@keywaysh/cli 0.1.14 → 0.1.15

package/dist/cli.js

@@ -8,7 +8,7 @@ import {
 
 // src/cli.ts
 import { Command } from "commander";
-import pc12 from "picocolors";
+import pc13 from "picocolors";
 
 // src/cmds/init.ts
 import pc7 from "picocolors";
@@ -140,7 +140,7 @@ var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
 // package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.1.14",
+  version: "0.1.15",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -185,9 +185,11 @@ var package_default = {
     node: ">=18.0.0"
   },
   dependencies: {
+    "@octokit/rest": "^22.0.1",
     "balanced-match": "^3.0.1",
     commander: "^14.0.0",
     conf: "^15.0.2",
+    "libsodium-wrappers": "^0.7.15",
     open: "^11.0.0",
     picocolors: "^1.1.1",
     "posthog-node": "^3.5.0",
@@ -195,6 +197,7 @@ var package_default = {
   },
   devDependencies: {
     "@types/balanced-match": "^3.0.2",
+    "@types/libsodium-wrappers": "^0.7.14",
     "@types/node": "^24.2.0",
     "@types/prompts": "^2.4.9",
     "@vitest/coverage-v8": "^3.0.0",
@@ -453,8 +456,8 @@ function getProviderAuthUrl(provider, accessToken, redirectUri) {
   if (redirectUri) params.set("redirect_uri", redirectUri);
   return `${API_BASE_URL}/v1/integrations/${provider}/authorize?${params}`;
 }
-async function getConnectionProjects(accessToken, connectionId) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}/projects`, {
+async function getAllProviderProjects(accessToken, provider) {
+  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/providers/${provider}/all-projects`, {
     method: "GET",
     headers: {
       "User-Agent": USER_AGENT,
@@ -2043,9 +2046,139 @@ Summary: ${formatSummary(results)}`);
   }
 }
 
-// src/cmds/connect.ts
+// src/cmds/ci.ts
+import { execSync as execSync3 } from "child_process";
+import { Octokit } from "@octokit/rest";
 import pc10 from "picocolors";
 import prompts8 from "prompts";
+function isGhAvailable() {
+  try {
+    execSync3("gh auth status", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function addSecretWithGh(repo, secretName, secretValue) {
+  execSync3(`gh secret set ${secretName} --repo ${repo}`, {
+    input: secretValue,
+    stdio: ["pipe", "ignore", "ignore"]
+  });
+}
+async function ciSetupCommand(options) {
+  const repo = options.repo || detectGitRepo();
+  if (!repo) {
+    console.error(pc10.red("Not in a git repository. Use --repo owner/repo"));
+    process.exit(1);
+  }
+  console.log(pc10.bold(`
+\u{1F510} Setting up GitHub Actions for ${repo}
+`));
+  console.log(pc10.dim("Step 1: Keyway Authentication"));
+  let keywayToken;
+  try {
+    keywayToken = await ensureLogin({ allowPrompt: true });
+    console.log(pc10.green("  \u2713 Authenticated with Keyway\n"));
+  } catch {
+    console.error(pc10.red("  \u2717 Failed to authenticate with Keyway"));
+    console.error(pc10.dim("  Run `keyway login` first"));
+    process.exit(1);
+  }
+  const useGh = isGhAvailable();
+  if (useGh) {
+    console.log(pc10.dim("Step 2: Adding secret via GitHub CLI"));
+    try {
+      addSecretWithGh(repo, "KEYWAY_TOKEN", keywayToken);
+      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
+`));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
+      console.error(pc10.dim("  Try running: gh auth login"));
+      process.exit(1);
+    }
+  } else {
+    console.log(pc10.dim("Step 2: Temporary GitHub PAT"));
+    console.log("  gh CLI not found. We need a one-time GitHub PAT.");
+    console.log(pc10.dim("  You can delete it immediately after setup.\n"));
+    const patUrl = "https://github.com/settings/tokens/new?scopes=repo&description=Keyway%20CI%20Setup%20(temporary)";
+    await openUrl(patUrl);
+    const { githubToken } = await prompts8({
+      type: "password",
+      name: "githubToken",
+      message: "Paste your GitHub PAT:"
+    });
+    if (!githubToken) {
+      console.error(pc10.red("\n  \u2717 GitHub PAT is required"));
+      process.exit(1);
+    }
+    const octokit = new Octokit({ auth: githubToken });
+    try {
+      await octokit.users.getAuthenticated();
+      console.log(pc10.green("  \u2713 GitHub PAT validated\n"));
+    } catch {
+      console.error(pc10.red("  \u2717 Invalid GitHub PAT"));
+      process.exit(1);
+    }
+    console.log(pc10.dim("Step 3: Adding secret to repository"));
+    const [owner, repoName] = repo.split("/");
+    try {
+      await addRepoSecret(octokit, owner, repoName, "KEYWAY_TOKEN", keywayToken);
+      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
+`));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (message.includes("Not Found")) {
+        console.error(pc10.red(`  \u2717 Repository not found or no access: ${repo}`));
+        console.error(pc10.dim("  Make sure the PAT has access to this repository"));
+      } else {
+        console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
+      }
+      process.exit(1);
+    }
+  }
+  console.log(pc10.green(pc10.bold("\u2713 Setup complete!\n")));
+  console.log("Add this to your workflow (.github/workflows/*.yml):\n");
+  console.log(
+    pc10.cyan(`    - uses: keywaysh/keyway-action@v1
+      with:
+        token: \${{ secrets.KEYWAY_TOKEN }}
+        environment: production`)
+  );
+  console.log();
+  if (!useGh) {
+    console.log(`\u{1F5D1}\uFE0F  Delete the temporary PAT: ${pc10.underline("https://github.com/settings/tokens")}`);
+  }
+  console.log(pc10.dim(`\u{1F4D6} Docs: ${pc10.underline("https://docs.keyway.sh/ci")}
+`));
+}
+async function addRepoSecret(octokit, owner, repo, secretName, secretValue) {
+  const { data: publicKey } = await octokit.rest.actions.getRepoPublicKey({
+    owner,
+    repo
+  });
+  const encryptedValue = await encryptSecret(publicKey.key, secretValue);
+  await octokit.rest.actions.createOrUpdateRepoSecret({
+    owner,
+    repo,
+    secret_name: secretName,
+    encrypted_value: encryptedValue,
+    key_id: publicKey.key_id
+  });
+}
+async function encryptSecret(publicKey, secret) {
+  const sodiumModule = await import("libsodium-wrappers");
+  const sodium = sodiumModule.default || sodiumModule;
