npm - @envpilot/cli - Versions diffs - 1.3.0 → 1.3.2 - Mend

@envpilot/cli 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +1450 -514
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -9,7 +9,7 @@ function initSentry() {
   Sentry.init({
     dsn,
     environment: "cli",
-    release: true ? "1.3.0" : "0.0.0",
+    release: true ? "1.3.2" : "0.0.0",
     // Free tier: disable performance monitoring
     tracesSampleRate: 0,
     beforeSend(event) {
@@ -49,12 +49,10 @@ async function flushSentry() {
 }
 // src/index.ts
-import { Command as Command10 } from "commander";
+import { Command as Command12 } from "commander";
 // src/commands/login.ts
 import { Command } from "commander";
-import chalk3 from "chalk";
-import open from "open";
 // src/lib/ui.ts
 import chalk from "chalk";
@@ -189,6 +187,91 @@ function projectRoleNotice(projectRole) {
   }
 }
+// src/lib/errors.ts
+import chalk2 from "chalk";
+var CLIError = class extends Error {
+  constructor(message, code, suggestion) {
+    super(message);
+    this.code = code;
+    this.suggestion = suggestion;
+    this.name = "CLIError";
+  }
+};
+var ErrorCodes = {
+  NOT_AUTHENTICATED: "NOT_AUTHENTICATED",
+  NOT_INITIALIZED: "NOT_INITIALIZED",
+  PROJECT_NOT_FOUND: "PROJECT_NOT_FOUND",
+  ORGANIZATION_NOT_FOUND: "ORGANIZATION_NOT_FOUND",
+  VARIABLE_NOT_FOUND: "VARIABLE_NOT_FOUND",
+  INVALID_CONFIG: "INVALID_CONFIG",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  PERMISSION_DENIED: "PERMISSION_DENIED",
+  TIER_LIMIT_EXCEEDED: "TIER_LIMIT_EXCEEDED",
+  FILE_NOT_FOUND: "FILE_NOT_FOUND",
+  INVALID_INPUT: "INVALID_INPUT",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR"
+};
+function formatError(error2) {
+  if (error2 instanceof CLIError) {
+    let message = chalk2.red(`Error: ${error2.message}`);
+    if (error2.suggestion) {
+      message += `
+${chalk2.yellow("Suggestion:")} ${error2.suggestion}`;
+    }
+    return message;
+  }
+  if (error2 instanceof Error) {
+    return chalk2.red(`Error: ${error2.message}`);
+  }
+  return chalk2.red(`Error: ${String(error2)}`);
+}
+async function handleError(error2) {
+  console.error(formatError(error2));
+  const skipCodes = /* @__PURE__ */ new Set([
+    ErrorCodes.NOT_AUTHENTICATED,
+    ErrorCodes.INVALID_INPUT,
+    ErrorCodes.NOT_INITIALIZED
+  ]);
+  if (error2 instanceof CLIError) {
+    if (!skipCodes.has(error2.code)) {
+      captureError(error2, { errorCode: error2.code });
+    }
+  } else {
+    captureError(error2);
+  }
+  await flushSentry();
+  if (error2 instanceof CLIError) {
+    switch (error2.code) {
+      case ErrorCodes.NOT_AUTHENTICATED:
+        process.exit(2);
+      case ErrorCodes.PERMISSION_DENIED:
+        process.exit(3);
+      case ErrorCodes.TIER_LIMIT_EXCEEDED:
+        process.exit(4);
+      default:
+        process.exit(1);
+    }
+  }
+  process.exit(1);
+}
+function notAuthenticated() {
+  return new CLIError(
+    "You are not authenticated.",
+    ErrorCodes.NOT_AUTHENTICATED,
+    "Run `envpilot login` to authenticate."
+  );
+}
+function notInitialized() {
+  return new CLIError(
+    "This directory is not initialized with Envpilot.",
+    ErrorCodes.NOT_INITIALIZED,
+    "Run `envpilot init` to initialize."
+  );
+}
+function fileNotFound(path) {
+  return new CLIError(`File not found: ${path}`, ErrorCodes.FILE_NOT_FOUND);
+}
 // src/lib/config.ts
 import Conf from "conf";
 var DEFAULT_API_URL = "https://www.envpilot.dev";
@@ -261,6 +344,11 @@ function getConfigPath() {
   return config.path;
 }
+// src/lib/auth-flow.ts
+import open from "open";
+import chalk3 from "chalk";
+import { hostname } from "os";
 // src/lib/api.ts
 var APIError = class extends Error {
   constructor(message, statusCode, code) {
@@ -546,174 +634,84 @@ function createAPIClient() {
   return new APIClient();
 }
-// src/lib/errors.ts
-import chalk2 from "chalk";
-var CLIError = class extends Error {
-  constructor(message, code, suggestion) {
-    super(message);
-    this.code = code;
-    this.suggestion = suggestion;
-    this.name = "CLIError";
-  }
-};
-var ErrorCodes = {
-  NOT_AUTHENTICATED: "NOT_AUTHENTICATED",
-  NOT_INITIALIZED: "NOT_INITIALIZED",
-  PROJECT_NOT_FOUND: "PROJECT_NOT_FOUND",
-  ORGANIZATION_NOT_FOUND: "ORGANIZATION_NOT_FOUND",
-  VARIABLE_NOT_FOUND: "VARIABLE_NOT_FOUND",
-  INVALID_CONFIG: "INVALID_CONFIG",
-  NETWORK_ERROR: "NETWORK_ERROR",
-  PERMISSION_DENIED: "PERMISSION_DENIED",
-  TIER_LIMIT_EXCEEDED: "TIER_LIMIT_EXCEEDED",
-  FILE_NOT_FOUND: "FILE_NOT_FOUND",
-  INVALID_INPUT: "INVALID_INPUT",
-  UNKNOWN_ERROR: "UNKNOWN_ERROR"
-};
-function formatError(error2) {
-  if (error2 instanceof CLIError) {
-    let message = chalk2.red(`Error: ${error2.message}`);
-    if (error2.suggestion) {
-      message += `
-${chalk2.yellow("Suggestion:")} ${error2.suggestion}`;
-    }
-    return message;
-  }
-  if (error2 instanceof Error) {
-    return chalk2.red(`Error: ${error2.message}`);
-  }
-  return chalk2.red(`Error: ${String(error2)}`);
+// src/lib/auth-flow.ts
+var POLL_INTERVAL_MS = 2e3;
+var MAX_POLL_ATTEMPTS = 150;
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
-async function handleError(error2) {
-  console.error(formatError(error2));
-  const skipCodes = /* @__PURE__ */ new Set([
-    ErrorCodes.NOT_AUTHENTICATED,
-    ErrorCodes.INVALID_INPUT,
-    ErrorCodes.NOT_INITIALIZED
-  ]);
-  if (error2 instanceof CLIError) {
-    if (!skipCodes.has(error2.code)) {
-      captureError(error2, { errorCode: error2.code });
+async function performLogin(options) {
+  const api = createAPIClient();
+  const deviceName = `CLI - ${hostname()}`;
+  info("Starting authentication flow...");
+  const spinner = createSpinner("Generating authentication code...");
+  spinner.start();
+  const initResponse = await api.post("/api/cli/auth?action=initiate", { deviceName });
+  spinner.stop();
+  console.log();
+  console.log(chalk3.bold("Your authentication code:"));
+  console.log();
+  console.log(chalk3.cyan.bold(`    ${initResponse.code}`));
+  console.log();
+  console.log(`Open this URL to authenticate:`);
+  console.log(chalk3.dim(initResponse.url));
+  console.log();
+  if (options?.browser !== false) {
+    info("Opening browser...");
+    await open(initResponse.url);
+  }
+  const pollSpinner = createSpinner("Waiting for authentication...");
+  pollSpinner.start();
+  for (let attempts = 0; attempts < MAX_POLL_ATTEMPTS; attempts++) {
+    await sleep(POLL_INTERVAL_MS);
+    const pollResponse = await api.get("/api/cli/auth", { action: "poll", code: initResponse.code });
+    if (pollResponse.status === "authenticated") {
+      pollSpinner.stop();
+      if (pollResponse.accessToken) {
+        setAccessToken(pollResponse.accessToken);
+      }
+      if (pollResponse.refreshToken) {
+        setRefreshToken(pollResponse.refreshToken);
+      }
+      if (pollResponse.user) {
+        setUser({
+          id: pollResponse.user.id,
+          email: pollResponse.user.email,
+          name: pollResponse.user.name
+        });
+      }
+      console.log();
+      success(`Logged in as ${chalk3.bold(pollResponse.user?.email)}`);
+      return { email: pollResponse.user?.email || "" };
     }
-  } else {
-    captureError(error2);
-  }
-  await flushSentry();
-  if (error2 instanceof CLIError) {
-    switch (error2.code) {
-      case ErrorCodes.NOT_AUTHENTICATED:
-        process.exit(2);
-      case ErrorCodes.PERMISSION_DENIED:
-        process.exit(3);
-      case ErrorCodes.TIER_LIMIT_EXCEEDED:
-        process.exit(4);
-      default:
-        process.exit(1);
+    if (pollResponse.status === "expired" || pollResponse.status === "not_found") {
+      pollSpinner.stop();
+      throw new Error("Authentication code expired. Please try again.");
     }
   }
-  process.exit(1);
-}
-function notAuthenticated() {
-  return new CLIError(
-    "You are not authenticated.",
-    ErrorCodes.NOT_AUTHENTICATED,
-    "Run `envpilot login` to authenticate."
-  );
-}
-function notInitialized() {
-  return new CLIError(
-    "This directory is not initialized with Envpilot.",
-    ErrorCodes.NOT_INITIALIZED,
-    "Run `envpilot init` to initialize."
