@keywaysh/cli 0.1.13 → 0.1.15

package/dist/cli.js

@@ -8,11 +8,11 @@ import {
 
 // src/cli.ts
 import { Command } from "commander";
-import pc11 from "picocolors";
+import pc13 from "picocolors";
 
 // src/cmds/init.ts
-import pc6 from "picocolors";
-import prompts5 from "prompts";
+import pc7 from "picocolors";
+import prompts6 from "prompts";
 
 // src/utils/git.ts
 import { execSync } from "child_process";
@@ -140,7 +140,7 @@ var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
 // package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.1.13",
+  version: "0.1.15",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -185,9 +185,11 @@ var package_default = {
     node: ">=18.0.0"
   },
   dependencies: {
+    "@octokit/rest": "^22.0.1",
     "balanced-match": "^3.0.1",
     commander: "^14.0.0",
     conf: "^15.0.2",
+    "libsodium-wrappers": "^0.7.15",
     open: "^11.0.0",
     picocolors: "^1.1.1",
     "posthog-node": "^3.5.0",
@@ -195,6 +197,7 @@ var package_default = {
   },
   devDependencies: {
     "@types/balanced-match": "^3.0.2",
+    "@types/libsodium-wrappers": "^0.7.14",
     "@types/node": "^24.2.0",
     "@types/prompts": "^2.4.9",
     "@vitest/coverage-v8": "^3.0.0",
@@ -453,8 +456,8 @@ function getProviderAuthUrl(provider, accessToken, redirectUri) {
   if (redirectUri) params.set("redirect_uri", redirectUri);
   return `${API_BASE_URL}/v1/integrations/${provider}/authorize?${params}`;
 }
-async function getConnectionProjects(accessToken, connectionId) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}/projects`, {
+async function getAllProviderProjects(accessToken, provider) {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/providers/${provider}/all-projects`, {
     method: "GET",
     headers: {
       "User-Agent": USER_AGENT,
@@ -900,10 +903,10 @@ async function addBadgeToReadme(silent = false) {
 }
 
 // src/cmds/push.ts
-import pc5 from "picocolors";
-import fs4 from "fs";
-import path4 from "path";
-import prompts4 from "prompts";
+import pc6 from "picocolors";
+import fs5 from "fs";
+import path5 from "path";
+import prompts5 from "prompts";
 
 // src/cmds/login.ts
 import pc4 from "picocolors";
@@ -1112,9 +1115,34 @@ async function logoutCommand() {
   console.log(pc4.gray(`Auth cache cleared: ${getAuthFilePath()}`));
 }
 
+// src/utils/env.ts
+import fs4 from "fs";
+import path4 from "path";
+import pc5 from "picocolors";
+import prompts4 from "prompts";
+async function promptCreateEnvFile() {
+  const { createEnv } = await prompts4({
+    type: "confirm",
+    name: "createEnv",
+    message: "No .env file found. Create one?",
+    initial: true
+  }, {
+    onCancel: () => {
+      throw new Error("Cancelled by user.");
+    }
+  });
+  if (!createEnv) {
+    return false;
+  }
+  const envFilePath = path4.join(process.cwd(), ".env");
+  fs4.writeFileSync(envFilePath, "# Add your environment variables here\n# Example: API_KEY=your-api-key\n");
+  console.log(pc5.green("\u2713 Created .env file"));
+  return true;
+}
+
 // src/cmds/push.ts
 function deriveEnvFromFile(file) {
-  const base = path4.basename(file);
+  const base = path5.basename(file);
   const match = base.match(/\.env(?:\.(.+))?$/);
   if (match) {
     return match[1] || "development";
@@ -1123,15 +1151,15 @@ function deriveEnvFromFile(file) {
 }
 function discoverEnvCandidates(cwd) {
   try {
-    const entries = fs4.readdirSync(cwd);
+    const entries = fs5.readdirSync(cwd);
     const hasEnvLocal = entries.includes(".env.local");
     if (hasEnvLocal) {
-      console.log(pc5.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
+      console.log(pc6.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
     }
     const candidates = entries.filter((name) => name.startsWith(".env") && name !== ".env.local").map((name) => {
-      const fullPath = path4.join(cwd, name);
+      const fullPath = path5.join(cwd, name);
       try {
-        const stat = fs4.statSync(fullPath);
+        const stat = fs5.statSync(fullPath);
         if (!stat.isFile()) return null;
         return { file: name, env: deriveEnvFromFile(name) };
       } catch {
@@ -1152,13 +1180,21 @@ function discoverEnvCandidates(cwd) {
 }
 async function pushCommand(options) {
   try {
-    console.log(pc5.blue("\u{1F510} Pushing secrets to Keyway...\n"));
+    console.log(pc6.blue("\u{1F510} Pushing secrets to Keyway...\n"));
     const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
     let environment = options.env;
     let envFile = options.file;
     const candidates = discoverEnvCandidates(process.cwd());
     if (candidates.length === 0 && !envFile) {
-      throw new Error("No .env file found. Create a .env file first, or use --file <path> to specify one.");
+      if (!isInteractive2) {
+        throw new Error("No .env file found. Create a .env file first, or use --file <path> to specify one.");
+      }
+      const created = await promptCreateEnvFile();
+      if (!created) {
+        throw new Error("No .env file found.");
+      }
+      console.log(pc6.gray("  Add your variables and run keyway push again\n"));
+      return;
     }
     if (environment && !envFile) {
       const match = candidates.find((c) => c.env === environment);
@@ -1167,7 +1203,7 @@ async function pushCommand(options) {
       }
     }
     if (!environment && !envFile && isInteractive2 && candidates.length > 0) {
-      const { choice } = await prompts4(
+      const { choice } = await prompts5(
         {
           type: "select",
           name: "choice",
@@ -1190,15 +1226,15 @@ async function pushCommand(options) {
         envFile = choice.file;
         environment = choice.env;
       } else if (choice === "custom") {
-        const { fileInput } = await prompts4(
+        const { fileInput } = await prompts5(
           {
             type: "text",
             name: "fileInput",
             message: "Path to env file:",
             validate: (value) => {
               if (!value) return "Path is required";
-              const resolved = path4.resolve(process.cwd(), value);
-              if (!fs4.existsSync(resolved)) return `File not found: ${value}`;
+              const resolved = path5.resolve(process.cwd(), value);
+              if (!fs5.existsSync(resolved)) return `File not found: ${value}`;
               return true;
             }
           },
@@ -1218,11 +1254,11 @@ async function pushCommand(options) {
     if (!envFile) {
       envFile = ".env";
     }
-    const envFilePath = path4.resolve(process.cwd(), envFile);
-    if (!fs4.existsSync(envFilePath)) {
+    const envFilePath = path5.resolve(process.cwd(), envFile);
+    if (!fs5.existsSync(envFilePath)) {
       throw new Error(`File not found: ${envFile}`);
     }
-    const content = fs4.readFileSync(envFilePath, "utf-8");
+    const content = fs5.readFileSync(envFilePath, "utf-8");
     if (content.trim().length === 0) {
       throw new Error(`File is empty: ${envFile}`);
     }
@@ -1230,17 +1266,17 @@ async function pushCommand(options) {
       const trimmed = line.trim();
       return trimmed.length > 0 && !trimmed.startsWith("#");
     });
-    console.log(`File: ${pc5.cyan(envFile)}`);
-    console.log(`Environment: ${pc5.cyan(environment)}`);
-    console.log(`Variables: ${pc5.cyan(lines.length.toString())}`);
+    console.log(`File: ${pc6.cyan(envFile)}`);
+    console.log(`Environment: ${pc6.cyan(environment)}`);
+    console.log(`Variables: ${pc6.cyan(lines.length.toString())}`);
     const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${pc5.cyan(repoFullName)}`);
+    console.log(`Repository: ${pc6.cyan(repoFullName)}`);
     if (!options.yes) {
       const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
       if (!isInteractive3) {
         throw new Error("Confirmation required. Re-run with --yes in non-interactive environments.");
       }
-      const { confirm } = await prompts4(
+      const { confirm } = await prompts5(
         {
           type: "confirm",
           name: "confirm",
@@ -1254,7 +1290,7 @@ async function pushCommand(options) {
         }
       );
       if (!confirm) {
-        console.log(pc5.yellow("Push aborted."));
+        console.log(pc6.yellow("Push aborted."));
         return;
       }
     }
@@ -1266,13 +1302,13 @@ async function pushCommand(options) {
     });
     console.log("\nUploading secrets...");
     const response = await pushSecrets(repoFullName, environment, content, accessToken);
-    console.log(pc5.green("\n\u2713 " + response.message));
+    console.log(pc6.green("\n\u2713 " + response.message));
     if (response.stats) {
       const { created, updated, deleted } = response.stats;
       const parts = [];
-      if (created > 0) parts.push(pc5.green(`+${created} created`));
-      if (updated > 0) parts.push(pc5.yellow(`~${updated} updated`));
-      if (deleted > 0) parts.push(pc5.red(`-${deleted} deleted`));
+      if (created > 0) parts.push(pc6.green(`+${created} created`));
+      if (updated > 0) parts.push(pc6.yellow(`~${updated} updated`));