+  await sodium.ready;
+  const binkey = sodium.from_base64(publicKey, sodium.base64_variants.ORIGINAL);
+  const binsec = sodium.from_string(secret);
+  const encBytes = sodium.crypto_box_seal(binsec, binkey);
+  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+}
+
+// src/cmds/connect.ts
+import pc11 from "picocolors";
+import prompts9 from "prompts";
 var TOKEN_AUTH_PROVIDERS = ["railway"];
 function getTokenCreationUrl(provider) {
   switch (provider) {
@@ -2058,37 +2191,37 @@ function getTokenCreationUrl(provider) {
 async function connectWithTokenFlow(accessToken, provider, displayName) {
   const tokenUrl = getTokenCreationUrl(provider);
   if (provider === "railway") {
-    console.log(pc10.yellow("\nTip: Select the workspace containing your projects."));
-    console.log(pc10.yellow(`     Do NOT use "No workspace" - it won't have access to your projects.`));
+    console.log(pc11.yellow("\nTip: Select the workspace containing your projects."));
+    console.log(pc11.yellow(`     Do NOT use "No workspace" - it won't have access to your projects.`));
   }
   await openUrl(tokenUrl);
-  const { token } = await prompts8({
+  const { token } = await prompts9({
     type: "password",
     name: "token",
     message: `${displayName} API Token:`
   });
   if (!token) {
-    console.log(pc10.gray("Cancelled."));
+    console.log(pc11.gray("Cancelled."));
     return false;
   }
-  console.log(pc10.gray("\nValidating token..."));
+  console.log(pc11.gray("\nValidating token..."));
   try {
     const result = await connectWithToken(accessToken, provider, token);
     if (result.success) {
-      console.log(pc10.green(`
+      console.log(pc11.green(`
 \u2713 Connected to ${displayName}!`));
-      console.log(pc10.gray(`  Account: ${result.user.username}`));
+      console.log(pc11.gray(`  Account: ${result.user.username}`));
       if (result.user.teamName) {
-        console.log(pc10.gray(`  Team: ${result.user.teamName}`));
+        console.log(pc11.gray(`  Team: ${result.user.teamName}`));
       }
       return true;
     } else {
-      console.log(pc10.red("\n\u2717 Connection failed."));
+      console.log(pc11.red("\n\u2717 Connection failed."));
       return false;
     }
   } catch (error) {
     const message = error instanceof Error ? error.message : "Token validation failed";
-    console.log(pc10.red(`
+    console.log(pc11.red(`
 \u2717 ${message}`));
     return false;
   }
@@ -2097,7 +2230,7 @@ async function connectWithOAuthFlow(accessToken, provider, displayName) {
   const authUrl = getProviderAuthUrl(provider, accessToken);
   const startTime = /* @__PURE__ */ new Date();
   await openUrl(authUrl);
-  console.log(pc10.gray("Waiting for authorization..."));
+  console.log(pc11.gray("Waiting for authorization..."));
   const maxAttempts = 60;
   let attempts = 0;
   while (attempts < maxAttempts) {
@@ -2109,15 +2242,15 @@ async function connectWithOAuthFlow(accessToken, provider, displayName) {
         (c) => c.provider === provider && new Date(c.createdAt) > startTime
       );
       if (newConn) {
-        console.log(pc10.green(`
+        console.log(pc11.green(`
 \u2713 Connected to ${displayName}!`));
         return true;
       }
     } catch {
     }
   }
-  console.log(pc10.red("\n\u2717 Authorization timeout."));
-  console.log(pc10.gray("Run `keyway connections` to check if the connection was established."));
+  console.log(pc11.red("\n\u2717 Authorization timeout."));
+  console.log(pc11.gray("Run `keyway connections` to check if the connection was established."));
   return false;
 }
 async function connectCommand(provider, options = {}) {
@@ -2127,30 +2260,40 @@ async function connectCommand(provider, options = {}) {
     const providerInfo = providers.find((p) => p.name === provider.toLowerCase());
     if (!providerInfo) {
       const available = providers.map((p) => p.name).join(", ");
-      console.error(pc10.red(`Unknown provider: ${provider}`));
-      console.log(pc10.gray(`Available providers: ${available || "none"}`));
+      console.error(pc11.red(`Unknown provider: ${provider}`));
+      console.log(pc11.gray(`Available providers: ${available || "none"}`));
       process.exit(1);
     }
     if (!providerInfo.configured) {
-      console.error(pc10.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
-      console.log(pc10.gray("Contact your administrator to enable this integration."));
+      console.error(pc11.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
+      console.log(pc11.gray("Contact your administrator to enable this integration."));
       process.exit(1);
     }
     const { connections } = await getConnections(accessToken);
-    const existingConnection = connections.find((c) => c.provider === provider.toLowerCase());
-    if (existingConnection) {
-      const { reconnect } = await prompts8({
-        type: "confirm",
-        name: "reconnect",
-        message: `You're already connected to ${providerInfo.displayName}. Reconnect?`,
-        initial: false
+    const existingConnections = connections.filter((c) => c.provider === provider.toLowerCase());
+    if (existingConnections.length > 0) {
+      console.log(pc11.gray(`
+You have ${existingConnections.length} ${providerInfo.displayName} connection(s):`));
+      for (const conn of existingConnections) {
+        const teamInfo = conn.providerTeamId ? `(Team: ${conn.providerTeamId})` : "(Personal)";
+        console.log(pc11.gray(`  - ${teamInfo}`));
+      }
+      console.log("");
+      const { action } = await prompts9({
+        type: "select",
+        name: "action",
+        message: "What would you like to do?",
+        choices: [
+          { title: "Add another account/team", value: "add" },
+          { title: "Cancel", value: "cancel" }
+        ]
       });
-      if (!reconnect) {
-        console.log(pc10.gray("Keeping existing connection."));
+      if (action !== "add") {
+        console.log(pc11.gray("Keeping existing connections."));
         return;
       }
     }
-    console.log(pc10.blue(`
+    console.log(pc11.blue(`
 Connecting to ${providerInfo.displayName}...
