@keywaysh/cli 0.0.13 → 0.0.15

package/dist/cli.js

@@ -2,10 +2,10 @@
 
 // src/cli.ts
 import { Command } from "commander";
-import chalk7 from "chalk";
+import pc9 from "picocolors";
 
 // src/cmds/init.ts
-import chalk4 from "chalk";
+import pc4 from "picocolors";
 import prompts4 from "prompts";
 
 // src/utils/git.ts
@@ -66,10 +66,10 @@ var INTERNAL_API_URL = "https://api.keyway.sh";
 var INTERNAL_POSTHOG_KEY = "phc_duG0qqI5z8LeHrS9pNxR5KaD4djgD0nmzUxuD3zP0ov";
 var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
 
-// package.json with { type: 'json' }
+// package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.0.13",
+  version: "0.0.15",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -81,6 +81,7 @@ var package_default = {
   ],
   scripts: {
     dev: "pnpm exec tsx src/cli.ts",
+    "dev:local": "NODE_TLS_REJECT_UNAUTHORIZED=0 KEYWAY_API_URL=https://localhost/api pnpm exec tsx src/cli.ts",
     build: "pnpm exec tsup",
     "build:watch": "pnpm exec tsup --watch",
     prepublishOnly: "pnpm run build",
@@ -112,10 +113,10 @@ var package_default = {
     node: ">=18.0.0"
   },
   dependencies: {
-    chalk: "^4.1.2",
     commander: "^14.0.0",
     conf: "^15.0.2",
     open: "^11.0.0",
+    picocolors: "^1.1.1",
     "posthog-node": "^3.5.0",
     prompts: "^2.4.2"
   },
@@ -132,6 +133,73 @@ var package_default = {
 // src/utils/api.ts
 var API_BASE_URL = process.env.KEYWAY_API_URL || INTERNAL_API_URL;
 var USER_AGENT = `keyway-cli/${package_default.version}`;
+var DEFAULT_TIMEOUT_MS = 3e4;
+function truncateMessage(message, maxLength = 200) {
+  if (message.length <= maxLength) return message;
+  return message.slice(0, maxLength - 3) + "...";
+}
+var NETWORK_ERROR_MESSAGES = {
+  ECONNREFUSED: "Cannot connect to Keyway API server. Is the server running?",
+  ECONNRESET: "Connection was reset. Please try again.",
+  ENOTFOUND: "DNS lookup failed. Check your internet connection.",
+  ETIMEDOUT: "Connection timed out. Check your network connection.",
+  ENETUNREACH: "Network is unreachable. Check your internet connection.",
+  EHOSTUNREACH: "Host is unreachable. Check your network connection.",
+  CERT_HAS_EXPIRED: "SSL certificate has expired. Contact support.",
+  UNABLE_TO_VERIFY_LEAF_SIGNATURE: "SSL certificate verification failed.",
+  EPROTO: "SSL/TLS protocol error. Try again later."
+};
+function handleNetworkError(error) {
+  const errorCode = error.code || error.cause?.code;
+  if (errorCode && NETWORK_ERROR_MESSAGES[errorCode]) {
+    return new Error(NETWORK_ERROR_MESSAGES[errorCode]);
+  }
+  const message = error.message.toLowerCase();
+  if (message.includes("fetch failed") || message.includes("network")) {
+    return new Error("Network error. Check your internet connection and try again.");
+  }
+  return error;
+}
+async function fetchWithTimeout(url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, {
+      ...options,
+      signal: controller.signal
+    });
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.name === "AbortError") {
+        throw new Error(`Request timeout after ${timeoutMs / 1e3}s. Check your network connection.`);
+      }
+      throw handleNetworkError(error);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function validateApiUrl(url) {
+  const parsed = new URL(url);
+  if (parsed.protocol !== "https:") {
+    const isLocalhost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "0.0.0.0";
+    if (!isLocalhost) {
+      throw new Error(
+        `Insecure API URL detected: ${url}
+HTTPS is required for security. If this is a development server, use localhost or configure HTTPS.`
+      );
+    }
+    if (!process.env.KEYWAY_DISABLE_SECURITY_WARNINGS) {
+      console.warn(
+        `\u26A0\uFE0F  WARNING: Using insecure HTTP connection to ${url}
+This should only be used for local development.
+Set KEYWAY_DISABLE_SECURITY_WARNINGS=1 to suppress this warning.`
+      );
+    }
+  }
+}
+validateApiUrl(API_BASE_URL);
 var APIError = class extends Error {
   constructor(statusCode, error, message, upgradeUrl) {
     super(message);
@@ -176,7 +244,7 @@ async function initVault(repoFullName, accessToken) {
   if (accessToken) {
     headers.Authorization = `Bearer ${accessToken}`;
   }
-  const response = await fetch(`${API_BASE_URL}/v1/vaults`, {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/vaults`, {
     method: "POST",
     headers,
     body: JSON.stringify(body)
@@ -211,7 +279,7 @@ async function pushSecrets(repoFullName, environment, content, accessToken) {
   if (accessToken) {
     headers.Authorization = `Bearer ${accessToken}`;
   }
-  const response = await fetch(`${API_BASE_URL}/v1/secrets/push`, {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/secrets/push`, {
     method: "POST",
     headers,
     body: JSON.stringify(body)
@@ -231,7 +299,7 @@ async function pullSecrets(repoFullName, environment, accessToken) {
     repo: repoFullName,
     environment
   });
-  const response = await fetch(`${API_BASE_URL}/v1/secrets/pull?${params}`, {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/secrets/pull?${params}`, {
     method: "GET",
     headers
   });
@@ -239,7 +307,7 @@ async function pullSecrets(repoFullName, environment, accessToken) {
   return { content: result.data.content };
 }
 async function startDeviceLogin(repository) {
-  const response = await fetch(`${API_BASE_URL}/v1/auth/device/start`, {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/device/start`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -250,7 +318,7 @@ async function startDeviceLogin(repository) {
   return handleResponse(response);
 }
 async function pollDeviceLogin(deviceCode) {
-  const response = await fetch(`${API_BASE_URL}/v1/auth/device/poll`, {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/device/poll`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -261,7 +329,7 @@ async function pollDeviceLogin(deviceCode) {
   return handleResponse(response);
 }
 async function validateToken(token) {
-  const response = await fetch(`${API_BASE_URL}/v1/auth/token/validate`, {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/token/validate`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -272,6 +340,117 @@ async function validateToken(token) {
   });
   return handleResponse(response);
 }