+      if (deleted > 0) parts.push(pc6.red(`-${deleted} deleted`));
       if (parts.length > 0) {
         console.log(`Stats: ${parts.join(", ")}`);
       }
@@ -1281,7 +1317,7 @@ async function pushCommand(options) {
 Your secrets are now encrypted and stored securely.`);
     const dashboardLink = `https://www.keyway.sh/dashboard/vaults/${repoFullName}`;
     console.log(`
-${pc5.blue("\u2394")} Dashboard: ${pc5.underline(dashboardLink)}`);
+${pc6.blue("\u2394")} Dashboard: ${pc6.underline(dashboardLink)}`);
     await shutdownAnalytics();
   } catch (error) {
     let message;
@@ -1294,7 +1330,7 @@ ${pc5.blue("\u2394")} Dashboard: ${pc5.underline(dashboardLink)}`);
         const availableEnvs = envNotFoundMatch[2];
         message = `Environment '${requestedEnv}' does not exist in this vault.`;
         hint = `Available environments: ${availableEnvs}
-Use ${pc5.cyan(`keyway push --env <environment>`)} to specify one, or create '${requestedEnv}' via the dashboard.`;
+Use ${pc6.cyan(`keyway push --env <environment>`)} to specify one, or create '${requestedEnv}' via the dashboard.`;
       }
       if (error.statusCode === 403 && (error.upgradeUrl || message.toLowerCase().includes("read-only"))) {
         const upgradeMessage = message.toLowerCase().includes("read-only") ? "This vault is read-only on your current plan." : message;
@@ -1317,10 +1353,10 @@ Use ${pc5.cyan(`keyway push --env <environment>`)} to specify one, or create '${
       error: message
     });
     await shutdownAnalytics();
-    console.error(pc5.red(`
+    console.error(pc6.red(`
 \u2717 ${message}`));
     if (hint) {
-      console.error(pc5.gray(`
+      console.error(pc6.gray(`
 ${hint}`));
     }
     process.exit(1);
@@ -1355,7 +1391,7 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
   const deviceStart = await startDeviceLogin(repoFullName);
   const installUrl = deviceStart.githubAppInstallUrl || "https://github.com/apps/keyway/installations/new";
   console.log("");
-  const { shouldProceed } = await prompts5({
+  const { shouldProceed } = await prompts6({
     type: "confirm",
     name: "shouldProceed",
     message: "Open browser to sign in?",
@@ -1365,8 +1401,8 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
     throw new Error('Setup required. Run "keyway init" when ready.');
   }
   await openUrl(deviceStart.verificationUriComplete);
-  console.log(pc6.blue("\u23F3 Waiting for authorization..."));
-  console.log(pc6.gray("   (Press Ctrl+C to cancel)\n"));
+  console.log(pc7.blue("\u23F3 Waiting for authorization..."));
+  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
   const pollIntervalMs = Math.max((deviceStart.interval ?? 5) * 1e3, POLL_INTERVAL_MS);
   const startTime = Date.now();
   let accessToken = null;
@@ -1381,7 +1417,7 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
           githubLogin: result.githubLogin,
           expiresAt: result.expiresAt
         });
-        console.log(pc6.green("\u2713 Signed in!"));
+        console.log(pc7.green("\u2713 Signed in!"));
         if (result.githubLogin) {
           identifyUser(result.githubLogin, {
             github_username: result.githubLogin,
@@ -1391,7 +1427,7 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
         break;
       }
       consecutiveErrors = 0;
-      process.stdout.write(pc6.gray("."));
+      process.stdout.write(pc7.gray("."));
     } catch (error) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
@@ -1402,35 +1438,35 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
   }
   if (!accessToken) {
     console.log("");
-    console.log(pc6.yellow("\u26A0 Timed out waiting for sign in."));
+    console.log(pc7.yellow("\u26A0 Timed out waiting for sign in."));
     throw new Error("Sign in timed out. Please try again.");
   }
   const installStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
   if (installStatus.installed) {
-    console.log(pc6.green("\u2713 GitHub App installed"));
+    console.log(pc7.green("\u2713 GitHub App installed"));
     console.log("");
     return accessToken;
   }
   console.log("");
-  console.log(pc6.yellow("\u26A0 GitHub App not installed on this repository"));
-  console.log(pc6.gray("  The Keyway GitHub App is required for secure access."));
+  console.log(pc7.yellow("\u26A0 GitHub App not installed on this repository"));
+  console.log(pc7.gray("  The Keyway GitHub App is required for secure access."));
   console.log("");
-  const { shouldInstall } = await prompts5({
+  const { shouldInstall } = await prompts6({
     type: "confirm",
     name: "shouldInstall",
     message: "Open browser to install GitHub App?",
     initial: true
   });
   if (!shouldInstall) {
-    console.log(pc6.gray(`
+    console.log(pc7.gray(`
   Install later: ${installUrl}`));
     throw new Error("GitHub App installation required.");
   }
   await openUrl(installUrl);
-  console.log(pc6.blue("\u23F3 Waiting for GitHub App installation..."));
-  console.log(pc6.gray('   Add this repository and click "Install"'));
-  console.log(pc6.gray("   Then return here - the CLI will detect it automatically"));
-  console.log(pc6.gray("   (Press Ctrl+C to cancel)\n"));
+  console.log(pc7.blue("\u23F3 Waiting for GitHub App installation..."));
+  console.log(pc7.gray('   Add this repository and click "Install"'));
+  console.log(pc7.gray("   Then return here - the CLI will detect it automatically"));
+  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
   const installStartTime = Date.now();
   consecutiveErrors = 0;
   while (Date.now() - installStartTime < POLL_TIMEOUT_MS) {
@@ -1438,12 +1474,12 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
     try {
       const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
       if (pollStatus.installed) {
-        console.log(pc6.green("\u2713 GitHub App installed!"));
+        console.log(pc7.green("\u2713 GitHub App installed!"));
         console.log("");
         return accessToken;
       }
       consecutiveErrors = 0;
-      process.stdout.write(pc6.gray("."));
+      process.stdout.write(pc7.gray("."));
     } catch (error) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
@@ -1453,8 +1489,8 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
     }
   }
   console.log("");
-  console.log(pc6.yellow("\u26A0 Timed out waiting for installation."));
-  console.log(pc6.gray(`  Install the GitHub App: ${installUrl}`));
+  console.log(pc7.yellow("\u26A0 Timed out waiting for installation."));
+  console.log(pc7.gray(`  Install the GitHub App: ${installUrl}`));
   throw new Error("GitHub App installation timed out.");
 }
 async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
@@ -1464,7 +1500,7 @@ async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
     status = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
   } catch (error) {
     if (error instanceof APIError && error.statusCode === 401) {
-      console.log(pc6.yellow("\n\u26A0 Session expired or invalid. Clearing credentials..."));
+      console.log(pc7.yellow("\n\u26A0 Session expired or invalid. Clearing credentials..."));
       const { clearAuth: clearAuth2 } = await import("./auth-QLPQ24HZ.js");
       clearAuth2();
       return null;
@@ -1475,29 +1511,29 @@ async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
     return accessToken;
   }
   console.log("");
-  console.log(pc6.yellow("\u26A0 GitHub App not installed for this repository"));
+  console.log(pc7.yellow("\u26A0 GitHub App not installed for this repository"));
   console.log("");
-  console.log(pc6.gray("  The Keyway GitHub App is required to securely manage secrets."));
-  console.log(pc6.gray("  It only requests minimal permissions (repository metadata)."));
+  console.log(pc7.gray("  The Keyway GitHub App is required to securely manage secrets."));
+  console.log(pc7.gray("  It only requests minimal permissions (repository metadata)."));
   console.log("");
   if (!isInteractive()) {
-    console.log(pc6.gray(`  Install the Keyway GitHub App: ${status.installUrl}`));
+    console.log(pc7.gray(`  Install the Keyway GitHub App: ${status.installUrl}`));
     throw new Error("GitHub App installation required.");
   }
-  const { shouldInstall } = await prompts5({
+  const { shouldInstall } = await prompts6({
     type: "confirm",
     name: "shouldInstall",
     message: "Open browser to install Keyway GitHub App?",
     initial: true
   });
   if (!shouldInstall) {
-    console.log(pc6.gray(`
+    console.log(pc7.gray(`
   You can install later: ${status.installUrl}`));
     throw new Error("GitHub App installation required.");
   }
   await openUrl(status.installUrl);
-  console.log(pc6.blue("\u23F3 Waiting for GitHub App installation..."));
-  console.log(pc6.gray("   (Press Ctrl+C to cancel)\n"));
+  console.log(pc7.blue("\u23F3 Waiting for GitHub App installation..."));
+  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
   const startTime = Date.now();
   let consecutiveErrors = 0;
   while (Date.now() - startTime < POLL_TIMEOUT_MS) {
@@ -1505,12 +1541,12 @@ async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
