@keywaysh/cli 0.0.1 → 0.0.3

package/dist/cli.js

@@ -1,138 +1,1337 @@
 #!/usr/bin/env node
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 
 // src/cli.ts
-var import_commander = require("commander");
-var import_chalk = __toESM(require("chalk"));
-var import_child_process = require("child_process");
-var program = new import_commander.Command();
-var COMING_SOON_MESSAGE = import_chalk.default.cyan(`
-\u{1F6A7} Keyway is coming soon!
-
-We're building the simplest way to manage your team's secrets.
-One link in your README = instant access to all secrets.
-
-${import_chalk.default.white("Get early access:")} ${import_chalk.default.underline("https://keyway.sh")}
-${import_chalk.default.white("Contact:")} ${import_chalk.default.underline("unlock@keyway.sh")}
-`);
-program.name("keyway").description("One link to all your secrets (Coming Soon)").version("0.0.1");
-program.command("init").description("Initialize Keyway in your project").action(async () => {
-  console.log(import_chalk.default.cyan("\n\u{1F511} Keyway Init (Preview)\n"));
-  try {
-    const gitRemote = (0, import_child_process.execSync)("git remote get-url origin", { encoding: "utf-8" }).trim();
-    let repoPath;
-    if (gitRemote.includes("github.com")) {
-      const match = gitRemote.match(/github\.com[:/](.+?)(\.git)?$/);
+import { Command } from "commander";
+import chalk7 from "chalk";
+
+// src/cmds/init.ts
+import chalk3 from "chalk";
+
+// src/utils/git.ts
+import { execSync } from "child_process";
+function getCurrentRepoFullName() {
+  try {
+    if (!isGitRepository()) {
+      throw new Error("Not in a git repository");
+    }
+    const remoteUrl = execSync("git config --get remote.origin.url", {
+      encoding: "utf-8"
+    }).trim();
+    return parseGitHubUrl(remoteUrl);
+  } catch (error) {
+    throw new Error("Failed to get repository name. Make sure you are in a git repository with a GitHub remote.");
+  }
+}
+function isGitRepository() {
+  try {
+    execSync("git rev-parse --is-inside-work-tree", {
+      encoding: "utf-8",
+      stdio: "pipe"
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function detectGitRepo() {
+  try {
+    const remoteUrl = execSync("git remote get-url origin", {
+      encoding: "utf-8",
+      stdio: "pipe"
+    }).trim();
+    return parseGitHubUrl(remoteUrl);
+  } catch {
+    return null;
+  }
+}
+function parseGitHubUrl(url) {
+  const sshMatch = url.match(/git@github\.com:(.+)\/(.+)\.git/);
+  if (sshMatch) {
+    return `${sshMatch[1]}/${sshMatch[2]}`;
+  }
+  const httpsMatch = url.match(/https:\/\/github\.com\/(.+)\/(.+)\.git/);
+  if (httpsMatch) {
+    return `${httpsMatch[1]}/${httpsMatch[2]}`;
+  }
+  const httpsMatch2 = url.match(/https:\/\/github\.com\/(.+)\/(.+)/);
+  if (httpsMatch2) {
+    return `${httpsMatch2[1]}/${httpsMatch2[2]}`;
+  }
+  throw new Error(`Invalid GitHub URL: ${url}`);
+}
+
+// src/config/internal.ts
+var INTERNAL_API_URL = "https://api.keyway.sh";
+var INTERNAL_POSTHOG_KEY = "phc_duG0qqI5z8LeHrS9pNxR5KaD4djgD0nmzUxuD3zP0ov";
+var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
+
+// src/utils/api.ts
+var API_BASE_URL = process.env.KEYWAY_API_URL || INTERNAL_API_URL;
+var APIError = class extends Error {
+  constructor(statusCode, error, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.error = error;
+    this.name = "APIError";
+  }
+};
+async function handleResponse(response) {
+  const contentType = response.headers.get("content-type") || "";
+  const text = await response.text();
+  if (!response.ok) {
+    if (contentType.includes("application/json")) {
+      try {
+        const error = JSON.parse(text);
+        throw new APIError(response.status, error.error, error.message);
+      } catch {
+        throw new APIError(response.status, "http_error", text || `HTTP ${response.status}`);
+      }
+    }
+    throw new APIError(response.status, "http_error", text || `HTTP ${response.status}`);
+  }
+  if (!text) {
+    return {};
+  }
+  if (contentType.includes("application/json")) {
+    try {
+      return JSON.parse(text);
+    } catch {
+    }
+  }
+  return { content: text };
+}
+async function initVault(repoFullName, accessToken) {
+  const body = { repoFullName };
+  const headers = { "Content-Type": "application/json" };
+  if (accessToken) {
+    headers.Authorization = `Bearer ${accessToken}`;
+  }
+  const response = await fetch(`${API_BASE_URL}/vaults/init`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body)
+  });
+  return handleResponse(response);
+}
+async function pushSecrets(repoFullName, environment, content, accessToken) {
+  const body = { content };
+  const headers = { "Content-Type": "application/json" };
+  if (accessToken) {
+    headers.Authorization = `Bearer ${accessToken}`;
+  }
+  const encodedRepo = encodeURIComponent(repoFullName);
+  const response = await fetch(
+    `${API_BASE_URL}/vaults/${encodedRepo}/${environment}/push`,
+    {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body)
+    }
+  );
+  return handleResponse(response);
+}
+async function pullSecrets(repoFullName, environment, accessToken) {
+  const encodedRepo = encodeURIComponent(repoFullName);
+  const headers = { "Content-Type": "application/json" };
+  if (accessToken) {
+    headers.Authorization = `Bearer ${accessToken}`;
+  }
+  const response = await fetch(
+    `${API_BASE_URL}/vaults/${encodedRepo}/${environment}/pull`,
+    {
+      method: "GET",
+      headers
+    }
+  );
+  return handleResponse(response);
+}
+async function startDeviceLogin(repository) {
+  const response = await fetch(`${API_BASE_URL}/auth/device/start`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(repository ? { repository } : {})
+  });
+  return handleResponse(response);
+}
+async function pollDeviceLogin(deviceCode) {
+  const response = await fetch(`${API_BASE_URL}/auth/device/poll`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ deviceCode })
+  });
+  return handleResponse(response);
+}
