@keywaysh/cli 0.0.21 → 0.1.1

package/dist/auth-QLPQ24HZ.js

@@ -0,0 +1,12 @@
+import {
+  clearAuth,
+  getAuthFilePath,
+  getStoredAuth,
+  saveAuthToken
+} from "./chunk-F4C46224.js";
+export {
+  clearAuth,
+  getAuthFilePath,
+  getStoredAuth,
+  saveAuthToken
+};

package/dist/chunk-F4C46224.js

@@ -0,0 +1,102 @@
+// src/utils/auth.ts
+import Conf from "conf";
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var store = new Conf({
+  projectName: "keyway",
+  configName: "config",
+  fileMode: 384
+});
+var KEY_DIR = join(homedir(), ".keyway");
+var KEY_FILE = join(KEY_DIR, ".key");
+function getOrCreateEncryptionKey() {
+  if (!existsSync(KEY_DIR)) {
+    mkdirSync(KEY_DIR, { recursive: true, mode: 448 });
+  }
+  if (existsSync(KEY_FILE)) {
+    const keyHex2 = readFileSync(KEY_FILE, "utf-8").trim();
+    if (keyHex2.length === 64) {
+      return Buffer.from(keyHex2, "hex");
+    }
+  }
+  const key = randomBytes(32);
+  const keyHex = key.toString("hex");
+  writeFileSync(KEY_FILE, keyHex, { mode: 384 });
+  try {
+    chmodSync(KEY_FILE, 384);
+  } catch {
+  }
+  return key;
+}
+function encryptToken(token) {
+  const key = getOrCreateEncryptionKey();
+  const iv = randomBytes(16);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
+function decryptToken(encryptedData) {
+  const key = getOrCreateEncryptionKey();
+  const parts = encryptedData.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted token format");
+  }
+  const iv = Buffer.from(parts[0], "hex");
+  const authTag = Buffer.from(parts[1], "hex");
+  const encrypted = Buffer.from(parts[2], "hex");
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+  return decrypted.toString("utf8");
+}
+function isExpired(auth) {
+  if (!auth.expiresAt) return false;
+  const expires = Date.parse(auth.expiresAt);
+  if (Number.isNaN(expires)) return false;
+  return expires <= Date.now();
+}
+async function getStoredAuth() {
+  const encryptedData = store.get("auth");
+  if (!encryptedData) {
+    return null;
+  }
+  try {
+    const decrypted = decryptToken(encryptedData);
+    const auth = JSON.parse(decrypted);
+    if (isExpired(auth)) {
+      clearAuth();
+      return null;
+    }
+    return auth;
+  } catch {
+    console.error("Failed to decrypt stored auth, clearing...");
+    clearAuth();
+    return null;
+  }
+}
+async function saveAuthToken(token, meta) {
+  const auth = {
+    keywayToken: token,
+    githubLogin: meta?.githubLogin,
+    expiresAt: meta?.expiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const encrypted = encryptToken(JSON.stringify(auth));
+  store.set("auth", encrypted);
+}
+function clearAuth() {
+  store.delete("auth");
+}
+function getAuthFilePath() {
+  return store.path;
+}
+
+export {
+  getStoredAuth,
+  saveAuthToken,
+  clearAuth,
+  getAuthFilePath
+};

package/dist/cli.js

@@ -1,4 +1,10 @@
 #!/usr/bin/env node
+import {
+  clearAuth,
+  getAuthFilePath,
+  getStoredAuth,
+  saveAuthToken
+} from "./chunk-F4C46224.js";
 
 // src/cli.ts
 import { Command } from "commander";
@@ -7,6 +13,7 @@ import pc9 from "picocolors";
 // src/cmds/init.ts
 import pc4 from "picocolors";
 import prompts4 from "prompts";
+import open2 from "open";
 