 `));
     let connected = false;
@@ -2169,7 +2312,7 @@ Connecting to ${providerInfo.displayName}...
       command: "connect",
       error: truncateMessage(message)
     });
-    console.error(pc10.red(`
+    console.error(pc11.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
@@ -2179,24 +2322,24 @@ async function connectionsCommand(options = {}) {
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const { connections } = await getConnections(accessToken);
     if (connections.length === 0) {
-      console.log(pc10.gray("No provider connections found."));
-      console.log(pc10.gray("\nConnect to a provider with: keyway connect <provider>"));
-      console.log(pc10.gray("Available providers: vercel, railway"));
+      console.log(pc11.gray("No provider connections found."));
+      console.log(pc11.gray("\nConnect to a provider with: keyway connect <provider>"));
+      console.log(pc11.gray("Available providers: vercel, railway"));
       return;
     }
-    console.log(pc10.blue("\n\u{1F4E1} Provider Connections\n"));
+    console.log(pc11.blue("\n\u{1F4E1} Provider Connections\n"));
     for (const conn of connections) {
       const providerName = conn.provider.charAt(0).toUpperCase() + conn.provider.slice(1);
-      const teamInfo = conn.providerTeamId ? pc10.gray(` (Team: ${conn.providerTeamId})`) : "";
+      const teamInfo = conn.providerTeamId ? pc11.gray(` (Team: ${conn.providerTeamId})`) : "";
       const date = new Date(conn.createdAt).toLocaleDateString();
-      console.log(`  ${pc10.green("\u25CF")} ${pc10.bold(providerName)}${teamInfo}`);
-      console.log(pc10.gray(`    Connected: ${date}`));
-      console.log(pc10.gray(`    ID: ${conn.id}`));
+      console.log(`  ${pc11.green("\u25CF")} ${pc11.bold(providerName)}${teamInfo}`);
+      console.log(pc11.gray(`    Connected: ${date}`));
+      console.log(pc11.gray(`    ID: ${conn.id}`));
       console.log("");
     }
   } catch (error) {
     const message = error instanceof Error ? error.message : "Failed to list connections";
-    console.error(pc10.red(`
+    console.error(pc11.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
@@ -2207,22 +2350,22 @@ async function disconnectCommand(provider, options = {}) {
     const { connections } = await getConnections(accessToken);
     const connection = connections.find((c) => c.provider === provider.toLowerCase());
     if (!connection) {
-      console.log(pc10.gray(`No connection found for provider: ${provider}`));
+      console.log(pc11.gray(`No connection found for provider: ${provider}`));
       return;
     }
     const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    const { confirm } = await prompts8({
+    const { confirm } = await prompts9({
       type: "confirm",
       name: "confirm",
       message: `Disconnect from ${providerName}?`,
       initial: false
     });
     if (!confirm) {
-      console.log(pc10.gray("Cancelled."));
+      console.log(pc11.gray("Cancelled."));
       return;
     }
     await deleteConnection(accessToken, connection.id);
-    console.log(pc10.green(`
+    console.log(pc11.green(`
 \u2713 Disconnected from ${providerName}`));
     trackEvent(AnalyticsEvents.CLI_DISCONNECT, {
       provider: provider.toLowerCase()
@@ -2233,15 +2376,15 @@ async function disconnectCommand(provider, options = {}) {
       command: "disconnect",
       error: truncateMessage(message)
     });
-    console.error(pc10.red(`
+    console.error(pc11.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
 }
 
 // src/cmds/sync.ts
-import pc11 from "picocolors";
-import prompts9 from "prompts";
+import pc12 from "picocolors";
+import prompts10 from "prompts";
 function mapToVercelEnvironment(keywayEnv) {
   const mapping = {
     production: "production",
@@ -2285,36 +2428,36 @@ function mapToProviderEnvironment(provider, keywayEnv) {
 function displayDiffSummary(diff, providerName) {
   const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
   if (totalDiff === 0 && diff.same.length > 0) {
-    console.log(pc11.green(`
+    console.log(pc12.green(`
 \u2713 Already in sync (${diff.same.length} secrets)`));
     return;
   }
-  console.log(pc11.blue("\n\u{1F4CA} Comparison Summary\n"));
-  console.log(pc11.gray(`   Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets
+  console.log(pc12.blue("\n\u{1F4CA} Comparison Summary\n"));
+  console.log(pc12.gray(`   Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets
 `));
   if (diff.onlyInKeyway.length > 0) {
-    console.log(pc11.cyan(`   \u2192 ${diff.onlyInKeyway.length} only in Keyway`));
-    diff.onlyInKeyway.slice(0, 3).forEach((key) => console.log(pc11.gray(`      ${key}`)));
+    console.log(pc12.cyan(`   \u2192 ${diff.onlyInKeyway.length} only in Keyway`));
+    diff.onlyInKeyway.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
     if (diff.onlyInKeyway.length > 3) {
-      console.log(pc11.gray(`      ... and ${diff.onlyInKeyway.length - 3} more`));
+      console.log(pc12.gray(`      ... and ${diff.onlyInKeyway.length - 3} more`));
     }
   }
   if (diff.onlyInProvider.length > 0) {
-    console.log(pc11.magenta(`   \u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
-    diff.onlyInProvider.slice(0, 3).forEach((key) => console.log(pc11.gray(`      ${key}`)));
+    console.log(pc12.magenta(`   \u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
+    diff.onlyInProvider.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
     if (diff.onlyInProvider.length > 3) {