+async function getProviders() {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations`, {
+    method: "GET",
+    headers: {
+      "User-Agent": USER_AGENT
+    }
+  });
+  return handleResponse(response);
+}
+async function getConnections(accessToken) {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections`, {
+    method: "GET",
+    headers: {
+      "User-Agent": USER_AGENT,
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  return handleResponse(response);
+}
+async function deleteConnection(accessToken, connectionId) {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}`, {
+    method: "DELETE",
+    headers: {
+      "User-Agent": USER_AGENT,
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  return handleResponse(response);
+}
+function getProviderAuthUrl(provider, redirectUri) {
+  const params = redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : "";
+  return `${API_BASE_URL}/v1/integrations/${provider}/authorize${params}`;
+}
+async function getConnectionProjects(accessToken, connectionId) {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}/projects`, {
+    method: "GET",
+    headers: {
+      "User-Agent": USER_AGENT,
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  return handleResponse(response);
+}
+async function getSyncStatus(accessToken, repoFullName, connectionId, projectId, environment = "production") {
+  const [owner, repo] = repoFullName.split("/");
+  const params = new URLSearchParams({
+    connectionId,
+    projectId,
+    environment
+  });
+  const response = await fetchWithTimeout(
+    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/status?${params}`,
+    {
+      method: "GET",
+      headers: {
+        "User-Agent": USER_AGENT,
+        Authorization: `Bearer ${accessToken}`
+      }
+    }
+  );
+  return handleResponse(response);
+}
+async function getSyncPreview(accessToken, repoFullName, options) {
+  const [owner, repo] = repoFullName.split("/");
+  const params = new URLSearchParams({
+    connectionId: options.connectionId,
+    projectId: options.projectId,
+    keywayEnvironment: options.keywayEnvironment || "production",
+    providerEnvironment: options.providerEnvironment || "production",
+    direction: options.direction || "push",
+    allowDelete: String(options.allowDelete || false)
+  });
+  const response = await fetchWithTimeout(
+    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/preview?${params}`,
+    {
+      method: "GET",
+      headers: {
+        "User-Agent": USER_AGENT,
+        Authorization: `Bearer ${accessToken}`
+      }
+    },
+    6e4
+    // 60 seconds for sync operations
+  );
+  return handleResponse(response);
+}
+async function executeSync(accessToken, repoFullName, options) {
+  const [owner, repo] = repoFullName.split("/");
+  const response = await fetchWithTimeout(
+    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "User-Agent": USER_AGENT,
+        Authorization: `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({
+        connectionId: options.connectionId,
+        projectId: options.projectId,
+        keywayEnvironment: options.keywayEnvironment || "production",
+        providerEnvironment: options.providerEnvironment || "production",
+        direction: options.direction || "push",
+        allowDelete: options.allowDelete || false
+      })
+    },
+    12e4
+    // 2 minutes for sync execution
+  );
+  return handleResponse(response);
+}
 
 // src/utils/analytics.ts
 import { PostHog } from "posthog-node";
@@ -279,71 +458,6 @@ import crypto from "crypto";
 import path from "path";
 import os from "os";
 import fs from "fs";
-
-// package.json
-var package_default2 = {
-  name: "@keywaysh/cli",
-  version: "0.0.13",
-  description: "One link to all your secrets",
-  type: "module",
-  bin: {
-    keyway: "./dist/cli.js"
-  },
-  main: "./dist/cli.js",
-  files: [
-    "dist"
-  ],
-  scripts: {
-    dev: "pnpm exec tsx src/cli.ts",
-    build: "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    prepublishOnly: "pnpm run build",
-    test: "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest",
-    release: "npm version patch && git push && git push --tags",
-    "release:minor": "npm version minor && git push && git push --tags",
-    "release:major": "npm version major && git push && git push --tags"
-  },
-  keywords: [
-    "secrets",
-    "env",
-    "keyway",
-    "cli",
-    "devops"
-  ],
-  author: "Nicolas Ritouet",
-  license: "MIT",
-  homepage: "https://keyway.sh",
-  repository: {
-    type: "git",
-    url: "https://github.com/keywaysh/cli.git"
-  },
-  bugs: {
-    url: "https://github.com/keywaysh/cli/issues"
-  },
-  packageManager: "pnpm@10.6.1",
-  engines: {
-    node: ">=18.0.0"
-  },
-  dependencies: {
-    chalk: "^4.1.2",
-    commander: "^14.0.0",
-    conf: "^15.0.2",
-    open: "^11.0.0",
-    "posthog-node": "^3.5.0",
-    prompts: "^2.4.2"
-  },
-  devDependencies: {
-    "@types/node": "^24.2.0",
-    "@types/prompts": "^2.4.9",
-    tsup: "^8.5.0",
-    tsx: "^4.20.3",
-    typescript: "^5.9.2",
-    vitest: "^3.2.4"
-  }
-};
-
-// src/utils/analytics.ts
 var posthog = null;
 var distinctId = null;
 var CONFIG_DIR = path.join(os.homedir(), ".config", "keyway");
@@ -400,7 +514,7 @@ function trackEvent(event, properties) {
         source: "cli",
         platform: process.platform,
         nodeVersion: process.version,
-        version: package_default2.version,
+        version: package_default.version,
         ci: CI
       }
     });
@@ -433,44 +547,100 @@ var AnalyticsEvents = {
   CLI_PULL: "cli_pull",
   CLI_ERROR: "cli_error",
   CLI_LOGIN: "cli_login",
-  CLI_DOCTOR: "cli_doctor"
+  CLI_DOCTOR: "cli_doctor",
+  CLI_CONNECT: "cli_connect",
+  CLI_DISCONNECT: "cli_disconnect",
+  CLI_SYNC: "cli_sync"
 };
 
 // src/cmds/login.ts
-import chalk from "chalk";
+import pc from "picocolors";
 import readline from "readline";
 import open from "open";
 import prompts from "prompts";
 
 // src/utils/auth.ts
 import Conf from "conf";
+import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "crypto";
+import { promisify } from "util";
 var store = new Conf({
   projectName: "keyway",
   configName: "config",
   fileMode: 384
 });
+var scryptAsync = promisify(scrypt);
+async function getEncryptionKey() {
+  const machineId = process.env.USER || process.env.USERNAME || "keyway-user";