 // src/utils/git.ts
 import { execSync } from "child_process";
@@ -69,7 +76,7 @@ var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
 // package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.0.21",
+  version: "0.1.1",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -338,7 +345,8 @@ async function validateToken(token) {
     },
     body: JSON.stringify({})
   });
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 async function getProviders() {
   const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations`, {
@@ -347,7 +355,8 @@ async function getProviders() {
       "User-Agent": USER_AGENT
     }
   });
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 async function getConnections(accessToken) {
   const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections`, {
@@ -357,7 +366,8 @@ async function getConnections(accessToken) {
       Authorization: `Bearer ${accessToken}`
     }
   });
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 async function deleteConnection(accessToken, connectionId) {
   const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}`, {
@@ -367,7 +377,7 @@ async function deleteConnection(accessToken, connectionId) {
       Authorization: `Bearer ${accessToken}`
     }
   });
-  return handleResponse(response);
+  await handleResponse(response);
 }
 function getProviderAuthUrl(provider, redirectUri) {
   const params = redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : "";
@@ -381,7 +391,8 @@ async function getConnectionProjects(accessToken, connectionId) {
       Authorization: `Bearer ${accessToken}`
     }
   });
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 async function getSyncStatus(accessToken, repoFullName, connectionId, projectId, environment = "production") {
   const [owner, repo] = repoFullName.split("/");
@@ -400,7 +411,8 @@ async function getSyncStatus(accessToken, repoFullName, connectionId, projectId,
       }
     }
   );
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 async function getSyncPreview(accessToken, repoFullName, options) {
   const [owner, repo] = repoFullName.split("/");
@@ -424,7 +436,8 @@ async function getSyncPreview(accessToken, repoFullName, options) {
     6e4
     // 60 seconds for sync operations
   );
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 async function executeSync(accessToken, repoFullName, options) {
   const [owner, repo] = repoFullName.split("/");
@@ -449,7 +462,21 @@ async function executeSync(accessToken, repoFullName, options) {
     12e4
     // 2 minutes for sync execution
   );
-  return handleResponse(response);
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
+}
+async function checkGitHubAppInstallation(repoOwner, repoName, accessToken) {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/github/check-installation`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": USER_AGENT,
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ repoOwner, repoName })
+  });
+  const wrapped = await handleResponse(response);
+  return wrapped.data;
 }
 
 // src/utils/analytics.ts
@@ -541,6 +568,30 @@ async function shutdownAnalytics() {
     await posthog.shutdown();
   }
 }
+function identifyUser(userId, properties) {
+  try {
+    if (TELEMETRY_DISABLED) return;
+    if (!posthog) initPostHog();
+    if (!posthog) return;
+    const sanitizedProperties = properties ? sanitizeProperties(properties) : {};
+    posthog.identify({
+      distinctId: userId,
+      properties: {
+        ...sanitizedProperties,
+        source: "cli"
+      }
+    });
+    const anonId = getDistinctId();
+    if (anonId && anonId !== userId) {
+      posthog.alias({
+        distinctId: userId,
+        alias: anonId
+      });
+    }
+  } catch (error) {
+    console.debug("Analytics identify error:", error);
+  }
+}
 var AnalyticsEvents = {
   CLI_INIT: "cli_init",
   CLI_PUSH: "cli_push",
@@ -554,103 +605,108 @@ var AnalyticsEvents = {
   CLI_FEEDBACK: "cli_feedback"
 };
 
-// src/cmds/login.ts
-import pc from "picocolors";
-import readline from "readline";
-import open from "open";
+// src/cmds/readme.ts
+import fs2 from "fs";
+import path2 from "path";
 import prompts from "prompts";
+import pc from "picocolors";
+function generateBadge(repo) {
+  return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/vaults/${repo})`;
+}
+function insertBadgeIntoReadme(readmeContent, badge) {
+  if (readmeContent.includes("keyway.sh/badge.svg")) {
+    return readmeContent;
+  }
+  const lines = readmeContent.split(/\r?\n/);
+  const titleIndex = lines.findIndex((line) => /^#(?!#)\s+/.test(line.trim()));
+  if (titleIndex !== -1) {
+    const before = lines.slice(0, titleIndex + 1);
+    const after = lines.slice(titleIndex + 1);
+    while (after.length > 0 && after[0].trim() === "") {
+      after.shift();
+    }
+    const newLines = [...before, "", badge, "", ...after];
+    return newLines.join("\n");
+  }
+  return `${badge}
 