-      console.log(pc11.gray(`      ... and ${diff.onlyInProvider.length - 3} more`));
+      console.log(pc12.gray(`      ... and ${diff.onlyInProvider.length - 3} more`));
     }
   }
   if (diff.different.length > 0) {
-    console.log(pc11.yellow(`   \u2260 ${diff.different.length} with different values`));
-    diff.different.slice(0, 3).forEach((key) => console.log(pc11.gray(`      ${key}`)));
+    console.log(pc12.yellow(`   \u2260 ${diff.different.length} with different values`));
+    diff.different.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
     if (diff.different.length > 3) {
-      console.log(pc11.gray(`      ... and ${diff.different.length - 3} more`));
+      console.log(pc12.gray(`      ... and ${diff.different.length - 3} more`));
     }
   }
   if (diff.same.length > 0) {
-    console.log(pc11.gray(`   = ${diff.same.length} identical`));
+    console.log(pc12.gray(`   = ${diff.same.length} identical`));
   }
   console.log("");
 }
@@ -2356,30 +2499,42 @@ function projectMatchesRepo(project, repoFullName) {
 }
 async function promptProjectSelection(projects, repoFullName) {
   const repoName = repoFullName.split("/")[1]?.toLowerCase() || "";
+  const uniqueTeams = new Set(projects.map((p) => p.teamId || "personal"));
+  const hasMultipleAccounts = uniqueTeams.size > 1;
   const choices = projects.map((p) => {
     const displayName = getProjectDisplayName(p);
     let title = displayName;
     const badges = [];
+    if (hasMultipleAccounts) {
+      if (p.teamName) {
+        badges.push(pc12.cyan(`[${p.teamName}]`));
+      } else if (p.teamId) {
+        const shortTeamId = p.teamId.length > 12 ? p.teamId.slice(0, 12) + "..." : p.teamId;
+        badges.push(pc12.cyan(`[team:${shortTeamId}]`));
+      } else {
+        badges.push(pc12.cyan("[personal]"));
+      }
+    }
     if (p.linkedRepo?.toLowerCase() === repoFullName.toLowerCase()) {
-      badges.push(pc11.green("\u2190 linked"));
+      badges.push(pc12.green("\u2190 linked"));
     } else if (p.name.toLowerCase() === repoName || p.serviceName?.toLowerCase() === repoName) {
-      badges.push(pc11.green("\u2190 same name"));
+      badges.push(pc12.green("\u2190 same name"));
     } else if (p.linkedRepo) {
-      badges.push(pc11.gray(`\u2192 ${p.linkedRepo}`));
+      badges.push(pc12.gray(`\u2192 ${p.linkedRepo}`));
     }
     if (badges.length > 0) {
       title = `${displayName} ${badges.join(" ")}`;
     }
     return { title, value: p.id };
   });
-  const { projectChoice } = await prompts9({
+  const { projectChoice } = await prompts10({
     type: "select",
     name: "projectChoice",
     message: "Select a project:",
     choices
   });
   if (!projectChoice) {
-    console.log(pc11.gray("Cancelled."));
+    console.log(pc12.gray("Cancelled."));
     process.exit(0);
   }
   return projects.find((p) => p.id === projectChoice);
@@ -2387,97 +2542,133 @@ async function promptProjectSelection(projects, repoFullName) {
 async function syncCommand(provider, options = {}) {
   try {
     if (options.pull && options.allowDelete) {
-      console.error(pc11.red("Error: --allow-delete cannot be used with --pull"));
-      console.log(pc11.gray("The --allow-delete flag is only for push operations."));
+      console.error(pc12.red("Error: --allow-delete cannot be used with --pull"));
+      console.log(pc12.gray("The --allow-delete flag is only for push operations."));
       process.exit(1);
     }
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const repoFullName = detectGitRepo();
     if (!repoFullName) {
-      console.error(pc11.red("Could not detect Git repository."));
-      console.log(pc11.gray("Run this command from a Git repository directory."));
+      console.error(pc12.red("Could not detect Git repository."));
+      console.log(pc12.gray("Run this command from a Git repository directory."));
       process.exit(1);
     }
-    console.log(pc11.gray(`Repository: ${repoFullName}`));
+    console.log(pc12.gray(`Repository: ${repoFullName}`));
     const vaultExists = await checkVaultExists(accessToken, repoFullName);
     if (!vaultExists) {
-      console.log(pc11.yellow(`
+      console.log(pc12.yellow(`
 No vault found for ${repoFullName}.`));
-      const { shouldCreate } = await prompts9({
+      const { shouldCreate } = await prompts10({
         type: "confirm",
         name: "shouldCreate",
         message: "Create vault now?",
         initial: true
       });
       if (!shouldCreate) {
-        console.log(pc11.gray("Cancelled. Run `keyway init` to create a vault first."));
+        console.log(pc12.gray("Cancelled. Run `keyway init` to create a vault first."));
         process.exit(0);
       }
-      console.log(pc11.gray("\nCreating vault..."));
+      console.log(pc12.gray("\nCreating vault..."));
       try {
         await initVault(repoFullName, accessToken);
-        console.log(pc11.green(`\u2713 Vault created for ${repoFullName}
+        console.log(pc12.green(`\u2713 Vault created for ${repoFullName}
 `));
       } catch (error) {
         const message = error instanceof Error ? error.message : "Failed to create vault";
-        console.error(pc11.red(`
+        console.error(pc12.red(`
 \u2717 ${message}`));
         process.exit(1);
       }
     }
-    let { connections } = await getConnections(accessToken);
-    let connection = connections.find((c) => c.provider === provider.toLowerCase());
-    if (!connection) {
-      const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
-      console.log(pc11.yellow(`