-  );
-}
-function fileNotFound(path) {
-  return new CLIError(`File not found: ${path}`, ErrorCodes.FILE_NOT_FOUND);
+  pollSpinner.stop();
+  throw new Error("Authentication timed out. Please try again.");
 }
 // src/commands/login.ts
-import { hostname } from "os";
-var POLL_INTERVAL_MS = 2e3;
-var MAX_POLL_ATTEMPTS = 150;
 var loginCommand = new Command("login").description("Authenticate with Envpilot").option("--api-url <url>", "API URL (default: http://localhost:3000)").option("--no-browser", "Do not automatically open the browser").action(async (options) => {
   try {
     if (options.apiUrl) {
       setApiUrl(options.apiUrl);
     }
-    const api = createAPIClient();
-    const deviceName = `CLI - ${hostname()}`;
-    info("Starting authentication flow...");
-    const spinner = createSpinner("Generating authentication code...");
-    spinner.start();
-    const initResponse = await api.post("/api/cli/auth?action=initiate", { deviceName });
-    spinner.stop();
-    console.log();
-    console.log(chalk3.bold("Your authentication code:"));
-    console.log();
-    console.log(chalk3.cyan.bold(`    ${initResponse.code}`));
+    await performLogin({
+      browser: options.browser !== false
+    });
     console.log();
-    console.log(`Open this URL to authenticate:`);
-    console.log(chalk3.dim(initResponse.url));
+    console.log("Next steps:");
+    info("  envpilot init     Initialize a project in the current directory");
+    info("  envpilot list     List your projects and organizations");
+    info("  envpilot sync     Login, select project, and pull \u2014 all at once");
     console.log();
-    if (options.browser !== false) {
-      info("Opening browser...");
-      await open(initResponse.url);
-    }
-    const pollSpinner = createSpinner("Waiting for authentication...");
-    pollSpinner.start();
-    let authenticated = false;
-    let attempts = 0;
-    while (!authenticated && attempts < MAX_POLL_ATTEMPTS) {
-      await sleep(POLL_INTERVAL_MS);
-      const pollResponse = await api.get("/api/cli/auth", { action: "poll", code: initResponse.code });
-      if (pollResponse.status === "authenticated") {
-        pollSpinner.stop();
-        if (pollResponse.accessToken) {
-          setAccessToken(pollResponse.accessToken);
-        }
-        if (pollResponse.refreshToken) {
-          setRefreshToken(pollResponse.refreshToken);
-        }
-        if (pollResponse.user) {
-          setUser({
-            id: pollResponse.user.id,
-            email: pollResponse.user.email,
-            name: pollResponse.user.name
-          });
-        }
-        authenticated = true;
-        console.log();
-        success(`Logged in as ${chalk3.bold(pollResponse.user?.email)}`);
-        console.log();
-        console.log("Next steps:");
-        console.log(
-          `  ${chalk3.cyan("envpilot init")}     Initialize a project in the current directory`
-        );
-        console.log(
-          `  ${chalk3.cyan("envpilot list")}     List your projects and organizations`
-        );
-        console.log();
-        break;
-      }
-      if (pollResponse.status === "expired" || pollResponse.status === "not_found") {
-        pollSpinner.stop();
-        error("Authentication code expired. Please try again.");
-        process.exit(1);
-      }
-      attempts++;
-    }
-    if (!authenticated) {
-      pollSpinner.stop();
-      error("Authentication timed out. Please try again.");
-      process.exit(1);
-    }
   } catch (err) {
     await handleError(err);
   }
 });
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
 // src/commands/init.ts
 import { Command as Command2 } from "commander";
@@ -779,6 +777,18 @@ var projectConfigSchema = z.object({
   organizationId: z.string(),
   environment: environmentSchema.default("development")
 });
+var projectEntrySchema = z.object({
+  projectId: z.string(),
+  organizationId: z.string(),
+  projectName: z.string().default(""),
+  organizationName: z.string().default(""),
+  environment: environmentSchema.default("development")
+});
+var projectConfigV2Schema = z.object({
+  version: z.literal(1),
+  activeProjectId: z.string(),
+  projects: z.array(projectEntrySchema).min(1)
+});
 // src/lib/project-config.ts
 var CONFIG_FILE_NAME = ".envpilot";
@@ -788,51 +798,173 @@ function getProjectConfigPath(directory = process.cwd()) {
 function hasProjectConfig(directory = process.cwd()) {
   return existsSync(getProjectConfigPath(directory));
 }
-function readProjectConfig(directory = process.cwd()) {
+function readRawConfig(directory = process.cwd()) {
   const configPath = getProjectConfigPath(directory);
-  if (!existsSync(configPath)) {
+  if (!existsSync(configPath)) return null;
+  try {
+    return JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
     return null;
   }
+}
+function migrateV1toV2(v1) {
+  return {
+    version: 1,
+    activeProjectId: v1.projectId,
+    projects: [
+      {
+        projectId: v1.projectId,
+        organizationId: v1.organizationId,
+        projectName: "",
+        organizationName: "",
+        environment: v1.environment
+      }
+    ]
+  };
+}
+function readProjectConfigV2(directory = process.cwd()) {
+  const raw = readRawConfig(directory);
+  if (!raw || typeof raw !== "object") return null;
+  const rawVersion = raw.version;
+  if (rawVersion === 1 || rawVersion === 2) {
+    try {
+      const normalized = { ...raw, version: 1 };
+      const parsed = projectConfigV2Schema.parse(normalized);
+      if (rawVersion === 2) {
+        writeProjectConfigV2(parsed, directory);
+      }
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
   try {
-    const content = readFileSync(configPath, "utf-8");
-    const parsed = JSON.parse(content);
-    return projectConfigSchema.parse(parsed);
+    const v1 = projectConfigSchema.parse(raw);
+    const v2 = migrateV1toV2(v1);
+    writeProjectConfigV2(v2, directory);
+    return v2;
   } catch {
     return null;
   }
 }
-function writeProjectConfig(config2, directory = process.cwd()) {
+function writeProjectConfigV2(config2, directory = process.cwd()) {
   const configPath = getProjectConfigPath(directory);
-  const content = JSON.stringify(config2, null, 2) + "\n";
-  writeFileSync(configPath, content, "utf-8");
+  writeFileSync(configPath, JSON.stringify(config2, null, 2) + "\n", "utf-8");
 }
-function updateProjectConfig(updates, directory = process.cwd()) {
-  const existing = readProjectConfig(directory);
-  if (!existing) {
-    throw new Error("No project config found. Run `envpilot init` first.");
-  }
-  const updated = { ...existing, ...updates };
-  writeProjectConfig(updated, directory);
+function getActiveProject(config2) {
+  return config2.projects.find((p) => p.projectId === config2.activeProjectId) || config2.projects[0] || null;
 }
-function ensureEnvInGitignore(directory = process.cwd()) {
-  const gitignorePath = join(directory, ".gitignore");
-  if (!existsSync(gitignorePath)) {
-    writeFileSync(gitignorePath, ".env\n.env.local\n", "utf-8");
-    return;
+function resolveProject(config2, identifier) {
+  if (!identifier) return getActiveProject(config2);
+  return config2.projects.find(
+    (p) => p.projectId === identifier || p.projectName.toLowerCase() === identifier.toLowerCase()
+  ) || null;
+}
+function addProjectToConfig(config2, entry) {
+  if (config2.projects.some((p) => p.projectId === entry.projectId)) {
+    throw new Error("Project already linked");
   }
-  const content = readFileSync(gitignorePath, "utf-8");
-  const lines = content.split("\n");
-  if (lines.some((line) => line.trim() === ".env")) {
-    return;
+  return { ...config2, projects: [...config2.projects, entry] };
+}
+function removeProjectFromConfig(config2, projectId) {
+  const filtered = config2.projects.filter((p) => p.projectId !== projectId);
+  if (filtered.length === 0) return null;
+  const activeId = config2.activeProjectId === projectId ? filtered[0].projectId : config2.activeProjectId;
+  return { ...config2, activeProjectId: activeId, projects: filtered };
+}
+function setActiveProjectInConfig(config2, projectId) {
+  if (!config2.projects.some((p) => p.projectId === projectId)) {
+    throw new Error("Project not found in config");
   }
-  const newContent = content.endsWith("\n") ? content + ".env\n" : content + "\n.env\n";
-  writeFileSync(gitignorePath, newContent, "utf-8");
+  return { ...config2, activeProjectId: projectId };
 }
-function getTrackedEnvFiles(directory = process.cwd()) {
-  try {
-    const result = execSync("git ls-files --cached .env .env.* .env.local", {
-      cwd: directory,
-      encoding: "utf-8",
+function updateProjectInConfig(config2, projectId, updates) {
+  return {
+    ...config2,
+    projects: config2.projects.map(
+      (p) => p.projectId === projectId ? { ...p, ...updates } : p
+    )
+  };
+}
+function readProjectConfig(directory = process.cwd()) {
+  const v2 = readProjectConfigV2(directory);
+  if (!v2) return null;
+  const active = getActiveProject(v2);
+  if (!active) return null;
+  return {
+    projectId: active.projectId,
+    organizationId: active.organizationId,
+    environment: active.environment
+  };
+}
+function writeProjectConfig(config2, directory = process.cwd()) {
+  const existing = readProjectConfigV2(directory);
+  if (existing) {
+    const updated = updateProjectInConfig(existing, existing.activeProjectId, {
+      projectId: config2.projectId,
+      organizationId: config2.organizationId,
+      environment: config2.environment
+    });
+    writeProjectConfigV2(
+      { ...updated, activeProjectId: config2.projectId },
+      directory
+    );
+  } else {
+    writeProjectConfigV2(
