string]config.Profile{
+			"home": home,
+			"work": work,
 		},
+	}
+	prompt := buildInteractiveInitMenuPrompt(initSessionDraft{
+		originalCfg: cloneInitConfigFile(cfg),
+		cfg:         cfg,
 	})
-	if prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want actions disabled without active workspace", prompt)
+	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM enabled and reviewer/save disabled without active workspace", prompt)
 	}
 	if prompt.LLMRuntimeCount != 2 || prompt.ReviewerEntityCount != 1 || prompt.ReviewProfileCount != 2 {
 		t.Fatalf("prompt counts = %#v, want existing inventory counts from session cfg", prompt)
@@ -12100,7 +12430,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 		t.Fatalf("actions = %#v, want %#v", actions, wantActions)
 	}
 	assertContentOrder(t, strings.Join(titles, "\n"),
-		"Configure secrets management",
+		"Configure secrets storage",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12120,6 +12450,28 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	}
 }
 
+func TestInitMenuItemsUseInfrastructureDescriptionsBeforeConfiguredCounts(t *testing.T) {
+	items := initMenuItems(initMenuPrompt{
+		CanConfigureLLM:      true,
+		CanConfigureReviewer: true,
+		CanSave:              true,
+	})
+	descriptions := map[initMenuAction]string{}
+	for _, item := range items {
+		descriptions[item.Action] = item.Description
+	}
+	tests := map[initMenuAction]string{
+		initMenuActionLLMRuntimes:      "Model providers and runtime credentials",
+		initMenuActionReviewerEntities: "Reviewer identities and posting credentials",
+		initMenuActionReviewProfiles:   "Repository routing and review composition",
+	}
+	for action, want := range tests {
+		if descriptions[action] != want {
+			t.Fatalf("%s description = %q, want %q", action, descriptions[action], want)
+		}
+	}
+}
+
 func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	model := newInitMenuModel(initMenuPrompt{
 		HasWorkspace:         true,
@@ -12135,8 +12487,9 @@ func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	assertContentOrder(t, out,
 		"cr init",
 		"Active profile: default",
-		"Configure secrets management",
-		"Credential-store profiles and default destination",
+		"Actions",
+		"Configure secrets storage",
+		"Credential stores for tokens and keys",
 		"Configure LLM runtimes",
 		"2 runtimes configured",
 		"Configure reviewer entities",
@@ -12153,11 +12506,22 @@ func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	if !strings.Contains(out, ">") {
 		t.Fatalf("view missing selected-row caret:\n%s", out)
 	}
+	plainOut := stripANSITest(out)
+	if !strings.Contains(plainOut, "> [x] Configure secrets storage") {
+		t.Fatalf("view missing selected option marker:\n%s", out)
+	}
+	if !strings.Contains(plainOut, "  [ ] Configure LLM runtimes") {
+		t.Fatalf("view missing unselected option marker:\n%s", out)
+	}
 	if strings.Contains(out, "Configure LLM runtimes (2)") || strings.Contains(out, "Configure review profiles (1)") {
 		t.Fatalf("view contains old inline count suffix:\n%s", out)
 	}
 }
 
+func stripANSITest(value string) string {
+	return regexp.MustCompile(`\x1b\[[0-9;]*m`).ReplaceAllString(value, "")
+}
+
 func TestInitMenuQDiscardsAndExits(t *testing.T) {
 	model := newInitMenuModel(initMenuPrompt{HasWorkspace: true})
 	next, cmd := model.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'q'}})
@@ -12189,17 +12553,13 @@ func TestInitMenuDisabledRowsShowErrorWithoutQuitting(t *testing.T) {
 		action initMenuAction
 		reason string
 	}{
-		{
-			action: initMenuActionLLMRuntimes,
-			reason: "configure a review profile before editing LLM runtimes",
-		},
 		{
 			action: initMenuActionReviewerEntities,
 			reason: "configure a review profile before editing reviewer entities",
 		},
 		{
 			action: initMenuActionSave,
-			reason: "configure a review profile before committing changes",
+			reason: "stage changes before committing",
 		},
 	}
 	for _, tt := range tests {
@@ -12221,6 +12581,32 @@ func TestInitMenuDisabledRowsShowErrorWithoutQuitting(t *testing.T) {
 		if !strings.Contains(result.View(), "! "+tt.reason) {
 			t.Fatalf("%s: view missing rendered error:\n%s", tt.action, result.View())
 		}
+		if !strings.Contains(result.View(), "Prerequisite: "+tt.reason) {
+			t.Fatalf("%s: view missing prerequisite description:\n%s", tt.action, result.View())
+		}
+		if strings.Contains(result.View(), "Unavailable:") {
+			t.Fatalf("%s: view contains old unavailable wording:\n%s", tt.action, result.View())
+		}
+	}
+}
+
+func TestInitMenuNavigationSkipsDisabledRows(t *testing.T) {
+	model := newInitMenuModel(initMenuPrompt{})
+	if got := model.items[model.selected].Action; got != initMenuActionReviewProfiles {
+		t.Fatalf("initial action = %q, want review profiles", got)
+	}
+
+	model.selected = initMenuSelectedIndex(model.items, initMenuActionSecretsManagement)
+	next, _ := model.Update(tea.KeyMsg{Type: tea.KeyDown})
+	result := next.(initMenuModel)
+	if got := result.items[result.selected].Action; got != initMenuActionLLMRuntimes {
+		t.Fatalf("after down selected action = %q, want LLM runtimes", got)
+	}
+
+	result.selected = initMenuSelectedIndex(result.items, initMenuActionReviewerEntities)
+	out := result.View()
+	if strings.Contains(out, "\x1b[38;5;42mConfigure reviewer entities") {
+		t.Fatalf("disabled selected row rendered with active selected color:\n%s", out)
 	}
 }
 
@@ -12272,7 +12658,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"Configure secrets management",
+		"Configure secrets storage",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12294,7 +12680,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 		t.Fatalf("stderr = %q, want fallback labels without old inline count suffixes", out)
 	}
 	assertContentOrder(t, out,
-		"Configure secrets management",
+		"Configure secrets storage",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12402,7 +12788,7 @@ func TestHuhInitMenuPrompterDefaultStartsAtProfileSetupBeforeWorkspace(t *testin
 	}
 }
 
-func TestHuhInitMenuPrompterAccessibleRejectsDisabledSaveUntilProfileExists(t *testing.T) {
+func TestHuhInitMenuPrompterAccessibleRejectsDisabledSaveUntilChangesStaged(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
@@ -12420,31 +12806,27 @@ func TestHuhInitMenuPrompterAccessibleRejectsDisabledSaveUntilProfileExists(t *t
 	if action == initMenuActionSave {
 		t.Fatalf("action = %q, want disabled save selection to be rejected", action)
 	}
-	if !strings.Contains(stderr.String(), "configure a review profile before committing changes") {
+	if !strings.Contains(stderr.String(), "stage changes before committing") {
 		t.Fatalf("stderr = %q, want disabled-save validation message", stderr.String())
 	}
 }
 
-func TestHuhInitMenuPrompterAccessibleRejectsDisabledLLMUntilProfileExists(t *testing.T) {
+func TestHuhInitMenuPrompterAccessibleAllowsLLMBeforeProfileExists(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin: strings.NewReader(strings.Join([]string{
-			"2", // Configure LLM runtimes (disabled)
-			"7", // Discard staged changes and exit
-			"",
-		}, "\n")),
+		stdin:  strings.NewReader("2\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{})
 	if err != nil {
 		t.Fatalf("ChooseAction: %v", err)
 	}
-	if action == initMenuActionLLMRuntimes {
-		t.Fatalf("action = %q, want disabled LLM selection to be rejected", action)
+	if action != initMenuActionLLMRuntimes {
+		t.Fatalf("action = %q, want LLM runtimes", action)
 	}
-	if !strings.Contains(stderr.String(), "configure a review profile before editing LLM runtimes") {
-		t.Fatalf("stderr = %q, want disabled-llm validation message", stderr.String())
+	if strings.Contains(stderr.String(), "configure a review profile before editing LLM runtimes") {
+		t.Fatalf("stderr = %q, want no disabled-LLM validation message", stderr.String())
 	}
 }
 
@@ -12479,11 +12861,11 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 	}
 	profile.Git.Host = "github.enterprise"
 	profile.Git.AuthMode = config.GitAuthModeGitHubApp
-	profile.Git.CredentialRef = "codereview/custom-git"
+	profile.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/custom-git"}
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: reviewerRef,
-		DisplayName:   "OCC reviewer",
+		AuthMode:    config.GitAuthModeGitHubApp,
+		Credential:  config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: reviewerRef},
+		DisplayName: "OCC reviewer",
 	}
 	profile.LLM.ModelMap = config.ModelMap{
 		string(config.ModelTierLarge): "claude-opus-4-7",
@@ -12526,6 +12908,7 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 	}
 
 	for _, want := range []string{
+		"Review profile",
 		"Profile name",
 		"> open-cli-collective",
 		"Automatic profile selection",
@@ -12543,12 +12926,15 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		"claude-opus-4-7",
 		"Additional reviewer-agent directories (optional)",
 		"/opt/codereview/agents",
-		"Review Policy",
+		"Review policy",
 		"Request changes",
 		"Enable self-approve",
 		"Auto-resolve",
 		"24h",
-		"Git secrets storage label",
+		"Git credentials",
+		"Git credential store",
+		initBuiltInOSCredentialStoreTitle(),
+		"Git credential name",
 		"codereview/custom-git",
 		"Profile action",
 		"Stage profile settings",
@@ -12583,8 +12969,8 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		"Minimum reviewer model tier",
 		"Model tier mapping",
 		"Additional reviewer-agent directories (optional)",
-		"Review Policy",
-		"Git secrets storage label",
+		"Review policy",
+		"Git credentials",
 		"Profile action",
 	)
 }
@@ -12622,8 +13008,8 @@ func TestInitProfileV2ReadOnlyModelFocusNavigationPreservesRouteGuidance(t *test
 			}
 			for _, want := range []string{
 				"Automatic profile selection",
-				"Accepted route formats",
 				"Route entries",
+				"Examples: github.com/YourOrg; github.com/YourOrg/repo",
 				"github.com/open-cli-collective",
 			} {
 				if !strings.Contains(model.View(), want) {
@@ -12768,7 +13154,7 @@ func TestInitProfileV2LayoutWrapsAndMeasuresSmallViewport(t *testing.T) {
 	document.addSection("Profile", "This section has enough words to wrap across multiple lines in a narrow terminal.")
 	document.addInput("Profile name", "Short field that should remain measurable.", "monit")
 	document.addInput("Route entries", "Routes tell cr when to use this profile automatically in a narrow viewport.", "github.com/SignalFT")
-	document.addInput("Git secrets storage label", "Useful for advanced deployment scenarios. Leave unchanged if unsure.", "codereview/monit")
+	document.addInput("Git credential name", "Full credential name under the selected store.", "codereview/monit")
 
 	layout := initProfileV2LayoutDocument(document, 32, document.firstFocusableField())
 	if len(layout.Bounds) != len(document) {
@@ -12994,10 +13380,11 @@ func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 	// #nosec G101 -- test fixture credential reference, not a secret.
 	reviewerEntities := map[string]initReviewerEntityDraft{
 		"app-reviewer": {
-			Kind:          initReviewerEntityKindGitHubApp,
-			AuthMode:      config.GitAuthModeGitHubApp,
-			CredentialRef: "codereview/app-reviewer",
-			DisplayName:   "enterprise/reviewer-bot",
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/app-reviewer",
+			DisplayName:     "enterprise/reviewer-bot",
 		},
 	}
 	llmRuntimes := map[string]initLLMRuntimeDraft{
@@ -13008,11 +13395,12 @@ func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 			Adapter:  config.LLMAdapterClaudeCLI,
 		},
 		"openai-work": {
-			Preset:        initLLMRuntimePresetOpenAIAPIKey,
-			Provider:      config.LLMProviderOpenAI,
-			Auth:          config.LLMAuthAPIKey,
-			Adapter:       config.LLMAdapterOpenAIAPI,
-			CredentialRef: "codereview/openai-work",
+			Preset:          initLLMRuntimePresetOpenAIAPIKey,
+			Provider:        config.LLMProviderOpenAI,
+			Auth:            config.LLMAuthAPIKey,
+			Adapter:         config.LLMAdapterOpenAIAPI,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/openai-work",
 		},
 	}
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, llmRuntimes), 160, 24)
@@ -13236,12 +13624,13 @@ func TestInitProfileV2ReviewPolicyRejectsInvalidDuration(t *testing.T) {
 	}
 }
 
-func TestInitProfileV2GitStorageLabelDraftsCustomLabel(t *testing.T) {
+func TestInitProfileV2GitCredentialNameDraftsCustomName(t *testing.T) {
 	gitScopes := map[string]initGitScopeDraft{
 		"github-work": {
-			Host:          "github.com",
-			AuthMode:      config.GitAuthModePAT,
-			CredentialRef: "codereview/monit",
+			Host:            "github.com",
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/monit",
 		},
 	}
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
@@ -13253,7 +13642,7 @@ func TestInitProfileV2GitStorageLabelDraftsCustomLabel(t *testing.T) {
 		gitScopes,
 		"github-work",
 	), 160, 40)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitStorageLabel)
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitCredentialName)
 	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
 	model = typeInitProfileV2Text(t, model, "codereview/custom-monit-git")
 
@@ -13262,14 +13651,14 @@ func TestInitProfileV2GitStorageLabelDraftsCustomLabel(t *testing.T) {
 		t.Fatalf("validatedDraft: %v", err)
 	}
 	if draft.GitCredentialRef != "codereview/custom-monit-git" {
-		t.Fatalf("draft.GitCredentialRef = %q, want custom label", draft.GitCredentialRef)
+		t.Fatalf("draft.GitCredentialRef = %q, want custom credential name", draft.GitCredentialRef)
 	}
-	if !draft.AdvancedStorageLabels {
-		t.Fatal("draft.AdvancedStorageLabels = false, want true for custom Git label")
+	if draft.GitCredentialStore != config.LocalOSCredentialStoreID {
+		t.Fatalf("draft.GitCredentialStore = %q, want local-os", draft.GitCredentialStore)
 	}
 }
 
-func TestInitProfileV2GitStorageLabelRejectsInvalidCredentialRef(t *testing.T) {
+func TestInitProfileV2GitCredentialNameRejectsInvalidCredentialRef(t *testing.T) {
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
 		"monit",
 		"github.com/SignalFT",
@@ -13279,14 +13668,14 @@ func TestInitProfileV2GitStorageLabelRejectsInvalidCredentialRef(t *testing.T) {
 		nil,
 		initCustomGitScopeSelection,
 	), 160, 24)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitStorageLabel)
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitCredentialName)
 	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
 	model = typeInitProfileV2Text(t, model, "not-a-ref")
 
 	if !strings.Contains(model.View(), "credential ref") {
-		index := model.document.fieldIndexByID(initProfileV2FieldGitStorageLabel)
+		index := model.document.fieldIndexByID(initProfileV2FieldGitCredentialName)
 		if index < 0 || !strings.Contains(model.document[index].Error, "credential ref") {
-			t.Fatalf("git storage label field error = %q, want credential-ref validation", model.document[index].Error)
+			t.Fatalf("git credential name field error = %q, want credential-ref validation", model.document[index].Error)
 		}
 	}
 	if _, err := model.validatedDraft(); err == nil {
@@ -13294,17 +13683,19 @@ func TestInitProfileV2GitStorageLabelRejectsInvalidCredentialRef(t *testing.T) {
 	}
 }
 
-func TestInitProfileV2GitStorageLabelFollowsChangedScopeDefaultWhenUnedited(t *testing.T) {
+func TestInitProfileV2GitCredentialNameFollowsChangedScopeDefaultWhenUnedited(t *testing.T) {
 	gitScopes := map[string]initGitScopeDraft{
 		"old-git": {
-			Host:          "github.com",
-			AuthMode:      config.GitAuthModePAT,
-			CredentialRef: "codereview/old-git",
+			Host:            "github.com",
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/old-git",
 		},
 		"new-git": {
-			Host:          "github.com",
-			AuthMode:      config.GitAuthModePAT,
-			CredentialRef: "codereview/new-git",
+			Host:            "github.com",
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/new-git",
 		},
 	}
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
@@ -13325,9 +13716,6 @@ func TestInitProfileV2GitStorageLabelFollowsChangedScopeDefaultWhenUnedited(t *t
 	if draft.GitCredentialRef != "codereview/new-git" {
 		t.Fatalf("draft.GitCredentialRef = %q, want changed Git scope default", draft.GitCredentialRef)
 	}
-	if draft.AdvancedStorageLabels {
-		t.Fatal("draft.AdvancedStorageLabels = true, want false for unchanged default label")
-	}
 }
 
 func TestInitProfileV2ProfileActionStagesValidatedDraft(t *testing.T) {
@@ -13437,6 +13825,41 @@ func TestBubbleTeaInitProfileV2PrompterReturnsStagedDraft(t *testing.T) {
 	}
 }
 
+func TestBubbleTeaInitProfileV2PrompterSkipsChooserWhenNoProfilesExist(t *testing.T) {
+	inventoryCalled := false
+	editorCalls := 0
+	prompter := bubbleTeaInitProfileV2Prompter{
+		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
+			inventoryCalled = true
+			return initInventoryResult{}, nil
+		},
+		profileEditorRunner: func(editor initProfileV2Editor) (initProfileV2EditorResult, error) {
+			editorCalls++
+			if editor.Draft.ProfileName != "default" {
+				t.Fatalf("editor profile name = %q, want requested create seed", editor.Draft.ProfileName)
+			}
+			if editor.Draft.OriginalProfileName != "" {
+				t.Fatalf("editor original profile name = %q, want create draft", editor.Draft.OriginalProfileName)
+			}
+			return initProfileV2EditorResult{}, nil
+		},
+	}
+
+	_, err := prompter.Run(initPromptContext{
+		RequestedProfileName: "default",
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
+	})
+	if !errors.Is(err, errInitNavigateBack) {
+		t.Fatalf("Run error = %v, want direct create back to main menu", err)
+	}
+	if inventoryCalled {
+		t.Fatal("inventory runner was called for zero-profile create flow")
+	}
+	if editorCalls != 1 {
+		t.Fatalf("editorCalls = %d, want direct editor entry", editorCalls)
+	}
+}
+
 func TestBubbleTeaInitProfileV2PrompterBootstrapsRuntimeBeforeStaging(t *testing.T) {
 	profile := basicProfile("monit")
 	editorCalls := 0
@@ -13730,6 +14153,9 @@ func newTestInitProfileV2EditorWithSelections(profileName string, routeText stri
 		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
 	}
 	llmRuntimeOptions, selectedLLMRuntime := initProfileEditorLLMRuntimeSelection(llmRuntimes, "", draft)
+	storeOptions := []huh.Option[string]{
+		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
+	}
 	var document initProfileV2Document
 	document.addSection("Profile", "")
 	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
@@ -13742,12 +14168,14 @@ func newTestInitProfileV2EditorWithSelections(profileName string, routeText stri
 		string(initReviewerEntityKindUseGitIdentity),
 	)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
+	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
 	return initProfileV2Editor{
-		Draft:            draft,
-		ReviewerEntities: reviewerEntities,
-		LLMRuntimes:      llmRuntimes,
-		Document:         document,
+		Draft:                  draft,
+		ReviewerEntities:       reviewerEntities,
+		LLMRuntimes:            llmRuntimes,
+		CredentialStoreOptions: storeOptions,
+		Document:               document,
 	}
 }
 
@@ -13787,6 +14215,11 @@ func newTestInitProfileV2EditorWithRuntimeAndModelMap(profileName string, routeT
 		draft.LLMProvider = string(runtime.Provider)
 		draft.LLMAuth = string(runtime.Auth)
 		draft.LLMAdapter = string(runtime.Adapter)
+		draft.LLMCredentialStore = initCredentialStoreDraftValue(runtime.CredentialStore)
+		draft.LLMCredentialRef = runtime.CredentialRef
+	}
+	storeOptions := []huh.Option[string]{
+		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
 	}
 	var document initProfileV2Document
 	document.addSection("Profile", "")
@@ -13794,11 +14227,13 @@ func newTestInitProfileV2EditorWithRuntimeAndModelMap(profileName string, routeT
 	initProfileV2AppendRouteSection(&document, routeText)
 	llmRuntimeOptions, normalizedRuntime := initProfileEditorLLMRuntimeSelection(llmRuntimes, selectedRuntime, draft)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, normalizedRuntime)
+	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(normalizedRuntime, llmRuntimes))
 	initProfileV2AppendModelMapSection(&document, initProfileEditorModelMapLLM(draft, normalizedRuntime, llmRuntimes), draft.ModelMap)
 	return initProfileV2Editor{
-		Draft:       draft,
-		LLMRuntimes: llmRuntimes,
-		Document:    document,
+		Draft:                  draft,
+		LLMRuntimes:            llmRuntimes,
+		CredentialStoreOptions: storeOptions,
+		Document:               document,
 	}
 }
 
@@ -13830,12 +14265,16 @@ func newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(profileName string,
 		ProfileName:         profileName,
 		GitHost:             "github.com",
 		GitAuth:             string(config.GitAuthModePAT),
+		GitCredentialStore:  config.LocalOSCredentialStoreID,
 		GitCredentialRef:    strings.TrimSpace(gitStorageLabel),
 		LLMProvider:         string(config.LLMProviderAnthropic),
 		LLMAuth:             string(config.LLMAuthSubscription),
 		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
 		ReviewPolicy:        policy,
 	}
+	storeOptions := []huh.Option[string]{
+		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
+	}
 	var document initProfileV2Document
 	document.addSection("Profile", "")
 	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
@@ -13844,10 +14283,11 @@ func newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(profileName string,
 		initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(gitScopes), draft, true)
 	}
 	initProfileV2AppendReviewPolicySection(&document, policy)
-	initProfileV2AppendGitStorageSection(&document, gitStorageLabel)
+	initProfileV2AppendGitStorageSection(&document, storeOptions, config.LocalOSCredentialStoreID, gitStorageLabel)
 	return initProfileV2Editor{
 		Draft:                      draft,
 		GitScopes:                  gitScopes,
+		CredentialStoreOptions:     storeOptions,
 		SelectedGitScope:           selectedGitScope,
 		InitialGitStorageLabel:     gitStorageLabel,
 		GitStorageLabelUsesDefault: gitLabelUsesDefault,
@@ -13872,8 +14312,7 @@ func newTestInitProfileV2EditorWithGitScope(profileName string, routeText string
 func TestInitInteractiveMenuExitWithoutSaveLeavesConfigUntouched(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	original := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	}
 	saveCredentialTestConfig(t, path, original)
 	wantCfg, err := config.Load(path)
@@ -13951,7 +14390,6 @@ func TestInitInteractiveMenuCarriesGlobalSettingsIntoFirstProfile(t *testing.T)
 			}
 			return initDraft{
 				ProfileName:          "default",
-				MakeDefault:          true,
 				GitHost:              "github.com",
 				GitAuth:              string(config.GitAuthModePAT),
 				LLMProvider:          string(config.LLMProviderAnthropic),
@@ -13966,7 +14404,7 @@ func TestInitInteractiveMenuCarriesGlobalSettingsIntoFirstProfile(t *testing.T)
 			return initRetentionEdit{Apply: true, Retention: retention}, nil
 		}),
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-			return initKeyringBackendEdit{Apply: true, Backend: "file"}, nil
+			return initKeyringBackendEdit{Apply: true}, nil
 		}),
 		secretPrompter: &fakeInitSecretPrompter{
 			actions: []initCredentialSecretAction{initCredentialSecretActionKeep},
@@ -13990,11 +14428,11 @@ func TestInitInteractiveMenuCarriesGlobalSettingsIntoFirstProfile(t *testing.T)
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "default" {
-		t.Fatalf("default profile = %q, want default", cfg.DefaultProfile)
+	if _, ok := cfg.Profiles["default"]; !ok {
+		t.Fatalf("profiles = %#v, want suggested profile", cfg.Profiles)
 	}
-	if cfg.Keyring.Backend != "file" {
-		t.Fatalf("keyring.backend = %q, want file", cfg.Keyring.Backend)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
 	}
 	if cfg.Data.Retention.MaxAgeDaysValue() != 45 || cfg.Data.Retention.Enforcement != config.RetentionManualOnly {
 		t.Fatalf("retention = %#v, want 45/manual_only", cfg.Data.Retention)
@@ -14031,7 +14469,6 @@ func TestInitInteractiveMenuCanCreateMultipleProfilesBeforeSave(t *testing.T) {
 				}
 				return initDraft{
 					ProfileName: "home",
-					MakeDefault: true,
 					GitHost:     "github.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -14055,7 +14492,6 @@ func TestInitInteractiveMenuCanCreateMultipleProfilesBeforeSave(t *testing.T) {
 				}
 				return initDraft{
 					ProfileName: "work",
-					MakeDefault: false,
 					GitHost:     "github.company.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -14097,9 +14533,6 @@ func TestInitInteractiveMenuCanCreateMultipleProfilesBeforeSave(t *testing.T) {
 	if got := sortedProfileNames(cfg.Profiles); !reflect.DeepEqual(got, []string{"home", "work"}) {
 		t.Fatalf("profiles = %#v, want [home work]", got)
 	}
-	if cfg.DefaultProfile != "home" {
-		t.Fatalf("default profile = %q, want home", cfg.DefaultProfile)
-	}
 	if cfg.Profiles["work"].Git.Host != "github.company.com" {
 		t.Fatalf("work git.host = %q, want github.company.com", cfg.Profiles["work"].Git.Host)
 	}
@@ -14133,7 +14566,6 @@ func TestInitInteractiveMenuResumesUnsavedProfileAfterSwitchingProfiles(t *testi
 			case 1:
 				return initDraft{
 					ProfileName: "work",
-					MakeDefault: true,
 					GitHost:     "github.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -14149,15 +14581,11 @@ func TestInitInteractiveMenuResumesUnsavedProfileAfterSwitchingProfiles(t *testi
 				if ctx.RequestedProfileName != "work" || ctx.ExistingProfileName != "work" {
 					t.Fatalf("third prompt active profile = (%q, %q), want work/work", ctx.RequestedProfileName, ctx.ExistingProfileName)
 				}
-				if ctx.DefaultProfileName != "work" {
-					t.Fatalf("third prompt DefaultProfileName = %q, want work", ctx.DefaultProfileName)
-				}
 				if ctx.ExistingConfig.Profiles["work"].Git.Host != "github.com" {
 					t.Fatalf("third prompt work profile = %#v, want first unsaved work draft in session cfg", ctx.ExistingConfig.Profiles["work"])
 				}
 				return initDraft{
 					ProfileName: "home",
-					MakeDefault: false,
 					GitHost:     "gitlab.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -14181,7 +14609,6 @@ func TestInitInteractiveMenuResumesUnsavedProfileAfterSwitchingProfiles(t *testi
 				return initDraft{
 					OriginalProfileName: "work",
 					ProfileName:         "work",
-					MakeDefault:         true,
 					GitHost:             "github.enterprise.local",
 					GitAuth:             string(config.GitAuthModePAT),
 					LLMProvider:         string(config.LLMProviderAnthropic),
@@ -14221,9 +14648,6 @@ func TestInitInteractiveMenuResumesUnsavedProfileAfterSwitchingProfiles(t *testi
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "work" {
-		t.Fatalf("default profile = %q, want work", cfg.DefaultProfile)
-	}
 	if cfg.Profiles["work"].Git.Host != "github.enterprise.local" {
 		t.Fatalf("work git.host = %q, want resumed update", cfg.Profiles["work"].Git.Host)
 	}
@@ -14235,7 +14659,6 @@ func TestInitInteractiveMenuResumesUnsavedProfileAfterSwitchingProfiles(t *testi
 func TestInitInteractiveMenuFallbackDefaultPreservedWhenCreatingAnotherProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -14269,7 +14692,6 @@ func TestInitInteractiveMenuFallbackDefaultPreservedWhenCreatingAnotherProfile(t
 				}
 				return initDraft{
 					ProfileName: "home",
-					MakeDefault: false,
 					GitHost:     "github.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -14307,18 +14729,14 @@ func TestInitInteractiveMenuFallbackDefaultPreservedWhenCreatingAnotherProfile(t
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "work" {
-		t.Fatalf("default profile = %q, want existing fallback default preserved", cfg.DefaultProfile)
-	}
 	if got := sortedProfileNames(cfg.Profiles); !reflect.DeepEqual(got, []string{"home", "work"}) {
 		t.Fatalf("profiles = %#v, want [home work]", got)
 	}
 }
 
-func TestInitInteractiveMenuRenameDefaultProfileReconcilesRoutes(t *testing.T) {
+func TestInitInteractiveMenuRenameProfileReconcilesRoutes(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{
 			{
 				Profile: "work",
@@ -14346,6 +14764,7 @@ func TestInitInteractiveMenuRenameDefaultProfileReconcilesRoutes(t *testing.T) {
 		Stdout:     &bytes.Buffer{},
 		Stderr:     &bytes.Buffer{},
 		ConfigPath: path,
+		Profile:    "work",
 	}
 	prompterCalls := 0
 	deps := initDeps{
@@ -14363,12 +14782,11 @@ func TestInitInteractiveMenuRenameDefaultProfileReconcilesRoutes(t *testing.T) {
 			switch prompterCalls {
 			case 1:
 				if ctx.ExistingProfileName != "work" {
-					t.Fatalf("prompt context = %#v, want default work profile selected for rename", ctx)
+					t.Fatalf("prompt context = %#v, want selected work profile for rename", ctx)
 				}
 				return initDraft{
 					OriginalProfileName: "work",
 					ProfileName:         "office",
-					MakeDefault:         true,
 					GitHost:             "gitlab.com",
 					GitAuth:             string(config.GitAuthModePAT),
 					GitCredentialRef:    "codereview/custom-office-git",
@@ -14419,9 +14837,6 @@ func TestInitInteractiveMenuRenameDefaultProfileReconcilesRoutes(t *testing.T) {
 	if _, ok := cfg.Profiles["work"]; ok {
 		t.Fatalf("old profile still exists after rename: %#v", cfg.Profiles)
 	}
-	if cfg.DefaultProfile != "office" {
-		t.Fatalf("default profile = %q, want renamed office default", cfg.DefaultProfile)
-	}
 	if len(cfg.RepositoryProfiles) != 2 {
 		t.Fatalf("RepositoryProfiles = %#v, want renamed route plus unrelated preserved route", cfg.RepositoryProfiles)
 	}
@@ -14468,7 +14883,6 @@ func TestInitInteractiveMenuFocusedLLMRuntimeRebuildsSecretPlanning(t *testing.T
 			}
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -14481,7 +14895,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeRebuildsSecretPlanning(t *testing.T
 			if llmPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.LLMProvider = string(config.LLMProviderOpenAI)
 			draft.LLMAuth = string(config.LLMAuthAPIKey)
 			draft.LLMAdapter = string(config.LLMAdapterOpenAIAPI)
@@ -14494,7 +14908,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeRebuildsSecretPlanning(t *testing.T
 			}}, nil
 		}),
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-			return initKeyringBackendEdit{Apply: true, Backend: "file"}, nil
+			return initKeyringBackendEdit{Apply: true}, nil
 		}),
 		secretPrompter: &fakeInitSecretPrompter{
 			actions: []initCredentialSecretAction{
@@ -14502,7 +14916,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeRebuildsSecretPlanning(t *testing.T
 				initCredentialSecretActionKeep,
 			},
 		},
-		openStore: func(string, bool, config.File) (initStore, error) {
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
 			return newFakeInitStore(map[string]map[string]string{
 				"default":     {credentials.GitTokenKey: "existing-token"},
 				"default-llm": {credentials.OpenAIAPIKeyKey: "existing-openai-key"},
@@ -14529,8 +14943,8 @@ func TestInitInteractiveMenuFocusedLLMRuntimeRebuildsSecretPlanning(t *testing.T
 	if profile.LLM.CredentialRef == "" {
 		t.Fatalf("llm credential ref = %q, want generated ref after runtime rebuild", profile.LLM.CredentialRef)
 	}
-	if cfg.Keyring.Backend != "file" || cfg.Data.Retention.MaxAgeDaysValue() != 30 || cfg.Data.Retention.Enforcement != config.RetentionManualOnly {
-		t.Fatalf("global settings after runtime rebuild = %#v / %#v, want file + 30/manual_only", cfg.Keyring, cfg.Data.Retention)
+	if cfg.Keyring.Backend != "" || cfg.Data.Retention.MaxAgeDaysValue() != 30 || cfg.Data.Retention.Enforcement != config.RetentionManualOnly {
+		t.Fatalf("global settings after runtime rebuild = %#v / %#v, want empty backend + 30/manual_only", cfg.Keyring, cfg.Data.Retention)
 	}
 }
 
@@ -14538,11 +14952,11 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 	path := filepath.Join(t.TempDir(), "config.yml")
 	profile := basicProfile("work")
 	profile.Git.Host = "gitlab.example.com"
-	profile.Git.CredentialRef = "codereview/work-git"
+	profile.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-git"}
 	profile.Git.IdentityCache = "git-cache"
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/work-reviewer",
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 		IdentityCache: "reviewer-cache",
 	}
 	profile.LLM.ModelMap = config.ModelMap{"medium": "claude-custom"}
@@ -14563,10 +14977,10 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 		},
 	}}
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile:     "work",
 		RepositoryProfiles: wantRoutes,
 		Profiles:           map[string]config.Profile{"work": profile},
 	})
+	profile = normalizeTestProfile(profile)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -14589,7 +15003,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 			if llmPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.LLMProvider = string(config.LLMProviderOpenAI)
 			draft.LLMAuth = string(config.LLMAuthSubscription)
 			draft.LLMAdapter = string(config.LLMAdapterCodexCLI)
@@ -14653,9 +15067,9 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 	path := filepath.Join(t.TempDir(), "config.yml")
 	wantProfile := basicProfile("work")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": wantProfile},
+		Profiles: map[string]config.Profile{"work": wantProfile},
 	})
+	wantProfile = normalizeTestProfile(wantProfile)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -14681,7 +15095,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 			if llmPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			return seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile), nil
+			return seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile), nil
 		}),
 		retentionPrompter: initRetentionPrompterFunc(func(initRetentionPrompt) (initRetentionEdit, error) {
 			return initRetentionEdit{Apply: true, Retention: config.RetentionConfig{
@@ -14690,7 +15104,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 			}}, nil
 		}),
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-			return initKeyringBackendEdit{Apply: true, Backend: "memory"}, nil
+			return initKeyringBackendEdit{Apply: true}, nil
 		}),
 		openStore: func(string, bool, config.File) (initStore, error) {
 			openStoreCalls++
@@ -14711,8 +15125,8 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.Keyring.Backend != "memory" {
-		t.Fatalf("keyring backend = %q, want memory", cfg.Keyring.Backend)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring backend = %q, want empty", cfg.Keyring.Backend)
 	}
 	if cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("retention = %#v, want 14/at_write", cfg.Data.Retention)
@@ -14726,8 +15140,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 func TestInitInteractiveMenuFocusedLLMRuntimeDoesNotOpenStoreForPromptContext(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -14748,7 +15161,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeDoesNotOpenStoreForPromptContext(t
 			if llmPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			return seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile), nil
+			return seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile), nil
 		}),
 		openStore: func(string, bool, config.File) (initStore, error) {
 			t.Fatal("openStore should not run for focused llm prompt context")
@@ -14767,8 +15180,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeDoesNotOpenStoreForPromptContext(t
 func TestInitInteractiveMenuFocusedBackKeepsSessionUntouched(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	original := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	}
 	saveCredentialTestConfig(t, path, original)
 	wantCfg, err := config.Load(path)
@@ -14853,7 +15265,6 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 			}
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -14866,7 +15277,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 			if reviewerPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			return draft, nil
@@ -14878,7 +15289,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 			}}, nil
 		}),
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-			return initKeyringBackendEdit{Apply: true, Backend: "memory"}, nil
+			return initKeyringBackendEdit{Apply: true}, nil
 		}),
 		secretPrompter: &fakeInitSecretPrompter{
 			actions: []initCredentialSecretAction{
@@ -14886,7 +15297,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 				initCredentialSecretActionKeep,
 			},
 		},
-		openStore: func(string, bool, config.File) (initStore, error) {
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
 			return newFakeInitStore(map[string]map[string]string{
 				"default": {
 					credentials.GitTokenKey: "existing-token",
@@ -14921,8 +15332,8 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 	if profile.ReviewerCredentials.CredentialRef == "" {
 		t.Fatalf("reviewer credential ref = %q, want generated ref after reviewer rebuild", profile.ReviewerCredentials.CredentialRef)
 	}
-	if cfg.Keyring.Backend != "memory" || cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
-		t.Fatalf("global settings after reviewer rebuild = %#v / %#v, want memory + 14/at_write", cfg.Keyring, cfg.Data.Retention)
+	if cfg.Keyring.Backend != "" || cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
+		t.Fatalf("global settings after reviewer rebuild = %#v / %#v, want empty backend + 14/at_write", cfg.Keyring, cfg.Data.Retention)
 	}
 }
 
@@ -14998,11 +15409,11 @@ func TestInitCredentialDestinationDescriptionLegacyAutoUsesPlatformCopy(t *testi
 	entry := initCredentialPlanEntry{
 		Ref: config.CredentialRef{Purpose: "git", Ref: "codereview/work"},
 		SecretsProfile: credentials.ResolvedSecretsProfile{
-			ID:              config.LegacyProjectedSecretsProfileID,
-			Label:           "Legacy default",
-			Backend:         config.ProjectedLegacySecretsBackendKind,
+			ID:              config.LocalOSCredentialStoreID,
+			Label:           "OS credential store",
+			Backend:         config.ProjectedOSCredentialStoreBackendKind,
 			Source:          config.EffectiveSecretsProfileSourceProjectedLegacy,
-			SelectionSource: credentials.SecretsProfileSelectionLegacyDefault,
+			SelectionSource: credentials.SecretsProfileSelectionBuiltInOS,
 		},
 	}
 
@@ -15014,9 +15425,10 @@ func TestInitCredentialDestinationDescriptionLegacyAutoUsesPlatformCopy(t *testi
 	})
 
 	for _, want := range []string{
-		"Destination: codereview/work via Legacy default",
-		initAutomaticOSDefaultSecretsBackendLabel(),
-		"Change destination by configuring/selecting a secrets-management profile",
+		"Destination: " + initBuiltInOSCredentialStoreTitle() + " / codereview/work",
+		"Credential store: " + config.LocalOSCredentialStoreID,
+		"Backend kind: auto",
+		"Secret values are collected separately.",
 	} {
 		if !strings.Contains(description, want) {
 			t.Fatalf("description = %q, want %q", description, want)
@@ -15031,12 +15443,12 @@ func TestInitCredentialDestinationDescriptionNamedOnePasswordShowsRoutingWithout
 	t.Setenv(connectTokenEnv, "sentinel-connect-token-value")
 	cfg := config.File{
 		Secrets: config.SecretsConfig{
-			Profiles: map[string]config.SecretsProfile{
+			Stores: map[string]config.SecretsStore{
 				"team-vault": {
-					Label: "Team Vault",
-					Backend: config.SecretsProfileBackend{
+					DisplayName: "Team Vault",
+					Backend: config.SecretsStoreBackend{
 						Kind: config.SecretsBackendKind(credstore.BackendOP),
-						OnePassword: &config.SecretsProfileOnePasswordConfig{
+						OnePassword: &config.SecretsStoreOnePasswordConfig{
 							VaultID:         "Engineering",
 							ItemTitlePrefix: "cr-",
 							ItemTag:         "code-review",
@@ -15062,18 +15474,25 @@ func TestInitCredentialDestinationDescriptionNamedOnePasswordShowsRoutingWithout
 	})
 
 	for _, want := range []string{
-		"Destination: codereview/rianjs-bot via Team Vault (1Password service account)",
-		"Secrets profile: team-vault",
+		"Destination: Team Vault / Engineering / codereview/rianjs-bot",
+		"Credential store: team-vault",
+		"Backend kind: op",
 		"1Password vault: Engineering",
-		"1Password item title prefix: cr-",
-		"1Password item tag: code-review",
-		"1Password item field title: credential",
 		"1Password service account token env var: " + serviceTokenEnv,
 	} {
 		if !strings.Contains(description, want) {
 			t.Fatalf("description = %q, want %q", description, want)
 		}
 	}
+	for _, removed := range []string{
+		"1Password item title prefix",
+		"1Password item tag",
+		"1Password item field title",
+	} {
+		if strings.Contains(description, removed) {
+			t.Fatalf("description contains removed item-control copy %q: %s", removed, description)
+		}
+	}
 	for _, leaked := range []string{"sentinel-service-token-value", "sentinel-connect-token-value"} {
 		if strings.Contains(description, leaked) {
 			t.Fatalf("description leaked token value %q: %s", leaked, description)
@@ -15086,12 +15505,12 @@ func TestInitCredentialDestinationDescriptionOnePasswordConnectDoesNotReadTokenV
 	t.Setenv(connectTokenEnv, "sentinel-connect-token-value")
 	cfg := config.File{
 		Secrets: config.SecretsConfig{
-			Profiles: map[string]config.SecretsProfile{
+			Stores: map[string]config.SecretsStore{
 				"connect-vault": {
-					Label: "Connect Vault",
-					Backend: config.SecretsProfileBackend{
+					DisplayName: "Connect Vault",
+					Backend: config.SecretsStoreBackend{
 						Kind: config.SecretsBackendKind(credstore.BackendOPConnect),
-						OnePassword: &config.SecretsProfileOnePasswordConfig{
+						OnePassword: &config.SecretsStoreOnePasswordConfig{
 							VaultID:         "Engineering",
 							ConnectHost:     "https://connect.example",
 							ConnectTokenEnv: connectTokenEnv,
@@ -15115,7 +15534,8 @@ func TestInitCredentialDestinationDescriptionOnePasswordConnectDoesNotReadTokenV
 	})
 
 	for _, want := range []string{
-		"Destination: codereview/work-llm via Connect Vault (1Password Connect)",
+		"Destination: Connect Vault / Engineering / codereview/work-llm",
+		"Backend kind: op-connect",
 		"1Password Connect host: https://connect.example",
 		"1Password Connect token env var: " + connectTokenEnv,
 	} {
@@ -15131,12 +15551,12 @@ func TestInitCredentialDestinationDescriptionOnePasswordConnectDoesNotReadTokenV
 func TestInitCredentialDestinationDescriptionOnePasswordDesktopShowsAccountID(t *testing.T) {
 	cfg := config.File{
 		Secrets: config.SecretsConfig{
-			Profiles: map[string]config.SecretsProfile{
+			Stores: map[string]config.SecretsStore{
 				"desktop-vault": {
-					Label: "Desktop Vault",
-					Backend: config.SecretsProfileBackend{
+					DisplayName: "Desktop Vault",
+					Backend: config.SecretsStoreBackend{
 						Kind: config.SecretsBackendKind(credstore.BackendOPDesktop),
-						OnePassword: &config.SecretsProfileOnePasswordConfig{
+						OnePassword: &config.SecretsStoreOnePasswordConfig{
 							VaultID:          "Engineering",
 							DesktopAccountID: "account-123",
 						},
@@ -15159,7 +15579,8 @@ func TestInitCredentialDestinationDescriptionOnePasswordDesktopShowsAccountID(t
 	})
 
 	for _, want := range []string{
-		"Destination: codereview/work via Desktop Vault (1Password desktop app)",
+		"Destination: Desktop Vault / Engineering / codereview/work",
+		"Backend kind: op-desktop",
 		"1Password vault: Engineering",
 		"1Password desktop account id: account-123",
 	} {
@@ -15184,9 +15605,11 @@ func TestInitCredentialDestinationDescriptionUnavailableIsNonFatal(t *testing.T)
 	})
 
 	for _, want := range []string{
-		"Destination: codereview/work-llm",
+		"Destination: Missing Profile / codereview/work-llm",
+		"Credential store: missing-profile",
+		"Backend kind: op-connect",
 		"credential destination unavailable",
-		"Change destination by configuring/selecting a secrets-management profile",
+		"Secret values are collected separately.",
 	} {
 		if !strings.Contains(description, want) {
 			t.Fatalf("description = %q, want %q", description, want)
@@ -15211,12 +15634,12 @@ func TestHuhInitSecretPrompterAccessibleShowsCredentialDestination(t *testing.T)
 				Source:  config.EffectiveSecretsProfileSourceConfigured,
 			},
 		},
-		Destination: "Destination: codereview/work via Team Vault (Encrypted file)",
+		Destination: "Destination: Team Vault / codereview/work",
 	})
 	if err != nil {
 		t.Fatalf("ChooseCredentialAction: %v", err)
 	}
-	if got := stderr.String(); !strings.Contains(got, "Destination: codereview/work via Team Vault (Encrypted file)") {
+	if got := stderr.String(); !strings.Contains(got, "Destination: Team Vault / codereview/work") {
 		t.Fatalf("stderr = %q, want credential destination note", got)
 	}
 }
@@ -15233,12 +15656,12 @@ func TestHuhInitSecretPrompterAccessibleSecretSourceShowsCredentialDestination(t
 			Ref: config.CredentialRef{Purpose: "git", Ref: "codereview/work"},
 		},
 		Key:         credentials.GitTokenKey,
-		Destination: "Destination: codereview/work via Team Vault (Encrypted file)",
+		Destination: "Destination: Team Vault / codereview/work",
 	})
 	if err != nil {
 		t.Fatalf("ChooseSecretSource: %v", err)
 	}
-	if got := stderr.String(); !strings.Contains(got, "Destination: codereview/work via Team Vault (Encrypted file)") {
+	if got := stderr.String(); !strings.Contains(got, "Destination: Team Vault / codereview/work") {
 		t.Fatalf("stderr = %q, want credential destination note", got)
 	}
 }
@@ -15246,11 +15669,11 @@ func TestHuhInitSecretPrompterAccessibleSecretSourceShowsCredentialDestination(t
 func TestInitSecretPasteDescriptionKeepsDestinationForGitHubAppPrivateKey(t *testing.T) {
 	description := initSecretPasteDescription(initSecretValuePrompt{
 		Key:         credentials.GitHubAppPrivateKeyKey,
-		Destination: "Destination: codereview/rianjs-bot via Team Vault (Encrypted file)",
+		Destination: "Destination: Team Vault / codereview/rianjs-bot",
 	})
 
 	for _, want := range []string{
-		"Destination: codereview/rianjs-bot via Team Vault (Encrypted file)",
+		"Destination: Team Vault / codereview/rianjs-bot",
 		"Clipboard is recommended for multi-line private keys",
 	} {
 		if !strings.Contains(description, want) {
@@ -15324,7 +15747,6 @@ func TestInitReviewerCredentialStatusSelectionFiltersByAuthMode(t *testing.T) {
 	ctx := initPromptContext{
 		RequestedProfileName: "work",
 		ExistingProfileName:  "work",
-		DefaultProfileName:   "work",
 		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": basicProfile("work")}},
 		ReviewerCredentialStatuses: []initReviewerCredentialStatus{
 			{
@@ -15350,9 +15772,9 @@ func TestInitReviewerCredentialStatusSelectionFiltersByAuthMode(t *testing.T) {
 			},
 		},
 	}
-	seed := seedInteractiveInitDraft("work", "work", "work", nil)
+	seed := seedInteractiveInitDraft("work", "work", nil)
 
-	status, ok := initReviewerCredentialStatusForSelectionRef(ctx, seed, string(initReviewerEntityKindPAT), "codereview/work-reviewer")
+	status, ok := initReviewerCredentialStatusForSelectionRef(ctx, seed, string(initReviewerEntityKindPAT), config.LocalOSCredentialStoreID, "codereview/work-reviewer")
 	if !ok {
 		t.Fatal("PAT status missing")
 	}
@@ -15372,8 +15794,7 @@ func TestInitReviewerCredentialStatusBackendUnavailableDoesNotLeakOrBlock(t *tes
 	}
 	session := initSessionDraft{
 		cfg: config.File{
-			DefaultProfile: "work",
-			Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+			Profiles: map[string]config.Profile{"work": basicProfile("work")},
 		},
 		workspace: &initWorkspaceDraft{
 			profileName:    "work",
@@ -15406,21 +15827,18 @@ func TestInitReviewerCredentialStatusBackendUnavailableDoesNotLeakOrBlock(t *tes
 
 func TestInitReviewerCredentialStatusShowsExistingPATAndSecretsProfileDestination(t *testing.T) {
 	profile := basicProfile("work")
-	profile.SecretsProfile = "work-1password"
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModePAT,
-		CredentialRef: "codereview/work-reviewer",
+		AuthMode:   config.GitAuthModePAT,
+		Credential: config.CredentialLocation{Store: "work-1password", Name: "codereview/work-reviewer"},
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-1password",
-			Profiles: map[string]config.SecretsProfile{
+			Stores: map[string]config.SecretsStore{
 				"work-1password": {
-					Label: "Work Vault",
-					Backend: config.SecretsProfileBackend{
+					DisplayName: "Work Vault",
+					Backend: config.SecretsStoreBackend{
 						Kind: config.SecretsBackendKind(credstore.BackendOPDesktop),
-						OnePassword: &config.SecretsProfileOnePasswordConfig{
+						OnePassword: &config.SecretsStoreOnePasswordConfig{
 							VaultID:          "Engineering",
 							ItemTitlePrefix:  "cr-",
 							ItemTag:          "code-review",
@@ -15468,18 +15886,25 @@ func TestInitReviewerCredentialStatusShowsExistingPATAndSecretsProfileDestinatio
 		t.Fatalf("status.Destination is empty; description fell back to legacy formatter: %q", description)
 	}
 	for _, want := range []string{
-		"Destination: codereview/work-reviewer via Work Vault (1Password desktop app)",
-		string(credstore.BackendOPDesktop),
+		"Destination: Work Vault / Engineering / codereview/work-reviewer",
+		"Credential store: work-1password",
+		"Backend kind: op-desktop",
 		"1Password vault: Engineering",
-		"1Password item title prefix: cr-",
-		"1Password item tag: code-review",
-		"1Password item field title: credential",
 		"1Password desktop account id: account-123",
 	} {
 		if !strings.Contains(description, want) {
 			t.Fatalf("description = %q, want %q", description, want)
 		}
 	}
+	for _, removed := range []string{
+		"1Password item title prefix",
+		"1Password item tag",
+		"1Password item field title",
+	} {
+		if strings.Contains(description, removed) {
+			t.Fatalf("description contains removed item-control copy %q: %s", removed, description)
+		}
+	}
 	if strings.Contains(description, "existing-token") {
 		t.Fatalf("description leaked secret value: %s", description)
 	}
@@ -15488,23 +15913,21 @@ func TestInitReviewerCredentialStatusShowsExistingPATAndSecretsProfileDestinatio
 func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t *testing.T) {
 	originalProfile := basicProfile("work")
 	originalProfile.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/work-reviewer",
+		AuthMode:   config.GitAuthModeGitHubApp,
+		Credential: config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
 	}
-	originalCfg := config.File{DefaultProfile: "work", Profiles: map[string]config.Profile{"work": originalProfile}}
+	originalCfg := config.File{Profiles: map[string]config.Profile{"work": originalProfile}}
 	originalResolved, err := credentials.ResolveSecretsProfileForProfile(originalCfg, originalProfile)
 	if err != nil {
 		t.Fatalf("Resolve original secrets profile: %v", err)
 	}
 	profile := originalProfile
-	profile.SecretsProfile = "work-file"
+	profile.ReviewerCredentials.Credential.Store = "work-file"
 	cfg := config.File{
-		DefaultProfile: "work",
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-file",
-			Profiles: map[string]config.SecretsProfile{
+			Stores: map[string]config.SecretsStore{
 				"work-file": {
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+					Backend: config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
 				},
 			},
 		},
@@ -15553,7 +15976,6 @@ func TestInitReviewerCredentialStatusIncludesSelectableReviewerEntities(t *testi
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": work,
 			"bot":  bot,
@@ -15572,7 +15994,7 @@ func TestInitReviewerCredentialStatusIncludesSelectableReviewerEntities(t *testi
 		credentialDecisions: map[initCredentialDecisionKey]initCredentialDecisionKind{},
 	}
 	deps := initDeps{
-		openStore: func(string, bool, config.File) (initStore, error) {
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
 			return store, nil
 		},
 	}
@@ -15588,8 +16010,7 @@ func TestInitReviewerCredentialStatusIncludesSelectableReviewerEntities(t *testi
 func TestInitReviewerCredentialStatusIncludesStandardTemplateRefs(t *testing.T) {
 	work := basicProfile("work")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": work},
+		Profiles: map[string]config.Profile{"work": work},
 	}
 	store := newFakeInitStore(map[string]map[string]string{
 		"work-reviewer": {credentials.GitTokenKey: "existing-token"},
@@ -15610,7 +16031,7 @@ func TestInitReviewerCredentialStatusIncludesStandardTemplateRefs(t *testing.T)
 	}
 
 	ctx := currentInteractiveInitReviewerEntityPromptContext(&root.Options{}, deps, session)
-	status, ok := initReviewerCredentialStatusForSelectionRef(ctx, seedInteractiveInitDraft("work", "work", "work", &work), string(initReviewerEntityKindPAT), "")
+	status, ok := initReviewerCredentialStatusForSelectionRef(ctx, seedInteractiveInitDraft("work", "work", &work), string(initReviewerEntityKindPAT), config.LocalOSCredentialStoreID, "")
 	if !ok {
 		t.Fatal("PAT template status missing")
 	}
@@ -15650,8 +16071,20 @@ func testReviewerGitHubAppPrivateKey() string {
 	}, "\n")
 }
 
+func testLocalOSResolvedCredentialStore() credentials.ResolvedSecretsProfile {
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		panic(err)
+	}
+	return resolved
+}
+
 func stageDraftInlineGitHubAppReviewerCredentials(draft *initDraft, ref string, appID string, privateKey string) {
+	if strings.TrimSpace(draft.ReviewerCredentialStore) == "" {
+		draft.ReviewerCredentialStore = config.LocalOSCredentialStoreID
+	}
 	draft.ReviewerCredentialWriteRef = ref
+	draft.ReviewerCredentialWriteStore = testLocalOSResolvedCredentialStore()
 	draft.ReviewerCredentialWrites = map[string]string{
 		credentials.GitHubAppIDKey:         appID,
 		credentials.GitHubAppPrivateKeyKey: privateKey,
@@ -15660,7 +16093,11 @@ func stageDraftInlineGitHubAppReviewerCredentials(draft *initDraft, ref string,
 }
 
 func stageDraftInlinePATReviewerCredential(draft *initDraft, ref string, token string) {
+	if strings.TrimSpace(draft.ReviewerCredentialStore) == "" {
+		draft.ReviewerCredentialStore = config.LocalOSCredentialStoreID
+	}
 	draft.ReviewerCredentialWriteRef = ref
+	draft.ReviewerCredentialWriteStore = testLocalOSResolvedCredentialStore()
 	draft.ReviewerCredentialWrites = map[string]string{
 		credentials.GitTokenKey: token,
 	}
@@ -15762,7 +16199,6 @@ func TestMergeReviewerCredentialDraftWritesPreservesOverwriteFlagOnNoSecretReent
 func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHints(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": {
 				Git: config.GitConfig{
@@ -15810,7 +16246,7 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 			if reviewerPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = "codereview/rianjs-bot"
@@ -15858,7 +16294,7 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 	if !strings.Contains(stdout.String(), "- work: ready") {
 		t.Fatalf("stdout = %q, want ready profile after inline reviewer credentials", stdout.String())
 	}
-	if strings.Contains(stdout.String(), "reviewer deferred") || strings.Contains(stderr.String(), "set-credential --ref codereview/rianjs-bot") {
+	if strings.Contains(stdout.String(), "reviewer deferred") || strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/rianjs-bot") {
 		t.Fatalf("stdout/stderr kept follow-up hint:\nstdout=%s\nstderr=%s", stdout.String(), stderr.String())
 	}
 }
@@ -15866,7 +16302,6 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndDoesNotRepeat(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -15902,7 +16337,7 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 			if reviewerPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = "codereview/rianjs-bot"
@@ -15937,7 +16372,7 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppInstallationIDKey]; ok {
 		t.Fatalf("installation id stored unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
-	if strings.Contains(stderr.String(), "set-credential --ref codereview/rianjs-bot") {
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/rianjs-bot") {
 		t.Fatalf("stderr = %q, want no follow-up hints after set-now reviewer flow", stderr.String())
 	}
 	if !strings.Contains(stdout.String(), "- work: ready") {
@@ -15948,7 +16383,6 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredExistingBundle(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -15981,7 +16415,7 @@ func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredE
 			return initFinalizeActionSave, nil
 		}),
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
-			seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			model := newInitLinearEditorModel(initReviewerEntityLinearEditor(prompt.Context, seed), 160, 60)
 			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 			model.setFieldValue(initReviewerEntityFieldLabel, "rianjs-bot")
@@ -16033,7 +16467,6 @@ func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredE
 func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistingBundle(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -16066,7 +16499,7 @@ func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistin
 			return initFinalizeActionSave, nil
 		}),
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
-			seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			model := newInitLinearEditorModel(initReviewerEntityLinearEditor(prompt.Context, seed), 160, 60)
 			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindGitHubApp))
 			model.setFieldValue(initReviewerEntityFieldSecretLocation, "codereview/manual-reviewer")
@@ -16118,8 +16551,7 @@ func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistin
 func TestInitInteractiveMenuFocusedPATReviewerPromptsForGitTokenOnly(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -16144,7 +16576,7 @@ func TestInitInteractiveMenuFocusedPATReviewerPromptsForGitTokenOnly(t *testing.
 			return initFinalizeActionSave, nil
 		}),
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModePAT)
 			draft.ReviewerCredentialRef = "codereview/work-reviewer"
@@ -16177,8 +16609,7 @@ func TestInitInteractiveMenuFocusedPATReviewerPromptsForGitTokenOnly(t *testing.
 func TestInitInteractiveMenuFocusedUseGitReviewerSkipsReviewerCredentialPrompt(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -16197,7 +16628,7 @@ func TestInitInteractiveMenuFocusedUseGitReviewerSkipsReviewerCredentialPrompt(t
 			return initFinalizeActionSave, nil
 		}),
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = false
 			return draft, nil
 		}),
@@ -16220,8 +16651,7 @@ func TestInitInteractiveMenuFocusedUseGitReviewerSkipsReviewerCredentialPrompt(t
 func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -16255,7 +16685,7 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(
 		}),
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
 			reviewerPrompterCalls++
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			switch reviewerPrompterCalls {
 			case 1:
 				draft.ReviewerEnabled = true
@@ -16299,8 +16729,7 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(
 func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChanges(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -16328,7 +16757,7 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 		}),
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
 			reviewerPrompterCalls++
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			switch reviewerPrompterCalls {
@@ -16362,7 +16791,7 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 	if strings.Contains(out, "old-reviewer") {
 		t.Fatalf("output kept stale reviewer ref:\n%s", out)
 	}
-	if strings.Contains(out, "set-credential --ref codereview/new-reviewer") {
+	if strings.Contains(out, "set-credential --store local-os --name codereview/new-reviewer") {
 		t.Fatalf("output kept follow-up hint for inline reviewer ref:\n%s", out)
 	}
 	if _, ok := store.bundles["old-reviewer"]; ok {
@@ -16383,9 +16812,9 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 func TestInitInteractiveMenuReviewerSetNowDiscardDoesNotWriteConfigOrCredentials(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	}
+	cfg = config.Normalize(cfg)
 	saveCredentialTestConfig(t, path, cfg)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -16408,7 +16837,7 @@ func TestInitInteractiveMenuReviewerSetNowDiscardDoesNotWriteConfigOrCredentials
 			},
 		},
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(prompt initReviewerEntityPrompt) (initDraft, error) {
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = "codereview/rianjs-bot"
@@ -16453,9 +16882,9 @@ func TestInitInteractiveMenuReviewerSetNowDiscardDoesNotWriteConfigOrCredentials
 func TestInitInteractiveMenuReviewerBackWithoutStagingDiscardsInlineSecretWrites(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	}
+	cfg = config.Normalize(cfg)
 	saveCredentialTestConfig(t, path, cfg)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -16515,8 +16944,7 @@ func TestInitInteractiveMenuReviewerBackWithoutStagingDiscardsInlineSecretWrites
 func TestInitInteractiveMenuReviewerCredentialStatusShowsStagedOnReentry(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -16544,7 +16972,7 @@ func TestInitInteractiveMenuReviewerCredentialStatusShowsStagedOnReentry(t *test
 			reviewerPrompterCalls++
 			switch reviewerPrompterCalls {
 			case 1:
-				draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+				draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 				draft.ReviewerEnabled = true
 				draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 				draft.ReviewerCredentialRef = "codereview/rianjs-bot"
@@ -16608,7 +17036,6 @@ func findReviewerCredentialStatusForTest(t *testing.T, statuses []initReviewerCr
 func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRef(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -16652,7 +17079,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRe
 			if reviewerPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			return seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile), nil
+			return seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile), nil
 		}),
 		secretPrompter: &fakeInitSecretPrompter{
 			actions: []initCredentialSecretAction{
@@ -16695,7 +17122,6 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRe
 func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWrite(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": {
 				Git: config.GitConfig{
@@ -16752,7 +17178,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 			if reviewerPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerDisplayName = "OC Collective bot"
@@ -16788,7 +17214,6 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRefWhenDraftClearsCustomRef(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": {
 				Git: config.GitConfig{
@@ -16832,7 +17257,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 			if reviewerPrompterCalls > 1 {
 				return initDraft{}, errInitNavigateBack
 			}
-			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = ""
@@ -16887,8 +17312,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 func TestInitInteractiveMenuFocusedReviewerEntityPromptContextIncludesCredentialStatus(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -16931,9 +17355,9 @@ func TestInitInteractiveMenuFocusedReviewerEntityPromptContextIncludesCredential
 func TestInitInteractiveMenuFocusedReviewProfilesDoesNotOpenStoreForPromptContext(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	}
+	cfg = config.Normalize(cfg)
 	saveCredentialTestConfig(t, path, cfg)
 	existing := cfg.Profiles["work"]
 	expectedPrompt := buildInteractiveInitInventoryPromptContext(initPromptContext{
@@ -16941,7 +17365,6 @@ func TestInitInteractiveMenuFocusedReviewProfilesDoesNotOpenStoreForPromptContex
 		ExistingProfileName:  "work",
 		ExistingProfile:      &existing,
 		ExistingProfileNames: []string{"work"},
-		DefaultProfileName:   "work",
 		ExistingConfig:       cfg,
 	})
 	opts := &root.Options{
@@ -16959,8 +17382,7 @@ func TestInitInteractiveMenuFocusedReviewProfilesDoesNotOpenStoreForPromptContex
 		},
 		profileV2Prompter: initPrompterFunc(func(prompt initPromptContext) (initDraft, error) {
 			if prompt.RequestedProfileName != expectedPrompt.RequestedProfileName ||
-				prompt.ExistingProfileName != expectedPrompt.ExistingProfileName ||
-				prompt.DefaultProfileName != expectedPrompt.DefaultProfileName {
+				prompt.ExistingProfileName != expectedPrompt.ExistingProfileName {
 				t.Fatalf("prompt identity = %#v, want %#v", prompt, expectedPrompt)
 			}
 			if prompt.ExistingProfile == nil {
@@ -17003,7 +17425,6 @@ func TestInitInteractiveMenuFocusedReviewProfilesDoesNotOpenStoreForPromptContex
 func TestInitInteractiveMenuFocusedReviewerEntityDeleteUndoReturnsToMenu(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": func() config.Profile {
 				profile := basicProfile("work")
@@ -17076,8 +17497,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityDeleteUndoReturnsToMenu(t *test
 func TestInitInteractiveMenuFocusedReviewerEntityStageReturnsToMenu(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -17098,7 +17518,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityStageReturnsToMenu(t *testing.T
 			reviewerCalls++
 			switch reviewerCalls {
 			case 1:
-				draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+				draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 				draft.ReviewerEnabled = true
 				draft.ReviewerAuth = string(config.GitAuthModePAT)
 				return draft, nil
@@ -17135,8 +17555,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityStageReturnsToMenu(t *testing.T
 func TestInitInteractiveMenuFocusedLLMRuntimeStageReturnsToMenu(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -17157,7 +17576,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeStageReturnsToMenu(t *testing.T) {
 			llmCalls++
 			switch llmCalls {
 			case 1:
-				draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+				draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 				draft.LLMProvider = string(config.LLMProviderOpenAI)
 				draft.LLMAuth = string(config.LLMAuthSubscription)
 				draft.LLMAdapter = string(config.LLMAdapterCodexCLI)
@@ -17186,11 +17605,78 @@ func TestInitInteractiveMenuFocusedLLMRuntimeStageReturnsToMenu(t *testing.T) {
 	}
 }
 