+    const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
+    let { projects: allProjects, connections } = await getAllProviderProjects(accessToken, provider.toLowerCase());
+    if (connections.length === 0) {
+      console.log(pc12.yellow(`
 Not connected to ${providerDisplayName}.`));
-      const { shouldConnect } = await prompts9({
+      const { shouldConnect } = await prompts10({
         type: "confirm",
         name: "shouldConnect",
         message: `Connect to ${providerDisplayName} now?`,
         initial: true
       });
       if (!shouldConnect) {
-        console.log(pc11.gray("Cancelled."));
+        console.log(pc12.gray("Cancelled."));
         process.exit(0);
       }
       await connectCommand(provider, { loginPrompt: false });
-      const refreshed = await getConnections(accessToken);
+      const refreshed = await getAllProviderProjects(accessToken, provider.toLowerCase());
+      allProjects = refreshed.projects;
       connections = refreshed.connections;
-      connection = connections.find((c) => c.provider === provider.toLowerCase());
-      if (!connection) {
-        console.error(pc11.red(`
+      if (connections.length === 0) {
+        console.error(pc12.red(`
 Connection to ${providerDisplayName} failed.`));
         process.exit(1);
       }
       console.log("");
     }
-    const { projects } = await getConnectionProjects(accessToken, connection.id);
+    let projects = allProjects.map((p) => ({
+      id: p.id,
+      name: p.name,
+      serviceId: p.serviceId,
+      serviceName: p.serviceName,
+      linkedRepo: p.linkedRepo,
+      environments: p.environments,
+      connectionId: p.connectionId,
+      teamId: p.teamId,
+      teamName: p.teamName
+    }));
+    if (options.team) {
+      const teamFilter = options.team.toLowerCase();
+      const filteredProjects = projects.filter(
+        (p) => p.teamId?.toLowerCase() === teamFilter || p.teamName?.toLowerCase() === teamFilter || // Match "personal" for null teamId
+        teamFilter === "personal" && !p.teamId
+      );
+      if (filteredProjects.length === 0) {
+        console.error(pc12.red(`No projects found for team: ${options.team}`));
+        console.log(pc12.gray("Available teams:"));
+        const teams = /* @__PURE__ */ new Set();
+        projects.forEach((p) => {
+          if (p.teamName) teams.add(p.teamName);
+          else if (p.teamId) teams.add(p.teamId);
+          else teams.add("personal");
+        });
+        teams.forEach((t) => console.log(pc12.gray(`  - ${t}`)));
+        process.exit(1);
+      }
+      projects = filteredProjects;
+      console.log(pc12.gray(`Filtered to ${projects.length} projects in team: ${options.team}`));
+    }
     if (projects.length === 0) {
-      console.error(pc11.red(`No projects found in your ${provider} account.`));
+      console.error(pc12.red(`No projects found in your ${providerDisplayName} account(s).`));
+      if (connections.length > 1) {
+        console.log(pc12.gray(`Checked ${connections.length} connected accounts.`));
+      }
       process.exit(1);
     }
+    if (connections.length > 1 && !options.team) {
+      console.log(pc12.gray(`Searching ${projects.length} projects across ${connections.length} ${providerDisplayName} accounts...`));
+    }
     let selectedProject;
     if (options.project) {
       const found = projects.find(
         (p) => p.id === options.project || p.name.toLowerCase() === options.project?.toLowerCase() || p.serviceName?.toLowerCase() === options.project?.toLowerCase()
       );
       if (!found) {
-        console.error(pc11.red(`Project not found: ${options.project}`));
-        console.log(pc11.gray("Available projects:"));
-        projects.forEach((p) => console.log(pc11.gray(`  - ${getProjectDisplayName(p)}`)));
+        console.error(pc12.red(`Project not found: ${options.project}`));
+        console.log(pc12.gray("Available projects:"));
+        projects.forEach((p) => console.log(pc12.gray(`  - ${getProjectDisplayName(p)}`)));
         process.exit(1);
       }
       selectedProject = found;
       if (!projectMatchesRepo(selectedProject, repoFullName)) {
         console.log("");
-        console.log(pc11.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc11.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-        console.log(pc11.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc11.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc11.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
+        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
+        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
+        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
         if (selectedProject.linkedRepo) {
-          console.log(pc11.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
         }
         console.log("");
       }
@@ -2486,11 +2677,18 @@ Connection to ${providerDisplayName} failed.`));
       if (autoMatch && (autoMatch.matchType === "linked_repo" || autoMatch.matchType === "exact_name")) {
         selectedProject = autoMatch.project;
         const matchReason = autoMatch.matchType === "linked_repo" ? `linked to ${repoFullName}` : "exact name match";
-        console.log(pc11.green(`\u2713 Auto-selected project: ${getProjectDisplayName(selectedProject)} (${matchReason})`));
+        let teamInfo = "";
+        if (selectedProject.teamName) {
+          teamInfo = pc12.gray(` (${selectedProject.teamName})`);
+        } else if (selectedProject.teamId && connections.length > 1) {