     try {
       const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
       if (pollStatus.installed) {
-        console.log(pc6.green("\u2713 GitHub App installed!"));
+        console.log(pc7.green("\u2713 GitHub App installed!"));
         console.log("");
         return accessToken;
       }
       consecutiveErrors = 0;
-      process.stdout.write(pc6.gray("."));
+      process.stdout.write(pc7.gray("."));
     } catch (error) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
@@ -1520,35 +1556,35 @@ async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
     }
   }
   console.log("");
-  console.log(pc6.yellow("\u26A0 Timed out waiting for installation."));
-  console.log(pc6.gray(`  You can install the GitHub App later: ${status.installUrl}`));
+  console.log(pc7.yellow("\u26A0 Timed out waiting for installation."));
+  console.log(pc7.gray(`  You can install the GitHub App later: ${status.installUrl}`));
   throw new Error("GitHub App installation timed out.");
 }
 async function initCommand(options = {}) {
   try {
     const repoFullName = getCurrentRepoFullName();
     const dashboardLink = `${DASHBOARD_URL}/${repoFullName}`;
-    console.log(pc6.blue("\u{1F510} Initializing Keyway vault...\n"));
-    console.log(`  ${pc6.gray("Repository:")} ${pc6.white(repoFullName)}`);
+    console.log(pc7.blue("\u{1F510} Initializing Keyway vault...\n"));
+    console.log(`  ${pc7.gray("Repository:")} ${pc7.white(repoFullName)}`);
     const accessToken = await ensureLoginAndGitHubApp(repoFullName, {
       allowPrompt: options.loginPrompt !== false
     });
     trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName, githubAppInstalled: true });
     const vaultExists = await checkVaultExists(accessToken, repoFullName);
     if (vaultExists) {
-      console.log(pc6.green("\n\u2713 Already initialized!\n"));
-      console.log(`  ${pc6.yellow("\u2192")} Run ${pc6.cyan("keyway push")} to sync your secrets`);
-      console.log(`  ${pc6.blue("\u2394")} Dashboard: ${pc6.underline(dashboardLink)}`);
+      console.log(pc7.green("\n\u2713 Already initialized!\n"));
+      console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets`);
+      console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(dashboardLink)}`);
       console.log("");
       await shutdownAnalytics();
       return;
     }
     await initVault(repoFullName, accessToken);
-    console.log(pc6.green("\u2713 Vault created!"));
+    console.log(pc7.green("\u2713 Vault created!"));
     try {
       const badgeAdded = await addBadgeToReadme(true);
       if (badgeAdded) {
-        console.log(pc6.green("\u2713 Badge added to README.md"));
+        console.log(pc7.green("\u2713 Badge added to README.md"));
       }
     } catch {
     }
@@ -1556,9 +1592,9 @@ async function initCommand(options = {}) {
     const envCandidates = discoverEnvCandidates(process.cwd());
     const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
     if (envCandidates.length > 0 && isInteractive2) {
-      console.log(pc6.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
+      console.log(pc7.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
 `));
-      const { shouldPush } = await prompts5({
+      const { shouldPush } = await prompts6({
         type: "confirm",
         name: "shouldPush",
         message: "Push secrets now?",
@@ -1570,25 +1606,36 @@ async function initCommand(options = {}) {
         return;
       }
     }
-    console.log(pc6.dim("\u2500".repeat(50)));
+    console.log(pc7.dim("\u2500".repeat(50)));
     console.log("");
     if (envCandidates.length === 0) {
-      console.log(`${pc6.yellow("\u26A0")} No .env file found - your vault is empty`);
-      console.log(`  Next: Create ${pc6.cyan(".env")} and run ${pc6.cyan("keyway push")}
+      if (isInteractive2) {
+        const created = await promptCreateEnvFile();
+        if (created) {
+          console.log(`  Add your variables and run ${pc7.cyan("keyway push")}
+`);
+        } else {
+          console.log(`  Next: Create ${pc7.cyan(".env")} and run ${pc7.cyan("keyway push")}
+`);
+        }
+      } else {
+        console.log(`${pc7.yellow("\u26A0")} No .env file found - your vault is empty`);
+        console.log(`  Next: Create ${pc7.cyan(".env")} and run ${pc7.cyan("keyway push")}
 `);
+      }
     } else {
-      console.log(`  ${pc6.yellow("\u2192")} Run ${pc6.cyan("keyway push")} to sync your secrets
+      console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets
 `);
     }
-    console.log(`  ${pc6.blue("\u2394")} Dashboard: ${pc6.underline(dashboardLink)}`);
+    console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(dashboardLink)}`);
     console.log("");
     await shutdownAnalytics();
   } catch (error) {
     if (error instanceof APIError) {
       if (error.statusCode === 409) {
-        console.log(pc6.green("\n\u2713 Already initialized!\n"));
-        console.log(`  ${pc6.yellow("\u2192")} Run ${pc6.cyan("keyway push")} to sync your secrets`);
-        console.log(`  ${pc6.blue("\u2394")} Dashboard: ${pc6.underline(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
+        console.log(pc7.green("\n\u2713 Already initialized!\n"));
+        console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets`);
+        console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
         console.log("");
         await shutdownAnalytics();
         return;
@@ -1606,25 +1653,25 @@ async function initCommand(options = {}) {
       error: message
     });
     await shutdownAnalytics();
-    console.error(pc6.red(`
+    console.error(pc7.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 
 // src/cmds/pull.ts
-import pc7 from "picocolors";
-import fs5 from "fs";
-import path5 from "path";
-import prompts6 from "prompts";
+import pc8 from "picocolors";
+import fs6 from "fs";
+import path6 from "path";
+import prompts7 from "prompts";
 async function pullCommand(options) {
   try {
     const environment = options.env || "development";
     const envFile = options.file || ".env";
-    console.log(pc7.blue("\u{1F510} Pulling secrets from Keyway...\n"));
-    console.log(`Environment: ${pc7.cyan(environment)}`);
+    console.log(pc8.blue("\u{1F510} Pulling secrets from Keyway...\n"));
+    console.log(`Environment: ${pc8.cyan(environment)}`);
     const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${pc7.cyan(repoFullName)}`);
+    console.log(`Repository: ${pc8.cyan(repoFullName)}`);
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     trackEvent(AnalyticsEvents.CLI_PULL, {
       repoFullName,
@@ -1632,16 +1679,16 @@ async function pullCommand(options) {
     });
     console.log("\nDownloading secrets...");
     const response = await pullSecrets(repoFullName, environment, accessToken);
-    const envFilePath = path5.resolve(process.cwd(), envFile);
-    if (fs5.existsSync(envFilePath)) {
+    const envFilePath = path6.resolve(process.cwd(), envFile);
+    if (fs6.existsSync(envFilePath)) {
       const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
       if (options.yes) {
-        console.log(pc7.yellow(`
+        console.log(pc8.yellow(`
 \u26A0 Overwriting existing file: ${envFile}`));
       } else if (!isInteractive2) {
         throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
       } else {
-        const { confirm } = await prompts6(
+        const { confirm } = await prompts7(
           {
             type: "confirm",
             name: "confirm",
@@ -1655,21 +1702,21 @@ async function pullCommand(options) {
           }
         );
         if (!confirm) {
-          console.log(pc7.yellow("Pull aborted."));
+          console.log(pc8.yellow("Pull aborted."));
           return;
         }
       }
     }
-    fs5.writeFileSync(envFilePath, response.content, "utf-8");
+    fs6.writeFileSync(envFilePath, response.content, "utf-8");
     const lines = response.content.split("\n").filter((line) => {
       const trimmed = line.trim();
       return trimmed.length > 0 && !trimmed.startsWith("#");
     });
-    console.log(pc7.green(`
+    console.log(pc8.green(`
 \u2713 Secrets downloaded successfully`));
     console.log(`
-File: ${pc7.cyan(envFile)}`);
-    console.log(`Variables: ${pc7.cyan(lines.length.toString())}`);
+File: ${pc8.cyan(envFile)}`);
+    console.log(`Variables: ${pc8.cyan(lines.length.toString())}`);
     await shutdownAnalytics();
   } catch (error) {
     const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
@@ -1678,14 +1725,14 @@ File: ${pc7.cyan(envFile)}`);
       error: message
     });
     await shutdownAnalytics();
-    console.error(pc7.red(`
+    console.error(pc8.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 
 // src/cmds/doctor.ts
-import pc8 from "picocolors";
+import pc9 from "picocolors";
 
 // src/core/doctor.ts
 import { execSync as execSync2 } from "child_process";
@@ -1939,9 +1986,9 @@ async function runAllChecks(options = {}) {
 // src/cmds/doctor.ts
 function formatSummary(results) {
   const parts = [