+      {
+        version: 1,
+        activeProjectId: config2.projectId,
+        projects: [
+          {
+            projectId: config2.projectId,
+            organizationId: config2.organizationId,
+            projectName: "",
+            organizationName: "",
+            environment: config2.environment
+          }
+        ]
+      },
+      directory
+    );
+  }
+}
+function updateProjectConfig(updates, directory = process.cwd()) {
+  const v2 = readProjectConfigV2(directory);
+  if (!v2) {
+    throw new Error("No project config found. Run `envpilot init` first.");
+  }
+  const active = getActiveProject(v2);
+  if (!active) {
+    throw new Error("No active project found.");
+  }
+  const updated = updateProjectInConfig(v2, active.projectId, updates);
+  writeProjectConfigV2(updated, directory);
+}
+function deleteProjectConfig(directory = process.cwd()) {
+  const configPath = getProjectConfigPath(directory);
+  if (!existsSync(configPath)) return false;
+  unlinkSync(configPath);
+  return true;
+}
+function ensureEnvInGitignore(directory = process.cwd()) {
+  const gitignorePath = join(directory, ".gitignore");
+  if (!existsSync(gitignorePath)) {
+    writeFileSync(gitignorePath, ".env\n.env.local\n", "utf-8");
+    return;
+  }
+  const content = readFileSync(gitignorePath, "utf-8");
+  const lines = content.split("\n");
+  if (lines.some((line) => line.trim() === ".env")) {
+    return;
+  }
+  const newContent = content.endsWith("\n") ? content + ".env\n" : content + "\n.env\n";
+  writeFileSync(gitignorePath, newContent, "utf-8");
+}
+function getTrackedEnvFiles(directory = process.cwd()) {
+  try {
+    const result = execSync("git ls-files --cached .env .env.* .env.local", {
+      cwd: directory,
+      encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
     });
     return result.trim().split("\n").filter((f) => f.length > 0);
@@ -841,199 +973,8 @@ function getTrackedEnvFiles(directory = process.cwd()) {
   }
 }
-// src/commands/init.ts
-var initCommand = new Command2("init").description("Initialize Envpilot in the current directory").option("-o, --organization <id>", "Organization ID").option("-p, --project <id>", "Project ID").option(
-  "-e, --environment <env>",
-  "Default environment (development, staging, production)"
-).option("-f, --force", "Overwrite existing configuration").action(async (options) => {
-  try {
-    if (!isAuthenticated()) {
-      throw notAuthenticated();
-    }
-    if (hasProjectConfig() && !options.force) {
-      warning("This directory is already initialized with Envpilot.");
-      const { proceed } = await inquirer.prompt([
-        {
-          type: "confirm",
-          name: "proceed",
-          message: "Do you want to reinitialize?",
-          default: false
-        }
-      ]);
-      if (!proceed) {
-        info("Initialization cancelled.");
-        return;
-      }
-    }
-    const api = createAPIClient();
-    const organizations = await withSpinner(
-      "Fetching organizations...",
-      async () => {
-        const response = await api.get("/api/cli/organizations");
-        return response.data || [];
-      }
-    );
-    if (organizations.length === 0) {
-      error("No organizations found. Please create an organization first.");
-      process.exit(1);
-    }
-    let selectedOrg;
-    if (options.organization) {
-      const org = organizations.find(
-        (o) => o._id === options.organization || o.slug === options.organization
-      );
-      if (!org) {
-        error(`Organization not found: ${options.organization}`);
-        process.exit(1);
-      }
-      selectedOrg = org;
-    } else if (organizations.length === 1) {
-      selectedOrg = organizations[0];
-      info(`Using organization: ${chalk4.bold(selectedOrg.name)}`);
-    } else {
-      const { orgId } = await inquirer.prompt([
-        {
-          type: "list",
-          name: "orgId",
-          message: "Select an organization:",
-          choices: organizations.map((org) => ({
-            name: `${org.name} ${org.tier === "pro" ? chalk4.green("(Pro)") : chalk4.dim("(Free)")}`,
-            value: org._id
-          }))
-        }
-      ]);
-      selectedOrg = organizations.find((o) => o._id === orgId);
-    }
-    const projects = await withSpinner("Fetching projects...", async () => {
-      const response = await api.get(
-        "/api/cli/projects",
-        { organizationId: selectedOrg._id }
-      );
-      return response.data || [];
-    });
-    if (projects.length === 0) {
-      error("No projects found. Please create a project first.");
-      process.exit(1);
-    }
-    let selectedProject;
-    if (options.project) {
-      const project = projects.find(
-        (p) => p._id === options.project || p.slug === options.project
-      );
-      if (!project) {
-        error(`Project not found: ${options.project}`);
-        process.exit(1);
-      }
-      selectedProject = project;
-    } else if (projects.length === 1) {
-      selectedProject = projects[0];
-      info(`Using project: ${chalk4.bold(selectedProject.name)}`);
-    } else {
-      const { projectId } = await inquirer.prompt([
-        {
-          type: "list",
-          name: "projectId",
-          message: "Select a project:",
-          choices: projects.map((project) => ({
-            name: `${project.icon || "\u{1F4E6}"} ${project.name}`,
-            value: project._id
-          }))
-        }
-      ]);
-      selectedProject = projects.find((p) => p._id === projectId);
-    }
-    let selectedEnvironment = "development";
-    if (options.environment) {
-      if (!["development", "staging", "production"].includes(
-        options.environment
-      )) {
-        error(
-          "Invalid environment. Must be: development, staging, or production"
-        );
-        process.exit(1);
-      }
-      selectedEnvironment = options.environment;
-    } else {
-      const { environment } = await inquirer.prompt([
-        {
-          type: "list",
-          name: "environment",
-          message: "Select default environment:",
-          choices: [
-            { name: "Development", value: "development" },
-            { name: "Staging", value: "staging" },
-            { name: "Production", value: "production" }
-          ],
-          default: "development"
-        }
-      ]);
-      selectedEnvironment = environment;
-    }
-    writeProjectConfig({
-      projectId: selectedProject._id,
-      organizationId: selectedOrg._id,
-      environment: selectedEnvironment
-    });
-    setActiveOrganizationId(selectedOrg._id);
-    setActiveProjectId(selectedProject._id);
-    if (selectedOrg.role) {
-      setRole(selectedOrg.role);
-    }
-    ensureEnvInGitignore();
-    const trackedFiles = getTrackedEnvFiles();
-    if (trackedFiles.length > 0) {
-      console.log();
-      warning("Security risk: .env files are tracked by git!");
-      for (const file of trackedFiles) {
-        console.log(chalk4.red(`  tracked: ${file}`));
-      }
-      console.log();
-      console.log(
-        chalk4.yellow(
-          "  Run the following to untrack them (without deleting the files):"
-        )
-      );
-      for (const file of trackedFiles) {
-        console.log(chalk4.cyan(`    git rm --cached ${file}`));
-      }
-    }
-    console.log();
-    success("Project initialized!");
-    console.log();
-    console.log(chalk4.dim("Configuration saved to .envpilot"));
-    if (selectedOrg.role) {
-      console.log(chalk4.dim(`  Org role: ${formatRole(selectedOrg.role)}`));
-      roleNotice(selectedOrg.role);
-    }
-    if (selectedProject.projectRole) {
-      console.log(
-        chalk4.dim(
-          `  Project role: ${formatProjectRole(selectedProject.projectRole)}`
-        )
-      );
-      projectRoleNotice(selectedProject.projectRole);
-    }
-    console.log();
-    console.log("Next steps:");
-    console.log(
-      `  ${chalk4.cyan("envpilot pull")}     Download environment variables`
-    );
-    console.log(
-      `  ${chalk4.cyan("envpilot push")}     Upload local .env to cloud`
-    );
-    console.log();
-  } catch (err) {
-    await handleError(err);
-  }
-});
-// src/commands/pull.ts
-import { Command as Command3 } from "commander";
-import chalk5 from "chalk";
-import inquirer2 from "inquirer";
 // src/lib/env-file.ts
-import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, chmodSync } from "fs";
 import { join as join2 } from "path";
 function parseEnvFile(content) {
   const result = {};
@@ -1132,136 +1073,543 @@ function writeEnvFile(filePath, vars, options) {
 }
 function getEnvPathForEnvironment(environment, directory = process.cwd()) {
   if (environment === "development") {
-    return join2(directory, ".env");
+    return join2(directory, ".env.local");
   }
   return join2(directory, `.env.${environment}`);
 }
+function applyFileProtection(filePath, role, projectRole) {
+  if (!existsSync2(filePath)) return;
+  const isWritable = role === "admin" || role === "team_lead" || projectRole === "manager";
+  if (isWritable) {
+    chmodSync(filePath, 420);
+  } else {
+    chmodSync(filePath, 292);
+  }
+}
-// src/commands/pull.ts
-var pullCommand = new Command3("pull").description("Download environment variables to local .env file").option(
-  "-e, --env <environment>",
-  "Environment (development, staging, production)"
-).option("-f, --file <path>", "Output file path (default: .env)").option("--force", "Overwrite without confirmation").option("--format <format>", "Output format: env, json", "env").option("--dry-run", "Show what would be downloaded without writing").action(async (options) => {