+          const shortTeamId = selectedProject.teamId.length > 12 ? selectedProject.teamId.slice(0, 12) + "..." : selectedProject.teamId;
+          teamInfo = pc12.gray(` (team:${shortTeamId})`);
+        }
+        console.log(pc12.green(`\u2713 Auto-selected project: ${getProjectDisplayName(selectedProject)}${teamInfo} (${matchReason})`));
       } else if (autoMatch && autoMatch.matchType === "partial_name") {
         const partialDisplayName = getProjectDisplayName(autoMatch.project);
-        console.log(pc11.yellow(`Detected project: ${partialDisplayName} (partial match)`));
-        const { useDetected } = await prompts9({
+        console.log(pc12.yellow(`Detected project: ${partialDisplayName} (partial match)`));
+        const { useDetected } = await prompts10({
           type: "confirm",
           name: "useDetected",
           message: `Use ${partialDisplayName}?`,
@@ -2505,30 +2703,30 @@ Connection to ${providerDisplayName} failed.`));
         selectedProject = projects[0];
         if (!projectMatchesRepo(selectedProject, repoFullName)) {
           console.log("");
-          console.log(pc11.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-          console.log(pc11.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-          console.log(pc11.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-          console.log(pc11.yellow(`  Current repo:      ${repoFullName}`));
-          console.log(pc11.yellow(`  Only project:      ${getProjectDisplayName(selectedProject)}`));
+          console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+          console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
+          console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+          console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
+          console.log(pc12.yellow(`  Only project:      ${getProjectDisplayName(selectedProject)}`));
           if (selectedProject.linkedRepo) {
-            console.log(pc11.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+            console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
           }
           console.log("");
-          const { continueAnyway } = await prompts9({
+          const { continueAnyway } = await prompts10({
             type: "confirm",
             name: "continueAnyway",
             message: "Continue anyway?",
             initial: false
           });
           if (!continueAnyway) {
-            console.log(pc11.gray("Cancelled."));
+            console.log(pc12.gray("Cancelled."));
             process.exit(0);
           }
         }
       } else {
-        console.log(pc11.yellow(`
+        console.log(pc12.yellow(`
 \u26A0\uFE0F  No matching project found for ${repoFullName}`));
-        console.log(pc11.gray("Select a project manually:\n"));
+        console.log(pc12.gray("Select a project manually:\n"));
         selectedProject = await promptProjectSelection(projects, repoFullName);
       }
     }
@@ -2536,23 +2734,23 @@ Connection to ${providerDisplayName} failed.`));
       const autoMatch = findMatchingProject(projects, repoFullName);
       if (autoMatch && autoMatch.project.id !== selectedProject.id) {
         console.log("");
-        console.log(pc11.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc11.yellow("\u2502  \u26A0\uFE0F  WARNING: You selected a different project              \u2502"));
-        console.log(pc11.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc11.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc11.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
+        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: You selected a different project              \u2502"));
+        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
+        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
         if (selectedProject.linkedRepo) {
-          console.log(pc11.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
         }
         console.log("");
-        const { continueAnyway } = await prompts9({
+        const { continueAnyway } = await prompts10({
           type: "confirm",
           name: "continueAnyway",
           message: "Are you sure you want to sync with this project?",
           initial: false
         });
         if (!continueAnyway) {
-          console.log(pc11.gray("Cancelled."));
+          console.log(pc12.gray("Cancelled."));
           process.exit(0);
         }
       }
@@ -2566,7 +2764,7 @@ Connection to ${providerDisplayName} failed.`));
     if (needsEnvPrompt || needsDirectionPrompt) {
       if (needsEnvPrompt) {
         const vaultEnvs = await getVaultEnvironments(accessToken, repoFullName);
-        const { selectedEnv } = await prompts9({
+        const { selectedEnv } = await prompts10({
           type: "select",
           name: "selectedEnv",
           message: "Keyway environment:",
@@ -2574,7 +2772,7 @@ Connection to ${providerDisplayName} failed.`));
           initial: Math.max(0, vaultEnvs.indexOf("production"))
         });
         if (!selectedEnv) {
-          console.log(pc11.gray("Cancelled."));
+          console.log(pc12.gray("Cancelled."));
           process.exit(0);
         }
         keywayEnv = selectedEnv;
@@ -2588,9 +2786,9 @@ Connection to ${providerDisplayName} failed.`));
               providerEnv = mappedEnv;
             } else if (selectedProject.environments.length === 1) {
               providerEnv = selectedProject.environments[0];
-              console.log(pc11.gray(`Using ${providerName} environment: ${providerEnv}`));