-    pc8.green(`${results.summary.pass} passed`),
-    results.summary.warn > 0 ? pc8.yellow(`${results.summary.warn} warnings`) : null,
-    results.summary.fail > 0 ? pc8.red(`${results.summary.fail} failed`) : null
+    pc9.green(`${results.summary.pass} passed`),
+    results.summary.warn > 0 ? pc9.yellow(`${results.summary.warn} warnings`) : null,
+    results.summary.fail > 0 ? pc9.red(`${results.summary.fail} failed`) : null
   ].filter(Boolean);
   return parts.join(", ");
 }
@@ -1958,20 +2005,20 @@ async function doctorCommand(options = {}) {
       process.stdout.write(JSON.stringify(results, null, 0) + "\n");
       process.exit(results.exitCode);
     }
-    console.log(pc8.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
+    console.log(pc9.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
     results.checks.forEach((check) => {
-      const icon = check.status === "pass" ? pc8.green("\u2713") : check.status === "warn" ? pc8.yellow("!") : pc8.red("\u2717");
-      const detail = check.detail ? pc8.dim(` \u2014 ${check.detail}`) : "";
+      const icon = check.status === "pass" ? pc9.green("\u2713") : check.status === "warn" ? pc9.yellow("!") : pc9.red("\u2717");
+      const detail = check.detail ? pc9.dim(` \u2014 ${check.detail}`) : "";
       console.log(`  ${icon} ${check.name}${detail}`);
     });
     console.log(`
 Summary: ${formatSummary(results)}`);
     if (results.summary.fail > 0) {
-      console.log(pc8.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
+      console.log(pc9.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
     } else if (results.summary.warn > 0) {
-      console.log(pc8.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
+      console.log(pc9.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
     } else {
-      console.log(pc8.green("\u2728 All checks passed! Your environment is ready for Keyway."));
+      console.log(pc9.green("\u2728 All checks passed! Your environment is ready for Keyway."));
     }
     process.exit(results.exitCode);
   } catch (error) {
@@ -1992,16 +2039,146 @@ Summary: ${formatSummary(results)}`);
       };
       process.stdout.write(JSON.stringify(errorResult, null, 0) + "\n");
     } else {
-      console.error(pc8.red(`
+      console.error(pc9.red(`
 \u2717 ${message}`));
     }
     process.exit(1);
   }
 }
 
+// src/cmds/ci.ts
+import { execSync as execSync3 } from "child_process";
+import { Octokit } from "@octokit/rest";
+import pc10 from "picocolors";
+import prompts8 from "prompts";
+function isGhAvailable() {
+  try {
+    execSync3("gh auth status", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function addSecretWithGh(repo, secretName, secretValue) {
+  execSync3(`gh secret set ${secretName} --repo ${repo}`, {
+    input: secretValue,
+    stdio: ["pipe", "ignore", "ignore"]
+  });
+}
+async function ciSetupCommand(options) {
+  const repo = options.repo || detectGitRepo();
+  if (!repo) {
+    console.error(pc10.red("Not in a git repository. Use --repo owner/repo"));
+    process.exit(1);
+  }
+  console.log(pc10.bold(`
+\u{1F510} Setting up GitHub Actions for ${repo}
+`));
+  console.log(pc10.dim("Step 1: Keyway Authentication"));
+  let keywayToken;
+  try {
+    keywayToken = await ensureLogin({ allowPrompt: true });
+    console.log(pc10.green("  \u2713 Authenticated with Keyway\n"));
+  } catch {
+    console.error(pc10.red("  \u2717 Failed to authenticate with Keyway"));
+    console.error(pc10.dim("  Run `keyway login` first"));
+    process.exit(1);
+  }
+  const useGh = isGhAvailable();
+  if (useGh) {
+    console.log(pc10.dim("Step 2: Adding secret via GitHub CLI"));
+    try {
+      addSecretWithGh(repo, "KEYWAY_TOKEN", keywayToken);
+      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
+`));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
+      console.error(pc10.dim("  Try running: gh auth login"));
+      process.exit(1);
+    }
+  } else {
+    console.log(pc10.dim("Step 2: Temporary GitHub PAT"));
+    console.log("  gh CLI not found. We need a one-time GitHub PAT.");
+    console.log(pc10.dim("  You can delete it immediately after setup.\n"));
+    const patUrl = "https://github.com/settings/tokens/new?scopes=repo&description=Keyway%20CI%20Setup%20(temporary)";
+    await openUrl(patUrl);
+    const { githubToken } = await prompts8({
+      type: "password",
+      name: "githubToken",
+      message: "Paste your GitHub PAT:"
+    });
+    if (!githubToken) {
+      console.error(pc10.red("\n  \u2717 GitHub PAT is required"));
+      process.exit(1);
+    }
+    const octokit = new Octokit({ auth: githubToken });
+    try {
+      await octokit.users.getAuthenticated();
+      console.log(pc10.green("  \u2713 GitHub PAT validated\n"));
+    } catch {
+      console.error(pc10.red("  \u2717 Invalid GitHub PAT"));
+      process.exit(1);
+    }
+    console.log(pc10.dim("Step 3: Adding secret to repository"));
+    const [owner, repoName] = repo.split("/");
+    try {
+      await addRepoSecret(octokit, owner, repoName, "KEYWAY_TOKEN", keywayToken);
+      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
+`));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (message.includes("Not Found")) {
+        console.error(pc10.red(`  \u2717 Repository not found or no access: ${repo}`));
+        console.error(pc10.dim("  Make sure the PAT has access to this repository"));
+      } else {
+        console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
+      }
+      process.exit(1);
+    }
+  }
+  console.log(pc10.green(pc10.bold("\u2713 Setup complete!\n")));
+  console.log("Add this to your workflow (.github/workflows/*.yml):\n");
+  console.log(
+    pc10.cyan(`    - uses: keywaysh/keyway-action@v1
+      with:
+        token: \${{ secrets.KEYWAY_TOKEN }}
+        environment: production`)
+  );
+  console.log();
+  if (!useGh) {
+    console.log(`\u{1F5D1}\uFE0F  Delete the temporary PAT: ${pc10.underline("https://github.com/settings/tokens")}`);
+  }
+  console.log(pc10.dim(`\u{1F4D6} Docs: ${pc10.underline("https://docs.keyway.sh/ci")}
+`));
+}
+async function addRepoSecret(octokit, owner, repo, secretName, secretValue) {
+  const { data: publicKey } = await octokit.rest.actions.getRepoPublicKey({
+    owner,
+    repo
+  });
+  const encryptedValue = await encryptSecret(publicKey.key, secretValue);
+  await octokit.rest.actions.createOrUpdateRepoSecret({
+    owner,
+    repo,
+    secret_name: secretName,
+    encrypted_value: encryptedValue,
+    key_id: publicKey.key_id
+  });
+}
+async function encryptSecret(publicKey, secret) {
+  const sodiumModule = await import("libsodium-wrappers");
+  const sodium = sodiumModule.default || sodiumModule;
+  await sodium.ready;
+  const binkey = sodium.from_base64(publicKey, sodium.base64_variants.ORIGINAL);
+  const binsec = sodium.from_string(secret);
+  const encBytes = sodium.crypto_box_seal(binsec, binkey);
+  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+}
+
 // src/cmds/connect.ts
-import pc9 from "picocolors";
-import prompts7 from "prompts";
+import pc11 from "picocolors";
+import prompts9 from "prompts";
 var TOKEN_AUTH_PROVIDERS = ["railway"];
 function getTokenCreationUrl(provider) {
   switch (provider) {
@@ -2014,37 +2191,37 @@ function getTokenCreationUrl(provider) {
 async function connectWithTokenFlow(accessToken, provider, displayName) {
   const tokenUrl = getTokenCreationUrl(provider);
   if (provider === "railway") {
-    console.log(pc9.yellow("\nTip: Select the workspace containing your projects."));
-    console.log(pc9.yellow(`     Do NOT use "No workspace" - it won't have access to your projects.`));
+    console.log(pc11.yellow("\nTip: Select the workspace containing your projects."));
+    console.log(pc11.yellow(`     Do NOT use "No workspace" - it won't have access to your projects.`));
   }
   await openUrl(tokenUrl);
-  const { token } = await prompts7({
+  const { token } = await prompts9({
     type: "password",
     name: "token",
     message: `${displayName} API Token:`
   });
   if (!token) {
-    console.log(pc9.gray("Cancelled."));
+    console.log(pc11.gray("Cancelled."));
     return false;
   }
-  console.log(pc9.gray("\nValidating token..."));
+  console.log(pc11.gray("\nValidating token..."));
   try {
     const result = await connectWithToken(accessToken, provider, token);
     if (result.success) {
-      console.log(pc9.green(`
+      console.log(pc11.green(`
 \u2713 Connected to ${displayName}!`));
-      console.log(pc9.gray(`  Account: ${result.user.username}`));
+      console.log(pc11.gray(`  Account: ${result.user.username}`));
       if (result.user.teamName) {
-        console.log(pc9.gray(`  Team: ${result.user.teamName}`));
+        console.log(pc11.gray(`  Team: ${result.user.teamName}`));
       }
       return true;
     } else {
-      console.log(pc9.red("\n\u2717 Connection failed."));
+      console.log(pc11.red("\n\u2717 Connection failed."));
       return false;
     }
   } catch (error) {
     const message = error instanceof Error ? error.message : "Token validation failed";