+  let salt = store.get("salt");
+  if (!salt) {
+    salt = randomBytes(16).toString("hex");
+    store.set("salt", salt);
+  }
+  const key = await scryptAsync(machineId, salt, 32);
+  return key;
+}
+async function encryptToken(token) {
+  const key = await getEncryptionKey();
+  const iv = randomBytes(16);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(token, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
+async function decryptToken(encryptedData) {
+  const key = await getEncryptionKey();
+  const parts = encryptedData.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted token format");
+  }
+  const iv = Buffer.from(parts[0], "hex");
+  const authTag = Buffer.from(parts[1], "hex");
+  const encrypted = Buffer.from(parts[2], "hex");
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return decrypted.toString("utf8");
+}
 function isExpired(auth) {
   if (!auth.expiresAt) return false;
   const expires = Date.parse(auth.expiresAt);
   if (Number.isNaN(expires)) return false;
   return expires <= Date.now();
 }
-function getStoredAuth() {
-  const auth = store.get("auth");
-  if (auth && isExpired(auth)) {
+async function getStoredAuth() {
+  const encryptedData = store.get("auth");
+  if (!encryptedData) {
+    return null;
+  }
+  try {
+    const decrypted = await decryptToken(encryptedData);
+    const auth = JSON.parse(decrypted);
+    if (isExpired(auth)) {
+      clearAuth();
+      return null;
+    }
+    return auth;
+  } catch (error) {
+    console.error("Failed to decrypt stored auth, clearing...");
     clearAuth();
     return null;
   }
-  return auth ?? null;
 }
-function saveAuthToken(token, meta) {
+async function saveAuthToken(token, meta) {
   const auth = {
     keywayToken: token,
     githubLogin: meta?.githubLogin,
     expiresAt: meta?.expiresAt,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  store.set("auth", auth);
+  const encrypted = await encryptToken(JSON.stringify(auth));
+  store.set("auth", encrypted);
 }
 function clearAuth() {
   store.delete("auth");
@@ -503,17 +673,17 @@ async function promptYesNo(question, defaultYes = true) {
   });
 }
 async function runLoginFlow() {
-  console.log(chalk.blue("\u{1F510} Starting Keyway login...\n"));
+  console.log(pc.blue("\u{1F510} Starting Keyway login...\n"));
   const repoName = detectGitRepo();
   const start = await startDeviceLogin(repoName);
   const verifyUrl = start.verificationUriComplete || start.verificationUri;
   if (!verifyUrl) {
     throw new Error("Missing verification URL from the auth server.");
   }
-  console.log(`Code: ${chalk.green.bold(start.userCode)}`);
+  console.log(`Code: ${pc.green.bold(start.userCode)}`);
   console.log("Waiting for auth...");
   open(verifyUrl).catch(() => {
-    console.log(chalk.gray(`Open this URL in your browser: ${verifyUrl}`));
+    console.log(pc.gray(`Open this URL in your browser: ${verifyUrl}`));
   });
   const pollIntervalMs = (start.interval ?? 5) * 1e3;
   const maxTimeoutMs = Math.min((start.expiresIn ?? 900) * 1e3, 30 * 60 * 1e3);
@@ -528,7 +698,7 @@ async function runLoginFlow() {
       continue;
     }
     if (result.status === "approved" && result.keywayToken) {
-      saveAuthToken(result.keywayToken, {
+      await saveAuthToken(result.keywayToken, {
         githubLogin: result.githubLogin,
         expiresAt: result.expiresAt
       });
@@ -536,9 +706,9 @@ async function runLoginFlow() {
         method: "device",
         repo: repoName
       });
-      console.log(chalk.green("\n\u2713 Login successful"));
+      console.log(pc.green("\n\u2713 Login successful"));
       if (result.githubLogin) {
-        console.log(`Authenticated GitHub user: ${chalk.cyan(result.githubLogin)}`);
+        console.log(`Authenticated GitHub user: ${pc.cyan(result.githubLogin)}`);
       }
       return result.keywayToken;
     }
@@ -546,11 +716,14 @@ async function runLoginFlow() {
   }
 }
 async function ensureLogin(options = {}) {
-  const envToken = process.env.KEYWAY_TOKEN || process.env.GITHUB_TOKEN;
+  const envToken = process.env.KEYWAY_TOKEN;
   if (envToken) {
     return envToken;
   }
-  const stored = getStoredAuth();
+  if (process.env.GITHUB_TOKEN && !process.env.KEYWAY_TOKEN) {
+    console.warn(pc.yellow("Note: GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication."));
+  }
+  const stored = await getStoredAuth();
   if (stored?.keywayToken) {
     return stored.keywayToken;
   }
@@ -568,16 +741,16 @@ async function ensureLogin(options = {}) {
 async function runTokenLogin() {
   const repoName = detectGitRepo();
   if (repoName) {
-    console.log(`\u{1F4C1} Detected: ${chalk.cyan(repoName)}`);
+    console.log(`\u{1F4C1} Detected: ${pc.cyan(repoName)}`);
   }
   const description = repoName ? `Keyway CLI for ${repoName}` : "Keyway CLI";
   const url = `https://github.com/settings/personal-access-tokens/new?description=${encodeURIComponent(description)}`;
   console.log("Opening GitHub...");
   open(url).catch(() => {
-    console.log(chalk.gray(`Open this URL in your browser: ${url}`));
+    console.log(pc.gray(`Open this URL in your browser: ${url}`));
   });
-  console.log(chalk.gray("Select the detected repo (or scope manually)."));
-  console.log(chalk.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
+  console.log(pc.gray("Select the detected repo (or scope manually)."));
+  console.log(pc.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
   const { token } = await prompts(
     {
       type: "password",
@@ -603,14 +776,14 @@ async function runTokenLogin() {
     throw new Error("Token must start with github_pat_.");
   }
   const validation = await validateToken(trimmedToken);
-  saveAuthToken(trimmedToken, {
+  await saveAuthToken(trimmedToken, {
     githubLogin: validation.username
   });
   trackEvent(AnalyticsEvents.CLI_LOGIN, {
     method: "pat",
     repo: repoName
   });
-  console.log(chalk.green("\u2705 Authenticated"), `as ${chalk.cyan(`@${validation.username}`)}`);
+  console.log(pc.green("\u2705 Authenticated"), `as ${pc.cyan(`@${validation.username}`)}`);
   return trimmedToken;
 }
 async function loginCommand(options = {}) {
@@ -624,24 +797,24 @@ async function loginCommand(options = {}) {
     const message = error instanceof Error ? error.message : "Unexpected login error";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "login",