-// src/utils/auth.ts
-import Conf from "conf";
-import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "crypto";
-import { promisify } from "util";
-var store = new Conf({
-  projectName: "keyway",
-  configName: "config",
-  fileMode: 384
-});
-var scryptAsync = promisify(scrypt);
-async function getEncryptionKey() {
-  const machineId = process.env.USER || process.env.USERNAME || "keyway-user";
-  let salt = store.get("salt");
-  if (!salt) {
-    salt = randomBytes(16).toString("hex");
-    store.set("salt", salt);
-  }
-  const key = await scryptAsync(machineId, salt, 32);
-  return key;
-}
-async function encryptToken(token) {
-  const key = await getEncryptionKey();
-  const iv = randomBytes(16);
-  const cipher = createCipheriv("aes-256-gcm", key, iv);
-  const encrypted = Buffer.concat([
-    cipher.update(token, "utf8"),
-    cipher.final()
-  ]);
-  const authTag = cipher.getAuthTag();
-  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
-}
-async function decryptToken(encryptedData) {
-  const key = await getEncryptionKey();
-  const parts = encryptedData.split(":");
-  if (parts.length !== 3) {
-    throw new Error("Invalid encrypted token format");
-  }
-  const iv = Buffer.from(parts[0], "hex");
-  const authTag = Buffer.from(parts[1], "hex");
-  const encrypted = Buffer.from(parts[2], "hex");
-  const decipher = createDecipheriv("aes-256-gcm", key, iv);
-  decipher.setAuthTag(authTag);
-  const decrypted = Buffer.concat([
-    decipher.update(encrypted),
-    decipher.final()
-  ]);
-  return decrypted.toString("utf8");
+${readmeContent}`;
 }
-function isExpired(auth) {
-  if (!auth.expiresAt) return false;
-  const expires = Date.parse(auth.expiresAt);
-  if (Number.isNaN(expires)) return false;
-  return expires <= Date.now();
+function findReadmePath(cwd) {
+  const candidates = ["README.md", "readme.md", "Readme.md"];
+  for (const candidate of candidates) {
+    const candidatePath = path2.join(cwd, candidate);
+    if (fs2.existsSync(candidatePath)) {
+      return candidatePath;
+    }
+  }
+  return null;
 }
-async function getStoredAuth() {
-  const encryptedData = store.get("auth");
-  if (!encryptedData) {
+async function ensureReadme(repoName, cwd) {
+  const existing = findReadmePath(cwd);
+  if (existing) return existing;
+  const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
+  if (!isInteractive3) {
+    console.log(pc.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
     return null;
   }
-  try {
-    const decrypted = await decryptToken(encryptedData);
-    const auth = JSON.parse(decrypted);
-    if (isExpired(auth)) {
-      clearAuth();
-      return null;
+  const { confirm } = await prompts(
+    {
+      type: "confirm",
+      name: "confirm",
+      message: "No README found. Create a default README.md?",
+      initial: false
+    },
+    {
+      onCancel: () => ({ confirm: false })
     }
-    return auth;
-  } catch (error) {
-    console.error("Failed to decrypt stored auth, clearing...");
-    clearAuth();
+  );
+  if (!confirm) {
+    console.log(pc.yellow("Skipping badge insertion (no README)."));
     return null;
   }
+  const defaultPath = path2.join(cwd, "README.md");
+  const content = `# ${repoName}
+
+`;
+  fs2.writeFileSync(defaultPath, content, "utf-8");
+  return defaultPath;
 }
-async function saveAuthToken(token, meta) {
-  const auth = {
-    keywayToken: token,
-    githubLogin: meta?.githubLogin,
-    expiresAt: meta?.expiresAt,
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  const encrypted = await encryptToken(JSON.stringify(auth));
-  store.set("auth", encrypted);
-}
-function clearAuth() {
-  store.delete("auth");
-}
-function getAuthFilePath() {
-  return store.path;
+async function addBadgeToReadme(silent = false) {
+  const repo = detectGitRepo();
+  if (!repo) {
+    throw new Error("This directory is not a Git repository.");
+  }
+  const cwd = process.cwd();
+  const readmePath = await ensureReadme(repo, cwd);
+  if (!readmePath) return false;
+  const badge = generateBadge(repo);
+  const content = fs2.readFileSync(readmePath, "utf-8");
+  const updated = insertBadgeIntoReadme(content, badge);
+  if (updated === content) {
+    if (!silent) {
+      console.log(pc.gray("Keyway badge already present in README."));
+    }
+    return false;
+  }
+  fs2.writeFileSync(readmePath, updated, "utf-8");
+  if (!silent) {
+    console.log(pc.green(`\u2713 Keyway badge added to ${path2.basename(readmePath)}`));
+  }
+  return true;
 }
 