+async function validateToken(token) {
+  const response = await fetch(`${API_BASE_URL}/auth/token/validate`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`
+    },
+    body: JSON.stringify({})
+  });
+  return handleResponse(response);
+}
+
+// src/utils/analytics.ts
+import { PostHog } from "posthog-node";
+import crypto from "crypto";
+import path from "path";
+import os from "os";
+import fs from "fs";
+
+// package.json
+var package_default = {
+  name: "@keywaysh/cli",
+  version: "0.0.3",
+  description: "One link to all your secrets",
+  type: "module",
+  bin: {
+    keyway: "./dist/cli.js"
+  },
+  main: "./dist/cli.js",
+  files: [
+    "dist"
+  ],
+  scripts: {
+    dev: "pnpm exec tsx src/cli.ts",
+    build: "pnpm exec tsup",
+    "build:watch": "pnpm exec tsup --watch",
+    prepublishOnly: "pnpm run build",
+    test: "pnpm exec vitest run",
+    "test:watch": "pnpm exec vitest"
+  },
+  keywords: [
+    "secrets",
+    "env",
+    "keyway",
+    "cli",
+    "devops"
+  ],
+  author: "Nicolas Ritouet",
+  license: "MIT",
+  homepage: "https://keyway.sh",
+  repository: {
+    type: "git",
+    url: "https://github.com/keywaysh/cli.git"
+  },
+  bugs: {
+    url: "https://github.com/keywaysh/cli/issues"
+  },
+  packageManager: "pnpm@10.6.1",
+  engines: {
+    node: ">=18.0.0"
+  },
+  dependencies: {
+    chalk: "^4.1.2",
+    commander: "^14.0.0",
+    conf: "^15.0.2",
+    open: "^11.0.0",
+    "posthog-node": "^3.5.0",
+    prompts: "^2.4.2"
+  },
+  devDependencies: {
+    "@types/node": "^24.2.0",
+    "@types/prompts": "^2.4.9",
+    tsup: "^8.5.0",
+    tsx: "^4.20.3",
+    typescript: "^5.9.2",
+    vitest: "^3.2.4"
+  }
+};
+
+// src/utils/analytics.ts
+var posthog = null;
+var distinctId = null;
+var CONFIG_DIR = path.join(os.homedir(), ".config", "keyway");
+var ID_FILE = path.join(CONFIG_DIR, "id.json");
+var TELEMETRY_DISABLED = process.env.KEYWAY_DISABLE_TELEMETRY === "1";
+var CI = process.env.CI === "true" || process.env.CI === "1";
+function getDistinctId() {
+  if (distinctId) return distinctId;
+  try {
+    if (!fs.existsSync(CONFIG_DIR)) {
+      fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    if (fs.existsSync(ID_FILE)) {
+      const content = fs.readFileSync(ID_FILE, "utf-8");
+      const config2 = JSON.parse(content);
+      distinctId = config2.distinctId;
+      return distinctId;
+    }
+    distinctId = crypto.randomUUID();
+    const config = { distinctId };
+    fs.writeFileSync(ID_FILE, JSON.stringify(config, null, 2), { encoding: "utf-8", mode: 384 });
+    try {
+      fs.chmodSync(ID_FILE, 384);
+    } catch {
+    }
+    return distinctId;
+  } catch (error) {
+    console.warn("Failed to persist distinct ID, using session-based ID");
+    distinctId = `session-${crypto.randomUUID()}`;
+    return distinctId;
+  }
+}
+function initPostHog() {
+  if (posthog) return;
+  if (TELEMETRY_DISABLED) return;
+  const apiKey = process.env.KEYWAY_POSTHOG_KEY || INTERNAL_POSTHOG_KEY;
+  if (!apiKey) return;
+  posthog = new PostHog(apiKey, {
+    host: process.env.KEYWAY_POSTHOG_HOST || INTERNAL_POSTHOG_HOST
+  });
+}
+function trackEvent(event, properties) {
+  try {
+    if (TELEMETRY_DISABLED) return;
+    if (!posthog) initPostHog();
+    if (!posthog) return;
+    const id = getDistinctId();
+    const sanitizedProperties = properties ? sanitizeProperties(properties) : {};
+    posthog.capture({
+      distinctId: id,
+      event,
+      properties: {
+        ...sanitizedProperties,
+        source: "cli",
+        platform: process.platform,
+        nodeVersion: process.version,
+        version: package_default.version,
+        ci: CI
+      }
+    });
+  } catch (error) {
+    console.debug("Analytics error:", error);
+  }
+}
+function sanitizeProperties(properties) {
+  const sanitized = {};
+  for (const [key, value] of Object.entries(properties)) {
+    if (key.toLowerCase().includes("secret") || key.toLowerCase().includes("token") || key.toLowerCase().includes("password") || key.toLowerCase().includes("content") || key.toLowerCase().includes("key") || key.toLowerCase().includes("value")) {
+      continue;
+    }
+    if (value && typeof value === "string" && value.length > 500) {
+      sanitized[key] = `${value.slice(0, 200)}...`;
+      continue;
+    }
+    sanitized[key] = value;
+  }
+  return sanitized;
+}
+async function shutdownAnalytics() {
+  if (posthog) {
+    await posthog.shutdown();
+  }
+}
+var AnalyticsEvents = {
+  CLI_INIT: "cli_init",
+  CLI_PUSH: "cli_push",
+  CLI_PULL: "cli_pull",
+  CLI_ERROR: "cli_error",
+  CLI_LOGIN: "cli_login",
+  CLI_DOCTOR: "cli_doctor"
+};
+
+// src/cmds/login.ts
+import chalk from "chalk";
+import readline from "readline";
+import open from "open";
+import prompts from "prompts";
+
+// src/utils/auth.ts
+import Conf from "conf";
+var store = new Conf({
+  projectName: "keyway",
+  configName: "config",
+  fileMode: 384
+});
+function isExpired(auth) {
+  if (!auth.expiresAt) return false;
+  const expires = Date.parse(auth.expiresAt);
+  if (Number.isNaN(expires)) return false;
+  return expires <= Date.now();
+}
+function getStoredAuth() {
+  const auth = store.get("auth");
+  if (auth && isExpired(auth)) {
+    clearAuth();
+    return null;
+  }
+  return auth ?? null;
+}
+function saveAuthToken(token, meta) {
+  const auth = {
+    keywayToken: token,
+    githubLogin: meta?.githubLogin,
+    expiresAt: meta?.expiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  store.set("auth", auth);
+}
+function clearAuth() {
+  store.delete("auth");
+}
+function getAuthFilePath() {
+  return store.path;
+}
+
+// src/cmds/login.ts
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isInteractive() {
+  return Boolean(process.stdout.isTTY && process.stdin.isTTY && !process.env.CI);
+}
+async function promptYesNo(question, defaultYes = true) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(question, (answer) => {
+      rl.close();