-    console.log(pc9.red(`
+    console.log(pc11.red(`
 \u2717 ${message}`));
     return false;
   }
@@ -2053,7 +2230,7 @@ async function connectWithOAuthFlow(accessToken, provider, displayName) {
   const authUrl = getProviderAuthUrl(provider, accessToken);
   const startTime = /* @__PURE__ */ new Date();
   await openUrl(authUrl);
-  console.log(pc9.gray("Waiting for authorization..."));
+  console.log(pc11.gray("Waiting for authorization..."));
   const maxAttempts = 60;
   let attempts = 0;
   while (attempts < maxAttempts) {
@@ -2065,15 +2242,15 @@ async function connectWithOAuthFlow(accessToken, provider, displayName) {
         (c) => c.provider === provider && new Date(c.createdAt) > startTime
       );
       if (newConn) {
-        console.log(pc9.green(`
+        console.log(pc11.green(`
 \u2713 Connected to ${displayName}!`));
         return true;
       }
     } catch {
     }
   }
-  console.log(pc9.red("\n\u2717 Authorization timeout."));
-  console.log(pc9.gray("Run `keyway connections` to check if the connection was established."));
+  console.log(pc11.red("\n\u2717 Authorization timeout."));
+  console.log(pc11.gray("Run `keyway connections` to check if the connection was established."));
   return false;
 }
 async function connectCommand(provider, options = {}) {
@@ -2083,30 +2260,40 @@ async function connectCommand(provider, options = {}) {
     const providerInfo = providers.find((p) => p.name === provider.toLowerCase());
     if (!providerInfo) {
       const available = providers.map((p) => p.name).join(", ");
-      console.error(pc9.red(`Unknown provider: ${provider}`));
-      console.log(pc9.gray(`Available providers: ${available || "none"}`));
+      console.error(pc11.red(`Unknown provider: ${provider}`));
+      console.log(pc11.gray(`Available providers: ${available || "none"}`));
       process.exit(1);
     }
     if (!providerInfo.configured) {
-      console.error(pc9.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
-      console.log(pc9.gray("Contact your administrator to enable this integration."));
+      console.error(pc11.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
+      console.log(pc11.gray("Contact your administrator to enable this integration."));
       process.exit(1);
     }
     const { connections } = await getConnections(accessToken);
-    const existingConnection = connections.find((c) => c.provider === provider.toLowerCase());
-    if (existingConnection) {
-      const { reconnect } = await prompts7({
-        type: "confirm",
-        name: "reconnect",
-        message: `You're already connected to ${providerInfo.displayName}. Reconnect?`,
-        initial: false
+    const existingConnections = connections.filter((c) => c.provider === provider.toLowerCase());
+    if (existingConnections.length > 0) {
+      console.log(pc11.gray(`
+You have ${existingConnections.length} ${providerInfo.displayName} connection(s):`));
+      for (const conn of existingConnections) {
+        const teamInfo = conn.providerTeamId ? `(Team: ${conn.providerTeamId})` : "(Personal)";
+        console.log(pc11.gray(`  - ${teamInfo}`));
+      }
+      console.log("");
+      const { action } = await prompts9({
+        type: "select",
+        name: "action",
+        message: "What would you like to do?",
+        choices: [
+          { title: "Add another account/team", value: "add" },
+          { title: "Cancel", value: "cancel" }
+        ]
       });
-      if (!reconnect) {
-        console.log(pc9.gray("Keeping existing connection."));
+      if (action !== "add") {
+        console.log(pc11.gray("Keeping existing connections."));
         return;
       }
     }
-    console.log(pc9.blue(`
+    console.log(pc11.blue(`
 Connecting to ${providerInfo.displayName}...
 `));
     let connected = false;
@@ -2125,7 +2312,7 @@ Connecting to ${providerInfo.displayName}...
       command: "connect",
       error: truncateMessage(message)
     });
-    console.error(pc9.red(`
+    console.error(pc11.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
@@ -2135,24 +2322,24 @@ async function connectionsCommand(options = {}) {
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const { connections } = await getConnections(accessToken);
     if (connections.length === 0) {
-      console.log(pc9.gray("No provider connections found."));
-      console.log(pc9.gray("\nConnect to a provider with: keyway connect <provider>"));
-      console.log(pc9.gray("Available providers: vercel, railway"));
+      console.log(pc11.gray("No provider connections found."));
+      console.log(pc11.gray("\nConnect to a provider with: keyway connect <provider>"));
+      console.log(pc11.gray("Available providers: vercel, railway"));
       return;
     }
-    console.log(pc9.blue("\n\u{1F4E1} Provider Connections\n"));
+    console.log(pc11.blue("\n\u{1F4E1} Provider Connections\n"));
     for (const conn of connections) {
       const providerName = conn.provider.charAt(0).toUpperCase() + conn.provider.slice(1);
-      const teamInfo = conn.providerTeamId ? pc9.gray(` (Team: ${conn.providerTeamId})`) : "";
+      const teamInfo = conn.providerTeamId ? pc11.gray(` (Team: ${conn.providerTeamId})`) : "";
       const date = new Date(conn.createdAt).toLocaleDateString();
-      console.log(`  ${pc9.green("\u25CF")} ${pc9.bold(providerName)}${teamInfo}`);
-      console.log(pc9.gray(`    Connected: ${date}`));
-      console.log(pc9.gray(`    ID: ${conn.id}`));
+      console.log(`  ${pc11.green("\u25CF")} ${pc11.bold(providerName)}${teamInfo}`);
+      console.log(pc11.gray(`    Connected: ${date}`));
+      console.log(pc11.gray(`    ID: ${conn.id}`));
       console.log("");
     }
   } catch (error) {
     const message = error instanceof Error ? error.message : "Failed to list connections";
-    console.error(pc9.red(`
+    console.error(pc11.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
@@ -2163,22 +2350,22 @@ async function disconnectCommand(provider, options = {}) {
     const { connections } = await getConnections(accessToken);
     const connection = connections.find((c) => c.provider === provider.toLowerCase());
     if (!connection) {
-      console.log(pc9.gray(`No connection found for provider: ${provider}`));
+      console.log(pc11.gray(`No connection found for provider: ${provider}`));
       return;
     }
     const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    const { confirm } = await prompts7({
+    const { confirm } = await prompts9({
       type: "confirm",
       name: "confirm",
       message: `Disconnect from ${providerName}?`,
       initial: false
     });
     if (!confirm) {
-      console.log(pc9.gray("Cancelled."));
+      console.log(pc11.gray("Cancelled."));
       return;
     }
     await deleteConnection(accessToken, connection.id);
-    console.log(pc9.green(`
+    console.log(pc11.green(`
 \u2713 Disconnected from ${providerName}`));
     trackEvent(AnalyticsEvents.CLI_DISCONNECT, {
       provider: provider.toLowerCase()
@@ -2189,15 +2376,15 @@ async function disconnectCommand(provider, options = {}) {
       command: "disconnect",
       error: truncateMessage(message)
     });
-    console.error(pc9.red(`
+    console.error(pc11.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 
 // src/cmds/sync.ts
-import pc10 from "picocolors";
-import prompts8 from "prompts";
+import pc12 from "picocolors";
+import prompts10 from "prompts";
 function mapToVercelEnvironment(keywayEnv) {
   const mapping = {
     production: "production",
@@ -2241,36 +2428,36 @@ function mapToProviderEnvironment(provider, keywayEnv) {
 function displayDiffSummary(diff, providerName) {
   const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
   if (totalDiff === 0 && diff.same.length > 0) {
-    console.log(pc10.green(`
+    console.log(pc12.green(`
 \u2713 Already in sync (${diff.same.length} secrets)`));
     return;
   }
-  console.log(pc10.blue("\n\u{1F4CA} Comparison Summary\n"));
-  console.log(pc10.gray(`   Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets
+  console.log(pc12.blue("\n\u{1F4CA} Comparison Summary\n"));
+  console.log(pc12.gray(`   Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets
 `));
   if (diff.onlyInKeyway.length > 0) {
-    console.log(pc10.cyan(`   \u2192 ${diff.onlyInKeyway.length} only in Keyway`));
-    diff.onlyInKeyway.slice(0, 3).forEach((key) => console.log(pc10.gray(`      ${key}`)));
+    console.log(pc12.cyan(`   \u2192 ${diff.onlyInKeyway.length} only in Keyway`));
+    diff.onlyInKeyway.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
     if (diff.onlyInKeyway.length > 3) {
-      console.log(pc10.gray(`      ... and ${diff.onlyInKeyway.length - 3} more`));
+      console.log(pc12.gray(`      ... and ${diff.onlyInKeyway.length - 3} more`));
     }
   }
   if (diff.onlyInProvider.length > 0) {
-    console.log(pc10.magenta(`   \u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
-    diff.onlyInProvider.slice(0, 3).forEach((key) => console.log(pc10.gray(`      ${key}`)));