+// src/cmds/push.ts
+import pc3 from "picocolors";
+import fs3 from "fs";
+import path3 from "path";
+import prompts3 from "prompts";
+
 // src/cmds/login.ts
+import pc2 from "picocolors";
+import readline from "readline";
+import open from "open";
+import prompts2 from "prompts";
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
@@ -674,17 +730,17 @@ async function promptYesNo(question, defaultYes = true) {
   });
 }
 async function runLoginFlow() {
-  console.log(pc.blue("\u{1F510} Starting Keyway login...\n"));
+  console.log(pc2.blue("\u{1F510} Starting Keyway login...\n"));
   const repoName = detectGitRepo();
   const start = await startDeviceLogin(repoName);
   const verifyUrl = start.verificationUriComplete || start.verificationUri;
   if (!verifyUrl) {
     throw new Error("Missing verification URL from the auth server.");
   }
-  console.log(`Code: ${pc.bold(pc.green(start.userCode))}`);
+  console.log(`Code: ${pc2.bold(pc2.green(start.userCode))}`);
   console.log("Waiting for auth...");
   open(verifyUrl).catch(() => {
-    console.log(pc.gray(`Open this URL in your browser: ${verifyUrl}`));
+    console.log(pc2.gray(`Open this URL in your browser: ${verifyUrl}`));
   });
   const pollIntervalMs = (start.interval ?? 5) * 1e3;
   const maxTimeoutMs = Math.min((start.expiresIn ?? 900) * 1e3, 30 * 60 * 1e3);
@@ -707,9 +763,15 @@ async function runLoginFlow() {
         method: "device",
         repo: repoName
       });
-      console.log(pc.green("\n\u2713 Login successful"));
       if (result.githubLogin) {
-        console.log(`Authenticated GitHub user: ${pc.cyan(result.githubLogin)}`);
+        identifyUser(result.githubLogin, {
+          github_username: result.githubLogin,
+          login_method: "device"
+        });
+      }
+      console.log(pc2.green("\n\u2713 Login successful"));
+      if (result.githubLogin) {
+        console.log(`Authenticated GitHub user: ${pc2.cyan(result.githubLogin)}`);
       }
       return result.keywayToken;
     }
@@ -722,7 +784,7 @@ async function ensureLogin(options = {}) {
     return envToken;
   }
   if (process.env.GITHUB_TOKEN && !process.env.KEYWAY_TOKEN) {
-    console.warn(pc.yellow("Note: GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication."));
+    console.warn(pc2.yellow("Note: GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication."));
   }
   const stored = await getStoredAuth();
   if (stored?.keywayToken) {
@@ -742,17 +804,17 @@ async function ensureLogin(options = {}) {
 async function runTokenLogin() {
   const repoName = detectGitRepo();
   if (repoName) {
-    console.log(`\u{1F4C1} Detected: ${pc.cyan(repoName)}`);
+    console.log(`\u{1F4C1} Detected: ${pc2.cyan(repoName)}`);
   }
   const description = repoName ? `Keyway CLI for ${repoName}` : "Keyway CLI";
   const url = `https://github.com/settings/personal-access-tokens/new?description=${encodeURIComponent(description)}`;
   console.log("Opening GitHub...");
   open(url).catch(() => {
-    console.log(pc.gray(`Open this URL in your browser: ${url}`));
+    console.log(pc2.gray(`Open this URL in your browser: ${url}`));
   });
-  console.log(pc.gray("Select the detected repo (or scope manually)."));
-  console.log(pc.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
-  const { token } = await prompts(
+  console.log(pc2.gray("Select the detected repo (or scope manually)."));
+  console.log(pc2.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
+  const { token } = await prompts2(
     {
       type: "password",
       name: "token",
@@ -784,7 +846,11 @@ async function runTokenLogin() {
     method: "pat",
     repo: repoName
   });