+      const normalized = answer.trim().toLowerCase();
+      if (!normalized) return resolve(defaultYes);
+      if (["y", "yes"].includes(normalized)) return resolve(true);
+      if (["n", "no"].includes(normalized)) return resolve(false);
+      return resolve(defaultYes);
+    });
+  });
+}
+async function runLoginFlow() {
+  console.log(chalk.blue("\u{1F510} Starting Keyway login...\n"));
+  const repoName = detectGitRepo();
+  const start = await startDeviceLogin(repoName);
+  const verifyUrl = start.verificationUriComplete || start.verificationUri;
+  if (!verifyUrl) {
+    throw new Error("Missing verification URL from the auth server.");
+  }
+  console.log(`Code: ${chalk.green.bold(start.userCode)}`);
+  console.log("Waiting for auth...");
+  open(verifyUrl).catch(() => {
+    console.log(chalk.gray(`Open this URL in your browser: ${verifyUrl}`));
+  });
+  const pollIntervalMs = (start.interval ?? 5) * 1e3;
+  while (true) {
+    await sleep(pollIntervalMs);
+    const result = await pollDeviceLogin(start.deviceCode);
+    if (result.status === "pending") {
+      continue;
+    }
+    if (result.status === "approved" && result.keywayToken) {
+      saveAuthToken(result.keywayToken, {
+        githubLogin: result.githubLogin,
+        expiresAt: result.expiresAt
+      });
+      trackEvent(AnalyticsEvents.CLI_LOGIN, {
+        method: "device",
+        repo: repoName
+      });
+      console.log(chalk.green("\n\u2713 Login successful"));
+      if (result.githubLogin) {
+        console.log(`Authenticated GitHub user: ${chalk.cyan(result.githubLogin)}`);
+      }
+      return result.keywayToken;
+    }
+    throw new Error(result.message || "Authentication failed");
+  }
+}
+async function ensureLogin(options = {}) {
+  const envToken = process.env.KEYWAY_TOKEN || process.env.GITHUB_TOKEN;
+  if (envToken) {
+    return envToken;
+  }
+  const stored = getStoredAuth();
+  if (stored?.keywayToken) {
+    return stored.keywayToken;
+  }
+  const allowPrompt = options.allowPrompt !== false;
+  const canPrompt = allowPrompt && isInteractive();
+  if (!canPrompt) {
+    throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
+  }
+  const proceed = await promptYesNo("No Keyway session found. Open the browser to sign in now? (Y/n) ");
+  if (!proceed) {
+    throw new Error("Login required. Aborting.");
+  }
+  return runLoginFlow();
+}
+async function runTokenLogin() {
+  const repoName = detectGitRepo();
+  if (repoName) {
+    console.log(`\u{1F4C1} Detected: ${chalk.cyan(repoName)}`);
+  }
+  const description = repoName ? `Keyway CLI for ${repoName}` : "Keyway CLI";
+  const url = `https://github.com/settings/personal-access-tokens/new?description=${encodeURIComponent(description)}`;
+  console.log("Opening GitHub...");
+  open(url).catch(() => {
+    console.log(chalk.gray(`Open this URL in your browser: ${url}`));
+  });
+  console.log(chalk.gray("Select the detected repo (or scope manually)."));
+  console.log(chalk.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
+  const { token } = await prompts(
+    {
+      type: "password",
+      name: "token",
+      message: "Paste token:",
+      validate: (value) => {
+        if (!value || typeof value !== "string") return "Token is required";
+        if (!value.startsWith("github_pat_")) return "Token must start with github_pat_";
+        return true;
+      }
+    },
+    {
+      onCancel: () => {
+        throw new Error("Login cancelled.");
+      }
+    }
+  );
+  if (!token || typeof token !== "string") {
+    throw new Error("Token is required.");
+  }
+  const trimmedToken = token.trim();
+  if (!trimmedToken.startsWith("github_pat_")) {
+    throw new Error("Token must start with github_pat_.");
+  }
+  const validation = await validateToken(trimmedToken);
+  saveAuthToken(trimmedToken, {
+    githubLogin: validation.username
+  });
+  trackEvent(AnalyticsEvents.CLI_LOGIN, {
+    method: "pat",
+    repo: repoName
+  });
+  console.log(chalk.green("\u2705 Authenticated"), `as ${chalk.cyan(`@${validation.username}`)}`);
+  return trimmedToken;
+}
+async function loginCommand(options = {}) {
+  try {
+    if (options.token) {
+      await runTokenLogin();
+    } else {
+      await runLoginFlow();
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unexpected login error";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "login",
+      error: message.slice(0, 200)
+    });
+    console.error(chalk.red(`
+\u2717 ${message}`));
+    process.exit(1);
+  }
+}
+async function logoutCommand() {
+  clearAuth();
+  console.log(chalk.green("\u2713 Logged out of Keyway"));
+  console.log(chalk.gray(`Auth cache cleared: ${getAuthFilePath()}`));
+}
+
+// src/cmds/readme.ts
+import fs2 from "fs";
+import path2 from "path";
+import prompts2 from "prompts";
+import chalk2 from "chalk";
+function generateBadge(repo) {
+  return `[![Keyway Secrets](https://keyway.sh/badge.svg?repo=${repo})](https://keyway.sh/repo/${repo})`;
+}
+function insertBadgeIntoReadme(readmeContent, badge) {
+  if (readmeContent.includes("keyway.sh/badge.svg")) {
+    return readmeContent;
+  }
+  const lines = readmeContent.split(/\r?\n/);
+  const titleIndex = lines.findIndex((line) => /^#\s+/.test(line.trim()));
+  if (titleIndex !== -1) {
+    const before = lines.slice(0, titleIndex + 1);
+    const after = lines.slice(titleIndex + 1);
+    const newLines = [...before, "", badge, "", ...after];
+    return newLines.join("\n");
+  }
+  return `${badge}
+
+${readmeContent}`;
+}
+function findReadmePath(cwd) {
+  const candidates = ["README.md", "readme.md", "Readme.md"];
+  for (const candidate of candidates) {
+    const candidatePath = path2.join(cwd, candidate);
+    if (fs2.existsSync(candidatePath)) {
+      return candidatePath;
+    }
+  }
+  return null;
+}
+async function ensureReadme(repoName, cwd) {
+  const existing = findReadmePath(cwd);
+  if (existing) return existing;
+  const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
+  if (!isInteractive2) {