+// src/commands/init.ts
+var initCommand = new Command2("init").description("Initialize Envpilot in the current directory").option("-o, --organization <id>", "Organization ID").option("-p, --project <id>", "Project ID").option(
+  "-e, --environment <env>",
+  "Default environment (development, staging, production)"
+).option("-f, --force", "Overwrite existing configuration").option("--add", "Add another project to existing config").action(async (options) => {
   try {
     if (!isAuthenticated()) {
       throw notAuthenticated();
     }
-    const projectConfig = readProjectConfig();
-    if (!projectConfig) {
-      throw notInitialized();
-    }
-    const trackedFiles = getTrackedEnvFiles();
-    if (trackedFiles.length > 0) {
-      error("Security risk: .env files are tracked by git!");
-      console.log();
-      for (const file of trackedFiles) {
-        console.log(chalk5.red(`  tracked: ${file}`));
+    const existingConfig = readProjectConfigV2();
+    if (options.add) {
+      if (!existingConfig) {
+        error("No existing config. Run `envpilot init` first.");
+        process.exit(1);
       }
-      console.log();
-      console.log(
-        chalk5.yellow(
-          "  Run the following to untrack them (without deleting the files):"
-        )
-      );
-      for (const file of trackedFiles) {
-        console.log(chalk5.cyan(`    git rm --cached ${file}`));
+      await addProject(existingConfig, options);
+      return;
+    }
+    if (hasProjectConfig() && !options.force) {
+      warning("This directory is already initialized with Envpilot.");
+      const { proceed } = await inquirer.prompt([
+        {
+          type: "confirm",
+          name: "proceed",
+          message: "Do you want to reinitialize?",
+          default: false
+        }
+      ]);
+      if (!proceed) {
+        info("Initialization cancelled.");
+        return;
       }
-      console.log();
+    }
+    const { selectedOrg, selectedProject, selectedEnvironment } = await selectOrgProjectEnv(options);
+    writeProjectConfigV2({
+      version: 1,
+      activeProjectId: selectedProject._id,
+      projects: [
+        {
+          projectId: selectedProject._id,
+          organizationId: selectedOrg._id,
+          projectName: selectedProject.name,
+          organizationName: selectedOrg.name,
+          environment: selectedEnvironment
+        }
+      ]
+    });
+    setActiveOrganizationId(selectedOrg._id);
+    setActiveProjectId(selectedProject._id);
+    if (selectedOrg.role) {
+      setRole(selectedOrg.role);
+    }
+    ensureEnvInGitignore();
+    warnTrackedFiles();
+    console.log();
+    success("Project initialized!");
+    printPostInit(selectedOrg, selectedProject);
+  } catch (err) {
+    await handleError(err);
+  }
+});
+async function addProject(existingConfig, options) {
+  const api = createAPIClient();
+  let role = getRole();
+  if (role !== "admin" && role !== "team_lead") {
+    const orgs = await withSpinner("Checking permissions...", async () => {
+      const response = await api.get("/api/cli/organizations");
+      return response.data || [];
+    });
+    const freshRole = orgs.find(
+      (o) => o._id === existingConfig.projects[0]?.organizationId
+    )?.role;
+    if (freshRole) {
+      setRole(freshRole);
+      role = freshRole;
+    }
+    if (role !== "admin" && role !== "team_lead") {
+      error("Only admins and team leads can link multiple projects.");
+      info("Unlink the current project first with `envpilot unlink`.");
       process.exit(1);
     }
-    const environment = options.env || projectConfig.environment || "development";
-    const outputPath = options.file || getEnvPathForEnvironment(environment);
-    const api = createAPIClient();
-    let metaProjectRole;
-    const variables = await withSpinner(
-      `Fetching ${chalk5.bold(environment)} variables...`,
-      async () => {
-        const response = await api.get("/api/cli/variables", {
-          projectId: projectConfig.projectId,
-          environment,
-          ...projectConfig.organizationId && {
-            organizationId: projectConfig.organizationId
-          }
-        });
-        metaProjectRole = response.meta?.projectRole;
-        return response.data || [];
-      }
+  }
+  const { selectedOrg, selectedProject, selectedEnvironment } = await selectOrgProjectEnv(options);
+  if (existingConfig.projects.some((p) => p.projectId === selectedProject._id)) {
+    error(`"${selectedProject.name}" is already linked.`);
+    process.exit(1);
+  }
+  const envFile = getEnvPathForEnvironment(selectedEnvironment);
+  const conflicting = existingConfig.projects.find(
+    (p) => p.environment === selectedEnvironment
+  );
+  if (conflicting) {
+    warning(
+      `"${conflicting.projectName || conflicting.projectId}" already syncs to ${envFile} (${selectedEnvironment}). Both projects will write to the same file \u2014 consider using a different environment.`
     );
-    if (variables.length === 0) {
-      warning(`No variables found for ${environment} environment.`);
-      return;
+  }
+  const newEntry = {
+    projectId: selectedProject._id,
+    organizationId: selectedOrg._id,
+    projectName: selectedProject.name,
+    organizationName: selectedOrg.name,
+    environment: selectedEnvironment
+  };
+  let updatedConfig = addProjectToConfig(existingConfig, newEntry);
+  const { setActive } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "setActive",
+      message: `Set "${selectedProject.name}" as the active project?`,
+      default: false
     }
-    const remoteVars = {};
-    for (const variable of variables) {
-      remoteVars[variable.key] = variable.value;
+  ]);
+  if (setActive) {
+    updatedConfig = {
+      ...updatedConfig,
+      activeProjectId: selectedProject._id
+    };
+    setActiveProjectId(selectedProject._id);
+    setActiveOrganizationId(selectedOrg._id);
+  }
+  updatedConfig = backfillNames(updatedConfig);
+  writeProjectConfigV2(updatedConfig);
+  console.log();
+  success(`Added "${selectedProject.name}" to linked projects!`);
+  console.log(
+    chalk4.dim(`  ${existingConfig.projects.length + 1} projects now linked`)
+  );
+  console.log();
+  console.log("Next steps:");
+  console.log(
+    `  ${chalk4.cyan("envpilot pull --all")}         Pull all projects`
+  );
+  console.log(
+    `  ${chalk4.cyan(`envpilot pull --project "${selectedProject.name}"`)}  Pull this project`
+  );
+  console.log(
+    `  ${chalk4.cyan("envpilot list linked")}        See all linked projects`
+  );
+  console.log();
+}
+async function selectOrgProjectEnv(options) {
+  const api = createAPIClient();
+  const organizations = await withSpinner(
+    "Fetching organizations...",
+    async () => {
+      const response = await api.get("/api/cli/organizations");
+      return response.data || [];
     }
-    const localVars = readEnvFile(outputPath) || {};
-    const diffResult = diffEnvVars(remoteVars, localVars);
-    const hasChanges = Object.keys(diffResult.added).length > 0 || Object.keys(diffResult.removed).length > 0 || Object.keys(diffResult.changed).length > 0;
-    if (!hasChanges) {
-      success("Local file is up to date.");
-      return;
+  );
+  if (organizations.length === 0) {
+    error("No organizations found. Please create an organization first.");
+    process.exit(1);
+  }
+  let selectedOrg;
+  if (options.organization) {
+    const org = organizations.find(
+      (o) => o._id === options.organization || o.slug === options.organization
+    );
+    if (!org) {
+      error(`Organization not found: ${options.organization}`);
+      process.exit(1);
     }
+    selectedOrg = org;
+  } else if (organizations.length === 1) {
+    selectedOrg = organizations[0];
+    info(`Using organization: ${chalk4.bold(selectedOrg.name)}`);
+  } else {
+    const { orgId } = await inquirer.prompt([
+      {
+        type: "list",
+        name: "orgId",
+        message: "Select an organization:",
+        choices: organizations.map((org) => ({
+          name: `${org.name} ${org.tier === "pro" ? chalk4.green("(Pro)") : chalk4.dim("(Free)")}`,
+          value: org._id
+        }))
+      }
+    ]);
+    selectedOrg = organizations.find((o) => o._id === orgId);
+  }
+  const projects = await withSpinner("Fetching projects...", async () => {
+    const response = await api.get(
+      "/api/cli/projects",
+      { organizationId: selectedOrg._id }
+    );
+    return response.data || [];
+  });
+  if (projects.length === 0) {
+    error("No projects found. Please create a project first.");
+    process.exit(1);
+  }
+  let selectedProject;
+  if (options.project) {
+    const project = projects.find(
+      (p) => p._id === options.project || p.slug === options.project
+    );
+    if (!project) {
+      error(`Project not found: ${options.project}`);
+      process.exit(1);
+    }
+    selectedProject = project;
+  } else if (projects.length === 1) {
+    selectedProject = projects[0];
+    info(`Using project: ${chalk4.bold(selectedProject.name)}`);
+  } else {
+    const { projectId } = await inquirer.prompt([
+      {
+        type: "list",
+        name: "projectId",
+        message: "Select a project:",
+        choices: projects.map((project) => ({
+          name: `${project.icon || "\u{1F4E6}"} ${project.name}`,
+          value: project._id
+        }))
+      }
+    ]);
+    selectedProject = projects.find((p) => p._id === projectId);
+  }
+  let selectedEnvironment = "development";
+  if (options.environment) {
+    if (!["development", "staging", "production"].includes(options.environment)) {
+      error(
+        "Invalid environment. Must be: development, staging, or production"