-      error: message.slice(0, 200)
+      error: truncateMessage(message)
     });
-    console.error(chalk.red(`
+    console.error(pc.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 async function logoutCommand() {
   clearAuth();
-  console.log(chalk.green("\u2713 Logged out of Keyway"));
-  console.log(chalk.gray(`Auth cache cleared: ${getAuthFilePath()}`));
+  console.log(pc.green("\u2713 Logged out of Keyway"));
+  console.log(pc.gray(`Auth cache cleared: ${getAuthFilePath()}`));
 }
 
 // src/cmds/readme.ts
 import fs2 from "fs";
 import path2 from "path";
 import prompts2 from "prompts";
-import chalk2 from "chalk";
+import pc2 from "picocolors";
 function generateBadge(repo) {
   return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/vaults/${repo})`;
 }
@@ -679,7 +852,7 @@ async function ensureReadme(repoName, cwd) {
   if (existing) return existing;
   const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
   if (!isInteractive2) {
-    console.log(chalk2.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
+    console.log(pc2.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
     return null;
   }
   const { confirm } = await prompts2(
@@ -694,7 +867,7 @@ async function ensureReadme(repoName, cwd) {
     }
   );
   if (!confirm) {
-    console.log(chalk2.yellow("Skipping badge insertion (no README)."));
+    console.log(pc2.yellow("Skipping badge insertion (no README)."));
     return null;
   }
   const defaultPath = path2.join(cwd, "README.md");
@@ -717,19 +890,19 @@ async function addBadgeToReadme(silent = false) {
   const updated = insertBadgeIntoReadme(content, badge);
   if (updated === content) {
     if (!silent) {
-      console.log(chalk2.gray("Keyway badge already present in README."));
+      console.log(pc2.gray("Keyway badge already present in README."));
     }
     return false;
   }
   fs2.writeFileSync(readmePath, updated, "utf-8");
   if (!silent) {
-    console.log(chalk2.green(`\u2713 Keyway badge added to ${path2.basename(readmePath)}`));
+    console.log(pc2.green(`\u2713 Keyway badge added to ${path2.basename(readmePath)}`));
   }
   return true;
 }
 
 // src/cmds/push.ts
-import chalk3 from "chalk";
+import pc3 from "picocolors";
 import fs3 from "fs";
 import path3 from "path";
 import prompts3 from "prompts";
@@ -746,7 +919,7 @@ function discoverEnvCandidates(cwd) {
     const entries = fs3.readdirSync(cwd);
     const hasEnvLocal = entries.includes(".env.local");
     if (hasEnvLocal) {
-      console.log(chalk3.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
+      console.log(pc3.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
     }
     const candidates = entries.filter((name) => name.startsWith(".env") && name !== ".env.local").map((name) => {
       const fullPath = path3.join(cwd, name);
@@ -772,7 +945,7 @@ function discoverEnvCandidates(cwd) {
 }
 async function pushCommand(options) {
   try {
-    console.log(chalk3.blue("\u{1F510} Pushing secrets to Keyway...\n"));
+    console.log(pc3.blue("\u{1F510} Pushing secrets to Keyway...\n"));
     const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
     let environment = options.env;
     let envFile = options.file;
@@ -872,11 +1045,11 @@ async function pushCommand(options) {
       const trimmed = line.trim();
       return trimmed.length > 0 && !trimmed.startsWith("#");
     });
-    console.log(`File: ${chalk3.cyan(envFile)}`);
-    console.log(`Environment: ${chalk3.cyan(environment)}`);
-    console.log(`Variables: ${chalk3.cyan(lines.length.toString())}`);
+    console.log(`File: ${pc3.cyan(envFile)}`);
+    console.log(`Environment: ${pc3.cyan(environment)}`);
+    console.log(`Variables: ${pc3.cyan(lines.length.toString())}`);
     const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${chalk3.cyan(repoFullName)}`);
+    console.log(`Repository: ${pc3.cyan(repoFullName)}`);
     if (!options.yes) {
       const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
       if (!isInteractive3) {
@@ -896,7 +1069,7 @@ async function pushCommand(options) {
         }
       );
       if (!confirm) {
-        console.log(chalk3.yellow("Push aborted."));
+        console.log(pc3.yellow("Push aborted."));
         return;
       }
     }
@@ -908,30 +1081,50 @@ async function pushCommand(options) {
     });
     console.log("\nUploading secrets...");
     const response = await pushSecrets(repoFullName, environment, content, accessToken);
-    console.log(chalk3.green("\n\u2713 " + response.message));
+    console.log(pc3.green("\n\u2713 " + response.message));
     if (response.stats) {
       const { created, updated, deleted } = response.stats;
       const parts = [];
-      if (created > 0) parts.push(chalk3.green(`+${created} created`));
-      if (updated > 0) parts.push(chalk3.yellow(`~${updated} updated`));
-      if (deleted > 0) parts.push(chalk3.red(`-${deleted} deleted`));
+      if (created > 0) parts.push(pc3.green(`+${created} created`));
+      if (updated > 0) parts.push(pc3.yellow(`~${updated} updated`));
+      if (deleted > 0) parts.push(pc3.red(`-${deleted} deleted`));
       if (parts.length > 0) {
         console.log(`Stats: ${parts.join(", ")}`);
       }
     }
     console.log(`
 Your secrets are now encrypted and stored securely.`);
-    console.log(`To retrieve them, run: ${chalk3.cyan(`keyway pull --env ${environment}`)}`);
+    console.log(`To retrieve them, run: ${pc3.cyan(`keyway pull --env ${environment}`)}`);
     await shutdownAnalytics();
   } catch (error) {
-    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? error.message.slice(0, 200) : "Unknown error";
+    let message;
+    let hint = null;
+    if (error instanceof APIError) {
+      message = error.message || `HTTP ${error.statusCode} - ${error.error}`;
+      const envNotFoundMatch = message.match(/Environment '([^']+)' does not exist.*Available environments: ([^.]+)/);
+      if (envNotFoundMatch) {
+        const requestedEnv = envNotFoundMatch[1];
+        const availableEnvs = envNotFoundMatch[2];
+        message = `Environment '${requestedEnv}' does not exist in this vault.`;
+        hint = `Available environments: ${availableEnvs}
+Use ${pc3.cyan(`keyway push --env <environment>`)} to specify one, or create '${requestedEnv}' via the dashboard.`;
+      }