+func TestInitInteractiveMenuCanCommitLLMRuntimeBeforeReviewProfile(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionLLMRuntimes,
+			initMenuActionSave,
+		},
+	}
+	llmCalls := 0
+	deps := initDeps{
+		menuPrompter: menu,
+		llmRuntimePrompter: initLLMRuntimePrompterFunc(func(prompt initLLMRuntimePrompt) (initDraft, error) {
+			llmCalls++
+			if len(prompt.Context.ExistingConfig.Profiles) != 0 {
+				t.Fatalf("prompt profiles = %#v, want no review profiles", prompt.Context.ExistingConfig.Profiles)
+			}
+			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+			draft.LLMProvider = string(config.LLMProviderOpenAI)
+			draft.LLMAuth = string(config.LLMAuthSubscription)
+			draft.LLMAdapter = string(config.LLMAdapterCodexCLI)
+			return draft, nil
+		}),
+		finalizePrompter: initFinalizePrompterFunc(func(prompt initFinalizePrompt) (initFinalizeAction, error) {
+			t.Fatalf("finalize prompter should not run for profileless LLM-runtime commit: %#v", prompt)
+			return initFinalizeActionCancel, nil
+		}),
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: loadConfigForInit,
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if llmCalls != 1 {
+		t.Fatalf("llmCalls = %d, want one staged runtime edit", llmCalls)
+	}
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %#v, want main menu before category entry and after stage", menu.prompts)
+	}
+	if !menu.prompts[0].CanConfigureLLM || menu.prompts[0].CanConfigureReviewer || menu.prompts[0].CanSave {
+		t.Fatalf("initial prompt = %#v, want LLM enabled and reviewer/save disabled", menu.prompts[0])
+	}
+	if !menu.prompts[1].CanSave {
+		t.Fatalf("post-stage menu prompt = %#v, want staged runtime edit to be saveable", menu.prompts[1])
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	if len(cfg.Profiles) != 0 {
+		t.Fatalf("profiles = %#v, want none", cfg.Profiles)
+	}
+	runtime, ok := cfg.LLMRuntimes["codex-cli"]
+	if !ok {
+		t.Fatalf("llm_runtimes = %#v, want codex-cli", cfg.LLMRuntimes)
+	}
+	if runtime.Provider != config.LLMProviderOpenAI || runtime.Auth != config.LLMAuthSubscription || runtime.Adapter != config.LLMAdapterCodexCLI {
+		t.Fatalf("codex-cli runtime = %#v, want OpenAI subscription Codex CLI", runtime)
+	}
+}
+
 func TestInitInteractiveMenuFocusedLLMRuntimeDeleteUndoReturnsToMenu(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -17255,8 +17741,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeDeleteUndoReturnsToMenu(t *testing.
 func TestInitInteractiveLLMRuntimeDeletePersistsReplacementAndReloadsCleanly(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -17362,8 +17847,7 @@ func TestInitInteractiveLLMRuntimeDeletePersistsReplacementAndReloadsCleanly(t *
 func TestInitInteractiveMenuFocusedReviewProfileStageStaysInCategoryUntilBack(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -17384,7 +17868,7 @@ func TestInitInteractiveMenuFocusedReviewProfileStageStaysInCategoryUntilBack(t
 			profileCalls++
 			switch profileCalls {
 			case 1:
-				draft := seedInteractiveInitDraft(prompt.RequestedProfileName, prompt.ExistingProfileName, prompt.DefaultProfileName, prompt.ExistingProfile)
+				draft := seedInteractiveInitDraft(prompt.RequestedProfileName, prompt.ExistingProfileName, prompt.ExistingProfile)
 				draft.GitHost = "gitlab.com"
 				draft.RoutesSet = true
 				draft.Routes = []configedit.RepositoryRouteSpec{{
@@ -17443,8 +17927,7 @@ func TestInitInteractiveMenuFocusedReviewProfileStageStaysInCategoryUntilBack(t
 func TestInitInteractiveMenuFocusedReviewProfileDoesNotRunRouteSubprompt(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -17465,7 +17948,7 @@ func TestInitInteractiveMenuFocusedReviewProfileDoesNotRunRouteSubprompt(t *test
 			profileCalls++
 			switch profileCalls {
 			case 1:
-				draft := seedInteractiveInitDraft(prompt.RequestedProfileName, prompt.ExistingProfileName, prompt.DefaultProfileName, prompt.ExistingProfile)
+				draft := seedInteractiveInitDraft(prompt.RequestedProfileName, prompt.ExistingProfileName, prompt.ExistingProfile)
 				draft.GitHost = "gitlab.com"
 				draft.RoutesSet = true
 				draft.Routes = []configedit.RepositoryRouteSpec{{
@@ -17521,7 +18004,6 @@ func TestInitInteractiveLegacyInjectedPathProfileEditRemainsOneShot(t *testing.T
 			prompterCalls++
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -17552,8 +18034,8 @@ func TestInitInteractiveLegacyInjectedPathProfileEditRemainsOneShot(t *testing.T
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "default" {
-		t.Fatalf("default profile = %q, want default", cfg.DefaultProfile)
+	if _, ok := cfg.Profiles["default"]; !ok {
+		t.Fatalf("profiles = %#v, want suggested profile", cfg.Profiles)
 	}
 }
 
@@ -17570,7 +18052,6 @@ func TestInitInteractiveMenuDeleteUndoAndSaveFlow(t *testing.T) {
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -17582,6 +18063,7 @@ func TestInitInteractiveMenuDeleteUndoAndSaveFlow(t *testing.T) {
 		Stdout:     &stdout,
 		Stderr:     &bytes.Buffer{},
 		ConfigPath: path,
+		Profile:    "work",
 	}
 	menu := &fakeInitMenuPrompter{
 		actions: []initMenuAction{
@@ -17748,7 +18230,6 @@ func TestInitInteractiveMenuFinalSaveSummarizesDeferredNonActiveProfile(t *testi
 			case 1:
 				return initDraft{
 					ProfileName: "home",
-					MakeDefault: true,
 					GitHost:     "github.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -17760,7 +18241,6 @@ func TestInitInteractiveMenuFinalSaveSummarizesDeferredNonActiveProfile(t *testi
 			case 3:
 				return initDraft{
 					ProfileName: "work",
-					MakeDefault: false,
 					GitHost:     "gitlab.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -17814,7 +18294,7 @@ func TestInitInteractiveMenuFinalSaveSummarizesDeferredNonActiveProfile(t *testi
 	if !strings.Contains(stdout.String(), "Saved staged init changes") || !strings.Contains(stdout.String(), "- review profiles: 2") || !strings.Contains(stdout.String(), "- home: needs follow-up") || !strings.Contains(stdout.String(), "- work: needs follow-up") {
 		t.Fatalf("stdout = %q, want readiness summary for both profiles", stdout.String())
 	}
-	if !strings.Contains(stderr.String(), "set-credential --ref codereview/home --key "+credentials.GitTokenKey) || !strings.Contains(stderr.String(), "set-credential --ref codereview/work --key "+credentials.GitTokenKey) {
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/home --key "+credentials.GitTokenKey) || !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/work --key "+credentials.GitTokenKey) {
 		t.Fatalf("stderr = %q, want follow-up hints for both deferred profiles", stderr.String())
 	}
 }
@@ -17851,7 +18331,6 @@ func TestInitInteractiveMenuFinalSaveSetNowWritesCredentialsAndMarksProfileReady
 			}
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -17882,7 +18361,7 @@ func TestInitInteractiveMenuFinalSaveSetNowWritesCredentialsAndMarksProfileReady
 	}
 	profileReadiness := finalizePrompt.Profiles[0]
 	if profileReadiness.ProfileName != "default" || !profileReadiness.Ready || len(profileReadiness.Notes) != 0 {
-		t.Fatalf("profile readiness = %#v, want ready default profile with no notes", profileReadiness)
+		t.Fatalf("profile readiness = %#v, want ready suggested profile with no notes", profileReadiness)
 	}
 	if got := store.bundles["default"][credentials.GitTokenKey]; got != "git-token" {
 		t.Fatalf("stored git token = %q, want git-token from interactive SetNow flow", got)
@@ -17891,16 +18370,13 @@ func TestInitInteractiveMenuFinalSaveSetNowWritesCredentialsAndMarksProfileReady
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile != "default" {
-		t.Fatalf("default profile = %q, want default", cfg.DefaultProfile)
-	}
 	if cfg.Profiles["default"].Git.CredentialRef != "codereview/default" {
-		t.Fatalf("default profile git ref = %q, want codereview/default", cfg.Profiles["default"].Git.CredentialRef)
+		t.Fatalf("suggested profile git ref = %q, want codereview/default", cfg.Profiles["default"].Git.CredentialRef)
 	}
-	if !strings.Contains(stdout.String(), "Saved staged init changes") || !strings.Contains(stdout.String(), "- review profiles: 1") || !strings.Contains(stdout.String(), "- credential secrets: 1 ref") || !strings.Contains(stdout.String(), "- default: ready") {
-		t.Fatalf("stdout = %q, want ready summary for default profile", stdout.String())
+	if !strings.Contains(stdout.String(), "Saved staged init changes") || !strings.Contains(stdout.String(), "- review profiles: 1") || !strings.Contains(stdout.String(), "- credential secrets: 1 name") || !strings.Contains(stdout.String(), "- default: ready") {
+		t.Fatalf("stdout = %q, want ready summary for suggested profile", stdout.String())
 	}
-	if strings.Contains(stderr.String(), "set-credential --ref") {
+	if strings.Contains(stderr.String(), "set-credential --store") {
 		t.Fatalf("stderr = %q, want no follow-up credential hints after SetNow flow", stderr.String())
 	}
 }
@@ -17937,7 +18413,6 @@ func TestInitInteractiveMenuFinalSaveMixedReadinessSummarizesPerProfileState(t *
 			case 1:
 				return initDraft{
 					ProfileName: "home",
-					MakeDefault: true,
 					GitHost:     "github.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -17949,7 +18424,6 @@ func TestInitInteractiveMenuFinalSaveMixedReadinessSummarizesPerProfileState(t *
 			case 3:
 				return initDraft{
 					ProfileName: "work",
-					MakeDefault: false,
 					GitHost:     "gitlab.com",
 					GitAuth:     string(config.GitAuthModePAT),
 					LLMProvider: string(config.LLMProviderAnthropic),
@@ -18012,10 +18486,10 @@ func TestInitInteractiveMenuFinalSaveMixedReadinessSummarizesPerProfileState(t *
 	if !strings.Contains(stdout.String(), "- home: ready") || !strings.Contains(stdout.String(), "- work: needs follow-up") {
 		t.Fatalf("stdout = %q, want mixed readiness summary", stdout.String())
 	}
-	if strings.Contains(stderr.String(), "set-credential --ref codereview/home --key "+credentials.GitTokenKey) {
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/home --key "+credentials.GitTokenKey) {
 		t.Fatalf("stderr = %q, want no follow-up hint for ready home profile", stderr.String())
 	}
-	if !strings.Contains(stderr.String(), "set-credential --ref codereview/work --key "+credentials.GitTokenKey) {
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/work --key "+credentials.GitTokenKey) {
 		t.Fatalf("stderr = %q, want follow-up hint for deferred work profile", stderr.String())
 	}
 }
@@ -18023,8 +18497,7 @@ func TestInitInteractiveMenuFinalSaveMixedReadinessSummarizesPerProfileState(t *
 func TestInitInteractiveMenuGlobalSettingsOnlySaveDoesNotFinalizeBootstrappedProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Keyring: config.KeyringConfig{Backend: "memory"},
 		Data: config.DataConfig{
 			Retention: config.RetentionConfig{
 				MaxAgeDays:  intPtr(14),
@@ -18061,8 +18534,7 @@ func TestInitInteractiveMenuGlobalSettingsOnlySaveDoesNotFinalizeBootstrappedPro
 		}),
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
 			return initKeyringBackendEdit{
-				Apply:   true,
-				Backend: "file",
+				Apply: true,
 			}, nil
 		}),
 		finalizePrompter: initFinalizePrompterFunc(func(prompt initFinalizePrompt) (initFinalizeAction, error) {
@@ -18095,8 +18567,8 @@ func TestInitInteractiveMenuGlobalSettingsOnlySaveDoesNotFinalizeBootstrappedPro
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.Keyring.Backend != "memory" {
-		t.Fatalf("keyring.backend = %q, want preserved memory", cfg.Keyring.Backend)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
 	}
 	if cfg.Data.Retention.MaxAgeDaysValue() != 30 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("retention = %#v, want 30/at_write", cfg.Data.Retention)
@@ -18119,8 +18591,7 @@ func TestInitInteractiveMenuGlobalSettingsOnlySaveDoesNotFinalizeBootstrappedPro
 func TestInitInteractiveMenuSecretsManagementOnlySaveDoesNotFinalizeBootstrappedProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Keyring: config.KeyringConfig{Backend: "memory"},
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -18142,8 +18613,7 @@ func TestInitInteractiveMenuSecretsManagementOnlySaveDoesNotFinalizeBootstrapped
 		},
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
 			return initKeyringBackendEdit{
-				Apply:   true,
-				Backend: "file",
+				Apply: true,
 			}, nil
 		}),
 		finalizePrompter: initFinalizePrompterFunc(func(prompt initFinalizePrompt) (initFinalizeAction, error) {
@@ -18176,8 +18646,8 @@ func TestInitInteractiveMenuSecretsManagementOnlySaveDoesNotFinalizeBootstrapped
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.Keyring.Backend != "file" {
-		t.Fatalf("keyring.backend = %q, want file", cfg.Keyring.Backend)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
 	}
 	work := cfg.Profiles["work"]
 	if work.Git.Host != "github.com" || work.Git.AuthMode != config.GitAuthModePAT || work.Git.CredentialRef != "codereview/work" {
@@ -18194,8 +18664,7 @@ func TestInitInteractiveMenuSecretsManagementOnlySaveDoesNotFinalizeBootstrapped
 func TestInitInteractiveMenuFinalizeBackReturnsToMenu(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": basicProfile("work")},
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
 	})
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
@@ -18262,7 +18731,6 @@ func TestInitInteractiveMenuCancelAfterSecretEntryBeforeFinalSaveWritesNothing(t
 			}
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -18315,7 +18783,6 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 		profileV2Prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -18345,6 +18812,166 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 	}
 }
 
+func TestInitInteractiveMenuCanCommitSecretsStorageBeforeReviewProfile(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionSecretsManagement,
+			initMenuActionSave,
+		},
+	}
+	keyringCalls := 0
+	deps := initDeps{
+		menuPrompter: menu,
+		keyringPrompter: initKeyringBackendPrompterFunc(func(prompt initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
+			keyringCalls++
+			next := cloneInitConfigFile(prompt.Config)
+			next.Secrets = config.SecretsConfig{
+				Stores: map[string]config.SecretsStore{
+					"personal-file": {
+						DisplayName: "Personal file",
+						Backend: config.SecretsStoreBackend{
+							Kind: config.SecretsBackendKind(credstore.BackendFile),
+						},
+					},
+				},
+			}
+			return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: next}, nil
+		}),
+		finalizePrompter: initFinalizePrompterFunc(func(prompt initFinalizePrompt) (initFinalizeAction, error) {
+			t.Fatalf("finalize prompter should not run for profileless secrets-storage commit: %#v", prompt)
+			return initFinalizeActionCancel, nil
+		}),
+		openStore: func(string, bool, config.File) (initStore, error) {
+			t.Fatal("openStore should not run when only credential-store config changed")
+			return nil, nil
+		},
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: loadConfigForInit,
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if keyringCalls != 1 {
+		t.Fatalf("keyringCalls = %d, want 1", keyringCalls)
+	}
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %#v, want before and after secrets-storage edit", menu.prompts)
+	}
+	if menu.prompts[0].CanSave {
+		t.Fatalf("initial prompt = %#v, want commit disabled before staged changes", menu.prompts[0])
+	}
+	if !menu.prompts[1].CanSave || !menu.prompts[1].CanConfigureLLM || menu.prompts[1].CanConfigureReviewer {
+		t.Fatalf("post-edit prompt = %#v, want commit and LLM runtime configuration enabled without workspace", menu.prompts[1])
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	if len(cfg.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", cfg.Profiles)
+	}
+	store, ok := cfg.Secrets.Stores["personal-file"]
+	if !ok {
+		t.Fatalf("stores = %#v, want personal-file", cfg.Secrets.Stores)
+	}
+	if store.DisplayName != "Personal file" || store.Backend.Kind != config.SecretsBackendKind(credstore.BackendFile) {
+		t.Fatalf("store = %#v, want named file backend", store)
+	}
+	body, err := os.ReadFile(path) // #nosec G304 -- test reads the temp config file it just saved.
+	if err != nil {
+		t.Fatalf("ReadFile: %v", err)
+	}
+	legacyProfileKey := "default" + "_profile"
+	if strings.Contains(string(body), legacyProfileKey) || strings.Contains(string(body), "profiles:") {
+		t.Fatalf("saved profileless secrets-storage config contains profile fields:\n%s", string(body))
+	}
+}
+
+func TestInitInteractiveMenuCanCommitDeletingLastSecretsStore(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	saveCredentialTestConfig(t, path, config.File{
+		Secrets: config.SecretsConfig{
+			Stores: map[string]config.SecretsStore{
+				"personal-file": {
+					DisplayName: "Personal file",
+					Backend: config.SecretsStoreBackend{
+						Kind: config.SecretsBackendKind(credstore.BackendFile),
+					},
+				},
+			},
+		},
+		Profiles: map[string]config.Profile{},
+	})
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionSecretsManagement,
+			initMenuActionSave,
+		},
+	}
+	keyringCalls := 0
+	deps := initDeps{
+		menuPrompter: menu,
+		keyringPrompter: initKeyringBackendPrompterFunc(func(prompt initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
+			keyringCalls++
+			next := cloneInitConfigFile(prompt.Config)
+			next.Secrets = config.SecretsConfig{}
+			return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: next}, nil
+		}),
+		finalizePrompter: initFinalizePrompterFunc(func(prompt initFinalizePrompt) (initFinalizeAction, error) {
+			t.Fatalf("finalize prompter should not run for profileless secrets-storage deletion: %#v", prompt)
+			return initFinalizeActionCancel, nil
+		}),
+		openStore: func(string, bool, config.File) (initStore, error) {
+			t.Fatal("openStore should not run when only credential-store config changed")
+			return nil, nil
+		},
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: loadConfigForInit,
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if keyringCalls != 1 {
+		t.Fatalf("keyringCalls = %d, want 1", keyringCalls)
+	}
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %#v, want before and after secrets-storage delete", menu.prompts)
+	}
+	if menu.prompts[0].CanSave {
+		t.Fatalf("initial prompt = %#v, want commit disabled before staged changes", menu.prompts[0])
+	}
+	if !menu.prompts[1].CanSave {
+		t.Fatalf("post-delete prompt = %#v, want commit enabled after deleting credential store", menu.prompts[1])
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	if len(cfg.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", cfg.Profiles)
+	}
+	if len(cfg.Secrets.Stores) != 0 {
+		t.Fatalf("loaded stores = %#v, want deleted store removed", cfg.Secrets.Stores)
+	}
+}
+
 func TestApplyInteractiveInitSessionPlanRejectsInvalidConfigBeforeKeyringWrite(t *testing.T) {
 	opts := &root.Options{
 		Stdout: &bytes.Buffer{},
@@ -18354,12 +18981,12 @@ func TestApplyInteractiveInitSessionPlanRejectsInvalidConfigBeforeKeyringWrite(t
 	plan := initSessionPlan{
 		cfg: config.File{
 			Profiles: map[string]config.Profile{
-				"default": basicProfile("default"),
+				"broken": {},
 			},
 		},
-		profileNames: []string{"default"},
+		profileNames: []string{"broken"},
 		writes: map[string]map[string]string{
-			"codereview/default": {credentials.GitTokenKey: "git-token"},
+			"codereview/broken": {credentials.GitTokenKey: "git-token"},
 		},
 	}
 	err := applyInteractiveInitSessionPlan(opts, initDeps{
@@ -18372,7 +18999,7 @@ func TestApplyInteractiveInitSessionPlanRejectsInvalidConfigBeforeKeyringWrite(t
 			return nil
 		},
 	}, plan)
-	if err == nil || !strings.Contains(err.Error(), "default_profile") {
+	if err == nil || !strings.Contains(err.Error(), "profiles.broken.git.host is required") {
 		t.Fatalf("error = %v, want config validation failure", err)
 	}
 	if storeOpened {
@@ -18393,7 +19020,7 @@ func TestApplyInteractiveInitSessionPlanConfigSaveFailureAfterKeyringWritesRepor
 	}
 	plan := initSessionPlan{
 		path:         filepath.Join(t.TempDir(), "config.yml"),
-		cfg:          config.File{DefaultProfile: "default", Profiles: map[string]config.Profile{"default": profile}},
+		cfg:          config.File{Profiles: map[string]config.Profile{"default": profile}},
 		profileNames: []string{"default"},
 		profileRefs:  map[string][]config.CredentialRef{"default": refs},
 		writes: map[string]map[string]string{
@@ -18406,7 +19033,7 @@ func TestApplyInteractiveInitSessionPlanConfigSaveFailureAfterKeyringWritesRepor
 			return errors.New("disk full")
 		},
 	}, plan)
-	if err == nil || !strings.Contains(err.Error(), "credential refs needing cleanup: [codereview/default]") {
+	if err == nil || !strings.Contains(err.Error(), "credential names needing cleanup: [codereview/default]") {
 		t.Fatalf("error = %v, want cleanup hint after config save failure", err)
 	}
 	if got := store.bundles["default"][credentials.GitTokenKey]; got != "git-token" {
@@ -18414,7 +19041,7 @@ func TestApplyInteractiveInitSessionPlanConfigSaveFailureAfterKeyringWritesRepor
 	}
 }
 
-func TestApplyInteractiveInitSessionPlanSummarizesSecretsManagementOnlyChanges(t *testing.T) {
+func TestApplyInteractiveInitSessionPlanSummarizesSecretsStorageOnlyChanges(t *testing.T) {
 	var stdout bytes.Buffer
 	opts := &root.Options{
 		Stdout: &stdout,
@@ -18422,12 +19049,10 @@ func TestApplyInteractiveInitSessionPlanSummarizesSecretsManagementOnlyChanges(t
 	}
 	profile := basicProfile("default")
 	original := config.File{
-		DefaultProfile: "default",
-		Profiles:       map[string]config.Profile{"default": profile},
+		Profiles: map[string]config.Profile{"default": profile},
 	}
 	next := original
 	next.Secrets = config.SecretsConfig{
-		DefaultProfile: "one-password",
 		Profiles: map[string]config.SecretsProfile{
 			"one-password": {
 				Label: "1Password",
@@ -18452,8 +19077,8 @@ func TestApplyInteractiveInitSessionPlanSummarizesSecretsManagementOnlyChanges(t
 		t.Fatalf("applyInteractiveInitSessionPlan: %v", err)
 	}
 	out := stdout.String()
-	if !strings.Contains(out, "Saved staged init changes") || !strings.Contains(out, "- secrets management: 1 profile") {
-		t.Fatalf("stdout = %q, want secrets-management summary", out)
+	if !strings.Contains(out, "Saved staged init changes") || !strings.Contains(out, "- secrets storage: 1 store") {
+		t.Fatalf("stdout = %q, want secrets-storage summary", out)
 	}
 	if strings.Contains(out, "Initialized 0 profile(s)") {
 		t.Fatalf("stdout = %q, want no profile-only initialization summary", out)
@@ -18480,7 +19105,6 @@ func TestApplyInteractiveInitSessionPlanPartialKeyringWriteFailureReportsCleanup
 	}
 	plan := initSessionPlan{
 		cfg: config.File{
-			DefaultProfile: "a",
 			Profiles: map[string]config.Profile{
 				"a": basicProfile("a"),
 				"b": basicProfile("b"),
@@ -18499,7 +19123,7 @@ func TestApplyInteractiveInitSessionPlanPartialKeyringWriteFailureReportsCleanup
 			return nil
 		},
 	}, plan)
-	if err == nil || !strings.Contains(err.Error(), "credential refs needing cleanup: [codereview/a codereview/b]") {
+	if err == nil || !strings.Contains(err.Error(), "credential names needing cleanup: [codereview/a codereview/b]") {
 		t.Fatalf("error = %v, want cleanup refs after partial keyring write failure", err)
 	}
 }
@@ -18514,7 +19138,6 @@ func TestApplyInteractiveInitSessionPlanOverwriteConflictFailsBeforeWrite(t *tes
 	}
 	plan := initSessionPlan{
 		cfg: config.File{
-			DefaultProfile: "default",
 			Profiles: map[string]config.Profile{
 				"default": basicProfile("default"),
 			},
@@ -18548,9 +19171,7 @@ func TestApplyInteractiveInitSessionPlanWritesSeparateSecretsProfilesIndependent
 		Stderr: &bytes.Buffer{},
 	}
 	cfg := config.File{
-		DefaultProfile: "home",
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-file",
 			Profiles: map[string]config.SecretsProfile{
 				"personal-memory": {
 					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendMemory)},
@@ -18566,7 +19187,11 @@ func TestApplyInteractiveInitSessionPlanWritesSeparateSecretsProfilesIndependent
 				p.SecretsProfile = "personal-memory"
 				return p
 			}(),
-			"work": basicProfile("work"),
+			"work": func() config.Profile {
+				p := basicProfile("work")
+				p.SecretsProfile = "work-file"
+				return p
+			}(),
 		},
 	}
 	homeResolved, err := credentials.ResolveSecretsProfileForProfile(cfg, cfg.Profiles["home"])
@@ -18633,9 +19258,7 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-file",
 			Profiles: map[string]config.SecretsProfile{
 				"work-file": {
 					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
@@ -18708,9 +19331,7 @@ func TestApplyInteractiveInitSessionPlanNamedSecretsProfileWriteFailureStopsConf
 		Stderr: &bytes.Buffer{},
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-1password",
 			Profiles: map[string]config.SecretsProfile{
 				"work-1password": {
 					Label: "Work 1Password",
@@ -18724,7 +19345,11 @@ func TestApplyInteractiveInitSessionPlanNamedSecretsProfileWriteFailureStopsConf
 			},
 		},
 		Profiles: map[string]config.Profile{
-			"work": basicProfile("work"),
+			"work": func() config.Profile {
+				p := basicProfile("work")
+				p.SecretsProfile = "work-1password"
+				return p
+			}(),
 		},
 	}
 	resolved, err := credentials.ResolveSecretsProfileForProfile(cfg, cfg.Profiles["work"])
@@ -18802,9 +19427,12 @@ func TestInitNonInteractiveBypassesInteractiveMenuPath(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.DefaultProfile == "" || len(cfg.Profiles) != 1 {
+	if len(cfg.Profiles) != 1 {
 		t.Fatalf("config = %#v, want non-interactive profile saved", cfg)
 	}
+	if _, ok := cfg.Profiles["default"]; !ok {
+		t.Fatalf("profiles = %#v, want suggested profile saved", cfg.Profiles)
+	}
 }
 
 func TestInitInteractiveRoutesCreateEditRemoveAndDeriveFromPRURL(t *testing.T) {
@@ -18889,7 +19517,6 @@ func TestInitInteractiveRoutesCreateEditRemoveAndDeriveFromPRURL(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			path := filepath.Join(t.TempDir(), "config.yml")
 			saveCredentialTestConfig(t, path, config.File{
-				DefaultProfile:     "work",
 				RepositoryProfiles: tt.existingRoutes,
 				Profiles: map[string]config.Profile{
 					"work": basicProfile("work"),
@@ -18907,7 +19534,6 @@ func TestInitInteractiveRoutesCreateEditRemoveAndDeriveFromPRURL(t *testing.T) {
 					return initDraft{
 						OriginalProfileName: "work",
 						ProfileName:         "work",
-						MakeDefault:         true,
 						GitHost:             "github.com",
 						GitAuth:             string(config.GitAuthModePAT),
 						GitCredentialRef:    "codereview/work",
@@ -18942,7 +19568,6 @@ func TestInitInteractiveRoutesCreateEditRemoveAndDeriveFromPRURL(t *testing.T) {
 func TestInitInteractiveProfileDraftRoutesSkipRouteSubprompt(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
 		},
@@ -18955,7 +19580,7 @@ func TestInitInteractiveProfileDraftRoutesSkipRouteSubprompt(t *testing.T) {
 	}
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
-			draft := seedInteractiveInitDraft("work", "work", "work", nil)
+			draft := seedInteractiveInitDraft("work", "work", nil)
 			draft.GitHost = "github.com"
 			draft.GitAuth = string(config.GitAuthModePAT)
 			draft.GitCredentialRef = "codereview/work"
@@ -19012,7 +19637,6 @@ func TestInitInteractiveRouteEditorPreservesExistingRoutesWhenLeftUnchanged(t *t
 		},
 	}}
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile:     "work",
 		RepositoryProfiles: wantRoutes,
 		Profiles: map[string]config.Profile{
 			"work": basicProfile("work"),
@@ -19029,7 +19653,6 @@ func TestInitInteractiveRouteEditorPreservesExistingRoutesWhenLeftUnchanged(t *t
 			return initDraft{
 				OriginalProfileName: "work",
 				ProfileName:         "work",
-				MakeDefault:         true,
 				GitHost:             "github.com",
 				GitAuth:             string(config.GitAuthModePAT),
 				GitCredentialRef:    "codereview/work",
@@ -19148,7 +19771,6 @@ func TestInitInteractiveRouteParsersAcceptSemicolonsNewlinesAndDeduplicate(t *te
 func TestInitInteractiveReconcilesRouteHostChangeBeforeSave(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{{
 			Profile: "work",
 			Match: config.RepositoryProfileMatch{
@@ -19228,7 +19850,6 @@ func TestInitInteractiveReconcilesRouteHostChangeFromSelectedGitScope(t *testing
 	office.Git.Host = "gitlab.com"
 	office.Git.CredentialRef = "codereview/office"
 	cfg := config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{{
 			Profile: "work",
 			Match: config.RepositoryProfileMatch{
@@ -19243,7 +19864,6 @@ func TestInitInteractiveReconcilesRouteHostChangeFromSelectedGitScope(t *testing
 		},
 	}
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile:     cfg.DefaultProfile,
 		RepositoryProfiles: cfg.RepositoryProfiles,
 		Profiles:           cfg.Profiles,
 	})
@@ -19256,7 +19876,7 @@ func TestInitInteractiveReconcilesRouteHostChangeFromSelectedGitScope(t *testing
 	}
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
-			draft := seedInteractiveInitDraft("work", "work", "work", &work)
+			draft := seedInteractiveInitDraft("work", "work", &work)
 			applyGitScopeSelection(&draft, profileScopeNames["office"], scopes)
 			return draft, nil
 		}),
@@ -19308,7 +19928,6 @@ func TestInitInteractiveReconcilesRouteHostChangeFromSelectedGitScope(t *testing
 func TestInitInteractiveReconcilesRouteHostChangeDuringRename(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{{
 			Profile: "work",
 			Match: config.RepositoryProfileMatch{
@@ -19375,7 +19994,6 @@ func TestInitInteractiveReconcilesRouteHostChangeDuringRename(t *testing.T) {
 func TestInitInteractiveRejectsUnchangedStaleRoutesAfterHostChange(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	saveCredentialTestConfig(t, path, config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{{
 			Profile: "work",
 			Match: config.RepositoryProfileMatch{
@@ -19479,13 +20097,6 @@ func TestInitInteractiveRejectsNonInteractiveParityFlagsBeforePrompt(t *testing.
 				disableReviewer: true,
 			},
 		},
-		{
-			name: "string keyring backend",
-			args: []string{"--keyring-backend", "file"},
-			flags: initOptions{
-				keyringBackend: "file",
-			},
-		},
 	}
 
 	for _, tt := range tests {
@@ -19526,16 +20137,9 @@ func TestInitInteractiveRejectsNonInteractiveParityFlagsBeforePrompt(t *testing.
 	}
 }
 
-func TestInitInteractivePersistsExplicitBackendForDeferredLLM(t *testing.T) {
-	hermeticFileBackend(t)
+func TestInitInteractiveDeferredLLMHintUsesExplicitLocalOSStore(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	cmd := &cobra.Command{}
-	cmd.Flags().String(credstore.BackendFlagName, "", "")
-	if err := cmd.Flags().Set(credstore.BackendFlagName, "file"); err != nil {
-		t.Fatalf("set backend flag: %v", err)
-	}
 	opts := &root.Options{
-		Backend:    "file",
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
 		Stderr:     &bytes.Buffer{},
@@ -19547,7 +20151,6 @@ func TestInitInteractivePersistsExplicitBackendForDeferredLLM(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName:          "default",
-				MakeDefault:          true,
 				GitHost:              "github.com",
 				GitAuth:              string(config.GitAuthModePAT),
 				GitCredentialRef:     "codereview/default",
@@ -19573,7 +20176,7 @@ func TestInitInteractivePersistsExplicitBackendForDeferredLLM(t *testing.T) {
 		loadConfig: loadConfigForInit,
 		saveConfig: config.Save,
 		keyringPrompter: initKeyringBackendPrompterFunc(func(initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-			return initKeyringBackendEdit{Apply: true, Backend: "file"}, nil
+			return initKeyringBackendEdit{Apply: true}, nil
 		}),
 		openStore: func(string, bool, config.File) (initStore, error) {
 			return newFakeInitStore(nil), nil
@@ -19584,7 +20187,7 @@ func TestInitInteractivePersistsExplicitBackendForDeferredLLM(t *testing.T) {
 		},
 	}
 
-	err := runInitWithDeps(cmd, opts, initOptions{}, deps)
+	err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
 	if err != nil {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
@@ -19592,13 +20195,13 @@ func TestInitInteractivePersistsExplicitBackendForDeferredLLM(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if cfg.Keyring.Backend != "file" {
-		t.Fatalf("keyring.backend = %q, want file", cfg.Keyring.Backend)
+	if cfg.Keyring.Backend != "" {
+		t.Fatalf("keyring.backend = %q, want empty", cfg.Keyring.Backend)
 	}
-	if strings.Contains(stderr.String(), "cr --backend file set-credential") {
-		t.Fatalf("stderr = %q, want persisted backend to drop explicit backend hint", stderr.String())
+	if strings.Contains(stderr.String(), "--backend") {
+		t.Fatalf("stderr = %q, want no backend flag in deferred credential hint", stderr.String())
 	}
-	if !strings.Contains(stderr.String(), "cr set-credential --ref codereview/default-llm --key "+credentials.OpenAIAPIKeyKey+" --stdin") {
+	if !strings.Contains(stderr.String(), "cr set-credential --store local-os --name codereview/default-llm --key "+credentials.OpenAIAPIKeyKey+" --stdin") {
 		t.Fatalf("stderr = %q, want deferred llm follow-up hint without backend flag", stderr.String())
 	}
 }
@@ -19618,7 +20221,6 @@ func TestInitInteractiveCollectsClipboardGitSecretWithoutHint(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -19653,12 +20255,9 @@ func TestInitInteractiveCollectsClipboardGitSecretWithoutHint(t *testing.T) {
 	if strings.Contains(stdout.String()+stderr.String(), "clipboard-token") {
 		t.Fatalf("interactive init leaked secret: stdout=%q stderr=%q", stdout.String(), stderr.String())
 	}
-	if strings.Contains(stderr.String(), "set-credential --ref codereview/default --key "+credentials.GitTokenKey) {
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/default --key "+credentials.GitTokenKey) {
 		t.Fatalf("stderr = %q, want no stale follow-up hint after collected secret", stderr.String())
 	}
-	if savedCfg.DefaultProfile != "default" {
-		t.Fatalf("default_profile = %q, want default", savedCfg.DefaultProfile)
-	}
 	if savedCfg.Profiles["default"].Git.CredentialRef != "codereview/default" {
 		t.Fatalf("git ref = %q, want codereview/default", savedCfg.Profiles["default"].Git.CredentialRef)
 	}
@@ -19676,7 +20275,6 @@ func TestInitInteractiveDeferDoesNotRequireKeyringAccess(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -19707,7 +20305,7 @@ func TestInitInteractiveDeferDoesNotRequireKeyringAccess(t *testing.T) {
 	if err != nil {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
-	if !strings.Contains(stderr.String(), "set-credential --ref codereview/default --key "+credentials.GitTokenKey+" --stdin") {
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/default --key "+credentials.GitTokenKey+" --stdin") {
 		t.Fatalf("stderr = %q, want deferred git follow-up hint", stderr.String())
 	}
 }
@@ -19726,7 +20324,6 @@ func TestInitInteractiveSetNowOverwritesExistingTargetRef(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -19779,7 +20376,6 @@ func TestInitInteractiveCanKeepExistingSecretsAfterInspectingTargetRef(t *testin
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -19813,7 +20409,7 @@ func TestInitInteractiveCanKeepExistingSecretsAfterInspectingTargetRef(t *testin
 	if got := store.bundles["default"][credentials.GitTokenKey]; got != "existing-token" {
 		t.Fatalf("stored git token = %q, want existing-token", got)
 	}
-	if strings.Contains(stderr.String(), "set-credential --ref codereview/default --key "+credentials.GitTokenKey) {
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/default --key "+credentials.GitTokenKey) {
 		t.Fatalf("stderr = %q, want no follow-up hint after keeping existing secret", stderr.String())
 	}
 }
@@ -19830,7 +20426,6 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModeGitHubApp),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -19886,7 +20481,6 @@ func TestInitInteractiveCollectsProviderSpecificLLMKey(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName:      "default",
-				MakeDefault:      true,
 				GitHost:          "github.com",
 				GitAuth:          string(config.GitAuthModePAT),
 				LLMProvider:      string(config.LLMProviderOpenAI),
@@ -19919,7 +20513,7 @@ func TestInitInteractiveCollectsProviderSpecificLLMKey(t *testing.T) {
 	if got := store.bundles["default-llm"][credentials.OpenAIAPIKeyKey]; got != "openai-key" {
 		t.Fatalf("openai api key = %q, want openai-key", got)
 	}
-	if strings.Contains(stderr.String(), "set-credential --ref codereview/default-llm --key "+credentials.OpenAIAPIKeyKey) {
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/default-llm --key "+credentials.OpenAIAPIKeyKey) {
 		t.Fatalf("stderr = %q, want no stale llm follow-up hint after collected key", stderr.String())
 	}
 }
@@ -19935,7 +20529,6 @@ func TestInitInteractiveEmptyClipboardSecretDoesNotLeak(t *testing.T) {
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
 			return initDraft{
 				ProfileName: "default",
-				MakeDefault: true,
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModePAT),
 				LLMProvider: string(config.LLMProviderAnthropic),
@@ -19986,7 +20579,6 @@ func TestInitInteractiveRejectsKeepForChangedRefWithoutTargetBundle(t *testing.T
 			return initDraft{
 				OriginalProfileName: "work",
 				ProfileName:         "work",
-				MakeDefault:         true,
 				GitHost:             "github.com",
 				GitAuth:             string(config.GitAuthModePAT),
 				GitCredentialRef:    "codereview/work-new",
@@ -20003,7 +20595,6 @@ func TestInitInteractiveRejectsKeepForChangedRefWithoutTargetBundle(t *testing.T
 		configPath:         func(*root.Options) (string, error) { return opts.ConfigPath, nil },
 		loadConfig: func(string) (config.File, bool, error) {
 			return config.File{
-				DefaultProfile: "work",
 				Profiles: map[string]config.Profile{
 					"work": basicProfile("work"),
 				},
@@ -20045,8 +20636,8 @@ func TestInitRejectsInvalidSecretAndProfileInputs(t *testing.T) {
 		{name: "llm ingress under subscription auth", args: []string{"init", "--non-interactive", "--llm-api-key-from-env", "CR_LLM_KEY"}},
 		{name: "invalid reviewer model tier", args: []string{"init", "--non-interactive", "--llm-reviewer-model-tier", "flagship"}},
 		{name: "set and clear reviewer model tier", args: []string{"init", "--non-interactive", "--llm-reviewer-model-tier", string(config.ModelTierMedium), "--clear-llm-reviewer-model-tier"}},
-		{name: "set and reset keyring backend", args: []string{"init", "--non-interactive", "--keyring-backend", "file", "--reset-keyring-backend"}},
-		{name: "runtime and durable backend conflict", args: []string{"--backend", "memory", "init", "--non-interactive", "--keyring-backend", "file"}},
+		{name: "obsolete keyring backend flags", args: []string{"init", "--non-interactive", "--keyring-backend", "file", "--reset-keyring-backend"}},
+		{name: "runtime backend with obsolete durable backend flag", args: []string{"--backend", "memory", "init", "--non-interactive", "--keyring-backend", "file"}},
 		{name: "pi rpc adapter without pi provider", args: []string{"init", "--non-interactive", "--llm-adapter", string(config.LLMAdapterPiRPC)}},
 		{name: "codex cli adapter without openai provider", args: []string{"init", "--non-interactive", "--llm-adapter", string(config.LLMAdapterCodexCLI)}},
 	}
@@ -20088,7 +20679,7 @@ func TestWriteBundlesReportsPreviouslyWrittenRefsForCleanup(t *testing.T) {
 	if len(written) != 1 || written[0] != "codereview/a" {
 		t.Fatalf("written refs = %#v, want codereview/a", written)
 	}
-	if !strings.Contains(err.Error(), "credential refs needing cleanup: [codereview/a]") {
+	if !strings.Contains(err.Error(), "credential names needing cleanup: [codereview/a]") {
 		t.Fatalf("error = %v, want cleanup ref", err)
 	}
 }
@@ -20166,8 +20757,7 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 		DisplayName:   "work bot",
 	}
 	cfg := config.File{
-		DefaultProfile: "work",
-		Profiles:       map[string]config.Profile{"work": profile},
+		Profiles: map[string]config.Profile{"work": profile},
 	}
 	resolved, err := credentials.ResolveSecretsProfileForProfile(cfg, profile)
 	if err != nil {
@@ -20243,7 +20833,7 @@ func TestApplyInteractiveInitSessionPlanSaveFailureDoesNotDeleteStaleReviewerKey
 		AuthMode:      config.GitAuthModeGitHubApp,
 		CredentialRef: "codereview/work-reviewer",
 	}
-	cfg := config.File{DefaultProfile: "work", Profiles: map[string]config.Profile{"work": profile}}
+	cfg := config.File{Profiles: map[string]config.Profile{"work": profile}}
 	resolved, err := credentials.ResolveSecretsProfileForProfile(cfg, profile)
 	if err != nil {
 		t.Fatalf("ResolveSecretsProfileForProfile: %v", err)
@@ -20300,7 +20890,6 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "app",
 		Profiles: map[string]config.Profile{
 			"app": appProfile,
 			"pat": patProfile,
@@ -20370,7 +20959,7 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "work bot",
 	}
-	cfg := config.File{DefaultProfile: "work", Profiles: map[string]config.Profile{"work": profile}}
+	cfg := config.File{Profiles: map[string]config.Profile{"work": profile}}
 	resolved, err := credentials.ResolveSecretsProfileForProfile(cfg, profile)
 	if err != nil {
 		t.Fatalf("ResolveSecretsProfileForProfile: %v", err)
@@ -20455,7 +21044,6 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	cfg := config.File{
-		DefaultProfile: "app",
 		Profiles: map[string]config.Profile{
 			"app": appProfile,
 			"pat": patProfile,
@@ -20485,65 +21073,6 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 	}
 }
 
-func TestBuildInteractiveInitSessionPlanDropsReviewerWritesWhenSecretsStoreChanges(t *testing.T) {
-	originalProfile := basicProfile("work")
-	originalProfile.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/work-reviewer",
-	}
-	originalCfg := config.File{DefaultProfile: "work", Profiles: map[string]config.Profile{
-		"work": originalProfile,
-	}}
-	originalResolved, err := credentials.ResolveSecretsProfileForProfile(originalCfg, originalProfile)
-	if err != nil {
-		t.Fatalf("Resolve original secrets profile: %v", err)
-	}
-	nextProfile := originalProfile
-	nextCfg := config.File{
-		DefaultProfile: "work",
-		Secrets: config.SecretsConfig{
-			DefaultProfile: "vault",
-			Profiles: map[string]config.SecretsProfile{
-				"vault": {
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
-				},
-			},
-		},
-		Profiles: map[string]config.Profile{"work": nextProfile},
-	}
-	session := initSessionDraft{
-		path:            filepath.Join(t.TempDir(), "config.yml"),
-		originalCfg:     originalCfg,
-		cfg:             nextCfg,
-		touchedProfiles: map[string]string{"work": "work"},
-		writes: map[string]map[string]string{
-			"codereview/work-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
-				credentials.GitHubAppPrivateKeyKey: "private-key",
-			},
-		},
-		credentialWriteStores: map[string]credentials.ResolvedSecretsProfile{
-			"codereview/work-reviewer": originalResolved,
-		},
-		overwriteRefs: map[string]bool{"codereview/work-reviewer": true},
-		satisfiedRefs: map[string]bool{"codereview/work-reviewer": true},
-	}
-
-	plan, err := buildInteractiveInitSessionPlan(&root.Options{}, session)
-	if err != nil {
-		t.Fatalf("buildInteractiveInitSessionPlan: %v", err)
-	}
-	if _, ok := plan.writes["codereview/work-reviewer"]; ok {
-		t.Fatalf("reviewer writes = %#v, want dropped after secrets store changed", plan.writes)
-	}
-	if plan.overwriteRefs["codereview/work-reviewer"] {
-		t.Fatalf("overwrite ref retained after secrets store changed")
-	}
-	if plan.satisfiedRefs["codereview/work-reviewer"] {
-		t.Fatalf("satisfied ref retained after secrets store changed")
-	}
-}
-
 type fakeInitSecretPrompter struct {
 	actions       []initCredentialSecretAction
 	sources       []initSecretSource
@@ -20659,6 +21188,25 @@ func (s *fakeInitStore) Delete(profile, key string) error {
 
 func (s *fakeInitStore) Close() error { return nil }
 
+func assertFakeStored(t *testing.T, store *fakeInitStore, profile, key, want string) {
+	t.Helper()
+	if got := store.bundles[profile][key]; got != want {
+		t.Fatalf("fake store %s/%s = %q, want %q", profile, key, got, want)
+	}
+}
+
+func assertFakeBundleKeys(t *testing.T, store *fakeInitStore, profile string, want []string) {
+	t.Helper()
+	got := make([]string, 0, len(store.bundles[profile]))
+	for key := range store.bundles[profile] {
+		got = append(got, key)
+	}
+	sort.Strings(got)
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("fake store %s keys = %#v, want %#v", profile, got, want)
+	}
+}
+
 func newTestCommand(path string, stdin io.Reader) (*cobra.Command, *bytes.Buffer, *bytes.Buffer) {
 	var stdout, stderr bytes.Buffer
 	cmd, opts := root.NewCommandWithOptions(&root.Options{
@@ -20841,6 +21389,86 @@ func openFileStore(t *testing.T) *credstore.Store {
 	return store
 }
 
+const testFileCredentialStoreID = "test-file"
+
+type initFlagChange struct {
+	name  string
+	value string
+}
+
+func defaultNonInteractiveInitOptionsForTest() initOptions {
+	return initOptions{
+		nonInteractive: true,
+		gitHost:        "github.com",
+		gitAuth:        string(config.GitAuthModePAT),
+		reviewerAuth:   string(config.GitAuthModePAT),
+		llmProvider:    string(config.LLMProviderAnthropic),
+		llmAuth:        string(config.LLMAuthSubscription),
+		llmAdapter:     string(config.LLMAdapterClaudeCLI),
+		majorEvent:     string(config.ReviewMajorEventComment),
+	}
+}
+
+func runNonInteractiveInitWithFakeStore(t *testing.T, path string, profile string, stdin io.Reader, flags initOptions, store *fakeInitStore, changes ...initFlagChange) (*bytes.Buffer, *bytes.Buffer, error) {
+	t.Helper()
+	out := &bytes.Buffer{}
+	errOut := &bytes.Buffer{}
+	opts := &root.Options{
+		Profile:    profile,
+		Stdin:      stdin,
+		Stdout:     out,
+		Stderr:     errOut,
+		ConfigPath: path,
+	}
+	cmd := newInitCommand(opts)
+	for _, change := range changes {
+		if err := cmd.Flags().Set(change.name, change.value); err != nil {
+			t.Fatalf("set %s flag: %v", change.name, err)
+		}
+	}
+	deps := initDeps{
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: loadConfigForInit,
+		saveConfig: config.Save,
+		openResolvedStore: func(credentials.ResolvedSecretsProfile, string, bool, config.File) (initStore, error) {
+			return store, nil
+		},
+	}
+	return out, errOut, runInitWithDeps(cmd, opts, flags, deps)
+}
+
+func testFileSecretsConfig() config.SecretsConfig {
+	return config.SecretsConfig{
+		Stores: map[string]config.SecretsStore{
+			testFileCredentialStoreID: {
+				DisplayName: "Test File Store",
+				Backend: config.SecretsStoreBackend{
+					Kind: config.SecretsBackendKind(credstore.BackendFile),
+				},
+			},
+		},
+	}
+}
+
+func testFileCredentialStoreConfig(profileName string) config.File {
+	profile := profileWithCredentialStore(basicProfile(profileName), testFileCredentialStoreID)
+	return config.File{
+		Secrets:  testFileSecretsConfig(),
+		Profiles: map[string]config.Profile{profileName: profile},
+	}
+}
+
+func profileWithCredentialStore(profile config.Profile, storeID string) config.Profile {
+	profile.Git.Credential.Store = storeID
+	if profile.ReviewerCredentials != nil {
+		profile.ReviewerCredentials.Credential.Store = storeID
+	}
+	if profile.LLM.Credential.Name != "" {
+		profile.LLM.Credential.Store = storeID
+	}
+	return profile
+}
+
 func basicProfile(profile string) config.Profile {
 	ref, err := credentials.FormatRef(profile)
 	if err != nil {
@@ -20850,6 +21478,7 @@ func basicProfile(profile string) config.Profile {
 		Git: config.GitConfig{
 			Host:          "github.com",
 			AuthMode:      config.GitAuthModePAT,
+			Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: ref},
 			CredentialRef: ref,
 		},
 		LLM: config.LLMConfig{
@@ -20860,13 +21489,24 @@ func basicProfile(profile string) config.Profile {
 	}
 }
 
+func normalizeTestProfile(profile config.Profile) config.Profile {
+	cfg := config.Normalize(config.File{
+		Profiles: map[string]config.Profile{
+			"test": profile,
+		},
+	})
+	return cfg.Profiles["test"]
+}
+
 func apiKeyProfile(profile string, provider config.LLMProvider) config.Profile {
 	p := basicProfile(profile)
+	ref := "codereview/" + profile + "-llm"
 	p.LLM = config.LLMConfig{
 		Provider:      provider,
 		Auth:          config.LLMAuthAPIKey,
 		Adapter:       config.LLMAdapterAnthropicAPI,
-		CredentialRef: "codereview/" + profile + "-llm",
+		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: ref},
+		CredentialRef: ref,
 	}
 	if provider == config.LLMProviderOpenAI {
 		p.LLM.Adapter = config.LLMAdapterOpenAIAPI
diff --git a/internal/cmd/credentialcmd/init_credential_destination.go b/internal/cmd/credentialcmd/init_credential_destination.go
index 80c01db0..b20e10df 100644
--- a/internal/cmd/credentialcmd/init_credential_destination.go
+++ b/internal/cmd/credentialcmd/init_credential_destination.go
@@ -18,6 +18,7 @@ type initCredentialDestinationContext struct {
 }
 
 func initCredentialDestinationDescription(ctx initCredentialDestinationContext) string {
+	ctx.Config = config.Normalize(ctx.Config)
 	ref := strings.TrimSpace(ctx.Entry.Ref.Ref)
 	if ref == "" {
 		ref = "(standard credential location)"
@@ -25,49 +26,50 @@ func initCredentialDestinationDescription(ctx initCredentialDestinationContext)
 	destination, details := initCredentialDestinationDetails(ctx, ref)
 	lines := []string{"Destination: " + destination}
 	lines = append(lines, details...)
-	lines = append(lines, "Change destination by configuring/selecting a secrets-management profile; secret values are collected separately.")
+	lines = append(lines, "Secret values are collected separately.")
 	return strings.Join(lines, "\n")
 }
 
 func initCredentialDestinationDetails(ctx initCredentialDestinationContext, ref string) (string, []string) {
-	resolved := ctx.Entry.SecretsProfile
-	if resolved.IsNamed() {
-		return initNamedCredentialDestinationDetails(ctx, ref)
+	storeID := strings.TrimSpace(ctx.Entry.Ref.Store)
+	if storeID == "" {
+		storeID = strings.TrimSpace(ctx.Entry.SecretsProfile.ID)
 	}
-	return initLegacyCredentialDestinationDetails(ctx, ref)
-}
-
-func initNamedCredentialDestinationDetails(ctx initCredentialDestinationContext, ref string) (string, []string) {
-	resolved := ctx.Entry.SecretsProfile
-	displayName := strings.TrimSpace(resolved.DisplayName())
-	if displayName == "" {
-		displayName = "selected secrets-management profile"
-	}
-	profile, ok := ctx.Config.Secrets.Profiles[strings.TrimSpace(resolved.ID)]
-	if !ok {
-		return fmt.Sprintf("%s via %s", ref, displayName), []string{"credential destination unavailable."}
-	}
-	backendKind := profile.Backend.Kind
-	if strings.TrimSpace(string(backendKind)) == "" {
-		backendKind = config.SecretsBackendKind(resolved.Backend)
+	if storeID == "" {
+		return initLegacyCredentialDestinationDetails(ctx, ref)
 	}
-	backendLabel := initSecretsBackendDisplayLabel(backendKind)
+	location := config.CredentialLocation{Store: storeID, Name: ref}
 	lines := []string{}
-	if value := strings.TrimSpace(resolved.ID); value != "" {
-		lines = append(lines, "Secrets profile: "+value)
+	if value := strings.TrimSpace(storeID); value != "" {
+		lines = append(lines, "Credential store: "+value)
 	}
-	if value := strings.TrimSpace(string(backendKind)); value != "" {
+	if value := strings.TrimSpace(ctx.Entry.SecretsProfile.Backend); value != "" {
 		lines = append(lines, "Backend kind: "+value)
 	}
-	lines = append(lines, initOnePasswordDestinationDetails(profile.Backend)...)
-	return fmt.Sprintf("%s via %s (%s)", ref, displayName, backendLabel), lines
+	destination := initCredentialDestinationLabel(ctx.Config, location)
+	if storeID == config.LocalOSCredentialStoreID && ctx.BackendFlagSet {
+		if backend, _, err := credentials.BackendMetadata(ctx.BackendArg, ctx.BackendFlagSet, ctx.Config); err == nil && strings.TrimSpace(string(backend)) != "" {
+			for i, line := range lines {
+				if strings.HasPrefix(line, "Backend kind: ") {
+					lines[i] = "Backend kind: " + string(backend)
+					break
+				}
+			}
+		}
+	}
+	if profile, ok := ctx.Config.Secrets.Stores[storeID]; ok {
+		lines = append(lines, initOnePasswordDestinationDetails(profile.Backend)...)
+	} else if storeID != config.LocalOSCredentialStoreID {
+		if displayName := strings.TrimSpace(ctx.Entry.SecretsProfile.DisplayName()); displayName != "" {
+			destination = strings.Join([]string{displayName, ref}, " / ")
+		}
+		lines = append(lines, "credential destination unavailable.")
+	}
+	return destination, lines
 }
 
 func initLegacyCredentialDestinationDetails(ctx initCredentialDestinationContext, ref string) (string, []string) {
-	displayName := strings.TrimSpace(ctx.Entry.SecretsProfile.DisplayName())
-	if displayName == "" {
-		displayName = "Legacy default"
-	}
+	displayName := initBuiltInOSCredentialStoreTitle()
 	backend, source, err := credentials.BackendMetadata(ctx.BackendArg, ctx.BackendFlagSet, ctx.Config)
 	if err != nil {
 		return fmt.Sprintf("%s via %s", ref, displayName), []string{"credential destination unavailable."}
@@ -91,17 +93,17 @@ func initOnePasswordDestinationDetails(backend config.SecretsProfileBackend) []s
 	}
 	onePassword := backend.OnePassword
 	lines := []string{}
-	if value := strings.TrimSpace(onePassword.VaultID); value != "" {
+	if value := strings.TrimSpace(onePassword.VaultName); value != "" {
 		lines = append(lines, "1Password vault: "+value)
 	}
-	if value := strings.TrimSpace(onePassword.ItemTitlePrefix); value != "" {
-		lines = append(lines, "1Password item title prefix: "+value)
+	if value := strings.TrimSpace(onePassword.VaultID); value != "" {
+		lines = append(lines, "1Password vault: "+value)
 	}
-	if value := strings.TrimSpace(onePassword.ItemTag); value != "" {
-		lines = append(lines, "1Password item tag: "+value)
+	if value := strings.TrimSpace(onePassword.AccountURL); value != "" {
+		lines = append(lines, "1Password account: "+value)
 	}
-	if value := strings.TrimSpace(onePassword.ItemFieldTitle); value != "" {
-		lines = append(lines, "1Password item field title: "+value)
+	if value := strings.TrimSpace(onePassword.AccountID); value != "" {
+		lines = append(lines, "1Password account id: "+value)
 	}
 	if value := strings.TrimSpace(onePassword.ConnectHost); value != "" {
 		lines = append(lines, "1Password Connect host: "+value)
diff --git a/internal/cmd/credentialcmd/init_credential_stores.go b/internal/cmd/credentialcmd/init_credential_stores.go
new file mode 100644
index 00000000..b4ba2c1b
--- /dev/null
+++ b/internal/cmd/credentialcmd/init_credential_stores.go
@@ -0,0 +1,123 @@
+package credentialcmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/charmbracelet/huh"
+
+	"github.com/open-cli-collective/codereview-cli/internal/config"
+)
+
+func initCredentialStoreDefaultID() string {
+	return config.LocalOSCredentialStoreID
+}
+
+func initCredentialStoreDraftValue(current string) string {
+	current = strings.TrimSpace(current)
+	if current == "" {
+		return initCredentialStoreDefaultID()
+	}
+	return current
+}
+
+func initCredentialStoreOptions(cfg config.File) []huh.Option[string] {
+	stores := config.EffectiveSecretsStores(cfg)
+	options := make([]huh.Option[string], 0, len(stores))
+	for _, store := range stores {
+		options = append(options, huh.NewOption(initCredentialStoreOptionLabel(cfg, store.ID), store.ID))
+	}
+	return options
+}
+
+func initCredentialStoreOptionLabel(cfg config.File, storeID string) string {
+	storeID = strings.TrimSpace(storeID)
+	if storeID == config.LocalOSCredentialStoreID {
+		description := strings.TrimSpace(initBuiltInOSCredentialStoreDescription())
+		if description == "" {
+			return initBuiltInOSCredentialStoreTitle()
+		}
+		return fmt.Sprintf("%s - %s", initBuiltInOSCredentialStoreTitle(), description)
+	}
+	store, ok := cfg.Secrets.Stores[storeID]
+	if !ok {
+		return storeID
+	}
+	name := strings.TrimSpace(store.DisplayName)
+	if name == "" {
+		name = storeID
+	}
+	parts := []string{name}
+	if detail := initCredentialConfiguredStoreDetail(store); detail != "" {
+		parts = append(parts, detail)
+	} else if backend := initSecretsBackendDisplayLabel(store.Backend.Kind); backend != "" {
+		parts = append(parts, backend)
+	}
+	return strings.Join(parts, " - ")
+}
+
+func initCredentialConfiguredStoreDetail(store config.SecretsStore) string {
+	if store.Backend.OnePassword != nil && config.IsOnePasswordSecretsBackend(store.Backend.Kind) {
+		var parts []string
+		if vault := firstNonEmpty(store.Backend.OnePassword.VaultName, store.Backend.OnePassword.VaultID); vault != "" {
+			parts = append(parts, vault+" vault")
+		}
+		if account := firstNonEmpty(store.Backend.OnePassword.AccountURL, store.Backend.OnePassword.AccountID); account != "" {
+			parts = append(parts, account)
+		}
+		return strings.Join(parts, ", ")
+	}
+	return ""
+}
+
+func initCredentialStoreDisplayName(cfg config.File, storeID string) string {
+	storeID = strings.TrimSpace(storeID)
+	if storeID == "" || storeID == config.LocalOSCredentialStoreID {
+		return initBuiltInOSCredentialStoreTitle()
+	}
+	if store, ok := cfg.Secrets.Stores[storeID]; ok {
+		if displayName := strings.TrimSpace(store.DisplayName); displayName != "" {
+			return displayName
+		}
+	}
+	return storeID
+}
+
+func initCredentialDestinationLabel(cfg config.File, location config.CredentialLocation) string {
+	location.Store = strings.TrimSpace(location.Store)
+	location.Name = strings.TrimSpace(location.Name)
+	if location.Store == "" {
+		location.Store = initCredentialStoreDefaultID()
+	}
+	parts := []string{initCredentialStoreDisplayName(cfg, location.Store)}
+	if store, ok := cfg.Secrets.Stores[location.Store]; ok {
+		if store.Backend.OnePassword != nil && config.IsOnePasswordSecretsBackend(store.Backend.Kind) {
+			if vault := firstNonEmpty(store.Backend.OnePassword.VaultName, store.Backend.OnePassword.VaultID); vault != "" {
+				parts = append(parts, vault)
+			}
+		}
+	}
+	if location.Name != "" {
+		parts = append(parts, location.Name)
+	}
+	return strings.Join(parts, " / ")
+}
+
+func initCredentialLocation(storeID, name string) config.CredentialLocation {
+	storeID = strings.TrimSpace(storeID)
+	if storeID == "" {
+		storeID = initCredentialStoreDefaultID()
+	}
+	return config.CredentialLocation{
+		Store: storeID,
+		Name:  strings.TrimSpace(name),
+	}
+}
+
+func initCredentialLocationIfName(storeID, name string) config.CredentialLocation {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return config.CredentialLocation{}
+	}
+	return initCredentialLocation(storeID, name)
+}
diff --git a/internal/cmd/credentialcmd/init_inventory_test.go b/internal/cmd/credentialcmd/init_inventory_test.go
index 5fa06422..aeeaf211 100644
--- a/internal/cmd/credentialcmd/init_inventory_test.go
+++ b/internal/cmd/credentialcmd/init_inventory_test.go
@@ -451,9 +451,7 @@ func TestInitProfileInventoryRowsSetExpectedCapabilities(t *testing.T) {
 func TestInitProfileInventoryRowsShowRoutesAndSortBySpecificity(t *testing.T) {
 	rows := initProfileInventoryRows(initPromptContext{
 		ExistingProfileNames: []string{"default", "unrouted", "namespace", "repo"},
-		DefaultProfileName:   "default",
 		ExistingConfig: config.File{
-			DefaultProfile: "default",
 			Profiles: map[string]config.Profile{
 				"default":   {Git: config.GitConfig{Host: "github.com"}},
 				"unrouted":  {Git: config.GitConfig{Host: "github.com"}},
@@ -491,7 +489,7 @@ func TestInitProfileInventoryRowsShowRoutesAndSortBySpecificity(t *testing.T) {
 	for _, row := range rows[:4] {
 		got = append(got, row.ID)
 	}
-	want := []string{"repo", "namespace", "unrouted", "default"}
+	want := []string{"repo", "namespace", "default", "unrouted"}
 	if !reflect.DeepEqual(got, want) {
 		t.Fatalf("profile row order = %#v, want %#v", got, want)
 	}
@@ -502,10 +500,10 @@ func TestInitProfileInventoryRowsShowRoutesAndSortBySpecificity(t *testing.T) {
 		t.Fatalf("namespace description = %q, want %q", got, want)
 	}
 	if got := rows[2].Description; got != "" {
-		t.Fatalf("unrouted description = %q, want empty", got)
+		t.Fatalf("default description = %q, want empty", got)
 	}
-	if got, want := rows[3].Description, "Everything else"; got != want {
-		t.Fatalf("default description = %q, want %q", got, want)
+	if got := rows[3].Description; got != "" {
+		t.Fatalf("unrouted description = %q, want empty", got)
 	}
 	if !strings.Contains(rows[0].FilterValue, "github.com/OtherMonitOrg") {
 		t.Fatalf("route summary missing from filter value: %q", rows[0].FilterValue)
diff --git a/internal/cmd/credentialcmd/init_llm_runtime_editor.go b/internal/cmd/credentialcmd/init_llm_runtime_editor.go
index da2f5054..5d534e49 100644
--- a/internal/cmd/credentialcmd/init_llm_runtime_editor.go
+++ b/internal/cmd/credentialcmd/init_llm_runtime_editor.go
@@ -10,17 +10,20 @@ import (
 	"github.com/charmbracelet/huh"
 