+      );
+      process.exit(1);
+    }
+    selectedEnvironment = options.environment;
+  } else {
+    const { environment } = await inquirer.prompt([
+      {
+        type: "list",
+        name: "environment",
+        message: "Select default environment:",
+        choices: [
+          { name: "Development", value: "development" },
+          { name: "Staging", value: "staging" },
+          { name: "Production", value: "production" }
+        ],
+        default: "development"
+      }
+    ]);
+    selectedEnvironment = environment;
+  }
+  return { selectedOrg, selectedProject, selectedEnvironment };
+}
+function backfillNames(config2) {
+  return config2;
+}
+function warnTrackedFiles() {
+  const trackedFiles = getTrackedEnvFiles();
+  if (trackedFiles.length > 0) {
     console.log();
-    console.log(chalk5.bold("Changes:"));
-    console.log();
-    diff(diffResult.added, diffResult.removed, diffResult.changed);
+    warning("Security risk: .env files are tracked by git!");
+    for (const file of trackedFiles) {
+      console.log(chalk4.red(`  tracked: ${file}`));
+    }
     console.log();
-    if (options.dryRun) {
-      info("Dry run - no changes written.");
+    console.log(
+      chalk4.yellow(
+        "  Run the following to untrack them (without deleting the files):"
+      )
+    );
+    for (const file of trackedFiles) {
+      console.log(chalk4.cyan(`    git rm --cached ${file}`));
+    }
+  }
+}
+function printPostInit(selectedOrg, selectedProject) {
+  console.log();
+  console.log(chalk4.dim("Configuration saved to .envpilot"));
+  if (selectedOrg.role) {
+    console.log(chalk4.dim(`  Org role: ${formatRole(selectedOrg.role)}`));
+    roleNotice(selectedOrg.role);
+  }
+  if (selectedProject.projectRole) {
+    console.log(
+      chalk4.dim(
+        `  Project role: ${formatProjectRole(selectedProject.projectRole)}`
+      )
+    );
+    projectRoleNotice(selectedProject.projectRole);
+  }
+  console.log();
+  console.log("Next steps:");
+  console.log(
+    `  ${chalk4.cyan("envpilot pull")}     Download environment variables`
+  );
+  console.log(
+    `  ${chalk4.cyan("envpilot push")}     Upload local .env to cloud`
+  );
+  console.log();
+}
+// src/commands/pull.ts
+import { Command as Command3 } from "commander";
+import chalk5 from "chalk";
+import inquirer2 from "inquirer";
+var pullCommand = new Command3("pull").description("Download environment variables to local .env file").option(
+  "-e, --env <environment>",
+  "Environment (development, staging, production)"
+).option("-f, --file <path>", "Output file path (default: .env)").option("--force", "Overwrite without confirmation").option("--format <format>", "Output format: env, json", "env").option("--dry-run", "Show what would be downloaded without writing").option("--project <name-or-id>", "Pull a specific linked project").option("--all", "Pull all linked projects").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      throw notAuthenticated();
+    }
+    if (options.all) {
+      if (options.env || options.file) {
+        error("Cannot use --env or --file with --all.");
+        process.exit(1);
+      }
+      await pullAllProjects(options);
       return;
     }
-    if (!options.force && Object.keys(localVars).length > 0) {
-      const { proceed } = await inquirer2.prompt([
-        {
-          type: "confirm",
-          name: "proceed",
-          message: `Overwrite ${outputPath}?`,
-          default: true
+    if (options.project) {
+      const configV2 = readProjectConfigV2();
+      if (!configV2) throw notInitialized();
+      const project = resolveProject(configV2, options.project);
+      if (!project) {
+        error(`Project not found: ${options.project}`);
+        console.log();
+        console.log("Linked projects:");
+        for (const p of configV2.projects) {
+          console.log(`  ${p.projectName || p.projectId} (${p.environment})`);
         }
-      ]);
-      if (!proceed) {
-        info("Pull cancelled.");
-        return;
+        process.exit(1);
       }
+      await pullSingleProject(project, options);
+      return;
     }
-    if (options.format === "json") {
-      const fs = await import("fs");
-      fs.writeFileSync(
+    const projectConfig = readProjectConfig();
+    if (!projectConfig) throw notInitialized();
+    checkTrackedFiles();
+    const environment = options.env || projectConfig.environment || "development";
+    const outputPath = options.file || getEnvPathForEnvironment(environment);
+    await pullProject(
+      {
+        projectId: projectConfig.projectId,
+        organizationId: projectConfig.organizationId,
+        environment
+      },
+      outputPath,
+      options
+    );
+  } catch (err) {
+    await handleError(err);
+  }
+});
+async function pullAllProjects(options) {
+  const configV2 = readProjectConfigV2();
+  if (!configV2) throw notInitialized();
+  checkTrackedFiles();
+  let totalPulled = 0;
+  let totalFailed = 0;
+  for (const project of configV2.projects) {
+    const outputPath = getEnvPathForEnvironment(project.environment);
+    const displayName = project.projectName || project.projectId;
+    console.log();
+    console.log(
+      chalk5.bold(
+        `Pulling "${displayName}" (${project.environment}) \u2192 ${outputPath}`
+      )
+    );
+    try {
+      await pullProject(
+        {
+          projectId: project.projectId,
+          organizationId: project.organizationId,
+          environment: project.environment
+        },
         outputPath,
-        JSON.stringify(remoteVars, null, 2) + "\n"
+        options
       );
-    } else {
-      const comments = {};
-      for (const variable of variables) {
-        if (variable.description) {
-          comments[variable.key] = variable.description;
+      totalPulled++;
+    } catch (err) {
+      totalFailed++;
+      if (err instanceof Error) {
+        error(`  Failed: ${err.message}`);
+      }
+    }
+  }
+  console.log();
+  if (totalFailed === 0) {
+    success(`Pulled ${totalPulled} project${totalPulled !== 1 ? "s" : ""}`);
+  } else {
+    warning(
+      `Pulled ${totalPulled}/${totalPulled + totalFailed} projects. ${totalFailed} failed.`
+    );
+  }
+}
+async function pullSingleProject(project, options) {
+  checkTrackedFiles();
+  const environment = options.env || project.environment;
+  const outputPath = options.file || getEnvPathForEnvironment(environment);
+  await pullProject(
+    {
+      projectId: project.projectId,
+      organizationId: project.organizationId,
+      environment
+    },
+    outputPath,
+    options
+  );
+}
+async function pullProject(project, outputPath, options) {
+  const api = createAPIClient();
+  let metaProjectRole;
+  const variables = await withSpinner(
+    `Fetching ${chalk5.bold(project.environment)} variables...`,
+    async () => {
+      const response = await api.get("/api/cli/variables", {
+        projectId: project.projectId,
+        environment: project.environment,
+        ...project.organizationId && {
+          organizationId: project.organizationId
         }
+      });
+      metaProjectRole = response.meta?.projectRole;
+      return response.data || [];
+    }
+  );
+  if (variables.length === 0) {
+    warning(`No variables found for ${project.environment} environment.`);
+    return;
+  }
+  const remoteVars = {};
+  for (const variable of variables) {
+    remoteVars[variable.key] = variable.value;
+  }
+  const localVars = readEnvFile(outputPath) || {};
+  const diffResult = diffEnvVars(remoteVars, localVars);
+  const hasChanges = Object.keys(diffResult.added).length > 0 || Object.keys(diffResult.removed).length > 0 || Object.keys(diffResult.changed).length > 0;
+  if (!hasChanges) {
+    success("Local file is up to date.");
+    return;
+  }
+  console.log();
+  console.log(chalk5.bold("Changes:"));
+  console.log();
+  diff(diffResult.added, diffResult.removed, diffResult.changed);
+  console.log();
+  if (options.dryRun) {
+    info("Dry run - no changes written.");
+    return;
+  }
+  if (!options.force && Object.keys(localVars).length > 0) {
+    const { proceed } = await inquirer2.prompt([
+      {
+        type: "confirm",
+        name: "proceed",
+        message: `Overwrite ${outputPath}?`,
+        default: true
       }
-      writeEnvFile(outputPath, remoteVars, { sort: true, comments });
+    ]);
+    if (!proceed) {
+      info("Pull cancelled.");
+      return;
     }
-    success(
-      `Downloaded ${variables.length} variables to ${chalk5.bold(outputPath)}`
+  }
+  try {
+    const fs = await import("fs");
+    if (fs.existsSync(outputPath)) {
+      fs.chmodSync(outputPath, 420);
+    }
+  } catch {
+  }
+  if (options.format === "json") {
+    const fs = await import("fs");
+    fs.writeFileSync(outputPath, JSON.stringify(remoteVars, null, 2) + "\n");
+  } else {
+    const comments = {};
+    for (const variable of variables) {
+      if (variable.description) {
+        comments[variable.key] = variable.description;
+      }
+    }
+    writeEnvFile(outputPath, remoteVars, { sort: true, comments });
+  }
+  const role = getRole();
+  applyFileProtection(outputPath, role, metaProjectRole);
+  success(
+    `Downloaded ${variables.length} variables to ${chalk5.bold(outputPath)}`
+  );
+  if (metaProjectRole === "viewer") {
+    info(
+      "You have Viewer access to this project. You may only see variables you have been explicitly granted access to."
     );
-    if (metaProjectRole === "viewer") {
-      info(
-        "You have Viewer access to this project. You may only see variables you have been explicitly granted access to."