+    } else if (error instanceof Error) {
+      message = truncateMessage(error.message);
+    } else {
+      message = "Unknown error";
+    }
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "push",
       error: message
     });
     await shutdownAnalytics();
-    console.error(chalk3.red(`
-\u2717 Error: ${message}`));
+    console.error(pc3.red(`
+\u2717 ${message}`));
+    if (hint) {
+      console.error(pc3.gray(`
+${hint}`));
+    }
     process.exit(1);
   }
 }
@@ -942,16 +1135,16 @@ async function initCommand(options = {}) {
   try {
     const repoFullName = getCurrentRepoFullName();
     const dashboardLink = `${DASHBOARD_URL}/${repoFullName}`;
-    console.log(chalk4.blue("\u{1F510} Initializing Keyway vault...\n"));
-    console.log(`  ${chalk4.gray("Repository:")} ${chalk4.white(repoFullName)}`);
+    console.log(pc4.blue("\u{1F510} Initializing Keyway vault...\n"));
+    console.log(`  ${pc4.gray("Repository:")} ${pc4.white(repoFullName)}`);
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName });
     const response = await initVault(repoFullName, accessToken);
-    console.log(chalk4.green("\u2713 Vault created!"));
+    console.log(pc4.green("\u2713 Vault created!"));
     try {
       const badgeAdded = await addBadgeToReadme(true);
       if (badgeAdded) {
-        console.log(chalk4.green("\u2713 Badge added to README.md"));
+        console.log(pc4.green("\u2713 Badge added to README.md"));
       }
     } catch {
     }
@@ -959,7 +1152,7 @@ async function initCommand(options = {}) {
     const envCandidates = discoverEnvCandidates(process.cwd());
     const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
     if (envCandidates.length > 0 && isInteractive2) {
-      console.log(chalk4.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
+      console.log(pc4.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
 `));
       const { shouldPush } = await prompts4({
         type: "confirm",
@@ -973,60 +1166,59 @@ async function initCommand(options = {}) {
         return;
       }
     }
-    console.log(chalk4.dim("\u2500".repeat(50)));
+    console.log(pc4.dim("\u2500".repeat(50)));
     console.log("");
     if (envCandidates.length === 0) {
-      console.log(`  ${chalk4.yellow("\u2192")} Create a ${chalk4.cyan(".env")} file with your secrets`);
-      console.log(`  ${chalk4.yellow("\u2192")} Run ${chalk4.cyan("keyway push")} to sync them
+      console.log(`  ${pc4.yellow("\u2192")} Create a ${pc4.cyan(".env")} file with your secrets`);
+      console.log(`  ${pc4.yellow("\u2192")} Run ${pc4.cyan("keyway push")} to sync them
 `);
     } else {
-      console.log(`  ${chalk4.yellow("\u2192")} Run ${chalk4.cyan("keyway push")} to sync your secrets
+      console.log(`  ${pc4.yellow("\u2192")} Run ${pc4.cyan("keyway push")} to sync your secrets
 `);
     }
-    console.log(`  ${chalk4.blue("\u2394")} Dashboard: ${chalk4.underline(dashboardLink)}`);
+    console.log(`  ${pc4.blue("\u2394")} Dashboard: ${pc4.underline(dashboardLink)}`);
     console.log("");
     await shutdownAnalytics();
   } catch (error) {
     if (error instanceof APIError) {
       if (error.statusCode === 409) {
-        console.log(chalk4.yellow("\n\u26A0 Vault already exists for this repository.\n"));
-        console.log(`  ${chalk4.yellow("\u2192")} Run ${chalk4.cyan("keyway push")} to sync your secrets`);
-        console.log(`  ${chalk4.blue("\u2394")} Dashboard: ${chalk4.underline(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
+        console.log(pc4.yellow("\n\u26A0 Vault already exists for this repository.\n"));
+        console.log(`  ${pc4.yellow("\u2192")} Run ${pc4.cyan("keyway push")} to sync your secrets`);
+        console.log(`  ${pc4.blue("\u2394")} Dashboard: ${pc4.underline(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
         console.log("");
         await shutdownAnalytics();
         return;
       }
       if (error.error === "PLAN_LIMIT_REACHED") {
         console.log("");
-        console.log(chalk4.dim("\u2500".repeat(50)));
+        console.log(pc4.dim("\u2500".repeat(50)));
         console.log("");
-        console.log(`  ${chalk4.yellow("\u26A1")} ${chalk4.bold("Upgrade to Pro")}`);
+        console.log(`  ${pc4.yellow("\u26A1")} ${pc4.bold("Upgrade Required")}`);
         console.log("");
-        console.log(chalk4.gray("  You've reached the limit of your free plan."));
-        console.log(chalk4.gray("  Upgrade to Pro for unlimited private repositories."));
+        console.log(pc4.gray(`  ${error.message}`));
         console.log("");
-        console.log(`  ${chalk4.cyan("\u2192")} ${chalk4.underline(error.upgradeUrl || "https://keyway.sh/upgrade")}`);
+        console.log(`  ${pc4.cyan("\u2192")} ${pc4.underline(error.upgradeUrl || "https://keyway.sh/upgrade")}`);
         console.log("");
-        console.log(chalk4.dim("\u2500".repeat(50)));
+        console.log(pc4.dim("\u2500".repeat(50)));
         console.log("");
         await shutdownAnalytics();
         process.exit(1);
       }
     }
-    const message = error instanceof APIError ? error.message : error instanceof Error ? error.message.slice(0, 200) : "Unknown error";
+    const message = error instanceof APIError ? error.message : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "init",
       error: message
     });
     await shutdownAnalytics();
-    console.error(chalk4.red(`
+    console.error(pc4.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 
 // src/cmds/pull.ts
-import chalk5 from "chalk";
+import pc5 from "picocolors";
 import fs4 from "fs";
 import path4 from "path";
 import prompts5 from "prompts";
@@ -1034,10 +1226,10 @@ async function pullCommand(options) {
   try {
     const environment = options.env || "development";
     const envFile = options.file || ".env";
-    console.log(chalk5.blue("\u{1F510} Pulling secrets from Keyway...\n"));
-    console.log(`Environment: ${chalk5.cyan(environment)}`);
+    console.log(pc5.blue("\u{1F510} Pulling secrets from Keyway...\n"));
+    console.log(`Environment: ${pc5.cyan(environment)}`);
     const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${chalk5.cyan(repoFullName)}`);
+    console.log(`Repository: ${pc5.cyan(repoFullName)}`);
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     trackEvent(AnalyticsEvents.CLI_PULL, {
       repoFullName,