+    console.log(chalk2.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
+    return null;
+  }
+  const { confirm } = await prompts2(
+    {
+      type: "confirm",
+      name: "confirm",
+      message: "No README found. Create a default README.md?",
+      initial: false
+    },
+    {
+      onCancel: () => ({ confirm: false })
+    }
+  );
+  if (!confirm) {
+    console.log(chalk2.yellow("Skipping badge insertion (no README)."));
+    return null;
+  }
+  const defaultPath = path2.join(cwd, "README.md");
+  const content = `# ${repoName}
+
+`;
+  fs2.writeFileSync(defaultPath, content, "utf-8");
+  return defaultPath;
+}
+async function addBadgeToReadme() {
+  const repo = detectGitRepo();
+  if (!repo) {
+    throw new Error("This directory is not a Git repository.");
+  }
+  const cwd = process.cwd();
+  const readmePath = await ensureReadme(repo, cwd);
+  if (!readmePath) return;
+  const badge = generateBadge(repo);
+  const content = fs2.readFileSync(readmePath, "utf-8");
+  const updated = insertBadgeIntoReadme(content, badge);
+  if (updated === content) {
+    console.log(chalk2.gray("Keyway badge already present in README."));
+    return;
+  }
+  fs2.writeFileSync(readmePath, updated, "utf-8");
+  console.log(chalk2.green(`\u2713 Keyway badge added to ${path2.basename(readmePath)}`));
+}
+
+// src/cmds/init.ts
+async function initCommand(options = {}) {
+  try {
+    console.log(chalk3.blue("\u{1F510} Initializing Keyway vault...\n"));
+    const repoFullName = getCurrentRepoFullName();
+    console.log(`Repository: ${chalk3.cyan(repoFullName)}`);
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName });
+    console.log("\nInitializing vault...");
+    const response = await initVault(repoFullName, accessToken);
+    console.log(chalk3.green("\n\u2713 " + response.message));
+    console.log(`
+Vault ID: ${chalk3.gray(response.vaultId)}`);
+    console.log("\nNext steps:");
+    console.log(`  1. Create a ${chalk3.cyan(".env")} file with your secrets`);
+    console.log(`  2. Run ${chalk3.cyan("keyway push")} to upload your secrets`);
+    try {
+      await addBadgeToReadme();
+    } catch (badgeError) {
+      console.log(chalk3.yellow("Badge insertion skipped:"), badgeError instanceof Error ? badgeError.message : String(badgeError));
+    }
+    await shutdownAnalytics();
+  } catch (error) {
+    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? error.message.slice(0, 200) : "Unknown error";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "init",
+      error: message
+    });
+    await shutdownAnalytics();
+    console.error(chalk3.red(`
+\u2717 Error: ${message}`));
+    process.exit(1);
+  }
+}
+
+// src/cmds/push.ts
+import chalk4 from "chalk";
+import fs3 from "fs";
+import path3 from "path";
+import prompts3 from "prompts";
+function deriveEnvFromFile(file) {
+  const base = path3.basename(file);
+  const match = base.match(/\.env(?:\.(.+))?$/);
+  if (match) {
+    return match[1] || "development";
+  }
+  return "development";
+}
+function discoverEnvCandidates(cwd) {
+  try {
+    const entries = fs3.readdirSync(cwd);
+    const hasEnvLocal = entries.includes(".env.local");
+    if (hasEnvLocal) {
+      console.log(chalk4.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
+    }
+    const candidates = entries.filter((name) => name.startsWith(".env") && name !== ".env.local").map((name) => {
+      const fullPath = path3.join(cwd, name);
+      try {
+        const stat = fs3.statSync(fullPath);
+        if (!stat.isFile()) return null;
+        return { file: name, env: deriveEnvFromFile(name) };
+      } catch {
+        return null;
+      }
+    }).filter((c) => Boolean(c));
+    const seen = /* @__PURE__ */ new Set();
+    const unique = [];
+    for (const c of candidates) {
+      if (seen.has(c.file)) continue;
+      seen.add(c.file);
+      unique.push(c);
+    }
+    return unique;
+  } catch {
+    return [];
+  }
+}
+async function pushCommand(options) {
+  try {
+    console.log(chalk4.blue("\u{1F510} Pushing secrets to Keyway...\n"));
+    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
+    let environment = options.env;
+    let envFile = options.file;
+    const candidates = discoverEnvCandidates(process.cwd());
+    if (environment && !envFile) {
+      const match = candidates.find((c) => c.env === environment);
       if (match) {
-        repoPath = match[1].replace(".git", "");
+        envFile = match.file;
+      }
+    }
+    if (!environment && !envFile && isInteractive2 && candidates.length > 0) {
+      const { choice } = await prompts3(
+        {
+          type: "select",
+          name: "choice",
+          message: "Select an env file to push:",
+          choices: [
+            ...candidates.map((c) => ({
+              title: `${c.file} (env: ${c.env})`,
+              value: c
+            })),
+            { title: "Enter a different file...", value: "custom" }
+          ]
+        },
+        {
+          onCancel: () => {
+            throw new Error("Push cancelled by user.");
+          }
+        }
+      );
+      if (choice && choice !== "custom") {
+        envFile = choice.file;
+        environment = choice.env;
+      } else if (choice === "custom") {
+        const { fileInput } = await prompts3(
+          {
+            type: "text",
+            name: "fileInput",
+            message: "Path to env file:",
+            validate: (value) => {
+              if (!value) return "Path is required";
+              const resolved = path3.resolve(process.cwd(), value);
+              if (!fs3.existsSync(resolved)) return `File not found: ${value}`;
+              return true;
+            }
+          },
+          {
+            onCancel: () => {
+              throw new Error("Push cancelled by user.");
+            }
+          }
+        );
+        envFile = fileInput;
+        environment = deriveEnvFromFile(fileInput);
+      }
+    }
+    if (!environment) {