-      );
+  }
+  const isProtected = role !== "admin" && role !== "team_lead" && metaProjectRole !== "manager";
+  if (isProtected) {
+    info(
+      `File is read-only (your role: ${role || metaProjectRole || "member"}).`
+    );
+  }
+  console.log();
+  console.log(chalk5.dim(`  Added:   ${Object.keys(diffResult.added).length}`));
+  console.log(
+    chalk5.dim(`  Changed: ${Object.keys(diffResult.changed).length}`)
+  );
+  console.log(
+    chalk5.dim(`  Removed: ${Object.keys(diffResult.removed).length}`)
+  );
+}
+function checkTrackedFiles() {
+  const trackedFiles = getTrackedEnvFiles();
+  if (trackedFiles.length > 0) {
+    error("Security risk: .env files are tracked by git!");
+    console.log();
+    for (const file of trackedFiles) {
+      console.log(chalk5.red(`  tracked: ${file}`));
     }
     console.log();
     console.log(
-      chalk5.dim(`  Added:   ${Object.keys(diffResult.added).length}`)
-    );
-    console.log(
-      chalk5.dim(`  Changed: ${Object.keys(diffResult.changed).length}`)
-    );
-    console.log(
-      chalk5.dim(`  Removed: ${Object.keys(diffResult.removed).length}`)
+      chalk5.yellow(
+        "  Run the following to untrack them (without deleting the files):"
+      )
     );
-  } catch (err) {
-    await handleError(err);
+    for (const file of trackedFiles) {
+      console.log(chalk5.cyan(`    git rm --cached ${file}`));
+    }
+    console.log();
+    process.exit(1);
   }
-});
+}
 // src/commands/push.ts
 import { Command as Command4 } from "commander";
@@ -1310,14 +1658,36 @@ function validateEnvVars(vars) {
 var pushCommand = new Command4("push").description("Upload local .env file to cloud").option(
   "-e, --env <environment>",
   "Target environment (development, staging, production)"
-).option("-f, --file <path>", "Input file path (default: .env)").option("--merge", "Merge with existing variables (default)").option("--replace", "Replace all existing variables").option("--dry-run", "Show what would be uploaded without making changes").option("--force", "Skip confirmation").action(async (options) => {
+).option("-f, --file <path>", "Input file path (default: .env)").option("--merge", "Merge with existing variables (default)").option("--replace", "Replace all existing variables").option("--dry-run", "Show what would be uploaded without making changes").option("--force", "Skip confirmation").option("--project <name-or-id>", "Push to a specific linked project").action(async (options) => {
   try {
     if (!isAuthenticated()) {
       throw notAuthenticated();
     }
-    const projectConfig = readProjectConfig();
-    if (!projectConfig) {
-      throw notInitialized();
+    let projectId;
+    let organizationId;
+    let defaultEnvironment;
+    if (options.project) {
+      const configV2 = readProjectConfigV2();
+      if (!configV2) throw notInitialized();
+      const resolved = resolveProject(configV2, options.project);
+      if (!resolved) {
+        error(`Project not found: ${options.project}`);
+        console.log();
+        console.log("Linked projects:");
+        for (const p of configV2.projects) {
+          console.log(`  ${p.projectName || p.projectId} (${p.environment})`);
+        }
+        process.exit(1);
+      }
+      projectId = resolved.projectId;
+      organizationId = resolved.organizationId;
+      defaultEnvironment = resolved.environment;
+    } else {
+      const projectConfig = readProjectConfig();
+      if (!projectConfig) throw notInitialized();
+      projectId = projectConfig.projectId;
+      organizationId = projectConfig.organizationId;
+      defaultEnvironment = projectConfig.environment;
     }
     const trackedFiles = getTrackedEnvFiles();
     if (trackedFiles.length > 0) {
@@ -1339,10 +1709,8 @@ var pushCommand = new Command4("push").description("Upload local .env file to cl
       process.exit(1);
     }
     const api = createAPIClient();
-    const projects = await api.get("/api/cli/projects", { organizationId: projectConfig.organizationId });
-    const currentProject = projects.data?.find(
-      (p) => p._id === projectConfig.projectId
-    );
+    const projects = await api.get("/api/cli/projects", { organizationId });
+    const currentProject = projects.data?.find((p) => p._id === projectId);
     const projectRole = currentProject?.projectRole;
     if (projectRole === "viewer") {
       error(
@@ -1371,7 +1739,7 @@ var pushCommand = new Command4("push").description("Upload local .env file to cl
         }
       }
     }
-    const environment = options.env || projectConfig.environment || "development";
+    const environment = options.env || defaultEnvironment || "development";
     const inputPath = options.file || getEnvPathForEnvironment(environment);
     const mode = options.replace ? "replace" : "merge";
     const localVars = readEnvFile(inputPath);
@@ -1398,11 +1766,11 @@ var pushCommand = new Command4("push").description("Upload local .env file to cl
       "Fetching current variables...",
       async () => {
         const params = {
-          projectId: projectConfig.projectId,
+          projectId,
           environment
         };
-        if (projectConfig.organizationId) {
-          params.organizationId = projectConfig.organizationId;
+        if (organizationId) {
+          params.organizationId = organizationId;
         }
         const response = await api.get("/api/cli/variables", params);
         return response.data || [];
@@ -1466,16 +1834,14 @@ var pushCommand = new Command4("push").description("Upload local .env file to cl
       `Pushing variables to ${chalk6.bold(environment)}...`,
       async () => {
         const response = await api.post("/api/cli/variables/bulk", {
-          projectId: projectConfig.projectId,
+          projectId,
           environment,
           variables: Object.entries(valid).map(([key, value]) => ({
             key,
             value
           })),
           mode,
-          ...projectConfig.organizationId && {
-            organizationId: projectConfig.organizationId
-          }
+          ...organizationId && { organizationId }
         });
         return response.data;
       }
@@ -1515,16 +1881,48 @@ var pushCommand = new Command4("push").description("Upload local .env file to cl
 import { Command as Command5 } from "commander";
 import chalk7 from "chalk";
 import inquirer4 from "inquirer";
-var switchCommand = new Command5("switch").description("Switch project or environment").argument("[target]", "project slug or environment name").option("-o, --organization <id>", "Switch organization").option("-p, --project <id>", "Switch project").option(
+var switchCommand = new Command5("switch").description("Switch project, environment, or active linked project").argument("[target]", "project slug or environment name").option("-o, --organization <id>", "Switch organization").option("-p, --project <id>", "Switch project").option(
   "-e, --env <environment>",
   "Switch environment (development, staging, production)"
-).action(async (target, options) => {
+).option("--active <name-or-id>", "Set a linked project as active").action(async (target, options) => {
   try {
     if (!isAuthenticated()) {
       throw notAuthenticated();
     }
     const api = createAPIClient();
     const projectConfig = readProjectConfig();
+    if (options.active) {
+      const configV2 = readProjectConfigV2();
+      if (!configV2 || configV2.projects.length < 2) {
+        error(
+          "No multiple projects linked. Use `envpilot init --add` to link another project."
+        );
+        process.exit(1);
+      }
+      const target2 = configV2.projects.find(
+        (p) => p.projectId === options.active || p.projectName.toLowerCase() === options.active.toLowerCase()
+      );
+      if (!target2) {
+        error(`Project not found: ${options.active}`);
+        console.log();
+        console.log("Linked projects:");
+        for (const p of configV2.projects) {
+          const mark = p.projectId === configV2.activeProjectId ? chalk7.green(" *") : "";
+          console.log(
+            `  ${p.projectName || p.projectId} (${p.environment})${mark}`
+          );
+        }
+        process.exit(1);
+      }
+      const updated = setActiveProjectInConfig(configV2, target2.projectId);
+      writeProjectConfigV2(updated);
+      setActiveProjectId(target2.projectId);
+      setActiveOrganizationId(target2.organizationId);
+      success(
+        `Active project: ${chalk7.bold(target2.projectName || target2.projectId)}`
+      );
+      return;
+    }
     if (options.env || target && ["development", "staging", "production"].includes(target)) {
       const environment = options.env || target;
       if (!projectConfig) {
@@ -1566,6 +1964,25 @@ var switchCommand = new Command5("switch").description("Switch project or enviro
     }
     if (options.project || target) {
       const projectIdentifier = options.project || target;
+      const configV2 = readProjectConfigV2();
+      if (configV2) {
+        const linked = configV2.projects.find(
+          (p) => p.projectId === projectIdentifier || p.projectName.toLowerCase() === projectIdentifier.toLowerCase()
+        );
+        if (linked) {
+          const updated = setActiveProjectInConfig(
+            configV2,
+            linked.projectId
+          );
+          writeProjectConfigV2(updated);
+          setActiveProjectId(linked.projectId);
+          setActiveOrganizationId(linked.organizationId);
+          success(
+            `Switched to project: ${chalk7.bold(linked.projectName || linked.projectId)}`
+          );
+          return;
+        }
+      }
       let organizationId = projectConfig?.organizationId;
       if (!organizationId) {
         const organizations = await withSpinner(
@@ -1604,10 +2021,7 @@ var switchCommand = new Command5("switch").description("Switch project or enviro
         }
       }
       const projects = await withSpinner("Fetching projects...", async () => {
-        const response = await api.get(
-          "/api/cli/projects",
-          { organizationId }
-        );
+        const response = await api.get("/api/cli/projects", { organizationId });
         return response.data || [];
       });
       const project = projects.find(
@@ -1641,19 +2055,57 @@ var switchCommand = new Command5("switch").description("Switch project or enviro
       }
       return;
     }
-    if (!target && !options.project && !options.organization && !options.env) {
+    if (!target && !options.project && !options.organization && !options.env && !options.active) {
+      const configV2 = readProjectConfigV2();
+      const hasMultipleProjects = configV2 && configV2.projects.length > 1;
+      const choices = [];
+      if (hasMultipleProjects) {
+        choices.push({
+          name: "Active project",
+          value: "active"
+        });
+      }
+      choices.push(
+        { name: "Environment", value: "environment" },
+        { name: "Project", value: "project" },
+        { name: "Organization", value: "organization" }
+      );
       const { switchType } = await inquirer4.prompt([
         {
           type: "list",
           name: "switchType",
           message: "What would you like to switch?",
-          choices: [
-            { name: "Environment", value: "environment" },
-            { name: "Project", value: "project" },
-            { name: "Organization", value: "organization" }
-          ]
+          choices
         }
       ]);
+      if (switchType === "active" && configV2) {
+        const { projectId } = await inquirer4.prompt([
+          {
+            type: "list",
+            name: "projectId",
+            message: "Select active project:",
+            choices: configV2.projects.map((p) => {
+              const isActive = p.projectId === configV2.activeProjectId;
+              return {
+                name: `${p.projectName || p.projectId} (${p.environment})${isActive ? chalk7.green(" *current") : ""}`,
+                value: p.projectId
+              };
+            }),
+            default: configV2.activeProjectId
+          }
+        ]);
+        const selected = configV2.projects.find(
+          (p) => p.projectId === projectId
+        );
+        const updated = setActiveProjectInConfig(configV2, projectId);
+        writeProjectConfigV2(updated);
+        setActiveProjectId(projectId);
+        setActiveOrganizationId(selected.organizationId);
+        success(
+          `Active project: ${chalk7.bold(selected.projectName || selected.projectId)}`
+        );
+        return;
+      }
       if (switchType === "environment") {
         if (!projectConfig) {
           error("No project initialized. Run `envpilot init` first.");
@@ -1770,7 +2222,7 @@ import { Command as Command6 } from "commander";
 import chalk8 from "chalk";
 var listCommand = new Command6("list").description("List resources").argument(
   "[resource]",
-  "Resource type: projects, organizations, variables",
+  "Resource type: projects, organizations, variables, linked",
   "projects"
 ).option("-o, --organization <id>", "Organization ID (for projects/variables)").option("-p, --project <id>", "Project ID (for variables)").option("-e, --env <environment>", "Environment filter (for variables)").option("--show-values", "Show actual variable values (masked by default)").option("--json", "Output as JSON").action(async (resource, options) => {
   try {
@@ -1791,6 +2243,9 @@ var listCommand = new Command6("list").description("List resources").argument(
       case "variables":
         await listVariables(api, projectConfig, options);
         break;
+      case "linked":
+        listLinked();
+        break;
       default:
         error(`Unknown resource: ${resource}`);
         console.log();
@@ -1800,12 +2255,43 @@ var listCommand = new Command6("list").description("List resources").argument(
           "  projects              List projects in an organization"
         );
         console.log("  variables (vars)      List variables in a project");
+        console.log(
+          "  linked                List projects linked in this directory"
+        );
         process.exit(1);
     }
   } catch (err) {
     await handleError(err);
   }
 });
+function listLinked() {
+  const configV2 = readProjectConfigV2();
+  if (!configV2) {
+    info("No projects linked. Run `envpilot init` to get started.");
+    return;
+  }
+  header(`Linked Projects (${configV2.projects.length})`);
+  console.log();
+  for (const project of configV2.projects) {
+    const isActive = project.projectId === configV2.activeProjectId;
+    const marker = isActive ? chalk8.green("*") : " ";
+    const envFile = getEnvPathForEnvironment(project.environment);
+    console.log(
+      `  ${marker} ${chalk8.bold(project.projectName || project.projectId)} ${chalk8.dim(`(${project.organizationName || project.organizationId})`)}`
+    );
+    console.log(`    ${project.environment} ${chalk8.dim("\u2192")} ${envFile}`);
+    console.log();
+  }
+  if (configV2.projects.length > 1) {
+    console.log(chalk8.dim("  (* = active project)"));
+    console.log();
+    console.log(
+      chalk8.dim(
+        '  Use `envpilot switch --active "<name>"` to change the active project'
+      )
+    );
+  }
+}
 async function listOrganizations(api, options) {
   const organizations = await withSpinner(
     "Fetching organizations...",
@@ -2105,8 +2591,8 @@ async function handlePath() {
   ]);
 }
 async function handleReset() {
-  const inquirer5 = await import("inquirer");
-  const { confirm } = await inquirer5.default.prompt([
+  const inquirer6 = await import("inquirer");
+  const { confirm } = await inquirer6.default.prompt([
     {
       type: "confirm",
       name: "confirm",
@@ -2143,21 +2629,421 @@ var logoutCommand = new Command8("logout").description("Log out from Envpilot").
