I didn't want to jump in with this earlier since comfy is the main topic here but https://configrd.io will do the inheritance you are asking about. It's not cli but also has an API, handles secrets and deploys on prem.
thanks! actually looks really cool, love the integrated support for storing encrypted secrets (even if not supporting many providers yet). Will explore it more.