-  console.log(pc.green("\u2705 Authenticated"), `as ${pc.cyan(`@${validation.username}`)}`);
+  identifyUser(validation.username, {
+    github_username: validation.username,
+    login_method: "pat"
+  });
+  console.log(pc2.green("\u2705 Authenticated"), `as ${pc2.cyan(`@${validation.username}`)}`);
   return trimmedToken;
 }
 async function loginCommand(options = {}) {
@@ -800,113 +866,18 @@ async function loginCommand(options = {}) {
       command: "login",
       error: truncateMessage(message)
     });
-    console.error(pc.red(`
+    console.error(pc2.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 async function logoutCommand() {
   clearAuth();
-  console.log(pc.green("\u2713 Logged out of Keyway"));
-  console.log(pc.gray(`Auth cache cleared: ${getAuthFilePath()}`));
-}
-
-// src/cmds/readme.ts
-import fs2 from "fs";
-import path2 from "path";
-import prompts2 from "prompts";
-import pc2 from "picocolors";
-function generateBadge(repo) {
-  return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/vaults/${repo})`;
-}
-function insertBadgeIntoReadme(readmeContent, badge) {
-  if (readmeContent.includes("keyway.sh/badge.svg")) {
-    return readmeContent;
-  }
-  const lines = readmeContent.split(/\r?\n/);
-  const titleIndex = lines.findIndex((line) => /^#(?!#)\s+/.test(line.trim()));
-  if (titleIndex !== -1) {
-    const before = lines.slice(0, titleIndex + 1);
-    const after = lines.slice(titleIndex + 1);
-    while (after.length > 0 && after[0].trim() === "") {
-      after.shift();
-    }
-    const newLines = [...before, "", badge, "", ...after];
-    return newLines.join("\n");
-  }
-  return `${badge}
-
-${readmeContent}`;
-}
-function findReadmePath(cwd) {
-  const candidates = ["README.md", "readme.md", "Readme.md"];
-  for (const candidate of candidates) {
-    const candidatePath = path2.join(cwd, candidate);
-    if (fs2.existsSync(candidatePath)) {
-      return candidatePath;
-    }
-  }
-  return null;
-}
-async function ensureReadme(repoName, cwd) {
-  const existing = findReadmePath(cwd);
-  if (existing) return existing;
-  const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-  if (!isInteractive2) {
-    console.log(pc2.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
-    return null;
-  }
-  const { confirm } = await prompts2(
-    {
-      type: "confirm",
-      name: "confirm",
-      message: "No README found. Create a default README.md?",
-      initial: false
-    },
-    {
-      onCancel: () => ({ confirm: false })
-    }
-  );
-  if (!confirm) {
-    console.log(pc2.yellow("Skipping badge insertion (no README)."));
-    return null;
-  }
-  const defaultPath = path2.join(cwd, "README.md");
-  const content = `# ${repoName}
-
-`;
-  fs2.writeFileSync(defaultPath, content, "utf-8");
-  return defaultPath;
-}
-async function addBadgeToReadme(silent = false) {
-  const repo = detectGitRepo();
-  if (!repo) {
-    throw new Error("This directory is not a Git repository.");
-  }
-  const cwd = process.cwd();
-  const readmePath = await ensureReadme(repo, cwd);
-  if (!readmePath) return false;
-  const badge = generateBadge(repo);
-  const content = fs2.readFileSync(readmePath, "utf-8");
-  const updated = insertBadgeIntoReadme(content, badge);
-  if (updated === content) {
-    if (!silent) {
-      console.log(pc2.gray("Keyway badge already present in README."));
-    }
-    return false;
-  }
-  fs2.writeFileSync(readmePath, updated, "utf-8");
-  if (!silent) {
-    console.log(pc2.green(`\u2713 Keyway badge added to ${path2.basename(readmePath)}`));
-  }
-  return true;
+  console.log(pc2.green("\u2713 Logged out of Keyway"));
+  console.log(pc2.gray(`Auth cache cleared: ${getAuthFilePath()}`));
 }
 