 	"github.com/open-cli-collective/codereview-cli/internal/config"
+	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 )
 
 type initLLMRuntimeEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
 
 const (
-	initLLMRuntimeFieldSelection   initLinearFieldID = "llm_runtime_selection"
-	initLLMRuntimeFieldProvider    initLinearFieldID = "llm_runtime_provider"
-	initLLMRuntimeFieldAuth        initLinearFieldID = "llm_runtime_auth"
-	initLLMRuntimeFieldAdapter     initLinearFieldID = "llm_runtime_adapter"
-	initLLMRuntimeFieldReplacement initLinearFieldID = "llm_runtime_replacement"
-	initLLMRuntimeFieldAction      initLinearFieldID = "llm_runtime_action"
+	initLLMRuntimeFieldSelection       initLinearFieldID = "llm_runtime_selection"
+	initLLMRuntimeFieldProvider        initLinearFieldID = "llm_runtime_provider"
+	initLLMRuntimeFieldAuth            initLinearFieldID = "llm_runtime_auth"
+	initLLMRuntimeFieldAdapter         initLinearFieldID = "llm_runtime_adapter"
+	initLLMRuntimeFieldCredentialStore initLinearFieldID = "llm_runtime_credential_store" // #nosec G101 -- field ID, not a secret.
+	initLLMRuntimeFieldCredentialName  initLinearFieldID = "llm_runtime_credential_name"  // #nosec G101 -- field ID, not a secret.
+	initLLMRuntimeFieldReplacement     initLinearFieldID = "llm_runtime_replacement"
+	initLLMRuntimeFieldAction          initLinearFieldID = "llm_runtime_action"
 )
 
 const (
@@ -31,7 +34,7 @@ const (
 const initLLMRuntimeRestoreSelectionPrefix = "__restore_llm_runtime__:"
 
 func (p huhInitLLMRuntimePrompter) editLLMRuntimeLinear(prompt initLLMRuntimePrompt) (initDraft, error) {
-	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	editor := initLLMRuntimeLinearEditor(prompt.Context, seed, p.runtimeAvailabilityNote)
 	model, err := p.runLLMRuntimeEditor(editor)
 	if err != nil {
@@ -140,7 +143,7 @@ func initLLMRuntimeLinearEditor(ctx initPromptContext, seed initDraft, availabil
 	replacementOptions := initLLMRuntimeReplacementOptions(ctx, selection)
 
 	var document initLinearDocument
-	document.addSection("LLM runtime", "Choose how reviewer agents run for this profile. Configured runtimes can be reused by multiple profiles; templates seed common runtime shapes.")
+	document.addSection("LLM runtime", "Choose how reviewer agents run. Configured runtimes can be reused by review profiles; templates seed common runtime shapes.")
 	document.addEditableSelect(initLLMRuntimeFieldSelection, "Runtime", "", selectionOptions, selection)
 	document.addSection("Runtime details", "")
 	document.addEditableSelect(initLLMRuntimeFieldProvider, "LLM provider", "", []huh.Option[string]{
@@ -159,6 +162,22 @@ func initLLMRuntimeLinearEditor(ctx initPromptContext, seed initDraft, availabil
 		huh.NewOption("OpenAI API", string(config.LLMAdapterOpenAIAPI)),
 		huh.NewOption("Pi RPC", string(config.LLMAdapterPiRPC)),
 	}, seed.LLMAdapter)
+	document.addEditableSelect(
+		initLLMRuntimeFieldCredentialStore,
+		"LLM credential store",
+		"Where this runtime's API key is stored.",
+		initCredentialStoreOptions(ctx.ExistingConfig),
+		initCredentialStoreDraftValue(seed.LLMCredentialStore),
+		initLinearFieldOptions{Hidden: true},
+	)
+	document.addEditableInput(
+		initLLMRuntimeFieldCredentialName,
+		"LLM credential name",
+		"Full credential name under the selected store.",
+		"",
+		validateRequiredCredentialRef,
+		initLinearFieldOptions{Hidden: true},
+	)
 	document.addEditableSelect(initLLMRuntimeFieldReplacement, "Replacement LLM runtime", "Choose the runtime that should replace this deleted runtime for every affected profile.", replacementOptions, normalizeInitStringSelectionValue("", replacementOptions), initLinearFieldOptions{Hidden: true})
 	document.addEditableSelect(initLLMRuntimeFieldAction, "Runtime action", "", initLLMRuntimeActionOptions(ctx, selection, false), initDetailActionEdit)
 	editor := initLinearEditor{
@@ -175,6 +194,12 @@ func initLLMRuntimeLinearEditor(ctx initPromptContext, seed initDraft, availabil
 				id == initLLMRuntimeFieldAction ||
 				id == initLLMRuntimeFieldReplacement {
 				initLLMRuntimeSyncLinearFields(model, ctx, seed, availabilityNote, true)
+				return
+			}
+			if id == initLLMRuntimeFieldProvider ||
+				id == initLLMRuntimeFieldAuth ||
+				id == initLLMRuntimeFieldAdapter {
+				initLLMRuntimeSyncLinearFields(model, ctx, seed, availabilityNote, false)
 			}
 		},
 		OnDelete: func(model *initLinearEditorModel, index int) (bool, tea.Cmd) {
@@ -212,6 +237,12 @@ func initLLMRuntimeLinearEditor(ctx initPromptContext, seed initDraft, availabil
 				model.resultAction = initDetailActionBack
 				return true, tea.Quit
 			case initDetailActionEdit:
+				if err := validateLLMRuntimeLinearDocument(model.document); err != nil {
+					model.document[model.focused].Error = err.Error()
+					model.relayout()
+					model.ensureFocusedVisible()
+					return true, nil
+				}
 				model.resultAction = initDetailActionEdit
 				return true, tea.Quit
 			case initLLMRuntimeActionDelete:
@@ -276,6 +307,13 @@ func initLLMRuntimeDraftFromLinearDocument(seed initDraft, ctx initPromptContext
 	draft.LLMAdapter = document.selectedValue(initLLMRuntimeFieldAdapter)
 	resolvedRuntimePreset := string(initLLMRuntimeDraftFromSeedDraft(draft).Preset)
 	applyLLMRuntimeSelection(&draft, resolvedRuntimePreset)
+	if config.LLMAuth(draft.LLMAuth) == config.LLMAuthAPIKey {
+		draft.LLMCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initLLMRuntimeFieldCredentialStore))
+		draft.LLMCredentialRef = strings.TrimSpace(document.fieldValue(initLLMRuntimeFieldCredentialName))
+	} else {
+		draft.LLMCredentialStore = initCredentialStoreDefaultID()
+		draft.LLMCredentialRef = ""
+	}
 	return draft
 }
 
@@ -414,9 +452,59 @@ func initLLMRuntimeSyncLinearFields(model *initLinearEditorModel, ctx initPrompt
 		model.selectFieldValue(initLLMRuntimeFieldAuth, draft.LLMAuth)
 		model.selectFieldValue(initLLMRuntimeFieldAdapter, draft.LLMAdapter)
 	}
+	initLLMRuntimeSyncCredentialFields(model, ctx, draft, detailSelection, resetDetails)
 	initLLMRuntimeSetDetailsDescription(model, draft, availabilityNote)
 }
 
+func initLLMRuntimeSyncCredentialFields(model *initLinearEditorModel, ctx initPromptContext, draft initDraft, selection string, reset bool) {
+	auth := config.LLMAuth(model.document.selectedValue(initLLMRuntimeFieldAuth))
+	if auth == "" {
+		auth = config.LLMAuth(draft.LLMAuth)
+	}
+	needsCredential := auth == config.LLMAuthAPIKey
+	model.setFieldHidden(initLLMRuntimeFieldCredentialStore, !needsCredential)
+	model.setFieldHidden(initLLMRuntimeFieldCredentialName, !needsCredential)
+	if !needsCredential {
+		return
+	}
+	if reset || strings.TrimSpace(model.document.fieldValue(initLLMRuntimeFieldCredentialName)) == "" {
+		store := initCredentialStoreDraftValue(draft.LLMCredentialStore)
+		if store == "" {
+			store = initCredentialStoreDefaultID()
+		}
+		model.selectFieldValue(initLLMRuntimeFieldCredentialStore, store)
+		name := strings.TrimSpace(draft.LLMCredentialRef)
+		if name == "" {
+			name = initLLMRuntimeDefaultCredentialName(ctx, draft, selection)
+		}
+		model.setFieldValue(initLLMRuntimeFieldCredentialName, name)
+	}
+	model.validateField(model.document.fieldIndexByID(initLLMRuntimeFieldCredentialName))
+}
+
+func initLLMRuntimeDefaultCredentialName(ctx initPromptContext, draft initDraft, selection string) string {
+	runtime := initLLMRuntimeDraftFromSeedDraft(draft)
+	nameSeed := runtime.suggestedName()
+	if _, configured := ctx.LLMRuntimes[selection]; configured {
+		nameSeed = strings.TrimSpace(selection)
+	}
+	ref, err := credentials.FormatRef(nameSeed)
+	if err != nil {
+		return ""
+	}
+	return ref
+}
+
+func validateLLMRuntimeLinearDocument(document initLinearDocument) error {
+	if config.LLMAuth(document.selectedValue(initLLMRuntimeFieldAuth)) != config.LLMAuthAPIKey {
+		return nil
+	}
+	if strings.TrimSpace(document.selectedValue(initLLMRuntimeFieldCredentialStore)) == "" {
+		return fmt.Errorf("LLM credential store is required")
+	}
+	return validateRequiredCredentialRef(document.fieldValue(initLLMRuntimeFieldCredentialName))
+}
+
 func initLLMRuntimeDraftForDeleteFromLinearDocument(seed initDraft, ctx initPromptContext, document initLinearDocument) initDraft {
 	draft := seed
 	replacement := document.selectedValue(initLLMRuntimeFieldReplacement)
@@ -431,6 +519,10 @@ func initLLMRuntimeDraftForDeleteFromLinearDocument(seed initDraft, ctx initProm
 	draft.LLMAdapter = document.selectedValue(initLLMRuntimeFieldAdapter)
 	resolvedRuntimePreset := string(initLLMRuntimeDraftFromSeedDraft(draft).Preset)
 	applyLLMRuntimeSelection(&draft, resolvedRuntimePreset)
+	if config.LLMAuth(draft.LLMAuth) == config.LLMAuthAPIKey {
+		draft.LLMCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initLLMRuntimeFieldCredentialStore))
+		draft.LLMCredentialRef = strings.TrimSpace(document.fieldValue(initLLMRuntimeFieldCredentialName))
+	}
 	return draft
 }
 
diff --git a/internal/cmd/credentialcmd/init_menu.go b/internal/cmd/credentialcmd/init_menu.go
index ed2d71a0..223ea18d 100644
--- a/internal/cmd/credentialcmd/init_menu.go
+++ b/internal/cmd/credentialcmd/init_menu.go
@@ -7,7 +7,6 @@ import (
 	"strings"
 
 	tea "github.com/charmbracelet/bubbletea"
-	"github.com/charmbracelet/lipgloss"
 	"golang.org/x/term"
 )
 
@@ -79,23 +78,23 @@ func initMenuItems(prompt initMenuPrompt) []initMenuItem {
 	items := []initMenuItem{
 		{
 			Action:      initMenuActionSecretsManagement,
-			Title:       "Configure secrets management",
-			Description: "Credential-store profiles and default destination",
+			Title:       "Configure secrets storage",
+			Description: "Credential stores for tokens and keys",
 		},
 		{
 			Action:      initMenuActionLLMRuntimes,
 			Title:       "Configure LLM runtimes",
-			Description: initMenuCountDescription(prompt.LLMRuntimeCount, "runtime", "runtimes"),
+			Description: initMenuConfiguredDescription(prompt.LLMRuntimeCount, "runtime", "runtimes", "Model providers and runtime credentials"),
 		},
 		{
 			Action:      initMenuActionReviewerEntities,
 			Title:       "Configure reviewer entities",
-			Description: initMenuCountDescription(prompt.ReviewerEntityCount, "reviewer entity", "reviewer entities"),
+			Description: initMenuConfiguredDescription(prompt.ReviewerEntityCount, "reviewer entity", "reviewer entities", "Reviewer identities and posting credentials"),
 		},
 		{
 			Action:      initMenuActionReviewProfiles,
 			Title:       "Configure review profiles",
-			Description: initMenuCountDescription(prompt.ReviewProfileCount, "profile", "profiles"),
+			Description: initMenuConfiguredDescription(prompt.ReviewProfileCount, "profile", "profiles", "Repository routing and review composition"),
 		},
 		{
 			Action:      initMenuActionGlobalSettings,
@@ -116,12 +115,19 @@ func initMenuItems(prompt initMenuPrompt) []initMenuItem {
 	for index := range items {
 		items[index].Disabled = initMenuDisabledReason(prompt, items[index].Action)
 		if items[index].Disabled != "" {
-			items[index].Description = "Unavailable: " + items[index].Disabled
+			items[index].Description = "Prerequisite: " + items[index].Disabled
 		}
 	}
 	return items
 }
 
+func initMenuConfiguredDescription(count int, singular, plural, zero string) string {
+	if count == 0 {
+		return zero
+	}
+	return initMenuCountDescription(count, singular, plural)
+}
+
 func initMenuCountDescription(count int, singular, plural string) string {
 	if count == 1 {
 		return fmt.Sprintf("1 %s configured", singular)
@@ -131,19 +137,15 @@ func initMenuCountDescription(count int, singular, plural string) string {
 
 func initMenuDisabledReason(prompt initMenuPrompt, action initMenuAction) string {
 	switch action {
-	case initMenuActionLLMRuntimes:
-		if !prompt.CanConfigureLLM {
-			return "configure a review profile before editing LLM runtimes"
-		}
 	case initMenuActionReviewerEntities:
 		if !prompt.CanConfigureReviewer {
 			return "configure a review profile before editing reviewer entities"
 		}
 	case initMenuActionSave:
 		if !prompt.CanSave {
-			return "configure a review profile before committing changes"
+			return "stage changes before committing"
 		}
-	case initMenuActionSecretsManagement, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
+	case initMenuActionSecretsManagement, initMenuActionLLMRuntimes, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
 	}
 	return ""
 }
@@ -187,7 +189,13 @@ func (m *initMenuModel) move(delta int) {
 		return
 	}
 	m.err = ""
-	m.selected = (m.selected + delta + len(m.items)) % len(m.items)
+	for step := 0; step < len(m.items); step++ {
+		next := (m.selected + delta + len(m.items)) % len(m.items)
+		m.selected = next
+		if m.items[next].Disabled == "" {
+			return
+		}
+	}
 }
 
 func (m initMenuModel) View() string {
@@ -199,7 +207,7 @@ func (m initMenuModel) View() string {
 	if strings.TrimSpace(m.desc) != "" {
 		lines = append(lines, initLinearTheme.help.Render(m.desc))
 	}
-	lines = append(lines, "")
+	lines = append(lines, "", initLinearTheme.title.Render("Actions"))
 	for index, item := range m.items {
 		lines = append(lines, m.renderItem(index, item)...)
 	}
@@ -212,19 +220,18 @@ func (m initMenuModel) View() string {
 
 func (m initMenuModel) renderItem(index int, item initMenuItem) []string {
 	selected := index == m.selected
-	titleStyle := lipgloss.NewStyle()
-	if item.Disabled != "" {
-		titleStyle = initLinearTheme.help
-	}
+	prefix := "  [ ] "
 	if selected {
-		titleStyle = initLinearTheme.selected
+		prefix = "> [x] "
 	}
-	caret := " "
-	if selected {
-		caret = initLinearTheme.caret.Render(">")
+	title := prefix + item.Title
+	if item.Disabled != "" {
+		title = initLinearTheme.help.Render(title)
+	} else if selected {
+		title = initLinearStyleSelectedLine(title)
 	}
 	return []string{
-		fmt.Sprintf("%s %s", caret, titleStyle.Render(item.Title)),
-		"  " + initLinearTheme.help.Render(item.Description),
+		title,
+		"      " + initLinearTheme.help.Render(item.Description),
 	}
 }
diff --git a/internal/cmd/credentialcmd/init_onepassword_discovery.go b/internal/cmd/credentialcmd/init_onepassword_discovery.go
new file mode 100644
index 00000000..1df32bdb
--- /dev/null
+++ b/internal/cmd/credentialcmd/init_onepassword_discovery.go
@@ -0,0 +1,589 @@
+package credentialcmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/charmbracelet/huh"
+)
+
+const initOnePasswordManualSelection = "__manual_1password__"
+const initOnePasswordDiscoveryCommandTimeout = 30 * time.Second
+
+type initOnePasswordCommandRunner func(context.Context, string, ...string) ([]byte, error)
+
+type initOnePasswordDiscovery struct {
+	run     initOnePasswordCommandRunner
+	timeout time.Duration
+}
+
+type initOnePasswordDesktopDiscovery struct {
+	Accounts []initOnePasswordDiscoveredAccount
+	Err      error
+}
+
+type initOnePasswordDiscoveredAccount struct {
+	ID        string
+	Name      string
+	URL       string
+	Shorthand string
+	Email     string
+	Vaults    []initOnePasswordDiscoveredVault
+}
+
+type initOnePasswordDiscoveredVault struct {
+	ID   string
+	Name string
+}
+
+type initOnePasswordDesktopSelection struct {
+	AccountID  string
+	AccountURL string
+	VaultID    string
+	VaultName  string
+}
+
+func newInitOnePasswordDiscovery(run initOnePasswordCommandRunner) initOnePasswordDiscovery {
+	if run == nil {
+		run = runInitOnePasswordCommand
+	}
+	return initOnePasswordDiscovery{run: run, timeout: initOnePasswordDiscoveryCommandTimeout}
+}
+
+func (p huhInitKeyringBackendPrompter) discoverOnePasswordDesktop() initOnePasswordDesktopDiscovery {
+	return newInitOnePasswordDiscovery(p.onePasswordCmdRunner).DiscoverDesktop(context.Background())
+}
+
+func runInitOnePasswordCommand(ctx context.Context, name string, args ...string) ([]byte, error) {
+	cmd := exec.CommandContext(ctx, name, args...) // #nosec G204 -- this probe intentionally shells out to the configured 1Password CLI executable.
+	return cmd.Output()
+}
+
+func (d initOnePasswordDiscovery) DiscoverDesktop(ctx context.Context) initOnePasswordDesktopDiscovery {
+	if d.timeout <= 0 {
+		d.timeout = initOnePasswordDiscoveryCommandTimeout
+	}
+
+	accountOutput, err := d.runWithTimeout(ctx, "op", "account", "list", "--format=json")
+	if err != nil {
+		return initOnePasswordDesktopDiscovery{Err: err}
+	}
+	accounts, err := parseInitOnePasswordAccounts(accountOutput)
+	if err != nil {
+		return initOnePasswordDesktopDiscovery{Err: err}
+	}
+	for index := range accounts {
+		accountArg := accounts[index].CommandValue()
+		if accountArg == "" {
+			continue
+		}
+		vaultOutput, err := d.runWithTimeout(ctx, "op", "vault", "list", "--account", accountArg, "--format=json")
+		if err != nil {
+			if accounts[index].Vaults == nil {
+				accounts[index].Vaults = []initOnePasswordDiscoveredVault{}
+			}
+			continue
+		}
+		vaults, err := parseInitOnePasswordVaults(vaultOutput)
+		if err == nil {
+			accounts[index].Vaults = vaults
+		}
+	}
+	return initOnePasswordDesktopDiscovery{Accounts: accounts}
+}
+
+func (d initOnePasswordDiscovery) runWithTimeout(ctx context.Context, name string, args ...string) ([]byte, error) {
+	commandCtx, cancel := context.WithTimeout(ctx, d.timeout)
+	defer cancel()
+	return d.run(commandCtx, name, args...)
+}
+
+func parseInitOnePasswordAccounts(data []byte) ([]initOnePasswordDiscoveredAccount, error) {
+	var raw []map[string]any
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return nil, err
+	}
+	accounts := make([]initOnePasswordDiscoveredAccount, 0, len(raw))
+	for _, item := range raw {
+		account := initOnePasswordDiscoveredAccount{
+			ID:        initOnePasswordStringField(item, "account_uuid", "id", "uuid"),
+			Name:      initOnePasswordStringField(item, "account_name", "name"),
+			URL:       initOnePasswordStringField(item, "url", "account_url", "signin_address"),
+			Shorthand: initOnePasswordStringField(item, "shorthand"),
+			Email:     initOnePasswordStringField(item, "email"),
+		}
+		if account.CommandValue() == "" && account.DisplayName() == "" {
+			continue
+		}
+		accounts = append(accounts, account)
+	}
+	return accounts, nil
+}
+
+func parseInitOnePasswordVaults(data []byte) ([]initOnePasswordDiscoveredVault, error) {
+	var raw []map[string]any
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return nil, err
+	}
+	vaults := make([]initOnePasswordDiscoveredVault, 0, len(raw))
+	for _, item := range raw {
+		vault := initOnePasswordDiscoveredVault{
+			ID:   initOnePasswordStringField(item, "id", "uuid"),
+			Name: initOnePasswordStringField(item, "name"),
+		}
+		if vault.ID == "" && vault.Name == "" {
+			continue
+		}
+		vaults = append(vaults, vault)
+	}
+	sort.SliceStable(vaults, func(i, j int) bool {
+		return initOnePasswordVaultLess(vaults[i], vaults[j])
+	})
+	return vaults, nil
+}
+
+func initOnePasswordVaultLess(left, right initOnePasswordDiscoveredVault) bool {
+	leftRank := initOnePasswordVaultPriorityRank(left)
+	rightRank := initOnePasswordVaultPriorityRank(right)
+	if leftRank != rightRank {
+		return leftRank < rightRank
+	}
+	leftName := strings.ToLower(left.DisplayName())
+	rightName := strings.ToLower(right.DisplayName())
+	if leftName != rightName {
+		return leftName < rightName
+	}
+	return left.DisplayName() < right.DisplayName()
+}
+
+func initOnePasswordVaultPriorityRank(vault initOnePasswordDiscoveredVault) int {
+	switch strings.ToLower(strings.TrimSpace(vault.DisplayName())) {
+	case "employee":
+		return 0
+	case "private":
+		return 1
+	default:
+		return 2
+	}
+}
+
+func initOnePasswordStringField(item map[string]any, names ...string) string {
+	for _, name := range names {
+		value, ok := item[name]
+		if !ok {
+			continue
+		}
+		switch typed := value.(type) {
+		case string:
+			if trimmed := strings.TrimSpace(typed); trimmed != "" {
+				return trimmed
+			}
+		case fmt.Stringer:
+			if trimmed := strings.TrimSpace(typed.String()); trimmed != "" {
+				return trimmed
+			}
+		}
+	}
+	return ""
+}
+
+func (a initOnePasswordDiscoveredAccount) CommandValue() string {
+	for _, value := range []string{a.ID, a.URL, a.Shorthand, a.Email, a.Name} {
+		if trimmed := strings.TrimSpace(value); trimmed != "" {
+			return trimmed
+		}
+	}
+	return ""
+}
+
+func (a initOnePasswordDiscoveredAccount) DisplayName() string {
+	for _, value := range []string{a.URL, a.Name, a.Shorthand, a.Email, a.ID} {
+		if trimmed := strings.TrimSpace(value); trimmed != "" {
+			return trimmed
+		}
+	}
+	return ""
+}
+
+func (a initOnePasswordDiscoveredAccount) Label() string {
+	return a.DisplayName()
+}
+
+func (v initOnePasswordDiscoveredVault) DisplayName() string {
+	for _, value := range []string{v.Name, v.ID} {
+		if trimmed := strings.TrimSpace(value); trimmed != "" {
+			return trimmed
+		}
+	}
+	return ""
+}
+
+func (d initOnePasswordDesktopDiscovery) HasVaultChoices() bool {
+	for _, account := range d.Accounts {
+		if len(account.Vaults) > 0 {
+			return true
+		}
+	}
+	return false
+}
+
+func (d initOnePasswordDesktopDiscovery) HasAccountChoices() bool {
+	return d.AccountChoiceCount() > 0
+}
+
+func (d initOnePasswordDesktopDiscovery) Counts() (int, int) {
+	vaults := 0
+	for _, account := range d.Accounts {
+		vaults += len(account.Vaults)
+	}
+	return len(d.Accounts), vaults
+}
+
+func (d initOnePasswordDesktopDiscovery) AccountChoiceCount() int {
+	count := 0
+	for _, account := range d.Accounts {
+		if account.Label() != "" {
+			count++
+		}
+	}
+	return count
+}
+
+func (d initOnePasswordDesktopDiscovery) AccountOptions() []huh.Option[string] {
+	if !d.HasAccountChoices() {
+		return []huh.Option[string]{huh.NewOption("Enter account and vault manually", initOnePasswordManualSelection)}
+	}
+	options := []huh.Option[string]{}
+	for accountIndex, account := range d.Accounts {
+		label := account.Label()
+		if label == "" {
+			continue
+		}
+		options = append(options, huh.NewOption(label, initOnePasswordDesktopAccountSelectionValue(accountIndex)))
+	}
+	if len(options) != 1 {
+		options = append(options, huh.NewOption("Enter account and vault manually", initOnePasswordManualSelection))
+	}
+	return options
+}
+
+func (d initOnePasswordDesktopDiscovery) LinearAccountOptions(selected string) []initLinearOption {
+	selected = d.normalizeAccountSelection(selected)
+	options := initLinearOptionsFromHuh(d.AccountOptions(), selected)
+	if len(options) == 0 {
+		return []initLinearOption{{
+			Label:    "Enter account and vault manually",
+			Value:    initOnePasswordManualSelection,
+			Selected: true,
+		}}
+	}
+	return options
+}
+
+func (d initOnePasswordDesktopDiscovery) VaultOptions(accountSelection string) []huh.Option[string] {
+	account, ok := d.Account(accountSelection)
+	if !ok || len(account.Vaults) == 0 {
+		return []huh.Option[string]{huh.NewOption("Enter vault manually", initOnePasswordManualSelection)}
+	}
+	options := []huh.Option[string]{}
+	for vaultIndex, vault := range account.Vaults {
+		label := vault.DisplayName()
+		if label == "" {
+			continue
+		}
+		options = append(options, huh.NewOption(label, initOnePasswordDesktopVaultSelectionValue(vaultIndex)))
+	}
+	options = append(options, huh.NewOption("Enter vault manually", initOnePasswordManualSelection))
+	return options
+}
+
+func (d initOnePasswordDesktopDiscovery) LinearVaultOptions(accountSelection, selected string) []initLinearOption {
+	accountSelection = d.normalizeAccountSelection(accountSelection)
+	selected = d.normalizeVaultSelection(accountSelection, selected)
+	options := initLinearOptionsFromHuh(d.VaultOptions(accountSelection), selected)
+	if len(options) == 0 {
+		return []initLinearOption{{
+			Label:    "Enter vault manually",
+			Value:    initOnePasswordManualSelection,
+			Selected: true,
+		}}
+	}
+	return options
+}
+
+func (d initOnePasswordDesktopDiscovery) Options() []huh.Option[string] {
+	if !d.HasVaultChoices() {
+		return []huh.Option[string]{huh.NewOption("Enter account and vault manually", initOnePasswordManualSelection)}
+	}
+	options := []huh.Option[string]{}
+	for accountIndex, account := range d.Accounts {
+		accountLabel := account.DisplayName()
+		for vaultIndex, vault := range account.Vaults {
+			vaultLabel := vault.DisplayName()
+			if vaultLabel == "" {
+				continue
+			}
+			label := vaultLabel
+			if accountLabel != "" {
+				label = fmt.Sprintf("%s (%s)", vaultLabel, accountLabel)
+			}
+			options = append(options, huh.NewOption(label, initOnePasswordDesktopSelectionValue(accountIndex, vaultIndex)))
+		}
+	}
+	options = append(options, huh.NewOption("Enter account and vault manually", initOnePasswordManualSelection))
+	return options
+}
+
+func (d initOnePasswordDesktopDiscovery) LinearOptions(selected string) []initLinearOption {
+	return initLinearOptionsFromHuh(d.Options(), selected)
+}
+
+func (d initOnePasswordDesktopDiscovery) Account(value string) (initOnePasswordDiscoveredAccount, bool) {
+	accountIndex, ok := parseInitOnePasswordDesktopAccountSelectionValue(value)
+	if !ok || accountIndex < 0 || accountIndex >= len(d.Accounts) {
+		return initOnePasswordDiscoveredAccount{}, false
+	}
+	account := d.Accounts[accountIndex]
+	return account, true
+}
+
+func (d initOnePasswordDesktopDiscovery) AccountVaultSelection(accountSelection, vaultSelection string) (initOnePasswordDesktopSelection, bool) {
+	accountIndex, ok := parseInitOnePasswordDesktopAccountSelectionValue(accountSelection)
+	if !ok || accountIndex < 0 || accountIndex >= len(d.Accounts) {
+		return initOnePasswordDesktopSelection{}, false
+	}
+	account := d.Accounts[accountIndex]
+	vaultIndex, ok := parseInitOnePasswordDesktopVaultSelectionValue(vaultSelection)
+	if !ok || vaultIndex < 0 || vaultIndex >= len(account.Vaults) {
+		return initOnePasswordDesktopSelection{}, false
+	}
+	vault := account.Vaults[vaultIndex]
+	return initOnePasswordDesktopSelection{
+		AccountID:  account.ID,
+		AccountURL: account.URL,
+		VaultID:    vault.ID,
+		VaultName:  vault.Name,
+	}, true
+}
+
+func (d initOnePasswordDesktopDiscovery) AccountSelection(accountSelection string) (initOnePasswordDesktopSelection, bool) {
+	accountIndex, ok := parseInitOnePasswordDesktopAccountSelectionValue(accountSelection)
+	if !ok || accountIndex < 0 || accountIndex >= len(d.Accounts) {
+		return initOnePasswordDesktopSelection{}, false
+	}
+	account := d.Accounts[accountIndex]
+	return initOnePasswordDesktopSelection{
+		AccountID:  account.ID,
+		AccountURL: account.URL,
+	}, true
+}
+
+func (d initOnePasswordDesktopDiscovery) Selection(value string) (initOnePasswordDesktopSelection, bool) {
+	accountIndex, vaultIndex, ok := parseInitOnePasswordDesktopSelectionValue(value)
+	if !ok || accountIndex < 0 || accountIndex >= len(d.Accounts) {
+		return initOnePasswordDesktopSelection{}, false
+	}
+	account := d.Accounts[accountIndex]
+	if vaultIndex < 0 || vaultIndex >= len(account.Vaults) {
+		return initOnePasswordDesktopSelection{}, false
+	}
+	vault := account.Vaults[vaultIndex]
+	return initOnePasswordDesktopSelection{
+		AccountID:  account.ID,
+		AccountURL: account.URL,
+		VaultID:    vault.ID,
+		VaultName:  vault.Name,
+	}, true
+}
+
+func (d initOnePasswordDesktopDiscovery) AccountSelectionFor(accountID, accountURL string) string {
+	accountID = strings.TrimSpace(accountID)
+	accountURL = strings.TrimSpace(accountURL)
+	for accountIndex, account := range d.Accounts {
+		if accountID != "" && account.ID == accountID {
+			return initOnePasswordDesktopAccountSelectionValue(accountIndex)
+		}
+		if accountURL != "" && account.URL == accountURL {
+			return initOnePasswordDesktopAccountSelectionValue(accountIndex)
+		}
+	}
+	if accountID == "" && accountURL == "" {
+		for accountIndex, account := range d.Accounts {
+			if account.Label() != "" {
+				return initOnePasswordDesktopAccountSelectionValue(accountIndex)
+			}
+		}
+	}
+	return initOnePasswordManualSelection
+}
+
+func (d initOnePasswordDesktopDiscovery) VaultSelectionFor(accountSelection, vaultID, vaultName string) string {
+	account, ok := d.Account(accountSelection)
+	if !ok {
+		return initOnePasswordManualSelection
+	}
+	vaultID = strings.TrimSpace(vaultID)
+	vaultName = strings.TrimSpace(vaultName)
+	for vaultIndex, vault := range account.Vaults {
+		if vaultID != "" && vault.ID == vaultID {
+			return initOnePasswordDesktopVaultSelectionValue(vaultIndex)
+		}
+		if vaultName != "" && vault.Name == vaultName {
+			return initOnePasswordDesktopVaultSelectionValue(vaultIndex)
+		}
+	}
+	if vaultID == "" && vaultName == "" && len(account.Vaults) > 0 {
+		return initOnePasswordDesktopVaultSelectionValue(0)
+	}
+	return initOnePasswordManualSelection
+}
+
+func (d initOnePasswordDesktopDiscovery) GeneratedDesktopCredentialStoreLabel(value string) bool {
+	value = strings.TrimSpace(value)
+	if value == "" || value == "1Password" {
+		return true
+	}
+	for _, account := range d.Accounts {
+		if value == initOnePasswordDesktopCredentialStoreLabel(account) {
+			return true
+		}
+	}
+	return false
+}
+
+func initOnePasswordDesktopCredentialStoreLabel(account initOnePasswordDiscoveredAccount) string {
+	token := initOnePasswordAccountLabelToken(account.URL)
+	if token == "" {
+		token = initOnePasswordAccountLabelToken(account.DisplayName())
+	}
+	if token == "" {
+		return "1Password"
+	}
+	if strings.EqualFold(token, "my") {
+		token = "Personal"
+	}
+	return "1Password-" + token
+}
+
+func initOnePasswordAccountLabelToken(value string) string {
+	host := strings.TrimSpace(value)
+	host = strings.TrimPrefix(strings.TrimPrefix(host, "https://"), "http://")
+	if slash := strings.Index(host, "/"); slash >= 0 {
+		host = host[:slash]
+	}
+	host = strings.TrimSpace(host)
+	if host == "" {
+		return ""
+	}
+	if colon := strings.Index(host, ":"); colon >= 0 {
+		host = host[:colon]
+	}
+	if dot := strings.Index(host, "."); dot >= 0 {
+		host = host[:dot]
+	}
+	return strings.TrimSpace(host)
+}
+
+func (d initOnePasswordDesktopDiscovery) SelectionFor(accountID, accountURL, vaultID, vaultName string) string {
+	accountID = strings.TrimSpace(accountID)
+	accountURL = strings.TrimSpace(accountURL)
+	vaultID = strings.TrimSpace(vaultID)
+	vaultName = strings.TrimSpace(vaultName)
+	for accountIndex, account := range d.Accounts {
+		accountMatches := accountID == "" && accountURL == ""
+		if accountID != "" && account.ID == accountID {
+			accountMatches = true
+		}
+		if accountURL != "" && account.URL == accountURL {
+			accountMatches = true
+		}
+		if !accountMatches {
+			continue
+		}
+		for vaultIndex, vault := range account.Vaults {
+			if vaultID != "" && vault.ID == vaultID {
+				return initOnePasswordDesktopSelectionValue(accountIndex, vaultIndex)
+			}
+			if vaultName != "" && vault.Name == vaultName {
+				return initOnePasswordDesktopSelectionValue(accountIndex, vaultIndex)
+			}
+		}
+	}
+	return initOnePasswordManualSelection
+}
+
+func (d initOnePasswordDesktopDiscovery) normalizeAccountSelection(selected string) string {
+	if selected == initOnePasswordManualSelection && d.AccountChoiceCount() != 1 {
+		return selected
+	}
+	if _, ok := d.Account(selected); ok {
+		return selected
+	}
+	return d.AccountSelectionFor("", "")
+}
+
+func (d initOnePasswordDesktopDiscovery) normalizeVaultSelection(accountSelection, selected string) string {
+	if selected == initOnePasswordManualSelection {
+		return selected
+	}
+	if _, ok := d.AccountVaultSelection(accountSelection, selected); ok {
+		return selected
+	}
+	return d.VaultSelectionFor(accountSelection, "", "")
+}
+
+func initOnePasswordDesktopSelectionValue(accountIndex, vaultIndex int) string {
+	return strconv.Itoa(accountIndex) + ":" + strconv.Itoa(vaultIndex)
+}
+
+func initOnePasswordDesktopAccountSelectionValue(accountIndex int) string {
+	return strconv.Itoa(accountIndex)
+}
+
+func initOnePasswordDesktopVaultSelectionValue(vaultIndex int) string {
+	return strconv.Itoa(vaultIndex)
+}
+
+func parseInitOnePasswordDesktopAccountSelectionValue(value string) (int, bool) {
+	if strings.TrimSpace(value) == "" || value == initOnePasswordManualSelection {
+		return 0, false
+	}
+	accountIndex, err := strconv.Atoi(value)
+	if err != nil {
+		return 0, false
+	}
+	return accountIndex, true
+}
+
+func parseInitOnePasswordDesktopVaultSelectionValue(value string) (int, bool) {
+	if strings.TrimSpace(value) == "" || value == initOnePasswordManualSelection {
+		return 0, false
+	}
+	vaultIndex, err := strconv.Atoi(value)
+	if err != nil {
+		return 0, false
+	}
+	return vaultIndex, true
+}
+
+func parseInitOnePasswordDesktopSelectionValue(value string) (int, int, bool) {
+	parts := strings.Split(value, ":")
+	if len(parts) != 2 {
+		return 0, 0, false
+	}
+	accountIndex, err := strconv.Atoi(parts[0])
+	if err != nil {
+		return 0, 0, false
+	}
+	vaultIndex, err := strconv.Atoi(parts[1])
+	if err != nil {
+		return 0, 0, false
+	}
+	return accountIndex, vaultIndex, true
+}
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 5e4549a3..ba2fd801 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/root"
 	"github.com/open-cli-collective/codereview-cli/internal/config"
+	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 )
 
 type bubbleTeaInitProfileV2Prompter struct {
@@ -32,6 +33,17 @@ func newBubbleTeaInitProfileV2Prompter(opts *root.Options) initPrompter {
 }
 
 func (p bubbleTeaInitProfileV2Prompter) Run(ctx initPromptContext) (initDraft, error) {
+	if initProfileV2ShouldCreateDirectly(ctx) {
+		draft, staged, err := p.runProfileEditor(ctx, initCreateProfileSentinel)
+		if err != nil {
+			return initDraft{}, err
+		}
+		if staged {
+			return draft, nil
+		}
+		return initDraft{}, errInitNavigateBack
+	}
+
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
 			Title:       "Review Profile",
@@ -64,6 +76,10 @@ func (p bubbleTeaInitProfileV2Prompter) Run(ctx initPromptContext) (initDraft, e
 	}
 }
 
+func initProfileV2ShouldCreateDirectly(ctx initPromptContext) bool {
+	return len(ctx.ExistingProfileNames) == 0 && len(ctx.PendingProfileDeletes) == 0
+}
+
 func (p bubbleTeaInitProfileV2Prompter) runInventory(prompt initInventoryPrompt) (initInventoryResult, error) {
 	runner := p.inventoryRunner
 	if runner == nil {
@@ -163,6 +179,7 @@ type initProfileV2ReadOnlyModel struct {
 	gitScopes                  map[string]initGitScopeDraft
 	reviewerEntities           map[string]initReviewerEntityDraft
 	llmRuntimes                map[string]initLLMRuntimeDraft
+	credentialStoreOptions     []huh.Option[string]
 	selectedGitScope           string
 	initialGitStorageLabel     string
 	gitStorageLabelUsesDefault bool
@@ -188,6 +205,7 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 		gitScopes:                  maps.Clone(editor.GitScopes),
 		reviewerEntities:           maps.Clone(editor.ReviewerEntities),
 		llmRuntimes:                maps.Clone(editor.LLMRuntimes),
+		credentialStoreOptions:     append([]huh.Option[string](nil), editor.CredentialStoreOptions...),
 		selectedGitScope:           editor.SelectedGitScope,
 		initialGitStorageLabel:     editor.InitialGitStorageLabel,
 		gitStorageLabelUsesDefault: editor.GitStorageLabelUsesDefault,
@@ -195,6 +213,7 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 		focused:                    editor.Document.firstFocusableField(),
 	}
 	model.syncGitScopeFields()
+	model.syncLLMCredentialFields(false)
 	model.syncModelMapFields()
 	model.validateAll()
 	model.relayout()
@@ -304,7 +323,7 @@ func initProfileV2ReadOnlyDocument(ctx initPromptContext, selection string) (ini
 
 func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initProfileV2Editor, error) {
 	selectedProfileName, selectedExistingProfile, requestedProfileName := initProfileV2Selection(ctx, selection)
-	draft := seedInteractiveInitDraft(requestedProfileName, selectedProfileName, ctx.DefaultProfileName, selectedExistingProfile)
+	draft := seedInteractiveInitDraft(requestedProfileName, selectedProfileName, selectedExistingProfile)
 	routeText := formatInitRouteSpecs(currentProfileRouteSpecs(ctx.ExistingConfig.RepositoryProfiles, selectedProfileName))
 
 	selectedGitScope := ctx.ProfileGitScopes[selectedProfileName]
@@ -312,9 +331,10 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 		selectedGitScope = initCustomGitScopeSelection
 	}
 	selectedGit := initGitScopeDraft{
-		Host:          draft.GitHost,
-		AuthMode:      config.GitAuthMode(draft.GitAuth),
-		CredentialRef: strings.TrimSpace(draft.GitCredentialRef),
+		Host:            draft.GitHost,
+		AuthMode:        config.GitAuthMode(draft.GitAuth),
+		CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
+		CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
 	}
 	if scopeName := ctx.ProfileGitScopes[selectedProfileName]; scopeName != "" {
 		if scope, ok := ctx.GitScopes[scopeName]; ok {
@@ -344,25 +364,35 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	}
 	gitStorageLabel := initEffectiveStorageLabelValue(draft.GitCredentialRef, standardGitCredentialRef)
 	gitStorageLabelUsesDefault := initStorageLabelUsesDefault(gitStorageLabel, standardGitCredentialRef)
+	standardLLMCredentialRef, err := initStandardLLMCredentialRef(draft.ProfileName, selectedLLMRuntime, llmRuntimes)
+	if err != nil {
+		return initProfileV2Editor{}, err
+	}
+	if strings.TrimSpace(draft.LLMCredentialRef) == "" {
+		draft.LLMCredentialRef = standardLLMCredentialRef
+	}
+	storeOptions := initCredentialStoreOptions(ctx.ExistingConfig)
 
 	var document initProfileV2Document
-	document.addSection("Profile", "")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", draft.ProfileName, validateProfileName)
+	document.addSection("Review profile", "Repository routing and review composition.")
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", draft.ProfileName, validateProfileName)
 	initProfileV2AppendRouteSection(&document, routeText)
 	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(ctx.GitScopes), draft, selectedGitScope == initCustomGitScopeSelection || len(ctx.GitScopes) > 1)
 	document.addEditableSelect(initProfileV2FieldReviewerEntity, "Reviewer entity", reviewerEntitySelectionDescription(), reviewerEntityOptions, selectedReviewerEntity)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
+	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
 	initProfileV2AppendModelMapSection(&document, modelMapLLM, draft.ModelMap)
 	initProfileV2AppendAgentSourcesSection(&document, draft.AgentSources)
 	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy)
-	initProfileV2AppendGitStorageSection(&document, gitStorageLabel)
+	initProfileV2AppendGitStorageSection(&document, storeOptions, draft.GitCredentialStore, gitStorageLabel)
 	initProfileV2AppendProfileActionSection(&document)
 	return initProfileV2Editor{
 		Draft:                      draft,
 		GitScopes:                  maps.Clone(ctx.GitScopes),
 		ReviewerEntities:           maps.Clone(ctx.ReviewerEntities),
 		LLMRuntimes:                maps.Clone(llmRuntimes),
+		CredentialStoreOptions:     storeOptions,
 		SelectedGitScope:           selectedGitScope,
 		InitialGitStorageLabel:     gitStorageLabel,
 		GitStorageLabelUsesDefault: gitStorageLabelUsesDefault,
@@ -390,21 +420,25 @@ const (
 )
 
 const (
-	initProfileV2FieldProfileName       initProfileV2FieldID = "profile_name"
-	initProfileV2FieldRoutes            initProfileV2FieldID = "routes"
-	initProfileV2FieldGitScope          initProfileV2FieldID = "git_scope"
-	initProfileV2FieldGitHost           initProfileV2FieldID = "git_host"
-	initProfileV2FieldGitAuth           initProfileV2FieldID = "git_auth"
-	initProfileV2FieldReviewerEntity    initProfileV2FieldID = "reviewer_entity"
-	initProfileV2FieldLLMRuntime        initProfileV2FieldID = "llm_runtime"
-	initProfileV2FieldReviewerModelTier initProfileV2FieldID = "reviewer_model_tier"
-	initProfileV2FieldAgentSources      initProfileV2FieldID = "agent_sources"
-	initProfileV2FieldReviewMajorEvent  initProfileV2FieldID = "review_major_event"
-	initProfileV2FieldSelfApprove       initProfileV2FieldID = "self_approve"
-	initProfileV2FieldResolveThreads    initProfileV2FieldID = "resolve_threads"
-	initProfileV2FieldResolveAfter      initProfileV2FieldID = "resolve_after"
-	initProfileV2FieldGitStorageLabel   initProfileV2FieldID = "git_storage_label"
-	initProfileV2FieldProfileAction     initProfileV2FieldID = "profile_action"
+	initProfileV2FieldProfileName          initProfileV2FieldID = "profile_name"
+	initProfileV2FieldRoutes               initProfileV2FieldID = "routes"
+	initProfileV2FieldGitScope             initProfileV2FieldID = "git_scope"
+	initProfileV2FieldGitHost              initProfileV2FieldID = "git_host"
+	initProfileV2FieldGitAuth              initProfileV2FieldID = "git_auth"
+	initProfileV2FieldReviewerEntity       initProfileV2FieldID = "reviewer_entity"
+	initProfileV2FieldLLMRuntime           initProfileV2FieldID = "llm_runtime"
+	initProfileV2FieldReviewerModelTier    initProfileV2FieldID = "reviewer_model_tier"
+	initProfileV2FieldAgentSources         initProfileV2FieldID = "agent_sources"
+	initProfileV2FieldReviewMajorEvent     initProfileV2FieldID = "review_major_event"
+	initProfileV2FieldSelfApprove          initProfileV2FieldID = "self_approve"
+	initProfileV2FieldResolveThreads       initProfileV2FieldID = "resolve_threads"
+	initProfileV2FieldResolveAfter         initProfileV2FieldID = "resolve_after"
+	initProfileV2FieldGitCredentialStore   initProfileV2FieldID = "git_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldGitCredentialName    initProfileV2FieldID = "git_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMCredentialSection initProfileV2FieldID = "llm_credentials_section"
+	initProfileV2FieldLLMCredentialStore   initProfileV2FieldID = "llm_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMCredentialName    initProfileV2FieldID = "llm_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldProfileAction        initProfileV2FieldID = "profile_action"
 )
 
 func initProfileV2FieldModelMap(tier config.ModelTier) initProfileV2FieldID {
@@ -416,6 +450,7 @@ type initProfileV2Editor struct {
 	GitScopes                  map[string]initGitScopeDraft
 	ReviewerEntities           map[string]initReviewerEntityDraft
 	LLMRuntimes                map[string]initLLMRuntimeDraft
+	CredentialStoreOptions     []huh.Option[string]
 	SelectedGitScope           string
 	InitialGitStorageLabel     string
 	GitStorageLabelUsesDefault bool
@@ -429,9 +464,8 @@ type initProfileV2Layout = initLinearLayout
 type initProfileV2FieldBounds = initLinearFieldBounds
 
 func initProfileV2AppendRouteSection(document *initProfileV2Document, routeText string) {
-	document.addSection("Automatic profile selection", "Routes tell cr when to use this profile automatically. Explicit --profile still wins; otherwise matching routes beat the default profile.")
-	document.addSection("Accepted route formats", "host/namespace, host/namespace/repo, host/namespace [repo1, repo2], or a GitHub PR URL. Leave blank to remove all routes for this profile. Examples:\ngithub.com/YourOrg\ngithub.com/YourUsername [RepoA, RepoB] (will not match on RepoC)\ngithub.com/YourOrg/org-repo/pull/123\nSeparate multiple entries with ;.")
-	document.addEditableInput(initProfileV2FieldRoutes, "Route entries", "", routeText, validateInitProfileV2RouteText)
+	document.addSection("Automatic profile selection", "Routes tell cr when to use this profile automatically. Explicit --profile still wins.")
+	document.addEditableInput(initProfileV2FieldRoutes, "Route entries", "Examples: github.com/YourOrg; github.com/YourOrg/repo; github.com/YourOrg [RepoA, RepoB]. Leave blank for explicit --profile selection only.", routeText, validateInitProfileV2RouteText)
 }
 
 func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selectedScope string, scopeOptions []huh.Option[string], draft initDraft, visible bool) {
@@ -439,9 +473,9 @@ func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selecte
 		return
 	}
 	customHidden := selectedScope != initCustomGitScopeSelection
-	document.addSection("Git scope", "Choose an existing Git scope for this profile or configure custom Git host/auth settings.")
+	document.addSection("Git scope", "Choose an existing Git scope or configure host/auth settings for this profile.")
 	document.addEditableSelect(initProfileV2FieldGitScope, "Git scope", "", scopeOptions, selectedScope)
-	document.addEditableInput(initProfileV2FieldGitHost, "Git scope host", "The Git host this review profile applies to, such as github.com or github.mycompany.com.", draft.GitHost, validateRequiredText("git host is required"), initProfileV2FieldOptions{Hidden: customHidden})
+	document.addEditableInput(initProfileV2FieldGitHost, "Git scope host", "Git host this review profile applies to, such as github.com or github.mycompany.com.", draft.GitHost, validateRequiredText("git host is required"), initProfileV2FieldOptions{Hidden: customHidden})
 	document.addEditableSelect(initProfileV2FieldGitAuth, "Git scope auth mode", "", []huh.Option[string]{
 		huh.NewOption("Personal access token", string(config.GitAuthModePAT)),
 		huh.NewOption("GitHub App", string(config.GitAuthModeGitHubApp)),
@@ -461,7 +495,7 @@ func initProfileV2AppendModelMapSection(document *initProfileV2Document, llm con
 }
 
 func initProfileV2AppendAgentSourcesSection(document *initProfileV2Document, sources []string) {
-	document.addSection("Additional reviewer-agent directories (optional)", "Add local directories that contain custom reviewer agent definitions for this profile. These profile-specific directories are loaded alongside repo-local agents under <repo>/.codereview/agents and any per-run --agents-dir sources.")
+	document.addSection("Additional reviewer-agent directories (optional)", "Profile-specific reviewer agent directories loaded alongside repo-local and per-run agent sources.")
 	document.addEditableTextarea(initProfileV2FieldAgentSources, "Additional trusted reviewer-agent directories", "Paths are deduplicated and normalized before save.", strings.Join(sources, "\n"))
 }
 
@@ -469,7 +503,7 @@ func initProfileV2AppendReviewPolicySection(document *initProfileV2Document, pol
 	if policy.MajorEvent == "" {
 		policy.MajorEvent = config.ReviewMajorEventComment
 	}
-	document.addSection("Review Policy", "")
+	document.addSection("Review policy", "Choose how cr posts major findings and handles review threads.")
 	document.addEditableSelect(initProfileV2FieldReviewMajorEvent, "Major findings event", "", []huh.Option[string]{
 		huh.NewOption("Comment", string(config.ReviewMajorEventComment)),
 		huh.NewOption("Request changes", string(config.ReviewMajorEventRequestChanges)),
@@ -483,13 +517,41 @@ func initProfileV2AppendReviewPolicySection(document *initProfileV2Document, pol
 	document.addEditableInput(initProfileV2FieldResolveAfter, "Resolve-after duration", "Optional. Leave blank to clear. Example: 24h or 30m.", policy.ResolveAfter, validateOptionalDuration)
 }
 
-func initProfileV2AppendGitStorageSection(document *initProfileV2Document, gitStorageLabel string) {
+func initProfileV2AppendGitStorageSection(document *initProfileV2Document, storeOptions []huh.Option[string], storeID string, credentialName string) {
+	document.addSection("Git credentials", "Choose where this profile's Git credentials are stored. The credential name is the full codereview/... path written to the selected store.")
+	document.addEditableSelect(
+		initProfileV2FieldGitCredentialStore,
+		"Git credential store",
+		"",
+		storeOptions,
+		normalizeInitStringSelectionValue(initCredentialStoreDraftValue(storeID), storeOptions),
+	)
+	document.addEditableInput(
+		initProfileV2FieldGitCredentialName,
+		"Git credential name",
+		"Full credential name under the selected store.",
+		credentialName,
+		validateRequiredCredentialRef,
+	)
+}
+
+func initProfileV2AppendLLMStorageSection(document *initProfileV2Document, storeOptions []huh.Option[string], storeID string, credentialName string, hidden bool) {
+	document.addSectionField(initProfileV2FieldLLMCredentialSection, "LLM API key credentials", "Choose where this profile's LLM API key is stored.", initLinearFieldOptions{Hidden: hidden})
+	document.addEditableSelect(
+		initProfileV2FieldLLMCredentialStore,
+		"LLM credential store",
+		"",
+		storeOptions,
+		normalizeInitStringSelectionValue(initCredentialStoreDraftValue(storeID), storeOptions),
+		initLinearFieldOptions{Hidden: hidden},
+	)
 	document.addEditableInput(
-		initProfileV2FieldGitStorageLabel,
-		"Git secrets storage label",
-		"Edit only if this profile should use a different Git secret location than the selected Git scope's default. Useful for advanced deployment scenarios. Leave unchanged if you're unsure.",
-		gitStorageLabel,
-		validateOptionalCredentialRef,
+		initProfileV2FieldLLMCredentialName,
+		"LLM credential name",
+		"Full credential name under the selected store.",
+		credentialName,
+		validateRequiredCredentialRef,
+		initLinearFieldOptions{Hidden: hidden},
 	)
 }
 
@@ -642,6 +704,7 @@ func (m *initProfileV2ReadOnlyModel) afterFieldChange(index int) {
 		return
 	}
 	if id == initProfileV2FieldLLMRuntime {
+		m.syncLLMCredentialFields(true)
 		m.syncModelMapFields()
 	}
 }
@@ -696,6 +759,14 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 	} else {
 		applyGitScopeSelection(&draft, selectedGitScope, m.gitScopes)
 	}
+	if m.document.fieldIndexByID(initProfileV2FieldGitCredentialName) >= 0 {
+		gitName := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldGitCredentialName))
+		if err := validateRequiredCredentialRef(gitName); err != nil {
+			return draft, err
+		}
+		draft.GitCredentialStore = initCredentialStoreDraftValue(m.document.selectedValue(initProfileV2FieldGitCredentialStore))
+		draft.GitCredentialRef = gitName
+	}
 	if _, err := applyInitProfileRoutes(nil, draft.ProfileName, draft.GitHost, routes); err != nil {
 		return draft, err
 	}
@@ -714,6 +785,17 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 		selectedRuntimePreset := string(initLLMRuntimeDraftFromSeedDraft(draft).Preset)
 		applyLLMRuntimeSelection(&draft, selectedRuntimePreset)
 	}
+	if config.LLMAuth(draft.LLMAuth) == config.LLMAuthAPIKey {
+		llmName := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldLLMCredentialName))
+		if err := validateRequiredCredentialRef(llmName); err != nil {
+			return draft, err
+		}
+		draft.LLMCredentialStore = initCredentialStoreDraftValue(m.document.selectedValue(initProfileV2FieldLLMCredentialStore))
+		draft.LLMCredentialRef = llmName
+	} else {
+		draft.LLMCredentialStore = initCredentialStoreDefaultID()
+		draft.LLMCredentialRef = ""
+	}
 	if err := m.normalizeStorageLabels(&draft, selectedGitScope, selectedReviewerEntity, selectedLLMRuntime); err != nil {
 		return draft, err
 	}
@@ -750,44 +832,8 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 	return draft, nil
 }
 
-func (m initProfileV2ReadOnlyModel) normalizeStorageLabels(draft *initDraft, selectedGitScope, selectedReviewerEntity, selectedLLMRuntime string) error {
-	if m.document.fieldIndexByID(initProfileV2FieldGitStorageLabel) < 0 {
-		return nil
-	}
-	gitValue := m.document.fieldValue(initProfileV2FieldGitStorageLabel)
-	if err := validateOptionalCredentialRef(gitValue); err != nil {
-		return err
-	}
-	standardGitRef, err := initStandardGitCredentialRef(draft.ProfileName, selectedGitScope, m.gitScopes)
-	if err != nil {
-		return err
-	}
-	gitUsesDefault := initStorageLabelUsesDefault(gitValue, standardGitRef)
-	if !gitUsesDefault && m.gitStorageLabelUsesDefault && strings.TrimSpace(gitValue) == strings.TrimSpace(m.initialGitStorageLabel) {
-		gitUsesDefault = true
-	}
-	standardReviewerRef, err := initStandardReviewerCredentialRef(draft.ProfileName, selectedReviewerEntity, m.reviewerEntities)
-	if err != nil {
-		return err
-	}
-	standardLLMRef, err := initStandardLLMCredentialRef(draft.ProfileName, selectedLLMRuntime, m.llmRuntimes)
-	if err != nil {
-		return err
-	}
-	return normalizeInitProfileStorageLabels(draft, selectedGitScope, selectedReviewerEntity, selectedLLMRuntime, m.gitScopes, m.reviewerEntities, m.llmRuntimes, initStorageLabelNormalizationInput{
-		Git: initStorageLabelFieldState{
-			Value:       gitValue,
-			UsesDefault: gitUsesDefault,
-		},
-		Reviewer: initStorageLabelFieldState{
-			Value:       draft.ReviewerCredentialRef,
-			UsesDefault: initStorageLabelUsesDefault(draft.ReviewerCredentialRef, standardReviewerRef),
-		},
-		LLM: initStorageLabelFieldState{
-			Value:       draft.LLMCredentialRef,
-			UsesDefault: initStorageLabelUsesDefault(draft.LLMCredentialRef, standardLLMRef),
-		},
-	})
+func (m initProfileV2ReadOnlyModel) normalizeStorageLabels(*initDraft, string, string, string) error {
+	return nil
 }
 
 func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
@@ -804,6 +850,10 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 		if scope, ok := m.gitScopes[selectedGitScope]; ok {
 			m.setFieldValue(initProfileV2FieldGitHost, scope.Host)
 			m.selectFieldValue(initProfileV2FieldGitAuth, string(scope.AuthMode))
+			m.selectFieldValue(initProfileV2FieldGitCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
+			if strings.TrimSpace(scope.CredentialRef) != "" {
+				m.setFieldValue(initProfileV2FieldGitCredentialName, scope.CredentialRef)
+			}
 		}
 	}
 	m.setFieldHidden(initProfileV2FieldGitHost, !custom)
@@ -817,6 +867,34 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 	m.validateAll()
 }
 
+func (m *initProfileV2ReadOnlyModel) syncLLMCredentialFields(reset bool) {
+	selectedLLMRuntime := m.document.selectedValue(initProfileV2FieldLLMRuntime)
+	draft := m.draft
+	if selectedLLMRuntime != "" && selectedLLMRuntime != initConfigureNewLLMRuntimeSelection {
+		applyLLMRuntimeInventorySelection(&draft, selectedLLMRuntime, m.llmRuntimes)
+		selectedRuntimePreset := string(initLLMRuntimeDraftFromSeedDraft(draft).Preset)
+		applyLLMRuntimeSelection(&draft, selectedRuntimePreset)
+	}
+	needsCredential := config.LLMAuth(draft.LLMAuth) == config.LLMAuthAPIKey
+	m.setFieldHidden(initProfileV2FieldLLMCredentialSection, !needsCredential)
+	m.setFieldHidden(initProfileV2FieldLLMCredentialStore, !needsCredential)
+	m.setFieldHidden(initProfileV2FieldLLMCredentialName, !needsCredential)
+	if !needsCredential {
+		return
+	}
+	if reset {
+		if strings.TrimSpace(draft.LLMCredentialRef) == "" {
+			ref, err := credentials.FormatRef(strings.TrimSpace(m.document.fieldValue(initProfileV2FieldProfileName)) + "-llm")
+			if err == nil {
+				draft.LLMCredentialRef = ref
+			}
+		}
+		m.selectFieldValue(initProfileV2FieldLLMCredentialStore, initCredentialStoreDraftValue(draft.LLMCredentialStore))
+		m.setFieldValue(initProfileV2FieldLLMCredentialName, draft.LLMCredentialRef)
+	}
+	m.validateField(m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName))
+}
+
 func (m *initProfileV2ReadOnlyModel) syncModelMapFields() {
 	if !initProfileV2HasModelMapFields(m.document) {
 		return
@@ -965,9 +1043,6 @@ func initProfileV2LayoutDocument(document initProfileV2Document, width int, focu
 
 func initProfileV2AppendFieldLines(lines *[]string, field initProfileV2Field, focused bool, width int) {
 	titlePrefix := ""
-	if field.Focusable {
-		titlePrefix = "  "
-	}
 	initProfileV2AppendWrappedWithPrefix(lines, titlePrefix, field.Title, width)
 	initProfileV2AppendWrappedWithPrefix(lines, titlePrefix, field.Description, width)
 	if strings.TrimSpace(field.Error) != "" {
@@ -1000,26 +1075,7 @@ func initProfileV2AppendFieldLines(lines *[]string, field initProfileV2Field, fo
 }
 
 func initProfileV2AppendWrappedWithPrefix(lines *[]string, prefix string, text string, width int) {
-	available := max(width-len([]rune(prefix)), 1)
-	remaining := []rune(strings.TrimSpace(text))
-	if len(remaining) == 0 {
-		*lines = append(*lines, prefix)
-		return
-	}
-	for len(remaining) > available {
-		cut := available
-		for cut > 0 && remaining[cut] != ' ' {
-			cut--
-		}
-		if cut <= 0 {
-			cut = available
-		}
-		*lines = append(*lines, prefix+strings.TrimSpace(string(remaining[:cut])))
-		remaining = []rune(strings.TrimSpace(string(remaining[cut:])))
-		prefix = strings.Repeat(" ", len([]rune(prefix)))
-		available = max(width-len([]rune(prefix)), 1)
-	}
-	*lines = append(*lines, prefix+string(remaining))
+	initLinearAppendWrappedWithPrefix(lines, prefix, text, width)
 }
 
 func (m initProfileV2ReadOnlyModel) styleVisibleViewport() string {
@@ -1058,10 +1114,9 @@ func initProfileV2StyleViewportLine(line string, active bool) string {
 
 var initProfileV2HeadingSet = func() map[string]bool {
 	headings := map[string]bool{
-		"Profile":                     true,
+		"Review profile":              true,
 		"Profile name":                true,
 		"Automatic profile selection": true,
-		"Accepted route formats":      true,
 		"Route entries":               true,
 		"Git scope":                   true,
 		"Git scope host":              true,
@@ -1072,13 +1127,18 @@ var initProfileV2HeadingSet = func() map[string]bool {
 		"Model tier mapping":          true,
 		"Additional reviewer-agent directories (optional)": true,
 		"Additional trusted reviewer-agent directories":    true,
-		"Review Policy":             true,
-		"Major findings event":      true,
-		"Allow self-approve":        true,
-		"Resolve threads":           true,
-		"Resolve-after duration":    true,
-		"Git secrets storage label": true,
-		"Profile action":            true,
+		"Review policy":           true,
+		"Major findings event":    true,
+		"Allow self-approve":      true,
+		"Resolve threads":         true,
+		"Resolve-after duration":  true,
+		"Git credentials":         true,
+		"Git credential store":    true,
+		"Git credential name":     true,
+		"LLM API key credentials": true,
+		"LLM credential store":    true,
+		"LLM credential name":     true,
+		"Profile action":          true,
 	}
 	for _, tier := range config.ModelTiers() {
 		headings[fmt.Sprintf("%s model", tier)] = true
diff --git a/internal/cmd/credentialcmd/init_reviewer_credential_status.go b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
index 7153fc7a..2b1c10b0 100644
--- a/internal/cmd/credentialcmd/init_reviewer_credential_status.go
+++ b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
@@ -118,7 +118,7 @@ func canOpenInitStoreForReviewerStatus(deps initDeps, entry initCredentialPlanEn
 	if entry.SecretsProfile.IsNamed() {
 		return deps.openResolvedStore != nil
 	}
-	return deps.openStore != nil
+	return deps.openResolvedStore != nil || deps.openStore != nil
 }
 
 func interactiveInitReviewerCredentialPlanEntries(session initSessionDraft, plannedWriteKeys map[string][]string) []initCredentialPlanEntry {
@@ -144,7 +144,13 @@ func hasInitReviewerCredentialPlanEntry(entries []initCredentialPlanEntry) bool
 }
 
 func appendSelectableReviewerCredentialPlanEntries(session initSessionDraft, profile config.Profile, plannedWriteKeys map[string][]string, entries []initCredentialPlanEntry) []initCredentialPlanEntry {
-	resolved, err := credentials.ResolveSecretsProfileForProfile(session.cfg, profile)
+	var reviewerStoreID string
+	if profile.ReviewerCredentials != nil {
+		reviewerStoreID = initCredentialStoreDraftValue(profile.ReviewerCredentials.Credential.Store)
+	} else {
+		reviewerStoreID = initCredentialStoreDraftValue(profile.Git.Credential.Store)
+	}
+	resolved, err := credentials.ResolveCredentialStore(session.cfg, reviewerStoreID)
 	if err != nil {
 		return entries
 	}
@@ -155,11 +161,13 @@ func appendSelectableReviewerCredentialPlanEntries(session initSessionDraft, pro
 	if standardRef, err := credentials.FormatRef(session.workspace.profileName + "-reviewer"); err == nil {
 		entries = appendReviewerCredentialPlanEntry(entries, seen, resolved, plannedWriteKeys, config.CredentialRef{
 			Purpose: "reviewer_credentials",
+			Store:   reviewerStoreID,
 			Ref:     standardRef,
 			Mode:    string(config.GitAuthModePAT),
 		})
 		entries = appendReviewerCredentialPlanEntry(entries, seen, resolved, plannedWriteKeys, config.CredentialRef{
 			Purpose: "reviewer_credentials",
+			Store:   reviewerStoreID,
 			Ref:     standardRef,
 			Mode:    string(config.GitAuthModeGitHubApp),
 		})
@@ -171,6 +179,7 @@ func appendSelectableReviewerCredentialPlanEntries(session initSessionDraft, pro
 		}
 		ref := config.CredentialRef{
 			Purpose: "reviewer_credentials",
+			Store:   initCredentialStoreDraftValue(entity.CredentialStore),
 			Ref:     strings.TrimSpace(entity.CredentialRef),
 			Mode:    string(entity.AuthMode),
 		}
@@ -244,11 +253,12 @@ func deriveInitReviewerCredentialKeyState(entry initCredentialPlanEntry, spec cr
 	return initReviewerCredentialKeyOptional
 }
 