+    console.log(pc12.magenta(`   \u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
+    diff.onlyInProvider.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
     if (diff.onlyInProvider.length > 3) {
-      console.log(pc10.gray(`      ... and ${diff.onlyInProvider.length - 3} more`));
+      console.log(pc12.gray(`      ... and ${diff.onlyInProvider.length - 3} more`));
     }
   }
   if (diff.different.length > 0) {
-    console.log(pc10.yellow(`   \u2260 ${diff.different.length} with different values`));
-    diff.different.slice(0, 3).forEach((key) => console.log(pc10.gray(`      ${key}`)));
+    console.log(pc12.yellow(`   \u2260 ${diff.different.length} with different values`));
+    diff.different.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
     if (diff.different.length > 3) {
-      console.log(pc10.gray(`      ... and ${diff.different.length - 3} more`));
+      console.log(pc12.gray(`      ... and ${diff.different.length - 3} more`));
     }
   }
   if (diff.same.length > 0) {
-    console.log(pc10.gray(`   = ${diff.same.length} identical`));
+    console.log(pc12.gray(`   = ${diff.same.length} identical`));
   }
   console.log("");
 }
@@ -2312,30 +2499,42 @@ function projectMatchesRepo(project, repoFullName) {
 }
 async function promptProjectSelection(projects, repoFullName) {
   const repoName = repoFullName.split("/")[1]?.toLowerCase() || "";
+  const uniqueTeams = new Set(projects.map((p) => p.teamId || "personal"));
+  const hasMultipleAccounts = uniqueTeams.size > 1;
   const choices = projects.map((p) => {
     const displayName = getProjectDisplayName(p);
     let title = displayName;
     const badges = [];
+    if (hasMultipleAccounts) {
+      if (p.teamName) {
+        badges.push(pc12.cyan(`[${p.teamName}]`));
+      } else if (p.teamId) {
+        const shortTeamId = p.teamId.length > 12 ? p.teamId.slice(0, 12) + "..." : p.teamId;
+        badges.push(pc12.cyan(`[team:${shortTeamId}]`));
+      } else {
+        badges.push(pc12.cyan("[personal]"));
+      }
+    }
     if (p.linkedRepo?.toLowerCase() === repoFullName.toLowerCase()) {
-      badges.push(pc10.green("\u2190 linked"));
+      badges.push(pc12.green("\u2190 linked"));
     } else if (p.name.toLowerCase() === repoName || p.serviceName?.toLowerCase() === repoName) {
-      badges.push(pc10.green("\u2190 same name"));
+      badges.push(pc12.green("\u2190 same name"));
     } else if (p.linkedRepo) {
-      badges.push(pc10.gray(`\u2192 ${p.linkedRepo}`));
+      badges.push(pc12.gray(`\u2192 ${p.linkedRepo}`));
     }
     if (badges.length > 0) {
       title = `${displayName} ${badges.join(" ")}`;
     }
     return { title, value: p.id };
   });
-  const { projectChoice } = await prompts8({
+  const { projectChoice } = await prompts10({
     type: "select",
     name: "projectChoice",
     message: "Select a project:",
     choices
   });
   if (!projectChoice) {
-    console.log(pc10.gray("Cancelled."));
+    console.log(pc12.gray("Cancelled."));
     process.exit(0);
   }
   return projects.find((p) => p.id === projectChoice);
@@ -2343,97 +2542,133 @@ async function promptProjectSelection(projects, repoFullName) {
 async function syncCommand(provider, options = {}) {
   try {
     if (options.pull && options.allowDelete) {
-      console.error(pc10.red("Error: --allow-delete cannot be used with --pull"));
-      console.log(pc10.gray("The --allow-delete flag is only for push operations."));
+      console.error(pc12.red("Error: --allow-delete cannot be used with --pull"));
+      console.log(pc12.gray("The --allow-delete flag is only for push operations."));
       process.exit(1);
     }
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const repoFullName = detectGitRepo();
     if (!repoFullName) {
-      console.error(pc10.red("Could not detect Git repository."));
-      console.log(pc10.gray("Run this command from a Git repository directory."));
+      console.error(pc12.red("Could not detect Git repository."));
+      console.log(pc12.gray("Run this command from a Git repository directory."));
       process.exit(1);
     }
-    console.log(pc10.gray(`Repository: ${repoFullName}`));
+    console.log(pc12.gray(`Repository: ${repoFullName}`));
     const vaultExists = await checkVaultExists(accessToken, repoFullName);
     if (!vaultExists) {
-      console.log(pc10.yellow(`
+      console.log(pc12.yellow(`
 No vault found for ${repoFullName}.`));
-      const { shouldCreate } = await prompts8({
+      const { shouldCreate } = await prompts10({
         type: "confirm",
         name: "shouldCreate",
         message: "Create vault now?",
         initial: true
       });
       if (!shouldCreate) {
-        console.log(pc10.gray("Cancelled. Run `keyway init` to create a vault first."));
+        console.log(pc12.gray("Cancelled. Run `keyway init` to create a vault first."));
         process.exit(0);
       }
-      console.log(pc10.gray("\nCreating vault..."));
+      console.log(pc12.gray("\nCreating vault..."));
       try {
         await initVault(repoFullName, accessToken);
-        console.log(pc10.green(`\u2713 Vault created for ${repoFullName}
+        console.log(pc12.green(`\u2713 Vault created for ${repoFullName}
 `));
       } catch (error) {
         const message = error instanceof Error ? error.message : "Failed to create vault";
-        console.error(pc10.red(`
+        console.error(pc12.red(`
 \u2717 ${message}`));
         process.exit(1);
       }
     }
-    let { connections } = await getConnections(accessToken);
-    let connection = connections.find((c) => c.provider === provider.toLowerCase());
-    if (!connection) {
-      const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
-      console.log(pc10.yellow(`
+    const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
+    let { projects: allProjects, connections } = await getAllProviderProjects(accessToken, provider.toLowerCase());
+    if (connections.length === 0) {
+      console.log(pc12.yellow(`
 Not connected to ${providerDisplayName}.`));
-      const { shouldConnect } = await prompts8({
+      const { shouldConnect } = await prompts10({
         type: "confirm",
         name: "shouldConnect",
         message: `Connect to ${providerDisplayName} now?`,
         initial: true
       });
       if (!shouldConnect) {
-        console.log(pc10.gray("Cancelled."));
+        console.log(pc12.gray("Cancelled."));
         process.exit(0);
       }
       await connectCommand(provider, { loginPrompt: false });
-      const refreshed = await getConnections(accessToken);
+      const refreshed = await getAllProviderProjects(accessToken, provider.toLowerCase());
+      allProjects = refreshed.projects;
       connections = refreshed.connections;
-      connection = connections.find((c) => c.provider === provider.toLowerCase());
-      if (!connection) {
-        console.error(pc10.red(`
+      if (connections.length === 0) {
+        console.error(pc12.red(`
 Connection to ${providerDisplayName} failed.`));
         process.exit(1);
       }
       console.log("");
     }
-    const { projects } = await getConnectionProjects(accessToken, connection.id);
+    let projects = allProjects.map((p) => ({
+      id: p.id,
+      name: p.name,
+      serviceId: p.serviceId,
+      serviceName: p.serviceName,
+      linkedRepo: p.linkedRepo,
+      environments: p.environments,
+      connectionId: p.connectionId,
+      teamId: p.teamId,
+      teamName: p.teamName
+    }));
+    if (options.team) {
+      const teamFilter = options.team.toLowerCase();
+      const filteredProjects = projects.filter(
+        (p) => p.teamId?.toLowerCase() === teamFilter || p.teamName?.toLowerCase() === teamFilter || // Match "personal" for null teamId
+        teamFilter === "personal" && !p.teamId
+      );
+      if (filteredProjects.length === 0) {
+        console.error(pc12.red(`No projects found for team: ${options.team}`));
+        console.log(pc12.gray("Available teams:"));
+        const teams = /* @__PURE__ */ new Set();
+        projects.forEach((p) => {
+          if (p.teamName) teams.add(p.teamName);
+          else if (p.teamId) teams.add(p.teamId);
+          else teams.add("personal");
+        });
+        teams.forEach((t) => console.log(pc12.gray(`  - ${t}`)));
+        process.exit(1);
+      }
+      projects = filteredProjects;
+      console.log(pc12.gray(`Filtered to ${projects.length} projects in team: ${options.team}`));
+    }
     if (projects.length === 0) {
-      console.error(pc10.red(`No projects found in your ${provider} account.`));
+      console.error(pc12.red(`No projects found in your ${providerDisplayName} account(s).`));
+      if (connections.length > 1) {
+        console.log(pc12.gray(`Checked ${connections.length} connected accounts.`));
+      }
       process.exit(1);
     }
+    if (connections.length > 1 && !options.team) {
+      console.log(pc12.gray(`Searching ${projects.length} projects across ${connections.length} ${providerDisplayName} accounts...`));