 // src/cmds/push.ts
-import pc3 from "picocolors";
-import fs3 from "fs";
-import path3 from "path";
-import prompts3 from "prompts";
 function deriveEnvFromFile(file) {
   const base = path3.basename(file);
   const match = base.match(/\.env(?:\.(.+))?$/);
@@ -947,7 +918,7 @@ function discoverEnvCandidates(cwd) {
 async function pushCommand(options) {
   try {
     console.log(pc3.blue("\u{1F510} Pushing secrets to Keyway...\n"));
-    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
+    const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
     let environment = options.env;
     let envFile = options.file;
     const candidates = discoverEnvCandidates(process.cwd());
@@ -957,7 +928,7 @@ async function pushCommand(options) {
         envFile = match.file;
       }
     }
-    if (!environment && !envFile && isInteractive2 && candidates.length > 0) {
+    if (!environment && !envFile && isInteractive3 && candidates.length > 0) {
       const { choice } = await prompts3(
         {
           type: "select",
@@ -1011,7 +982,7 @@ async function pushCommand(options) {
     }
     let envFilePath = path3.resolve(process.cwd(), envFile);
     if (!fs3.existsSync(envFilePath)) {
-      if (!isInteractive2) {
+      if (!isInteractive3) {
         throw new Error(`File not found: ${envFile}. Provide --file <path> or run interactively to choose a file.`);
       }
       const { newPath } = await prompts3(
@@ -1052,8 +1023,8 @@ async function pushCommand(options) {
     const repoFullName = getCurrentRepoFullName();
     console.log(`Repository: ${pc3.cyan(repoFullName)}`);
     if (!options.yes) {
-      const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
-      if (!isInteractive3) {
+      const isInteractive4 = process.stdin.isTTY && process.stdout.isTTY;
+      if (!isInteractive4) {
         throw new Error("Confirmation required. Re-run with --yes in non-interactive environments.");
       }
       const { confirm } = await prompts3(
@@ -1110,6 +1081,12 @@ Your secrets are now encrypted and stored securely.`);
         hint = `Available environments: ${availableEnvs}
 Use ${pc3.cyan(`keyway push --env <environment>`)} to specify one, or create '${requestedEnv}' via the dashboard.`;
       }
+      if (error.statusCode === 403 && error.upgradeUrl) {
+        hint = `${pc3.yellow("\u26A1")} Upgrade to Pro: ${pc3.cyan(error.upgradeUrl)}`;
+      } else if (error.statusCode === 403 && message.toLowerCase().includes("read-only")) {
+        message = "This vault is read-only on your current plan.";
+        hint = `Upgrade to Pro to unlock editing: ${pc3.cyan("https://keyway.sh/settings")}`;
+      }
     } else if (error instanceof Error) {
       message = truncateMessage(error.message);
     } else {
@@ -1132,15 +1109,168 @@ ${hint}`));
 