+              console.log(pc12.gray(`Using ${providerName} environment: ${providerEnv}`));
             } else {
-              const { selectedProviderEnv } = await prompts9({
+              const { selectedProviderEnv } = await prompts10({
                 type: "select",
                 name: "selectedProviderEnv",
                 message: `${providerName} environment:`,
@@ -2600,7 +2798,7 @@ Connection to ${providerDisplayName} failed.`));
                 ))
               });
               if (!selectedProviderEnv) {
-                console.log(pc11.gray("Cancelled."));
+                console.log(pc12.gray("Cancelled."));
                 process.exit(0);
               }
               providerEnv = selectedProviderEnv;
@@ -2614,9 +2812,9 @@ Connection to ${providerDisplayName} failed.`));
       if (needsDirectionPrompt) {
         const effectiveKeywayEnv = keywayEnv || "production";
         const effectiveProviderEnv = providerEnv || mapToProviderEnvironment(provider, effectiveKeywayEnv);
-        console.log(pc11.gray("\nComparing secrets..."));
+        console.log(pc12.gray("\nComparing secrets..."));
         diff = await getSyncDiff(accessToken, repoFullName, {
-          connectionId: connection.id,
+          connectionId: selectedProject.connectionId,
           projectId: selectedProject.id,
           serviceId: selectedProject.serviceId,
           // Railway: service ID for service-specific variables
@@ -2636,7 +2834,7 @@ Connection to ${providerDisplayName} failed.`));
         } else if (diff.providerCount === 0 && diff.keywayCount > 0) {
           defaultDirection = 0;
         }
-        const { selectedDirection } = await prompts9({
+        const { selectedDirection } = await prompts10({
           type: "select",
           name: "selectedDirection",
           message: "Sync direction:",
@@ -2647,7 +2845,7 @@ Connection to ${providerDisplayName} failed.`));
           initial: defaultDirection
         });
         if (!selectedDirection) {
-          console.log(pc11.gray("Cancelled."));
+          console.log(pc12.gray("Cancelled."));
           process.exit(0);
         }
         direction = selectedDirection;
@@ -2659,15 +2857,15 @@ Connection to ${providerDisplayName} failed.`));
     const status = await getSyncStatus(
       accessToken,
       repoFullName,
-      connection.id,
+      selectedProject.connectionId,
       selectedProject.id,
       keywayEnv
     );
     if (status.isFirstSync && direction === "push" && status.vaultIsEmpty && status.providerHasSecrets) {
-      console.log(pc11.yellow(`
+      console.log(pc12.yellow(`
 \u26A0\uFE0F  Your Keyway vault is empty for "${keywayEnv}", but ${providerName} has ${status.providerSecretCount} secrets.`));
-      console.log(pc11.gray(`   (Use --environment to sync a different environment)`));
-      const { importFirst } = await prompts9({
+      console.log(pc12.gray(`   (Use --environment to sync a different environment)`));
+      const { importFirst } = await prompts10({
         type: "confirm",
         name: "importFirst",
         message: `Import secrets from ${providerName} first?`,
@@ -2677,7 +2875,7 @@ Connection to ${providerDisplayName} failed.`));
         await executeSyncOperation(
           accessToken,
           repoFullName,
-          connection.id,
+          selectedProject.connectionId,
           selectedProject,
           keywayEnv,
           providerEnv,
@@ -2693,7 +2891,7 @@ Connection to ${providerDisplayName} failed.`));
     await executeSyncOperation(
       accessToken,
       repoFullName,
-      connection.id,
+      selectedProject.connectionId,
       selectedProject,
       keywayEnv,
       providerEnv,
@@ -2708,7 +2906,7 @@ Connection to ${providerDisplayName} failed.`));
       command: "sync",
       error: truncateMessage(message)
     });
-    console.error(pc11.red(`
+    console.error(pc12.red(`
 \u2717 ${message}`));
     process.exit(1);
   }
@@ -2727,49 +2925,49 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
   });
   const totalChanges = preview.toCreate.length + preview.toUpdate.length + preview.toDelete.length;
   if (totalChanges === 0) {
-    console.log(pc11.green("\n\u2713 Already in sync. No changes needed."));
+    console.log(pc12.green("\n\u2713 Already in sync. No changes needed."));
     return;
   }
-  console.log(pc11.blue("\n\u{1F4CB} Sync Preview\n"));
+  console.log(pc12.blue("\n\u{1F4CB} Sync Preview\n"));
   if (preview.toCreate.length > 0) {
-    console.log(pc11.green(`  + ${preview.toCreate.length} to create`));
-    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc11.gray(`    ${key}`)));
+    console.log(pc12.green(`  + ${preview.toCreate.length} to create`));
+    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
     if (preview.toCreate.length > 5) {
-      console.log(pc11.gray(`    ... and ${preview.toCreate.length - 5} more`));
+      console.log(pc12.gray(`    ... and ${preview.toCreate.length - 5} more`));
     }
   }
   if (preview.toUpdate.length > 0) {
-    console.log(pc11.yellow(`  ~ ${preview.toUpdate.length} to update`));
-    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc11.gray(`    ${key}`)));
+    console.log(pc12.yellow(`  ~ ${preview.toUpdate.length} to update`));
+    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
     if (preview.toUpdate.length > 5) {
-      console.log(pc11.gray(`    ... and ${preview.toUpdate.length - 5} more`));