-func initReviewerCredentialStatusForSelectionRef(ctx initPromptContext, seed initDraft, selection string, reviewerSecretLocation string) (initReviewerCredentialStatus, bool) {
+func initReviewerCredentialStatusForSelectionRef(ctx initPromptContext, seed initDraft, selection string, storeID string, reviewerSecretLocation string) (initReviewerCredentialStatus, bool) {
 	state, err := reviewerEntityEditorStateForSelection(ctx, seed, selection)
 	if err != nil || state.kind == initReviewerEntityKindUseGitIdentity {
 		return initReviewerCredentialStatus{}, false
 	}
+	storeID = initCredentialStoreDraftValue(storeID)
 	effectiveCredentialRef := strings.TrimSpace(reviewerSecretLocation)
 	if effectiveCredentialRef == "" {
 		effectiveCredentialRef = strings.TrimSpace(state.seed.ReviewerCredentialRef)
@@ -262,11 +272,15 @@ func initReviewerCredentialStatusForSelectionRef(ctx initPromptContext, seed ini
 	authMode := reviewerCredentialAuthModeForKind(state.kind)
 	statusRef := config.CredentialRef{
 		Purpose: "reviewer_credentials",
+		Store:   storeID,
 		Ref:     effectiveCredentialRef,
 		Mode:    string(authMode),
 	}
 	for _, status := range ctx.ReviewerCredentialStatuses {
-		if status.Ref.Purpose == statusRef.Purpose && status.Ref.Ref == statusRef.Ref && status.Ref.Mode == statusRef.Mode {
+		if status.Ref.Purpose == statusRef.Purpose &&
+			initCredentialStoreDraftValue(status.Ref.Store) == initCredentialStoreDraftValue(statusRef.Store) &&
+			status.Ref.Ref == statusRef.Ref &&
+			status.Ref.Mode == statusRef.Mode {
 			return status, true
 		}
 	}
@@ -279,12 +293,12 @@ func initReviewerCredentialStatusForSelectionRef(ctx initPromptContext, seed ini
 
 func synthesizeReviewerCredentialStatus(ctx initPromptContext, ref config.CredentialRef) initReviewerCredentialStatus {
 	status := initReviewerCredentialStatus{Ref: ref}
-	if ctx.ExistingProfile != nil {
-		if resolved, err := credentials.ResolveSecretsProfileForProfile(ctx.ExistingConfig, *ctx.ExistingProfile); err == nil {
-			status.SecretsProfile = resolved
-		} else {
-			status.Unavailable = "credential backend status unavailable"
-		}
+	storeID := initCredentialStoreDraftValue(ref.Store)
+	status.Ref.Store = storeID
+	if resolved, err := credentials.ResolveCredentialStore(ctx.ExistingConfig, storeID); err == nil {
+		status.SecretsProfile = resolved
+	} else if ctx.ExistingProfile != nil {
+		status.Unavailable = "credential backend status unavailable"
 	}
 	specs, err := credentials.KeySpecsForPurpose(ref)
 	if err != nil {
@@ -347,7 +361,7 @@ func initReviewerCredentialStatusDescription(status initReviewerCredentialStatus
 		}
 		lines = append(lines, trimmed)
 	}
-	lines = append(lines, "This is a credential-store ref, not a PAT, GitHub App ID, private key, or installation ID.")
+	lines = append(lines, "This is a credential name, not a PAT, GitHub App ID, private key, or installation ID.")
 	if strings.TrimSpace(status.Unavailable) != "" {
 		lines = append(lines, strings.TrimSpace(status.Unavailable)+".")
 	}
diff --git a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
index 19e28574..8da8a17d 100644
--- a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
+++ b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
@@ -19,6 +19,7 @@ type initReviewerEntityEditorRunner func(initLinearEditor, io.Reader, io.Writer)
 const (
 	initReviewerEntityFieldSelection               initLinearFieldID = "reviewer_entity_selection"
 	initReviewerEntityFieldLabel                   initLinearFieldID = "reviewer_entity_label"
+	initReviewerEntityFieldCredentialStore         initLinearFieldID = "reviewer_entity_credential_store"
 	initReviewerEntityFieldSecretLocation          initLinearFieldID = "reviewer_entity_secret_location"
 	initReviewerEntityFieldCredentialStatus        initLinearFieldID = "reviewer_entity_credential_status"
 	initReviewerEntityFieldCredentialValues        initLinearFieldID = "reviewer_entity_credential_values"
@@ -37,7 +38,7 @@ const (
 const initReviewerEntityRestoreSelectionPrefix = "__restore_reviewer_entity__:"
 
 func (p huhInitReviewerEntityPrompter) editReviewerEntityLinear(prompt initReviewerEntityPrompt) (initDraft, error) {
-	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.DefaultProfileName, prompt.Context.ExistingProfile)
+	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	editor := initReviewerEntityLinearEditor(prompt.Context, seed)
 	model, err := p.runReviewerEntityEditor(editor)
 	if err != nil {
@@ -168,6 +169,13 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 			labelInput,
 			validateOptionalDisplayName,
 		)
+		document.addEditableSelect(
+			initReviewerEntityFieldCredentialStore,
+			"Reviewer credential store",
+			"",
+			initCredentialStoreOptions(ctx.ExistingConfig),
+			normalizeInitStringSelectionValue(initCredentialStoreDraftValue(s.seed.ReviewerCredentialStore), initCredentialStoreOptions(ctx.ExistingConfig)),
+		)
 		document.addEditableInput(
 			initReviewerEntityFieldSecretLocation,
 			"Reviewer secret location",
@@ -180,6 +188,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 		}
 		status := synthesizeReviewerCredentialStatus(ctx, config.CredentialRef{
 			Purpose: "reviewer_credentials",
+			Store:   initCredentialStoreDraftValue(s.seed.ReviewerCredentialStore),
 			Ref:     firstNonEmpty(reviewerSecretLocation, s.standardReviewerRef),
 			Mode:    string(reviewerCredentialAuthModeForKind(s.kind)),
 		})
@@ -233,6 +242,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 				initReviewerEntityMaybeUpdateAutoSecretLocation(model, s)
 			}
 			if id == initReviewerEntityFieldLabel ||
+				id == initReviewerEntityFieldCredentialStore ||
 				id == initReviewerEntityFieldSecretLocation ||
 				initReviewerEntityCredentialFieldKey(id) != "" {
 				initReviewerEntityRefreshCredentialStatus(model, ctx, s.seed, s)
@@ -255,6 +265,7 @@ func (s reviewerEntityEditorState) draftFromDocument(ctx initPromptContext, docu
 	if err := validateOptionalCredentialRef(reviewerSecretLocation); err != nil {
 		return initDraft{}, err
 	}
+	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore))
 	if err := validateReviewerEntityInlineCredentials(ctx, s.seed, s, document); err != nil {
 		return initDraft{}, err
 	}
@@ -291,6 +302,13 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 		"",
 		validateOptionalDisplayName,
 	)
+	document.addEditableSelect(
+		initReviewerEntityFieldCredentialStore,
+		"Reviewer credential store",
+		"",
+		initCredentialStoreOptions(ctx.ExistingConfig),
+		normalizeInitStringSelectionValue(initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore), initCredentialStoreOptions(ctx.ExistingConfig)),
+	)
 	document.addEditableInput(
 		initReviewerEntityFieldSecretLocation,
 		"Reviewer secret location",
@@ -317,6 +335,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 			}
 			if id == initReviewerEntityFieldAction ||
 				id == initReviewerEntityFieldLabel ||
+				id == initReviewerEntityFieldCredentialStore ||
 				id == initReviewerEntityFieldSecretLocation ||
 				initReviewerEntityCredentialFieldKey(id) != "" {
 				initReviewerEntitySyncLinearFields(model, ctx, seed, false)
@@ -562,6 +581,9 @@ func validateReviewerEntityInlineCredentials(ctx initPromptContext, seed initDra
 	if ref == "" {
 		return fmt.Errorf("reviewer secret location is required")
 	}
+	if strings.TrimSpace(document.selectedValue(initReviewerEntityFieldCredentialStore)) == "" {
+		return fmt.Errorf("reviewer credential store is required")
+	}
 	status, ok := reviewerCredentialStatusForDocument(ctx, seed, state, document)
 	if !ok {
 		return fmt.Errorf("reviewer credential status unavailable")
@@ -583,8 +605,12 @@ func reviewerEntityPreservesExistingCredentialRefWithoutWrites(state reviewerEnt
 	if strings.TrimSpace(document.fieldValue(initReviewerEntityFieldSecretLocation)) != strings.TrimSpace(state.seed.ReviewerCredentialRef) {
 		return false
 	}
+	if initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore)) != initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore) {
+		return false
+	}
 	writes, _ := reviewerEntityCredentialWritesFromDocument(synthesizeReviewerCredentialStatus(initPromptContext{}, config.CredentialRef{
 		Purpose: "reviewer_credentials",
+		Store:   initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore),
 		Ref:     strings.TrimSpace(state.seed.ReviewerCredentialRef),
 		Mode:    string(reviewerCredentialAuthModeForKind(state.kind)),
 	}), document)
@@ -600,7 +626,7 @@ func reviewerCredentialStatusForDocument(ctx initPromptContext, seed initDraft,
 }
 
 func baseReviewerCredentialStatusForDocument(ctx initPromptContext, seed initDraft, state reviewerEntityEditorState, document initLinearDocument) (initReviewerCredentialStatus, bool) {
-	status, ok := initReviewerCredentialStatusForSelectionRef(ctx, seed, string(state.kind), document.fieldValue(initReviewerEntityFieldSecretLocation))
+	status, ok := initReviewerCredentialStatusForSelectionRef(ctx, seed, string(state.kind), document.selectedValue(initReviewerEntityFieldCredentialStore), document.fieldValue(initReviewerEntityFieldSecretLocation))
 	if !ok {
 		return initReviewerCredentialStatus{}, false
 	}
@@ -627,7 +653,11 @@ func initReviewerEntityUsesAutoDefaultSecretLocation(state reviewerEntityEditorS
 
 func initReviewerCredentialStatusListContains(statuses []initReviewerCredentialStatus, ref config.CredentialRef) bool {
 	for _, status := range statuses {
-		if status.Ref.Purpose == ref.Purpose && status.Ref.Ref == ref.Ref && status.Ref.Mode == ref.Mode && status.Ref.Provider == ref.Provider {
+		if status.Ref.Purpose == ref.Purpose &&
+			initCredentialStoreDraftValue(status.Ref.Store) == initCredentialStoreDraftValue(ref.Store) &&
+			status.Ref.Ref == ref.Ref &&
+			status.Ref.Mode == ref.Mode &&
+			status.Ref.Provider == ref.Provider {
 			return true
 		}
 	}
@@ -671,6 +701,7 @@ func missingReviewerEntityInlineCredentialKeys(state reviewerEntityEditorState,
 
 func reviewerEntityKeepsCurrentCredentialRef(state reviewerEntityEditorState, document initLinearDocument) bool {
 	return state.preserveCurrentLocation &&
+		initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore)) == initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore) &&
 		strings.TrimSpace(document.fieldValue(initReviewerEntityFieldSecretLocation)) == strings.TrimSpace(state.seed.ReviewerCredentialRef)
 }
 
@@ -689,6 +720,7 @@ func applyReviewerEntityCredentialDraftFromDocument(editDraft *initDraft, ctx in
 	}
 	writes, overwrite := reviewerEntityCredentialWritesFromDocument(originalStatus, document)
 	editDraft.ReviewerCredentialWriteRef = ref
+	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(status.Ref.Store)
 	editDraft.ReviewerCredentialWriteStore = status.SecretsProfile
 	editDraft.ReviewerCredentialWrites = writes
 	editDraft.ReviewerCredentialOverwrite = overwrite
@@ -748,6 +780,7 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 		}
 	}
 	model.setFieldHidden(initReviewerEntityFieldLabel, hideDetails)
+	model.setFieldHidden(initReviewerEntityFieldCredentialStore, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldSecretLocation, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldCredentialStatus, hideDetails)
 	initReviewerEntitySetCredentialFieldsHidden(model, state.kind, hideDetails)
@@ -775,6 +808,7 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 			reviewerSecretLocation = initReviewerEntityDefaultSecretLocation(state, labelInput)
 		}
 		model.setFieldValue(initReviewerEntityFieldLabel, labelInput)
+		model.selectFieldValue(initReviewerEntityFieldCredentialStore, initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore))
 		model.setFieldValue(initReviewerEntityFieldSecretLocation, reviewerSecretLocation)
 		if locationIndex := model.document.fieldIndexByID(initReviewerEntityFieldSecretLocation); locationIndex >= 0 {
 			model.document[locationIndex].AutoManaged = !state.preserveCurrentLocation
@@ -836,12 +870,12 @@ func reviewerEntityKindDetailDescription(kind initReviewerEntityKind) string {
 }
 
 func reviewerEntitySecretLocationDescription(kind initReviewerEntityKind) string {
-	base := "Credential-store ref for this reviewer. This is where cr stores secret values; it is not a PAT, GitHub App ID, private key, or installation ID. Change it only if you need a custom credential-store location."
+	base := "Credential name for this reviewer. This is where cr stores secret values in the selected credential store; it is not a PAT, GitHub App ID, private key, or installation ID. Change it only if you need a custom credential-store location."
 	if kind == initReviewerEntityKindPAT {
-		return base + " Store required secret " + credentials.GitTokenKey + " at this ref."
+		return base + " Store required secret " + credentials.GitTokenKey + " at this name."
 	}
 	if kind == initReviewerEntityKindGitHubApp {
-		return base + " Store required secrets " + credentials.GitHubAppIDKey + " and " + credentials.GitHubAppPrivateKeyKey + " at this ref; " + credentials.GitHubAppInstallationIDKey + " is optional."
+		return base + " Store required secrets " + credentials.GitHubAppIDKey + " and " + credentials.GitHubAppPrivateKeyKey + " at this name; " + credentials.GitHubAppInstallationIDKey + " is optional."
 	}
 	return base
 }
@@ -865,6 +899,7 @@ func initReviewerEntityDraftFromDocument(ctx initPromptContext, seed initDraft,
 	if err := validateOptionalCredentialRef(reviewerSecretLocation); err != nil {
 		return initDraft{}, err
 	}
+	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore))
 	if err := validateReviewerEntityInlineCredentials(ctx, seed, state, document); err != nil {
 		return initDraft{}, err
 	}
diff --git a/internal/cmd/credentialcmd/init_secrets_management.go b/internal/cmd/credentialcmd/init_secrets_management.go
index 0905a872..67eed82a 100644
--- a/internal/cmd/credentialcmd/init_secrets_management.go
+++ b/internal/cmd/credentialcmd/init_secrets_management.go
@@ -14,7 +14,6 @@ import (
 )
 
 const (
-	initSecretsManagementLegacySelection = "__legacy_secrets_management__"
 	// #nosec G101 -- selection sentinel, not a credential.
 	initConfigureSecretsProfileSelectionPrefix = "__configure_secrets_profile__:"
 )
@@ -32,24 +31,27 @@ type initSecretsProfileEditorResult struct {
 	Label       string
 	StoredLabel string
 	Backend     config.SecretsProfileBackend
-	UseDefault  bool
 }
 
-type initLegacySecretsManagementEditorResult struct {
-	Apply   bool
-	Backend string
+type initSecretsProfileBackendInput struct {
+	KindValue       string
+	Timeout         string
+	AccountID       string
+	AccountURL      string
+	VaultID         string
+	VaultName       string
+	ConnectHost     string
+	ConnectTokenEnv string
+	ServiceTokenEnv string
 }
 
 func initSecretsBackendCatalog() []initSecretsBackendPresentation {
 	order := []config.SecretsBackendKind{
-		config.SecretsBackendKind(credstore.BackendKeychain),
-		config.SecretsBackendKind(credstore.BackendWinCred),
-		config.SecretsBackendKind(credstore.BackendSecretService),
-		config.SecretsBackendKind(credstore.BackendPass),
-		config.SecretsBackendKind(credstore.BackendFile),
 		config.SecretsBackendKind(credstore.BackendOPDesktop),
 		config.SecretsBackendKind(credstore.BackendOP),
 		config.SecretsBackendKind(credstore.BackendOPConnect),
+		config.SecretsBackendKind(credstore.BackendPass),
+		config.SecretsBackendKind(credstore.BackendFile),
 		config.SecretsBackendKind(credstore.BackendMemory),
 	}
 	items := make([]initSecretsBackendPresentation, 0, len(order))
@@ -144,54 +146,69 @@ func initSecretsBackendByKind(kind config.SecretsBackendKind) (initSecretsBacken
 }
 
 func initSecretsManagementInventoryDescription() string {
-	return "Choose how cr should store credentials. Secrets-management profiles are reusable store definitions that review profiles can choose later."
+	return "Choose where cr stores credentials. The built-in OS credential store is always available; configured stores are reusable destinations for secrets."
 }
 
-func initAutomaticOSDefaultSecretsBackendLabel() string {
-	return initAutomaticOSDefaultSecretsBackendLabelForGOOS(runtime.GOOS)
+func initBuiltInOSCredentialStoreTitle() string {
+	title, _ := initBuiltInOSCredentialStoreLabelsForGOOS(runtime.GOOS)
+	return title
 }
 
-func initAutomaticOSDefaultSecretsBackendLabelForGOOS(goos string) string {
+func initBuiltInOSCredentialStoreDescription() string {
+	_, description := initBuiltInOSCredentialStoreLabelsForGOOS(runtime.GOOS)
+	return description
+}
+
+func initBuiltInOSCredentialStoreLabelsForGOOS(goos string) (string, string) {
 	switch goos {
 	case "darwin":
-		return "Automatic OS default (macOS Keychain)"
+		return "macOS Login Keychain", "current macOS user"
 	case "windows":
-		return "Automatic OS default (Windows Credential Manager)"
+		return "Windows Credential Manager", "current Windows user"
 	case "linux":
-		return "Automatic OS default (Linux Secret Service)"
+		return "Linux Secret Service", "current Linux user"
 	default:
-		return "Automatic OS default"
+		return "OS credential store", "current OS user"
 	}
 }
 
+func initAutomaticOSDefaultSecretsBackendLabel() string {
+	return initBuiltInOSCredentialStoreTitle()
+}
+
+func initAutomaticOSDefaultSecretsBackendLabelForGOOS(goos string) string {
+	title, _ := initBuiltInOSCredentialStoreLabelsForGOOS(goos)
+	return title
+}
+
 func initSecretsManagementInventoryRows(cfg config.File) []initInventoryRow {
-	effective := config.EffectiveSecretsProfiles(cfg)
+	effective := config.EffectiveSecretsStores(cfg)
 	rows := make([]initInventoryRow, 0, len(effective)+len(initSecretsBackendCatalog())+2)
-	for _, profile := range effective {
-		if profile.Source != config.EffectiveSecretsProfileSourceConfigured {
+	for _, store := range effective {
+		if store.ID == config.LocalOSCredentialStoreID {
+			rows = append(rows, initInventoryRow{
+				ID:          store.ID,
+				Title:       initBuiltInOSCredentialStoreTitle(),
+				Description: initBuiltInOSCredentialStoreDescription(),
+				Kind:        initInventoryRowKindActive,
+				Selectable:  true,
+				FilterValue: strings.TrimSpace(strings.Join([]string{store.ID, initBuiltInOSCredentialStoreTitle(), initBuiltInOSCredentialStoreDescription()}, " ")),
+			})
 			continue
 		}
-		title := initSecretsProfileInventoryTitle(profile)
+		title := initSecretsProfileInventoryTitle(store)
 		rows = append(rows, initInventoryRow{
-			ID:          profile.ID,
+			ID:          store.ID,
 			Title:       title,
 			Kind:        initInventoryRowKindActive,
 			Selectable:  true,
-			FilterValue: strings.TrimSpace(strings.Join([]string{profile.ID, profile.Label, profile.Backend, title}, " ")),
+			Deletable:   true,
+			FilterValue: strings.TrimSpace(strings.Join([]string{store.ID, store.DisplayName, store.Backend, title}, " ")),
 		})
 	}
-	rows = append(rows, initInventoryRow{
-		ID:            initSecretsManagementLegacySelection,
-		Title:         initLegacySecretsManagementInventoryTitle(cfg),
-		Description:   "Legacy fallback credential store used only by profiles that do not choose a named secrets-management profile.",
-		Kind:          initInventoryRowKindActive,
-		PrimaryAction: initInventoryActionCommand,
-		Selectable:    true,
-		FilterValue:   strings.TrimSpace(strings.Join([]string{"fallback compatibility legacy credential store keyring backend", strings.TrimSpace(cfg.Keyring.Backend)}, " ")),
-	})
 
 	for _, backend := range initSecretsBackendCatalog() {
-		title := fmt.Sprintf("Configure new %s profile", strings.ToLower(initSecretsBackendDisplayLabel(backend.Kind)))
+		title := initConfigureSecretsStoreTitle(backend.Kind)
 		desc := backend.Description
 		if !backend.Available {
 			desc = strings.TrimSpace(strings.Join([]string{desc, "Unavailable in this build."}, " "))
@@ -216,35 +233,36 @@ func initSecretsManagementInventoryRows(cfg config.File) []initInventoryRow {
 	return rows
 }
 
+func initConfigureSecretsStoreTitle(kind config.SecretsBackendKind) string {
+	switch kind {
+	case config.SecretsBackendKind(credstore.BackendOPDesktop):
+		return "Configure new 1Password desktop app profile"
+	case config.SecretsBackendKind(credstore.BackendOP):
+		return "Configure new 1Password service account profile"
+	case config.SecretsBackendKind(credstore.BackendOPConnect):
+		return "Configure new 1Password Connect profile"
+	case config.SecretsBackendKind(credstore.BackendPass):
+		return "Configure new pass password store profile"
+	case config.SecretsBackendKind(credstore.BackendFile):
+		return "Configure new encrypted file profile"
+	case config.SecretsBackendKind(credstore.BackendMemory):
+		return "Configure new in-memory store profile"
+	default:
+		return fmt.Sprintf("Configure new %s profile", strings.ToLower(initSecretsBackendDisplayLabel(kind)))
+	}
+}
+
 func initSecretsProfileInventoryTitle(profile config.EffectiveSecretsProfile) string {
 	backendLabel := profile.Backend
 	if item, ok := initSecretsBackendByKind(config.SecretsBackendKind(profile.Backend)); ok {
 		backendLabel = item.Label
+	} else if profile.Backend != "" {
+		backendLabel = initSecretsBackendDisplayLabel(config.SecretsBackendKind(profile.Backend))
 	}
 	title := fmt.Sprintf("%s (%s)", initSecretsProfileDisplayName(profile.ID, profile.Label), backendLabel)
-	if profile.IsDefault {
-		title += " [default]"
-	}
 	return title
 }
 
-func initLegacySecretsManagementInventoryTitle(cfg config.File) string {
-	backend := strings.TrimSpace(cfg.Keyring.Backend)
-	if backend == "" {
-		backend = config.ProjectedLegacySecretsBackendKind
-	}
-	backendLabel := backend
-	if backend != config.ProjectedLegacySecretsBackendKind {
-		if item, ok := initSecretsBackendByKind(config.SecretsBackendKind(backend)); ok {
-			backendLabel = item.Label
-		}
-	}
-	if backend == config.ProjectedLegacySecretsBackendKind {
-		backendLabel = initAutomaticOSDefaultSecretsBackendLabel()
-	}
-	return fmt.Sprintf("Fallback credential store: %s", backendLabel)
-}
-
 func initSecretsProfileDisplayName(id string, label string) string {
 	if trimmed := strings.TrimSpace(label); trimmed != "" {
 		return trimmed
@@ -304,43 +322,22 @@ func initSecretsProfileBackendOptions(current config.SecretsBackendKind) []huh.O
 	return options
 }
 
-func initLegacySecretsBackendOptions(current string) []huh.Option[string] {
-	options := []huh.Option[string]{
-		huh.NewOption(initAutomaticOSDefaultSecretsBackendLabel(), ""),
-	}
-	for _, backend := range initSecretsBackendCatalog() {
-		if !backend.LegacyCompatible {
-			continue
-		}
-		if !backend.Available && string(backend.Kind) != strings.TrimSpace(current) {
-			continue
-		}
-		label := backend.Label
-		if !backend.Available && string(backend.Kind) == strings.TrimSpace(current) {
-			label += " (unavailable in this build; existing config)"
-		}
-		options = append(options, huh.NewOption(label, string(backend.Kind)))
-	}
-	return options
-}
-
-func initSecretsProfileBackendFromInputs(kindValue string, timeout string, vaultID string, itemTitlePrefix string, itemTag string, itemFieldTitle string, connectHost string, connectTokenEnv string, serviceTokenEnv string, desktopAccountID string) config.SecretsProfileBackend {
+func initSecretsProfileBackendFromInputs(input initSecretsProfileBackendInput) config.SecretsProfileBackend {
 	backend := config.SecretsProfileBackend{
-		Kind: config.SecretsBackendKind(strings.TrimSpace(kindValue)),
+		Kind: config.SecretsBackendKind(strings.TrimSpace(input.KindValue)),
 	}
 	if !config.IsOnePasswordSecretsBackend(backend.Kind) {
 		return normalizeInitSecretsProfileBackend(backend)
 	}
 	backend.OnePassword = &config.SecretsProfileOnePasswordConfig{
-		Timeout:          strings.TrimSpace(timeout),
-		VaultID:          strings.TrimSpace(vaultID),
-		ItemTitlePrefix:  strings.TrimSpace(itemTitlePrefix),
-		ItemTag:          strings.TrimSpace(itemTag),
-		ItemFieldTitle:   strings.TrimSpace(itemFieldTitle),
-		ConnectHost:      strings.TrimSpace(connectHost),
-		ConnectTokenEnv:  strings.TrimSpace(connectTokenEnv),
-		ServiceTokenEnv:  strings.TrimSpace(serviceTokenEnv),
-		DesktopAccountID: strings.TrimSpace(desktopAccountID),
+		Timeout:         strings.TrimSpace(input.Timeout),
+		AccountID:       strings.TrimSpace(input.AccountID),
+		AccountURL:      strings.TrimSpace(input.AccountURL),
+		VaultID:         strings.TrimSpace(input.VaultID),
+		VaultName:       strings.TrimSpace(input.VaultName),
+		ConnectHost:     strings.TrimSpace(input.ConnectHost),
+		ConnectTokenEnv: strings.TrimSpace(input.ConnectTokenEnv),
+		ServiceTokenEnv: strings.TrimSpace(input.ServiceTokenEnv),
 	}
 	return normalizeInitSecretsProfileBackend(backend)
 }
@@ -368,7 +365,7 @@ func initSecretsProfileIDFromLabel(label string, kind config.SecretsBackendKind,
 	if base == "" {
 		base = "secrets-profile"
 	}
-	if base == config.LegacyProjectedSecretsProfileID {
+	if base == config.LocalOSCredentialStoreID {
 		base = "secrets-profile"
 	}
 	candidate := base
@@ -410,7 +407,6 @@ func normalizeInitSecretsProfileBackend(backend config.SecretsProfileBackend) co
 				"seed": {Backend: backend},
 			},
 		},
-		DefaultProfile: "default",
 	}
 	return config.Normalize(working).Secrets.Profiles["seed"].Backend
 }
@@ -439,12 +435,12 @@ func (p huhInitKeyringBackendPrompter) EditKeyringBackend(prompt initKeyringBack
 	if p.inventoryRunner == nil {
 		return p.editKeyringBackendLinear(prompt)
 	}
-	working := cloneInitConfigFile(prompt.Config)
-	original := cloneInitConfigFile(prompt.Config)
+	working := config.Normalize(cloneInitConfigFile(prompt.Config))
+	original := config.Normalize(cloneInitConfigFile(prompt.Config))
 
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
-			Title:       "Secrets Management",
+			Title:       "Secrets Storage",
 			Description: initSecretsManagementInventoryDescription(),
 			Rows:        initSecretsManagementInventoryRows(working),
 			Width:       88,
@@ -463,16 +459,8 @@ func (p huhInitKeyringBackendPrompter) EditKeyringBackend(prompt initKeyringBack
 			return initKeyringBackendEdit{}, fmt.Errorf("unsupported secrets-management inventory action %q", result.Action)
 		case initInventoryActionCommand, initInventoryActionEdit:
 			switch {
-			case result.Row.ID == initSecretsManagementLegacySelection:
-				edit, err := p.editLegacySecretsManagement(working.Keyring.Backend)
-				if err != nil {
-					return initKeyringBackendEdit{}, err
-				}
-				if !edit.Apply {
-					continue
-				}
-				working.Keyring.Backend = strings.TrimSpace(edit.Backend)
-				working = config.Normalize(working)
+			case result.Row.ID == config.LocalOSCredentialStoreID:
+				continue
 			case strings.HasPrefix(result.Row.ID, initConfigureSecretsProfileSelectionPrefix):
 				kind, ok := initSecretsProfileSelectionKind(result.Row.ID)
 				if !ok {
@@ -497,14 +485,6 @@ func (p huhInitKeyringBackendPrompter) EditKeyringBackend(prompt initKeyringBack
 				if err != nil {
 					return initKeyringBackendEdit{}, err
 				}
-				if edit.UseDefault {
-					nextCfg, _, err = configedit.SetDefaultSecretsProfile(nextCfg, id)
-				} else if strings.TrimSpace(working.Secrets.DefaultProfile) == id {
-					nextCfg, _, err = configedit.UnsetDefaultSecretsProfile(nextCfg)
-				}
-				if err != nil {
-					return initKeyringBackendEdit{}, err
-				}
 				working = nextCfg
 			case result.Row.ID == initBackSelection:
 				if initConfigsEqual(original, working) {
@@ -512,11 +492,12 @@ func (p huhInitKeyringBackendPrompter) EditKeyringBackend(prompt initKeyringBack
 				}
 				return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: working}, nil
 			default:
-				existing, ok := working.Secrets.Profiles[result.Row.ID]
+				working = config.Normalize(working)
+				existing, ok := working.Secrets.Stores[result.Row.ID]
 				if !ok {
 					return initKeyringBackendEdit{}, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, result.Row.ID)
 				}
-				edit, err := p.editSecretsProfile(existing, result.Row.ID, strings.TrimSpace(working.Secrets.DefaultProfile) == result.Row.ID, false)
+				edit, err := p.editSecretsProfile(existing, result.Row.ID, false, false)
 				if err != nil {
 					return initKeyringBackendEdit{}, err
 				}
@@ -536,14 +517,6 @@ func (p huhInitKeyringBackendPrompter) EditKeyringBackend(prompt initKeyringBack
 				if err != nil {
 					return initKeyringBackendEdit{}, err
 				}
-				if edit.UseDefault {
-					nextCfg, _, err = configedit.SetDefaultSecretsProfile(nextCfg, result.Row.ID)
-				} else if strings.TrimSpace(working.Secrets.DefaultProfile) == result.Row.ID {
-					nextCfg, _, err = configedit.UnsetDefaultSecretsProfile(nextCfg)
-				}
-				if err != nil {
-					return initKeyringBackendEdit{}, err
-				}
 				working = nextCfg
 			}
 		case initInventoryActionNone:
@@ -554,7 +527,7 @@ func (p huhInitKeyringBackendPrompter) EditKeyringBackend(prompt initKeyringBack
 	}
 }
 
-func (p huhInitKeyringBackendPrompter) editSecretsProfile(profile config.SecretsProfile, id string, isDefault bool, creating bool) (initSecretsProfileEditorResult, error) {
+func (p huhInitKeyringBackendPrompter) editSecretsProfile(profile config.SecretsProfile, id string, _ bool, creating bool) (initSecretsProfileEditorResult, error) {
 	seedProfile := profile
 	if strings.TrimSpace(string(seedProfile.Backend.Kind)) == "" {
 		seedProfile.Backend = normalizeInitSecretsProfileBackend(config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendKeychain)})
@@ -570,39 +543,88 @@ func (p huhInitKeyringBackendPrompter) editSecretsProfile(profile config.Secrets
 		onePassword = &copyValue
 	}
 	action := initDetailActionEdit
-	useDefault := isDefault
 	timeout := onePassword.Timeout
 	vaultID := onePassword.VaultID
-	itemTitlePrefix := onePassword.ItemTitlePrefix
-	itemTag := onePassword.ItemTag
-	itemFieldTitle := onePassword.ItemFieldTitle
+	vaultName := onePassword.VaultName
+	accountID := onePassword.AccountID
+	accountURL := onePassword.AccountURL
 	connectHost := onePassword.ConnectHost
 	connectTokenEnv := onePassword.ConnectTokenEnv
 	serviceTokenEnv := onePassword.ServiceTokenEnv
-	desktopAccountID := onePassword.DesktopAccountID
+	if accountID == "" {
+		accountID = onePassword.DesktopAccountID
+	}
+	desktopDiscovery := initOnePasswordDesktopDiscovery{}
+	desktopSelection := initOnePasswordManualSelection
+	if seedProfile.Backend.Kind == config.SecretsBackendKind(credstore.BackendOPDesktop) {
+		discoveryMode := p.resolvedDiscoveryMode()
+		p.writeSecretsStorageDiscoveryNotice(discoveryMode)
+		desktopDiscovery = p.discoverOnePasswordDesktopForMode(discoveryMode)
+		p.writeSecretsStorageDiscoveryResults(discoveryMode, desktopDiscovery)
+		desktopSelection = desktopDiscovery.SelectionFor(accountID, accountURL, vaultID, vaultName)
+		if desktopSelection == initOnePasswordManualSelection && creating && accountID == "" && accountURL == "" && vaultID == "" && vaultName == "" {
+			if options := desktopDiscovery.Options(); len(options) > 0 {
+				desktopSelection = options[0].Value
+			}
+		}
+	}
 
-	form := huh.NewForm(
+	groups := []*huh.Group{
 		huh.NewGroup(
 			huh.NewInput().
-				Title("Secrets-management profile label").
-				Description("Choose a human-friendly label for this secrets-management profile. This is what the init menus will show later.").
+				Title("Credential store name").
+				Description("Choose a human-friendly name for this credential store.").
 				Value(&labelInput).
 				Validate(validateOptionalDisplayName),
 			huh.NewSelect[string]().
-				Title("Secrets-management backend").
+				Title("Credential store backend").
 				Options(initSecretsProfileBackendOptions(seedProfile.Backend.Kind)...).
 				Value(&kindValue),
-		).Title("Secrets Management Profile Details"),
+		).Title("Credential Store Details"),
+	}
+	if desktopDiscovery.HasVaultChoices() {
+		groups = append(groups, huh.NewGroup(
+			huh.NewSelect[string]().
+				Title("1Password account and vault").
+				Description("Discovered from the local 1Password desktop app. Choose manual entry if this list is incomplete.").
+				Options(desktopDiscovery.Options()...).
+				Value(&desktopSelection),
+		).WithHideFunc(func() bool {
+			return config.SecretsBackendKind(kindValue) != config.SecretsBackendKind(credstore.BackendOPDesktop)
+		}).Title("1Password Desktop Discovery"))
+	}
+	groups = append(groups,
 		huh.NewGroup(
 			huh.NewInput().
-				Title("1Password vault id").
-				Description("Required for every 1Password-backed secrets-management profile.").
+				Title("1Password account URL").
+				Description("Account sign-in address such as myorg.1password.com for organizational 1Password accounts, or my.1password.com for personal or family accounts. Required only when desktop discovery is unavailable or manual entry is selected.").
+				Value(&accountURL).
+				Validate(validateOptionalDisplayName),
+			huh.NewInput().
+				Title("1Password account id").
+				Description("Advanced. Optional account id when you need to pin this profile to one signed-in 1Password desktop account.").
+				Value(&accountID).
+				Validate(validateOptionalDisplayName),
+		).WithHideFunc(func() bool {
+			return config.SecretsBackendKind(kindValue) != config.SecretsBackendKind(credstore.BackendOPDesktop) || (desktopDiscovery.HasVaultChoices() && desktopSelection != initOnePasswordManualSelection)
+		}).Title("1Password Desktop Manual Account"),
+		huh.NewGroup(
+			huh.NewInput().
+				Title("1Password vault name or id").
+				Description("Required for every 1Password-backed credential store.").
 				Value(&vaultID).
 				Validate(func(value string) error {
-					return validateInitSecretsRequiredSingleLine(value, config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue)), "1Password vault id")
+					requiresVault := config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue))
+					if config.SecretsBackendKind(kindValue) == config.SecretsBackendKind(credstore.BackendOPDesktop) && desktopDiscovery.HasVaultChoices() && desktopSelection != initOnePasswordManualSelection {
+						requiresVault = false
+					}
+					return validateInitSecretsRequiredSingleLine(value, requiresVault, "1Password vault name or id")
 				}),
 		).WithHideFunc(func() bool {
-			return !config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue))
+			if !config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue)) {
+				return true
+			}
+			return config.SecretsBackendKind(kindValue) == config.SecretsBackendKind(credstore.BackendOPDesktop) && desktopDiscovery.HasVaultChoices() && desktopSelection != initOnePasswordManualSelection
 		}).Title("1Password Details"),
 		huh.NewGroup(
 			huh.NewInput().
@@ -614,33 +636,6 @@ func (p huhInitKeyringBackendPrompter) editSecretsProfile(profile config.Secrets
 			kind := config.SecretsBackendKind(kindValue)
 			return kind != config.SecretsBackendKind(credstore.BackendOP) && kind != config.SecretsBackendKind(credstore.BackendOPDesktop)
 		}),
-		huh.NewGroup(
-			huh.NewInput().
-				Title("1Password item title prefix").
-				Description("Optional prefix added to stored 1Password item titles.").
-				Value(&itemTitlePrefix).
-				Validate(validateOptionalDisplayName),
-		).WithHideFunc(func() bool {
-			return !config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue))
-		}),
-		huh.NewGroup(
-			huh.NewInput().
-				Title("1Password item tag").
-				Description("Optional 1Password item tag for credentials created through this profile.").
-				Value(&itemTag).
-				Validate(validateOptionalDisplayName),
-		).WithHideFunc(func() bool {
-			return !config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue))
-		}),
-		huh.NewGroup(
-			huh.NewInput().
-				Title("1Password item field title").
-				Description("Optional 1Password field title override.").
-				Value(&itemFieldTitle).
-				Validate(validateOptionalDisplayName),
-		).WithHideFunc(func() bool {
-			return !config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kindValue))
-		}),
 		huh.NewGroup(
 			huh.NewInput().
 				Title("1Password Connect host").
@@ -671,31 +666,16 @@ func (p huhInitKeyringBackendPrompter) editSecretsProfile(profile config.Secrets
 			return config.SecretsBackendKind(kindValue) != config.SecretsBackendKind(credstore.BackendOP)
 		}),
 		huh.NewGroup(
-			huh.NewInput().
-				Title("1Password desktop account id").
-				Description("Optional desktop-account id when you want to pin this profile to one 1Password desktop account.").
-				Value(&desktopAccountID).
-				Validate(validateOptionalDisplayName),
-		).WithHideFunc(func() bool {
-			return config.SecretsBackendKind(kindValue) != config.SecretsBackendKind(credstore.BackendOPDesktop)
-		}),
-		huh.NewGroup(
-			huh.NewSelect[bool]().
-				Title("Use this as the default secrets-management profile").
-				Options(
-					huh.NewOption("No", false),
-					huh.NewOption("Yes", true),
-				).
-				Value(&useDefault),
 			huh.NewSelect[string]().
-				Title("Secrets-management detail action").
+				Title("Credential store action").
 				Options(
-					huh.NewOption("Stage secrets-management settings", initDetailActionEdit),
+					huh.NewOption("Stage secrets-storage settings", initDetailActionEdit),
 					huh.NewOption("Back without staging", initDetailActionBack),
 				).
 				Value(&action),
-		).Title("Secrets Management Profile Details"),
+		).Title("Credential Store Details"),
 	)
+	form := huh.NewForm(groups...)
 	back, err := runBackableInitForm(form, p.stdin, p.stderr)
 	if err != nil {
 		return initSecretsProfileEditorResult{}, err
@@ -703,41 +683,30 @@ func (p huhInitKeyringBackendPrompter) editSecretsProfile(profile config.Secrets
 	if back || action == initDetailActionBack {
 		return initSecretsProfileEditorResult{}, nil
 	}
-	backend := initSecretsProfileBackendFromInputs(kindValue, timeout, vaultID, itemTitlePrefix, itemTag, itemFieldTitle, connectHost, connectTokenEnv, serviceTokenEnv, desktopAccountID)
+	if config.SecretsBackendKind(kindValue) == config.SecretsBackendKind(credstore.BackendOPDesktop) && desktopDiscovery.HasVaultChoices() && desktopSelection != initOnePasswordManualSelection {
+		if selection, ok := desktopDiscovery.Selection(desktopSelection); ok {
+			accountID = selection.AccountID
+			accountURL = selection.AccountURL
+			vaultID = selection.VaultID
+			vaultName = selection.VaultName
+		}
+	}
+	backend := initSecretsProfileBackendFromInputs(initSecretsProfileBackendInput{
+		KindValue:       kindValue,
+		Timeout:         timeout,
+		AccountID:       accountID,
+		AccountURL:      accountURL,
+		VaultID:         vaultID,
+		VaultName:       vaultName,
+		ConnectHost:     connectHost,
+		ConnectTokenEnv: connectTokenEnv,
+		ServiceTokenEnv: serviceTokenEnv,
+	})
 	storedLabel := normalizeInitSecretsProfileStoredLabel(labelInput, labelSeed.FallbackValue, labelSeed.StoredLabel, creating)
 	return initSecretsProfileEditorResult{
 		Apply:       true,
 		Label:       strings.TrimSpace(labelInput),
 		StoredLabel: storedLabel,
 		Backend:     backend,
-		UseDefault:  useDefault,
 	}, nil
 }
-
-func (p huhInitKeyringBackendPrompter) editLegacySecretsManagement(currentBackend string) (initLegacySecretsManagementEditorResult, error) {
-	backend := strings.TrimSpace(currentBackend)
-	action := initDetailActionEdit
-	form := huh.NewForm(
-		huh.NewGroup(
-			huh.NewSelect[string]().
-				Title("Legacy fallback credential store backend").
-				Options(initLegacySecretsBackendOptions(currentBackend)...).
-				Value(&backend),
-			huh.NewSelect[string]().
-				Title("Fallback credential-store action").
-				Options(
-					huh.NewOption("Stage fallback credential-store settings", initDetailActionEdit),
-					huh.NewOption("Back without staging", initDetailActionBack),
-				).
-				Value(&action),
-		).Title("Legacy Fallback Credential Store"),
-	)
-	back, err := runBackableInitForm(form, p.stdin, p.stderr)
-	if err != nil {
-		return initLegacySecretsManagementEditorResult{}, err
-	}
-	if back || action == initDetailActionBack {
-		return initLegacySecretsManagementEditorResult{}, nil
-	}
-	return initLegacySecretsManagementEditorResult{Apply: true, Backend: strings.TrimSpace(backend)}, nil
-}
diff --git a/internal/cmd/credentialcmd/init_secrets_management_editor.go b/internal/cmd/credentialcmd/init_secrets_management_editor.go
index d4bce630..cbc4c30a 100644
--- a/internal/cmd/credentialcmd/init_secrets_management_editor.go
+++ b/internal/cmd/credentialcmd/init_secrets_management_editor.go
@@ -17,30 +17,24 @@ import (
 type initSecretsManagementEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
 
 const (
-	initSecretsManagementFieldTarget           initLinearFieldID = "secrets_management_target"
-	initSecretsManagementFieldLegacyBackend    initLinearFieldID = "secrets_management_legacy_backend"
-	initSecretsManagementFieldLabel            initLinearFieldID = "secrets_management_label"
-	initSecretsManagementFieldBackend          initLinearFieldID = "secrets_management_backend"
-	initSecretsManagementFieldVaultID          initLinearFieldID = "secrets_management_1password_vault_id"
-	initSecretsManagementFieldTimeout          initLinearFieldID = "secrets_management_1password_timeout"
-	initSecretsManagementFieldItemTitlePrefix  initLinearFieldID = "secrets_management_1password_item_title_prefix"
-	initSecretsManagementFieldItemTag          initLinearFieldID = "secrets_management_1password_item_tag"
-	initSecretsManagementFieldItemFieldTitle   initLinearFieldID = "secrets_management_1password_item_field_title"
-	initSecretsManagementFieldConnectHost      initLinearFieldID = "secrets_management_1password_connect_host"
-	initSecretsManagementFieldConnectTokenEnv  initLinearFieldID = "secrets_management_1password_connect_token_env"
-	initSecretsManagementFieldServiceTokenEnv  initLinearFieldID = "secrets_management_1password_service_token_env"
-	initSecretsManagementFieldDesktopAccountID initLinearFieldID = "secrets_management_1password_desktop_account_id"
-	initSecretsManagementFieldDefault          initLinearFieldID = "secrets_management_default"
-	initSecretsManagementFieldAction           initLinearFieldID = "secrets_management_action"
-	initSecretsManagementSectionLegacy         initLinearFieldID = "secrets_management_section_legacy"
-	initSecretsManagementSectionProfile        initLinearFieldID = "secrets_management_section_profile"
-	initSecretsManagementSectionOnePassword    initLinearFieldID = "secrets_management_section_1password"
-	initSecretsManagementSectionConnect        initLinearFieldID = "secrets_management_section_connect"
-	initSecretsManagementSectionServiceAccount initLinearFieldID = "secrets_management_section_service_account"
-	initSecretsManagementSectionDesktop        initLinearFieldID = "secrets_management_section_desktop"
-	initSecretsManagementDefaultNo             string            = "no"
-	initSecretsManagementDefaultYes            string            = "yes"
-	initSecretsManagementActionDelete          string            = "delete"
+	initSecretsManagementFieldTarget            initLinearFieldID = "secrets_management_target"
+	initSecretsManagementFieldLabel             initLinearFieldID = "secrets_management_label"
+	initSecretsManagementFieldBackend           initLinearFieldID = "secrets_management_backend"
+	initSecretsManagementFieldVaultID           initLinearFieldID = "secrets_management_1password_vault_id"
+	initSecretsManagementFieldTimeout           initLinearFieldID = "secrets_management_1password_timeout"
+	initSecretsManagementFieldDesktopAccount    initLinearFieldID = "secrets_management_1password_desktop_account"
+	initSecretsManagementFieldDesktopVault      initLinearFieldID = "secrets_management_1password_desktop_vault"
+	initSecretsManagementFieldDesktopAccountURL initLinearFieldID = "secrets_management_1password_desktop_account_url"
+	initSecretsManagementFieldConnectHost       initLinearFieldID = "secrets_management_1password_connect_host"
+	initSecretsManagementFieldConnectTokenEnv   initLinearFieldID = "secrets_management_1password_connect_token_env"
+	initSecretsManagementFieldServiceTokenEnv   initLinearFieldID = "secrets_management_1password_service_token_env"
+	initSecretsManagementFieldDesktopAccountID  initLinearFieldID = "secrets_management_1password_desktop_account_id"
+	initSecretsManagementFieldAction            initLinearFieldID = "secrets_management_action"
+	initSecretsManagementSectionBuiltIn         initLinearFieldID = "secrets_management_section_builtin"
+	initSecretsManagementSectionProfile         initLinearFieldID = "secrets_management_section_profile"
+	initSecretsManagementSectionConnect         initLinearFieldID = "secrets_management_section_connect"
+	initSecretsManagementSectionServiceAccount  initLinearFieldID = "secrets_management_section_service_account"
+	initSecretsManagementActionDelete           string            = "delete"
 )
 
 const initSecretsManagementRestoreSelectionPrefix = "__restore_secrets_management__:"
@@ -51,31 +45,28 @@ type initPendingSecretsManagementDelete struct {
 }
 
 func (p huhInitKeyringBackendPrompter) editKeyringBackendLinear(prompt initKeyringBackendPrompt) (initKeyringBackendEdit, error) {
-	working := cloneInitConfigFile(prompt.Config)
+	working := config.Normalize(cloneInitConfigFile(prompt.Config))
+	discoveryMode := p.resolvedDiscoveryMode()
+	p.writeSecretsStorageDiscoveryNotice(discoveryMode)
+	desktopDiscovery := p.discoverOnePasswordDesktopForMode(discoveryMode)
+	p.writeSecretsStorageDiscoveryResults(discoveryMode, desktopDiscovery)
 	pendingDeletes := map[string]initPendingSecretsManagementDelete{}
 	pendingDeleteOrder := []string{}
 	for {
-		editor := initSecretsManagementLinearEditorWithPendingOrder(working, pendingDeletes, pendingDeleteOrder)
+		editor := initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(working, pendingDeletes, pendingDeleteOrder, desktopDiscovery)
 		model, err := p.runSecretsManagementEditor(editor)
 		if err != nil {
 			return initKeyringBackendEdit{}, err
 		}
 		switch model.resultAction {
 		case initDetailActionEdit:
-			return initSecretsManagementEditFromDocument(working, model.document)
+			return initSecretsManagementEditFromDocumentWithDiscovery(working, model.document, desktopDiscovery)
 		case initLinearResultActionDelete:
-			selection := model.document.selectedValue(initSecretsManagementFieldTarget)
-			profile, ok := working.Secrets.Profiles[selection]
-			if !ok {
-				return initKeyringBackendEdit{}, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, selection)
-			}
-			nextCfg, _, err := configedit.RemoveSecretsProfile(working, selection)
+			edit, err := initSecretsManagementDeleteEditFromDocument(working, model.document)
 			if err != nil {
 				return initKeyringBackendEdit{}, err
 			}
-			pendingDeletes[selection] = initPendingSecretsManagementDelete{ID: selection, Profile: profile}
-			pendingDeleteOrder = appendInitSecretsManagementPendingDeleteOrder(pendingDeleteOrder, selection)
-			working = nextCfg
+			return edit, nil
 		case initLinearResultActionRestore:
 			selection := model.document.selectedValue(initSecretsManagementFieldTarget)
 			id, ok := initSecretsManagementRestoreSelectionName(selection)
@@ -104,6 +95,26 @@ func (p huhInitKeyringBackendPrompter) editKeyringBackendLinear(prompt initKeyri
 	}
 }
 
+func (p huhInitKeyringBackendPrompter) writeSecretsStorageDiscoveryNotice(mode initSecretsBackendDiscoveryMode) {
+	if p.stderr == nil {
+		return
+	}
+	switch mode {
+	case initSecretsBackendDiscoveryModeSafe:
+		_, _ = fmt.Fprintln(p.stderr, "Checking available secrets storage backends.")
+		_, _ = fmt.Fprintln(p.stderr, "Only passive discovery is enabled; inventory probes are skipped.")
+	case initSecretsBackendDiscoveryModeOff:
+		_, _ = fmt.Fprintln(p.stderr, "Secrets backend discovery is disabled.")
+	case initSecretsBackendDiscoveryModeFull:
+		_, _ = fmt.Fprintln(p.stderr, "Checking available secrets storage backends.")
+		_, _ = fmt.Fprintln(p.stderr, "You may see permission prompts from 1Password, macOS, or your terminal app.")
+	default:
+		_, _ = fmt.Fprintln(p.stderr, "Checking available secrets storage backends.")
+		_, _ = fmt.Fprintln(p.stderr, "You may see permission prompts from 1Password, macOS, or your terminal app.")
+	}
+	_, _ = fmt.Fprintln(p.stderr)
+}
+
 func (p huhInitKeyringBackendPrompter) runSecretsManagementEditor(editor initLinearEditor) (initLinearEditorModel, error) {
 	if p.editorRunner != nil {
 		return p.editorRunner(editor, p.stdin, p.stderr)
@@ -129,41 +140,38 @@ func initSecretsManagementLinearEditorWithPending(cfg config.File, pendingDelete
 }
 
 func initSecretsManagementLinearEditorWithPendingOrder(cfg config.File, pendingDeletes map[string]initPendingSecretsManagementDelete, pendingDeleteOrder []string) initLinearEditor {
+	return initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg, pendingDeletes, pendingDeleteOrder, initOnePasswordDesktopDiscovery{})
+}
+
+func initSecretsManagementLinearEditorWithPendingOrderAndDiscovery(cfg config.File, pendingDeletes map[string]initPendingSecretsManagementDelete, pendingDeleteOrder []string, desktopDiscovery initOnePasswordDesktopDiscovery) initLinearEditor {
 	targetOptions := initSecretsManagementTargetOptions(cfg, pendingDeletes, pendingDeleteOrder)
 	selectedTarget := normalizeInitStringSelectionValue("", targetOptions)
 	var document initLinearDocument
-	document.addSection("Secrets management", initSecretsManagementInventoryDescription())
-	document.addEditableSelect(initSecretsManagementFieldTarget, "Secrets-management target", "", targetOptions, selectedTarget)
-	document.addSectionField(initSecretsManagementSectionLegacy, "Legacy fallback credential store", "Compatibility path for profiles that do not choose a named secrets-management profile.")
-	document.addEditableSelect(initSecretsManagementFieldLegacyBackend, "Fallback persistent backend", initLegacySecretsBackendFieldDescription(cfg.Keyring.Backend), initLegacySecretsBackendOptions(cfg.Keyring.Backend), strings.TrimSpace(cfg.Keyring.Backend))
-	document.addSectionField(initSecretsManagementSectionProfile, "Secrets-management profile", "Secrets-management profiles are reusable credential-store definitions that review profiles can choose later.")
+	document.addSection("Secrets storage", initSecretsManagementInventoryDescription())
+	document.addSectionField(initSecretsManagementSectionBuiltIn, "Built in", initSecretsManagementBuiltInSectionDescription())
+	document.addEditableSelect(initSecretsManagementFieldTarget, "Actions", "Configure a new credential store or edit a configured store.", targetOptions, selectedTarget)
+	document.addSectionField(initSecretsManagementSectionProfile, "Credential store details", "Configured credential stores are reusable destinations for secrets.")
+	document.addEditableSelect(initSecretsManagementFieldBackend, "Credential store backend", "", initSecretsProfileBackendOptions(config.SecretsBackendKind(credstore.BackendFile)), string(credstore.BackendFile))
+	document.addEditableSelect(initSecretsManagementFieldDesktopAccount, "1Password account", "Discovered from the local 1Password desktop app.", desktopDiscovery.AccountOptions(), initOnePasswordManualSelection)
+	document.addEditableSelect(initSecretsManagementFieldDesktopVault, "1Password vault", "Vaults available in the selected 1Password account. Choose manual entry if this list is incomplete.", desktopDiscovery.VaultOptions(initOnePasswordManualSelection), initOnePasswordManualSelection)
+	document.addEditableInput(initSecretsManagementFieldDesktopAccountURL, "1Password account URL", "Account sign-in address such as myorg.1password.com for organizational 1Password accounts, or my.1password.com for personal or family accounts. Required only when desktop discovery is unavailable or manual entry is selected.", "", validateOptionalDisplayName)
+	document.addEditableInput(initSecretsManagementFieldDesktopAccountID, "1Password account id (advanced)", "Advanced. Optional account id when you need to pin this profile to one signed-in 1Password desktop account.", "", validateOptionalDisplayName)
+	document.addEditableInput(initSecretsManagementFieldVaultID, "1Password vault name or id", "Required for every 1Password-backed credential store. Enter a vault name such as Personal, Employee, or My Vault, or enter a stable vault ID.", "", nil)
 	document.addEditableInput(
 		initSecretsManagementFieldLabel,
-		"Secrets-management profile label",
-		"Choose a human-friendly label for this secrets-management profile. This is what the init menus will show later.",
+		"Credential store name",
+		"Choose a human-friendly name for this credential store.",
 		"",
 		validateOptionalDisplayName,
 	)
-	document.addEditableSelect(initSecretsManagementFieldBackend, "Secrets-management backend", "", initSecretsProfileBackendOptions(config.SecretsBackendKind(credstore.BackendKeychain)), string(credstore.BackendKeychain))
-	document.addSectionField(initSecretsManagementSectionOnePassword, "1Password details", "These are non-secret 1Password settings. Tokens are referenced by environment variable name, not collected here.")
-	document.addEditableInput(initSecretsManagementFieldVaultID, "1Password vault name or id", "Required for every 1Password-backed secrets-management profile. Enter a vault name such as Personal, Employee, or My Vault, or enter a stable vault ID. If you have the 1Password CLI installed, `op vault list --format=json` can help inspect available vaults.", "", nil)
-	document.addEditableInput(initSecretsManagementFieldItemFieldTitle, "1Password secret name", "Optional name for the field that stores the secret inside each cr-managed 1Password item. Leave blank to use the backend default.", "", validateOptionalDisplayName)
-	document.addEditableInput(initSecretsManagementFieldItemTag, "1Password item tag", "Optional tag added to cr-managed 1Password items so the backend can find only the items it owns.", "", validateOptionalDisplayName)
-	document.addEditableInput(initSecretsManagementFieldItemTitlePrefix, "1Password item title prefix (advanced)", "Advanced. Prefix for generated 1Password item titles. Leave blank to use the backend default naming convention.", "", validateOptionalDisplayName)
 	document.addEditableInput(initSecretsManagementFieldTimeout, "1Password request timeout", "How long cr waits for one 1Password backend request before failing. Leave the default unless your 1Password integration is unusually slow.", "", validateOptionalDuration)
 	document.addSectionField(initSecretsManagementSectionConnect, "1Password Connect", "Required only for 1Password Connect profiles.")
 	document.addEditableInput(initSecretsManagementFieldConnectHost, "1Password Connect host", "Required only for 1Password Connect profiles.", "", nil)
 	document.addEditableInput(initSecretsManagementFieldConnectTokenEnv, "1Password Connect token env var", "Environment variable that holds the 1Password Connect token.", "", validateOptionalDisplayName)
 	document.addSectionField(initSecretsManagementSectionServiceAccount, "1Password service account", "Required only for 1Password service-account profiles.")
 	document.addEditableInput(initSecretsManagementFieldServiceTokenEnv, "1Password service token env var", "Environment variable that holds the 1Password service-account token.", "", validateOptionalDisplayName)
-	document.addSectionField(initSecretsManagementSectionDesktop, "1Password desktop", "Optional desktop integration settings.")
-	document.addEditableInput(initSecretsManagementFieldDesktopAccountID, "1Password desktop account id (advanced)", "Advanced. Optional account id when you need to pin this profile to one signed-in 1Password desktop account. Most users should leave this blank.", "", validateOptionalDisplayName)
-	document.addEditableSelect(initSecretsManagementFieldDefault, "Default secrets-management profile", "", []huh.Option[string]{
-		huh.NewOption("No, keep the current default secrets-management profile", initSecretsManagementDefaultNo),
-		huh.NewOption("Yes, make this the default secrets-management profile", initSecretsManagementDefaultYes),
-	}, initSecretsManagementDefaultNo)
-	document.addEditableSelect(initSecretsManagementFieldAction, "Secrets-management action", "", []huh.Option[string]{
-		huh.NewOption("Stage secrets-management settings", initDetailActionEdit),
+	document.addEditableSelect(initSecretsManagementFieldAction, "Secrets-storage action", "", []huh.Option[string]{
+		huh.NewOption("Stage secrets-storage settings", initDetailActionEdit),
 		huh.NewOption("Back without staging", initDetailActionBack),
 	}, initDetailActionEdit)
 	editor := initLinearEditor{
@@ -174,15 +182,11 @@ func initSecretsManagementLinearEditorWithPendingOrder(cfg config.File, pendingD
 			}
 			id := model.document[index].ID
 			if id == initSecretsManagementFieldTarget {
-				initSecretsManagementSyncLinearFields(model, cfg, pendingDeletes, pendingDeleteOrder, true)
+				initSecretsManagementSyncLinearFields(model, cfg, pendingDeletes, pendingDeleteOrder, desktopDiscovery, true)
 				return
 			}
-			if id == initSecretsManagementFieldBackend {
-				initSecretsManagementSyncLinearFields(model, cfg, pendingDeletes, pendingDeleteOrder, false)
-				return
-			}
-			if id == initSecretsManagementFieldLegacyBackend {
-				initSecretsManagementSyncLinearFields(model, cfg, pendingDeletes, pendingDeleteOrder, false)
+			if id == initSecretsManagementFieldBackend || id == initSecretsManagementFieldDesktopAccount || id == initSecretsManagementFieldDesktopVault {
+				initSecretsManagementSyncLinearFields(model, cfg, pendingDeletes, pendingDeleteOrder, desktopDiscovery, false)
 			}
 		},
 		OnEnter: func(model *initLinearEditorModel) (bool, tea.Cmd) {
@@ -198,7 +202,7 @@ func initSecretsManagementLinearEditorWithPendingOrder(cfg config.File, pendingD
 				model.resultAction = initDetailActionBack
 				return true, tea.Quit
 			case initDetailActionEdit:
-				if _, err := initSecretsManagementEditFromDocument(cfg, model.document); err != nil {
+				if _, err := initSecretsManagementEditFromDocumentWithDiscovery(cfg, model.document, desktopDiscovery); err != nil {
 					model.document[model.focused].Error = err.Error()
 					model.relayout()
 					model.ensureFocusedVisible()
@@ -207,7 +211,7 @@ func initSecretsManagementLinearEditorWithPendingOrder(cfg config.File, pendingD
 				model.resultAction = initDetailActionEdit
 				return true, tea.Quit
 			case initSecretsManagementActionDelete:
-				if _, err := initSecretsManagementEditFromDocument(cfg, model.document); err != nil {
+				if _, err := initSecretsManagementEditFromDocumentWithDiscovery(cfg, model.document, desktopDiscovery); err != nil {
 					model.document[model.focused].Error = err.Error()
 					model.relayout()
 					model.ensureFocusedVisible()
@@ -221,7 +225,7 @@ func initSecretsManagementLinearEditorWithPendingOrder(cfg config.File, pendingD
 		},
 	}
 	model := newInitLinearEditorModel(editor, 100, 28)
-	initSecretsManagementSyncLinearFields(&model, cfg, pendingDeletes, pendingDeleteOrder, true)
+	initSecretsManagementSyncLinearFields(&model, cfg, pendingDeletes, pendingDeleteOrder, desktopDiscovery, true)
 	editor.Document = model.document
 	return editor
 }
@@ -231,11 +235,11 @@ func initSecretsManagementTargetOptions(cfg config.File, pendingDeletes map[stri
 	options := make([]huh.Option[string], 0, len(rows)+len(pendingDeletes))
 	commandOptions := make([]huh.Option[string], 0, len(rows))
 	for _, row := range rows {
-		if row.ID == initBackSelection || !row.Selectable {
+		if row.ID == initBackSelection || row.ID == config.LocalOSCredentialStoreID || !row.Selectable {
 			continue
 		}
 		option := huh.NewOption(row.Title, row.ID)
-		if row.Kind == initInventoryRowKindActive && row.ID != initSecretsManagementLegacySelection {
+		if row.Kind == initInventoryRowKindActive {
 			options = append(options, option)
 			continue
 		}
@@ -250,6 +254,15 @@ func initSecretsManagementTargetOptions(cfg config.File, pendingDeletes map[stri
 	return dedupeInitStringOptions(options)
 }
 