 // src/cmds/init.ts
 var DASHBOARD_URL = "https://www.keyway.sh/dashboard/vaults";
+var POLL_INTERVAL_MS = 3e3;
+var POLL_TIMEOUT_MS = 12e4;
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isInteractive2() {
+  return Boolean(process.stdout.isTTY && process.stdin.isTTY && !process.env.CI);
+}
+async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
+  const [repoOwner, repoName] = repoFullName.split("/");
+  const envToken = process.env.KEYWAY_TOKEN;
+  if (envToken) {
+    const result = await ensureGitHubAppInstalledOnly(repoFullName, envToken);
+    if (result === null) {
+      throw new Error("KEYWAY_TOKEN is invalid or expired. Please update the token.");
+    }
+    return result;
+  }
+  const stored = await getStoredAuth();
+  if (stored?.keywayToken) {
+    const result = await ensureGitHubAppInstalledOnly(repoFullName, stored.keywayToken);
+    if (result !== null) {
+      return result;
+    }
+  }
+  const allowPrompt = options.allowPrompt !== false;
+  if (!allowPrompt || !isInteractive2()) {
+    throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
+  }
+  console.log("");
+  console.log(pc4.gray("  Keyway uses a GitHub App for secure access."));
+  console.log(pc4.gray("  Installing the app will also log you in."));
+  console.log("");
+  const { shouldProceed } = await prompts4({
+    type: "confirm",
+    name: "shouldProceed",
+    message: "Open browser to install Keyway & sign in?",
+    initial: true
+  });
+  if (!shouldProceed) {
+    throw new Error('Setup required. Run "keyway init" when ready.');
+  }
+  const deviceStart = await startDeviceLogin(repoFullName);
+  const installUrl = deviceStart.githubAppInstallUrl || "https://github.com/apps/keyway/installations/new";
+  console.log(pc4.gray("\n  Opening browser..."));
+  await open2(installUrl);
+  console.log("");
+  console.log(pc4.blue("\u23F3 Waiting for installation & authorization..."));
+  console.log(pc4.gray("   (Press Ctrl+C to cancel)\n"));
+  const pollIntervalMs = Math.max((deviceStart.interval ?? 5) * 1e3, POLL_INTERVAL_MS);
+  const startTime = Date.now();
+  let accessToken = null;
+  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
+    await sleep2(pollIntervalMs);
+    try {
+      if (!accessToken) {
+        const result = await pollDeviceLogin(deviceStart.deviceCode);
+        if (result.status === "approved" && result.keywayToken) {
+          accessToken = result.keywayToken;
+          await saveAuthToken(result.keywayToken, {
+            githubLogin: result.githubLogin,
+            expiresAt: result.expiresAt
+          });
+          console.log(pc4.green("\u2713 Signed in!"));
+          if (result.githubLogin) {
+            identifyUser(result.githubLogin, {
+              github_username: result.githubLogin,
+              login_method: "github_app"
+            });
+          }
+        }
+      }
+      if (accessToken) {
+        const installStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
+        if (installStatus.installed) {
+          console.log(pc4.green("\u2713 GitHub App installed!"));
+          console.log("");
+          return accessToken;
+        }
+      }
+      process.stdout.write(pc4.gray("."));
+    } catch {
+    }
+  }
+  console.log("");
+  console.log(pc4.yellow("\u26A0 Timed out waiting for setup."));
+  console.log(pc4.gray(`  Install the GitHub App: ${installUrl}`));
+  throw new Error("Setup timed out. Please try again.");
+}
+async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
+  const [repoOwner, repoName] = repoFullName.split("/");
+  let status;
+  try {
+    status = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
+  } catch (error) {
+    if (error instanceof APIError && error.statusCode === 401) {
+      console.log(pc4.yellow("\n\u26A0 Session expired or invalid. Clearing credentials..."));
+      const { clearAuth: clearAuth2 } = await import("./auth-QLPQ24HZ.js");
+      clearAuth2();
+      return null;
+    }
+    throw error;
+  }
+  if (status.installed) {
+    return accessToken;
+  }
+  console.log("");
+  console.log(pc4.yellow("\u26A0 GitHub App not installed for this repository"));
+  console.log("");
+  console.log(pc4.gray("  The Keyway GitHub App is required to securely manage secrets."));
+  console.log(pc4.gray("  It only requests minimal permissions (repository metadata)."));
+  console.log("");
+  if (!isInteractive2()) {
+    console.log(pc4.gray(`  Install the Keyway GitHub App: ${status.installUrl}`));
+    throw new Error("GitHub App installation required.");
+  }
+  const { shouldInstall } = await prompts4({
+    type: "confirm",
+    name: "shouldInstall",
+    message: "Open browser to install Keyway GitHub App?",
+    initial: true
+  });
+  if (!shouldInstall) {
+    console.log(pc4.gray(`
+  You can install later: ${status.installUrl}`));
+    throw new Error("GitHub App installation required.");
+  }