+    }
     let selectedProject;
     if (options.project) {
       const found = projects.find(
         (p) => p.id === options.project || p.name.toLowerCase() === options.project?.toLowerCase() || p.serviceName?.toLowerCase() === options.project?.toLowerCase()
       );
       if (!found) {
-        console.error(pc10.red(`Project not found: ${options.project}`));
-        console.log(pc10.gray("Available projects:"));
-        projects.forEach((p) => console.log(pc10.gray(`  - ${getProjectDisplayName(p)}`)));
+        console.error(pc12.red(`Project not found: ${options.project}`));
+        console.log(pc12.gray("Available projects:"));
+        projects.forEach((p) => console.log(pc12.gray(`  - ${getProjectDisplayName(p)}`)));
         process.exit(1);
       }
       selectedProject = found;
       if (!projectMatchesRepo(selectedProject, repoFullName)) {
         console.log("");
-        console.log(pc10.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc10.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-        console.log(pc10.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc10.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc10.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
+        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
+        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
+        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
         if (selectedProject.linkedRepo) {
-          console.log(pc10.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
         }
         console.log("");
       }
@@ -2442,11 +2677,18 @@ Connection to ${providerDisplayName} failed.`));
       if (autoMatch && (autoMatch.matchType === "linked_repo" || autoMatch.matchType === "exact_name")) {
         selectedProject = autoMatch.project;
         const matchReason = autoMatch.matchType === "linked_repo" ? `linked to ${repoFullName}` : "exact name match";
-        console.log(pc10.green(`\u2713 Auto-selected project: ${getProjectDisplayName(selectedProject)} (${matchReason})`));
+        let teamInfo = "";
+        if (selectedProject.teamName) {
+          teamInfo = pc12.gray(` (${selectedProject.teamName})`);
+        } else if (selectedProject.teamId && connections.length > 1) {
+          const shortTeamId = selectedProject.teamId.length > 12 ? selectedProject.teamId.slice(0, 12) + "..." : selectedProject.teamId;
+          teamInfo = pc12.gray(` (team:${shortTeamId})`);
+        }
+        console.log(pc12.green(`\u2713 Auto-selected project: ${getProjectDisplayName(selectedProject)}${teamInfo} (${matchReason})`));
       } else if (autoMatch && autoMatch.matchType === "partial_name") {
         const partialDisplayName = getProjectDisplayName(autoMatch.project);
-        console.log(pc10.yellow(`Detected project: ${partialDisplayName} (partial match)`));
-        const { useDetected } = await prompts8({
+        console.log(pc12.yellow(`Detected project: ${partialDisplayName} (partial match)`));
+        const { useDetected } = await prompts10({
           type: "confirm",
           name: "useDetected",
           message: `Use ${partialDisplayName}?`,
@@ -2461,30 +2703,30 @@ Connection to ${providerDisplayName} failed.`));
         selectedProject = projects[0];
         if (!projectMatchesRepo(selectedProject, repoFullName)) {
           console.log("");
-          console.log(pc10.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-          console.log(pc10.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-          console.log(pc10.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-          console.log(pc10.yellow(`  Current repo:      ${repoFullName}`));
-          console.log(pc10.yellow(`  Only project:      ${getProjectDisplayName(selectedProject)}`));
+          console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+          console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
+          console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+          console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
+          console.log(pc12.yellow(`  Only project:      ${getProjectDisplayName(selectedProject)}`));
           if (selectedProject.linkedRepo) {
-            console.log(pc10.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+            console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
           }
           console.log("");
-          const { continueAnyway } = await prompts8({
+          const { continueAnyway } = await prompts10({
             type: "confirm",
             name: "continueAnyway",
             message: "Continue anyway?",
             initial: false
           });
           if (!continueAnyway) {
-            console.log(pc10.gray("Cancelled."));
+            console.log(pc12.gray("Cancelled."));
             process.exit(0);
           }
         }
       } else {
-        console.log(pc10.yellow(`
+        console.log(pc12.yellow(`
 \u26A0\uFE0F  No matching project found for ${repoFullName}`));
-        console.log(pc10.gray("Select a project manually:\n"));
+        console.log(pc12.gray("Select a project manually:\n"));
         selectedProject = await promptProjectSelection(projects, repoFullName);
       }
     }
@@ -2492,23 +2734,23 @@ Connection to ${providerDisplayName} failed.`));
       const autoMatch = findMatchingProject(projects, repoFullName);
       if (autoMatch && autoMatch.project.id !== selectedProject.id) {
         console.log("");
-        console.log(pc10.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc10.yellow("\u2502  \u26A0\uFE0F  WARNING: You selected a different project              \u2502"));
-        console.log(pc10.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc10.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc10.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
+        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: You selected a different project              \u2502"));
+        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
+        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
         if (selectedProject.linkedRepo) {
-          console.log(pc10.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
         }
         console.log("");
-        const { continueAnyway } = await prompts8({
+        const { continueAnyway } = await prompts10({
           type: "confirm",
           name: "continueAnyway",
           message: "Are you sure you want to sync with this project?",
           initial: false
         });
         if (!continueAnyway) {
-          console.log(pc10.gray("Cancelled."));
+          console.log(pc12.gray("Cancelled."));
           process.exit(0);
         }
       }
@@ -2522,7 +2764,7 @@ Connection to ${providerDisplayName} failed.`));
     if (needsEnvPrompt || needsDirectionPrompt) {
       if (needsEnvPrompt) {
         const vaultEnvs = await getVaultEnvironments(accessToken, repoFullName);
-        const { selectedEnv } = await prompts8({
+        const { selectedEnv } = await prompts10({
           type: "select",
           name: "selectedEnv",
           message: "Keyway environment:",
@@ -2530,7 +2772,7 @@ Connection to ${providerDisplayName} failed.`));
           initial: Math.max(0, vaultEnvs.indexOf("production"))
         });
         if (!selectedEnv) {
-          console.log(pc10.gray("Cancelled."));
+          console.log(pc12.gray("Cancelled."));
           process.exit(0);
         }
         keywayEnv = selectedEnv;
@@ -2544,9 +2786,9 @@ Connection to ${providerDisplayName} failed.`));
               providerEnv = mappedEnv;
             } else if (selectedProject.environments.length === 1) {
               providerEnv = selectedProject.environments[0];
-              console.log(pc10.gray(`Using ${providerName} environment: ${providerEnv}`));
+              console.log(pc12.gray(`Using ${providerName} environment: ${providerEnv}`));
             } else {
-              const { selectedProviderEnv } = await prompts8({
+              const { selectedProviderEnv } = await prompts10({
                 type: "select",
                 name: "selectedProviderEnv",
                 message: `${providerName} environment:`,
@@ -2556,7 +2798,7 @@ Connection to ${providerDisplayName} failed.`));
                 ))
               });
               if (!selectedProviderEnv) {
-                console.log(pc10.gray("Cancelled."));
+                console.log(pc12.gray("Cancelled."));
                 process.exit(0);
               }
               providerEnv = selectedProviderEnv;
@@ -2570,9 +2812,9 @@ Connection to ${providerDisplayName} failed.`));
       if (needsDirectionPrompt) {
         const effectiveKeywayEnv = keywayEnv || "production";
         const effectiveProviderEnv = providerEnv || mapToProviderEnvironment(provider, effectiveKeywayEnv);
-        console.log(pc10.gray("\nComparing secrets..."));
+        console.log(pc12.gray("\nComparing secrets..."));
         diff = await getSyncDiff(accessToken, repoFullName, {
-          connectionId: connection.id,