+func initSecretsManagementBuiltInSectionDescription() string {
+	description := strings.TrimSpace(initBuiltInOSCredentialStoreDescription())
+	prefix := "These built-in credential stores are always available and cannot be deleted:\n\n"
+	if description == "" {
+		return prefix + initBuiltInOSCredentialStoreTitle()
+	}
+	return fmt.Sprintf("%s%s        %s", prefix, initBuiltInOSCredentialStoreTitle(), description)
+}
+
 func orderedInitSecretsManagementPendingDeleteIDs(pendingDeletes map[string]initPendingSecretsManagementDelete, pendingDeleteOrder []string) []string {
 	if len(pendingDeletes) == 0 {
 		return nil
@@ -272,11 +285,6 @@ func orderedInitSecretsManagementPendingDeleteIDs(pendingDeletes map[string]init
 	return append(ordered, remainder...)
 }
 
-func appendInitSecretsManagementPendingDeleteOrder(order []string, id string) []string {
-	order = removeInitSecretsManagementPendingDeleteOrder(order, id)
-	return append(order, id)
-}
-
 func removeInitSecretsManagementPendingDeleteOrder(order []string, id string) []string {
 	next := order[:0]
 	for _, existing := range order {
@@ -288,12 +296,11 @@ func removeInitSecretsManagementPendingDeleteOrder(order []string, id string) []
 }
 
 type initSecretsManagementSelectionState struct {
-	Profile   config.SecretsProfile
-	ID        string
-	IsDefault bool
-	Creating  bool
-	Legacy    bool
-	Pending   bool
+	Profile  config.SecretsProfile
+	ID       string
+	Creating bool
+	BuiltIn  bool
+	Pending  bool
 }
 
 func initSecretsManagementSelectionStateForDocument(cfg config.File, document initLinearDocument) (initSecretsManagementSelectionState, error) {
@@ -301,8 +308,9 @@ func initSecretsManagementSelectionStateForDocument(cfg config.File, document in
 }
 
 func initSecretsManagementSelectionStateForSelection(cfg config.File, selection string) (initSecretsManagementSelectionState, error) {
-	if selection == initSecretsManagementLegacySelection {
-		return initSecretsManagementSelectionState{Legacy: true}, nil
+	cfg = config.Normalize(cfg)
+	if selection == config.LocalOSCredentialStoreID {
+		return initSecretsManagementSelectionState{ID: config.LocalOSCredentialStoreID, BuiltIn: true}, nil
 	}
 	if kind, ok := initSecretsProfileSelectionKind(selection); ok {
 		return initSecretsManagementSelectionState{
@@ -313,40 +321,37 @@ func initSecretsManagementSelectionStateForSelection(cfg config.File, selection
 	if id, ok := initSecretsManagementRestoreSelectionName(selection); ok {
 		return initSecretsManagementSelectionState{ID: id, Pending: true}, nil
 	}
-	profile, ok := cfg.Secrets.Profiles[selection]
+	profile, ok := cfg.Secrets.Stores[selection]
 	if !ok {
 		return initSecretsManagementSelectionState{}, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, selection)
 	}
 	return initSecretsManagementSelectionState{
-		Profile:   profile,
-		ID:        selection,
-		IsDefault: strings.TrimSpace(cfg.Secrets.DefaultProfile) == selection,
+		Profile: profile,
+		ID:      selection,
 	}, nil
 }
 
-func initSecretsManagementSyncLinearFields(model *initLinearEditorModel, cfg config.File, pendingDeletes map[string]initPendingSecretsManagementDelete, pendingDeleteOrder []string, resetDetails bool) {
+func initSecretsManagementSyncLinearFields(model *initLinearEditorModel, cfg config.File, pendingDeletes map[string]initPendingSecretsManagementDelete, pendingDeleteOrder []string, desktopDiscovery initOnePasswordDesktopDiscovery, resetDetails bool) {
 	state, err := initSecretsManagementSelectionStateForDocument(cfg, model.document)
 	if err != nil {
 		return
 	}
 	initSecretsManagementSetTargetOptions(model, cfg, pendingDeletes, pendingDeleteOrder, model.document.selectedValue(initSecretsManagementFieldTarget))
-	profileSectionVisible := !state.Legacy
-	profileVisible := profileSectionVisible && !state.Pending
-	model.setFieldHidden(initSecretsManagementSectionLegacy, !state.Legacy)
-	model.setFieldHidden(initSecretsManagementFieldLegacyBackend, !state.Legacy)
-	model.setFieldHidden(initSecretsManagementSectionProfile, !profileSectionVisible)
+	profileVisible := !state.Pending && !state.BuiltIn
+	allowEdit := profileVisible || state.Pending
+	model.setFieldHidden(initSecretsManagementSectionProfile, false)
 	model.setFieldHidden(initSecretsManagementFieldLabel, !profileVisible)
 	model.setFieldHidden(initSecretsManagementFieldBackend, !profileVisible || state.Creating)
-	model.setFieldHidden(initSecretsManagementFieldDefault, !profileVisible)
-	initSecretsManagementSetActionOptions(model, !state.Creating && !state.Legacy && !state.Pending)
-	if state.Legacy {
-		model.setFieldDescription(initSecretsManagementFieldLegacyBackend, initLegacySecretsBackendFieldDescription(model.document.selectedValue(initSecretsManagementFieldLegacyBackend)))
+	initSecretsManagementSetActionOptions(model, allowEdit)
+	if state.BuiltIn {
+		model.setFieldDescription(initSecretsManagementSectionProfile, initSecretsManagementProfileSectionDescription(model.document, state))
 		initSecretsManagementSetOnePasswordHidden(model, true, true, true, true)
+		model.selectFieldValue(initSecretsManagementFieldAction, initDetailActionBack)
 		return
 	}
 	if state.Pending {
 		model.setFieldHidden(initSecretsManagementFieldAction, false)
-		model.setFieldDescription(initSecretsManagementSectionProfile, "This secrets-management profile is staged for deletion. Press r while it is selected to restore it.")
+		model.setFieldDescription(initSecretsManagementSectionProfile, "This credential store is staged for deletion. Press r while it is selected to restore it.")
 		initSecretsManagementSetOnePasswordHidden(model, true, true, true, true)
 		return
 	}
@@ -362,24 +367,24 @@ func initSecretsManagementSyncLinearFields(model *initLinearEditorModel, cfg con
 		model.setFieldValue(initSecretsManagementFieldLabel, labelSeed.DisplayValue)
 		initSecretsManagementSetBackendOptions(model, profile.Backend.Kind, state.Creating)
 		model.selectFieldValue(initSecretsManagementFieldBackend, string(profile.Backend.Kind))
-		useDefault := initSecretsManagementDefaultNo
-		if state.IsDefault {
-			useDefault = initSecretsManagementDefaultYes
-		}
-		model.selectFieldValue(initSecretsManagementFieldDefault, useDefault)
 		onePassword := config.SecretsProfileOnePasswordConfig{}
 		if profile.Backend.OnePassword != nil {
 			onePassword = *profile.Backend.OnePassword
 		}
 		model.setFieldValue(initSecretsManagementFieldVaultID, onePassword.VaultID)
 		model.setFieldValue(initSecretsManagementFieldTimeout, onePassword.Timeout)
-		model.setFieldValue(initSecretsManagementFieldItemTitlePrefix, onePassword.ItemTitlePrefix)
-		model.setFieldValue(initSecretsManagementFieldItemTag, onePassword.ItemTag)
-		model.setFieldValue(initSecretsManagementFieldItemFieldTitle, onePassword.ItemFieldTitle)
+		model.setFieldValue(initSecretsManagementFieldDesktopAccountURL, onePassword.AccountURL)
+		accountID := onePassword.AccountID
+		if accountID == "" {
+			accountID = onePassword.DesktopAccountID
+		}
+		model.setFieldValue(initSecretsManagementFieldDesktopAccountID, accountID)
+		accountSelection := desktopDiscovery.AccountSelectionFor(accountID, onePassword.AccountURL)
+		vaultSelection := desktopDiscovery.VaultSelectionFor(accountSelection, onePassword.VaultID, onePassword.VaultName)
+		initSecretsManagementSetDesktopDiscoveryOptions(model, desktopDiscovery, accountSelection, vaultSelection)
 		model.setFieldValue(initSecretsManagementFieldConnectHost, onePassword.ConnectHost)
 		model.setFieldValue(initSecretsManagementFieldConnectTokenEnv, onePassword.ConnectTokenEnv)
 		model.setFieldValue(initSecretsManagementFieldServiceTokenEnv, onePassword.ServiceTokenEnv)
-		model.setFieldValue(initSecretsManagementFieldDesktopAccountID, onePassword.DesktopAccountID)
 	}
 	kind := config.SecretsBackendKind(model.document.selectedValue(initSecretsManagementFieldBackend))
 	if state.Creating {
@@ -393,14 +398,26 @@ func initSecretsManagementSyncLinearFields(model *initLinearEditorModel, cfg con
 	opService := kind == config.SecretsBackendKind(credstore.BackendOP)
 	opDesktop := kind == config.SecretsBackendKind(credstore.BackendOPDesktop)
 	initSecretsManagementSetOnePasswordHidden(model, !onePassword, !opConnect, !opService, !opDesktop)
-	model.setFieldHidden(initSecretsManagementFieldTimeout, !opService && !opDesktop)
-	if onePassword && strings.TrimSpace(model.document.fieldValue(initSecretsManagementFieldItemTitlePrefix)) == "" {
-		model.setFieldHidden(initSecretsManagementFieldItemTitlePrefix, true)
+	if opDesktop {
+		initSecretsManagementSetDesktopDiscoveryOptions(model, desktopDiscovery, model.document.selectedValue(initSecretsManagementFieldDesktopAccount), model.document.selectedValue(initSecretsManagementFieldDesktopVault))
 	}
-	if opDesktop && strings.TrimSpace(model.document.fieldValue(initSecretsManagementFieldDesktopAccountID)) == "" {
-		model.setFieldHidden(initSecretsManagementFieldDesktopAccountID, true)
+	model.setFieldHidden(initSecretsManagementFieldTimeout, !opService && !opDesktop)
+	discoveredDesktop := opDesktop && desktopDiscovery.HasAccountChoices()
+	accountSelection := model.document.selectedValue(initSecretsManagementFieldDesktopAccount)
+	vaultSelection := model.document.selectedValue(initSecretsManagementFieldDesktopVault)
+	manualAccount := opDesktop && (!discoveredDesktop || accountSelection == initOnePasswordManualSelection)
+	manualVault := manualAccount || vaultSelection == initOnePasswordManualSelection
+	if opDesktop && state.Creating {
+		initSecretsManagementSyncDesktopLabel(model, desktopDiscovery)
+	}
+	model.setFieldHidden(initSecretsManagementFieldDesktopAccount, !discoveredDesktop)
+	model.setFieldHidden(initSecretsManagementFieldDesktopVault, !discoveredDesktop || manualAccount)
+	model.setFieldHidden(initSecretsManagementFieldDesktopAccountURL, !manualAccount)
+	model.setFieldHidden(initSecretsManagementFieldDesktopAccountID, !manualAccount)
+	model.setFieldHidden(initSecretsManagementFieldVaultID, !onePassword || (discoveredDesktop && !manualVault))
+	if opDesktop {
+		model.setFieldDescription(initSecretsManagementFieldDesktopVault, initSecretsManagementDesktopVaultDescription(desktopDiscovery, accountSelection))
 	}
-	model.setFieldHidden(initSecretsManagementSectionDesktop, !opDesktop || model.document.fieldHidden(initSecretsManagementFieldDesktopAccountID))
 }
 
 func initSecretsManagementSetTargetOptions(model *initLinearEditorModel, cfg config.File, pendingDeletes map[string]initPendingSecretsManagementDelete, pendingDeleteOrder []string, selected string) {
@@ -408,11 +425,12 @@ func initSecretsManagementSetTargetOptions(model *initLinearEditorModel, cfg con
 	if index < 0 {
 		return
 	}
+	cfg = config.Normalize(cfg)
 	options := initLinearOptionsFromHuh(initSecretsManagementTargetOptions(cfg, pendingDeletes, pendingDeleteOrder), selected)
 	for optionIndex := range options {
 		option := &options[optionIndex]
-		if _, configured := cfg.Secrets.Profiles[option.Value]; configured {
-			option.Deletable = strings.TrimSpace(cfg.Secrets.DefaultProfile) != option.Value
+		if _, configured := cfg.Secrets.Stores[option.Value]; configured {
+			option.Deletable = option.Value != config.LocalOSCredentialStoreID
 		}
 		if _, restorable := initSecretsManagementRestoreSelectionName(option.Value); restorable {
 			option.Restorable = true
@@ -441,16 +459,60 @@ func initSecretsManagementSetBackendOptions(model *initLinearEditorModel, curren
 	model.document[index].Options = initLinearOptionsFromHuh(initSecretsProfileBackendOptions(current), selected)
 }
 
-func initSecretsManagementSetActionOptions(model *initLinearEditorModel, _ bool) {
+func initSecretsManagementSetDesktopDiscoveryOptions(model *initLinearEditorModel, discovery initOnePasswordDesktopDiscovery, accountSelection, vaultSelection string) {
+	accountIndex := model.document.fieldIndexByID(initSecretsManagementFieldDesktopAccount)
+	if accountIndex >= 0 {
+		model.document[accountIndex].Options = discovery.LinearAccountOptions(accountSelection)
+		accountSelection = model.document.selectedValue(initSecretsManagementFieldDesktopAccount)
+	}
+	vaultIndex := model.document.fieldIndexByID(initSecretsManagementFieldDesktopVault)
+	if vaultIndex >= 0 {
+		model.document[vaultIndex].Options = discovery.LinearVaultOptions(accountSelection, vaultSelection)
+	}
+}
+
+func initSecretsManagementDesktopVaultDescription(discovery initOnePasswordDesktopDiscovery, accountSelection string) string {
+	if discovery.HasAccountChoices() {
+		if account, ok := discovery.Account(accountSelection); ok {
+			if len(account.Vaults) == 0 {
+				return fmt.Sprintf("Account: %s. No vaults were discovered; enter a vault manually.", account.Label())
+			}
+			return fmt.Sprintf("Account: %s. Choose a vault below:", account.Label())
+		}
+	}
+	return "Vaults available in the selected 1Password account. Choose manual entry if this list is incomplete."
+}
+
+func initSecretsManagementSyncDesktopLabel(model *initLinearEditorModel, discovery initOnePasswordDesktopDiscovery) {
+	account, ok := discovery.Account(model.document.selectedValue(initSecretsManagementFieldDesktopAccount))
+	if !ok {
+		return
+	}
+	next := initOnePasswordDesktopCredentialStoreLabel(account)
+	if next == "" {
+		return
+	}
+	current := strings.TrimSpace(model.document.fieldValue(initSecretsManagementFieldLabel))
+	if current != "" && current != "1Password" && current != next && !discovery.GeneratedDesktopCredentialStoreLabel(current) {
+		return
+	}
+	model.setFieldValue(initSecretsManagementFieldLabel, next)
+}
+
+func initSecretsManagementSetActionOptions(model *initLinearEditorModel, allowEdit bool) {
 	index := model.document.fieldIndexByID(initSecretsManagementFieldAction)
 	if index < 0 {
 		return
 	}
 	selected := model.document.selectedValue(initSecretsManagementFieldAction)
 	options := []huh.Option[string]{
-		huh.NewOption("Stage secrets-management settings", initDetailActionEdit),
 		huh.NewOption("Back without staging", initDetailActionBack),
 	}
+	if allowEdit {
+		options = append([]huh.Option[string]{
+			huh.NewOption("Stage secrets-storage settings", initDetailActionEdit),
+		}, options...)
+	}
 	if selected == initSecretsManagementActionDelete {
 		selected = initDetailActionEdit
 	}
@@ -471,15 +533,22 @@ func initSecretsManagementBackendOptionLabel(kind config.SecretsBackendKind) str
 func initSecretsManagementProfileSectionDescription(document initLinearDocument, state initSecretsManagementSelectionState) string {
 	target := initSecretsManagementSelectedOptionLabel(document, initSecretsManagementFieldTarget)
 	if state.Pending && target != "" {
-		return fmt.Sprintf("Selected target: %s. This profile is staged for deletion. Press r to restore it.", target)
+		return fmt.Sprintf("Selected target: %s. This credential store is staged for deletion. Press r to restore it.", target)
+	}
+	if state.BuiltIn && target != "" {
+		description := strings.TrimSpace(initBuiltInOSCredentialStoreDescription())
+		if description != "" {
+			return fmt.Sprintf("Selected target: %s, %s. This built-in credential store is always available and cannot be deleted.", target, description)
+		}
+		return fmt.Sprintf("Selected target: %s. This built-in credential store is always available and cannot be deleted.", target)
 	}
 	if state.Creating && target != "" {
-		return fmt.Sprintf("Selected target: %s. Fields below configure that new secrets-management profile.", target)
+		return fmt.Sprintf("Selected target: %s. Fields below configure that new credential store.", target)
 	}
 	if state.ID != "" && target != "" {
-		return fmt.Sprintf("Selected target: %s. Fields below edit this configured secrets-management profile.", target)
+		return fmt.Sprintf("Selected target: %s. Fields below edit this configured credential store.", target)
 	}
-	return "Secrets-management profiles are reusable credential-store definitions that review profiles can choose later."
+	return "Configured credential stores are reusable destinations for secrets."
 }
 
 func initSecretsManagementRestoreSelectionName(selection string) (string, bool) {
@@ -492,7 +561,7 @@ func initSecretsManagementRestoreSelectionName(selection string) (string, bool)
 func initSecretsProfilePendingDeleteTitle(id string, profile config.SecretsProfile) string {
 	return initSecretsProfileInventoryTitle(config.EffectiveSecretsProfile{
 		ID:      id,
-		Label:   profile.Label,
+		Label:   profile.DisplayName,
 		Backend: string(profile.Backend.Kind),
 		Source:  config.EffectiveSecretsProfileSourceConfigured,
 	})
@@ -503,19 +572,7 @@ func initSecretsManagementBackendFieldDescription(kind config.SecretsBackendKind
 	if locked {
 		return strings.TrimSpace(description + " This backend is fixed by the selected create-new target; choose a different target above to create a different backend type.")
 	}
-	return strings.TrimSpace(description + " Use Up/Down here to change the backend for this configured secrets-management profile.")
-}
-
-func initLegacySecretsBackendFieldDescription(backend string) string {
-	trimmed := strings.TrimSpace(backend)
-	if trimmed == "" {
-		return "Use the platform credential store chosen by the OS, such as macOS Keychain on macOS, Windows Credential Manager on Windows, or Linux Secret Service on Linux."
-	}
-	description := strings.TrimSpace(initSecretsBackendDescription(config.SecretsBackendKind(trimmed)))
-	if description == "" {
-		return "Compatibility backend used only by profiles that do not choose a named secrets-management profile."
-	}
-	return strings.TrimSpace(description + " This is the legacy fallback backend for profiles without a named secrets-management profile.")
+	return strings.TrimSpace(description + " Use Up/Down here to change the backend for this configured credential store.")
 }
 
 func initSecretsManagementSelectedOptionLabel(document initLinearDocument, id initLinearFieldID) string {
@@ -532,37 +589,54 @@ func initSecretsManagementSelectedOptionLabel(document initLinearDocument, id in
 }
 
 func initSecretsManagementSetOnePasswordHidden(model *initLinearEditorModel, hideOnePassword bool, hideConnect bool, hideService bool, hideDesktop bool) {
-	model.setFieldHidden(initSecretsManagementSectionOnePassword, hideOnePassword)
 	model.setFieldHidden(initSecretsManagementFieldVaultID, hideOnePassword)
-	model.setFieldHidden(initSecretsManagementFieldItemTitlePrefix, hideOnePassword)
-	model.setFieldHidden(initSecretsManagementFieldItemTag, hideOnePassword)
-	model.setFieldHidden(initSecretsManagementFieldItemFieldTitle, hideOnePassword)
 	model.setFieldHidden(initSecretsManagementSectionConnect, hideOnePassword || hideConnect)
 	model.setFieldHidden(initSecretsManagementFieldConnectHost, hideOnePassword || hideConnect)
 	model.setFieldHidden(initSecretsManagementFieldConnectTokenEnv, hideOnePassword || hideConnect)
 	model.setFieldHidden(initSecretsManagementSectionServiceAccount, hideOnePassword || hideService)
 	model.setFieldHidden(initSecretsManagementFieldServiceTokenEnv, hideOnePassword || hideService)
-	model.setFieldHidden(initSecretsManagementSectionDesktop, hideOnePassword || hideDesktop)
+	model.setFieldHidden(initSecretsManagementFieldDesktopAccount, hideOnePassword || hideDesktop)
+	model.setFieldHidden(initSecretsManagementFieldDesktopVault, hideOnePassword || hideDesktop)
+	model.setFieldHidden(initSecretsManagementFieldDesktopAccountURL, hideOnePassword || hideDesktop)
 	model.setFieldHidden(initSecretsManagementFieldDesktopAccountID, hideOnePassword || hideDesktop)
 	model.setFieldHidden(initSecretsManagementFieldTimeout, hideOnePassword)
 }
 
 func initSecretsManagementEditFromDocument(cfg config.File, document initLinearDocument) (initKeyringBackendEdit, error) {
+	return initSecretsManagementEditFromDocumentWithDiscovery(cfg, document, initOnePasswordDesktopDiscovery{})
+}
+
+func initSecretsManagementDeleteEditFromDocument(cfg config.File, document initLinearDocument) (initKeyringBackendEdit, error) {
 	state, err := initSecretsManagementSelectionStateForDocument(cfg, document)
 	if err != nil {
 		return initKeyringBackendEdit{}, err
 	}
-	working := cloneInitConfigFile(cfg)
-	if state.Legacy {
-		working.Keyring.Backend = strings.TrimSpace(document.selectedValue(initSecretsManagementFieldLegacyBackend))
-		return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: config.Normalize(working)}, nil
+	if state.Creating || state.BuiltIn || state.Pending || state.ID == "" {
+		return initKeyringBackendEdit{}, fmt.Errorf("only configured credential stores can be deleted")
+	}
+	working := config.Normalize(cloneInitConfigFile(cfg))
+	nextCfg, _, err := configedit.RemoveSecretsProfile(working, state.ID)
+	if err != nil {
+		return initKeyringBackendEdit{}, err
+	}
+	return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: nextCfg}, nil
+}
+
+func initSecretsManagementEditFromDocumentWithDiscovery(cfg config.File, document initLinearDocument, desktopDiscovery initOnePasswordDesktopDiscovery) (initKeyringBackendEdit, error) {
+	state, err := initSecretsManagementSelectionStateForDocument(cfg, document)
+	if err != nil {
+		return initKeyringBackendEdit{}, err
+	}
+	working := config.Normalize(cloneInitConfigFile(cfg))
+	if state.BuiltIn {
+		return initKeyringBackendEdit{}, nil
 	}
 	if state.Pending {
 		return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: config.Normalize(working)}, nil
 	}
 	if document.selectedValue(initSecretsManagementFieldAction) == initSecretsManagementActionDelete {
 		if state.Creating || state.ID == "" {
-			return initKeyringBackendEdit{}, fmt.Errorf("only configured secrets-management profiles can be deleted")
+			return initKeyringBackendEdit{}, fmt.Errorf("only configured credential stores can be deleted")
 		}
 		nextCfg, _, err := configedit.RemoveSecretsProfile(working, state.ID)
 		if err != nil {
@@ -570,7 +644,7 @@ func initSecretsManagementEditFromDocument(cfg config.File, document initLinearD
 		}
 		return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: nextCfg}, nil
 	}
-	edit, err := initSecretsManagementProfileEditFromDocument(state, document)
+	edit, err := initSecretsManagementProfileEditFromDocument(state, document, desktopDiscovery)
 	if err != nil {
 		return initKeyringBackendEdit{}, err
 	}
@@ -585,12 +659,6 @@ func initSecretsManagementEditFromDocument(cfg config.File, document initLinearD
 		if err != nil {
 			return initKeyringBackendEdit{}, err
 		}
-		if edit.UseDefault {
-			nextCfg, _, err = configedit.SetDefaultSecretsProfile(nextCfg, id)
-		}
-		if err != nil {
-			return initKeyringBackendEdit{}, err
-		}
 		return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: nextCfg}, nil
 	}
 	patch := configedit.SecretsProfilePatch{Backend: &edit.Backend}
@@ -604,18 +672,10 @@ func initSecretsManagementEditFromDocument(cfg config.File, document initLinearD
 	if err != nil {
 		return initKeyringBackendEdit{}, err
 	}
-	if edit.UseDefault {
-		nextCfg, _, err = configedit.SetDefaultSecretsProfile(nextCfg, state.ID)
-	} else if strings.TrimSpace(working.Secrets.DefaultProfile) == state.ID {
-		nextCfg, _, err = configedit.UnsetDefaultSecretsProfile(nextCfg)
-	}
-	if err != nil {
-		return initKeyringBackendEdit{}, err
-	}
 	return initKeyringBackendEdit{Apply: true, HasConfigEdit: true, Config: nextCfg}, nil
 }
 
-func initSecretsManagementProfileEditFromDocument(state initSecretsManagementSelectionState, document initLinearDocument) (initSecretsProfileEditorResult, error) {
+func initSecretsManagementProfileEditFromDocument(state initSecretsManagementSelectionState, document initLinearDocument, desktopDiscovery initOnePasswordDesktopDiscovery) (initSecretsProfileEditorResult, error) {
 	profile := state.Profile
 	if strings.TrimSpace(string(profile.Backend.Kind)) == "" {
 		profile.Backend = normalizeInitSecretsProfileBackend(config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendKeychain)})
@@ -630,8 +690,32 @@ func initSecretsManagementProfileEditFromDocument(state initSecretsManagementSel
 	kindValue := document.selectedValue(initSecretsManagementFieldBackend)
 	kind := config.SecretsBackendKind(kindValue)
 	vaultValue := document.fieldValue(initSecretsManagementFieldVaultID)
+	vaultName := ""
+	accountID := document.fieldValue(initSecretsManagementFieldDesktopAccountID)
+	accountURL := document.fieldValue(initSecretsManagementFieldDesktopAccountURL)
+	accountSelection := document.selectedValue(initSecretsManagementFieldDesktopAccount)
+	vaultSelection := document.selectedValue(initSecretsManagementFieldDesktopVault)
+	discoveredDesktop := kind == config.SecretsBackendKind(credstore.BackendOPDesktop) && desktopDiscovery.HasVaultChoices()
+	if discoveredDesktop && accountSelection != initOnePasswordManualSelection {
+		if selection, ok := desktopDiscovery.AccountSelection(accountSelection); ok {
+			accountID = selection.AccountID
+			accountURL = selection.AccountURL
+		}
+		if vaultSelection != initOnePasswordManualSelection {
+			if selection, ok := desktopDiscovery.AccountVaultSelection(accountSelection, vaultSelection); ok {
+				accountID = selection.AccountID
+				accountURL = selection.AccountURL
+				vaultValue = selection.VaultID
+				vaultName = selection.VaultName
+			}
+		}
+	}
 	if config.IsOnePasswordSecretsBackend(kind) {
-		if err := validateInitSecretsRequiredSingleLine(vaultValue, true, "1Password vault name or id"); err != nil {
+		requiresVault := true
+		if discoveredDesktop && accountSelection != initOnePasswordManualSelection && vaultSelection != initOnePasswordManualSelection {
+			requiresVault = false
+		}
+		if err := validateInitSecretsRequiredSingleLine(vaultValue, requiresVault, "1Password vault name or id"); err != nil {
 			return initSecretsProfileEditorResult{}, err
 		}
 	}
@@ -645,34 +729,30 @@ func initSecretsManagementProfileEditFromDocument(state initSecretsManagementSel
 		validate func(string) error
 	}{
 		{initSecretsManagementFieldTimeout, validateOptionalDuration},
-		{initSecretsManagementFieldItemTitlePrefix, validateOptionalDisplayName},
-		{initSecretsManagementFieldItemTag, validateOptionalDisplayName},
-		{initSecretsManagementFieldItemFieldTitle, validateOptionalDisplayName},
 		{initSecretsManagementFieldConnectTokenEnv, validateOptionalDisplayName},
 		{initSecretsManagementFieldServiceTokenEnv, validateOptionalDisplayName},
+		{initSecretsManagementFieldDesktopAccountURL, validateOptionalDisplayName},
 		{initSecretsManagementFieldDesktopAccountID, validateOptionalDisplayName},
 	} {
 		if err := field.validate(document.fieldValue(field.id)); err != nil {
 			return initSecretsProfileEditorResult{}, err
 		}
 	}
-	backend := initSecretsProfileBackendFromInputs(
-		kindValue,
-		document.fieldValue(initSecretsManagementFieldTimeout),
-		vaultValue,
-		document.fieldValue(initSecretsManagementFieldItemTitlePrefix),
-		document.fieldValue(initSecretsManagementFieldItemTag),
-		document.fieldValue(initSecretsManagementFieldItemFieldTitle),
-		document.fieldValue(initSecretsManagementFieldConnectHost),
-		document.fieldValue(initSecretsManagementFieldConnectTokenEnv),
-		document.fieldValue(initSecretsManagementFieldServiceTokenEnv),
-		document.fieldValue(initSecretsManagementFieldDesktopAccountID),
-	)
+	backend := initSecretsProfileBackendFromInputs(initSecretsProfileBackendInput{
+		KindValue:       kindValue,
+		Timeout:         document.fieldValue(initSecretsManagementFieldTimeout),
+		AccountID:       accountID,
+		AccountURL:      accountURL,
+		VaultID:         vaultValue,
+		VaultName:       vaultName,
+		ConnectHost:     document.fieldValue(initSecretsManagementFieldConnectHost),
+		ConnectTokenEnv: document.fieldValue(initSecretsManagementFieldConnectTokenEnv),
+		ServiceTokenEnv: document.fieldValue(initSecretsManagementFieldServiceTokenEnv),
+	})
 	return initSecretsProfileEditorResult{
 		Apply:       true,
 		Label:       strings.TrimSpace(labelInput),
 		StoredLabel: normalizeInitSecretsProfileStoredLabel(labelInput, labelSeed.FallbackValue, labelSeed.StoredLabel, state.Creating),
 		Backend:     backend,
-		UseDefault:  document.selectedValue(initSecretsManagementFieldDefault) == initSecretsManagementDefaultYes,
 	}, nil
 }
diff --git a/internal/cmd/credentialcmd/init_secrets_management_probe.go b/internal/cmd/credentialcmd/init_secrets_management_probe.go
new file mode 100644
index 00000000..1b7e6e61
--- /dev/null
+++ b/internal/cmd/credentialcmd/init_secrets_management_probe.go
@@ -0,0 +1,180 @@
+package credentialcmd
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/open-cli-collective/cli-common/credstore"
+
+	"github.com/open-cli-collective/codereview-cli/internal/config"
+)
+
+const initSecretsBackendDiscoveryEnv = "CR_SECRET_BACKEND_DISCOVERY" // #nosec G101 -- environment variable name, not a credential.
+
+type initExecutableLookPath func(string) (string, error)
+
+type initSecretsBackendDiscoveryMode string
+
+const (
+	initSecretsBackendDiscoveryModeFull initSecretsBackendDiscoveryMode = "full"
+	initSecretsBackendDiscoveryModeSafe initSecretsBackendDiscoveryMode = "safe"
+	initSecretsBackendDiscoveryModeOff  initSecretsBackendDiscoveryMode = "off"
+)
+
+type initSecretsProbeStatus string
+
+const (
+	initSecretsProbeAvailable   initSecretsProbeStatus = "available"
+	initSecretsProbeNotFound    initSecretsProbeStatus = "not found"
+	initSecretsProbeSkipped     initSecretsProbeStatus = "skipped"
+	initSecretsProbeUnavailable initSecretsProbeStatus = "unavailable"
+)
+
+type initSecretsProbeResult struct {
+	Label  string
+	Status initSecretsProbeStatus
+	Detail string
+}
+
+func (r initSecretsProbeResult) Line() string {
+	if r.Detail == "" {
+		return fmt.Sprintf("%s: %s", r.Label, r.Status)
+	}
+	return fmt.Sprintf("%s: %s (%s)", r.Label, r.Status, r.Detail)
+}
+
+func (p huhInitKeyringBackendPrompter) resolvedDiscoveryMode() initSecretsBackendDiscoveryMode {
+	mode := p.discoveryMode
+	if mode == "" {
+		return initSecretsBackendDiscoveryModeFull
+	}
+	return mode
+}
+
+func parseInitSecretsBackendDiscoveryMode(value string) (initSecretsBackendDiscoveryMode, error) {
+	switch initSecretsBackendDiscoveryMode(strings.TrimSpace(strings.ToLower(value))) {
+	case "", initSecretsBackendDiscoveryModeFull:
+		return initSecretsBackendDiscoveryModeFull, nil
+	case initSecretsBackendDiscoveryModeSafe:
+		return initSecretsBackendDiscoveryModeSafe, nil
+	case initSecretsBackendDiscoveryModeOff:
+		return initSecretsBackendDiscoveryModeOff, nil
+	default:
+		return "", fmt.Errorf("secret backend discovery %q is invalid; valid values are full, safe, off", value)
+	}
+}
+
+func (p huhInitKeyringBackendPrompter) discoverOnePasswordDesktopForMode(mode initSecretsBackendDiscoveryMode) initOnePasswordDesktopDiscovery {
+	if mode != initSecretsBackendDiscoveryModeFull {
+		return initOnePasswordDesktopDiscovery{}
+	}
+	return p.discoverOnePasswordDesktop()
+}
+
+func (p huhInitKeyringBackendPrompter) writeSecretsStorageDiscoveryResults(mode initSecretsBackendDiscoveryMode, discovery initOnePasswordDesktopDiscovery) {
+	if p.stderr == nil {
+		return
+	}
+	for _, result := range []initSecretsProbeResult{
+		{
+			Label:  initBuiltInOSCredentialStoreTitle(),
+			Status: initSecretsProbeAvailable,
+		},
+		p.onePasswordDesktopProbeResult(mode, discovery),
+		p.passPasswordStoreProbeResult(mode),
+	} {
+		_, _ = fmt.Fprintln(p.stderr, result.Line())
+	}
+	_, _ = fmt.Fprintln(p.stderr)
+}
+
+func (p huhInitKeyringBackendPrompter) onePasswordDesktopProbeResult(mode initSecretsBackendDiscoveryMode, discovery initOnePasswordDesktopDiscovery) initSecretsProbeResult {
+	result := initSecretsProbeResult{
+		Label: initSecretsBackendDisplayLabel(config.SecretsBackendKind(credstore.BackendOPDesktop)),
+	}
+	if mode != initSecretsBackendDiscoveryModeFull {
+		result.Status = initSecretsProbeSkipped
+		return result
+	}
+	if discovery.Err != nil {
+		result.Status = initSecretsProbeStatusForError(discovery.Err)
+		result.Detail = initSecretsProbeDetailForError(discovery.Err, result.Status)
+		return result
+	}
+	accounts, vaults := discovery.Counts()
+	result.Status = initSecretsProbeAvailable
+	result.Detail = fmt.Sprintf("%d %s, %d %s", accounts, initSecretsPlural(accounts, "account", "accounts"), vaults, initSecretsPlural(vaults, "vault", "vaults"))
+	return result
+}
+
+func (p huhInitKeyringBackendPrompter) passPasswordStoreProbeResult(mode initSecretsBackendDiscoveryMode) initSecretsProbeResult {
+	result := initSecretsProbeResult{
+		Label: initSecretsBackendDisplayLabel(config.SecretsBackendKind(credstore.BackendPass)),
+	}
+	if mode == initSecretsBackendDiscoveryModeOff {
+		result.Status = initSecretsProbeSkipped
+		return result
+	}
+	_, err := p.lookPath("pass")
+	if err != nil {
+		result.Status = initSecretsProbeStatusForError(err)
+		result.Detail = initSecretsProbeDetailForError(err, result.Status)
+		return result
+	}
+	result.Status = initSecretsProbeAvailable
+	return result
+}
+
+func (p huhInitKeyringBackendPrompter) lookPath(name string) (string, error) {
+	if p.executableLookPath != nil {
+		return p.executableLookPath(name)
+	}
+	return exec.LookPath(name)
+}
+
+func initSecretsProbeStatusForError(err error) initSecretsProbeStatus {
+	if err == nil {
+		return initSecretsProbeAvailable
+	}
+	if errors.Is(err, exec.ErrNotFound) || errors.Is(err, os.ErrNotExist) {
+		return initSecretsProbeNotFound
+	}
+	return initSecretsProbeUnavailable
+}
+
+func initSecretsProbeDetailForError(err error, status initSecretsProbeStatus) string {
+	if status != initSecretsProbeUnavailable {
+		return ""
+	}
+	switch {
+	case errors.Is(err, context.DeadlineExceeded):
+		return "timed out"
+	case errors.Is(err, os.ErrPermission):
+		return "permission denied"
+	}
+	var exitErr *exec.ExitError
+	if errors.As(err, &exitErr) {
+		return "command failed"
+	}
+	var syntaxErr *json.SyntaxError
+	if errors.As(err, &syntaxErr) {
+		return "invalid JSON"
+	}
+	var typeErr *json.UnmarshalTypeError
+	if errors.As(err, &typeErr) {
+		return "invalid JSON"
+	}
+	return ""
+}
+
+func initSecretsPlural(count int, singular, plural string) string {
+	if count == 1 {
+		return singular
+	}
+	return plural
+}
diff --git a/internal/cmd/datacmd/datacmd_test.go b/internal/cmd/datacmd/datacmd_test.go
index 8bd8a44a..4f91cf70 100644
--- a/internal/cmd/datacmd/datacmd_test.go
+++ b/internal/cmd/datacmd/datacmd_test.go
@@ -218,8 +218,7 @@ func TestDataPruneDefaultIgnoresConfiguredRetention(t *testing.T) {
 		t.Fatalf("config.Path: %v", err)
 	}
 	if err := config.Save(configPath, config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Keyring: config.KeyringConfig{Backend: "memory"},
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
diff --git a/internal/cmd/mecmd/mecmd_test.go b/internal/cmd/mecmd/mecmd_test.go
index 77c6205b..c9e65088 100644
--- a/internal/cmd/mecmd/mecmd_test.go
+++ b/internal/cmd/mecmd/mecmd_test.go
@@ -32,14 +32,14 @@ import (
 	"github.com/open-cli-collective/codereview-cli/internal/view"
 )
 
-func TestMeDefaultProfileUpdatesGitCacheAndRendersText(t *testing.T) {
+func TestMeSelectedProfileUpdatesGitCacheAndRendersText(t *testing.T) {
 	path := saveTestConfig(t, testConfig())
 	resolver := &fakeResolver{identities: map[string]gitprovider.Identity{
 		"codereview/home": {Login: "live-home", ID: "1", DisplayName: "Live Home"},
 	}}
 	cmd, out := newTestCommand(path, resolver)
 
-	if err := root.Execute(cmd, []string{"me"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "me"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if got := out.String(); !strings.Contains(got, "Profile: home") || !strings.Contains(got, "Login: live-home") || !strings.Contains(got, "Identity cache updated: true") {
@@ -58,7 +58,7 @@ func TestMeJSONDoesNotLeakTokenMaterial(t *testing.T) {
 	if _, err := store.SetBundle("home", map[string]string{credentials.GitTokenKey: token}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
 	}
-	path := saveTestConfig(t, testConfig())
+	path := saveTestConfig(t, fileBackendConfig(t))
 	var auths []string
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		auths = append(auths, r.Header.Get("Authorization"))
@@ -67,9 +67,7 @@ func TestMeJSONDoesNotLeakTokenMaterial(t *testing.T) {
 	defer server.Close()
 	cmd, out := newTestCommandWithFactory(path, func(_ *cobra.Command, _ *root.Options, cfg config.File) (identity.Resolver, func(), error) {
 		return &githubResolver{
-			cfg:                cfg,
-			backend:            string(credstore.BackendFile),
-			backendFlagChanged: true,
+			cfg: cfg,
 			options: githubprovider.Options{
 				BaseURL:    server.URL,
 				GraphQLURL: server.URL + "/graphql",
@@ -77,7 +75,7 @@ func TestMeJSONDoesNotLeakTokenMaterial(t *testing.T) {
 		}, nil, nil
 	})
 
-	if err := root.Execute(cmd, []string{"me", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "me", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if len(auths) != 1 || auths[0] != "Bearer "+token {
@@ -103,16 +101,11 @@ func TestMeUsesNamedSecretsProfileStoreWithoutBackendOverride(t *testing.T) {
 		t.Fatalf("SetBundle home: %v", err)
 	}
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
-	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
-			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
-			},
-		},
+	cfg.Secrets.Stores[testFileCredentialStoreID] = config.SecretsStore{
+		DisplayName: "Work File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
 	}
+	cfg = withCredentialStore(cfg, testFileCredentialStoreID)
 	path := saveTestConfig(t, cfg)
 	var auths []string
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -130,7 +123,7 @@ func TestMeUsesNamedSecretsProfileStoreWithoutBackendOverride(t *testing.T) {
 		}, nil, nil
 	})
 
-	if err := root.Execute(cmd, []string{"me", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "me", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if len(auths) != 1 || auths[0] != "Bearer "+token {
@@ -181,7 +174,11 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 		t.Fatalf("SetBundle reviewer: %v", err)
 	}
 	cfg := testConfig()
-	cfg.Keyring.Backend = "file"
+	cfg.Secrets.Stores[testFileCredentialStoreID] = config.SecretsStore{
+		DisplayName: "Test File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+	}
+	cfg = withCredentialStore(cfg, testFileCredentialStoreID)
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials.AuthMode = config.GitAuthModeGitHubApp
 	cfg.Profiles["work"] = work
@@ -209,9 +206,7 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	defer server.Close()
 	cmd, out := newTestCommandWithFactory(path, func(_ *cobra.Command, _ *root.Options, cfg config.File) (identity.Resolver, func(), error) {
 		return &githubResolver{
-			cfg:                cfg,
-			backend:            string(credstore.BackendFile),
-			backendFlagChanged: true,
+			cfg: cfg,
 			options: githubprovider.Options{
 				BaseURL:    server.URL,
 				GraphQLURL: server.URL + "/graphql",
@@ -316,7 +311,7 @@ func TestMeEmptyLoginDoesNotClearCache(t *testing.T) {
 	}}
 	cmd, _ := newTestCommand(path, resolver)
 
-	err := root.Execute(cmd, []string{"me"})
+	err := root.Execute(cmd, []string{"--profile", "home", "me"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want empty login failure")
 	}
@@ -338,7 +333,7 @@ func TestMeUnchangedCacheDoesNotRewriteConfig(t *testing.T) {
 	}}
 	saveCalled := false
 
-	result, err := runMeWithSaver(context.Background(), &cobra.Command{}, &root.Options{ConfigPath: path}, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
+	result, err := runMeWithSaver(context.Background(), &cobra.Command{}, &root.Options{ConfigPath: path, Profile: "home"}, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
 		return resolver, nil, nil
 	}, false, func(string, config.File) error {
 		saveCalled = true
@@ -396,7 +391,7 @@ func TestMeMissingProfileDoesNotOpenResolverFactory(t *testing.T) {
 func TestMeMissingConfigExitCode(t *testing.T) {
 	cmd, _ := newTestCommand(filepath.Join(t.TempDir(), "missing.yml"), &fakeResolver{})
 
-	err := root.Execute(cmd, []string{"me"})
+	err := root.Execute(cmd, []string{"--profile", "home", "me"})
 	if !errors.Is(err, config.ErrNotConfigured) {
 		t.Fatalf("Execute error = %v, want ErrNotConfigured", err)
 	}
@@ -410,13 +405,14 @@ func TestMeProductionMissingGitCredentialExitCode(t *testing.T) {
 	var out bytes.Buffer
 	cmd, opts := root.NewCommandWithOptions(&root.Options{
 		ConfigPath: path,
+		Profile:    "home",
 		Stdin:      strings.NewReader(""),
 		Stdout:     &out,
 		Stderr:     &out,
 	})
 	Register(cmd, opts)
 
-	err := root.Execute(cmd, []string{"me"})
+	err := root.Execute(cmd, []string{"--profile", "home", "me"})
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("Execute error = %v, want ErrAuth", err)
 	}
@@ -434,8 +430,7 @@ func TestMeProductionMissingReviewerCredentialUsesReviewerRef(t *testing.T) {
 	if _, err := store.SetBundle("work", map[string]string{credentials.GitTokenKey: "git-token"}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle work: %v", err)
 	}
-	cfg := testConfig()
-	cfg.Keyring.Backend = "file"
+	cfg := fileBackendConfig(t)
 	work := cfg.Profiles["work"]
 	work.Git.Host = "localhost:1"
 	cfg.Profiles["work"] = work
@@ -471,8 +466,7 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
 	}
-	cfg := testConfig()
-	cfg.Keyring.Backend = "file"
+	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
 	cfg.Profiles["home"] = home
@@ -510,8 +504,7 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
 	}
-	cfg := testConfig()
-	cfg.Keyring.Backend = "file"
+	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
 	home.ReviewerCredentials = nil
@@ -540,9 +533,7 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 	defer server.Close()
 	cmd, out := newTestCommandWithFactory(path, func(_ *cobra.Command, _ *root.Options, cfg config.File) (identity.Resolver, func(), error) {
 		return &githubResolver{
-			cfg:                cfg,
-			backend:            string(credstore.BackendFile),
-			backendFlagChanged: true,
+			cfg: cfg,
 			options: githubprovider.Options{
 				BaseURL:    server.URL,
 				GraphQLURL: server.URL + "/graphql",
@@ -550,7 +541,7 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 		}, nil, nil
 	})
 
-	if err := root.Execute(cmd, []string{"me", "--json"}); err != nil {
+	if err := root.Execute(cmd, []string{"--profile", "home", "me", "--json"}); err != nil {
 		t.Fatalf("Execute: %v", err)
 	}
 	if len(appJWTs) != 2 || !strings.HasPrefix(appJWTs[0], "Bearer ") || !strings.HasPrefix(appJWTs[1], "Bearer ") {
@@ -571,15 +562,19 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 }
 
 func TestMeReservedAuthModeExitCode(t *testing.T) {
-	path := writeRawTestConfig(t, `default_profile: home
-keyring:
-  backend: memory
+	path := writeRawTestConfig(t, `secrets:
+  stores:
+    test-memory:
+      backend:
+        kind: memory
 profiles:
   home:
     git:
       host: github.com
       auth_mode: oauth_device
-      credential_ref: codereview/home
+      credential:
+        store: test-memory
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -591,7 +586,7 @@ profiles:
 		return &fakeResolver{}, nil, nil
 	})
 
-	err := root.Execute(cmd, []string{"me"})
+	err := root.Execute(cmd, []string{"--profile", "home", "me"})
 	if !errors.Is(err, config.ErrUnsupported) {
 		t.Fatalf("Execute error = %v, want ErrUnsupported", err)
 	}
@@ -604,18 +599,24 @@ profiles:
 }
 
 func TestMeReviewerGitHubAppAuthModeUsesResolver(t *testing.T) {
-	path := writeRawTestConfig(t, `default_profile: work
-keyring:
-  backend: memory
+	path := writeRawTestConfig(t, `secrets:
+  stores:
+    test-memory:
+      backend:
+        kind: memory
 profiles:
   work:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/work
+      credential:
+        store: test-memory
+        name: codereview/work
     reviewer_credentials:
       auth_mode: github_app
-      credential_ref: codereview/work-reviewer
+      credential:
+        store: test-memory
+        name: codereview/work-reviewer
     llm:
       provider: anthropic
       auth: subscription
@@ -641,15 +642,19 @@ profiles:
 }
 
 func TestMeAllReservedAuthModeDoesNotOpenResolverFactory(t *testing.T) {
-	path := writeRawTestConfig(t, `default_profile: home
-keyring:
-  backend: memory
+	path := writeRawTestConfig(t, `secrets:
+  stores:
+    test-memory:
+      backend:
+        kind: memory
 profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: test-memory
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -658,10 +663,14 @@ profiles:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/work
+      credential:
+        store: test-memory
+        name: codereview/work
     reviewer_credentials:
       auth_mode: oauth_device
-      credential_ref: codereview/work-reviewer
+      credential:
+        store: test-memory
+        name: codereview/work-reviewer
     llm:
       provider: anthropic
       auth: subscription
@@ -683,15 +692,19 @@ profiles:
 }
 
 func TestMeAllReservedGitAuthModeWithReviewerDoesNotOpenResolverFactory(t *testing.T) {
-	path := writeRawTestConfig(t, `default_profile: home
-keyring:
-  backend: memory
+	path := writeRawTestConfig(t, `secrets:
+  stores:
+    test-memory:
+      backend:
+        kind: memory
 profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: test-memory
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -700,10 +713,14 @@ profiles:
     git:
       host: github.com
       auth_mode: oauth_device
-      credential_ref: codereview/work
+      credential:
+        store: test-memory
+        name: codereview/work
     reviewer_credentials:
       auth_mode: pat
-      credential_ref: codereview/work-reviewer
+      credential:
+        store: test-memory
+        name: codereview/work-reviewer
     llm:
       provider: anthropic
       auth: subscription
@@ -745,7 +762,7 @@ func TestMeProviderErrorExitCode(t *testing.T) {
 	}}
 	cmd, _ := newTestCommand(path, resolver)
 
-	err := root.Execute(cmd, []string{"me"})
+	err := root.Execute(cmd, []string{"--profile", "home", "me"})
 	if !errors.Is(err, gitprovider.ErrRetryable) {
 		t.Fatalf("Execute error = %v, want ErrRetryable", err)
 	}
@@ -782,31 +799,10 @@ func TestGitHubResolverUsesCR08FactoryAndCredentialStore(t *testing.T) {
 	}))
 	defer server.Close()
 
+	resolverCfg := fileBackendConfig(t)
+	resolverCfg.Profiles = map[string]config.Profile{"work": resolverCfg.Profiles["work"]}
 	resolver := &githubResolver{
-		cfg: config.File{
-			DefaultProfile: "work",
-			Keyring:        config.KeyringConfig{Backend: "file"},
-			Profiles: map[string]config.Profile{
-				"work": {
-					Git: config.GitConfig{
-						Host:          "github.com",
-						AuthMode:      config.GitAuthModePAT,
-						CredentialRef: "codereview/work",
-					},
-					ReviewerCredentials: &config.ReviewerCredentials{
-						AuthMode:      config.GitAuthModePAT,
-						CredentialRef: "codereview/work-reviewer",
-					},
-					LLM: config.LLMConfig{
-						Provider: config.LLMProviderAnthropic,
-						Auth:     config.LLMAuthSubscription,
-						Adapter:  config.LLMAdapterClaudeCLI,
-					},
-				},
-			},
-		},
-		backend:            string(credstore.BackendFile),
-		backendFlagChanged: true,
+		cfg: resolverCfg,
 		options: githubprovider.Options{
 			BaseURL:    server.URL,
 			GraphQLURL: server.URL + "/graphql",
@@ -839,57 +835,46 @@ func TestGitHubResolverUsesCR08FactoryAndCredentialStore(t *testing.T) {
 func TestOrgDeploymentPrestagedMultiRefCredentialsHealthChecks(t *testing.T) {
 	t.Setenv("XDG_DATA_HOME", t.TempDir())
 	t.Setenv("CODEREVIEW_KEYRING_PASSPHRASE", "test-passphrase")
-	path := saveTestConfig(t, config.File{
-		DefaultProfile: "work",
-		Keyring:        config.KeyringConfig{Backend: "file"},
-		Profiles: map[string]config.Profile{
-			"work": {
-				Git: config.GitConfig{
-					Host:          "github.com",
-					AuthMode:      config.GitAuthModePAT,
-					CredentialRef: "codereview/work",
-				},
-				ReviewerCredentials: &config.ReviewerCredentials{
-					AuthMode:      config.GitAuthModePAT,
-					CredentialRef: "codereview/work-reviewer",
-				},
-				LLM: config.LLMConfig{
-					Provider:      config.LLMProviderAnthropic,
-					Auth:          config.LLMAuthAPIKey,
-					Adapter:       config.LLMAdapterAnthropicAPI,
-					CredentialRef: "codereview/work-llm",
-				},
-				AgentSources: []string{"~/.config/codereview/agents"},
-				ReviewPolicy: config.ReviewPolicy{
-					MajorEvent: config.ReviewMajorEventComment,
-				},
-			},
-		},
-	})
+	cfg := fileBackendConfig(t)
+	work := cfg.Profiles["work"]
+	work.LLM = config.LLMConfig{
+		Provider:      config.LLMProviderAnthropic,
+		Auth:          config.LLMAuthAPIKey,
+		Adapter:       config.LLMAdapterAnthropicAPI,
+		Credential:    config.CredentialLocation{Store: testFileCredentialStoreID, Name: "codereview/work-llm"},
+		CredentialRef: "codereview/work-llm",
+	}
+	work.AgentSources = []string{"~/.config/codereview/agents"}
+	work.ReviewPolicy = config.ReviewPolicy{MajorEvent: config.ReviewMajorEventComment}
+	cfg.Profiles = map[string]config.Profile{"work": work}
+	path := saveTestConfig(t, cfg)
 
 	runOrgDeploymentCommand(t, path, strings.NewReader("user-token"), nil, []string{
 		"set-credential",
-		"--ref", "codereview/work",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work",
 		"--key", credentials.GitTokenKey,
 		"--stdin",
 		"--overwrite",
 	})
 	runOrgDeploymentCommand(t, path, strings.NewReader("reviewer-token"), nil, []string{
 		"set-credential",
-		"--ref", "codereview/work-reviewer",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work-reviewer",
 		"--key", credentials.GitTokenKey,
 		"--stdin",
 		"--overwrite",
 	})
 	runOrgDeploymentCommand(t, path, strings.NewReader("llm-token"), nil, []string{
 		"set-credential",
-		"--ref", "codereview/work-llm",
+		"--store", testFileCredentialStoreID,
+		"--name", "codereview/work-llm",
 		"--key", credentials.AnthropicAPIKeyKey,
 		"--stdin",
 		"--overwrite",
 	})
 
-	configOut := runOrgDeploymentCommand(t, path, strings.NewReader(""), nil, []string{"config", "show", "--json"})
+	configOut := runOrgDeploymentCommand(t, path, strings.NewReader(""), nil, []string{"--profile", "work", "config", "show", "--json"})
 	for _, secret := range []string{"user-token", "reviewer-token", "llm-token"} {
 		if strings.Contains(configOut.String(), secret) {
 			t.Fatalf("config show leaked %s: %q", secret, configOut.String())
@@ -1008,6 +993,7 @@ func runOrgDeploymentCommand(t *testing.T, path string, stdin *strings.Reader, f
 	var out bytes.Buffer
 	cmd, opts := root.NewCommandWithOptions(&root.Options{
 		ConfigPath: path,
+		Profile:    "work",
 		Stdin:      stdin,
 		Stdout:     &out,
 		Stderr:     &out,
@@ -1076,6 +1062,34 @@ func openFileStore(t *testing.T) *credstore.Store {
 	return store
 }
 
+const testFileCredentialStoreID = "test-file"
+
+func fileBackendConfig(t *testing.T) config.File {
+	t.Helper()
+	cfg := testConfig()
+	cfg.Secrets.Stores[testFileCredentialStoreID] = config.SecretsStore{
+		DisplayName: "Test File Store",
+		Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+	}
+	return withCredentialStore(cfg, testFileCredentialStoreID)
+}
+
+func withCredentialStore(cfg config.File, storeID string) config.File {
+	for name, profile := range cfg.Profiles {
+		if profile.Git.Credential.Name != "" {
+			profile.Git.Credential.Store = storeID
+		}
+		if profile.ReviewerCredentials != nil && profile.ReviewerCredentials.Credential.Name != "" {
+			profile.ReviewerCredentials.Credential.Store = storeID
+		}
+		if profile.LLM.Credential.Name != "" {
+			profile.LLM.Credential.Store = storeID
+		}
+		cfg.Profiles[name] = profile
+	}
+	return cfg
+}
+
 func testPrivateKeyPEM(t *testing.T) string {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
@@ -1088,13 +1102,20 @@ func testPrivateKeyPEM(t *testing.T) string {
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Secrets: config.SecretsConfig{
+			Stores: map[string]config.SecretsStore{
+				"test-memory": {
+					DisplayName: "Test Memory Store",
+					Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendMemory)},
+				},
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
 					Host:          "github.com",
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/home"},
 					CredentialRef: "codereview/home",
 					IdentityCache: "old-home",
 				},
@@ -1109,11 +1130,13 @@ func testConfig() config.File {
 				Git: config.GitConfig{
 					Host:          "github.com",
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/work"},
 					CredentialRef: "codereview/work",
 					IdentityCache: "work-user-cache",
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory", Name: "codereview/work-reviewer"},
 					CredentialRef: "codereview/work-reviewer",
 					IdentityCache: "old-bot",
 				},
diff --git a/internal/cmd/noleak/noleak_test.go b/internal/cmd/noleak/noleak_test.go
index 92c1dd14..6db5de8e 100644
--- a/internal/cmd/noleak/noleak_test.go
+++ b/internal/cmd/noleak/noleak_test.go
@@ -55,9 +55,10 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 
 	cases := []commandCase{
 		{
-			name: "init with env credential ingress",
+			name: "init rejects ambient backend env credential ingress",
 			args: func(h *auditHarness) []string {
 				return []string{
+					"--backend", string(credstore.BackendFile),
 					"init",
 					"--non-interactive",
 					"--git-token-from-env", "CR_NOLEAK_GIT",
@@ -68,13 +69,14 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 					"--agent-source", h.agentDir,
 				}
 			},
-			env: secretEnv,
+			env:     secretEnv,
+			wantErr: true,
 		},
 		{
 			name:    "set credential text",
 			prepare: saveConfigOnly,
 			args: func(*auditHarness) []string {
-				return []string{"set-credential", "--ref", "codereview/default", "--key", credentials.GitTokenKey, "--from-env", "CR_NOLEAK_GIT", "--overwrite"}
+				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default", "--key", credentials.GitTokenKey, "--from-env", "CR_NOLEAK_GIT", "--overwrite"}
 			},
 			env: secretEnv,
 		},
@@ -82,7 +84,7 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 			name:    "set credential json",
 			prepare: saveConfigOnly,
 			args: func(*auditHarness) []string {
-				return []string{"set-credential", "--ref", "codereview/default-reviewer", "--key", credentials.GitTokenKey, "--from-env", "CR_NOLEAK_REVIEWER", "--overwrite", "--json"}
+				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default-reviewer", "--key", credentials.GitTokenKey, "--from-env", "CR_NOLEAK_REVIEWER", "--overwrite", "--json"}
 			},
 			env: secretEnv,
 		},
@@ -90,7 +92,7 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 			name:    "set github app private key json",
 			prepare: saveGitHubAppReviewerConfigOnly,
 			args: func(*auditHarness) []string {
-				return []string{"set-credential", "--ref", "codereview/default-reviewer-app", "--key", credentials.GitHubAppPrivateKeyKey, "--from-env", "CR_NOLEAK_APP_PRIVATE_KEY", "--overwrite", "--json"}
+				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default-reviewer-app", "--key", credentials.GitHubAppPrivateKeyKey, "--from-env", "CR_NOLEAK_APP_PRIVATE_KEY", "--overwrite", "--json"}
 			},
 			env: secretEnv,
 		},
@@ -98,7 +100,7 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 			name:    "set github app installation id text",
 			prepare: saveGitHubAppReviewerConfigOnly,
 			args: func(*auditHarness) []string {
-				return []string{"set-credential", "--ref", "codereview/default-reviewer-app", "--key", credentials.GitHubAppInstallationIDKey, "--from-env", "CR_NOLEAK_APP_INSTALLATION_ID", "--overwrite"}
+				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default-reviewer-app", "--key", credentials.GitHubAppInstallationIDKey, "--from-env", "CR_NOLEAK_APP_INSTALLATION_ID", "--overwrite"}
 			},
 			env: secretEnv,
 		},
@@ -106,7 +108,7 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 			name:    "set credential duplicate failure",
 			prepare: seedConfiguredCredentials,
 			args: func(*auditHarness) []string {
-				return []string{"set-credential", "--ref", "codereview/default", "--key", credentials.GitTokenKey, "--from-env", "CR_NOLEAK_GIT"}
+				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default", "--key", credentials.GitTokenKey, "--from-env", "CR_NOLEAK_GIT"}
 			},
 			env:     secretEnv,
 			wantErr: true,
@@ -376,6 +378,7 @@ func newAuditHarness(t *testing.T) *auditHarness {
 
 func (h *auditHarness) run(args []string) (string, string, error) {
 	var stdout, stderr bytes.Buffer
+	args = auditArgsWithExplicitProfile(args)
 	cmd, opts := root.NewCommandWithOptions(&root.Options{
 		ConfigPath: h.configPath,
 		Stdin:      strings.NewReader(""),
@@ -390,31 +393,81 @@ func (h *auditHarness) run(args []string) (string, string, error) {
 	agentscmd.RegisterWithFactory(cmd, opts, h.providerFactory)
 	reviewcmd.RegisterWithFactory(cmd, opts, h.reviewRuntimeFactory)
 
-	args = append([]string{"--backend", string(credstore.BackendFile)}, args...)
 	err := root.Execute(cmd, args)
 	return stdout.String(), stderr.String(), err
 }
 
+func auditArgsWithExplicitProfile(args []string) []string {
+	if len(args) == 0 || auditArgsIncludeProfile(args) {
+		return args
+	}
+	command := auditRootCommand(args)
+	switch command {
+	case "config", "me", "agents", "review":
+		out := []string{"--profile", "default"}
+		out = append(out, args...)
+		return out
+	default:
+		return args
+	}
+}
+
+func auditArgsIncludeProfile(args []string) bool {
+	for _, arg := range args {
+		if arg == "--profile" || strings.HasPrefix(arg, "--profile=") {
+			return true
+		}
+	}
+	return false
+}
+
+func auditRootCommand(args []string) string {
+	for index := 0; index < len(args); index++ {
+		arg := args[index]
+		if arg == "" {
+			continue
+		}
+		if arg[0] != '-' {
+			return arg
+		}
+		if arg == "--backend" || arg == "--config" || arg == "--profile" {
+			index++
+		}
+	}
+	return ""
+}
+
+const auditCredentialStoreID = "test-file"
+
 func (h *auditHarness) config() config.File {
 	maxAgeDays := 30
 	return config.File{
-		DefaultProfile: "default",
-		Keyring:        config.KeyringConfig{Backend: string(credstore.BackendFile)},
+		Secrets: config.SecretsConfig{
+			Stores: map[string]config.SecretsStore{
+				auditCredentialStoreID: {
+					DisplayName: "No-leak file store",
+					Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+				},
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"default": {
 				Git: config.GitConfig{
 					Host:          h.prRef.Host,
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default"},
 					CredentialRef: "codereview/default",
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-reviewer"},
 					CredentialRef: "codereview/default-reviewer",
 				},
 				LLM: config.LLMConfig{
 					Provider:      config.LLMProviderAnthropic,
 					Auth:          config.LLMAuthAPIKey,
 					Adapter:       config.LLMAdapterAnthropicAPI,
+					Credential:    config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-llm"},
 					CredentialRef: "codereview/default-llm",
 					ModelMap:      config.ModelMap{"medium": "claude-sonnet-4-6"},
 				},
@@ -437,6 +490,7 @@ func (h *auditHarness) githubAppReviewerConfig() config.File {
 	profile := cfg.Profiles["default"]
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		Credential:    config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-reviewer-app"},
 		CredentialRef: "codereview/default-reviewer-app",
 	}
 	cfg.Profiles["default"] = profile
@@ -447,6 +501,7 @@ func (h *auditHarness) githubAppGitConfig() config.File {
 	cfg := h.config()
 	profile := cfg.Profiles["default"]
 	profile.Git.AuthMode = config.GitAuthModeGitHubApp
+	profile.Git.Credential = config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-app"}
 	profile.Git.CredentialRef = "codereview/default-app"
 	profile.ReviewerCredentials = nil
 	cfg.Profiles["default"] = profile
@@ -528,9 +583,9 @@ func (h *auditHarness) seedGitHubAppReviewerCredentials(t *testing.T) {
 func (h *auditHarness) seedCredentialWrites(t *testing.T, cfg config.File, writes []credentialSeed) {
 	t.Helper()
 	h.saveConfigFile(t, cfg)
-	store, err := credentials.OpenStore(string(credstore.BackendFile), true, cfg)
+	store, err := h.openCredentialStore()
 	if err != nil {
-		t.Fatalf("OpenStore: %v", err)
+		t.Fatalf("open credential store: %v", err)
 	}
 	defer store.Close()
 	for _, write := range writes {
@@ -544,16 +599,16 @@ func (h *auditHarness) seedCredentialWrites(t *testing.T, cfg config.File, write
 	}
 }
 