   }
 });
-// src/commands/usage.ts
+// src/commands/unlink.ts
 import { Command as Command9 } from "commander";
 import chalk10 from "chalk";
+import inquirer5 from "inquirer";
+var unlinkCommand = new Command9("unlink").description("Remove a linked project from this directory").argument("[project]", "Project name or ID to unlink").option("--force", "Skip confirmation").action(async (projectArg, options) => {
+  try {
+    if (!isAuthenticated()) {
+      throw notAuthenticated();
+    }
+    const config2 = readProjectConfigV2();
+    if (!config2 || config2.projects.length === 0) {
+      error("No projects linked. Run `envpilot init` first.");
+      process.exit(1);
+    }
+    let targetProject;
+    if (projectArg) {
+      targetProject = resolveProject(config2, projectArg);
+      if (!targetProject) {
+        error(`Project not found: ${projectArg}`);
+        console.log();
+        console.log("Linked projects:");
+        for (const p of config2.projects) {
+          console.log(
+            `  ${p.projectName || p.projectId} (${p.organizationName || p.organizationId})`
+          );
+        }
+        process.exit(1);
+      }
+    } else if (config2.projects.length > 1) {
+      const { projectId } = await inquirer5.prompt([
+        {
+          type: "list",
+          name: "projectId",
+          message: "Select a project to unlink:",
+          choices: config2.projects.map((p) => {
+            const isActive = p.projectId === config2.activeProjectId;
+            return {
+              name: `${p.projectName || p.projectId} (${p.organizationName || p.organizationId})${isActive ? chalk10.green(" *active") : ""}`,
+              value: p.projectId
+            };
+          })
+        }
+      ]);
+      targetProject = config2.projects.find((p) => p.projectId === projectId);
+    } else {
+      targetProject = config2.projects[0];
+    }
+    const displayName = targetProject.projectName || targetProject.projectId;
+    if (!options.force) {
+      const { proceed } = await inquirer5.prompt([
+        {
+          type: "confirm",
+          name: "proceed",
+          message: `Unlink "${displayName}"? Your .env files won't be deleted.`,
+          default: false
+        }
+      ]);
+      if (!proceed) {
+        info("Unlink cancelled.");
+        return;
+      }
+    }
+    const updated = removeProjectFromConfig(config2, targetProject.projectId);
+    if (!updated) {
+      deleteProjectConfig();
+      success(`Unlinked "${displayName}". No projects remaining.`);
+      info("Run `envpilot init` to link a new project.");
+    } else {
+      writeProjectConfigV2(updated);
+      const newActive = getActiveProject(updated);
+      if (newActive) {
+        setActiveProjectId(newActive.projectId);
+      }
+      success(`Unlinked "${displayName}".`);
+      if (config2.activeProjectId === targetProject.projectId && newActive) {
+        info(
+          `Active project switched to "${newActive.projectName || newActive.projectId}".`
+        );
+      }
+      console.log(
+        chalk10.dim(
+          `  ${updated.projects.length} project${updated.projects.length !== 1 ? "s" : ""} remaining`
+        )
+      );
+    }
+  } catch (err) {
+    await handleError(err);
+  }
+});
+// src/commands/sync.ts
+import { Command as Command10 } from "commander";
+import chalk11 from "chalk";
+// src/lib/commit-guard.ts
+import {
+  existsSync as existsSync3,
+  readFileSync as readFileSync3,
+  writeFileSync as writeFileSync3,
+  mkdirSync,
+  chmodSync as chmodSync2,
+  unlinkSync as unlinkSync2,
+  statSync
+} from "fs";
+import { join as join3, resolve } from "path";
+import { execSync as execSync2 } from "child_process";
+var HOOK_START_MARKER = "# ENVPILOT_GUARD_START";
+var HOOK_END_MARKER = "# ENVPILOT_GUARD_END";
+var HOOK_BLOCK = `${HOOK_START_MARKER} - Do not remove. Installed by Envpilot CLI.
+ENV_FILES=$(git diff --cached --name-only | grep -E '(^|/)\\.env($|\\.)' || true)
+if [ -n "$ENV_FILES" ]; then
+  echo ""
+  echo "\\033[1;31mERROR:\\033[0m Envpilot commit guard blocked this commit."
+  echo ""
+  echo "The following .env files were staged:"
+  echo "$ENV_FILES" | while IFS= read -r f; do echo "  - $f"; done
+  echo ""
+  echo "Remove them with: git reset HEAD <file>"
+  echo "To bypass (not recommended): git commit --no-verify"
+  exit 1
+fi
+${HOOK_END_MARKER}`;
+function findGitRoot(startDir) {
+  let dir = startDir || process.cwd();
+  while (true) {
+    if (existsSync3(join3(dir, ".git"))) {
+      return dir;
+    }
+    const parent = resolve(dir, "..");
+    if (parent === dir) {
+      return null;
+    }
+    dir = parent;
+  }
+}
+function resolveGitDir(repoRoot) {
+  const gitPath = join3(repoRoot, ".git");
+  try {
+    const stat = statSync(gitPath);
+    if (stat.isDirectory()) {
+      return gitPath;
+    }
+  } catch {
+    return gitPath;
+  }
+  try {
+    const content = readFileSync3(gitPath, "utf-8").trim();
+    const match = content.match(/^gitdir:\s*(.+)$/);
+    if (match) {
+      const gitdir = resolve(repoRoot, match[1]);
+      const commonDir = resolve(gitdir, "..", "..");
+      if (existsSync3(join3(commonDir, "hooks")) || existsSync3(commonDir)) {
+        return commonDir;
+      }
+      return gitdir;
+    }
+  } catch {
+  }
+  return gitPath;
+}
+function getHooksDir(repoRoot) {
+  try {
+    const customPath = execSync2("git config core.hooksPath", {
+      cwd: repoRoot,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (customPath) {
+      return resolve(repoRoot, customPath);
+    }
+  } catch {
+  }
+  const gitDir = resolveGitDir(repoRoot);
+  return join3(gitDir, "hooks");
+}
+function installCommitGuard(repoRoot) {
+  const root = repoRoot || findGitRoot();
+  if (!root) {
+    return {
+      installed: false,
+      hookPath: null,
+      message: "Not a git repository"
+    };
+  }
+  try {
+    const hooksDir = getHooksDir(root);
+    const hookPath = join3(hooksDir, "pre-commit");
+    mkdirSync(hooksDir, { recursive: true });
+    let existingContent = "";
+    try {
+      existingContent = readFileSync3(hookPath, "utf-8");
+    } catch {
+    }
+    if (existingContent.includes(HOOK_START_MARKER)) {
+      const startIdx = existingContent.indexOf(HOOK_START_MARKER);
+      const endIdx = existingContent.indexOf(HOOK_END_MARKER) + HOOK_END_MARKER.length;
+      const updated = existingContent.substring(0, startIdx) + HOOK_BLOCK + existingContent.substring(endIdx);
+      writeFileSync3(hookPath, updated, "utf-8");
+      chmodSync2(hookPath, 493);
+      return {
+        installed: true,
+        hookPath,
+        message: "Pre-commit hook updated"
+      };
+    }
+    let newContent;
+    if (existingContent.trim()) {
+      newContent = existingContent.trimEnd() + "\n\n" + HOOK_BLOCK + "\n";
+    } else {
+      newContent = "#!/bin/sh\n\n" + HOOK_BLOCK + "\n";
+    }
+    writeFileSync3(hookPath, newContent, "utf-8");
+    chmodSync2(hookPath, 493);
+    return {
+      installed: true,
+      hookPath,
+      message: "Pre-commit hook installed"
+    };
+  } catch (err) {
+    return {
+      installed: false,
+      hookPath: null,
+      message: `Failed to install hook: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+}
+// src/commands/sync.ts
+var syncCommand = new Command10("sync").description(
+  "Login, select project, pull variables, and protect files \u2014 all in one command"
+).option("-o, --organization <id>", "Organization ID").option("-p, --project <id>", "Project ID or name").option(
+  "-e, --env <environment>",
+  "Environment (development, staging, production)"
+).option("--force", "Overwrite without confirmation").option("--no-guard", "Skip pre-commit hook installation").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      console.log();
+      info("Not logged in. Starting authentication...");
+      console.log();
+      await performLogin();
+      console.log();
+    } else {
+      info("Already authenticated.");
+    }
+    ensureEnvInGitignore();
+    if (options.guard !== false) {
+      const guardResult = installCommitGuard();
+      if (guardResult.installed) {
+        success(guardResult.message);
+        info("Staged .env files will be blocked from commits.");
+      } else if (guardResult.message !== "Not a git repository") {
+        warning(guardResult.message);
+      }
+    }
+    console.log();
+    let projectId;
+    let organizationId;
+    let environment;
+    let projectName;
+    let organizationName;
+    const existingConfig = readProjectConfigV2();
+    if (existingConfig && !options.organization && !options.project && !options.env) {