+          connectionId: selectedProject.connectionId,
           projectId: selectedProject.id,
           serviceId: selectedProject.serviceId,
           // Railway: service ID for service-specific variables
@@ -2592,7 +2834,7 @@ Connection to ${providerDisplayName} failed.`));
         } else if (diff.providerCount === 0 && diff.keywayCount > 0) {
           defaultDirection = 0;
         }
-        const { selectedDirection } = await prompts8({
+        const { selectedDirection } = await prompts10({
           type: "select",
           name: "selectedDirection",
           message: "Sync direction:",
@@ -2603,7 +2845,7 @@ Connection to ${providerDisplayName} failed.`));
           initial: defaultDirection
         });
         if (!selectedDirection) {
-          console.log(pc10.gray("Cancelled."));
+          console.log(pc12.gray("Cancelled."));
           process.exit(0);
         }
         direction = selectedDirection;
@@ -2615,15 +2857,15 @@ Connection to ${providerDisplayName} failed.`));
     const status = await getSyncStatus(
       accessToken,
       repoFullName,
-      connection.id,
+      selectedProject.connectionId,
       selectedProject.id,
       keywayEnv
     );
     if (status.isFirstSync && direction === "push" && status.vaultIsEmpty && status.providerHasSecrets) {
-      console.log(pc10.yellow(`
+      console.log(pc12.yellow(`
 \u26A0\uFE0F  Your Keyway vault is empty for "${keywayEnv}", but ${providerName} has ${status.providerSecretCount} secrets.`));
-      console.log(pc10.gray(`   (Use --environment to sync a different environment)`));
-      const { importFirst } = await prompts8({
+      console.log(pc12.gray(`   (Use --environment to sync a different environment)`));
+      const { importFirst } = await prompts10({
         type: "confirm",
         name: "importFirst",
         message: `Import secrets from ${providerName} first?`,
@@ -2633,7 +2875,7 @@ Connection to ${providerDisplayName} failed.`));
         await executeSyncOperation(
           accessToken,
           repoFullName,
-          connection.id,
+          selectedProject.connectionId,
           selectedProject,
           keywayEnv,
           providerEnv,
@@ -2649,7 +2891,7 @@ Connection to ${providerDisplayName} failed.`));
     await executeSyncOperation(
       accessToken,
       repoFullName,
-      connection.id,
+      selectedProject.connectionId,
       selectedProject,
       keywayEnv,
       providerEnv,
@@ -2664,7 +2906,7 @@ Connection to ${providerDisplayName} failed.`));
       command: "sync",
       error: truncateMessage(message)
     });
-    console.error(pc10.red(`
+    console.error(pc12.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
@@ -2683,49 +2925,49 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
   });
   const totalChanges = preview.toCreate.length + preview.toUpdate.length + preview.toDelete.length;
   if (totalChanges === 0) {
-    console.log(pc10.green("\n\u2713 Already in sync. No changes needed."));
+    console.log(pc12.green("\n\u2713 Already in sync. No changes needed."));
     return;
   }
-  console.log(pc10.blue("\n\u{1F4CB} Sync Preview\n"));
+  console.log(pc12.blue("\n\u{1F4CB} Sync Preview\n"));
   if (preview.toCreate.length > 0) {
-    console.log(pc10.green(`  + ${preview.toCreate.length} to create`));
-    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc10.gray(`    ${key}`)));
+    console.log(pc12.green(`  + ${preview.toCreate.length} to create`));
+    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
     if (preview.toCreate.length > 5) {
-      console.log(pc10.gray(`    ... and ${preview.toCreate.length - 5} more`));
+      console.log(pc12.gray(`    ... and ${preview.toCreate.length - 5} more`));
     }
   }
   if (preview.toUpdate.length > 0) {
-    console.log(pc10.yellow(`  ~ ${preview.toUpdate.length} to update`));
-    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc10.gray(`    ${key}`)));
+    console.log(pc12.yellow(`  ~ ${preview.toUpdate.length} to update`));
+    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
     if (preview.toUpdate.length > 5) {
-      console.log(pc10.gray(`    ... and ${preview.toUpdate.length - 5} more`));
+      console.log(pc12.gray(`    ... and ${preview.toUpdate.length - 5} more`));
     }
   }
   if (preview.toDelete.length > 0) {
-    console.log(pc10.red(`  - ${preview.toDelete.length} to delete`));
-    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc10.gray(`    ${key}`)));
+    console.log(pc12.red(`  - ${preview.toDelete.length} to delete`));
+    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
     if (preview.toDelete.length > 5) {
-      console.log(pc10.gray(`    ... and ${preview.toDelete.length - 5} more`));
+      console.log(pc12.gray(`    ... and ${preview.toDelete.length - 5} more`));
     }
   }
   if (preview.toSkip.length > 0) {
-    console.log(pc10.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
+    console.log(pc12.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
   }
   console.log("");
   if (!skipConfirm) {
     const target = direction === "push" ? providerName : "Keyway";
-    const { confirm } = await prompts8({
+    const { confirm } = await prompts10({
       type: "confirm",
       name: "confirm",
       message: `Apply ${totalChanges} changes to ${target}?`,
       initial: true
     });
     if (!confirm) {
-      console.log(pc10.gray("Cancelled."));
+      console.log(pc12.gray("Cancelled."));
       return;
     }
   }
-  console.log(pc10.blue("\n\u23F3 Syncing...\n"));
+  console.log(pc12.blue("\n\u23F3 Syncing...\n"));
   const result = await executeSync(accessToken, repoFullName, {
     connectionId,
     projectId: project.id,
@@ -2737,11 +2979,11 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
     allowDelete
   });
   if (result.success) {
-    console.log(pc10.green("\u2713 Sync complete"));
-    console.log(pc10.gray(`  Created: ${result.stats.created}`));
-    console.log(pc10.gray(`  Updated: ${result.stats.updated}`));
+    console.log(pc12.green("\u2713 Sync complete"));
+    console.log(pc12.gray(`  Created: ${result.stats.created}`));
+    console.log(pc12.gray(`  Updated: ${result.stats.updated}`));
     if (result.stats.deleted > 0) {
-      console.log(pc10.gray(`  Deleted: ${result.stats.deleted}`));
+      console.log(pc12.gray(`  Deleted: ${result.stats.deleted}`));
     }
     trackEvent(AnalyticsEvents.CLI_SYNC, {
       provider,
@@ -2751,7 +2993,7 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
       deleted: result.stats.deleted
     });
   } else {
-    console.error(pc10.red(`
+    console.error(pc12.red(`
 \u2717 ${result.error}`));
     process.exit(1);
   }
@@ -2759,16 +3001,16 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
 
 // src/cli.ts
 process.on("unhandledRejection", (reason) => {
-  console.error(pc11.red("Unhandled error:"), reason);
+  console.error(pc13.red("Unhandled error:"), reason);
   process.exit(1);
 });
 var program = new Command();
 var TAGLINE = "Sync secrets with your team and infra";
 var showBanner = () => {
-  const text = pc11.bold(pc11.cyan("Keyway CLI"));
+  const text = pc13.bold(pc13.cyan("Keyway CLI"));
   console.log(`
 ${text}
-${pc11.gray(TAGLINE)}
+${pc13.gray(TAGLINE)}
 `);
 };
 showBanner();
@@ -2800,13 +3042,17 @@ program.command("connections").description("List your provider connections").opt
 program.command("disconnect <provider>").description("Disconnect from a provider").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
   await disconnectCommand(provider, options);
 });
-program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--push", "Export secrets from Keyway to provider").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment (default: production)").option("--provider-env <env>", "Provider environment (default: production)").option("--project <project>", "Provider project name or ID").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
+program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--push", "Export secrets from Keyway to provider").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment (default: production)").option("--provider-env <env>", "Provider environment (default: production)").option("--project <project>", "Provider project name or ID").option("--team <team>", "Team/org name or ID (for multi-account)").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
   await syncCommand(provider, options);
 });
+var ci = program.command("ci").description("CI/CD integration commands");
+ci.command("setup").description("Setup GitHub Actions integration (adds KEYWAY_TOKEN secret)").option("--repo <repo>", "Repository in owner/repo format (auto-detected)").action(async (options) => {
+  await ciSetupCommand(options);
+});
 (async () => {
   await warnIfEnvNotGitignored();
   await program.parseAsync();
 })().catch((error) => {
-  console.error(pc11.red("Error:"), error.message || error);
+  console.error(pc13.red("Error:"), error.message || error);
   process.exit(1);
 });