+  console.log(pc4.gray("\n  Opening browser..."));
+  await open2(status.installUrl);
+  console.log("");
+  console.log(pc4.blue("\u23F3 Waiting for GitHub App installation..."));
+  console.log(pc4.gray("   (Press Ctrl+C to cancel)\n"));
+  const startTime = Date.now();
+  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
+    await sleep2(POLL_INTERVAL_MS);
+    try {
+      const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
+      if (pollStatus.installed) {
+        console.log(pc4.green("\u2713 GitHub App installed!"));
+        console.log("");
+        return accessToken;
+      }
+      process.stdout.write(pc4.gray("."));
+    } catch {
+    }
+  }
+  console.log("");
+  console.log(pc4.yellow("\u26A0 Timed out waiting for installation."));
+  console.log(pc4.gray(`  You can install the GitHub App later: ${status.installUrl}`));
+  throw new Error("GitHub App installation timed out.");
+}
 async function initCommand(options = {}) {
   try {
     const repoFullName = getCurrentRepoFullName();
     const dashboardLink = `${DASHBOARD_URL}/${repoFullName}`;
     console.log(pc4.blue("\u{1F510} Initializing Keyway vault...\n"));
     console.log(`  ${pc4.gray("Repository:")} ${pc4.white(repoFullName)}`);
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName });
-    const response = await initVault(repoFullName, accessToken);
+    const accessToken = await ensureLoginAndGitHubApp(repoFullName, {
+      allowPrompt: options.loginPrompt !== false
+    });
+    trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName, githubAppInstalled: true });
+    await initVault(repoFullName, accessToken);
     console.log(pc4.green("\u2713 Vault created!"));
     try {
       const badgeAdded = await addBadgeToReadme(true);
@@ -1151,8 +1281,8 @@ async function initCommand(options = {}) {
     }
     console.log("");
     const envCandidates = discoverEnvCandidates(process.cwd());
-    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-    if (envCandidates.length > 0 && isInteractive2) {
+    const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
+    if (envCandidates.length > 0 && isInteractive3) {
       console.log(pc4.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
 `));
       const { shouldPush } = await prompts4({
@@ -1190,15 +1320,16 @@ async function initCommand(options = {}) {
         await shutdownAnalytics();
         return;
       }
-      if (error.error === "PLAN_LIMIT_REACHED") {
+      if (error.error === "Plan Limit Reached" || error.upgradeUrl) {
+        const upgradeUrl = error.upgradeUrl || "https://keyway.sh/pricing";
         console.log("");
         console.log(pc4.dim("\u2500".repeat(50)));
         console.log("");
-        console.log(`  ${pc4.yellow("\u26A1")} ${pc4.bold("Upgrade Required")}`);
+        console.log(`  ${pc4.yellow("\u26A1")} ${pc4.bold("Plan Limit Reached")}`);
         console.log("");
-        console.log(pc4.gray(`  ${error.message}`));
+        console.log(pc4.white(`  ${error.message}`));
         console.log("");
-        console.log(`  ${pc4.cyan("\u2192")} ${pc4.underline(error.upgradeUrl || "https://keyway.sh/upgrade")}`);
+        console.log(`  ${pc4.cyan("Upgrade now \u2192")} ${pc4.underline(upgradeUrl)}`);
         console.log("");
         console.log(pc4.dim("\u2500".repeat(50)));
         console.log("");
@@ -1240,11 +1371,11 @@ async function pullCommand(options) {
     const response = await pullSecrets(repoFullName, environment, accessToken);
     const envFilePath = path4.resolve(process.cwd(), envFile);
     if (fs4.existsSync(envFilePath)) {
-      const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
+      const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
       if (options.yes) {
         console.log(pc5.yellow(`
 \u26A0 Overwriting existing file: ${envFile}`));
-      } else if (!isInteractive2) {
+      } else if (!isInteractive3) {
         throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
       } else {
         const { confirm } = await prompts5(
@@ -1607,7 +1738,7 @@ Summary: ${formatSummary(results)}`);
 
 // src/cmds/connect.ts
 import pc7 from "picocolors";
-import open2 from "open";
+import open3 from "open";
 import prompts6 from "prompts";
 async function connectCommand(provider, options = {}) {
   try {
@@ -1646,7 +1777,7 @@ Connecting to ${providerInfo.displayName}...
     const startTime = /* @__PURE__ */ new Date();
     console.log(pc7.gray("Opening browser for authorization..."));
     console.log(pc7.gray(`If the browser doesn't open, visit: ${authUrl}`));
-    await open2(authUrl).catch(() => {
+    await open3(authUrl).catch(() => {
     });
     console.log(pc7.gray("Waiting for authorization..."));
     const maxAttempts = 60;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keywaysh/cli",
-  "version": "0.0.21",
+  "version": "0.1.1",
   "description": "One link to all your secrets",
   "type": "module",
   "bin": {