+      environment = "development";
+    }
+    if (!envFile) {
+      envFile = ".env";
+    }
+    let envFilePath = path3.resolve(process.cwd(), envFile);
+    if (!fs3.existsSync(envFilePath)) {
+      if (!isInteractive2) {
+        throw new Error(`File not found: ${envFile}. Provide --file <path> or run interactively to choose a file.`);
+      }
+      const { newPath } = await prompts3(
+        {
+          type: "text",
+          name: "newPath",
+          message: `File not found: ${envFile}. Enter an env file path to use:`,
+          validate: (value) => {
+            if (!value || typeof value !== "string") return "Path is required";
+            const resolved = path3.resolve(process.cwd(), value);
+            if (!fs3.existsSync(resolved)) return `File not found: ${value}`;
+            return true;
+          }
+        },
+        {
+          onCancel: () => {
+            throw new Error("Push cancelled (no env file provided).");
+          }
+        }
+      );
+      if (!newPath || typeof newPath !== "string") {
+        throw new Error("Push cancelled (no env file provided).");
+      }
+      envFile = newPath.trim();
+      envFilePath = path3.resolve(process.cwd(), envFile);
+    }
+    const content = fs3.readFileSync(envFilePath, "utf-8");
+    if (content.trim().length === 0) {
+      throw new Error(`File is empty: ${envFile}`);
+    }
+    const lines = content.split("\n").filter((line) => {
+      const trimmed = line.trim();
+      return trimmed.length > 0 && !trimmed.startsWith("#");
+    });
+    console.log(`File: ${chalk4.cyan(envFile)}`);
+    console.log(`Environment: ${chalk4.cyan(environment)}`);
+    console.log(`Variables: ${chalk4.cyan(lines.length.toString())}`);
+    const repoFullName = getCurrentRepoFullName();
+    console.log(`Repository: ${chalk4.cyan(repoFullName)}`);
+    if (!options.yes) {
+      const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
+      if (!isInteractive3) {
+        throw new Error("Confirmation required. Re-run with --yes in non-interactive environments.");
+      }
+      const { confirm } = await prompts3(
+        {
+          type: "confirm",
+          name: "confirm",
+          message: `Send ${lines.length} secrets from ${envFile} (env: ${environment}) to ${repoFullName}?`,
+          initial: true
+        },
+        {
+          onCancel: () => {
+            throw new Error("Push cancelled by user.");
+          }
+        }
+      );
+      if (!confirm) {
+        console.log(chalk4.yellow("Push aborted."));
+        return;
       }
     }
-    if (repoPath) {
-      console.log(import_chalk.default.green("\u2713") + " GitHub repository detected:");
-      console.log(`  ${import_chalk.default.gray("Repository:")} ${repoPath}`);
-      console.log(`  ${import_chalk.default.gray("Future vault URL:")} ${import_chalk.default.white(`https://keyway.sh/${repoPath}`)}`);
-      console.log();
-      console.log(import_chalk.default.yellow("When launched, you'll be able to:"));
-      console.log("  \u2022 Store all your secrets securely");
-      console.log("  \u2022 Share with your team instantly");
-      console.log("  \u2022 Pull secrets with one command");
-      console.log();
-      console.log(import_chalk.default.gray("Want early access? Visit https://keyway.sh"));
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    trackEvent(AnalyticsEvents.CLI_PUSH, {
+      repoFullName,
+      environment,
+      variableCount: lines.length
+    });
+    console.log("\nUploading secrets...");
+    const response = await pushSecrets(repoFullName, environment, content, accessToken);
+    console.log(chalk4.green("\n\u2713 " + response.message));
+    console.log(`
+Your secrets are now encrypted and stored securely.`);
+    console.log(`To retrieve them, run: ${chalk4.cyan(`keyway pull --env ${environment}`)}`);
+    await shutdownAnalytics();
+  } catch (error) {
+    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? error.message.slice(0, 200) : "Unknown error";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "push",
+      error: message
+    });
+    await shutdownAnalytics();
+    console.error(chalk4.red(`
+\u2717 Error: ${message}`));
+    process.exit(1);
+  }
+}
+
+// src/cmds/pull.ts
+import chalk5 from "chalk";
+import fs4 from "fs";
+import path4 from "path";
+import prompts4 from "prompts";
+async function pullCommand(options) {
+  try {
+    const environment = options.env || "development";
+    const envFile = options.file || ".env";
+    console.log(chalk5.blue("\u{1F510} Pulling secrets from Keyway...\n"));
+    console.log(`Environment: ${chalk5.cyan(environment)}`);
+    const repoFullName = getCurrentRepoFullName();
+    console.log(`Repository: ${chalk5.cyan(repoFullName)}`);
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    trackEvent(AnalyticsEvents.CLI_PULL, {
+      repoFullName,
+      environment
+    });
+    console.log("\nDownloading secrets...");
+    const response = await pullSecrets(repoFullName, environment, accessToken);
+    const envFilePath = path4.resolve(process.cwd(), envFile);
+    if (fs4.existsSync(envFilePath)) {
+      const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
+      if (options.yes) {
+        console.log(chalk5.yellow(`
+\u26A0 Overwriting existing file: ${envFile}`));
+      } else if (!isInteractive2) {
+        throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
+      } else {
+        const { confirm } = await prompts4(
+          {
+            type: "confirm",
+            name: "confirm",
+            message: `${envFile} exists. Overwrite with secrets from ${environment}?`,
+            initial: false
+          },
+          {
+            onCancel: () => {
+              throw new Error("Pull cancelled by user.");
+            }
+          }
+        );
+        if (!confirm) {
+          console.log(chalk5.yellow("Pull aborted."));
+          return;
+        }
+      }
     }