-func (h *auditHarness) identityFactory(_ *cobra.Command, _ *root.Options, cfg config.File) (identity.Resolver, func(), error) {
-	store, err := credentials.OpenStore(string(credstore.BackendFile), true, cfg)
+func (h *auditHarness) identityFactory(_ *cobra.Command, _ *root.Options, _ config.File) (identity.Resolver, func(), error) {
+	store, err := h.openCredentialStore()
 	if err != nil {
 		return nil, nil, err
 	}
 	return realIdentityResolver{h: h, store: store}, func() { _ = store.Close() }, nil
 }
 
-func (h *auditHarness) providerFactory(_ *cobra.Command, _ *root.Options, cfg config.File, profile config.Profile) (gitprovider.GitProvider, func(), error) {
-	store, err := credentials.OpenStore(string(credstore.BackendFile), true, cfg)
+func (h *auditHarness) providerFactory(_ *cobra.Command, _ *root.Options, _ config.File, profile config.Profile) (gitprovider.GitProvider, func(), error) {
+	store, err := h.openCredentialStore()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -565,8 +620,8 @@ func (h *auditHarness) providerFactory(_ *cobra.Command, _ *root.Options, cfg co
 	return provider, func() { _ = store.Close() }, nil
 }
 
-func (h *auditHarness) reviewRuntimeFactory(cmd *cobra.Command, opts *root.Options, cfg config.File, profile config.Profile, runtimeOpts reviewcmd.RuntimeOptions) (reviewcmd.Runtime, error) {
-	store, err := credentials.OpenStore(string(credstore.BackendFile), true, cfg)
+func (h *auditHarness) reviewRuntimeFactory(cmd *cobra.Command, opts *root.Options, _ config.File, profile config.Profile, runtimeOpts reviewcmd.RuntimeOptions) (reviewcmd.Runtime, error) {
+	store, err := h.openCredentialStore()
 	if err != nil {
 		return reviewcmd.Runtime{}, err
 	}
@@ -631,6 +686,13 @@ func (h *auditHarness) reviewRuntimeFactory(cmd *cobra.Command, opts *root.Optio
 	}, nil
 }
 
+func (h *auditHarness) openCredentialStore() (*credstore.Store, error) {
+	return credstore.Open(credentials.ServiceName, &credstore.Options{
+		AllowedKeys: credentials.AllowedKeys(),
+		Backend:     credstore.BackendFile,
+	})
+}
+
 func (h *auditHarness) newGitHubProvider(git config.GitConfig, store githubprovider.TokenStore, lookup *githubprovider.InstallationLookup) (*githubprovider.Client, gitprovider.Credential, error) {
 	return githubprovider.NewFromGitConfig(git, store, githubprovider.Options{
 		BaseURL:            h.githubURL,
@@ -646,6 +708,7 @@ func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
+		Credential:    profile.ReviewerCredentials.Credential,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}
diff --git a/internal/cmd/reviewcmd/reviewcmd.go b/internal/cmd/reviewcmd/reviewcmd.go
index dc50322d..1620f12e 100644
--- a/internal/cmd/reviewcmd/reviewcmd.go
+++ b/internal/cmd/reviewcmd/reviewcmd.go
@@ -682,22 +682,21 @@ func mapRunError(err error) error {
 }
 
 func newRuntime(cmd *cobra.Command, opts *root.Options, cfg config.File, profile config.Profile, runtimeOpts RuntimeOptions) (Runtime, error) {
-	resolvedSecretsProfile, err := credentials.ResolveSecretsProfileForProfile(cfg, profile)
-	if err != nil {
-		return Runtime{}, mapRunError(err)
-	}
-	store, err := credentials.OpenResolvedStore(opts.Backend, cmderr.BackendFlagChanged(cmd), cfg, resolvedSecretsProfile)
+	profile = normalizeRuntimeProfile(profile)
+	stores := newRuntimeCredentialStores(cfg, opts.Backend, cmderr.BackendFlagChanged(cmd))
+	cleanup := stores.Close
+	providerGit := gitConfigForReviewerAuth(profile)
+	providerStore, err := stores.Open(providerGit.Credential)
 	if err != nil {
+		cleanup()
 		return Runtime{}, mapRunError(err)
 	}
-	cleanup := func() { _ = store.Close() }
-	providerGit := gitConfigForReviewerAuth(profile)
-	provider, credential, err := newGitProvider(providerGit, store, gitProviderOptions(runtimeOpts.PRRef))
+	provider, credential, err := newGitProvider(providerGit, providerStore, gitProviderOptions(runtimeOpts.PRRef))
 	if err != nil {
 		cleanup()
 		return Runtime{}, mapRunError(err)
 	}
-	postingIdentity, err := resolvePostingIdentityForRuntime(cmd.Context(), provider, credential, store, profile)
+	postingIdentity, err := resolvePostingIdentityForRuntime(cmd.Context(), provider, credential, providerStore, profile)
 	if err != nil {
 		cleanup()
 		return Runtime{}, mapRunError(err)
@@ -714,7 +713,7 @@ func newRuntime(cmd *cobra.Command, opts *root.Options, cfg config.File, profile
 	}
 	cleanup = func() {
 		_ = ledgerStore.Close()
-		_ = store.Close()
+		stores.Close()
 	}
 	limiter, err := outbox.NewTokenBucket(livePostLimiterInterval, livePostLimiterBurst)
 	if err != nil {
@@ -722,7 +721,15 @@ func newRuntime(cmd *cobra.Command, opts *root.Options, cfg config.File, profile
 		return Runtime{}, err
 	}
 	adapter := newLazyAdapter(func() (llm.Adapter, error) {
-		adapter, err := newAdapterForRuntime(profile.LLM, store)
+		adapterStore := providerStore
+		if profile.LLM.Auth == config.LLMAuthAPIKey {
+			var err error
+			adapterStore, err = stores.Open(profile.LLM.Credential)
+			if err != nil {
+				return nil, mapRunError(err)
+			}
+		}
+		adapter, err := newAdapterForRuntime(profile.LLM, adapterStore)
 		if err != nil {
 			return nil, err
 		}
@@ -743,11 +750,57 @@ func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
+		Credential:    profile.ReviewerCredentials.Credential,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}
 }
 
+type runtimeCredentialStores struct {
+	cfg                config.File
+	backend            string
+	backendFlagChanged bool
+	stores             map[string]*credstore.Store
+}
+
+func newRuntimeCredentialStores(cfg config.File, backend string, backendFlagChanged bool) *runtimeCredentialStores {
+	return &runtimeCredentialStores{
+		cfg:                cfg,
+		backend:            backend,
+		backendFlagChanged: backendFlagChanged,
+		stores:             map[string]*credstore.Store{},
+	}
+}
+
+func (s *runtimeCredentialStores) Open(location config.CredentialLocation) (*credstore.Store, error) {
+	resolved, err := credentials.ResolveCredentialStoreForLocation(s.cfg, location)
+	if err != nil {
+		return nil, err
+	}
+	if store := s.stores[resolved.ID]; store != nil {
+		return store, nil
+	}
+	store, err := credentials.OpenResolvedStore(s.backend, s.backendFlagChanged, s.cfg, resolved)
+	if err != nil {
+		return nil, err
+	}
+	s.stores[resolved.ID] = store
+	return store, nil
+}
+
+func (s *runtimeCredentialStores) Close() {
+	for id, store := range s.stores {
+		_ = store.Close()
+		delete(s.stores, id)
+	}
+}
+
+func normalizeRuntimeProfile(profile config.Profile) config.Profile {
+	return config.Normalize(config.File{
+		Profiles: map[string]config.Profile{"runtime": profile},
+	}).Profiles["runtime"]
+}
+
 func gitProviderOptions(ref gitprovider.PRRef) githubprovider.Options {
 	if strings.TrimSpace(ref.Owner) == "" || strings.TrimSpace(ref.Repo) == "" {
 		return githubprovider.Options{}
diff --git a/internal/cmd/reviewcmd/reviewcmd_test.go b/internal/cmd/reviewcmd/reviewcmd_test.go
index f513c8bb..27cba18d 100644
--- a/internal/cmd/reviewcmd/reviewcmd_test.go
+++ b/internal/cmd/reviewcmd/reviewcmd_test.go
@@ -154,7 +154,7 @@ func TestReviewExplicitProfileBypassesRepositoryRoute(t *testing.T) {
 	}
 }
 
-func TestReviewExplicitEmptyProfileBypassesRepositoryRoute(t *testing.T) {
+func TestReviewExplicitEmptyProfileFailsBeforeRepositoryRoute(t *testing.T) {
 	cfg := testConfig()
 	work := cfg.Profiles["home"]
 	work.Git.CredentialRef = "codereview/work"
@@ -168,22 +168,18 @@ func TestReviewExplicitEmptyProfileBypassesRepositoryRoute(t *testing.T) {
 		},
 	}}
 	runner := &fakeRunner{result: testPipelineResult(false)}
-	cmd, _ := newTestCommand(t, cfg, func(_ *cobra.Command, _ *root.Options, _ config.File, profile config.Profile, _ RuntimeOptions) (Runtime, error) {
-		if profile.Git.CredentialRef != "codereview/home" {
-			t.Fatalf("runtime profile credential ref = %q, want default home", profile.Git.CredentialRef)
-		}
+	cmd, _ := newTestCommand(t, cfg, func(_ *cobra.Command, _ *root.Options, _ config.File, _ config.Profile, _ RuntimeOptions) (Runtime, error) {
+		t.Fatal("runtime factory should not be called for an empty explicit profile")
 		return Runtime{Runner: runner, PostingIdentity: gitprovider.Identity{Login: "review-bot", ID: "bot-id"}}, nil
 	})
 
-	if err := root.Execute(cmd, []string{"--profile", "", "review", "https://github.com/rianjs/bar/pull/29", "--dry-run"}); err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-	if len(runner.requests) != 1 || runner.requests[0].ProfileName != "home" {
-		t.Fatalf("request profile = %#v, want default home", runner.requests)
+	err := root.Execute(cmd, []string{"--profile", "", "review", "https://github.com/rianjs/bar/pull/29", "--dry-run"})
+	if err == nil || !strings.Contains(err.Error(), "no profile selected") {
+		t.Fatalf("Execute error = %v, want empty profile failure", err)
 	}
 }
 
-func TestReviewUnmatchedRepositoryFallsBackToDefaultProfile(t *testing.T) {
+func TestReviewUnmatchedRepositoryRequiresProfileOrRoute(t *testing.T) {
 	cfg := testConfig()
 	work := cfg.Profiles["home"]
 	work.Git.CredentialRef = "codereview/work"
@@ -197,44 +193,33 @@ func TestReviewUnmatchedRepositoryFallsBackToDefaultProfile(t *testing.T) {
 		},
 	}}
 	runner := &fakeRunner{result: testPipelineResult(false)}
-	cmd, _ := newTestCommand(t, cfg, func(_ *cobra.Command, _ *root.Options, _ config.File, profile config.Profile, _ RuntimeOptions) (Runtime, error) {
-		if profile.Git.CredentialRef != "codereview/home" {
-			t.Fatalf("runtime profile credential ref = %q, want default home", profile.Git.CredentialRef)
-		}
+	cmd, _ := newTestCommand(t, cfg, func(_ *cobra.Command, _ *root.Options, _ config.File, _ config.Profile, _ RuntimeOptions) (Runtime, error) {
+		t.Fatal("runtime factory should not be called for an unmatched repository")
 		return Runtime{Runner: runner, PostingIdentity: gitprovider.Identity{Login: "review-bot", ID: "bot-id"}}, nil
 	})
 
-	if err := root.Execute(cmd, []string{"review", "https://github.com/open-cli-collective/codereview-cli/pull/29", "--dry-run"}); err != nil {
-		t.Fatalf("Execute: %v", err)
-	}
-	if len(runner.requests) != 1 || runner.requests[0].ProfileName != "home" {
-		t.Fatalf("request profile = %#v, want home", runner.requests)
+	err := root.Execute(cmd, []string{"review", "https://github.com/example/missing/pull/29", "--dry-run"})
+	if err == nil || !strings.Contains(err.Error(), "no repository profile route matched") {
+		t.Fatalf("Execute error = %v, want unmatched route failure", err)
 	}
 }
 
-func TestReviewImplicitDefaultProfileHostMismatch(t *testing.T) {
+func TestReviewExplicitProfileHostMismatch(t *testing.T) {
 	cfg := testConfig()
 	home := cfg.Profiles["home"]
 	home.Git.Host = "gitlab.com"
 	cfg.Profiles["home"] = home
+	cfg.RepositoryProfiles = nil
 	work := home
 	work.Git.Host = "github.com"
 	work.Git.CredentialRef = "codereview/work"
 	cfg.Profiles["work"] = work
-	cfg.RepositoryProfiles = []config.RepositoryProfile{{
-		Profile: "work",
-		Match: config.RepositoryProfileMatch{
-			Host:      "github.com",
-			Namespace: "rianjs",
-			Repos:     []string{"bar"},
-		},
-	}}
 	cmd, _ := newTestCommand(t, cfg, func(*cobra.Command, *root.Options, config.File, config.Profile, RuntimeOptions) (Runtime, error) {
-		t.Fatal("runtime factory should not be called when fallback profile host mismatches")
+		t.Fatal("runtime factory should not be called when route profile host mismatches")
 		return Runtime{}, nil
 	})
 
-	err := root.Execute(cmd, []string{"review", "https://github.com/open-cli-collective/codereview-cli/pull/29", "--dry-run"})
+	err := root.Execute(cmd, []string{"--profile", "home", "review", "https://github.com/open-cli-collective/codereview-cli/pull/29", "--dry-run"})
 	if err == nil {
 		t.Fatal("Execute error = nil, want host mismatch")
 	}
@@ -427,6 +412,7 @@ func TestNewRuntimeUsesReviewerCredentialsAsRuntimeProvider(t *testing.T) {
 	profile := cfg.Profiles["work"]
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModePAT,
+		Credential:    config.CredentialLocation{Store: "test-memory"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg.Profiles["work"] = profile
@@ -508,16 +494,17 @@ func TestNewRuntimePassesPRRefForGitHubAppInstallationLookup(t *testing.T) {
 
 func TestNewRuntimeRejectsBackendOverrideForNamedSecretsProfile(t *testing.T) {
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
 	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
+		Stores: map[string]config.SecretsStore{
 			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("file")},
+				DisplayName: "Work File Store",
+				Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("file")},
 			},
 		},
 	}
+	home := cfg.Profiles["home"]
+	home.Git.Credential.Store = "work-file"
+	cfg.Profiles["home"] = home
 	profile := cfg.Profiles["home"]
 	cmd := &cobra.Command{}
 	cmd.Flags().String(credstore.BackendFlagName, "", "")
@@ -551,16 +538,17 @@ func TestNewRuntimeUsesNamedSecretsProfileStoreWithoutBackendOverride(t *testing
 	}
 
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
 	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
+		Stores: map[string]config.SecretsStore{
 			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("file")},
+				DisplayName: "Work File Store",
+				Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("file")},
 			},
 		},
 	}
+	home := cfg.Profiles["home"]
+	home.Git.Credential.Store = "work-file"
+	cfg.Profiles["home"] = home
 	profile := cfg.Profiles["home"]
 	identity := gitprovider.Identity{Login: "review-bot", ID: "bot-id"}
 	withReviewRuntimeSeams(t,
@@ -595,16 +583,17 @@ func TestNewRuntimeUsesNamedSecretsProfileStoreWithoutBackendOverride(t *testing
 
 func TestOpenSelectionRuntimeRejectsBackendOverrideForNamedSecretsProfile(t *testing.T) {
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
 	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
+		Stores: map[string]config.SecretsStore{
 			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("file")},
+				DisplayName: "Work File Store",
+				Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("file")},
 			},
 		},
 	}
+	home := cfg.Profiles["home"]
+	home.Git.Credential.Store = "work-file"
+	cfg.Profiles["home"] = home
 
 	_, err := OpenSelectionRuntime(context.Background(), "memory", true, cfg, cfg.Profiles["home"])
 	if !errors.Is(err, config.ErrInvalid) {
@@ -631,16 +620,17 @@ func TestOpenSelectionRuntimeUsesNamedSecretsProfileStoreWithoutBackendOverride(
 	}
 
 	cfg := testConfig()
-	cfg.Keyring.Backend = "memory"
 	cfg.Secrets = config.SecretsConfig{
-		DefaultProfile: "work-file",
-		Profiles: map[string]config.SecretsProfile{
+		Stores: map[string]config.SecretsStore{
 			"work-file": {
-				Label:   "Work File Store",
-				Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind("file")},
+				DisplayName: "Work File Store",
+				Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind("file")},
 			},
 		},
 	}
+	home := cfg.Profiles["home"]
+	home.Git.Credential.Store = "work-file"
+	cfg.Profiles["home"] = home
 	withReviewRuntimeSeams(t,
 		func(_ config.GitConfig, tokenStore githubprovider.TokenStore, _ githubprovider.Options) (gitprovider.GitProvider, gitprovider.Credential, error) {
 			token, err := tokenStore.Get("home", credentials.GitTokenKey)
@@ -1694,7 +1684,7 @@ func TestReviewRejectsInvalidInputs(t *testing.T) {
 	}{
 		{name: "missing pr", args: []string{"review", "--dry-run"}},
 		{name: "bad url", args: []string{"review", "not-a-url", "--dry-run"}},
-		{name: "wrong host", args: []string{"review", "https://gitlab.com/open-cli-collective/codereview-cli/pull/29", "--dry-run"}},
+		{name: "wrong host", args: []string{"--profile", "home", "review", "https://gitlab.com/open-cli-collective/codereview-cli/pull/29", "--dry-run"}},
 		{name: "bad fail on", args: []string{"review", "https://github.com/open-cli-collective/codereview-cli/pull/29", "--dry-run", "--fail-on", "urgent"}},
 		{name: "negative agents", args: []string{"review", "https://github.com/open-cli-collective/codereview-cli/pull/29", "--dry-run", "--max-agents", "-1"}},
 		{name: "negative concurrency", args: []string{"review", "https://github.com/open-cli-collective/codereview-cli/pull/29", "--dry-run", "--max-concurrency", "-1"}},
@@ -1989,13 +1979,29 @@ func newTestCommand(t *testing.T, cfg config.File, factory RuntimeFactory) (*cob
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
+		Keyring: config.KeyringConfig{Backend: "memory"},
+		Secrets: config.SecretsConfig{
+			Stores: map[string]config.SecretsStore{
+				"test-memory": {
+					DisplayName: "Test Memory Store",
+					Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendMemory)},
+				},
+			},
+		},
+		RepositoryProfiles: []config.RepositoryProfile{{
+			Profile: "home",
+			Match: config.RepositoryProfileMatch{
+				Host:      "github.com",
+				Namespace: "open-cli-collective",
+				Repos:     []string{"codereview-cli"},
+			},
+		}},
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
 					Host:          "github.com",
 					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: "test-memory"},
 					CredentialRef: "codereview/home",
 				},
 				LLM: config.LLMConfig{
diff --git a/internal/cmd/reviewcmd/runtime_selection.go b/internal/cmd/reviewcmd/runtime_selection.go
index 11283dcb..be1d59a7 100644
--- a/internal/cmd/reviewcmd/runtime_selection.go
+++ b/internal/cmd/reviewcmd/runtime_selection.go
@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 	"github.com/open-cli-collective/codereview-cli/internal/gitprovider"
 	githubprovider "github.com/open-cli-collective/codereview-cli/internal/gitprovider/github"
 	"github.com/open-cli-collective/codereview-cli/internal/llm"
@@ -21,24 +20,31 @@ type SelectionRuntime struct {
 // OpenSelectionRuntime resolves provider and adapter setup using the same
 // semantics as the real review command.
 func OpenSelectionRuntime(_ context.Context, backend string, backendFlagChanged bool, cfg config.File, profile config.Profile) (SelectionRuntime, error) {
-	resolvedSecretsProfile, err := credentials.ResolveSecretsProfileForProfile(cfg, profile)
-	if err != nil {
-		return SelectionRuntime{}, mapRunError(err)
-	}
-	store, err := credentials.OpenResolvedStore(backend, backendFlagChanged, cfg, resolvedSecretsProfile)
+	profile = normalizeRuntimeProfile(profile)
+	stores := newRuntimeCredentialStores(cfg, backend, backendFlagChanged)
+	cleanup := stores.Close
+	gitStore, err := stores.Open(profile.Git.Credential)
 	if err != nil {
+		cleanup()
 		return SelectionRuntime{}, mapRunError(err)
 	}
-	cleanup := func() { _ = store.Close() }
 	// Selection-only paths read with the profile git credential. Reviewer
 	// credentials are applied by the review runtime where posting identity and
 	// PR-scoped GitHub App installation lookup are available.
-	provider, _, err := newGitProvider(profile.Git, store, githubprovider.Options{})
+	provider, _, err := newGitProvider(profile.Git, gitStore, githubprovider.Options{})
 	if err != nil {
 		cleanup()
 		return SelectionRuntime{}, mapRunError(err)
 	}
-	adapter, err := newAdapterForRuntime(profile.LLM, store)
+	adapterStore := gitStore
+	if profile.LLM.Auth == config.LLMAuthAPIKey {
+		adapterStore, err = stores.Open(profile.LLM.Credential)
+		if err != nil {
+			cleanup()
+			return SelectionRuntime{}, mapRunError(err)
+		}
+	}
+	adapter, err := newAdapterForRuntime(profile.LLM, adapterStore)
 	if err != nil {
 		cleanup()
 		return SelectionRuntime{}, mapRunError(err)
diff --git a/internal/config/config.go b/internal/config/config.go
index 9b8d9547..4bc08a5e 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,6 +2,7 @@
 package config
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"io"
@@ -30,8 +31,10 @@ var (
 	ErrNotConfigured = errors.New("config: not configured")
 	// ErrProfileNotFound means the requested profile is absent.
 	ErrProfileNotFound = errors.New("config: profile not found")
-	// ErrSecretsProfileNotFound means the requested secrets-management profile is absent.
-	ErrSecretsProfileNotFound = errors.New("config: secrets-management profile not found")
+	// ErrSecretsStoreNotFound means the requested credential store is absent.
+	ErrSecretsStoreNotFound = errors.New("config: credential store not found")
+	// ErrSecretsProfileNotFound is the old name for ErrSecretsStoreNotFound.
+	ErrSecretsProfileNotFound = ErrSecretsStoreNotFound
 	// ErrInvalid means the config file is malformed or violates the schema.
 	ErrInvalid = errors.New("config: invalid")
 	// ErrUnsupported means the config uses a known v2-only option.
@@ -40,12 +43,15 @@ var (
 
 // File is the root config.yml schema.
 type File struct {
-	DefaultProfile     string              `yaml:"default_profile" json:"default_profile"`
-	Keyring            KeyringConfig       `yaml:"keyring,omitempty" json:"keyring"`
-	Secrets            SecretsConfig       `yaml:"secrets,omitempty" json:"secrets,omitempty"`
-	RepositoryProfiles []RepositoryProfile `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
-	Profiles           map[string]Profile  `yaml:"profiles" json:"profiles"`
-	Data               DataConfig          `yaml:"data,omitempty" json:"data"`
+	Secrets            SecretsConfig        `yaml:"secrets,omitempty" json:"secrets,omitempty"`
+	LLMRuntimes        map[string]LLMConfig `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
+	RepositoryProfiles []RepositoryProfile  `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
+	Profiles           map[string]Profile   `yaml:"profiles,omitempty" json:"profiles,omitempty"`
+	Data               DataConfig           `yaml:"data,omitempty" json:"data"`
+
+	// Keyring is retained as an ignored in-memory compatibility field while
+	// credential-store runtime selection is rewritten. It is not config schema.
+	Keyring KeyringConfig `yaml:"-" json:"-"`
 }
 
 // KeyringConfig carries non-secret keyring backend preferences.
@@ -53,95 +59,138 @@ type KeyringConfig struct {
 	Backend string `yaml:"backend,omitempty" json:"backend,omitempty"`
 }
 
-// SecretsConfig carries named secrets-management profile configuration.
+// SecretsConfig carries named credential store configuration.
 type SecretsConfig struct {
-	DefaultProfile string                    `yaml:"default_profile,omitempty" json:"default_profile,omitempty"`
-	Profiles       map[string]SecretsProfile `yaml:"profiles,omitempty" json:"profiles,omitempty"`
+	Stores map[string]SecretsStore `yaml:"stores,omitempty" json:"stores,omitempty"`
+
+	// Deprecated compatibility alias. It is intentionally not part of the
+	// YAML/JSON schema.
+	Profiles map[string]SecretsProfile `yaml:"-" json:"-"`
 }
 
-// SecretsProfile is one named secrets-management profile.
-type SecretsProfile struct {
-	Label   string                `yaml:"label,omitempty" json:"label,omitempty"`
-	Backend SecretsProfileBackend `yaml:"backend" json:"backend"`
+// SecretsStore is one named configured credential store.
+type SecretsStore struct {
+	DisplayName string              `yaml:"display_name,omitempty" json:"display_name,omitempty"`
+	Backend     SecretsStoreBackend `yaml:"backend" json:"backend"`
+
+	// Label is an ignored compatibility alias for DisplayName.
+	Label string `yaml:"-" json:"-"`
 }
 
-// SecretsProfileBackend carries one typed backend choice.
-type SecretsProfileBackend struct {
-	Kind        SecretsBackendKind               `yaml:"kind" json:"kind"`
-	OnePassword *SecretsProfileOnePasswordConfig `yaml:"onepassword,omitempty" json:"onepassword,omitempty"`
+// SecretsProfile is the old in-memory name for SecretsStore.
+type SecretsProfile = SecretsStore
+
+// SecretsStoreBackend carries one typed backend choice.
+type SecretsStoreBackend struct {
+	Kind        SecretsBackendKind             `yaml:"kind" json:"kind"`
+	OnePassword *SecretsStoreOnePasswordConfig `yaml:"onepassword,omitempty" json:"onepassword,omitempty"`
 }
 
-// SecretsProfileOnePasswordConfig carries non-secret 1Password backend settings.
-type SecretsProfileOnePasswordConfig struct {
-	Timeout          string `yaml:"timeout,omitempty" json:"timeout,omitempty"`
-	VaultID          string `yaml:"vault_id,omitempty" json:"vault_id,omitempty"`
-	ItemTitlePrefix  string `yaml:"item_title_prefix,omitempty" json:"item_title_prefix,omitempty"`
-	ItemTag          string `yaml:"item_tag,omitempty" json:"item_tag,omitempty"`
-	ItemFieldTitle   string `yaml:"item_field_title,omitempty" json:"item_field_title,omitempty"`
-	ConnectHost      string `yaml:"connect_host,omitempty" json:"connect_host,omitempty"`
-	ConnectTokenEnv  string `yaml:"connect_token_env,omitempty" json:"connect_token_env,omitempty"`
-	ServiceTokenEnv  string `yaml:"service_token_env,omitempty" json:"service_token_env,omitempty"`
-	DesktopAccountID string `yaml:"desktop_account_id,omitempty" json:"desktop_account_id,omitempty"`
+// SecretsProfileBackend is the old in-memory name for SecretsStoreBackend.
+type SecretsProfileBackend = SecretsStoreBackend
+
+// SecretsStoreOnePasswordConfig carries non-secret 1Password backend settings.
+type SecretsStoreOnePasswordConfig struct {
+	Timeout         string `yaml:"timeout,omitempty" json:"timeout,omitempty"`
+	AccountID       string `yaml:"account_id,omitempty" json:"account_id,omitempty"`
+	AccountURL      string `yaml:"account_url,omitempty" json:"account_url,omitempty"`
+	VaultID         string `yaml:"vault_id,omitempty" json:"vault_id,omitempty"`
+	VaultName       string `yaml:"vault_name,omitempty" json:"vault_name,omitempty"`
+	ConnectHost     string `yaml:"connect_host,omitempty" json:"connect_host,omitempty"`
+	ConnectTokenEnv string `yaml:"connect_token_env,omitempty" json:"connect_token_env,omitempty"`
+	ServiceTokenEnv string `yaml:"service_token_env,omitempty" json:"service_token_env,omitempty"`
+
+	// Ignored compatibility aliases while callers are rewritten.
+	ItemTitlePrefix  string `yaml:"-" json:"-"`
+	ItemTag          string `yaml:"-" json:"-"`
+	ItemFieldTitle   string `yaml:"-" json:"-"`
+	DesktopAccountID string `yaml:"-" json:"-"`
 }
 
-// SecretsBackendKind is the durable non-secret backend selector for a
-// named secrets-management profile.
+// SecretsProfileOnePasswordConfig is the old in-memory name for
+// SecretsStoreOnePasswordConfig.
+type SecretsProfileOnePasswordConfig = SecretsStoreOnePasswordConfig
+
+// SecretsBackendKind is the durable non-secret backend selector for a named
+// credential store.
 type SecretsBackendKind string
 
-// EffectiveSecretsProfileSource distinguishes configured profiles from the
-// read-only projected legacy compatibility entry.
-type EffectiveSecretsProfileSource string
+// Credential store constants.
+const (
+	LocalOSCredentialStoreID  = "local-os"
+	defaultOnePasswordTimeout = "5s"
+)
+
+// EffectiveSecretsStoreSource distinguishes configured stores from the read-only
+// projected built-in OS store.
+type EffectiveSecretsStoreSource string
 
+// Effective credential-store inventory sources.
 const (
-	// LegacyProjectedSecretsProfileID is the reserved effective id used when an
-	// old config still relies on legacy keyring.backend behavior.
-	LegacyProjectedSecretsProfileID = "legacy-default"
-	// ProjectedLegacySecretsBackendKind is the effective backend summary when the
-	// old config omits keyring.backend and still relies on auto/env resolution.
-	ProjectedLegacySecretsBackendKind = "auto"
-	defaultOnePasswordTimeout         = "5s"
+	EffectiveSecretsStoreSourceBuiltIn    EffectiveSecretsStoreSource = "built_in"
+	EffectiveSecretsStoreSourceConfigured EffectiveSecretsStoreSource = "configured"
 )
 
-// Effective secrets-profile inventory sources.
+// EffectiveSecretsProfileSource is a compatibility alias retained during the staged rewrite.
+type EffectiveSecretsProfileSource = EffectiveSecretsStoreSource
+
 const (
-	EffectiveSecretsProfileSourceConfigured      EffectiveSecretsProfileSource = "configured"
-	EffectiveSecretsProfileSourceProjectedLegacy EffectiveSecretsProfileSource = "projected_legacy"
+	// EffectiveSecretsProfileSourceConfigured is the compatibility name for a configured credential store.
+	EffectiveSecretsProfileSourceConfigured EffectiveSecretsProfileSource = EffectiveSecretsStoreSourceConfigured
+	// EffectiveSecretsProfileSourceProjectedLegacy is the compatibility name for the built-in OS store.
+	EffectiveSecretsProfileSourceProjectedLegacy EffectiveSecretsProfileSource = EffectiveSecretsStoreSourceBuiltIn
+	// ProjectedOSCredentialStoreBackendKind is the presentation backend for the built-in OS store.
+	ProjectedOSCredentialStoreBackendKind = "auto"
 )
 
-// EffectiveSecretsProfile is the presentation-safe effective secrets-management
-// inventory shape used by callers that need to summarize the config.
-type EffectiveSecretsProfile struct {
-	ID        string                        `json:"id"`
-	Label     string                        `json:"label,omitempty"`
-	Backend   string                        `json:"backend"`
-	IsDefault bool                          `json:"is_default,omitempty"`
-	Source    EffectiveSecretsProfileSource `json:"source"`
+// EffectiveSecretsStore is the presentation-safe credential-store inventory
+// shape used by callers that need to summarize the config.
+type EffectiveSecretsStore struct {
+	ID          string                      `json:"id"`
+	DisplayName string                      `json:"display_name,omitempty"`
+	Backend     string                      `json:"backend"`
+	ReadOnly    bool                        `json:"read_only,omitempty"`
+	Source      EffectiveSecretsStoreSource `json:"source"`
+
+	// Compatibility fields for old callers while UI/runtime are rewritten.
+	Label string `json:"label,omitempty"`
 }
 
+// EffectiveSecretsProfile is the old in-memory name for EffectiveSecretsStore.
+type EffectiveSecretsProfile = EffectiveSecretsStore
+
 // Profile is one named review profile.
 type Profile struct {
 	Git                 GitConfig            `yaml:"git" json:"git"`
-	SecretsProfile      string               `yaml:"secrets_profile,omitempty" json:"secrets_profile,omitempty"`
 	ReviewerCredentials *ReviewerCredentials `yaml:"reviewer_credentials,omitempty" json:"reviewer_credentials,omitempty"`
 	LLM                 LLMConfig            `yaml:"llm" json:"llm"`
 	AgentSources        []string             `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
 	ReviewPolicy        ReviewPolicy         `yaml:"review_policy,omitempty" json:"review_policy"`
+
+	// SecretsProfile is retained as an ignored in-memory compatibility field.
+	SecretsProfile string `yaml:"-" json:"-"`
 }
 
 // GitConfig identifies the user's git-host credentials.
 type GitConfig struct {
-	Host          string      `yaml:"host" json:"host"`
-	AuthMode      GitAuthMode `yaml:"auth_mode" json:"auth_mode"`
-	CredentialRef string      `yaml:"credential_ref" json:"credential_ref"`
-	IdentityCache string      `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
+	Host          string             `yaml:"host" json:"host"`
+	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
+	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
+
+	// CredentialRef is retained as an ignored in-memory compatibility field.
+	CredentialRef string `yaml:"-" json:"-"`
 }
 
 // ReviewerCredentials optionally identifies separate posting credentials.
 type ReviewerCredentials struct {
-	AuthMode      GitAuthMode `yaml:"auth_mode" json:"auth_mode"`
-	CredentialRef string      `yaml:"credential_ref" json:"credential_ref"`
-	DisplayName   string      `yaml:"display_name,omitempty" json:"display_name,omitempty"`
-	IdentityCache string      `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
+	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
+	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	DisplayName   string             `yaml:"display_name,omitempty" json:"display_name,omitempty"`
+	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
+
+	// CredentialRef is retained as an ignored in-memory compatibility field.
+	CredentialRef string `yaml:"-" json:"-"`
 }
 
 // RepositoryProfile routes repositories to profiles when --profile is omitted.
@@ -159,12 +208,15 @@ type RepositoryProfileMatch struct {
 
 // LLMConfig identifies the LLM provider and adapter.
 type LLMConfig struct {
-	Provider          LLMProvider `yaml:"provider" json:"provider"`
-	Auth              LLMAuth     `yaml:"auth" json:"auth"`
-	Adapter           LLMAdapter  `yaml:"adapter" json:"adapter"`
-	CredentialRef     string      `yaml:"credential_ref,omitempty" json:"credential_ref,omitempty"`
-	ModelMap          ModelMap    `yaml:"model_map,omitempty" json:"model_map,omitempty"`
-	ReviewerModelTier ModelTier   `yaml:"reviewer_model_tier,omitempty" json:"reviewer_model_tier,omitempty"`
+	Provider          LLMProvider        `yaml:"provider" json:"provider"`
+	Auth              LLMAuth            `yaml:"auth" json:"auth"`
+	Adapter           LLMAdapter         `yaml:"adapter" json:"adapter"`
+	Credential        CredentialLocation `yaml:"credential,omitempty" json:"credential,omitempty"`
+	ModelMap          ModelMap           `yaml:"model_map,omitempty" json:"model_map,omitempty"`
+	ReviewerModelTier ModelTier          `yaml:"reviewer_model_tier,omitempty" json:"reviewer_model_tier,omitempty"`
+
+	// CredentialRef is retained as an ignored in-memory compatibility field.
+	CredentialRef string `yaml:"-" json:"-"`
 }
 
 // ModelMap maps portable model tiers to provider-specific model identifiers.
@@ -424,9 +476,27 @@ func (e RetentionEnforcement) Valid() bool {
 	}
 }
 
-// CredentialRef is one declared non-secret pointer into the credential store.
+// CredentialLocation names where one credential bundle is stored.
+type CredentialLocation struct {
+	Store string `yaml:"store" json:"store"`
+	Name  string `yaml:"name" json:"name"`
+}
+
+func (c CredentialLocation) normalized() CredentialLocation {
+	c.Store = strings.TrimSpace(c.Store)
+	c.Name = strings.TrimSpace(c.Name)
+	return c
+}
+
+func (c CredentialLocation) empty() bool {
+	return strings.TrimSpace(c.Store) == "" && strings.TrimSpace(c.Name) == ""
+}
+
+// CredentialRef is one declared non-secret pointer into a credential store.
+// It is derived from CredentialLocation for readiness/status helpers.
 type CredentialRef struct {
 	Purpose  string `json:"purpose"`
+	Store    string `json:"store,omitempty"`
 	Ref      string `json:"ref"`
 	Mode     string `json:"mode"`
 	Provider string `json:"provider,omitempty"`
@@ -450,9 +520,6 @@ const (
 	// RepositoryProfileResolutionSourceRoute means a repository_profiles route
 	// selected the profile.
 	RepositoryProfileResolutionSourceRoute RepositoryProfileResolutionSource = "repository_route"
-	// RepositoryProfileResolutionSourceDefault means routing did not match and
-	// the default profile was used.
-	RepositoryProfileResolutionSourceDefault RepositoryProfileResolutionSource = "default_profile"
 )
 
 // RepositoryProfileResolution describes the resolved profile plus the source of
@@ -476,16 +543,21 @@ func Path() (string, error) {
 // Load reads and validates config.yml.
 func Load(path string) (File, error) {
 	// #nosec G304 -- path is the resolved cr config path or an injected test path.
-	file, err := os.Open(path)
+	body, err := os.ReadFile(path)
 	if os.IsNotExist(err) {
 		return File{}, fmt.Errorf("%w: %s", ErrNotConfigured, path)
 	}
 	if err != nil {
 		return File{}, fmt.Errorf("config: open %s: %w", path, err)
 	}
-	defer file.Close()
+	if len(bytes.TrimSpace(body)) == 0 {
+		return File{}, invalid("empty config")
+	}
+	if yamlDocumentHasMappingPath(body, "secrets", "profiles") {
+		return File{}, invalid("secrets.profiles is no longer supported; use secrets.stores")
+	}
 
-	decoder := yaml.NewDecoder(file)
+	decoder := yaml.NewDecoder(bytes.NewReader(body))
 	decoder.KnownFields(true)
 	var cfg File
 	if err := decoder.Decode(&cfg); err != nil {
@@ -501,10 +573,10 @@ func Load(path string) (File, error) {
 		return File{}, invalid("parse %s: multiple YAML documents are not supported", path)
 	}
 
-	cfg = cfg.normalized()
 	if err := Validate(cfg); err != nil {
 		return File{}, err
 	}
+	cfg = cfg.normalized()
 	return cfg, nil
 }
 
@@ -513,10 +585,13 @@ func Save(path string, cfg File) error {
 	if strings.TrimSpace(path) == "" {
 		return invalid("path is required")
 	}
-	cfg = cfg.normalized()
+	if fileHasNoExplicitContent(cfg) {
+		return invalid("config is empty")
+	}
 	if err := Validate(cfg); err != nil {
 		return err
 	}
+	cfg = cfg.normalized()
 
 	dir := filepath.Dir(path)
 	if err := os.MkdirAll(dir, dirPerm); err != nil {
@@ -558,6 +633,48 @@ func Save(path string, cfg File) error {
 	return nil
 }
 
+func fileHasNoExplicitContent(cfg File) bool {
+	return cfg.Secrets.Stores == nil &&
+		cfg.Secrets.Profiles == nil &&
+		cfg.LLMRuntimes == nil &&
+		cfg.RepositoryProfiles == nil &&
+		cfg.Profiles == nil &&
+		cfg.Data.Retention.MaxAgeDays == nil &&
+		cfg.Data.Retention.Enforcement == "" &&
+		cfg.Keyring.Backend == ""
+}
+
+func yamlDocumentHasMappingPath(body []byte, path ...string) bool {
+	decoder := yaml.NewDecoder(bytes.NewReader(body))
+	var node yaml.Node
+	if err := decoder.Decode(&node); err != nil {
+		return false
+	}
+	current := &node
+	if current.Kind == yaml.DocumentNode && len(current.Content) > 0 {
+		current = current.Content[0]
+	}
+	for _, key := range path {
+		current = yamlMappingValue(current, key)
+		if current == nil {
+			return false
+		}
+	}
+	return true
+}
+
+func yamlMappingValue(node *yaml.Node, key string) *yaml.Node {
+	if node == nil || node.Kind != yaml.MappingNode {
+		return nil
+	}
+	for index := 0; index+1 < len(node.Content); index += 2 {
+		if node.Content[index].Value == key {
+			return node.Content[index+1]
+		}
+	}
+	return nil
+}
+
 // Normalize returns cfg with the same normalization pass Validate and Save apply.
 func Normalize(cfg File) File {
 	return cfg.normalized()
@@ -566,99 +683,92 @@ func Normalize(cfg File) File {
 // Validate checks a config file after defaults have been applied.
 func Validate(cfg File) error {
 	cfg = cfg.normalized()
-	if strings.TrimSpace(cfg.DefaultProfile) == "" {
-		return invalid("default_profile is required")
+	if err := ValidateSecrets(cfg.Secrets); err != nil {
+		return err
+	}
+	if err := ValidateRetention(cfg.Data.Retention); err != nil {
+		return err
+	}
+	for name, runtime := range cfg.LLMRuntimes {
+		if strings.TrimSpace(name) == "" {
+			return invalid("llm_runtimes name is required")
+		}
+		if err := validateLLMConfig(fmt.Sprintf("llm_runtimes.%s", name), runtime); err != nil {
+			return err
+		}
+		if runtime.Auth == LLMAuthAPIKey {
+			if err := validateCredentialStoreSelection(cfg.Secrets, fmt.Sprintf("llm_runtimes.%s.credential.store", name), runtime.Credential.Store); err != nil {
+				return err
+			}
+		}
 	}
 	if len(cfg.Profiles) == 0 {
-		return invalid("profiles is required")
+		if len(cfg.RepositoryProfiles) > 0 {
+			return invalid("profiles is required")
+		}
+		return nil
 	}
 	for name, profile := range cfg.Profiles {
 		if strings.TrimSpace(name) == "" {
 			return invalid("profile name is required")
 		}
-		profile = profile.normalized()
 		if err := validateProfile(name, profile); err != nil {
 			return err
 		}
-		if err := validateProfileSecretsProfileSelection(cfg.Secrets, name, profile); err != nil {
+		if err := validateProfileCredentialStoreSelections(cfg.Secrets, name, profile); err != nil {
 			return err
 		}
 	}
-	if _, ok := cfg.Profiles[cfg.DefaultProfile]; !ok {
-		return fmt.Errorf("%w: %s", ErrProfileNotFound, cfg.DefaultProfile)
-	}
 	if err := validateRepositoryProfiles(cfg); err != nil {
 		return err
 	}
-	if err := ValidateKeyring(cfg.Keyring); err != nil {
-		return err
-	}
-	if err := ValidateSecrets(cfg.Secrets); err != nil {
-		return err
-	}
-	if err := ValidateRetention(cfg.Data.Retention); err != nil {
-		return err
-	}
 	return nil
 }
 
-// EffectiveSecretsProfiles returns the configured secrets-management profiles or
-// a projected read-only legacy profile when config still relies on the old
-// keyring.backend model.
-func EffectiveSecretsProfiles(cfg File) []EffectiveSecretsProfile {
+// EffectiveSecretsStores returns the read-only built-in OS credential store
+// followed by configured credential stores in stable order.
+func EffectiveSecretsStores(cfg File) []EffectiveSecretsStore {
 	cfg = cfg.normalized()
-	if len(cfg.Secrets.Profiles) == 0 {
-		backend := strings.TrimSpace(cfg.Keyring.Backend)
-		if backend == "" {
-			backend = ProjectedLegacySecretsBackendKind
-		}
-		return []EffectiveSecretsProfile{{
-			ID:        LegacyProjectedSecretsProfileID,
-			Label:     "Legacy default",
-			Backend:   backend,
-			IsDefault: true,
-			Source:    EffectiveSecretsProfileSourceProjectedLegacy,
-		}}
-	}
-
-	ids := make([]string, 0, len(cfg.Secrets.Profiles))
-	for id := range cfg.Secrets.Profiles {
+	out := []EffectiveSecretsStore{{
+		ID:          LocalOSCredentialStoreID,
+		DisplayName: "OS credential store",
+		Label:       "OS credential store",
+		Backend:     ProjectedOSCredentialStoreBackendKind,
+		ReadOnly:    true,
+		Source:      EffectiveSecretsStoreSourceBuiltIn,
+	}}
+
+	ids := make([]string, 0, len(cfg.Secrets.Stores))
+	for id := range cfg.Secrets.Stores {
 		ids = append(ids, id)
 	}
 	sort.Strings(ids)
 
-	profiles := make([]EffectiveSecretsProfile, 0, len(ids))
 	for _, id := range ids {
-		profile := cfg.Secrets.Profiles[id]
-		label := strings.TrimSpace(profile.Label)
-		profiles = append(profiles, EffectiveSecretsProfile{
-			ID:        id,
-			Label:     label,
-			Backend:   string(profile.Backend.Kind),
-			IsDefault: strings.TrimSpace(cfg.Secrets.DefaultProfile) == id,
-			Source:    EffectiveSecretsProfileSourceConfigured,
+		store := cfg.Secrets.Stores[id]
+		displayName := strings.TrimSpace(store.DisplayName)
+		out = append(out, EffectiveSecretsStore{
+			ID:          id,
+			DisplayName: displayName,
+			Label:       displayName,
+			Backend:     string(store.Backend.Kind),
+			Source:      EffectiveSecretsStoreSourceConfigured,
 		})
 	}
-	return profiles
+	return out
 }
 
-// EffectiveDefaultSecretsProfile returns the effective default secrets profile, if any.
-func EffectiveDefaultSecretsProfile(cfg File) (EffectiveSecretsProfile, bool) {
-	for _, profile := range EffectiveSecretsProfiles(cfg) {
-		if profile.IsDefault {
-			return profile, true
-		}
-	}
-	return EffectiveSecretsProfile{}, false
+// EffectiveSecretsProfiles is the old in-memory name for EffectiveSecretsStores.
+func EffectiveSecretsProfiles(cfg File) []EffectiveSecretsProfile {
+	return EffectiveSecretsStores(cfg)
 }
 
-// ResolveProfile returns the requested profile, or the default profile when
-// requestedName is empty.
+// ResolveProfile returns the requested profile.
 func ResolveProfile(cfg File, requestedName string) (string, Profile, error) {
 	cfg = cfg.normalized()
 	name := strings.TrimSpace(requestedName)
 	if name == "" {
-		name = cfg.DefaultProfile
+		return "", Profile{}, fmt.Errorf("%w: no profile selected; pass --profile or configure a repository route", ErrProfileNotFound)
 	}
 	profile, ok := cfg.Profiles[name]
 	if !ok {
@@ -743,15 +853,7 @@ func ResolveProfileForRepositoryWithSource(cfg File, requestedName string, expli
 			MatchedRoute: namespaceRoute,
 		}, nil
 	}
-	name, profile, err := ResolveProfile(cfg, "")
-	if err != nil {
-		return RepositoryProfileResolution{}, err
-	}
-	return RepositoryProfileResolution{
-		ProfileName: name,
-		Profile:     profile,
-		Source:      RepositoryProfileResolutionSourceDefault,
-	}, nil
+	return RepositoryProfileResolution{}, fmt.Errorf("%w: no repository profile route matched %s/%s/%s; pass --profile or configure a repository route", ErrProfileNotFound, targetHost, targetNamespace, targetRepo)
 }
 
 // CredentialRefs returns all credential-store refs declared by profile.
@@ -762,14 +864,14 @@ func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	}
 
 	refs := []CredentialRef{}
-	gitRef, err := gitCredentialRef("git", profile.Git.AuthMode, profile.Git.CredentialRef)
+	gitRef, err := gitCredentialRef("git", profile.Git.AuthMode, profile.Git.Credential)
 	if err != nil {
 		return nil, err
 	}
 	refs = append(refs, gitRef)
 
 	if profile.ReviewerCredentials != nil {
-		reviewerRef, err := gitCredentialRef("reviewer_credentials", profile.ReviewerCredentials.AuthMode, profile.ReviewerCredentials.CredentialRef)
+		reviewerRef, err := gitCredentialRef("reviewer_credentials", profile.ReviewerCredentials.AuthMode, profile.ReviewerCredentials.Credential)
 		if err != nil {
 			return nil, err
 		}
@@ -779,7 +881,8 @@ func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	if profile.LLM.Auth == LLMAuthAPIKey {
 		refs = append(refs, CredentialRef{
 			Purpose:  "llm",
-			Ref:      profile.LLM.CredentialRef,
+			Store:    profile.LLM.Credential.Store,
+			Ref:      profile.LLM.Credential.Name,
 			Mode:     string(LLMAuthAPIKey),
 			Provider: string(profile.LLM.Provider),
 		})
@@ -787,11 +890,11 @@ func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	return refs, nil
 }
 
-func gitCredentialRef(purpose string, mode GitAuthMode, ref string) (CredentialRef, error) {
+func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLocation) (CredentialRef, error) {
 	if !mode.Supported() {
 		return CredentialRef{}, fmt.Errorf("%w: %s auth_mode %q", ErrUnsupported, purpose, mode)
 	}
-	return CredentialRef{Purpose: purpose, Ref: ref, Mode: string(mode)}, nil
+	return CredentialRef{Purpose: purpose, Store: credential.Store, Ref: credential.Name, Mode: string(mode)}, nil
 }
 
 func validateProfile(name string, profile Profile) error {
@@ -804,10 +907,7 @@ func validateProfile(name string, profile Profile) error {
 	if !profile.Git.AuthMode.Supported() {
 		return fmt.Errorf("%w: profiles.%s.git.auth_mode %q", ErrUnsupported, name, profile.Git.AuthMode)
 	}
-	if strings.TrimSpace(profile.Git.CredentialRef) == "" {
-		return invalid("profiles.%s.git.credential_ref is required", name)
-	}
-	if err := validateCredentialRef(fmt.Sprintf("profiles.%s.git.credential_ref", name), profile.Git.CredentialRef); err != nil {
+	if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.git.credential", name), profile.Git.Credential); err != nil {
 		return err
 	}
 	if profile.ReviewerCredentials != nil {
@@ -817,101 +917,144 @@ func validateProfile(name string, profile Profile) error {
 		if !profile.ReviewerCredentials.AuthMode.Supported() {
 			return fmt.Errorf("%w: profiles.%s.reviewer_credentials.auth_mode %q", ErrUnsupported, name, profile.ReviewerCredentials.AuthMode)
 		}
-		if strings.TrimSpace(profile.ReviewerCredentials.CredentialRef) == "" {
-			return invalid("profiles.%s.reviewer_credentials.credential_ref is required", name)
-		}
-		if err := validateCredentialRef(fmt.Sprintf("profiles.%s.reviewer_credentials.credential_ref", name), profile.ReviewerCredentials.CredentialRef); err != nil {
+		if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.reviewer_credentials.credential", name), profile.ReviewerCredentials.Credential); err != nil {
 			return err
 		}
-		if profile.ReviewerCredentials.CredentialRef == profile.Git.CredentialRef {
-			return invalid("profiles.%s.reviewer_credentials.credential_ref must differ from git.credential_ref", name)
+		if sameCredentialLocation(profile.ReviewerCredentials.Credential, profile.Git.Credential) {
+			return invalid("profiles.%s.reviewer_credentials.credential must differ from git.credential when store and name match", name)
 		}
 		if err := validateOptionalSingleLine(fmt.Sprintf("profiles.%s.reviewer_credentials.display_name", name), profile.ReviewerCredentials.DisplayName); err != nil {
 			return err
 		}
 	}
-	if !profile.LLM.Provider.Valid() {
-		return invalid("profiles.%s.llm.provider %q is invalid", name, profile.LLM.Provider)
+	if err := validateLLMConfig(fmt.Sprintf("profiles.%s.llm", name), profile.LLM); err != nil {
+		return err
+	}
+	if profile.LLM.Auth == LLMAuthAPIKey {
+		if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.llm.credential", name), profile.LLM.Credential); err != nil {
+			return err
+		}
+		if sameCredentialLocation(profile.LLM.Credential, profile.Git.Credential) {
+			return invalid("profiles.%s.llm.credential must differ from git.credential when store and name match", name)
+		}
+		if profile.ReviewerCredentials != nil && sameCredentialLocation(profile.LLM.Credential, profile.ReviewerCredentials.Credential) {
+			return invalid("profiles.%s.llm.credential must differ from reviewer_credentials.credential when store and name match", name)
+		}
+	}
+	for index, source := range profile.AgentSources {
+		if strings.TrimSpace(source) == "" {
+			return invalid("profiles.%s.agent_sources[%d] is required", name, index)
+		}
+	}
+	if !profile.ReviewPolicy.MajorEvent.Valid() {
+		return invalid("profiles.%s.review_policy.major_event %q is invalid", name, profile.ReviewPolicy.MajorEvent)
 	}
-	if !profile.LLM.Auth.Valid() {
-		return invalid("profiles.%s.llm.auth %q is invalid", name, profile.LLM.Auth)
+	if profile.ReviewPolicy.ResolveThreads != "" && !profile.ReviewPolicy.ResolveThreads.Valid() {
+		return invalid("profiles.%s.review_policy.resolve_threads %q is invalid", name, profile.ReviewPolicy.ResolveThreads)
 	}
-	if !profile.LLM.Adapter.Valid() {
-		return invalid("profiles.%s.llm.adapter %q is invalid", name, profile.LLM.Adapter)
+	if profile.ReviewPolicy.ResolveAfter != "" {
+		if _, err := time.ParseDuration(profile.ReviewPolicy.ResolveAfter); err != nil {
+			return invalid("profiles.%s.review_policy.resolve_after %q is invalid: %v", name, profile.ReviewPolicy.ResolveAfter, err)
+		}
 	}
-	if profile.LLM.Provider == LLMProviderPi {
-		if profile.LLM.Auth != LLMAuthSubscription || profile.LLM.Adapter != LLMAdapterPiRPC {
-			return invalid("profiles.%s.llm provider pi requires auth subscription and adapter pi_rpc", name)
+	return nil
+}
+
+func validateLLMConfig(field string, llm LLMConfig) error {
+	if !llm.Provider.Valid() {
+		return invalid("%s.provider %q is invalid", field, llm.Provider)
+	}
+	if !llm.Auth.Valid() {
+		return invalid("%s.auth %q is invalid", field, llm.Auth)
+	}
+	if !llm.Adapter.Valid() {
+		return invalid("%s.adapter %q is invalid", field, llm.Adapter)
+	}
+	if llm.Provider == LLMProviderPi {
+		if llm.Auth != LLMAuthSubscription || llm.Adapter != LLMAdapterPiRPC {
+			return invalid("%s provider pi requires auth subscription and adapter pi_rpc", field)
 		}
 	}
-	if profile.LLM.Adapter == LLMAdapterPiRPC {
-		if profile.LLM.Provider != LLMProviderPi || profile.LLM.Auth != LLMAuthSubscription {
-			return invalid("profiles.%s.llm adapter pi_rpc requires provider pi and auth subscription", name)
+	if llm.Adapter == LLMAdapterPiRPC {
+		if llm.Provider != LLMProviderPi || llm.Auth != LLMAuthSubscription {
+			return invalid("%s adapter pi_rpc requires provider pi and auth subscription", field)
 		}
 	}
-	if profile.LLM.Adapter == LLMAdapterCodexCLI {
-		if profile.LLM.Provider != LLMProviderOpenAI || profile.LLM.Auth != LLMAuthSubscription {
-			return invalid("profiles.%s.llm adapter codex_cli requires provider openai and auth subscription", name)
+	if llm.Adapter == LLMAdapterCodexCLI {
+		if llm.Provider != LLMProviderOpenAI || llm.Auth != LLMAuthSubscription {
+			return invalid("%s adapter codex_cli requires provider openai and auth subscription", field)
 		}
 	}
-	if profile.LLM.Auth == LLMAuthAPIKey && strings.TrimSpace(profile.LLM.CredentialRef) == "" {
-		return invalid("profiles.%s.llm.credential_ref is required for api_key auth", name)
+	if llm.Auth == LLMAuthAPIKey && llm.Credential.empty() {
+		return invalid("%s.credential is required for api_key auth", field)
 	}
-	if profile.LLM.Auth == LLMAuthSubscription && strings.TrimSpace(profile.LLM.CredentialRef) != "" {
-		return invalid("profiles.%s.llm.credential_ref must be empty for subscription auth", name)
+	if llm.Auth == LLMAuthSubscription && !llm.Credential.empty() {
+		return invalid("%s.credential must be empty for subscription auth", field)
 	}
-	if profile.LLM.Auth == LLMAuthAPIKey {
-		if err := validateCredentialRef(fmt.Sprintf("profiles.%s.llm.credential_ref", name), profile.LLM.CredentialRef); err != nil {
+	if llm.Auth == LLMAuthAPIKey {
+		if err := validateCredentialLocation(field+".credential", llm.Credential); err != nil {
 			return err
 		}
-		if profile.LLM.CredentialRef == profile.Git.CredentialRef {
-			return invalid("profiles.%s.llm.credential_ref must differ from git.credential_ref", name)
-		}
-		if profile.ReviewerCredentials != nil && profile.LLM.CredentialRef == profile.ReviewerCredentials.CredentialRef {
-			return invalid("profiles.%s.llm.credential_ref must differ from reviewer_credentials.credential_ref", name)
-		}
 	}
-	for tier, model := range profile.LLM.ModelMap {
+	for tier, model := range llm.ModelMap {
 		modelTier := ModelTier(tier)
 		if !modelTier.Valid() {
-			return invalid("profiles.%s.llm.model_map tier %q is invalid", name, tier)
+			return invalid("%s.model_map tier %q is invalid", field, tier)
 		}
 		if strings.TrimSpace(model) == "" {
-			return invalid("profiles.%s.llm.model_map.%s is required", name, tier)
+			return invalid("%s.model_map.%s is required", field, tier)
 		}
 	}
-	if profile.LLM.ReviewerModelTier != "" && !profile.LLM.ReviewerModelTier.Valid() {
-		return invalid("profiles.%s.llm.reviewer_model_tier %q is invalid; must be one of small, medium, large", name, profile.LLM.ReviewerModelTier)
+	if llm.ReviewerModelTier != "" && !llm.ReviewerModelTier.Valid() {
+		return invalid("%s.reviewer_model_tier %q is invalid; must be one of small, medium, large", field, llm.ReviewerModelTier)
 	}
-	for index, source := range profile.AgentSources {
-		if strings.TrimSpace(source) == "" {
-			return invalid("profiles.%s.agent_sources[%d] is required", name, index)
+	return nil
+}
+
+func validateProfileCredentialStoreSelections(secrets SecretsConfig, name string, profile Profile) error {
+	for _, credential := range profileCredentialLocations(profile) {
+		if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("profiles.%s.%s.credential.store", name, credential.path), credential.location.Store); err != nil {
+			return err
 		}
 	}
-	if !profile.ReviewPolicy.MajorEvent.Valid() {
-		return invalid("profiles.%s.review_policy.major_event %q is invalid", name, profile.ReviewPolicy.MajorEvent)
-	}
-	if profile.ReviewPolicy.ResolveThreads != "" && !profile.ReviewPolicy.ResolveThreads.Valid() {
-		return invalid("profiles.%s.review_policy.resolve_threads %q is invalid", name, profile.ReviewPolicy.ResolveThreads)
+	return nil
+}
+
+type profileCredentialLocation struct {
+	path     string
+	location CredentialLocation
+}
+
+func profileCredentialLocations(profile Profile) []profileCredentialLocation {
+	locations := []profileCredentialLocation{{
+		path:     "git",
+		location: profile.Git.Credential,
+	}}
+	if profile.ReviewerCredentials != nil {
+		locations = append(locations, profileCredentialLocation{
+			path:     "reviewer_credentials",
+			location: profile.ReviewerCredentials.Credential,
+		})
 	}
-	if profile.ReviewPolicy.ResolveAfter != "" {
-		if _, err := time.ParseDuration(profile.ReviewPolicy.ResolveAfter); err != nil {
-			return invalid("profiles.%s.review_policy.resolve_after %q is invalid: %v", name, profile.ReviewPolicy.ResolveAfter, err)
-		}
+	if profile.LLM.Auth == LLMAuthAPIKey {
+		locations = append(locations, profileCredentialLocation{
+			path:     "llm",
+			location: profile.LLM.Credential,
+		})
 	}
-	return nil
+	return locations
 }
 
-func validateProfileSecretsProfileSelection(secrets SecretsConfig, name string, profile Profile) error {
-	selection := strings.TrimSpace(profile.SecretsProfile)
-	if selection == "" {
-		return nil
+func validateCredentialStoreSelection(secrets SecretsConfig, field, store string) error {
+	store = strings.TrimSpace(store)
+	if store == "" {
+		return invalid("%s is required", field)
 	}
-	if selection == LegacyProjectedSecretsProfileID {
-		return invalid("profiles.%s.secrets_profile %q is reserved", name, LegacyProjectedSecretsProfileID)
+	if store == LocalOSCredentialStoreID {
+		return nil
 	}
-	if _, ok := secrets.Profiles[selection]; !ok {
-		return fmt.Errorf("%w: profiles.%s.secrets_profile %q", ErrSecretsProfileNotFound, name, selection)
+	if _, ok := secrets.Stores[store]; !ok {
+		return fmt.Errorf("%w: %s %q", ErrSecretsStoreNotFound, field, store)
 	}
 	return nil
 }
@@ -973,87 +1116,68 @@ func validateRepositoryProfiles(cfg File) error {
 	return nil
 }
 
-// ValidateKeyring checks non-secret keyring backend preferences.
-func ValidateKeyring(keyring KeyringConfig) error {
-	backend := strings.TrimSpace(keyring.Backend)
-	if backend == "" {
-		return nil
-	}
-	parsed, err := credstore.ParseBackend(backend)
-	if err != nil {
-		return fmt.Errorf("%w: keyring.backend %q is invalid: %w", ErrInvalid, backend, err)
-	}
-	if IsOnePasswordSecretsBackend(SecretsBackendKind(parsed)) {
-		return invalid("keyring.backend %q is not supported; configure 1Password through a named secrets-management profile instead", backend)
-	}
+// ValidateKeyring is retained for in-memory compatibility during the staged
+// rewrite. keyring.backend is no longer part of the config schema.
+func ValidateKeyring(_ KeyringConfig) error {
 	return nil
 }
 