+      const active = getActiveProject(existingConfig);
+      if (active) {
+        projectId = active.projectId;
+        organizationId = active.organizationId;
+        environment = active.environment;
+        projectName = active.projectName;
+        organizationName = active.organizationName;
+        info(
+          `Using project ${chalk11.bold(projectName || projectId)} (${environment})`
+        );
+      } else {
+        const selection = await selectOrgProjectEnv(options);
+        projectId = selection.selectedProject._id;
+        organizationId = selection.selectedOrg._id;
+        environment = selection.selectedEnvironment;
+        projectName = selection.selectedProject.name;
+        organizationName = selection.selectedOrg.name;
+      }
+    } else {
+      const selection = await selectOrgProjectEnv({
+        organization: options.organization,
+        project: options.project,
+        environment: options.env
+      });
+      projectId = selection.selectedProject._id;
+      organizationId = selection.selectedOrg._id;
+      environment = selection.selectedEnvironment;
+      projectName = selection.selectedProject.name;
+      organizationName = selection.selectedOrg.name;
+      if (selection.selectedOrg.role) {
+        setRole(selection.selectedOrg.role);
+      }
+      writeProjectConfigV2({
+        version: 1,
+        activeProjectId: projectId,
+        projects: existingConfig ? [
+          ...existingConfig.projects.filter(
+            (p) => p.projectId !== projectId
+          ),
+          {
+            projectId,
+            organizationId,
+            projectName,
+            organizationName,
+            environment
+          }
+        ] : [
+          {
+            projectId,
+            organizationId,
+            projectName,
+            organizationName,
+            environment
+          }
+        ]
+      });
+      setActiveOrganizationId(organizationId);
+      setActiveProjectId(projectId);
+    }
+    console.log();
+    let metaProjectRole;
+    const variables = await withSpinner(
+      `Fetching ${chalk11.bold(environment)} variables...`,
+      async () => {
+        const api = createAPIClient();
+        const response = await api.get("/api/cli/variables", {
+          projectId,
+          environment,
+          ...organizationId && { organizationId }
+        });
+        metaProjectRole = response.meta?.projectRole;
+        return response.data || [];
+      }
+    );
+    const outputPath = getEnvPathForEnvironment(environment);
+    if (variables.length === 0) {
+      warning(`No variables found for ${environment} environment.`);
+      console.log();
+      return;
+    }
+    const remoteVars = {};
+    for (const variable of variables) {
+      remoteVars[variable.key] = variable.value;
+    }
+    const localVars = readEnvFile(outputPath) || {};
+    const diffResult = diffEnvVars(remoteVars, localVars);
+    const hasChanges = Object.keys(diffResult.added).length > 0 || Object.keys(diffResult.removed).length > 0 || Object.keys(diffResult.changed).length > 0;
+    if (!hasChanges) {
+      success(`${chalk11.bold(outputPath)} is up to date.`);
+      console.log();
+      return;
+    }
+    console.log();
+    console.log(chalk11.bold("Changes:"));
+    console.log();
+    diff(diffResult.added, diffResult.removed, diffResult.changed);
+    console.log();
+    try {
+      const fs = await import("fs");
+      if (fs.existsSync(outputPath)) {
+        fs.chmodSync(outputPath, 420);
+      }
+    } catch {
+    }
+    const comments = {};
+    for (const variable of variables) {
+      if (variable.description) {
+        comments[variable.key] = variable.description;
+      }
+    }
+    writeEnvFile(outputPath, remoteVars, { sort: true, comments });
+    const role = getRole();
+    applyFileProtection(outputPath, role, metaProjectRole);
+    success(
+      `Synced ${variables.length} variables to ${chalk11.bold(outputPath)}`
+    );
+    const isProtected = role !== "admin" && role !== "team_lead" && metaProjectRole !== "manager";
+    if (isProtected) {
+      info(
+        `File is read-only (your role: ${role || metaProjectRole || "member"}).`
+      );
+    }
+    console.log();
+    console.log(
+      chalk11.dim(`  Added:   ${Object.keys(diffResult.added).length}`)
+    );
+    console.log(
+      chalk11.dim(`  Changed: ${Object.keys(diffResult.changed).length}`)
+    );
+    console.log(
+      chalk11.dim(`  Removed: ${Object.keys(diffResult.removed).length}`)
+    );
+    console.log();
+  } catch (err) {
+    await handleError(err);
+  }
+});
+// src/commands/usage.ts
+import { Command as Command11 } from "commander";
+import chalk12 from "chalk";
 function formatUsage(current, limit) {
   const limitStr = limit === null ? "unlimited" : String(limit);
   const ratio = `${current}/${limitStr}`;
-  if (limit === null) return chalk10.green(ratio);
-  if (current >= limit) return chalk10.red(ratio);
-  if (current >= limit * 0.8) return chalk10.yellow(ratio);
-  return chalk10.green(ratio);
+  if (limit === null) return chalk12.green(ratio);
+  if (current >= limit) return chalk12.red(ratio);
+  if (current >= limit * 0.8) return chalk12.yellow(ratio);
+  return chalk12.green(ratio);
 }
 function featureStatus(enabled) {
-  return enabled ? chalk10.green("Enabled") : chalk10.dim("Disabled (Pro)");
+  return enabled ? chalk12.green("Enabled") : chalk12.dim("Disabled (Pro)");
 }
-var usageCommand = new Command9("usage").description("Show plan usage and limits for the active organization").option("-o, --organization <id>", "Organization ID").option("--json", "Output as JSON").action(async (options) => {
+var usageCommand = new Command11("usage").description("Show plan usage and limits for the active organization").option("-o, --organization <id>", "Organization ID").option("--json", "Output as JSON").action(async (options) => {
   try {
     if (!isAuthenticated()) {
       throw notAuthenticated();
@@ -2200,7 +3086,7 @@ var usageCommand = new Command9("usage").description("Show plan usage and limits
       console.log(JSON.stringify(usage, null, 2));
       return;
     }
-    const tierLabel = usage.tier === "pro" ? chalk10.green("Pro") : chalk10.white("Free");
+    const tierLabel = usage.tier === "pro" ? chalk12.green("Pro") : chalk12.white("Free");
     header(`Plan: ${tierLabel}`);
     blank();
     if (!usage.enforcementEnabled) {
@@ -2252,10 +3138,55 @@ var usageCommand = new Command9("usage").description("Show plan usage and limits
   }
 });
+// src/lib/version-check.ts
+import chalk13 from "chalk";
+import Conf2 from "conf";
+var CLI_VERSION = "1.3.1";
+var CHECK_INTERVAL = 60 * 60 * 1e3;
+var _cache = null;
+function getCache() {
+  if (!_cache) {
+    _cache = new Conf2({
+      projectName: "envpilot",
+      configName: "version-cache"
+    });
+  }
+  return _cache;
+}
+function checkForUpdate() {
+  const cache = getCache();
+  const lastCheck = cache.get("lastVersionCheck");
+  if (lastCheck && Date.now() - lastCheck < CHECK_INTERVAL) return;
+  const apiUrl = getApiUrl();
+  fetch(`${apiUrl}/api/version`, { signal: AbortSignal.timeout(5e3) }).then((res) => {
+    if (!res.ok) return;
+    return res.json();
+  }).then((data) => {
+    if (!data?.cli) return;
+    cache.set("lastVersionCheck", Date.now());
+    if (data.cli !== CLI_VERSION) {
+      console.log();
+      console.log(
+        chalk13.yellow("  Update available:"),
+        chalk13.dim(CLI_VERSION),
+        chalk13.yellow("\u2192"),
+        chalk13.green(data.cli)
+      );
+      console.log(
+        chalk13.dim("  Run"),
+        chalk13.cyan("npm update -g @envpilot/cli"),
+        chalk13.dim("to update")
+      );
+      console.log();
+    }
+  }).catch(() => {
+  });
+}
 // src/index.ts
 initSentry();
-var program = new Command10();
-program.name("envpilot").description("Envpilot CLI - Sync, secure, and share environment variables").version("1.3.0");
+var program = new Command12();
+program.name("envpilot").description("Envpilot CLI - Sync, secure, and share environment variables").version("1.3.2");
 program.addCommand(loginCommand);
 program.addCommand(logoutCommand);
 program.addCommand(initCommand);
@@ -2264,5 +3195,10 @@ program.addCommand(pushCommand);
 program.addCommand(switchCommand);
 program.addCommand(listCommand);
 program.addCommand(configCommand);
+program.addCommand(unlinkCommand);
+program.addCommand(syncCommand);
 program.addCommand(usageCommand);
+program.hook("postAction", () => {
+  checkForUpdate();
+});
 program.parse();