+      console.log(pc12.gray(`    ... and ${preview.toUpdate.length - 5} more`));
     }
   }
   if (preview.toDelete.length > 0) {
-    console.log(pc11.red(`  - ${preview.toDelete.length} to delete`));
-    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc11.gray(`    ${key}`)));
+    console.log(pc12.red(`  - ${preview.toDelete.length} to delete`));
+    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
     if (preview.toDelete.length > 5) {
-      console.log(pc11.gray(`    ... and ${preview.toDelete.length - 5} more`));
+      console.log(pc12.gray(`    ... and ${preview.toDelete.length - 5} more`));
     }
   }
   if (preview.toSkip.length > 0) {
-    console.log(pc11.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
+    console.log(pc12.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
   }
   console.log("");
   if (!skipConfirm) {
     const target = direction === "push" ? providerName : "Keyway";
-    const { confirm } = await prompts9({
+    const { confirm } = await prompts10({
       type: "confirm",
       name: "confirm",
       message: `Apply ${totalChanges} changes to ${target}?`,
       initial: true
     });
     if (!confirm) {
-      console.log(pc11.gray("Cancelled."));
+      console.log(pc12.gray("Cancelled."));
       return;
     }
   }
-  console.log(pc11.blue("\n\u23F3 Syncing...\n"));
+  console.log(pc12.blue("\n\u23F3 Syncing...\n"));
   const result = await executeSync(accessToken, repoFullName, {
     connectionId,
     projectId: project.id,
@@ -2781,11 +2979,11 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
     allowDelete
   });
   if (result.success) {
-    console.log(pc11.green("\u2713 Sync complete"));
-    console.log(pc11.gray(`  Created: ${result.stats.created}`));
-    console.log(pc11.gray(`  Updated: ${result.stats.updated}`));
+    console.log(pc12.green("\u2713 Sync complete"));
+    console.log(pc12.gray(`  Created: ${result.stats.created}`));
+    console.log(pc12.gray(`  Updated: ${result.stats.updated}`));
     if (result.stats.deleted > 0) {
-      console.log(pc11.gray(`  Deleted: ${result.stats.deleted}`));
+      console.log(pc12.gray(`  Deleted: ${result.stats.deleted}`));
     }
     trackEvent(AnalyticsEvents.CLI_SYNC, {
       provider,
@@ -2795,7 +2993,7 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
       deleted: result.stats.deleted
     });
   } else {
-    console.error(pc11.red(`
+    console.error(pc12.red(`
 \u2717 ${result.error}`));
     process.exit(1);
   }
@@ -2803,16 +3001,16 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
 
 // src/cli.ts
 process.on("unhandledRejection", (reason) => {
-  console.error(pc12.red("Unhandled error:"), reason);
+  console.error(pc13.red("Unhandled error:"), reason);
   process.exit(1);
 });
 var program = new Command();
 var TAGLINE = "Sync secrets with your team and infra";
 var showBanner = () => {
-  const text = pc12.bold(pc12.cyan("Keyway CLI"));
+  const text = pc13.bold(pc13.cyan("Keyway CLI"));
   console.log(`
 ${text}
-${pc12.gray(TAGLINE)}
+${pc13.gray(TAGLINE)}
 `);
 };
 showBanner();
@@ -2844,13 +3042,17 @@ program.command("connections").description("List your provider connections").opt
 program.command("disconnect <provider>").description("Disconnect from a provider").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
   await disconnectCommand(provider, options);
 });
-program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--push", "Export secrets from Keyway to provider").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment (default: production)").option("--provider-env <env>", "Provider environment (default: production)").option("--project <project>", "Provider project name or ID").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
+program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--push", "Export secrets from Keyway to provider").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment (default: production)").option("--provider-env <env>", "Provider environment (default: production)").option("--project <project>", "Provider project name or ID").option("--team <team>", "Team/org name or ID (for multi-account)").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
   await syncCommand(provider, options);
 });
+var ci = program.command("ci").description("CI/CD integration commands");
+ci.command("setup").description("Setup GitHub Actions integration (adds KEYWAY_TOKEN secret)").option("--repo <repo>", "Repository in owner/repo format (auto-detected)").action(async (options) => {
+  await ciSetupCommand(options);
+});
 (async () => {
   await warnIfEnvNotGitignored();
   await program.parseAsync();
 })().catch((error) => {
-  console.error(pc12.red("Error:"), error.message || error);
+  console.error(pc13.red("Error:"), error.message || error);
   process.exit(1);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keywaysh/cli",
-  "version": "0.1.14",
+  "version": "0.1.15",
   "description": "One link to all your secrets",
   "type": "module",
   "bin": {
@@ -45,9 +45,11 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
+    "@octokit/rest": "^22.0.1",
     "balanced-match": "^3.0.1",
     "commander": "^14.0.0",
     "conf": "^15.0.2",
+    "libsodium-wrappers": "^0.7.15",
     "open": "^11.0.0",
     "picocolors": "^1.1.1",
     "posthog-node": "^3.5.0",
@@ -55,6 +57,7 @@
   },
   "devDependencies": {
     "@types/balanced-match": "^3.0.2",
+    "@types/libsodium-wrappers": "^0.7.14",
     "@types/node": "^24.2.0",
     "@types/prompts": "^2.4.9",
     "@vitest/coverage-v8": "^3.0.0",