@@ -1049,7 +1241,7 @@ async function pullCommand(options) {
     if (fs4.existsSync(envFilePath)) {
       const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
       if (options.yes) {
-        console.log(chalk5.yellow(`
+        console.log(pc5.yellow(`
 \u26A0 Overwriting existing file: ${envFile}`));
       } else if (!isInteractive2) {
         throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
@@ -1068,7 +1260,7 @@ async function pullCommand(options) {
           }
         );
         if (!confirm) {
-          console.log(chalk5.yellow("Pull aborted."));
+          console.log(pc5.yellow("Pull aborted."));
           return;
         }
       }
@@ -1078,27 +1270,27 @@ async function pullCommand(options) {
       const trimmed = line.trim();
       return trimmed.length > 0 && !trimmed.startsWith("#");
     });
-    console.log(chalk5.green(`
+    console.log(pc5.green(`
 \u2713 Secrets downloaded successfully`));
     console.log(`
-File: ${chalk5.cyan(envFile)}`);
-    console.log(`Variables: ${chalk5.cyan(lines.length.toString())}`);
+File: ${pc5.cyan(envFile)}`);
+    console.log(`Variables: ${pc5.cyan(lines.length.toString())}`);
     await shutdownAnalytics();
   } catch (error) {
-    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? error.message.slice(0, 200) : "Unknown error";
+    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "pull",
       error: message
     });
     await shutdownAnalytics();
-    console.error(chalk5.red(`
-\u2717 Error: ${message}`));
+    console.error(pc5.red(`
+\u2717 ${message}`));
     process.exit(1);
   }
 }
 
 // src/cmds/doctor.ts
-import chalk6 from "chalk";
+import pc6 from "picocolors";
 
 // src/core/doctor.ts
 import { execSync as execSync2 } from "child_process";
@@ -1280,7 +1472,7 @@ async function checkSystemClock() {
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetch("https://api.keyway.sh/v1/health", {
+    const response = await fetch(API_HEALTH_URL, {
       method: "HEAD",
       signal: controller.signal
     });
@@ -1352,9 +1544,9 @@ async function runAllChecks(options = {}) {
 // src/cmds/doctor.ts
 function formatSummary(results) {
   const parts = [
-    chalk6.green(`${results.summary.pass} passed`),
-    results.summary.warn > 0 ? chalk6.yellow(`${results.summary.warn} warnings`) : null,
-    results.summary.fail > 0 ? chalk6.red(`${results.summary.fail} failed`) : null
+    pc6.green(`${results.summary.pass} passed`),
+    results.summary.warn > 0 ? pc6.yellow(`${results.summary.warn} warnings`) : null,
+    results.summary.fail > 0 ? pc6.red(`${results.summary.fail} failed`) : null
   ].filter(Boolean);
   return parts.join(", ");
 }
@@ -1371,24 +1563,24 @@ async function doctorCommand(options = {}) {
       process.stdout.write(JSON.stringify(results, null, 0) + "\n");
       process.exit(results.exitCode);
     }
-    console.log(chalk6.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
+    console.log(pc6.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
     results.checks.forEach((check) => {
-      const icon = check.status === "pass" ? chalk6.green("\u2713") : check.status === "warn" ? chalk6.yellow("!") : chalk6.red("\u2717");
-      const detail = check.detail ? chalk6.dim(` \u2014 ${check.detail}`) : "";
+      const icon = check.status === "pass" ? pc6.green("\u2713") : check.status === "warn" ? pc6.yellow("!") : pc6.red("\u2717");
+      const detail = check.detail ? pc6.dim(` \u2014 ${check.detail}`) : "";
       console.log(`  ${icon} ${check.name}${detail}`);
     });
     console.log(`
 Summary: ${formatSummary(results)}`);
     if (results.summary.fail > 0) {
-      console.log(chalk6.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
+      console.log(pc6.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
     } else if (results.summary.warn > 0) {
-      console.log(chalk6.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
+      console.log(pc6.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
     } else {
-      console.log(chalk6.green("\u2728 All checks passed! Your environment is ready for Keyway."));
+      console.log(pc6.green("\u2728 All checks passed! Your environment is ready for Keyway."));
     }
     process.exit(results.exitCode);
   } catch (error) {
-    const message = error instanceof Error ? error.message : "Doctor failed";
+    const message = error instanceof Error ? truncateMessage(error.message) : "Doctor failed";
     trackEvent(AnalyticsEvents.CLI_DOCTOR, {
       pass: 0,
       warn: 0,
@@ -1405,17 +1597,403 @@ Summary: ${formatSummary(results)}`);
       };
       process.stdout.write(JSON.stringify(errorResult, null, 0) + "\n");
     } else {
-      console.error(chalk6.red(`\u2716 Doctor check failed: ${message}`));
+      console.error(pc6.red(`
+\u2717 ${message}`));
     }
     process.exit(1);
   }
 }
 
+// src/cmds/connect.ts
+import pc7 from "picocolors";
+import open2 from "open";
+import prompts6 from "prompts";
+async function connectCommand(provider, options = {}) {
+  try {
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    const { providers } = await getProviders();
+    const providerInfo = providers.find((p) => p.name === provider.toLowerCase());
+    if (!providerInfo) {
+      const available = providers.map((p) => p.name).join(", ");
+      console.error(pc7.red(`Unknown provider: ${provider}`));
+      console.log(pc7.gray(`Available providers: ${available || "none"}`));
+      process.exit(1);
+    }
+    if (!providerInfo.configured) {
+      console.error(pc7.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
+      console.log(pc7.gray("Contact your administrator to enable this integration."));
+      process.exit(1);
+    }
+    const { connections } = await getConnections(accessToken);
+    const existingConnection = connections.find((c) => c.provider === provider.toLowerCase());
+    if (existingConnection) {
+      const { reconnect } = await prompts6({
+        type: "confirm",
+        name: "reconnect",
+        message: `You're already connected to ${providerInfo.displayName}. Reconnect?`,
+        initial: false
+      });
+      if (!reconnect) {
+        console.log(pc7.gray("Keeping existing connection."));
+        return;
+      }
+    }
+    console.log(pc7.blue(`
+Connecting to ${providerInfo.displayName}...