+    fs4.writeFileSync(envFilePath, response.content, "utf-8");
+    const lines = response.content.split("\n").filter((line) => {
+      const trimmed = line.trim();
+      return trimmed.length > 0 && !trimmed.startsWith("#");
+    });
+    console.log(chalk5.green(`
+\u2713 Secrets downloaded successfully`));
+    console.log(`
+File: ${chalk5.cyan(envFile)}`);
+    console.log(`Variables: ${chalk5.cyan(lines.length.toString())}`);
+    await shutdownAnalytics();
+  } catch (error) {
+    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? error.message.slice(0, 200) : "Unknown error";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "pull",
+      error: message
+    });
+    await shutdownAnalytics();
+    console.error(chalk5.red(`
+\u2717 Error: ${message}`));
+    process.exit(1);
+  }
+}
+
+// src/cmds/doctor.ts
+import chalk6 from "chalk";
+
+// src/core/doctor.ts
+import { execSync as execSync2 } from "child_process";
+import { writeFileSync, unlinkSync, readFileSync, existsSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+var API_HEALTH_URL = `${process.env.KEYWAY_API_URL || INTERNAL_API_URL}/`;
+async function checkNode() {
+  const nodeVersion = process.versions.node;
+  const [major] = nodeVersion.split(".").map(Number);
+  if (major >= 18) {
+    return {
+      id: "node",
+      name: "Node.js version",
+      status: "pass",
+      detail: `v${nodeVersion} (>=18.0.0 required)`
+    };
+  }
+  return {
+    id: "node",
+    name: "Node.js version",
+    status: "fail",
+    detail: `v${nodeVersion} (<18.0.0, please upgrade)`
+  };
+}
+async function checkGit() {
+  try {
+    const gitVersion = execSync2("git --version", { encoding: "utf-8" }).trim();
+    try {
+      execSync2("git rev-parse --is-inside-work-tree", {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "ignore"]
+      });
+      return {
+        id: "git",
+        name: "Git repository",
+        status: "pass",
+        detail: `${gitVersion} - inside repository`
+      };
+    } catch {
+      return {
+        id: "git",
+        name: "Git repository",
+        status: "warn",
+        detail: `${gitVersion} - not in a repository`
+      };
+    }
+  } catch {
+    return {
+      id: "git",
+      name: "Git repository",
+      status: "warn",
+      detail: "Git not installed"
+    };
+  }
+}
+async function checkNetwork() {
+  const fetchFn = globalThis.fetch;
+  if (!fetchFn) {
+    return {
+      id: "network",
+      name: "API connectivity",
+      status: "warn",
+      detail: "Fetch API not available in this Node.js runtime"
+    };
+  }
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 2e3);
+    const response = await fetchFn(API_HEALTH_URL, {
+      method: "HEAD",
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (response.ok || response.status < 500) {
+      return {
+        id: "network",
+        name: "API connectivity",
+        status: "pass",
+        detail: `Connected to ${API_HEALTH_URL}`
+      };
+    }
+    return {
+      id: "network",
+      name: "API connectivity",
+      status: "warn",
+      detail: `Server returned ${response.status}`
+    };
+  } catch (error) {
+    if (error.name === "AbortError") {
+      return {
+        id: "network",
+        name: "API connectivity",
+        status: "warn",
+        detail: "Connection timeout (>2s)"
+      };
+    }
+    if (error.code === "ENOTFOUND") {
+      return {
+        id: "network",
+        name: "API connectivity",
+        status: "fail",
+        detail: "DNS resolution failed"
+      };
+    }
+    if (error.code === "CERT_HAS_EXPIRED" || error.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") {
+      return {
+        id: "network",
+        name: "API connectivity",
+        status: "fail",
+        detail: "SSL certificate error"
+      };
+    }
+    return {
+      id: "network",
+      name: "API connectivity",
+      status: "warn",
+      detail: error.message || "Connection failed"
+    };
+  }
+}
+async function checkFileSystem() {
+  const testFile = join(tmpdir(), `.keyway-test-${Date.now()}.tmp`);
+  try {
+    writeFileSync(testFile, "test");
+    unlinkSync(testFile);
+    return {
+      id: "filesystem",
+      name: "File system permissions",
+      status: "pass",
+      detail: "Write permissions verified"
+    };
+  } catch (error) {
+    return {
+      id: "filesystem",
+      name: "File system permissions",
+      status: "fail",
+      detail: `Cannot write to temp directory: ${error.message}`
+    };
+  }
+}
+async function checkGitignore() {
+  try {
+    if (!existsSync(".gitignore")) {
+      return {
+        id: "gitignore",
+        name: ".gitignore configuration",
+        status: "warn",
+        detail: "No .gitignore file found"
+      };
+    }
+    const gitignoreContent = readFileSync(".gitignore", "utf-8");
+    const hasEnvPattern = gitignoreContent.includes("*.env") || gitignoreContent.includes(".env*");
+    const hasDotEnv = gitignoreContent.includes(".env");
+    if (hasEnvPattern || hasDotEnv) {
+      return {
+        id: "gitignore",
+        name: ".gitignore configuration",
+        status: "pass",
+        detail: "Environment files are ignored"
+      };
+    }
+    return {
+      id: "gitignore",
+      name: ".gitignore configuration",
+      status: "warn",
+      detail: "Missing .env patterns in .gitignore"
+    };
+  } catch {
+    return {
+      id: "gitignore",
+      name: ".gitignore configuration",
+      status: "warn",
+      detail: "Could not read .gitignore"
+    };
+  }
+}
+async function checkSystemClock() {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 2e3);
+    const response = await fetch("https://api.keyway.sh/", {
+      method: "HEAD",
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    const serverDate = response.headers.get("date");
+    if (!serverDate) {
+      return {
+        id: "clock",
+        name: "System clock",
+        status: "pass",