-// ValidateSecrets checks non-secret named secrets-management profile config.
+// ValidateSecrets checks non-secret named credential store config.
 func ValidateSecrets(secrets SecretsConfig) error {
 	secrets = secrets.normalized()
-	if strings.TrimSpace(secrets.DefaultProfile) != "" {
-		if secrets.DefaultProfile == LegacyProjectedSecretsProfileID {
-			return invalid("secrets.default_profile %q is reserved", LegacyProjectedSecretsProfileID)
-		}
-		if _, ok := secrets.Profiles[secrets.DefaultProfile]; !ok {
-			return fmt.Errorf("%w: secrets.default_profile %q", ErrProfileNotFound, secrets.DefaultProfile)
-		}
-	}
-	for id, profile := range secrets.Profiles {
+	for id, store := range secrets.Stores {
 		trimmedID := strings.TrimSpace(id)
 		if trimmedID == "" {
-			return invalid("secrets.profiles key is required")
+			return invalid("secrets.stores key is required")
 		}
 		if trimmedID != id {
-			return invalid("secrets.profiles.%s id must not contain surrounding whitespace", id)
+			return invalid("secrets.stores.%s id must not contain surrounding whitespace", id)
 		}
-		if id == LegacyProjectedSecretsProfileID {
-			return invalid("secrets.profiles.%s is reserved", LegacyProjectedSecretsProfileID)
+		if id == LocalOSCredentialStoreID {
+			return invalid("secrets.stores.%s is reserved", LocalOSCredentialStoreID)
 		}
-		if err := validateSecretsProfile(id, profile); err != nil {
+		if err := validateSecretsStore(id, store); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-func validateSecretsProfile(id string, profile SecretsProfile) error {
-	if err := validateOptionalSingleLine(fmt.Sprintf("secrets.profiles.%s.label", id), profile.Label); err != nil {
+func validateSecretsStore(id string, store SecretsStore) error {
+	if err := validateOptionalSingleLine(fmt.Sprintf("secrets.stores.%s.display_name", id), store.DisplayName); err != nil {
 		return err
 	}
-	if strings.TrimSpace(string(profile.Backend.Kind)) == "" {
-		return invalid("secrets.profiles.%s.backend.kind is required", id)
+	if strings.TrimSpace(string(store.Backend.Kind)) == "" {
+		return invalid("secrets.stores.%s.backend.kind is required", id)
 	}
-	if _, err := credstore.ParseBackend(string(profile.Backend.Kind)); err != nil {
-		return fmt.Errorf("%w: secrets.profiles.%s.backend.kind %q is invalid: %w", ErrInvalid, id, profile.Backend.Kind, err)
+	if _, err := credstore.ParseBackend(string(store.Backend.Kind)); err != nil {
+		return fmt.Errorf("%w: secrets.stores.%s.backend.kind %q is invalid: %w", ErrInvalid, id, store.Backend.Kind, err)
 	}
-	if err := validateSecretsProfileBackend(id, profile.Backend); err != nil {
+	if err := validateSecretsStoreBackend(id, store.Backend); err != nil {
 		return err
 	}
 	return nil
 }
 
-func validateSecretsProfileBackend(id string, backend SecretsProfileBackend) error {
+func validateSecretsStoreBackend(id string, backend SecretsStoreBackend) error {
 	if !IsOnePasswordSecretsBackend(backend.Kind) {
 		return nil
 	}
 	onePassword := backend.OnePassword
 	if onePassword == nil {
-		onePassword = &SecretsProfileOnePasswordConfig{}
+		onePassword = &SecretsStoreOnePasswordConfig{}
 	}
 	field := func(suffix string) string {
-		return fmt.Sprintf("secrets.profiles.%s.backend.onepassword.%s", id, suffix)
+		return fmt.Sprintf("secrets.stores.%s.backend.onepassword.%s", id, suffix)
 	}
 	for suffix, value := range map[string]string{
-		"vault_id":           onePassword.VaultID,
-		"item_title_prefix":  onePassword.ItemTitlePrefix,
-		"item_tag":           onePassword.ItemTag,
-		"item_field_title":   onePassword.ItemFieldTitle,
-		"connect_host":       onePassword.ConnectHost,
-		"connect_token_env":  onePassword.ConnectTokenEnv,
-		"service_token_env":  onePassword.ServiceTokenEnv,
-		"desktop_account_id": onePassword.DesktopAccountID,
+		"account_id":        onePassword.AccountID,
+		"account_url":       onePassword.AccountURL,
+		"vault_id":          onePassword.VaultID,
+		"vault_name":        onePassword.VaultName,
+		"connect_host":      onePassword.ConnectHost,
+		"connect_token_env": onePassword.ConnectTokenEnv,
+		"service_token_env": onePassword.ServiceTokenEnv,
 	} {
 		if err := validateOptionalSingleLine(field(suffix), value); err != nil {
 			return err
@@ -1097,6 +1221,23 @@ func validateCredentialRef(field, ref string) error {
 	return nil
 }
 
+func validateCredentialLocation(field string, credential CredentialLocation) error {
+	credential = credential.normalized()
+	if credential.Store == "" {
+		return invalid("%s.store is required", field)
+	}
+	if credential.Name == "" {
+		return invalid("%s.name is required", field)
+	}
+	return validateCredentialRef(field+".name", credential.Name)
+}
+
+func sameCredentialLocation(left, right CredentialLocation) bool {
+	left = left.normalized()
+	right = right.normalized()
+	return left.Store == right.Store && left.Name == right.Name
+}
+
 func validateOptionalSingleLine(field, value string) error {
 	trimmed := strings.TrimSpace(value)
 	if trimmed == "" {
@@ -1134,6 +1275,13 @@ func (cfg File) normalized() File {
 		profiles[name] = profile.normalized()
 	}
 	cfg.Profiles = profiles
+	if cfg.LLMRuntimes != nil {
+		runtimes := make(map[string]LLMConfig, len(cfg.LLMRuntimes))
+		for name, runtime := range cfg.LLMRuntimes {
+			runtimes[strings.TrimSpace(name)] = runtime.normalized()
+		}
+		cfg.LLMRuntimes = runtimes
+	}
 	if len(cfg.RepositoryProfiles) > 0 {
 		routes := make([]RepositoryProfile, len(cfg.RepositoryProfiles))
 		for index, route := range cfg.RepositoryProfiles {
@@ -1157,31 +1305,41 @@ func (cfg File) normalized() File {
 }
 
 func (s SecretsConfig) normalized() SecretsConfig {
-	s.DefaultProfile = strings.TrimSpace(s.DefaultProfile)
-	if s.Profiles == nil {
-		s.Profiles = map[string]SecretsProfile{}
+	if s.Stores == nil {
+		s.Stores = map[string]SecretsStore{}
 	}
-	profiles := make(map[string]SecretsProfile, len(s.Profiles))
 	for id, profile := range s.Profiles {
-		profiles[id] = profile.normalized()
+		if _, ok := s.Stores[id]; !ok {
+			s.Stores[id] = profile
+		}
+	}
+	stores := make(map[string]SecretsStore, len(s.Stores))
+	for id, store := range s.Stores {
+		stores[id] = store.normalized()
 	}
-	s.Profiles = profiles
+	s.Stores = stores
+	s.Profiles = stores
 	return s
 }
 
-func (p SecretsProfile) normalized() SecretsProfile {
-	p.Label = strings.TrimSpace(p.Label)
-	p.Backend = p.Backend.normalized()
-	return p
+func (s SecretsStore) normalized() SecretsStore {
+	s.DisplayName = strings.TrimSpace(s.DisplayName)
+	s.Label = strings.TrimSpace(s.Label)
+	if s.DisplayName == "" {
+		s.DisplayName = s.Label
+	}
+	s.Label = s.DisplayName
+	s.Backend = s.Backend.normalized()
+	return s
 }
 
-func (b SecretsProfileBackend) normalized() SecretsProfileBackend {
+func (b SecretsStoreBackend) normalized() SecretsStoreBackend {
 	b.Kind = SecretsBackendKind(strings.TrimSpace(string(b.Kind)))
 	if !IsOnePasswordSecretsBackend(b.Kind) {
 		b.OnePassword = nil
 		return b
 	}
-	onePassword := SecretsProfileOnePasswordConfig{}
+	onePassword := SecretsStoreOnePasswordConfig{}
 	if b.OnePassword != nil {
 		onePassword = b.OnePassword.normalized()
 	}
@@ -1211,16 +1369,23 @@ func (b SecretsProfileBackend) normalized() SecretsProfileBackend {
 	return b
 }
 
-func (c SecretsProfileOnePasswordConfig) normalized() SecretsProfileOnePasswordConfig {
+func (c SecretsStoreOnePasswordConfig) normalized() SecretsStoreOnePasswordConfig {
 	c.Timeout = strings.TrimSpace(c.Timeout)
+	c.AccountID = strings.TrimSpace(c.AccountID)
+	c.AccountURL = strings.TrimSpace(c.AccountURL)
 	c.VaultID = strings.TrimSpace(c.VaultID)
-	c.ItemTitlePrefix = strings.TrimSpace(c.ItemTitlePrefix)
-	c.ItemTag = strings.TrimSpace(c.ItemTag)
-	c.ItemFieldTitle = strings.TrimSpace(c.ItemFieldTitle)
+	c.VaultName = strings.TrimSpace(c.VaultName)
 	c.ConnectHost = strings.TrimSpace(c.ConnectHost)
 	c.ConnectTokenEnv = strings.TrimSpace(c.ConnectTokenEnv)
 	c.ServiceTokenEnv = strings.TrimSpace(c.ServiceTokenEnv)
+	c.ItemTitlePrefix = strings.TrimSpace(c.ItemTitlePrefix)
+	c.ItemTag = strings.TrimSpace(c.ItemTag)
+	c.ItemFieldTitle = strings.TrimSpace(c.ItemFieldTitle)
 	c.DesktopAccountID = strings.TrimSpace(c.DesktopAccountID)
+	if c.AccountID == "" {
+		c.AccountID = c.DesktopAccountID
+	}
+	c.DesktopAccountID = c.AccountID
 	return c
 }
 
@@ -1237,13 +1402,52 @@ func IsOnePasswordSecretsBackend(kind SecretsBackendKind) bool {
 
 func (p Profile) normalized() Profile {
 	p.SecretsProfile = strings.TrimSpace(p.SecretsProfile)
+	p.Git = p.Git.normalized()
+	if p.ReviewerCredentials != nil {
+		reviewer := p.ReviewerCredentials.normalized()
+		p.ReviewerCredentials = &reviewer
+	}
 	p.LLM = p.LLM.normalized()
 	p.ReviewPolicy = p.ReviewPolicy.normalized()
 	return p
 }
 
+func (g GitConfig) normalized() GitConfig {
+	g.CredentialRef = strings.TrimSpace(g.CredentialRef)
+	g.Credential = g.Credential.normalized()
+	if g.Credential.Name == "" && g.CredentialRef != "" {
+		if g.Credential.Store == "" {
+			g.Credential.Store = LocalOSCredentialStoreID
+		}
+		g.Credential.Name = g.CredentialRef
+	}
+	g.CredentialRef = g.Credential.Name
+	return g
+}
+
+func (r ReviewerCredentials) normalized() ReviewerCredentials {
+	r.CredentialRef = strings.TrimSpace(r.CredentialRef)
+	r.Credential = r.Credential.normalized()
+	if r.Credential.Name == "" && r.CredentialRef != "" {
+		if r.Credential.Store == "" {
+			r.Credential.Store = LocalOSCredentialStoreID
+		}
+		r.Credential.Name = r.CredentialRef
+	}
+	r.CredentialRef = r.Credential.Name
+	return r
+}
+
 func (l LLMConfig) normalized() LLMConfig {
 	l.CredentialRef = strings.TrimSpace(l.CredentialRef)
+	l.Credential = l.Credential.normalized()
+	if l.Credential.Name == "" && l.CredentialRef != "" {
+		if l.Credential.Store == "" {
+			l.Credential.Store = LocalOSCredentialStoreID
+		}
+		l.Credential.Name = l.CredentialRef
+	}
+	l.CredentialRef = l.Credential.Name
 	l.ReviewerModelTier = ModelTier(strings.TrimSpace(string(l.ReviewerModelTier)))
 	if len(l.ModelMap) > 0 {
 		modelMap := make(ModelMap, len(l.ModelMap))
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 3e78f845..446eba5b 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -109,10 +109,8 @@ func TestLoadRejectsEmptyAndMultipleDocuments(t *testing.T) {
 		body string
 	}{
 		{name: "empty", body: ""},
-		{name: "multiple documents", body: `default_profile: home
-profiles: {}
+		{name: "multiple documents", body: `profiles: {}
 ---
-default_profile: other
 profiles: {}
 `},
 	}
@@ -131,13 +129,14 @@ profiles: {}
 
 func TestLoadRejectsUnknownFields(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `default_profile: home
-profiles:
+	writeFile(t, path, `profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: local-os
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -154,13 +153,14 @@ profiles:
 
 func TestLoadRejectsInvalidEnums(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `default_profile: home
-profiles:
+	writeFile(t, path, `profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: local-os
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -174,13 +174,14 @@ profiles:
 
 func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `default_profile: pi
-profiles:
+	writeFile(t, path, `profiles:
   pi:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/pi
+      credential:
+        store: local-os
+        name: codereview/pi
     llm:
       provider: pi
       auth: subscription
@@ -205,13 +206,14 @@ profiles:
 
 func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `default_profile: codex
-profiles:
+	writeFile(t, path, `profiles:
   codex:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/codex
+      credential:
+        store: local-os
+        name: codereview/codex
     llm:
       provider: openai
       auth: subscription
@@ -455,18 +457,12 @@ func TestValidateRejectsInvalidModelMap(t *testing.T) {
 func TestResolveProfile(t *testing.T) {
 	cfg := validFile().normalized()
 
-	name, profile, err := ResolveProfile(cfg, "")
-	if err != nil {
-		t.Fatalf("ResolveProfile default: %v", err)
-	}
-	if name != "home" {
-		t.Fatalf("default profile name = %q, want home", name)
-	}
-	if profile.Git.CredentialRef != "codereview/home" {
-		t.Fatalf("default profile ref = %q, want codereview/home", profile.Git.CredentialRef)
+	_, _, err := ResolveProfile(cfg, "")
+	if !errors.Is(err, ErrProfileNotFound) || !strings.Contains(err.Error(), "pass --profile or configure a repository route") {
+		t.Fatalf("ResolveProfile empty error = %v, want actionable ErrProfileNotFound", err)
 	}
 
-	name, profile, err = ResolveProfile(cfg, "work")
+	name, profile, err := ResolveProfile(cfg, "work")
 	if err != nil {
 		t.Fatalf("ResolveProfile work: %v", err)
 	}
@@ -540,12 +536,6 @@ func TestRepositoryProfileRoutesRoundTripAndResolve(t *testing.T) {
 			wantProfile: "home",
 			wantCredRef: "codereview/home",
 		},
-		{
-			name:        "default fallback",
-			target:      RepositoryTarget{Host: "github.com", Namespace: "open-cli-collective", Repo: "codereview-cli"},
-			wantProfile: "home",
-			wantCredRef: "codereview/home",
-		},
 		{
 			name:        "explicit profile bypasses route",
 			requested:   "work",
@@ -561,8 +551,8 @@ func TestRepositoryProfileRoutesRoundTripAndResolve(t *testing.T) {
 			wantCredRef: "codereview/home",
 		},
 		{
-			name:        "namespace case-sensitive",
-			target:      RepositoryTarget{Host: "github.com", Namespace: "Rianjs", Repo: "baz"},
+			name:        "repo case-sensitive falls back to namespace route",
+			target:      RepositoryTarget{Host: "github.com", Namespace: "rianjs", Repo: "Baz"},
 			wantProfile: "home",
 			wantCredRef: "codereview/home",
 		},
@@ -603,6 +593,16 @@ func TestRepositoryProfileRoutesRoundTripAndResolve(t *testing.T) {
 	if name != "work" || profile.Git.CredentialRef != "codereview/work" {
 		t.Fatalf("inverse-order resolved (%q,%q), want work route", name, profile.Git.CredentialRef)
 	}
+
+	_, _, err = ResolveProfileForRepository(loaded, "", false, RepositoryTarget{Host: "github.com", Namespace: "open-cli-collective", Repo: "codereview-cli"})
+	if !errors.Is(err, ErrProfileNotFound) || !strings.Contains(err.Error(), "no repository profile route matched github.com/open-cli-collective/codereview-cli") {
+		t.Fatalf("ResolveProfileForRepository unmatched error = %v, want actionable ErrProfileNotFound", err)
+	}
+
+	_, _, err = ResolveProfileForRepository(loaded, "", false, RepositoryTarget{Host: "github.com", Namespace: "Rianjs", Repo: "baz"})
+	if !errors.Is(err, ErrProfileNotFound) || !strings.Contains(err.Error(), "no repository profile route matched github.com/Rianjs/baz") {
+		t.Fatalf("ResolveProfileForRepository case-sensitive unmatched error = %v, want actionable ErrProfileNotFound", err)
+	}
 }
 
 func TestResolveProfileForRepositoryWithSource(t *testing.T) {
@@ -668,20 +668,6 @@ func TestResolveProfileForRepositoryWithSource(t *testing.T) {
 				},
 			},
 		},
-		{
-			name:        "default source",
-			target:      RepositoryTarget{Host: "github.com", Namespace: "open-cli-collective", Repo: "codereview-cli"},
-			wantProfile: "home",
-			wantSource:  RepositoryProfileResolutionSourceDefault,
-		},
-		{
-			name:        "explicit empty profile still bypasses route",
-			requested:   "",
-			explicit:    true,
-			target:      RepositoryTarget{Host: "github.com", Namespace: "rianjs", Repo: "baz"},
-			wantProfile: "home",
-			wantSource:  RepositoryProfileResolutionSourceExplicit,
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -700,6 +686,16 @@ func TestResolveProfileForRepositoryWithSource(t *testing.T) {
 			}
 		})
 	}
+
+	_, err := ResolveProfileForRepositoryWithSource(cfg, "", true, RepositoryTarget{Host: "github.com", Namespace: "rianjs", Repo: "baz"})
+	if !errors.Is(err, ErrProfileNotFound) || !strings.Contains(err.Error(), "no profile selected") {
+		t.Fatalf("ResolveProfileForRepositoryWithSource explicit empty error = %v, want actionable ErrProfileNotFound", err)
+	}
+
+	_, err = ResolveProfileForRepositoryWithSource(cfg, "", false, RepositoryTarget{Host: "github.com", Namespace: "open-cli-collective", Repo: "codereview-cli"})
+	if !errors.Is(err, ErrProfileNotFound) || !strings.Contains(err.Error(), "no repository profile route matched github.com/open-cli-collective/codereview-cli") {
+		t.Fatalf("ResolveProfileForRepositoryWithSource unmatched error = %v, want actionable ErrProfileNotFound", err)
+	}
 }
 
 func TestSaveOmitsEmptyRepositoryProfiles(t *testing.T) {
@@ -708,7 +704,7 @@ func TestSaveOmitsEmptyRepositoryProfiles(t *testing.T) {
 		t.Fatalf("Save: %v", err)
 	}
 	// #nosec G304 -- test path is controlled by t.TempDir.
-	body, err := os.ReadFile(path)
+	body, err := os.ReadFile(path) // #nosec G304 -- test reads the temp config file it just saved.
 	if err != nil {
 		t.Fatalf("ReadFile: %v", err)
 	}
@@ -828,9 +824,9 @@ func TestCredentialRefs(t *testing.T) {
 		t.Fatalf("CredentialRefs: %v", err)
 	}
 	want := []CredentialRef{
-		{Purpose: "git", Ref: "codereview/work", Mode: "pat"},
-		{Purpose: "reviewer_credentials", Ref: "codereview/work-reviewer", Mode: "pat"},
-		{Purpose: "llm", Ref: "codereview/work-llm", Mode: "api_key", Provider: "anthropic"},
+		{Purpose: "git", Store: LocalOSCredentialStoreID, Ref: "codereview/work", Mode: "pat"},
+		{Purpose: "reviewer_credentials", Store: LocalOSCredentialStoreID, Ref: "codereview/work-reviewer", Mode: "pat"},
+		{Purpose: "llm", Store: LocalOSCredentialStoreID, Ref: "codereview/work-llm", Mode: "api_key", Provider: "anthropic"},
 	}
 	if !reflect.DeepEqual(refs, want) {
 		t.Fatalf("CredentialRefs = %#v, want %#v", refs, want)
@@ -847,25 +843,126 @@ func TestCredentialRefsIncludesGitHubAppModes(t *testing.T) {
 		t.Fatalf("CredentialRefs: %v", err)
 	}
 	want := []CredentialRef{
-		{Purpose: "git", Ref: "codereview/work", Mode: "github_app"},
-		{Purpose: "reviewer_credentials", Ref: "codereview/work-reviewer", Mode: "github_app"},
-		{Purpose: "llm", Ref: "codereview/work-llm", Mode: "api_key", Provider: "anthropic"},
+		{Purpose: "git", Store: LocalOSCredentialStoreID, Ref: "codereview/work", Mode: "github_app"},
+		{Purpose: "reviewer_credentials", Store: LocalOSCredentialStoreID, Ref: "codereview/work-reviewer", Mode: "github_app"},
+		{Purpose: "llm", Store: LocalOSCredentialStoreID, Ref: "codereview/work-llm", Mode: "api_key", Provider: "anthropic"},
 	}
 	if !reflect.DeepEqual(refs, want) {
 		t.Fatalf("CredentialRefs = %#v, want %#v", refs, want)
 	}
 }
 
-func TestValidateRejectsMissingDefaultProfile(t *testing.T) {
-	cfg := validFile()
-	cfg.DefaultProfile = "missing"
+func TestValidateAllowsCredentialStoresWithoutReviewProfiles(t *testing.T) {
+	cfg := File{
+		Secrets: SecretsConfig{
+			Stores: map[string]SecretsStore{
+				"personal-file": {
+					DisplayName: "Personal file",
+					Backend: SecretsStoreBackend{
+						Kind: SecretsBackendKind(credstore.BackendFile),
+					},
+				},
+			},
+		},
+	}
+	if err := Validate(cfg); err != nil {
+		t.Fatalf("Validate store-only config: %v", err)
+	}
+
+	path := filepath.Join(t.TempDir(), "config.yml")
+	if err := Save(path, cfg); err != nil {
+		t.Fatalf("Save store-only config: %v", err)
+	}
+	// #nosec G304 -- test path is controlled by t.TempDir.
+	body, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("ReadFile: %v", err)
+	}
+	legacyProfileKey := "default" + "_profile"
+	if strings.Contains(string(body), legacyProfileKey) || strings.Contains(string(body), "profiles:") {
+		t.Fatalf("saved store-only config contains review-profile fields:\n%s", string(body))
+	}
+	loaded, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load store-only config: %v", err)
+	}
+	if len(loaded.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", loaded.Profiles)
+	}
+	if _, ok := loaded.Secrets.Stores["personal-file"]; !ok {
+		t.Fatalf("loaded stores = %#v, want personal-file", loaded.Secrets.Stores)
+	}
+}
+
+func TestValidateAllowsEmptyConfig(t *testing.T) {
+	cfg := File{}
+	if err := Validate(cfg); err != nil {
+		t.Fatalf("Validate empty config: %v", err)
+	}
+	if err := Save(filepath.Join(t.TempDir(), "config.yml"), cfg); !errors.Is(err, ErrInvalid) {
+		t.Fatalf("Save literal empty config error = %v, want ErrInvalid", err)
+	}
+
+	cfg = File{Profiles: map[string]Profile{}}
+	path := filepath.Join(t.TempDir(), "config.yml")
+	if err := Save(path, cfg); err != nil {
+		t.Fatalf("Save explicit profileless config: %v", err)
+	}
+	loaded, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load explicit profileless config: %v", err)
+	}
+	if len(loaded.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", loaded.Profiles)
+	}
+	if len(loaded.Secrets.Stores) != 0 {
+		t.Fatalf("loaded stores = %#v, want none", loaded.Secrets.Stores)
+	}
+}
+
+func TestValidateAllowsLLMRuntimesWithoutReviewProfiles(t *testing.T) {
+	cfg := File{
+		LLMRuntimes: map[string]LLMConfig{
+			"codex-cli": {
+				Provider: LLMProviderOpenAI,
+				Auth:     LLMAuthSubscription,
+				Adapter:  LLMAdapterCodexCLI,
+			},
+			"openai-api-key": {
+				Provider: LLMProviderOpenAI,
+				Auth:     LLMAuthAPIKey,
+				Adapter:  LLMAdapterOpenAIAPI,
+				Credential: CredentialLocation{
+					Store: LocalOSCredentialStoreID,
+					Name:  "codereview/openai-api-key",
+				},
+			},
+		},
+	}
+	if err := Validate(cfg); err != nil {
+		t.Fatalf("Validate runtime-only config: %v", err)
+	}
 
-	if err := Validate(cfg); !errors.Is(err, ErrProfileNotFound) {
-		t.Fatalf("Validate error = %v, want ErrProfileNotFound", err)
+	path := filepath.Join(t.TempDir(), "config.yml")
+	if err := Save(path, cfg); err != nil {
+		t.Fatalf("Save runtime-only config: %v", err)
+	}
+	loaded, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load runtime-only config: %v", err)
+	}
+	if len(loaded.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", loaded.Profiles)
+	}
+	if loaded.LLMRuntimes["codex-cli"].Adapter != LLMAdapterCodexCLI {
+		t.Fatalf("loaded runtimes = %#v, want codex-cli", loaded.LLMRuntimes)
+	}
+	if got := loaded.LLMRuntimes["openai-api-key"].Credential.Name; got != "codereview/openai-api-key" {
+		t.Fatalf("openai runtime credential name = %q, want codereview/openai-api-key", got)
 	}
 }
 
-func TestValidateSecretsProfiles(t *testing.T) {
+func TestValidateSecretsStores(t *testing.T) {
 	tests := []struct {
 		name    string
 		mutate  func(*File)
@@ -873,14 +970,13 @@ func TestValidateSecretsProfiles(t *testing.T) {
 		wantMsg string
 	}{
 		{
-			name: "valid configured secrets profile",
+			name: "valid configured credential store",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					DefaultProfile: "personal",
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"personal": {
-							Label: "Personal Keychain",
-							Backend: SecretsProfileBackend{
+							DisplayName: "Personal Keychain",
+							Backend: SecretsStoreBackend{
 								Kind: SecretsBackendKind(credstore.BackendKeychain),
 							},
 						},
@@ -888,53 +984,29 @@ func TestValidateSecretsProfiles(t *testing.T) {
 				}
 			},
 		},
-		{
-			name: "missing configured default secrets profile",
-			mutate: func(cfg *File) {
-				cfg.Secrets = SecretsConfig{DefaultProfile: "missing"}
-			},
-			wantErr: ErrProfileNotFound,
-			wantMsg: `secrets.default_profile "missing"`,
-		},
-		{
-			name: "configured default secrets profile trims surrounding whitespace",
-			mutate: func(cfg *File) {
-				cfg.Secrets = SecretsConfig{
-					DefaultProfile: " work-vault ",
-					Profiles: map[string]SecretsProfile{
-						"work-vault": {
-							Label: "Work File Store",
-							Backend: SecretsProfileBackend{
-								Kind: SecretsBackendKind(credstore.BackendFile),
-							},
-						},
-					},
-				}
-			},
-		},
 		{
 			name: "invalid secrets backend kind",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"broken": {
-							Backend: SecretsProfileBackend{Kind: "bogus"},
+							Backend: SecretsStoreBackend{Kind: "bogus"},
 						},
 					},
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `secrets.profiles.broken.backend.kind "bogus" is invalid`,
+			wantMsg: `secrets.stores.broken.backend.kind "bogus" is invalid`,
 		},
 		{
-			name: "valid 1password service account profile defaults token env and timeout",
+			name: "valid 1password service account store defaults token env and timeout",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"work-op": {
-							Backend: SecretsProfileBackend{
+							Backend: SecretsStoreBackend{
 								Kind: SecretsBackendKind(credstore.BackendOP),
-								OnePassword: &SecretsProfileOnePasswordConfig{
+								OnePassword: &SecretsStoreOnePasswordConfig{
 									VaultID: "vault-123",
 								},
 							},
@@ -944,14 +1016,14 @@ func TestValidateSecretsProfiles(t *testing.T) {
 			},
 		},
 		{
-			name: "valid 1password connect profile requires host and defaults token env",
+			name: "valid 1password connect store requires host and defaults token env",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"work-connect": {
-							Backend: SecretsProfileBackend{
+							Backend: SecretsStoreBackend{
 								Kind: SecretsBackendKind(credstore.BackendOPConnect),
-								OnePassword: &SecretsProfileOnePasswordConfig{
+								OnePassword: &SecretsStoreOnePasswordConfig{
 									VaultID:     "vault-123",
 									ConnectHost: "https://connect.example",
 								},
@@ -962,14 +1034,14 @@ func TestValidateSecretsProfiles(t *testing.T) {
 			},
 		},
 		{
-			name: "valid 1password desktop profile permits env fallback account id",
+			name: "valid 1password desktop store permits env fallback account id",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"work-desktop": {
-							Backend: SecretsProfileBackend{
+							Backend: SecretsStoreBackend{
 								Kind: SecretsBackendKind(credstore.BackendOPDesktop),
-								OnePassword: &SecretsProfileOnePasswordConfig{
+								OnePassword: &SecretsStoreOnePasswordConfig{
 									VaultID: "vault-123",
 								},
 							},
@@ -982,28 +1054,28 @@ func TestValidateSecretsProfiles(t *testing.T) {
 			name: "1password service account missing vault id invalid",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"broken": {
-							Backend: SecretsProfileBackend{
+							Backend: SecretsStoreBackend{
 								Kind:        SecretsBackendKind(credstore.BackendOP),
-								OnePassword: &SecretsProfileOnePasswordConfig{},
+								OnePassword: &SecretsStoreOnePasswordConfig{},
 							},
 						},
 					},
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "secrets.profiles.broken.backend.onepassword.vault_id is required",
+			wantMsg: "secrets.stores.broken.backend.onepassword.vault_id is required",
 		},
 		{
 			name: "1password connect missing host invalid",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"broken": {
-							Backend: SecretsProfileBackend{
+							Backend: SecretsStoreBackend{
 								Kind: SecretsBackendKind(credstore.BackendOPConnect),
-								OnePassword: &SecretsProfileOnePasswordConfig{
+								OnePassword: &SecretsStoreOnePasswordConfig{
 									VaultID: "vault-123",
 								},
 							},
@@ -1012,17 +1084,17 @@ func TestValidateSecretsProfiles(t *testing.T) {
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "secrets.profiles.broken.backend.onepassword.connect_host is required",
+			wantMsg: "secrets.stores.broken.backend.onepassword.connect_host is required",
 		},
 		{
 			name: "1password timeout must parse",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"broken": {
-							Backend: SecretsProfileBackend{
+							Backend: SecretsStoreBackend{
 								Kind: SecretsBackendKind(credstore.BackendOP),
-								OnePassword: &SecretsProfileOnePasswordConfig{
+								OnePassword: &SecretsStoreOnePasswordConfig{
 									VaultID: "vault-123",
 									Timeout: "later",
 								},
@@ -1032,98 +1104,182 @@ func TestValidateSecretsProfiles(t *testing.T) {
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `secrets.profiles.broken.backend.onepassword.timeout "later" is invalid`,
+			wantMsg: `secrets.stores.broken.backend.onepassword.timeout "later" is invalid`,
 		},
 		{
-			name: "multiline label invalid",
+			name: "multiline display name invalid",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						"broken": {
-							Label:   "line one\nline two",
-							Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendMemory)},
+							DisplayName: "line one\nline two",
+							Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendMemory)},
 						},
 					},
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "secrets.profiles.broken.label must be a single line",
+			wantMsg: "secrets.stores.broken.display_name must be a single line",
 		},
 		{
-			name: "reserved projected legacy id is rejected",
+			name: "reserved built-in store id is rejected",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
-						LegacyProjectedSecretsProfileID: {
-							Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendMemory)},
+					Stores: map[string]SecretsStore{
+						LocalOSCredentialStoreID: {
+							Backend: SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendMemory)},
 						},
 					},
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `secrets.profiles.legacy-default is reserved`,
+			wantMsg: `secrets.stores.local-os is reserved`,
 		},
 		{
 			name: "surrounding whitespace in id is rejected",
 			mutate: func(cfg *File) {
 				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
+					Stores: map[string]SecretsStore{
 						" work ": {
-							Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendMemory)},
+							Backend: SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendMemory)},
 						},
 					},
 				}
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `secrets.profiles. work  id must not contain surrounding whitespace`,
+			wantMsg: `secrets.stores. work  id must not contain surrounding whitespace`,
 		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := validFile()
+			tt.mutate(&cfg)
+			err := Validate(cfg)
+			if tt.wantErr == nil {
+				if err != nil {
+					t.Fatalf("Validate: %v", err)
+				}
+				return
+			}
+			if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("Validate error = %v, want %v", err, tt.wantErr)
+			}
+			if tt.wantMsg != "" && !strings.Contains(err.Error(), tt.wantMsg) {
+				t.Fatalf("Validate error = %v, want message containing %q", err, tt.wantMsg)
+			}
+		})
+	}
+}
+
+func TestValidateCredentialLocations(t *testing.T) {
+	tests := []struct {
+		name    string
+		mutate  func(*File)
+		wantErr error
+		wantMsg string
+	}{
 		{
-			name: "profile may select configured secrets profile",
+			name: "configured store selection",
 			mutate: func(cfg *File) {
-				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
-						"work-file": {
-							Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
-						},
-					},
+				cfg.Secrets.Stores["work-file"] = SecretsStore{
+					DisplayName: "Work File",
+					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
 				}
 				profile := cfg.Profiles["home"]
-				profile.SecretsProfile = "work-file"
+				profile.Git.Credential = CredentialLocation{Store: "work-file", Name: "codereview/home"}
+				profile.Git.CredentialRef = ""
 				cfg.Profiles["home"] = profile
 			},
 		},
 		{
-			name: "profile rejects projected legacy selection",
+			name: "missing store",
 			mutate: func(cfg *File) {
 				profile := cfg.Profiles["home"]
-				profile.SecretsProfile = LegacyProjectedSecretsProfileID
+				profile.Git.Credential = CredentialLocation{Name: "codereview/home"}
+				profile.Git.CredentialRef = ""
 				cfg.Profiles["home"] = profile
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `profiles.home.secrets_profile "legacy-default" is reserved`,
+			wantMsg: "profiles.home.git.credential.store is required",
 		},
 		{
-			name: "profile rejects missing configured secrets profile",
+			name: "missing name",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["home"]
+				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID}
+				profile.Git.CredentialRef = ""
+				cfg.Profiles["home"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "profiles.home.git.credential.name is required",
+		},
+		{
+			name: "unknown configured store",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["home"]
+				profile.Git.Credential = CredentialLocation{Store: "missing", Name: "codereview/home"}
+				profile.Git.CredentialRef = ""
+				cfg.Profiles["home"] = profile
+			},
+			wantErr: ErrSecretsStoreNotFound,
+			wantMsg: `profiles.home.git.credential.store "missing"`,
+		},
+		{
+			name: "credential name invalid grammar",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["home"]
+				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/bad.profile"}
+				profile.Git.CredentialRef = ""
+				cfg.Profiles["home"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "profiles.home.git.credential.name is invalid",
+		},
+		{
+			name: "credential name wrong service",
 			mutate: func(cfg *File) {
-				cfg.Secrets = SecretsConfig{
-					Profiles: map[string]SecretsProfile{
-						"personal": {
-							Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendKeychain)},
-						},
-					},
-				}
 				profile := cfg.Profiles["home"]
-				profile.SecretsProfile = "missing"
+				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "other/home"}
+				profile.Git.CredentialRef = ""
 				cfg.Profiles["home"] = profile
 			},
-			wantErr: ErrSecretsProfileNotFound,
-			wantMsg: `profiles.home.secrets_profile "missing"`,
+			wantErr: ErrInvalid,
+			wantMsg: `profiles.home.git.credential.name must use service "codereview"`,
+		},
+		{
+			name: "same credential name in different stores",
+			mutate: func(cfg *File) {
+				cfg.Secrets.Stores["work-file"] = SecretsStore{
+					DisplayName: "Work File",
+					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
+				}
+				profile := cfg.Profiles["work"]
+				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
+				profile.Git.CredentialRef = ""
+				profile.ReviewerCredentials.Credential = CredentialLocation{Store: "work-file", Name: "codereview/shared"}
+				profile.ReviewerCredentials.CredentialRef = ""
+				cfg.Profiles["work"] = profile
+			},
+		},
+		{
+			name: "same credential name in same store",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["work"]
+				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
+				profile.Git.CredentialRef = ""
+				profile.ReviewerCredentials.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
+				profile.ReviewerCredentials.CredentialRef = ""
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "reviewer_credentials.credential must differ from git.credential",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cfg := validFile()
+			cfg := validFile().normalized()
 			tt.mutate(&cfg)
 			err := Validate(cfg)
 			if tt.wantErr == nil {
@@ -1142,15 +1298,6 @@ func TestValidateSecretsProfiles(t *testing.T) {
 	}
 }
 
-func TestValidateKeyringRejectsLegacyOnePasswordBackends(t *testing.T) {
-	for _, backend := range []string{"op", "op-connect", "op-desktop"} {
-		err := ValidateKeyring(KeyringConfig{Backend: backend})
-		if !errors.Is(err, ErrInvalid) {
-			t.Fatalf("ValidateKeyring(%q) error = %v, want ErrInvalid", backend, err)
-		}
-	}
-}
-
 func TestSecretsProfileBackendNormalizedOnePasswordDefaults(t *testing.T) {
 	service := SecretsProfileBackend{
 		Kind: SecretsBackendKind(credstore.BackendOP),
@@ -1196,122 +1343,124 @@ func TestSecretsProfileBackendNormalizedOnePasswordDefaults(t *testing.T) {
 	}
 }
 
-func TestEffectiveSecretsProfiles(t *testing.T) {
-	t.Run("configured secrets profiles win inventory", func(t *testing.T) {
+func TestEffectiveSecretsStores(t *testing.T) {
+	t.Run("built-in plus configured stores", func(t *testing.T) {
 		cfg := validFile()
-		cfg.Keyring.Backend = string(credstore.BackendMemory)
 		cfg.Secrets = SecretsConfig{
-			DefaultProfile: "work-vault",
-			Profiles: map[string]SecretsProfile{
+			Stores: map[string]SecretsStore{
 				"personal": {
-					Label:   "Personal Keychain",
-					Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendKeychain)},
+					DisplayName: "Personal Keychain",
+					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendKeychain)},
 				},
 				"work-vault": {
-					Label:   "Work File Store",
-					Backend: SecretsProfileBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
+					DisplayName: "Work File Store",
+					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
 				},
 			},
 		}
 
-		got := EffectiveSecretsProfiles(cfg)
-		want := []EffectiveSecretsProfile{
+		got := EffectiveSecretsStores(cfg)
+		want := []EffectiveSecretsStore{
 			{
-				ID:      "personal",
-				Label:   "Personal Keychain",
-				Backend: string(credstore.BackendKeychain),
-				Source:  EffectiveSecretsProfileSourceConfigured,
+				ID:          LocalOSCredentialStoreID,
+				DisplayName: "OS credential store",
+				Label:       "OS credential store",
+				Backend:     ProjectedOSCredentialStoreBackendKind,
+				ReadOnly:    true,
+				Source:      EffectiveSecretsStoreSourceBuiltIn,
 			},
 			{
-				ID:        "work-vault",
-				Label:     "Work File Store",
-				Backend:   string(credstore.BackendFile),
-				IsDefault: true,
-				Source:    EffectiveSecretsProfileSourceConfigured,
+				ID:          "personal",
+				DisplayName: "Personal Keychain",
+				Label:       "Personal Keychain",
+				Backend:     string(credstore.BackendKeychain),
+				Source:      EffectiveSecretsStoreSourceConfigured,
+			},
+			{
+				ID:          "work-vault",
+				DisplayName: "Work File Store",
+				Label:       "Work File Store",
+				Backend:     string(credstore.BackendFile),
+				Source:      EffectiveSecretsStoreSourceConfigured,
 			},
 		}
 		if !reflect.DeepEqual(got, want) {
-			t.Fatalf("EffectiveSecretsProfiles = %#v, want %#v", got, want)
+			t.Fatalf("EffectiveSecretsStores = %#v, want %#v", got, want)
 		}
 	})
 
-	t.Run("legacy keyring backend projects deterministic default", func(t *testing.T) {
+	t.Run("virgin config projects built-in store", func(t *testing.T) {
 		cfg := validFile()
-		cfg.Keyring.Backend = string(credstore.BackendMemory)
-
-		got := EffectiveSecretsProfiles(cfg)
-		want := []EffectiveSecretsProfile{{
-			ID:        LegacyProjectedSecretsProfileID,
-			Label:     "Legacy default",
-			Backend:   string(credstore.BackendMemory),
-			IsDefault: true,
-			Source:    EffectiveSecretsProfileSourceProjectedLegacy,
-		}}
-		if !reflect.DeepEqual(got, want) {
-			t.Fatalf("EffectiveSecretsProfiles = %#v, want %#v", got, want)
-		}
-	})
 
-	t.Run("omitted legacy backend still projects auto default", func(t *testing.T) {
-		cfg := validFile()
-		cfg.Keyring.Backend = ""
-
-		got := EffectiveSecretsProfiles(cfg)
-		want := []EffectiveSecretsProfile{{
-			ID:        LegacyProjectedSecretsProfileID,
-			Label:     "Legacy default",
-			Backend:   ProjectedLegacySecretsBackendKind,
-			IsDefault: true,
-			Source:    EffectiveSecretsProfileSourceProjectedLegacy,
+		got := EffectiveSecretsStores(cfg)
+		want := []EffectiveSecretsStore{{
+			ID:          LocalOSCredentialStoreID,
+			DisplayName: "OS credential store",
+			Label:       "OS credential store",
+			Backend:     ProjectedOSCredentialStoreBackendKind,
+			ReadOnly:    true,
+			Source:      EffectiveSecretsStoreSourceBuiltIn,
 		}}
 		if !reflect.DeepEqual(got, want) {
-			t.Fatalf("EffectiveSecretsProfiles = %#v, want %#v", got, want)
+			t.Fatalf("EffectiveSecretsStores = %#v, want %#v", got, want)
 		}
 	})
 }
 
-func TestKeyringBackendRoundTripAndValidation(t *testing.T) {
-	path := filepath.Join(t.TempDir(), "config.yml")
-	cfg := validFile()
-	cfg.Keyring.Backend = "memory"
-	if err := Save(path, cfg); err != nil {
-		t.Fatalf("Save: %v", err)
-	}
-	got, err := Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-	if got.Keyring.Backend != "memory" {
-		t.Fatalf("keyring.backend = %q, want memory", got.Keyring.Backend)
-	}
-
-	cfg.Keyring.Backend = "bogus"
-	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
-		t.Fatalf("Validate invalid backend error = %v, want ErrInvalid", err)
+func TestLoadRejectsOldCredentialStoreSchema(t *testing.T) {
+	tests := []struct {
+		name string
+		body string
+	}{
+		{name: "keyring backend", body: `keyring:
+  backend: memory
+profiles: {}
+`},
+		{name: "secrets legacy selection", body: `secrets: work
+profiles: {}
+`},
+		{name: "secrets profiles", body: `secrets:
+  profiles:
+    work:
+      backend:
+        kind: memory
+profiles: {}
+`},
+		{name: "profile secrets profile", body: `profiles:
+  home:
+    secrets_profile: work
+    git:
+      host: github.com
+      auth_mode: pat
+      credential:
+        store: local-os
+        name: codereview/home
+    llm:
+      provider: anthropic
+      auth: subscription
+      adapter: claude_cli
+`},
+		{name: "credential ref", body: `profiles:
+  home:
+    git:
+      host: github.com
+      auth_mode: pat
+      credential_ref: codereview/home
+    llm:
+      provider: anthropic
+      auth: subscription
+      adapter: claude_cli
+`},
 	}
-}
 
-func TestSaveLegacyConfigDoesNotPersistProjectedSecretsProfiles(t *testing.T) {
-	path := filepath.Join(t.TempDir(), "config.yml")
-	cfg := validFile()
-	cfg.Keyring.Backend = string(credstore.BackendMemory)
-
-	if err := Save(path, cfg); err != nil {
-		t.Fatalf("Save: %v", err)
-	}
-	got, err := Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-	if len(got.Secrets.Profiles) != 0 {
-		t.Fatalf("secrets.profiles = %#v, want omitted explicit profiles for legacy config", got.Secrets.Profiles)
-	}
-	if got.Secrets.DefaultProfile != "" {
-		t.Fatalf("secrets.default_profile = %q, want empty for legacy config", got.Secrets.DefaultProfile)
-	}
-	effective := EffectiveSecretsProfiles(got)
-	if len(effective) != 1 || effective[0].ID != LegacyProjectedSecretsProfileID || effective[0].Source != EffectiveSecretsProfileSourceProjectedLegacy {
-		t.Fatalf("EffectiveSecretsProfiles = %#v, want projected legacy default", effective)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path := filepath.Join(t.TempDir(), "config.yml")
+			writeFile(t, path, tt.body)
+			if _, err := Load(path); !errors.Is(err, ErrInvalid) {
+				t.Fatalf("Load error = %v, want ErrInvalid", err)
+			}
+		})
 	}
 }
 
@@ -1408,30 +1557,32 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
 		name string
 		body string
 	}{
-		{name: "git oauth_device", body: `default_profile: home
-keyring: {}
-profiles:
+		{name: "git oauth_device", body: `profiles:
   home:
     git:
       host: github.com
       auth_mode: oauth_device
-      credential_ref: codereview/home
+      credential:
+        store: local-os
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
       adapter: claude_cli
 `},
-		{name: "reviewer oauth_device", body: `default_profile: work
-keyring: {}
-profiles:
+		{name: "reviewer oauth_device", body: `profiles:
   work:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/work
+      credential:
+        store: local-os
+        name: codereview/work
     reviewer_credentials:
       auth_mode: oauth_device
-      credential_ref: codereview/work-reviewer
+      credential:
+        store: local-os
+        name: codereview/work-reviewer
     llm:
       provider: anthropic
       auth: subscription
@@ -1453,17 +1604,19 @@ profiles:
 
 func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `default_profile: work
-keyring: {}
-profiles:
+	writeFile(t, path, `profiles:
   work:
     git:
       host: github.com
       auth_mode: github_app
-      credential_ref: codereview/work
+      credential:
+        store: local-os
+        name: codereview/work
     reviewer_credentials:
       auth_mode: github_app
-      credential_ref: codereview/work-reviewer
+      credential:
+        store: local-os
+        name: codereview/work-reviewer
     llm:
       provider: anthropic
       auth: subscription
@@ -1481,17 +1634,19 @@ profiles:
 
 func TestLoadRejectsMultilineReviewerDisplayName(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `default_profile: work
-keyring: {}
-profiles:
+	writeFile(t, path, `profiles:
   work:
     git:
       host: github.com
       auth_mode: github_app
-      credential_ref: codereview/work
+      credential:
+        store: local-os
+        name: codereview/work
     reviewer_credentials:
       auth_mode: github_app
-      credential_ref: codereview/work-reviewer
+      credential:
+        store: local-os
+        name: codereview/work-reviewer
       display_name: |
         line one
         line two
@@ -1550,7 +1705,7 @@ func TestSubscriptionLLMCredentialsAreAdapterManaged(t *testing.T) {
 	if err != nil {
 		t.Fatalf("CredentialRefs: %v", err)
 	}
-	want := []CredentialRef{{Purpose: "git", Ref: "codereview/home", Mode: "pat"}}
+	want := []CredentialRef{{Purpose: "git", Store: LocalOSCredentialStoreID, Ref: "codereview/home", Mode: "pat"}}
 	if !reflect.DeepEqual(refs, want) {
 		t.Fatalf("CredentialRefs = %#v, want %#v", refs, want)
 	}
@@ -1560,6 +1715,7 @@ func TestAPIKeyLLMRequiresCredentialRef(t *testing.T) {
 	cfg := validFile()
 	profile := cfg.Profiles["work"]
 	profile.LLM.CredentialRef = ""
+	profile.LLM.Credential = CredentialLocation{}
 	cfg.Profiles["work"] = profile
 
 	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
@@ -1580,6 +1736,7 @@ func TestValidateRejectsInvalidCredentialRefs(t *testing.T) {
 		{name: "empty reviewer credential ref", mutate: func(cfg *File) {
 			profile := cfg.Profiles["work"]
 			profile.ReviewerCredentials.CredentialRef = ""
+			profile.ReviewerCredentials.Credential = CredentialLocation{}
 			cfg.Profiles["work"] = profile
 		}},
 		{name: "reviewer credential ref matches git credential ref", mutate: func(cfg *File) {
@@ -1660,13 +1817,14 @@ func TestValidationCoversAgentSourcesReviewPolicyAndRetention(t *testing.T) {
 func TestRetentionMaxAgeDefaultAndExplicitZero(t *testing.T) {
 	t.Run("omitted defaults to 90", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
-		writeFile(t, path, `default_profile: home
-profiles:
+		writeFile(t, path, `profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: local-os
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -1686,13 +1844,14 @@ data:
 
 	t.Run("explicit zero means keep forever", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
-		writeFile(t, path, `default_profile: home
-profiles:
+		writeFile(t, path, `profiles:
   home:
     git:
       host: github.com
       auth_mode: pat
-      credential_ref: codereview/home
+      credential:
+        store: local-os
+        name: codereview/home
     llm:
       provider: anthropic
       auth: subscription
@@ -1735,7 +1894,6 @@ func TestValidateRetentionAppliesDefaultsAndPreservesExplicitZero(t *testing.T)
 
 func validFile() File {
 	return File{
-		DefaultProfile: "home",
 		Profiles: map[string]Profile{
 			"home": {
 				Git: GitConfig{
diff --git a/internal/configedit/configedit.go b/internal/configedit/configedit.go
index 64c36d51..2c574034 100644
--- a/internal/configedit/configedit.go
+++ b/internal/configedit/configedit.go
@@ -257,23 +257,7 @@ func FirstProfileName(profiles map[string]config.Profile) string {
 	return names[0]
 }
 
-// SetDefaultProfile updates cfg.default_profile after verifying the profile exists.
-func SetDefaultProfile(cfg config.File, profileName string) (config.File, bool, error) {
-	name := strings.TrimSpace(profileName)
-	if name == "" {
-		return cfg, false, ErrProfileNameRequired
-	}
-	if _, ok := cfg.Profiles[name]; !ok {
-		return cfg, false, fmt.Errorf("%w: %s", config.ErrProfileNotFound, name)
-	}
-	if cfg.DefaultProfile == name {
-		return cfg, false, nil
-	}
-	cfg.DefaultProfile = name
-	return cfg, true, nil
-}
-
-// RenameProfile renames a profile and updates default-profile and route references.
+// RenameProfile renames a profile and updates route references.
 func RenameProfile(cfg config.File, oldName string, newName string) (config.File, bool, error) {
 	oldName = strings.TrimSpace(oldName)
 	newName = strings.TrimSpace(newName)
@@ -300,9 +284,6 @@ func RenameProfile(cfg config.File, oldName string, newName string) (config.File
 	}
 	profiles[newName] = profile
 	cfg.Profiles = profiles
-	if cfg.DefaultProfile == oldName {
-		cfg.DefaultProfile = newName
-	}
 	cfg.RepositoryProfiles, _ = UpdateRepositoryProfileReferences(cfg.RepositoryProfiles, oldName, newName)
 	return cfg, true, nil
 }
diff --git a/internal/configedit/configedit_test.go b/internal/configedit/configedit_test.go
index 701cce1d..0416ec82 100644
--- a/internal/configedit/configedit_test.go
+++ b/internal/configedit/configedit_test.go
@@ -237,7 +237,7 @@ func TestAgentSourceHelpersRejectBlankPath(t *testing.T) {
 	}
 }
 
-func TestRenameProfileUpdatesReferencesAndPreservesProfileValues(t *testing.T) {
+func TestRenameProfileUpdatesRoutesAndPreservesProfileValues(t *testing.T) {
 	cfg := testConfig()
 
 	got, changed, err := configedit.RenameProfile(cfg, "work", "office")
@@ -251,9 +251,6 @@ func TestRenameProfileUpdatesReferencesAndPreservesProfileValues(t *testing.T) {
 		t.Fatal("old profile still exists after rename")
 	}
 	office := got.Profiles["office"]
-	if got.DefaultProfile != "office" {
-		t.Fatalf("DefaultProfile = %q, want office", got.DefaultProfile)
-	}
 	if office.Git.CredentialRef != "codereview/custom-work" || office.Git.IdentityCache != "work-user" {
 		t.Fatalf("git fields = %#v, want preserved credential ref and identity cache", office.Git)
 	}
@@ -284,23 +281,14 @@ func TestRenameProfileUpdatesReferencesAndPreservesProfileValues(t *testing.T) {
 	if !reflect.DeepEqual(got.RepositoryProfiles, wantRoutes) {
 		t.Fatalf("RepositoryProfiles = %#v, want %#v", got.RepositoryProfiles, wantRoutes)
 	}
-	if cfg.DefaultProfile != "work" {
-		t.Fatalf("original config default mutated to %q", cfg.DefaultProfile)
-	}
 	if _, ok := cfg.Profiles["work"]; !ok {
 		t.Fatal("original config profile map was mutated")
 	}
 }
 
-func TestProfileHelpersRejectInvalidDefaultAndRename(t *testing.T) {
+func TestProfileHelpersRejectInvalidRename(t *testing.T) {
 	cfg := testConfig()
 
-	if _, _, err := configedit.SetDefaultProfile(cfg, "missing"); !errors.Is(err, config.ErrProfileNotFound) {
-		t.Fatalf("SetDefaultProfile missing error = %v, want ErrProfileNotFound", err)
-	}
-	if _, _, err := configedit.SetDefaultProfile(cfg, " "); !errors.Is(err, configedit.ErrProfileNameRequired) {
-		t.Fatalf("SetDefaultProfile blank error = %v, want ErrProfileNameRequired", err)
-	}
 	if _, _, err := configedit.RenameProfile(cfg, "missing", "office"); !errors.Is(err, config.ErrProfileNotFound) {
 		t.Fatalf("RenameProfile missing error = %v, want ErrProfileNotFound", err)
 	}
@@ -517,6 +505,35 @@ func TestSecretsProfileHelpers(t *testing.T) {
 		}
 	})
 
+	t.Run("set allows stores before review profiles exist", func(t *testing.T) {
+		backend := config.SecretsProfileBackend{
+			Kind: config.SecretsBackendKind("op-desktop"),
+			OnePassword: &config.SecretsProfileOnePasswordConfig{
+				AccountURL: "my.1password.com",
+				VaultID:    "vault-private",
+				VaultName:  "Private",
+			},
+		}
+		label := "1Password-Personal"
+		updated, changed, created, err := configedit.SetSecretsProfile(config.File{}, "1password-personal", configedit.SecretsProfilePatch{
+			Backend: &backend,
+			Label:   &label,
+		})
+		if err != nil {
+			t.Fatalf("SetSecretsProfile store-only create: %v", err)
+		}
+		if !changed || !created {
+			t.Fatalf("SetSecretsProfile store-only create = changed:%t created:%t, want true,true", changed, created)
+		}
+		if len(updated.Profiles) != 0 {
+			t.Fatalf("updated config unexpectedly added review profile data: %#v", updated)
+		}
+		got := updated.Secrets.Profiles["1password-personal"]
+		if got.Label != "1Password-Personal" || got.Backend.OnePassword == nil || got.Backend.OnePassword.VaultName != "Private" {
+			t.Fatalf("created store = %#v, want named 1Password store", got)
+		}
+	})
+
 	t.Run("set validates edge cases", func(t *testing.T) {
 		cfg := testConfig()
 		backend := config.SecretsProfileBackend{Kind: config.SecretsBackendKind("keychain")}
@@ -529,7 +546,7 @@ func TestSecretsProfileHelpers(t *testing.T) {
 			want  error
 		}{
 			{name: "missing id", id: " ", patch: configedit.SecretsProfilePatch{Backend: &backend}, want: configedit.ErrSecretsProfileIDRequired},
-			{name: "reserved id", id: config.LegacyProjectedSecretsProfileID, patch: configedit.SecretsProfilePatch{Backend: &backend}, want: configedit.ErrSecretsProfileReserved},
+			{name: "reserved id", id: config.LocalOSCredentialStoreID, patch: configedit.SecretsProfilePatch{Backend: &backend}, want: configedit.ErrSecretsProfileReserved},
 			{name: "create missing backend", id: "personal", patch: configedit.SecretsProfilePatch{}, want: configedit.ErrSecretsProfileBackendRequired},
 			{name: "conflicting label flags", id: "personal", patch: configedit.SecretsProfilePatch{Backend: &backend, Label: &label, ClearLabel: true}, want: configedit.ErrSecretsProfileLabelConflict},
 			{name: "blank label", id: "personal", patch: configedit.SecretsProfilePatch{Backend: &backend, Label: &spaceLabel}, want: configedit.ErrSecretsProfileLabelRequired},
@@ -566,51 +583,16 @@ func TestSecretsProfileHelpers(t *testing.T) {
 		}
 	})
 
-	t.Run("default set and unset validate configured profiles only", func(t *testing.T) {
+	t.Run("remove is idempotent but blocks reserved id", func(t *testing.T) {
 		cfg := testConfig()
 		cfg.Secrets.Profiles = map[string]config.SecretsProfile{
 			"work": {Backend: config.SecretsProfileBackend{Kind: "file"}},
 		}
-		updated, changed, err := configedit.SetDefaultSecretsProfile(cfg, " work ")
-		if err != nil {
-			t.Fatalf("SetDefaultSecretsProfile: %v", err)
-		}
-		if !changed || updated.Secrets.DefaultProfile != "work" {
-			t.Fatalf("SetDefaultSecretsProfile = changed:%t default:%q, want true/work", changed, updated.Secrets.DefaultProfile)
-		}
-		updated, changed, err = configedit.UnsetDefaultSecretsProfile(updated)
-		if err != nil {
-			t.Fatalf("UnsetDefaultSecretsProfile: %v", err)
-		}
-		if !changed || updated.Secrets.DefaultProfile != "" {
-			t.Fatalf("UnsetDefaultSecretsProfile = changed:%t default:%q, want true/empty", changed, updated.Secrets.DefaultProfile)
-		}
-		_, _, err = configedit.SetDefaultSecretsProfile(cfg, "missing")
-		if !errors.Is(err, config.ErrSecretsProfileNotFound) {
-			t.Fatalf("SetDefaultSecretsProfile missing error = %v, want ErrSecretsProfileNotFound", err)
-		}
-		_, _, err = configedit.SetDefaultSecretsProfile(cfg, config.LegacyProjectedSecretsProfileID)
-		if !errors.Is(err, configedit.ErrSecretsProfileReserved) {
-			t.Fatalf("SetDefaultSecretsProfile reserved error = %v, want ErrSecretsProfileReserved", err)
-		}
-	})
-
-	t.Run("remove is idempotent but blocks configured default and reserved id", func(t *testing.T) {
-		cfg := testConfig()
-		cfg.Secrets.DefaultProfile = "work"
-		cfg.Secrets.Profiles = map[string]config.SecretsProfile{
-			"work": {Backend: config.SecretsProfileBackend{Kind: "file"}},
-		}
-		_, _, err := configedit.RemoveSecretsProfile(cfg, "work")
-		if !errors.Is(err, configedit.ErrSecretsProfileDefaultConfigured) {
-			t.Fatalf("RemoveSecretsProfile default error = %v, want ErrSecretsProfileDefaultConfigured", err)
-		}
-		_, _, err = configedit.RemoveSecretsProfile(cfg, config.LegacyProjectedSecretsProfileID)
+		_, _, err := configedit.RemoveSecretsProfile(cfg, config.LocalOSCredentialStoreID)
 		if !errors.Is(err, configedit.ErrSecretsProfileReserved) {
 			t.Fatalf("RemoveSecretsProfile reserved error = %v, want ErrSecretsProfileReserved", err)
 		}
 
-		cfg.Secrets.DefaultProfile = ""
 		updated, changed, err := configedit.RemoveSecretsProfile(cfg, "work")
 		if err != nil {
 			t.Fatalf("RemoveSecretsProfile existing: %v", err)
@@ -633,7 +615,6 @@ func TestSecretsProfileHelpers(t *testing.T) {
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "work",
 		RepositoryProfiles: []config.RepositoryProfile{
 			{
 				Profile: "work",
diff --git a/internal/configedit/secrets_profiles.go b/internal/configedit/secrets_profiles.go
index aa150ad6..09da00fb 100644
--- a/internal/configedit/secrets_profiles.go
+++ b/internal/configedit/secrets_profiles.go
@@ -2,7 +2,6 @@ package configedit
 
 import (
 	"errors"
-	"fmt"
 	"reflect"
 	"strings"
 
@@ -22,8 +21,6 @@ var (
 	ErrSecretsProfileLabelConflict = errors.New("secrets-profile label flags conflict")
 	// ErrSecretsProfileLabelRequired means a provided label was blank after trim.
 	ErrSecretsProfileLabelRequired = errors.New("secrets-profile label is required")
-	// ErrSecretsProfileDefaultConfigured means the target profile is still the configured default.
-	ErrSecretsProfileDefaultConfigured = errors.New("secrets-profile is the configured default")
 )
 
 // SecretsProfilePatch describes a config-only update to one named secrets-management profile.
@@ -39,7 +36,7 @@ func NormalizeSecretsProfileID(raw string) (string, error) {
 	if id == "" {
 		return "", ErrSecretsProfileIDRequired
 	}
-	if id == config.LegacyProjectedSecretsProfileID {
+	if id == config.LocalOSCredentialStoreID {
 		return "", ErrSecretsProfileReserved
 	}
 	return id, nil
@@ -62,12 +59,16 @@ func SetSecretsProfile(cfg config.File, rawID string, patch SecretsProfilePatch)
 		}
 		normalizedLabel = &trimmed
 	}
-	working := cfg
-	working.Secrets.Profiles = cloneSecretsProfiles(cfg.Secrets.Profiles)
+	working := config.Normalize(cfg)
+	working.Secrets.Profiles = cloneSecretsProfiles(working.Secrets.Profiles)
+	working.Secrets.Stores = cloneSecretsProfiles(working.Secrets.Stores)
 	if working.Secrets.Profiles == nil {
 		working.Secrets.Profiles = map[string]config.SecretsProfile{}
 	}
-	existing, existed := working.Secrets.Profiles[id]
+	if working.Secrets.Stores == nil {
+		working.Secrets.Stores = map[string]config.SecretsStore{}
+	}
+	existing, existed := working.Secrets.Stores[id]
 	if !existed && patch.Backend == nil {
 		return config.File{}, false, false, ErrSecretsProfileBackendRequired
 	}
@@ -79,9 +80,11 @@ func SetSecretsProfile(cfg config.File, rawID string, patch SecretsProfilePatch)
 		updated.Backend = *patch.Backend
 	}
 	if normalizedLabel != nil {
+		updated.DisplayName = *normalizedLabel
 		updated.Label = *normalizedLabel
 	}
 	if patch.ClearLabel {
+		updated.DisplayName = ""
 		updated.Label = ""
 	}
 	if !existed && strings.TrimSpace(string(updated.Backend.Kind)) == "" {
@@ -91,67 +94,48 @@ func SetSecretsProfile(cfg config.File, rawID string, patch SecretsProfilePatch)
 		return cfg, false, false, nil
 	}
 	working.Secrets.Profiles[id] = updated
-	if err := config.Validate(working); err != nil {
+	working.Secrets.Stores[id] = updated
+	if err := validateConfigAfterSecretsProfileEdit(working); err != nil {
 		return config.File{}, false, false, err
 	}
 	return config.Normalize(working), true, !existed, nil
 }
 
-// SetDefaultSecretsProfile updates cfg.secrets.default_profile after verifying the profile exists.
-func SetDefaultSecretsProfile(cfg config.File, rawID string) (config.File, bool, error) {
+// RemoveSecretsProfile removes one explicit named credential store.
+func RemoveSecretsProfile(cfg config.File, rawID string) (config.File, bool, error) {
 	id, err := NormalizeSecretsProfileID(rawID)
 	if err != nil {
 		return config.File{}, false, err
 	}
-	if _, ok := cfg.Secrets.Profiles[id]; !ok {
-		return config.File{}, false, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, id)
-	}
-	if cfg.Secrets.DefaultProfile == id {
+	working := config.Normalize(cfg)
+	if _, ok := working.Secrets.Stores[id]; !ok {
 		return cfg, false, nil
 	}
-	working := cfg
-	working.Secrets.DefaultProfile = id
-	if err := config.Validate(working); err != nil {
-		return config.File{}, false, err
+	working.Secrets.Profiles = cloneSecretsProfiles(working.Secrets.Profiles)
+	working.Secrets.Stores = cloneSecretsProfiles(working.Secrets.Stores)
+	delete(working.Secrets.Profiles, id)
+	delete(working.Secrets.Stores, id)
+	if len(working.Secrets.Profiles) == 0 {
+		working.Secrets.Profiles = nil
 	}
-	return config.Normalize(working), true, nil
-}
-
-// UnsetDefaultSecretsProfile clears cfg.secrets.default_profile.
-func UnsetDefaultSecretsProfile(cfg config.File) (config.File, bool, error) {
-	if strings.TrimSpace(cfg.Secrets.DefaultProfile) == "" {
-		return cfg, false, nil
+	if len(working.Secrets.Stores) == 0 {
+		working.Secrets.Stores = nil
 	}
-	working := cfg
-	working.Secrets.DefaultProfile = ""
-	if err := config.Validate(working); err != nil {
+	if err := validateConfigAfterSecretsProfileEdit(working); err != nil {
 		return config.File{}, false, err
 	}
 	return config.Normalize(working), true, nil
 }
 