+`));
+    const authUrl = getProviderAuthUrl(provider.toLowerCase());
+    const startTime = /* @__PURE__ */ new Date();
+    console.log(pc7.gray("Opening browser for authorization..."));
+    console.log(pc7.gray(`If the browser doesn't open, visit: ${authUrl}`));
+    await open2(authUrl).catch(() => {
+    });
+    console.log(pc7.gray("Waiting for authorization..."));
+    const maxAttempts = 60;
+    let attempts = 0;
+    let connected = false;
+    while (attempts < maxAttempts) {
+      await new Promise((resolve) => setTimeout(resolve, 5e3));
+      attempts++;
+      try {
+        const { connections: connections2 } = await getConnections(accessToken);
+        const newConn = connections2.find(
+          (c) => c.provider === provider.toLowerCase() && new Date(c.createdAt) > startTime
+        );
+        if (newConn) {
+          connected = true;
+          console.log(pc7.green(`
+\u2713 Connected to ${providerInfo.displayName}!`));
+          break;
+        }
+      } catch {
+      }
+    }
+    if (!connected) {
+      console.log(pc7.red("\n\u2717 Authorization timeout."));
+      console.log(pc7.gray("Run `keyway connections` to check if the connection was established."));
+    }
+    trackEvent(AnalyticsEvents.CLI_CONNECT, {
+      provider: provider.toLowerCase(),
+      success: connected
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Connection failed";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "connect",
+      error: truncateMessage(message)
+    });
+    console.error(pc7.red(`
+\u2717 ${message}`));
+    process.exit(1);
+  }
+}
+async function connectionsCommand(options = {}) {
+  try {
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    const { connections } = await getConnections(accessToken);
+    if (connections.length === 0) {
+      console.log(pc7.gray("No provider connections found."));
+      console.log(pc7.gray("\nConnect to a provider with: keyway connect <provider>"));
+      console.log(pc7.gray("Available providers: vercel"));
+      return;
+    }
+    console.log(pc7.blue("\n\u{1F4E1} Provider Connections\n"));
+    for (const conn of connections) {
+      const providerName = conn.provider.charAt(0).toUpperCase() + conn.provider.slice(1);
+      const teamInfo = conn.providerTeamId ? pc7.gray(` (Team: ${conn.providerTeamId})`) : "";
+      const date = new Date(conn.createdAt).toLocaleDateString();
+      console.log(`  ${pc7.green("\u25CF")} ${pc7.bold(providerName)}${teamInfo}`);
+      console.log(pc7.gray(`    Connected: ${date}`));
+      console.log(pc7.gray(`    ID: ${conn.id}`));
+      console.log("");
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Failed to list connections";
+    console.error(pc7.red(`
+\u2717 ${message}`));
+    process.exit(1);
+  }
+}
+async function disconnectCommand(provider, options = {}) {
+  try {
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    const { connections } = await getConnections(accessToken);
+    const connection = connections.find((c) => c.provider === provider.toLowerCase());
+    if (!connection) {
+      console.log(pc7.gray(`No connection found for provider: ${provider}`));
+      return;
+    }
+    const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
+    const { confirm } = await prompts6({
+      type: "confirm",
+      name: "confirm",
+      message: `Disconnect from ${providerName}?`,
+      initial: false
+    });
+    if (!confirm) {
+      console.log(pc7.gray("Cancelled."));
+      return;
+    }
+    await deleteConnection(accessToken, connection.id);
+    console.log(pc7.green(`
+\u2713 Disconnected from ${providerName}`));
+    trackEvent(AnalyticsEvents.CLI_DISCONNECT, {
+      provider: provider.toLowerCase()
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Disconnect failed";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "disconnect",
+      error: truncateMessage(message)
+    });
+    console.error(pc7.red(`
+\u2717 ${message}`));
+    process.exit(1);
+  }
+}
+
+// src/cmds/sync.ts
+import pc8 from "picocolors";
+import prompts7 from "prompts";
+function findMatchingProject(projects, repoFullName) {
+  const repoName = repoFullName.split("/")[1]?.toLowerCase();
+  if (!repoName) return void 0;
+  const exact = projects.find((p) => p.name.toLowerCase() === repoName);
+  if (exact) return exact;
+  const partial = projects.filter(
+    (p) => p.name.toLowerCase().includes(repoName) || repoName.includes(p.name.toLowerCase())
+  );
+  return partial.length === 1 ? partial[0] : void 0;
+}
+async function syncCommand(provider, options = {}) {
+  try {
+    if (options.pull && options.allowDelete) {
+      console.error(pc8.red("Error: --allow-delete cannot be used with --pull"));
+      console.log(pc8.gray("The --allow-delete flag is only for push operations."));
+      process.exit(1);
+    }
+    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
+    const repoFullName = detectGitRepo();
+    if (!repoFullName) {
+      console.error(pc8.red("Could not detect Git repository."));
+      console.log(pc8.gray("Run this command from a Git repository directory."));
+      process.exit(1);
+    }
+    console.log(pc8.gray(`Repository: ${repoFullName}`));
+    const { connections } = await getConnections(accessToken);
+    const connection = connections.find((c) => c.provider === provider.toLowerCase());
+    if (!connection) {
+      console.error(pc8.red(`Not connected to ${provider}.`));
+      console.log(pc8.gray(`Run: keyway connect ${provider}`));
+      process.exit(1);
+    }
+    const { projects } = await getConnectionProjects(accessToken, connection.id);
+    if (projects.length === 0) {
+      console.error(pc8.red(`No projects found in your ${provider} account.`));
+      process.exit(1);
+    }
+    let selectedProject;
+    if (options.project) {
+      const found = projects.find(
+        (p) => p.id === options.project || p.name.toLowerCase() === options.project?.toLowerCase()
+      );
+      if (!found) {
+        console.error(pc8.red(`Project not found: ${options.project}`));
+        console.log(pc8.gray("Available projects:"));
+        projects.forEach((p) => console.log(pc8.gray(`  - ${p.name}`)));
+        process.exit(1);
+      }
+      selectedProject = found;
+    } else {
+      const autoMatch = findMatchingProject(projects, repoFullName);
+      if (autoMatch && projects.length > 1) {
+        console.log(pc8.gray(`Detected project: ${autoMatch.name}`));
+        const { useDetected } = await prompts7({
+          type: "confirm",
+          name: "useDetected",
+          message: `Use ${autoMatch.name}?`,
+          initial: true
+        });
+        if (useDetected) {
+          selectedProject = autoMatch;
+        } else {
+          const { projectChoice } = await prompts7({
+            type: "select",
+            name: "projectChoice",
+            message: "Select a project:",
+            choices: projects.map((p) => ({ title: p.name, value: p.id }))
+          });
+          selectedProject = projects.find((p) => p.id === projectChoice);
+        }
+      } else if (autoMatch) {
+        selectedProject = autoMatch;
+      } else if (projects.length === 1) {
+        selectedProject = projects[0];
+      } else {
+        const { projectChoice } = await prompts7({