+        detail: "Unable to verify (no server date)"
+      };
+    }
+    const serverTime = new Date(serverDate).getTime();
+    const localTime = Date.now();
+    const diffMinutes = Math.abs(serverTime - localTime) / 1e3 / 60;
+    if (diffMinutes < 5) {
+      return {
+        id: "clock",
+        name: "System clock",
+        status: "pass",
+        detail: `Synchronized (drift: ${Math.round(diffMinutes * 60)}s)`
+      };
+    }
+    return {
+      id: "clock",
+      name: "System clock",
+      status: "warn",
+      detail: `Clock drift: ${Math.round(diffMinutes)} minutes`
+    };
   } catch {
-    console.log(import_chalk.default.yellow("No git repository detected"));
-    console.log(import_chalk.default.gray("Keyway will work with any GitHub repository"));
+    return {
+      id: "clock",
+      name: "System clock",
+      status: "pass",
+      detail: "Unable to verify"
+    };
   }
+}
+async function runAllChecks(options = {}) {
+  const checks = await Promise.all([
+    checkNode(),
+    checkGit(),
+    checkNetwork(),
+    checkFileSystem(),
+    checkGitignore(),
+    checkSystemClock()
+  ]);
+  if (options.strict) {
+    checks.forEach((check) => {
+      if (check.status === "warn") {
+        check.status = "fail";
+      }
+    });
+  }
+  const summary = {
+    pass: checks.filter((c) => c.status === "pass").length,
+    warn: checks.filter((c) => c.status === "warn").length,
+    fail: checks.filter((c) => c.status === "fail").length
+  };
+  const exitCode = summary.fail > 0 ? 1 : 0;
+  return {
+    checks,
+    summary,
+    exitCode
+  };
+}
+
+// src/cmds/doctor.ts
+function formatSummary(results) {
+  const parts = [
+    chalk6.green(`${results.summary.pass} passed`),
+    results.summary.warn > 0 ? chalk6.yellow(`${results.summary.warn} warnings`) : null,
+    results.summary.fail > 0 ? chalk6.red(`${results.summary.fail} failed`) : null
+  ].filter(Boolean);
+  return parts.join(", ");
+}
+async function doctorCommand(options = {}) {
+  try {
+    const results = await runAllChecks({ strict: !!options.strict });
+    trackEvent(AnalyticsEvents.CLI_DOCTOR, {
+      pass: results.summary.pass,
+      warn: results.summary.warn,
+      fail: results.summary.fail,
+      strict: !!options.strict
+    });
+    if (options.json) {
+      process.stdout.write(JSON.stringify(results, null, 0) + "\n");
+      process.exit(results.exitCode);
+    }
+    console.log(chalk6.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
+    results.checks.forEach((check) => {
+      const icon = check.status === "pass" ? chalk6.green("\u2713") : check.status === "warn" ? chalk6.yellow("!") : chalk6.red("\u2717");
+      const detail = check.detail ? chalk6.dim(` \u2014 ${check.detail}`) : "";
+      console.log(`  ${icon} ${check.name}${detail}`);
+    });
+    console.log(`
+Summary: ${formatSummary(results)}`);
+    if (results.summary.fail > 0) {
+      console.log(chalk6.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
+    } else if (results.summary.warn > 0) {
+      console.log(chalk6.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
+    } else {
+      console.log(chalk6.green("\u2728 All checks passed! Your environment is ready for Keyway."));
+    }
+    process.exit(results.exitCode);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Doctor failed";
+    trackEvent(AnalyticsEvents.CLI_DOCTOR, {
+      pass: 0,
+      warn: 0,
+      fail: 1,
+      strict: !!options.strict,
+      error: "doctor_failed"
+    });
+    if (options.json) {
+      const errorResult = {
+        checks: [],
+        summary: { pass: 0, warn: 0, fail: 1 },
+        exitCode: 1,
+        error: message
+      };
+      process.stdout.write(JSON.stringify(errorResult, null, 0) + "\n");
+    } else {
+      console.error(chalk6.red(`\u2716 Doctor check failed: ${message}`));
+    }
+    process.exit(1);
+  }
+}
+
+// package.json with { type: 'json' }
+var package_default2 = {
+  name: "@keywaysh/cli",
+  version: "0.0.3",
+  description: "One link to all your secrets",
+  type: "module",
+  bin: {
+    keyway: "./dist/cli.js"
+  },
+  main: "./dist/cli.js",
+  files: [
+    "dist"
+  ],
+  scripts: {
+    dev: "pnpm exec tsx src/cli.ts",
+    build: "pnpm exec tsup",
+    "build:watch": "pnpm exec tsup --watch",
+    prepublishOnly: "pnpm run build",
+    test: "pnpm exec vitest run",
+    "test:watch": "pnpm exec vitest"
+  },
+  keywords: [
+    "secrets",
+    "env",
+    "keyway",
+    "cli",
+    "devops"
+  ],
+  author: "Nicolas Ritouet",
+  license: "MIT",
+  homepage: "https://keyway.sh",
+  repository: {
+    type: "git",
+    url: "https://github.com/keywaysh/cli.git"
+  },
+  bugs: {
+    url: "https://github.com/keywaysh/cli/issues"
+  },
+  packageManager: "pnpm@10.6.1",
+  engines: {
+    node: ">=18.0.0"
+  },
+  dependencies: {
+    chalk: "^4.1.2",
+    commander: "^14.0.0",
+    conf: "^15.0.2",
+    open: "^11.0.0",
+    "posthog-node": "^3.5.0",
+    prompts: "^2.4.2"
+  },
+  devDependencies: {
+    "@types/node": "^24.2.0",
+    "@types/prompts": "^2.4.9",
+    tsup: "^8.5.0",
+    tsx: "^4.20.3",
+    typescript: "^5.9.2",
+    vitest: "^3.2.4"
+  }
+};
+
+// src/cli.ts
+var program = new Command();
+var shouldShowBanner = () => {
+  if (process.env.KEYWAY_NO_BANNER === "1") return false;
+  const argv = process.argv.slice(2);
+  return !argv.includes("--no-banner") && argv.length > 0;
+};
+var showBanner = () => {
+  const text = chalk7.cyan.bold("Keyway CLI");
+  const subtitle = chalk7.gray("GitHub-native secrets manager for dev teams");
+  console.log(`
+${text}
+${subtitle}
+`);
+};
+if (shouldShowBanner()) {
+  showBanner();
+}
+program.name("keyway").description("GitHub-native secrets manager for dev teams").version(package_default2.version).option("--no-banner", "Disable the startup banner");
+program.command("init").description("Initialize a vault for the current repository").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
+  await initCommand(options);