-// RemoveSecretsProfile removes one explicit named secrets-management profile.
-func RemoveSecretsProfile(cfg config.File, rawID string) (config.File, bool, error) {
-	id, err := NormalizeSecretsProfileID(rawID)
-	if err != nil {
-		return config.File{}, false, err
-	}
-	if cfg.Secrets.DefaultProfile == id {
-		return config.File{}, false, fmt.Errorf("%w: %s", ErrSecretsProfileDefaultConfigured, id)
-	}
-	if _, ok := cfg.Secrets.Profiles[id]; !ok {
-		return cfg, false, nil
+func validateConfigAfterSecretsProfileEdit(cfg config.File) error {
+	cfg = config.Normalize(cfg)
+	if len(cfg.Profiles) > 0 || len(cfg.RepositoryProfiles) > 0 {
+		return config.Validate(cfg)
 	}
-	working := cfg
-	working.Secrets.Profiles = cloneSecretsProfiles(cfg.Secrets.Profiles)
-	delete(working.Secrets.Profiles, id)
-	if len(working.Secrets.Profiles) == 0 {
-		working.Secrets.Profiles = nil
+	if err := config.ValidateSecrets(cfg.Secrets); err != nil {
+		return err
 	}
-	if err := config.Validate(working); err != nil {
-		return config.File{}, false, err
-	}
-	return config.Normalize(working), true, nil
+	return config.ValidateRetention(cfg.Data.Retention)
 }
 
 func cloneSecretsProfiles(in map[string]config.SecretsProfile) map[string]config.SecretsProfile {
diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
index a57f253d..2d211ba4 100644
--- a/internal/credentials/credentials.go
+++ b/internal/credentials/credentials.go
@@ -19,9 +19,13 @@ const (
 	// ServiceName is the credential-ref service segment owned by cr.
 	ServiceName = "codereview"
 
-	// BackendSourceSecretsProfile records that a named secrets-management
-	// profile selected the active credential backend.
+	// BackendSourceSecretsProfile is retained for old callers that still use
+	// the previous secrets-profile naming.
 	BackendSourceSecretsProfile credstore.Source = "secrets_profile"
+	// BackendSourceCredentialStore records that an explicit credential-store
+	// destination selected the active credential backend.
+	// #nosec G101 -- this is a backend source label, not a secret value.
+	BackendSourceCredentialStore credstore.Source = "credential_store"
 
 	// GitTokenKey stores the Git host access token for PAT auth.
 	GitTokenKey = "git_token"
@@ -47,8 +51,8 @@ const (
 )
 
 var (
-	// ErrWrongService means a credential ref points at another CLI's keyring namespace.
-	ErrWrongService = errors.New("credentials: credential ref uses wrong service")
+	// ErrWrongService means a credential name points at another CLI's keyring namespace.
+	ErrWrongService = errors.New("credentials: credential name uses wrong service")
 	// ErrInvalidBackendSelection means a CLI/config backend selector was malformed.
 	ErrInvalidBackendSelection = errors.New("credentials: invalid backend selection")
 )
@@ -58,26 +62,23 @@ func AllowedKeys() []string {
 	return []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, GitHubAppInstallationIDKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 }
 
-// Ref is a parsed cr credential ref.
+// Ref is a parsed cr credential name.
 type Ref struct {
 	Service string
 	Profile string
 	Full    string
 }
 
-// SecretsProfileSelectionSource identifies why a secrets-management profile was selected.
+// SecretsProfileSelectionSource identifies why a credential store was selected.
 type SecretsProfileSelectionSource string
 
 const (
-	// SecretsProfileSelectionExplicit means the active profile selected a named
-	// secrets-management profile directly.
+	// SecretsProfileSelectionExplicit means the credential location selected a
+	// configured store directly.
 	SecretsProfileSelectionExplicit SecretsProfileSelectionSource = "profile"
-	// SecretsProfileSelectionDefault means the configured global default
-	// secrets-management profile selected the store.
-	SecretsProfileSelectionDefault SecretsProfileSelectionSource = "default_profile"
-	// SecretsProfileSelectionLegacyDefault means no named secrets-management
-	// profile applied, so legacy backend fallback rules selected the store.
-	SecretsProfileSelectionLegacyDefault SecretsProfileSelectionSource = "legacy_fallback"
+	// SecretsProfileSelectionBuiltInOS means the credential location selected
+	// the built-in OS credential store.
+	SecretsProfileSelectionBuiltInOS SecretsProfileSelectionSource = "local_os"
 )
 
 // ResolvedSecretsProfile is the typed runtime store-selection result.
@@ -89,6 +90,9 @@ type ResolvedSecretsProfile struct {
 	SelectionSource SecretsProfileSelectionSource
 }
 
+// ResolvedCredentialStore is the current name for ResolvedSecretsProfile.
+type ResolvedCredentialStore = ResolvedSecretsProfile
+
 // DisplayName returns the best user-facing label for the resolved store.
 func (r ResolvedSecretsProfile) DisplayName() string {
 	if strings.TrimSpace(r.Label) != "" {
@@ -125,21 +129,81 @@ func ParseRef(ref string) (Ref, error) {
 	return Ref{Service: service, Profile: profile, Full: ref}, nil
 }
 
-// ResolveSecretsProfileForProfile resolves the effective secrets-management
-// profile for one review profile.
-func ResolveSecretsProfileForProfile(cfg config.File, profile config.Profile) (ResolvedSecretsProfile, error) {
-	selection := strings.TrimSpace(profile.SecretsProfile)
-	if selection != "" {
-		return resolveConfiguredSecretsProfile(cfg, selection, SecretsProfileSelectionExplicit)
+// PlatformOSBackend returns the non-configurable OS credential backend for goos.
+func PlatformOSBackend(goos string) (credstore.Backend, error) {
+	switch goos {
+	case "darwin":
+		return credstore.BackendKeychain, nil
+	case "windows":
+		return credstore.BackendWinCred, nil
+	case "linux":
+		return credstore.BackendSecretService, nil
+	default:
+		return "", credstore.ErrBackendNotImplemented
+	}
+}
+
+// ResolveCredentialStore resolves one explicit credential-store ID.
+func ResolveCredentialStore(cfg config.File, storeID string) (ResolvedCredentialStore, error) {
+	cfg = config.Normalize(cfg)
+	storeID = strings.TrimSpace(storeID)
+	if storeID == "" {
+		return ResolvedCredentialStore{}, fmt.Errorf("%w: credential store is required", config.ErrInvalid)
+	}
+	if storeID == config.LocalOSCredentialStoreID {
+		backend, err := PlatformOSBackend(runtime.GOOS)
+		if err != nil {
+			return ResolvedCredentialStore{}, fmt.Errorf("%w: no OS credential store backend for GOOS %q", err, runtime.GOOS)
+		}
+		return ResolvedCredentialStore{
+			ID:              config.LocalOSCredentialStoreID,
+			Label:           "OS credential store",
+			Backend:         string(backend),
+			Source:          config.EffectiveSecretsStoreSourceBuiltIn,
+			SelectionSource: SecretsProfileSelectionBuiltInOS,
+		}, nil
 	}
-	if effectiveDefault, ok := config.EffectiveDefaultSecretsProfile(cfg); ok && effectiveDefault.Source == config.EffectiveSecretsProfileSourceConfigured {
-		return resolvedSecretsProfileFromEffective(effectiveDefault, SecretsProfileSelectionDefault), nil
+	store, ok := cfg.Secrets.Stores[storeID]
+	if !ok {
+		return ResolvedCredentialStore{}, fmt.Errorf("%w: %s", config.ErrSecretsStoreNotFound, storeID)
 	}
-	return resolveLegacySecretsProfile(cfg), nil
+	backend, err := credstore.ParseBackend(string(store.Backend.Kind))
+	if err != nil {
+		return ResolvedCredentialStore{}, fmt.Errorf("%w: %w", ErrInvalidBackendSelection, err)
+	}
+	label := strings.TrimSpace(store.DisplayName)
+	if label == "" {
+		label = storeID
+	}
+	return ResolvedCredentialStore{
+		ID:              storeID,
+		Label:           label,
+		Backend:         string(backend),
+		Source:          config.EffectiveSecretsStoreSourceConfigured,
+		SelectionSource: SecretsProfileSelectionExplicit,
+	}, nil
+}
+
+// ResolveCredentialStoreForLocation resolves the credential store referenced
+// by one configured credential location.
+func ResolveCredentialStoreForLocation(cfg config.File, location config.CredentialLocation) (ResolvedCredentialStore, error) {
+	return ResolveCredentialStore(cfg, location.Store)
 }
 
-// ResolveSecretsProfileForRef resolves the effective secrets-management profile
-// for a low-level credential ref write/read, optionally narrowed by the global
+// ResolveSecretsProfileForProfile resolves the effective credential store for
+// one review profile.
+func ResolveSecretsProfileForProfile(cfg config.File, profile config.Profile) (ResolvedSecretsProfile, error) {
+	if selection := strings.TrimSpace(profile.SecretsProfile); selection != "" {
+		return ResolveCredentialStore(cfg, selection)
+	}
+	profile = config.Normalize(config.File{
+		Profiles: map[string]config.Profile{"profile": profile},
+	}).Profiles["profile"]
+	return ResolveCredentialStoreForLocation(cfg, profile.Git.Credential)
+}
+
+// ResolveSecretsProfileForRef resolves the effective credential store for a
+// low-level credential-name write/read, optionally narrowed by the global
 // --profile selection.
 func ResolveSecretsProfileForRef(cfg config.File, ref string, selectedProfile string) (ResolvedSecretsProfile, error) {
 	selectedProfile = strings.TrimSpace(selectedProfile)
@@ -148,26 +212,29 @@ func ResolveSecretsProfileForRef(cfg config.File, ref string, selectedProfile st
 		if !ok {
 			return ResolvedSecretsProfile{}, fmt.Errorf("%w: %s", config.ErrProfileNotFound, selectedProfile)
 		}
-		if len(matchingCredentialRefs(profile, ref)) > 0 {
-			return ResolveSecretsProfileForProfile(cfg, profile)
-		}
-		owners := profilesDeclaringCredentialRef(cfg, ref)
-		if len(owners) == 0 {
-			return ResolveSecretsProfileForProfile(cfg, profile)
+		matches := matchingCredentialRefs(profile, ref)
+		if len(matches) == 0 {
+			owners := profilesDeclaringCredentialRef(cfg, ref)
+			if len(owners) == 0 {
+				return ResolvedSecretsProfile{}, fmt.Errorf("%w: credential name %q is not declared by selected profile %q", config.ErrInvalid, ref, selectedProfile)
+			}
+			return ResolvedSecretsProfile{}, fmt.Errorf("%w: credential name %q is not declared by selected profile %q; declared by %s", config.ErrInvalid, ref, selectedProfile, strings.Join(ownerNames(owners), ", "))
 		}
-		return ResolvedSecretsProfile{}, fmt.Errorf("%w: credential ref %q is not declared by selected profile %q; declared by %s", config.ErrInvalid, ref, selectedProfile, strings.Join(ownerNames(owners), ", "))
+		return ResolveCredentialStore(cfg, matches[0].Store)
 	}
 
 	owners := profilesDeclaringCredentialRef(cfg, ref)
 	if len(owners) == 0 {
-		return resolveLegacySecretsProfile(cfg), nil
+		return ResolvedSecretsProfile{}, fmt.Errorf("%w: credential name %q is not declared by any profile", config.ErrInvalid, ref)
 	}
-	resolved, err := ResolveSecretsProfileForProfile(cfg, owners[0].Profile)
+	matches := matchingCredentialRefs(owners[0].Profile, ref)
+	resolved, err := ResolveCredentialStore(cfg, matches[0].Store)
 	if err != nil {
 		return ResolvedSecretsProfile{}, err
 	}
 	for _, owner := range owners[1:] {
-		next, err := ResolveSecretsProfileForProfile(cfg, owner.Profile)
+		nextMatches := matchingCredentialRefs(owner.Profile, ref)
+		next, err := ResolveCredentialStore(cfg, nextMatches[0].Store)
 		if err != nil {
 			return ResolvedSecretsProfile{}, err
 		}
@@ -180,33 +247,40 @@ func ResolveSecretsProfileForRef(cfg config.File, ref string, selectedProfile st
 }
 
 // StoreOptionsForResolvedProfile builds credstore options for one resolved
-// secrets-management profile.
+// credential store.
 func StoreOptionsForResolvedProfile(flagValue string, flagSet bool, cfg config.File, resolved ResolvedSecretsProfile) (credstore.Options, error) {
-	if resolved.IsNamed() {
-		if flagSet {
-			return credstore.Options{}, fmt.Errorf("%w: --backend conflicts with named secrets-management profile %q", config.ErrInvalid, resolved.DisplayName())
-		}
-		profile, ok := cfg.Secrets.Profiles[resolved.ID]
-		if !ok {
-			return credstore.Options{}, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, resolved.ID)
-		}
-		backend, err := credstore.ParseBackend(resolved.Backend)
+	return StoreOptionsForResolvedStore(flagValue, flagSet, cfg, resolved)
+}
+
+// StoreOptionsForResolvedStore builds credstore options for one resolved
+// credential store.
+func StoreOptionsForResolvedStore(_ string, flagSet bool, cfg config.File, resolved ResolvedCredentialStore) (credstore.Options, error) {
+	if flagSet {
+		return credstore.Options{}, fmt.Errorf("%w: --backend conflicts with credential store %q", config.ErrInvalid, resolved.DisplayName())
+	}
+	backend, err := credstore.ParseBackend(resolved.Backend)
+	if err != nil {
+		return credstore.Options{}, fmt.Errorf("%w: %w", ErrInvalidBackendSelection, err)
+	}
+	options := credstore.Options{
+		AllowedKeys: AllowedKeys(),
+		Backend:     backend,
+	}
+	if resolved.Source != config.EffectiveSecretsStoreSourceConfigured {
+		return options, nil
+	}
+	cfg = config.Normalize(cfg)
+	store, ok := cfg.Secrets.Stores[resolved.ID]
+	if !ok {
+		return credstore.Options{}, fmt.Errorf("%w: %s", config.ErrSecretsStoreNotFound, resolved.ID)
+	}
+	if config.IsOnePasswordSecretsBackend(store.Backend.Kind) {
+		options.OnePassword, err = onePasswordOptionsFromConfig(store.Backend)
 		if err != nil {
-			return credstore.Options{}, fmt.Errorf("%w: %w", ErrInvalidBackendSelection, err)
-		}
-		options := credstore.Options{
-			AllowedKeys: AllowedKeys(),
-			Backend:     backend,
-		}
-		if config.IsOnePasswordSecretsBackend(profile.Backend.Kind) {
-			options.OnePassword, err = onePasswordOptionsFromConfig(profile.Backend)
-			if err != nil {
-				return credstore.Options{}, fmt.Errorf("%w: %w", config.ErrInvalid, err)
-			}
+			return credstore.Options{}, fmt.Errorf("%w: %w", config.ErrInvalid, err)
 		}
-		return options, nil
 	}
-	return StoreOptions(flagValue, flagSet, cfg)
+	return options, nil
 }
 
 // OpenResolvedStore opens the resolved service-scoped keyring store.
@@ -217,15 +291,15 @@ func OpenResolvedStore(flagValue string, flagSet bool, cfg config.File, resolved
 	}
 	store, err := credstore.Open(ServiceName, &opts)
 	if err != nil {
-		return nil, fmt.Errorf("credentials: opening secrets-management profile %q (%s): %w", resolved.DisplayName(), resolved.Backend, err)
+		return nil, fmt.Errorf("credentials: opening credential store %q (%s): %w", resolved.DisplayName(), resolved.Backend, err)
 	}
 	return store, nil
 }
 
 // StoreOptions validates backend selectors and returns credstore options.
-func StoreOptions(flagValue string, flagSet bool, cfg config.File) (credstore.Options, error) {
+func StoreOptions(flagValue string, flagSet bool, _ config.File) (credstore.Options, error) {
 	opts := credstore.Options{AllowedKeys: AllowedKeys()}
-	if err := credstore.BindBackendFlag(&opts, flagValue, flagSet, cfg.Keyring.Backend); err != nil {
+	if err := credstore.BindBackendFlag(&opts, flagValue, flagSet, ""); err != nil {
 		return credstore.Options{}, fmt.Errorf("%w: %w", ErrInvalidBackendSelection, err)
 	}
 	if err := rejectLegacyOnePasswordBackend(opts.Backend); err != nil {
@@ -289,44 +363,6 @@ func onePasswordOptionsFromConfig(backend config.SecretsProfileBackend) (*credst
 	return options, nil
 }
 
-func resolvedSecretsProfileFromEffective(profile config.EffectiveSecretsProfile, selectionSource SecretsProfileSelectionSource) ResolvedSecretsProfile {
-	return ResolvedSecretsProfile{
-		ID:              profile.ID,
-		Label:           strings.TrimSpace(profile.Label),
-		Backend:         profile.Backend,
-		Source:          profile.Source,
-		SelectionSource: selectionSource,
-	}
-}
-
-func resolveConfiguredSecretsProfile(cfg config.File, id string, selectionSource SecretsProfileSelectionSource) (ResolvedSecretsProfile, error) {
-	id = strings.TrimSpace(id)
-	for _, profile := range config.EffectiveSecretsProfiles(cfg) {
-		if profile.ID != id {
-			continue
-		}
-		if profile.Source != config.EffectiveSecretsProfileSourceConfigured {
-			break
-		}
-		return resolvedSecretsProfileFromEffective(profile, selectionSource), nil
-	}
-	return ResolvedSecretsProfile{}, fmt.Errorf("%w: %s", config.ErrSecretsProfileNotFound, id)
-}
-
-func resolveLegacySecretsProfile(cfg config.File) ResolvedSecretsProfile {
-	backend := strings.TrimSpace(cfg.Keyring.Backend)
-	if backend == "" {
-		backend = config.ProjectedLegacySecretsBackendKind
-	}
-	return ResolvedSecretsProfile{
-		ID:              config.LegacyProjectedSecretsProfileID,
-		Label:           "Legacy default",
-		Backend:         backend,
-		Source:          config.EffectiveSecretsProfileSourceProjectedLegacy,
-		SelectionSource: SecretsProfileSelectionLegacyDefault,
-	}
-}
-
 type credentialRefOwner struct {
 	Name    string
 	Profile config.Profile
@@ -366,7 +402,7 @@ func ambiguousSecretsProfileError(ref string, cfg config.File, owners []credenti
 		}
 		details = append(details, fmt.Sprintf("%s -> %s (%s)", owner.Name, resolved.DisplayName(), resolved.ID))
 	}
-	return fmt.Errorf("%w: credential ref %q is declared by profiles using different secrets-management profiles; pass --profile to disambiguate: %s", config.ErrInvalid, ref, strings.Join(details, "; "))
+	return fmt.Errorf("%w: credential name %q is declared by profiles using different credential stores; pass --profile to disambiguate: %s", config.ErrInvalid, ref, strings.Join(details, "; "))
 }
 
 // BackendMetadata reports the selected backend/source without opening the store.
@@ -414,7 +450,7 @@ func rejectLegacyOnePasswordBackend(kind credstore.Backend) error {
 	if !config.IsOnePasswordSecretsBackend(config.SecretsBackendKind(kind)) {
 		return nil
 	}
-	return fmt.Errorf("%w: backend %q is only supported through named secrets-management profiles", ErrInvalidBackendSelection, kind)
+	return fmt.Errorf("%w: backend %q is only supported through configured credential stores", ErrInvalidBackendSelection, kind)
 }
 
 // KeyStatus reports the presence state for one declared keyring key.
@@ -446,7 +482,7 @@ type KeySpec struct {
 	Required bool
 }
 
-// KeySpecsForPurpose returns the exact keyring keys expected for a config credential ref.
+// KeySpecsForPurpose returns the exact keyring keys expected for a configured credential location.
 func KeySpecsForPurpose(ref config.CredentialRef) ([]KeySpec, error) {
 	switch ref.Purpose {
 	case "git", "reviewer_credentials":
@@ -482,7 +518,7 @@ func KeySpecsForPurpose(ref config.CredentialRef) ([]KeySpec, error) {
 	}
 }
 
-// KeyForPurpose returns the single required keyring key expected for a config credential ref.
+// KeyForPurpose returns the single required keyring key expected for a configured credential location.
 func KeyForPurpose(ref config.CredentialRef) (string, error) {
 	specs, err := KeySpecsForPurpose(ref)
 	if err != nil {
@@ -644,24 +680,32 @@ func ExpectedKeysForConfigRef(cfg config.File, ref string) ([]string, error) {
 
 func matchingCredentialRefs(profile config.Profile, ref string) []config.CredentialRef {
 	refs := []config.CredentialRef{}
-	if profile.Git.CredentialRef == ref {
+	gitCredential := normalizedCredentialLocation(profile.Git.Credential, profile.Git.CredentialRef)
+	if gitCredential.Name == ref {
 		refs = append(refs, config.CredentialRef{
 			Purpose: "git",
-			Ref:     profile.Git.CredentialRef,
+			Store:   gitCredential.Store,
+			Ref:     gitCredential.Name,
 			Mode:    string(profile.Git.AuthMode),
 		})
 	}
-	if profile.ReviewerCredentials != nil && profile.ReviewerCredentials.CredentialRef == ref {
-		refs = append(refs, config.CredentialRef{
-			Purpose: "reviewer_credentials",
-			Ref:     profile.ReviewerCredentials.CredentialRef,
-			Mode:    string(profile.ReviewerCredentials.AuthMode),
-		})
+	if profile.ReviewerCredentials != nil {
+		reviewerCredential := normalizedCredentialLocation(profile.ReviewerCredentials.Credential, profile.ReviewerCredentials.CredentialRef)
+		if reviewerCredential.Name == ref {
+			refs = append(refs, config.CredentialRef{
+				Purpose: "reviewer_credentials",
+				Store:   reviewerCredential.Store,
+				Ref:     reviewerCredential.Name,
+				Mode:    string(profile.ReviewerCredentials.AuthMode),
+			})
+		}
 	}
-	if profile.LLM.Auth == config.LLMAuthAPIKey && profile.LLM.CredentialRef == ref {
+	llmCredential := normalizedCredentialLocation(profile.LLM.Credential, profile.LLM.CredentialRef)
+	if profile.LLM.Auth == config.LLMAuthAPIKey && llmCredential.Name == ref {
 		refs = append(refs, config.CredentialRef{
 			Purpose:  "llm",
-			Ref:      profile.LLM.CredentialRef,
+			Store:    llmCredential.Store,
+			Ref:      llmCredential.Name,
 			Mode:     string(profile.LLM.Auth),
 			Provider: string(profile.LLM.Provider),
 		})
@@ -669,6 +713,19 @@ func matchingCredentialRefs(profile config.Profile, ref string) []config.Credent
 	return refs
 }
 
+func normalizedCredentialLocation(location config.CredentialLocation, legacyRef string) config.CredentialLocation {
+	location.Store = strings.TrimSpace(location.Store)
+	location.Name = strings.TrimSpace(location.Name)
+	legacyRef = strings.TrimSpace(legacyRef)
+	if legacyRef != "" {
+		if location.Store == "" {
+			location.Store = config.LocalOSCredentialStoreID
+		}
+		location.Name = legacyRef
+	}
+	return location
+}
+
 // ValidateAllowedKey fails when key is not in cr's write allowlist.
 func ValidateAllowedKey(key string) error {
 	allowed := AllowedKeys()
diff --git a/internal/credentials/credentials_test.go b/internal/credentials/credentials_test.go
index e914020a..5a23a0e3 100644
--- a/internal/credentials/credentials_test.go
+++ b/internal/credentials/credentials_test.go
@@ -3,6 +3,7 @@ package credentials
 import (
 	"errors"
 	"reflect"
+	"runtime"
 	"testing"
 	"time"
 
@@ -29,22 +30,19 @@ func TestParseRefEnforcesCodereviewService(t *testing.T) {
 func TestStoreOptionsBackendPrecedenceMetadata(t *testing.T) {
 	t.Setenv(BackendEnvVar(), "")
 
-	cfg := config.File{Keyring: config.KeyringConfig{Backend: "memory"}}
-	store, err := OpenStore("", false, cfg)
+	opts, err := StoreOptions("", false, config.File{Keyring: config.KeyringConfig{Backend: "memory"}})
 	if err != nil {
-		t.Fatalf("OpenStore config backend: %v", err)
+		t.Fatalf("StoreOptions: %v", err)
 	}
-	backend, source := store.Backend()
-	_ = store.Close()
-	if backend != credstore.BackendMemory || source != credstore.SourceConfig {
-		t.Fatalf("Backend = (%s,%s), want (memory,config)", backend, source)
+	if opts.Backend != "" || opts.ConfigBackend != "" {
+		t.Fatalf("StoreOptions legacy config backend = (%s,%s), want ignored", opts.Backend, opts.ConfigBackend)
 	}
 
-	store, err = OpenStore("memory", true, config.File{})
+	store, err := OpenStore("memory", true, config.File{})
 	if err != nil {
 		t.Fatalf("OpenStore explicit backend: %v", err)
 	}
-	backend, source = store.Backend()
+	backend, source := store.Backend()
 	_ = store.Close()
 	if backend != credstore.BackendMemory || source != credstore.SourceExplicit {
 		t.Fatalf("Backend = (%s,%s), want (memory,explicit)", backend, source)
@@ -70,7 +68,6 @@ func TestStoreOptionsRejectsLegacyOnePasswordBackends(t *testing.T) {
 		cfg     config.File
 	}{
 		{name: "flag", flag: "op", flagSet: true, cfg: config.File{}},
-		{name: "config", cfg: config.File{Keyring: config.KeyringConfig{Backend: "op-connect"}}},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			_, err := StoreOptions(tc.flag, tc.flagSet, tc.cfg)
@@ -183,7 +180,6 @@ func TestKeySpecsForPurposeCredentialMatrix(t *testing.T) {
 
 func TestValidateAllowedKeyForConfigNarrowsDeclaredRefs(t *testing.T) {
 	cfg := config.File{
-		DefaultProfile: "anthropic",
 		Profiles: map[string]config.Profile{
 			"anthropic": matrixProfile("codereview/git-a", "codereview/shared-llm", config.LLMProviderAnthropic),
 			"openai":    matrixProfile("codereview/git-b", "codereview/shared-llm", config.LLMProviderOpenAI),
@@ -249,7 +245,6 @@ func githubAppMatrixProfile(ref string) config.Profile {
 
 func TestExpectedKeysForConfigRefIgnoresUnrelatedUnsupportedProfiles(t *testing.T) {
 	cfg := config.File{
-		DefaultProfile: "work",
 		Profiles: map[string]config.Profile{
 			"work":       matrixProfile("codereview/work", "codereview/work-llm", config.LLMProviderAnthropic),
 			"shared-pat": matrixProfile("codereview/shared-git", "codereview/shared-llm", config.LLMProviderOpenAI),
@@ -294,31 +289,31 @@ func TestExpectedKeysForConfigRefIgnoresUnrelatedUnsupportedProfiles(t *testing.
 	}
 }
 
-func TestResolveSecretsProfileForProfileAndRef(t *testing.T) {
+func TestResolveCredentialStoreForProfileAndRef(t *testing.T) {
 	cfg := config.File{
-		DefaultProfile: "home",
-		Keyring:        config.KeyringConfig{Backend: "memory"},
 		Secrets: config.SecretsConfig{
-			DefaultProfile: "work-file",
-			Profiles: map[string]config.SecretsProfile{
+			Stores: map[string]config.SecretsStore{
 				"personal-keychain": {
-					Label:   "Personal Keychain",
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendKeychain)},
+					DisplayName: "Personal Keychain",
+					Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendKeychain)},
 				},
 				"work-file": {
-					Label:   "Work File Store",
-					Backend: config.SecretsProfileBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
+					DisplayName: "Work File Store",
+					Backend:     config.SecretsStoreBackend{Kind: config.SecretsBackendKind(credstore.BackendFile)},
 				},
 			},
 		},
 		Profiles: map[string]config.Profile{
 			"home": func() config.Profile {
 				p := matrixProfile("codereview/shared-git", "codereview/home-llm", config.LLMProviderAnthropic)
-				p.SecretsProfile = "personal-keychain"
+				p.Git.Credential.Store = "personal-keychain"
+				p.LLM.Credential.Store = "personal-keychain"
 				return p
 			}(),
 			"work": func() config.Profile {
 				p := matrixProfile("codereview/shared-git", "codereview/work-llm", config.LLMProviderOpenAI)
+				p.Git.Credential.Store = "work-file"
+				p.LLM.Credential.Store = "work-file"
 				return p
 			}(),
 		},
@@ -351,7 +346,7 @@ func TestResolveSecretsProfileForProfileAndRef(t *testing.T) {
 		Label:           "Work File Store",
 		Backend:         "file",
 		Source:          config.EffectiveSecretsProfileSourceConfigured,
-		SelectionSource: SecretsProfileSelectionDefault,
+		SelectionSource: SecretsProfileSelectionExplicit,
 	}
 	if !reflect.DeepEqual(workResolved, wantWork) {
 		t.Fatalf("work resolved secrets profile = %#v, want %#v", workResolved, wantWork)
@@ -367,25 +362,24 @@ func TestResolveSecretsProfileForProfileAndRef(t *testing.T) {
 	if !reflect.DeepEqual(selectedResolved, wantHome) {
 		t.Fatalf("selected resolved secrets profile = %#v, want %#v", selectedResolved, wantHome)
 	}
-	undeclaredResolved, err := ResolveSecretsProfileForRef(cfg, "codereview/custom-ref", "work")
-	if err != nil {
-		t.Fatalf("ResolveSecretsProfileForRef(custom-ref, work): %v", err)
+	if _, err := ResolveSecretsProfileForRef(cfg, "codereview/custom-ref", "work"); !errors.Is(err, config.ErrInvalid) {
+		t.Fatalf("ResolveSecretsProfileForRef(custom-ref, work) error = %v, want ErrInvalid", err)
 	}
-	if !reflect.DeepEqual(undeclaredResolved, wantWork) {
-		t.Fatalf("undeclared resolved secrets profile = %#v, want %#v", undeclaredResolved, wantWork)
+	localProfile := matrixProfile("codereview/local-git", "codereview/local-llm", config.LLMProviderAnthropic)
+	legacyResolved, err := ResolveSecretsProfileForProfile(cfg, localProfile)
+	if err != nil {
+		t.Fatalf("ResolveSecretsProfileForProfile(local-os): %v", err)
 	}
-
-	cfg.Secrets.DefaultProfile = ""
-	legacyResolved, err := ResolveSecretsProfileForProfile(cfg, cfg.Profiles["work"])
+	platformBackend, err := PlatformOSBackend(runtime.GOOS)
 	if err != nil {
-		t.Fatalf("ResolveSecretsProfileForProfile(work legacy): %v", err)
+		t.Fatalf("PlatformOSBackend(%s): %v", runtime.GOOS, err)
 	}
 	wantLegacy := ResolvedSecretsProfile{
-		ID:              config.LegacyProjectedSecretsProfileID,
-		Label:           "Legacy default",
-		Backend:         "memory",
+		ID:              config.LocalOSCredentialStoreID,
+		Label:           "OS credential store",
+		Backend:         string(platformBackend),
 		Source:          config.EffectiveSecretsProfileSourceProjectedLegacy,
-		SelectionSource: SecretsProfileSelectionLegacyDefault,
+		SelectionSource: SecretsProfileSelectionBuiltInOS,
 	}
 	if !reflect.DeepEqual(legacyResolved, wantLegacy) {
 		t.Fatalf("legacy resolved secrets profile = %#v, want %#v", legacyResolved, wantLegacy)
@@ -498,7 +492,6 @@ func TestStoreOptionsForResolvedProfile_OnePasswordBackend(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := config.File{
-				DefaultProfile: "home",
 				Secrets: config.SecretsConfig{
 					Profiles: map[string]config.SecretsProfile{
 						"work-op": tt.profile,
diff --git a/internal/identity/identity_test.go b/internal/identity/identity_test.go
index 682ce3f3..7814c9b1 100644
--- a/internal/identity/identity_test.go
+++ b/internal/identity/identity_test.go
@@ -93,7 +93,6 @@ func TestRefreshAllSortedAndAtomicOnFailure(t *testing.T) {
 
 func TestRefreshAllReviewerCredentialsRollbackOnFailure(t *testing.T) {
 	cfg := config.File{
-		DefaultProfile: "reviewer",
 		Profiles: map[string]config.Profile{
 			"reviewer": {
 				Git: config.GitConfig{
@@ -238,7 +237,6 @@ func (f *fakeResolver) ResolveIdentity(_ context.Context, _ string, git config.G
 
 func testConfig() config.File {
 	return config.File{
-		DefaultProfile: "home",
 		Profiles: map[string]config.Profile{
 			"home": {
 				Git: config.GitConfig{
diff --git a/internal/view/config.go b/internal/view/config.go
index ebde4869..6516bcf4 100644
--- a/internal/view/config.go
+++ b/internal/view/config.go
@@ -72,34 +72,30 @@ func RenderConfigText(w io.Writer, show ConfigShow) error {
 		return err
 	}
 	if show.Backend != "" {
-		if err := writeKV(w, "Keyring backend", show.Backend); err != nil {
+		if err := writeKV(w, "Credential backend", show.Backend); err != nil {
 			return err
 		}
 	}
 	if show.BackendSource != "" {
-		if err := writeKV(w, "Keyring backend source", show.BackendSource); err != nil {
+		if err := writeKV(w, "Credential backend source", show.BackendSource); err != nil {
 			return err
 		}
 	}
 	if show.ActiveSecretsProfile != nil {
-		if err := writeKV(w, "Selected secrets management", fmt.Sprintf("%s (%s)", show.ActiveSecretsProfile.DisplayName(), show.ActiveSecretsProfile.Backend)); err != nil {
+		if err := writeKV(w, "Selected credential store", fmt.Sprintf("%s (%s)", show.ActiveSecretsProfile.DisplayName(), show.ActiveSecretsProfile.Backend)); err != nil {
 			return err
 		}
-		if err := writeKV(w, "Selected secrets management source", show.ActiveSecretsProfile.Source); err != nil {
+		if err := writeKV(w, "Selected credential store source", show.ActiveSecretsProfile.Source); err != nil {
 			return err
 		}
 	}
 	if len(show.SecretsProfiles) > 0 {
-		if _, err := fmt.Fprintln(w, "Secrets management profiles:"); err != nil {
+		if _, err := fmt.Fprintln(w, "Credential stores:"); err != nil {
 			return err
 		}
 		for _, profile := range show.SecretsProfiles {
 			label := ConfigSecretsProfile{ID: profile.ID, Label: profile.Label}.DisplayName()
-			suffix := ""
-			if profile.IsDefault {
-				suffix = " [default]"
-			}
-			if _, err := fmt.Fprintf(w, "  - %s: %s (%s)%s\n", profile.ID, label, profile.Backend, suffix); err != nil {
+			if _, err := fmt.Fprintf(w, "  - %s: %s (%s)\n", profile.ID, label, profile.Backend); err != nil {
 				return err
 			}
 			if err := writeKV(w, "    Source", string(profile.Source)); err != nil {
@@ -116,7 +112,7 @@ func RenderConfigText(w io.Writer, show ConfigShow) error {
 	if err := writeKV(w, "  Auth mode", string(show.Profile.Git.AuthMode)); err != nil {
 		return err
 	}
-	if err := writeKV(w, "  Credential ref", show.Profile.Git.CredentialRef); err != nil {
+	if err := writeKV(w, "  Credential name", show.Profile.Git.CredentialRef); err != nil {
 		return err
 	}
 	if err := writeOptionalKV(w, "  Identity cache", show.Profile.Git.IdentityCache); err != nil {
@@ -134,7 +130,7 @@ func RenderConfigText(w io.Writer, show ConfigShow) error {
 		if err := writeKV(w, "  Auth mode", string(show.Profile.ReviewerCredentials.AuthMode)); err != nil {
 			return err
 		}
-		if err := writeKV(w, "  Credential ref", show.Profile.ReviewerCredentials.CredentialRef); err != nil {
+		if err := writeKV(w, "  Credential name", show.Profile.ReviewerCredentials.CredentialRef); err != nil {
 			return err
 		}
 		if err := writeOptionalKV(w, "  Identity cache", show.Profile.ReviewerCredentials.IdentityCache); err != nil {
@@ -155,10 +151,10 @@ func RenderConfigText(w io.Writer, show ConfigShow) error {
 		return err
 	}
 	if show.LLMCredential.Mode == "stored_ref" {
-		if err := writeKV(w, "  Credential ref", show.LLMCredential.Ref); err != nil {
+		if err := writeKV(w, "  Credential name", show.LLMCredential.Ref); err != nil {
 			return err
 		}
-	} else if err := writeKV(w, "  Credential ref", "adapter-managed; not stored by cr"); err != nil {
+	} else if err := writeKV(w, "  Credential name", "adapter-managed; not stored by cr"); err != nil {
 		return err
 	}
 	if err := renderConfigModelMap(w, show.Profile.LLM); err != nil {
@@ -282,23 +278,6 @@ func RenderConfigPathJSON(w io.Writer, result ConfigPath) error {
 	return encoder.Encode(result)
 }
 
-// ConfigDefault is the presentation model for `cr config default get/set`.
-type ConfigDefault struct {
-	DefaultProfile string `json:"default_profile"`
-}
-
-// RenderConfigDefaultText writes a stable human-readable default-profile summary.
-func RenderConfigDefaultText(w io.Writer, result ConfigDefault) error {
-	return writeKV(w, "Default profile", result.DefaultProfile)
-}
-
-// RenderConfigDefaultJSON writes the default-profile summary as indented JSON.
-func RenderConfigDefaultJSON(w io.Writer, result ConfigDefault) error {
-	encoder := json.NewEncoder(w)
-	encoder.SetIndent("", "  ")
-	return encoder.Encode(result)
-}
-
 // ConfigRetention is the presentation model for `cr config retention`.
 type ConfigRetention struct {
 	MaxAgeDays  int    `json:"max_age_days"`
@@ -340,23 +319,23 @@ type ConfigRoutes struct {
 	Routes []ConfigRoute `json:"routes"`
 }
 
-// ConfigSecretsProfiles is the presentation model for `cr config secrets-profile list`.
+// ConfigSecretsProfiles is the presentation model for `cr config credential-store list`.
 type ConfigSecretsProfiles struct {
 	Profiles []ConfigSecretsProfile `json:"profiles"`
 }
 
-// ConfigSecretsProfile is one effective secrets-management profile summary.
+// ConfigSecretsProfile is one effective credential store summary.
 type ConfigSecretsProfile struct {
 	ID          string                              `json:"id"`
 	Label       string                              `json:"label,omitempty"`
 	Backend     string                              `json:"backend"`
 	BackendInfo *ConfigSecretsProfileBackendDetails `json:"backend_info,omitempty"`
-	IsDefault   bool                                `json:"is_default,omitempty"`
+	ReadOnly    bool                                `json:"read_only,omitempty"`
 	Source      string                              `json:"source"`
 }
 
 // ConfigSecretsProfileBackendDetails is the safe presentation wrapper for
-// backend-specific non-secret secrets-profile metadata.
+// backend-specific non-secret credential-store metadata.
 type ConfigSecretsProfileBackendDetails struct {
 	OnePassword *ConfigSecretsProfileOnePassword `json:"onepassword,omitempty"`
 }
@@ -376,7 +355,7 @@ type ConfigSecretsProfileOnePassword struct {
 	DesktopAccountEnv      string `json:"desktop_account_env,omitempty"`
 }
 
-// DisplayName returns the best user-facing secrets-profile label.
+// DisplayName returns the best user-facing credential-store label.
 func (p ConfigSecretsProfile) DisplayName() string {
 	if strings.TrimSpace(p.Label) != "" {
 		return strings.TrimSpace(p.Label)
@@ -384,46 +363,37 @@ func (p ConfigSecretsProfile) DisplayName() string {
 	return strings.TrimSpace(p.ID)
 }
 
-// ConfigSecretsProfileDefault is the presentation model for `cr config secrets-profile default get`.
-type ConfigSecretsProfileDefault struct {
-	DefaultProfile *ConfigSecretsProfile `json:"default_profile,omitempty"`
-}
-
-// RenderConfigSecretsProfilesText writes a stable human-readable secrets-profile listing.
+// RenderConfigSecretsProfilesText writes a stable human-readable credential-store listing.
 func RenderConfigSecretsProfilesText(w io.Writer, result ConfigSecretsProfiles) error {
 	if len(result.Profiles) == 0 {
-		_, err := fmt.Fprintln(w, "Secrets management profiles: none")
+		_, err := fmt.Fprintln(w, "Credential stores: none")
 		return err
 	}
-	if _, err := fmt.Fprintln(w, "Secrets management profiles:"); err != nil {
+	if _, err := fmt.Fprintln(w, "Credential stores:"); err != nil {
 		return err
 	}
 	for _, profile := range result.Profiles {
 		label := profile.DisplayName()
-		suffix := ""
-		if profile.IsDefault {
-			suffix = " [default]"
-		}
-		if _, err := fmt.Fprintf(w, "  - %s: %s (%s, %s)%s\n", profile.ID, label, profile.Backend, profile.Source, suffix); err != nil {
+		if _, err := fmt.Fprintf(w, "  - %s: %s (%s, %s)\n", profile.ID, label, profile.Backend, profile.Source); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-// RenderConfigSecretsProfilesJSON writes the secrets-profile listing as indented JSON.
+// RenderConfigSecretsProfilesJSON writes the credential-store listing as indented JSON.
 func RenderConfigSecretsProfilesJSON(w io.Writer, result ConfigSecretsProfiles) error {
 	encoder := json.NewEncoder(w)
 	encoder.SetIndent("", "  ")
 	return encoder.Encode(result)
 }
 
-// RenderConfigSecretsProfileText writes one stable human-readable secrets-profile summary.
+// RenderConfigSecretsProfileText writes one stable human-readable credential-store summary.
 func RenderConfigSecretsProfileText(w io.Writer, profile ConfigSecretsProfile) error {
-	if err := writeKV(w, "Secrets profile", profile.ID); err != nil {
+	if err := writeKV(w, "Credential store", profile.ID); err != nil {
 		return err
 	}
-	if err := writeOptionalKV(w, "Label", profile.Label); err != nil {
+	if err := writeOptionalKV(w, "Display name", profile.Label); err != nil {
 		return err
 	}
 	if err := writeKV(w, "Backend", profile.Backend); err != nil {
@@ -437,15 +407,6 @@ func RenderConfigSecretsProfileText(w io.Writer, profile ConfigSecretsProfile) e
 		if err := writeOptionalKV(w, "1Password vault id", onePassword.VaultID); err != nil {
 			return err
 		}
-		if err := writeOptionalKV(w, "1Password item title prefix", onePassword.ItemTitlePrefix); err != nil {
-			return err
-		}
-		if err := writeOptionalKV(w, "1Password item tag", onePassword.ItemTag); err != nil {
-			return err
-		}
-		if err := writeOptionalKV(w, "1Password item field title", onePassword.ItemFieldTitle); err != nil {
-			return err
-		}
 		if err := writeOptionalKV(w, "1Password Connect host", onePassword.ConnectHost); err != nil {
 			return err
 		}
@@ -465,41 +426,16 @@ func RenderConfigSecretsProfileText(w io.Writer, profile ConfigSecretsProfile) e
 	if err := writeKV(w, "Source", profile.Source); err != nil {
 		return err
 	}
-	return writeKV(w, "Default", fmt.Sprint(profile.IsDefault))
+	return nil
 }
 
-// RenderConfigSecretsProfileJSON writes one secrets-profile summary as indented JSON.
+// RenderConfigSecretsProfileJSON writes one credential-store summary as indented JSON.
 func RenderConfigSecretsProfileJSON(w io.Writer, profile ConfigSecretsProfile) error {
 	encoder := json.NewEncoder(w)
 	encoder.SetIndent("", "  ")
 	return encoder.Encode(profile)
 }
 
-// RenderConfigSecretsProfileDefaultText writes the default secrets-profile summary.
-func RenderConfigSecretsProfileDefaultText(w io.Writer, result ConfigSecretsProfileDefault) error {
-	if result.DefaultProfile == nil {
-		_, err := fmt.Fprintln(w, "Default secrets profile: none")
-		return err
-	}
-	if err := writeKV(w, "Default secrets profile", result.DefaultProfile.ID); err != nil {
-		return err
-	}
-	if err := writeOptionalKV(w, "Label", result.DefaultProfile.Label); err != nil {
-		return err
-	}
-	if err := writeKV(w, "Backend", result.DefaultProfile.Backend); err != nil {
-		return err
-	}
-	return writeKV(w, "Source", result.DefaultProfile.Source)
-}
-
-// RenderConfigSecretsProfileDefaultJSON writes the default secrets-profile summary as indented JSON.
-func RenderConfigSecretsProfileDefaultJSON(w io.Writer, result ConfigSecretsProfileDefault) error {
-	encoder := json.NewEncoder(w)
-	encoder.SetIndent("", "  ")
-	return encoder.Encode(result)
-}
-
 // ConfigRoute is one repository-profile route.
 type ConfigRoute struct {
 	Profile   string   `json:"profile"`
@@ -616,7 +552,6 @@ type ConfigClear struct {
 	DryRun               bool                   `json:"dry_run"`
 	Cleared              []ClearedCredentialRef `json:"cleared"`
 	ConfigProfileRemoved string                 `json:"config_profile_removed,omitempty"`
-	DefaultProfile       string                 `json:"default_profile,omitempty"`
 	ConfigPathRemoved    string                 `json:"config_path_removed,omitempty"`
 	Cache                *CacheClear            `json:"cache,omitempty"`
 }
@@ -636,17 +571,17 @@ type CacheClear struct {
 
 // RenderConfigClearText writes a stable human-readable clear summary.
 func RenderConfigClearText(w io.Writer, result ConfigClear) error {
-	if err := writeKV(w, "Keyring backend", result.Backend); err != nil {
+	if err := writeKV(w, "Credential backend", result.Backend); err != nil {
 		return err
 	}
-	if err := writeKV(w, "Keyring backend source", result.BackendSource); err != nil {
+	if err := writeKV(w, "Credential backend source", result.BackendSource); err != nil {
 		return err
 	}
 	if result.ActiveSecretsProfile != nil {
-		if err := writeKV(w, "Selected secrets management", fmt.Sprintf("%s (%s)", result.ActiveSecretsProfile.DisplayName(), result.ActiveSecretsProfile.Backend)); err != nil {
+		if err := writeKV(w, "Selected credential store", fmt.Sprintf("%s (%s)", result.ActiveSecretsProfile.DisplayName(), result.ActiveSecretsProfile.Backend)); err != nil {
 			return err
 		}
-		if err := writeKV(w, "Selected secrets management source", result.ActiveSecretsProfile.Source); err != nil {
+		if err := writeKV(w, "Selected credential store source", result.ActiveSecretsProfile.Source); err != nil {
 			return err
 		}
 	}
@@ -672,11 +607,6 @@ func RenderConfigClearText(w io.Writer, result ConfigClear) error {
 			return err
 		}
 	}
-	if result.DefaultProfile != "" {
-		if err := writeKV(w, "Default profile", result.DefaultProfile); err != nil {
-			return err
-		}
-	}
 	if result.ConfigPathRemoved != "" {
 		if err := writeKV(w, "Config path removed", result.ConfigPathRemoved); err != nil {
 			return err
@@ -709,7 +639,9 @@ func RenderConfigClearJSON(w io.Writer, result ConfigClear) error {
 
 // CredentialWrite is the JSON envelope for `cr set-credential`.
 type CredentialWrite struct {
-	Ref           string `json:"ref"`
+	Ref           string `json:"ref,omitempty"`
+	Store         string `json:"store,omitempty"`
+	Name          string `json:"name,omitempty"`
 	Key           string `json:"key"`
 	Backend       string `json:"backend,omitempty"`
 	BackendSource string `json:"backend_source,omitempty"`
diff --git a/internal/view/config_test.go b/internal/view/config_test.go
index b4ffe4a3..3da99c1d 100644
--- a/internal/view/config_test.go
+++ b/internal/view/config_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/open-cli-collective/codereview-cli/internal/config"
 )
 
-func TestRenderConfigTextStoredCredentialRefs(t *testing.T) {
+func TestRenderConfigTextStoredCredentialNames(t *testing.T) {
 	var out bytes.Buffer
 	show := NewConfigShow("work", workProfile(), dataConfig(), []CredentialStatus{
 		credentialStatus("git", "codereview/work", "pat", "git_token", true),
@@ -25,9 +25,9 @@ func TestRenderConfigTextStoredCredentialRefs(t *testing.T) {
 	got := out.String()
 	for _, want := range []string{
 		"Profile: work",
-		"Credential ref: codereview/work",
-		"Credential ref: codereview/work-reviewer",
-		"Credential ref: codereview/work-llm",
+		"Credential name: codereview/work",
+		"Credential name: codereview/work-reviewer",
+		"Credential name: codereview/work-llm",
 		"git_token: present",
 		"anthropic_api_key: present",
 		"Allow self approve: true",
@@ -56,7 +56,7 @@ func TestRenderConfigTextSubscriptionCredentialIsAdapterManaged(t *testing.T) {
 	if !strings.Contains(got, "Reviewer credentials: self-review uses git credentials") {
 		t.Fatalf("text output missing self-review note:\n%s", got)
 	}
-	if !strings.Contains(got, "Credential ref: adapter-managed; not stored by cr") {
+	if !strings.Contains(got, "Credential name: adapter-managed; not stored by cr") {
 		t.Fatalf("text output missing adapter-managed credential note:\n%s", got)
 	}
 }
@@ -82,18 +82,17 @@ func TestRenderConfigTextOpenAIAPIKeyStatus(t *testing.T) {
 	}
 }
 
-func TestRenderConfigTextSecretsManagementProfiles(t *testing.T) {
+func TestRenderConfigTextCredentialStores(t *testing.T) {
 	var out bytes.Buffer
 	show := NewConfigShow("work", workProfile(), dataConfig(), nil)
 	show.Backend = "memory"
-	show.BackendSource = "config"
+	show.BackendSource = "credential_store"
 	show.SecretsProfiles = []config.EffectiveSecretsProfile{
 		{
-			ID:        config.LegacyProjectedSecretsProfileID,
-			Label:     "Legacy default",
-			Backend:   "memory",
-			IsDefault: true,
-			Source:    config.EffectiveSecretsProfileSourceProjectedLegacy,
+			ID:      config.LocalOSCredentialStoreID,
+			Label:   "macOS Login Keychain",
+			Backend: "memory",
+			Source:  config.EffectiveSecretsStoreSourceBuiltIn,
 		},
 		{
 			ID:      "personal-keychain",
@@ -108,11 +107,11 @@ func TestRenderConfigTextSecretsManagementProfiles(t *testing.T) {
 	}
 	got := out.String()
 	for _, want := range []string{
-		"Keyring backend: memory",
-		"Keyring backend source: config",
-		"Secrets management profiles:",
-		"  - legacy-default: Legacy default (memory) [default]",
-		"    Source: projected_legacy",
+		"Credential backend: memory",
+		"Credential backend source: credential_store",
+		"Credential stores:",
+		"  - local-os: macOS Login Keychain (memory)",
+		"    Source: built_in",
 		"  - personal-keychain: Personal Keychain (keychain)",
 		"    Source: configured",
 	} {
@@ -122,7 +121,7 @@ func TestRenderConfigTextSecretsManagementProfiles(t *testing.T) {
 	}
 }
 
-func TestRenderConfigTextSelectedSecretsManagement(t *testing.T) {
+func TestRenderConfigTextSelectedCredentialStore(t *testing.T) {
 	var out bytes.Buffer
 	show := NewConfigShow("work", workProfile(), dataConfig(), nil)
 	show.ActiveSecretsProfile = &ConfigSecretsProfile{
@@ -137,8 +136,8 @@ func TestRenderConfigTextSelectedSecretsManagement(t *testing.T) {
 	}
 	got := out.String()
 	for _, want := range []string{
-		"Selected secrets management: Work File Store (file)",
-		"Selected secrets management source: configured",
+		"Selected credential store: Work File Store (file)",
+		"Selected credential store source: configured",
 	} {
 		if !strings.Contains(got, want) {
 			t.Fatalf("text output missing %q:\n%s", want, got)
@@ -202,13 +201,13 @@ func TestRenderConfigTextExactHomeShape(t *testing.T) {
 Git:
   Host: github.com
   Auth mode: pat
-  Credential ref: codereview/home
+  Credential name: codereview/home
 Reviewer credentials: self-review uses git credentials
 LLM:
   Provider: anthropic
   Auth: subscription
   Adapter: claude_cli
-  Credential ref: adapter-managed; not stored by cr
+  Credential name: adapter-managed; not stored by cr
   Model map:
     small: <unset> (unset)
     medium: claude-sonnet-4-6 (built_in)
@@ -287,35 +286,6 @@ func TestRenderConfigPathJSON(t *testing.T) {
 	}
 }
 
-func TestRenderConfigDefaultText(t *testing.T) {
-	var out bytes.Buffer
-	result := ConfigDefault{DefaultProfile: "work"}
-
-	if err := RenderConfigDefaultText(&out, result); err != nil {
-		t.Fatalf("RenderConfigDefaultText: %v", err)
-	}
-	want := "Default profile: work\n"
-	if out.String() != want {
-		t.Fatalf("text output = %q, want %q", out.String(), want)
-	}
-}
-
-func TestRenderConfigDefaultJSON(t *testing.T) {
-	var out bytes.Buffer
-	result := ConfigDefault{DefaultProfile: "work"}
-
-	if err := RenderConfigDefaultJSON(&out, result); err != nil {
-		t.Fatalf("RenderConfigDefaultJSON: %v", err)
-	}
-	var decoded ConfigDefault
-	if err := json.Unmarshal(out.Bytes(), &decoded); err != nil {
-		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
-	}
-	if decoded != result {
-		t.Fatalf("decoded = %#v, want %#v", decoded, result)
-	}
-}
-
 func TestRenderConfigRetentionText(t *testing.T) {
 	var out bytes.Buffer
 	result := NewConfigRetention(config.RetentionConfig{
@@ -405,7 +375,7 @@ func TestRenderConfigSecretsProfilesText(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigSecretsProfiles{
 		Profiles: []ConfigSecretsProfile{
-			{ID: "legacy-default", Label: "Legacy default", Backend: "memory", Source: "projected_legacy", IsDefault: true},
+			{ID: "local-os", Label: "macOS Login Keychain", Backend: "memory", Source: "built_in"},
 			{ID: "work", Label: "Work Keychain", Backend: "keychain", Source: "configured"},
 		},
 	}
@@ -413,7 +383,7 @@ func TestRenderConfigSecretsProfilesText(t *testing.T) {
 	if err := RenderConfigSecretsProfilesText(&out, result); err != nil {
 		t.Fatalf("RenderConfigSecretsProfilesText: %v", err)
 	}
-	want := "Secrets management profiles:\n  - legacy-default: Legacy default (memory, projected_legacy) [default]\n  - work: Work Keychain (keychain, configured)\n"
+	want := "Credential stores:\n  - local-os: macOS Login Keychain (memory, built_in)\n  - work: Work Keychain (keychain, configured)\n"
 	if out.String() != want {
 		t.Fatalf("text output = %q, want %q", out.String(), want)
 	}
@@ -442,17 +412,16 @@ func TestRenderConfigSecretsProfilesJSON(t *testing.T) {
 func TestRenderConfigSecretsProfileText(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigSecretsProfile{
-		ID:        "legacy-default",
-		Label:     "Legacy default",
-		Backend:   "memory",
-		Source:    "projected_legacy",
-		IsDefault: true,
+		ID:      "local-os",
+		Label:   "macOS Login Keychain",
+		Backend: "memory",
+		Source:  "built_in",
 	}
 
 	if err := RenderConfigSecretsProfileText(&out, result); err != nil {
 		t.Fatalf("RenderConfigSecretsProfileText: %v", err)
 	}
-	want := "Secrets profile: legacy-default\nLabel: Legacy default\nBackend: memory\nSource: projected_legacy\nDefault: true\n"
+	want := "Credential store: local-os\nDisplay name: macOS Login Keychain\nBackend: memory\nSource: built_in\n"
 	if out.String() != want {
 		t.Fatalf("text output = %q, want %q", out.String(), want)
 	}
@@ -478,13 +447,12 @@ func TestRenderConfigSecretsProfileTextWithOnePasswordDetails(t *testing.T) {
 		t.Fatalf("RenderConfigSecretsProfileText with 1Password: %v", err)
 	}
 	want := "" +
-		"Secrets profile: work-op\n" +
+		"Credential store: work-op\n" +
 		"Backend: op\n" +
 		"1Password timeout: 5s\n" +
 		"1Password vault id: vault-123\n" +
 		"1Password service token env: OP_SERVICE_ACCOUNT_TOKEN\n" +
-		"Source: configured\n" +
-		"Default: false\n"
+		"Source: configured\n"
 	if out.String() != want {
 		t.Fatalf("text output = %q, want %q", out.String(), want)
 	}
@@ -538,60 +506,6 @@ func TestRenderConfigSecretsProfileJSONWithOnePasswordDetails(t *testing.T) {
 	}
 }
 
-func TestRenderConfigSecretsProfileDefaultText(t *testing.T) {
-	var out bytes.Buffer
-	result := ConfigSecretsProfileDefault{
-		DefaultProfile: &ConfigSecretsProfile{
-			ID:      "work",
-			Label:   "Work Keychain",
-			Backend: "keychain",
-			Source:  "configured",
-		},
-	}
-
-	if err := RenderConfigSecretsProfileDefaultText(&out, result); err != nil {
-		t.Fatalf("RenderConfigSecretsProfileDefaultText: %v", err)
-	}
-	want := "Default secrets profile: work\nLabel: Work Keychain\nBackend: keychain\nSource: configured\n"
-	if out.String() != want {
-		t.Fatalf("text output = %q, want %q", out.String(), want)
-	}
-}
-
-func TestRenderConfigSecretsProfileDefaultTextNone(t *testing.T) {
-	var out bytes.Buffer
-
-	if err := RenderConfigSecretsProfileDefaultText(&out, ConfigSecretsProfileDefault{}); err != nil {
-		t.Fatalf("RenderConfigSecretsProfileDefaultText: %v", err)
-	}
-	if out.String() != "Default secrets profile: none\n" {
-		t.Fatalf("text output = %q, want none text", out.String())
-	}
-}
-
-func TestRenderConfigSecretsProfileDefaultJSON(t *testing.T) {
-	var out bytes.Buffer
-	result := ConfigSecretsProfileDefault{
-		DefaultProfile: &ConfigSecretsProfile{
-			ID:      "work",
-			Label:   "Work Keychain",
-			Backend: "keychain",
-			Source:  "configured",
-		},
-	}
-
-	if err := RenderConfigSecretsProfileDefaultJSON(&out, result); err != nil {
-		t.Fatalf("RenderConfigSecretsProfileDefaultJSON: %v", err)
-	}
-	var decoded ConfigSecretsProfileDefault
-	if err := json.Unmarshal(out.Bytes(), &decoded); err != nil {
-		t.Fatalf("Unmarshal JSON: %v\n%s", err, out.String())
-	}
-	if !reflect.DeepEqual(decoded, result) {
-		t.Fatalf("decoded = %#v, want %#v", decoded, result)
-	}
-}
-
 func TestRenderConfigResolveProfileText(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigResolveProfile{
@@ -621,7 +535,7 @@ func TestRenderConfigResolveProfileJSON(t *testing.T) {
 	result := ConfigResolveProfile{
 		PRURL:           "https://github.com/open-cli-collective/codereview-cli/pull/1",
 		ResolvedProfile: "home",
-		Source:          "default_profile",
+		Source:          "repository_route",
 		GitHost:         "github.com",
 	}
 
@@ -716,10 +630,9 @@ func TestRenderConfigClearTextIncludesResetFields(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigClear{
 		Backend:              "file",
-		BackendSource:        "config",
+		BackendSource:        "credential_store",
 		Cleared:              []ClearedCredentialRef{{Ref: "codereview/work", Keys: []string{"git_token"}}},
 		ConfigProfileRemoved: "work",
-		DefaultProfile:       "home",
 		ConfigPathRemoved:    "/tmp/codereview/config.yml",
 		Cache:                &CacheClear{Path: "/tmp/codereview-cache", Status: "removed"},
 	}
@@ -730,7 +643,6 @@ func TestRenderConfigClearTextIncludesResetFields(t *testing.T) {
 	got := out.String()
 	for _, want := range []string{
 		"Config profile removed: work",
-		"Default profile: home",
 		"Config path removed: /tmp/codereview/config.yml",
 		"Cache path: /tmp/codereview-cache",
 		"Cache status: removed",
@@ -745,7 +657,7 @@ func TestRenderConfigClearTextIncludesDryRun(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigClear{
 		Backend:       "file",
-		BackendSource: "config",
+		BackendSource: "credential_store",
 		DryRun:        true,
 		Cleared:       []ClearedCredentialRef{{Ref: "codereview/work", Keys: []string{"git_token"}}},
 	}
@@ -768,11 +680,11 @@ func TestRenderConfigClearTextIncludesDryRun(t *testing.T) {
 	}
 }
 
-func TestRenderConfigClearTextIncludesSelectedSecretsManagement(t *testing.T) {
+func TestRenderConfigClearTextIncludesSelectedCredentialStore(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigClear{
 		Backend:       "file",
-		BackendSource: "secrets_profile",
+		BackendSource: "credential_store",
 		ActiveSecretsProfile: &ConfigSecretsProfile{
 			ID:      "work-file",
 			Label:   "Work File Store",
@@ -786,8 +698,8 @@ func TestRenderConfigClearTextIncludesSelectedSecretsManagement(t *testing.T) {
 	}
 	got := out.String()
 	for _, want := range []string{
-		"Selected secrets management: Work File Store (file)",
-		"Selected secrets management source: configured",
+		"Selected credential store: Work File Store (file)",
+		"Selected credential store source: configured",
 	} {
 		if !strings.Contains(got, want) {
 			t.Fatalf("text output missing %q:\n%s", want, got)
@@ -799,7 +711,7 @@ func TestRenderConfigClearTextIncludesCacheErrorWithoutPath(t *testing.T) {
 	var out bytes.Buffer
 	result := ConfigClear{
 		Backend:       "file",
-		BackendSource: "config",
+		BackendSource: "credential_store",
 		Cache:         &CacheClear{Status: "error", Error: "xdg cache unavailable"},
 	}
 
diff --git a/packaging/identity.yml b/packaging/identity.yml
index fea141a3..909e687b 100644
--- a/packaging/identity.yml
+++ b/packaging/identity.yml
@@ -27,7 +27,6 @@ keychain_probe:
     base: native_user_config
     path: "codereview/config.yml"
     content: |
-      default_profile: default
       profiles:
         default:
           git:
diff --git a/scripts/probe-credential-store.go b/scripts/probe-credential-store.go
index 7abf1e99..6a5d6600 100644
--- a/scripts/probe-credential-store.go
+++ b/scripts/probe-credential-store.go
@@ -23,7 +23,7 @@ func main() {
 	var ref string
 	var keep bool
 	flag.StringVar(&configPath, "config", "", "cr config path; defaults to the standard cr config path")
-	flag.StringVar(&reviewProfile, "profile", "", "review profile whose resolved secrets-management profile should be probed; defaults to cr's default profile")
+	flag.StringVar(&reviewProfile, "profile", "", "review profile whose resolved secrets-management profile should be probed")
 	flag.StringVar(&secretsProfile, "secrets-profile", "", "configured secrets-management profile id to probe directly")
 	flag.StringVar(&ref, "ref", "", "temporary credential ref to write; defaults to codereview/probe-<timestamp>")
 	flag.BoolVar(&keep, "keep", false, "leave the probe credential behind instead of deleting it")
diff --git a/version.txt b/version.txt
index bd73f470..5a2a5806 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.4
+0.6