+          type: "select",
+          name: "projectChoice",
+          message: "Select a project:",
+          choices: projects.map((p) => ({ title: p.name, value: p.id }))
+        });
+        if (!projectChoice) {
+          console.log(pc8.gray("Cancelled."));
+          process.exit(0);
+        }
+        selectedProject = projects.find((p) => p.id === projectChoice);
+      }
+    }
+    const keywayEnv = options.environment || "production";
+    const providerEnv = options.providerEnv || "production";
+    const direction = options.pull ? "pull" : "push";
+    const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
+    console.log(pc8.gray(`Project: ${selectedProject.name}`));
+    console.log(pc8.gray(`Direction: ${direction === "push" ? "Keyway \u2192 " + providerName : providerName + " \u2192 Keyway"}`));
+    const status = await getSyncStatus(
+      accessToken,
+      repoFullName,
+      connection.id,
+      selectedProject.id,
+      keywayEnv
+    );
+    if (status.isFirstSync && !options.pull && status.vaultIsEmpty && status.providerHasSecrets) {
+      console.log(pc8.yellow(`
+\u26A0\uFE0F  Your Keyway vault is empty, but ${providerName} has ${status.providerSecretCount} secrets.`));
+      const { importFirst } = await prompts7({
+        type: "confirm",
+        name: "importFirst",
+        message: `Import secrets from ${providerName} first?`,
+        initial: true
+      });
+      if (importFirst) {
+        await executeSyncOperation(
+          accessToken,
+          repoFullName,
+          connection.id,
+          selectedProject,
+          keywayEnv,
+          providerEnv,
+          "pull",
+          false,
+          // Never delete on import
+          options.yes || false,
+          provider
+        );
+        return;
+      }
+    }
+    await executeSyncOperation(
+      accessToken,
+      repoFullName,
+      connection.id,
+      selectedProject,
+      keywayEnv,
+      providerEnv,
+      direction,
+      options.allowDelete || false,
+      options.yes || false,
+      provider
+    );
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Sync failed";
+    trackEvent(AnalyticsEvents.CLI_ERROR, {
+      command: "sync",
+      error: truncateMessage(message)
+    });
+    console.error(pc8.red(`
+\u2717 ${message}`));
+    process.exit(1);
+  }
+}
+async function executeSyncOperation(accessToken, repoFullName, connectionId, project, keywayEnv, providerEnv, direction, allowDelete, skipConfirm, provider) {
+  const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
+  const preview = await getSyncPreview(accessToken, repoFullName, {
+    connectionId,
+    projectId: project.id,
+    keywayEnvironment: keywayEnv,
+    providerEnvironment: providerEnv,
+    direction,
+    allowDelete
+  });
+  const totalChanges = preview.toCreate.length + preview.toUpdate.length + preview.toDelete.length;
+  if (totalChanges === 0) {
+    console.log(pc8.green("\n\u2713 Already in sync. No changes needed."));
+    return;
+  }
+  console.log(pc8.blue("\n\u{1F4CB} Sync Preview\n"));
+  if (preview.toCreate.length > 0) {
+    console.log(pc8.green(`  + ${preview.toCreate.length} to create`));
+    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc8.gray(`    ${key}`)));
+    if (preview.toCreate.length > 5) {
+      console.log(pc8.gray(`    ... and ${preview.toCreate.length - 5} more`));
+    }
+  }
+  if (preview.toUpdate.length > 0) {
+    console.log(pc8.yellow(`  ~ ${preview.toUpdate.length} to update`));
+    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc8.gray(`    ${key}`)));
+    if (preview.toUpdate.length > 5) {
+      console.log(pc8.gray(`    ... and ${preview.toUpdate.length - 5} more`));
+    }
+  }
+  if (preview.toDelete.length > 0) {
+    console.log(pc8.red(`  - ${preview.toDelete.length} to delete`));
+    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc8.gray(`    ${key}`)));
+    if (preview.toDelete.length > 5) {
+      console.log(pc8.gray(`    ... and ${preview.toDelete.length - 5} more`));
+    }
+  }
+  if (preview.toSkip.length > 0) {
+    console.log(pc8.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
+  }
+  console.log("");
+  if (!skipConfirm) {
+    const target = direction === "push" ? providerName : "Keyway";
+    const { confirm } = await prompts7({
+      type: "confirm",
+      name: "confirm",
+      message: `Apply ${totalChanges} changes to ${target}?`,
+      initial: true
+    });
+    if (!confirm) {
+      console.log(pc8.gray("Cancelled."));
+      return;
+    }
+  }
+  console.log(pc8.blue("\n\u23F3 Syncing...\n"));
+  const result = await executeSync(accessToken, repoFullName, {
+    connectionId,
+    projectId: project.id,
+    keywayEnvironment: keywayEnv,
+    providerEnvironment: providerEnv,
+    direction,
+    allowDelete
+  });
+  if (result.success) {
+    console.log(pc8.green("\u2713 Sync complete"));
+    console.log(pc8.gray(`  Created: ${result.stats.created}`));
+    console.log(pc8.gray(`  Updated: ${result.stats.updated}`));
+    if (result.stats.deleted > 0) {
+      console.log(pc8.gray(`  Deleted: ${result.stats.deleted}`));
+    }
+    trackEvent(AnalyticsEvents.CLI_SYNC, {
+      provider,
+      direction,
+      created: result.stats.created,
+      updated: result.stats.updated,
+      deleted: result.stats.deleted
+    });
+  } else {
+    console.error(pc8.red(`
+\u2717 ${result.error}`));
+    process.exit(1);
+  }
+}
+
 // src/cli.ts
 var program = new Command();
 var showBanner = () => {
-  const text = chalk7.cyan.bold("Keyway CLI");
-  const subtitle = chalk7.gray("GitHub-native secrets manager for dev teams");
+  const text = pc9.cyan.bold("Keyway CLI");
+  const subtitle = pc9.gray("GitHub-native secrets manager for dev teams");
   console.log(`
 ${text}
 ${subtitle}
@@ -1441,7 +2019,19 @@ program.command("logout").description("Clear stored Keyway credentials").action(
 program.command("doctor").description("Run environment checks to ensure Keyway runs smoothly").option("--json", "Output results as JSON for machine processing", false).option("--strict", "Treat warnings as failures", false).action(async (options) => {
   await doctorCommand(options);
 });
+program.command("connect <provider>").description("Connect to an external provider (e.g., vercel)").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
+  await connectCommand(provider, options);
+});
+program.command("connections").description("List your provider connections").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
+  await connectionsCommand(options);
+});
+program.command("disconnect <provider>").description("Disconnect from a provider").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
+  await disconnectCommand(provider, options);
+});
+program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment", "production").option("--provider-env <env>", "Provider environment", "production").option("--project <project>", "Provider project name or ID").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
+  await syncCommand(provider, options);
+});
 program.parseAsync().catch((error) => {
-  console.error(chalk7.red("Error:"), error.message || error);
+  console.error(pc9.red("Error:"), error.message || error);
   process.exit(1);
 });