 });
-program.command("demo").description("See how Keyway will work").action(() => {
-  console.log(import_chalk.default.cyan("\n\u{1F3AC} Keyway Demo\n"));
-  console.log("How it will work:\n");
-  console.log(import_chalk.default.white("1. Initialize your project:"));
-  console.log(import_chalk.default.gray("   $ ") + import_chalk.default.green("keyway init"));
-  console.log(import_chalk.default.gray("   \u2713 Vault created at https://keyway.sh/your/repo\n"));
-  console.log(import_chalk.default.white("2. Add the link to your README:"));
-  console.log(import_chalk.default.gray("   ## \u{1F511} Secrets"));
-  console.log(import_chalk.default.gray("   Access vault: https://keyway.sh/your/repo\n"));
-  console.log(import_chalk.default.white("3. Team members pull secrets:"));
-  console.log(import_chalk.default.gray("   $ ") + import_chalk.default.green("keyway pull"));
-  console.log(import_chalk.default.gray("   \u2713 Authenticated via GitHub"));
-  console.log(import_chalk.default.gray("   \u2713 Pulled 23 secrets in 12ms\n"));
-  console.log(import_chalk.default.white("4. That's it! No more:"));
-  console.log(import_chalk.default.gray('   \u274C "Can you send me the .env file?"'));
-  console.log(import_chalk.default.gray("   \u274C API keys in Slack"));
-  console.log(import_chalk.default.gray("   \u274C Outdated credentials"));
-  console.log(import_chalk.default.gray("   \u274C Onboarding delays\n"));
-  console.log(import_chalk.default.cyan("Ready to simplify your secret management?"));
-  console.log(import_chalk.default.white("Get early access: ") + import_chalk.default.underline("https://keyway.sh"));
+program.command("push").description("Upload secrets from an env file to the vault").option("-e, --env <environment>", "Environment name", "development").option("-f, --file <file>", "Env file to push").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
+  await pushCommand(options);
 });
-program.command("waitlist").description("Join the early access waitlist").action(() => {
-  console.log(import_chalk.default.cyan("\n\u{1F680} Join the Keyway Waitlist\n"));
-  console.log("Get early access at: " + import_chalk.default.underline("https://keyway.sh"));
-  console.log();
-  console.log("Or email us directly: " + import_chalk.default.underline("unlock@keyway.sh"));
-  console.log();
-  console.log(import_chalk.default.gray("We'll notify you as soon as Keyway is ready!"));
+program.command("pull").description("Download secrets from the vault to an env file").option("-e, --env <environment>", "Environment name", "development").option("-f, --file <file>", "Env file to write to").option("-y, --yes", "Overwrite target file without confirmation").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
+  await pullCommand(options);
 });
-program.command("why").description("Why we're building Keyway").action(() => {
-  console.log(import_chalk.default.cyan("\n\u{1F4A1} Why Keyway?\n"));
-  console.log(import_chalk.default.white("The Problem:"));
-  console.log("  \u2022 Secrets scattered across Slack, email, and docs");
-  console.log("  \u2022 New developer onboarding takes hours");
-  console.log("  \u2022 No single source of truth for env variables");
-  console.log("  \u2022 Complex solutions like HashiCorp Vault are overkill\n");
-  console.log(import_chalk.default.white("Our Solution:"));
-  console.log("  \u2022 One link in your README");
-  console.log("  \u2022 GitHub access = vault access");
-  console.log("  \u2022 Zero-trust architecture");
-  console.log("  \u2022 12ms to pull all secrets\n");
-  console.log(import_chalk.default.white("Built for:"));
-  console.log("  \u2022 Small to medium dev teams");
-  console.log("  \u2022 Projects with multiple environments");
-  console.log("  \u2022 Teams tired of complexity\n");
-  console.log(import_chalk.default.gray("Learn more at https://keyway.sh"));
+program.command("login").description("Authenticate with GitHub via Keyway").option("--token", "Authenticate using a GitHub fine-grained PAT").action(async (options) => {
+  await loginCommand(options);
 });
-program.command("feedback [message...]").description("Send us feedback").action((message) => {
-  if (message && message.length > 0) {
-    console.log(import_chalk.default.cyan("\n\u{1F4EC} Thank you for your feedback!\n"));
-    console.log("Your message: " + import_chalk.default.italic(message.join(" ")));
-    console.log();
-    console.log("Please email it to: " + import_chalk.default.underline("unlock@keyway.sh"));
-    console.log(import_chalk.default.gray("We read every message!"));
-  } else {
-    console.log(import_chalk.default.cyan("\n\u{1F4EC} We'd love your feedback!\n"));
-    console.log("Email us at: " + import_chalk.default.underline("unlock@keyway.sh"));
-    console.log();
-    console.log("Or use: " + import_chalk.default.gray('keyway feedback "your message here"'));
-  }
+program.command("logout").description("Clear stored Keyway credentials").action(async () => {
+  await logoutCommand();
 });
-program.command("speed").description("Test CLI speed").action(() => {
-  const start = Date.now();
-  console.log(import_chalk.default.green(`\u26A1 Executed in ${Date.now() - start}ms`));
+program.command("doctor").description("Run environment checks to ensure Keyway runs smoothly").option("--json", "Output results as JSON for machine processing", false).option("--strict", "Treat warnings as failures", false).action(async (options) => {
+  await doctorCommand(options);
+});
+program.command("readme").description("README utilities").command("add-badge").description("Insert the Keyway badge into README").action(async () => {
+  await addBadgeToReadme();
+});
+program.parseAsync().catch((error) => {
+  console.error(chalk7.red("Error:"), error.message || error);
+  process.exit(1);
 });
-program.parse();
-if (!process.argv.slice(2).length) {
-  console.log(COMING_SOON_MESSAGE);
-  console.log(import_chalk.default.gray("Try: keyway demo"));
-}