@keywaysh/cli 0.1.15 → 0.2.0

package/dist/cli.js

@@ -4,22 +4,92 @@ import {
   getAuthFilePath,
   getStoredAuth,
   saveAuthToken
-} from "./chunk-F4C46224.js";
+} from "./chunk-IVZM2JTT.js";
 
 // src/cli.ts
 import { Command } from "commander";
-import pc13 from "picocolors";
 
-// src/cmds/init.ts
-import pc7 from "picocolors";
-import prompts6 from "prompts";
+// src/utils/ui.ts
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+function intro2(command2) {
+  p.intro(pc.bgCyan(pc.black(` keyway ${command2} `)));
+}
+function outro2(message2) {
+  p.outro(message2);
+}
+function spinner2() {
+  return p.spinner();
+}
+function success(message2) {
+  p.log.success(message2);
+}
+function error(message2) {
+  p.log.error(message2);
+}
+function warn(message2) {
+  p.log.warn(message2);
+}
+function info(message2) {
+  p.log.info(message2);
+}
+function step(message2) {
+  p.log.step(message2);
+}
+function message(message2) {
+  p.log.message(message2);
+}
+function note2(message2, title) {
+  p.note(message2, title);
+}
+function cancel2(message2 = "Operation cancelled.") {
+  p.cancel(message2);
+  process.exit(0);
+}
+async function text2(options) {
+  const result = await p.text(options);
+  if (p.isCancel(result)) {
+    cancel2();
+  }
+  return result;
+}
+async function confirm2(options) {
+  const result = await p.confirm(options);
+  if (p.isCancel(result)) {
+    cancel2();
+  }
+  return result;
+}
+async function select2(options) {
+  const result = await p.select(options);
+  if (p.isCancel(result)) {
+    cancel2();
+  }
+  return result;
+}
+function link(url) {
+  return pc.underline(pc.cyan(url));
+}
+function command(cmd) {
+  return pc.cyan(cmd);
+}
+function file(path7) {
+  return pc.cyan(path7);
+}
+function value(val) {
+  return pc.cyan(String(val));
+}
+function dim(text3) {
+  return pc.dim(text3);
+}
+function bold(text3) {
+  return pc.bold(text3);
+}
 
 // src/utils/git.ts
 import { execSync } from "child_process";
 import fs from "fs";
 import path from "path";
-import pc from "picocolors";
-import prompts from "prompts";
 function getCurrentRepoFullName() {
   try {
     if (!isGitRepository()) {
@@ -29,7 +99,7 @@ function getCurrentRepoFullName() {
       encoding: "utf-8"
     }).trim();
     return parseGitHubUrl(remoteUrl);
-  } catch (error) {
+  } catch (error2) {
     throw new Error("Failed to get repository name. Make sure you are in a git repository with a GitHub remote.");
   }
 }
@@ -116,18 +186,16 @@ async function warnIfEnvNotGitignored() {
   if (checkEnvGitignore()) {
     return;
   }
-  console.log(pc.yellow("\u26A0\uFE0F  .env files are not in .gitignore - secrets may be committed"));
-  const { addToGitignore } = await prompts({
-    type: "confirm",
-    name: "addToGitignore",
+  warn(".env files are not in .gitignore - secrets may be committed");
+  const addToGitignore = await confirm2({
     message: "Add .env* to .gitignore?",
-    initial: true
+    initialValue: true
   });
   if (addToGitignore) {
     if (addEnvToGitignore()) {
-      console.log(pc.green("\u2713 Added .env* to .gitignore"));
+      success("Added .env* to .gitignore");
     } else {
-      console.log(pc.red("\u2717 Failed to update .gitignore"));
+      error("Failed to update .gitignore");
     }
   }
 }
@@ -140,8 +208,8 @@ var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
 // package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.1.15",
-  description: "One link to all your secrets",
+  version: "0.2.0",
+  description: "Env vars that sync like code.",
   type: "module",
   bin: {
     keyway: "./dist/cli.js"
@@ -193,13 +261,12 @@ var package_default = {
     open: "^11.0.0",
     picocolors: "^1.1.1",
     "posthog-node": "^3.5.0",
-    prompts: "^2.4.2"
+    "@clack/prompts": "^0.9.1"
   },
   devDependencies: {
     "@types/balanced-match": "^3.0.2",
     "@types/libsodium-wrappers": "^0.7.14",
     "@types/node": "^24.2.0",
-    "@types/prompts": "^2.4.9",
     "@vitest/coverage-v8": "^3.0.0",
     msw: "^2.12.4",
     tsup: "^8.5.0",
@@ -213,9 +280,9 @@ var package_default = {
 var API_BASE_URL = process.env.KEYWAY_API_URL || INTERNAL_API_URL;
 var USER_AGENT = `keyway-cli/${package_default.version}`;
 var DEFAULT_TIMEOUT_MS = 3e4;
-function truncateMessage(message, maxLength = 200) {
-  if (message.length <= maxLength) return message;
-  return message.slice(0, maxLength - 3) + "...";
+function truncateMessage(message2, maxLength = 200) {
+  if (message2.length <= maxLength) return message2;
+  return message2.slice(0, maxLength - 3) + "...";
 }
 var NETWORK_ERROR_MESSAGES = {
   ECONNREFUSED: "Cannot connect to Keyway API server. Is the server running?",
@@ -228,16 +295,16 @@ var NETWORK_ERROR_MESSAGES = {
   UNABLE_TO_VERIFY_LEAF_SIGNATURE: "SSL certificate verification failed.",
   EPROTO: "SSL/TLS protocol error. Try again later."
 };
-function handleNetworkError(error) {
-  const errorCode = error.code || error.cause?.code;
+function handleNetworkError(error2) {
+  const errorCode = error2.code || error2.cause?.code;
   if (errorCode && NETWORK_ERROR_MESSAGES[errorCode]) {
     return new Error(NETWORK_ERROR_MESSAGES[errorCode]);
   }
-  const message = error.message.toLowerCase();
-  if (message.includes("fetch failed") || message.includes("network")) {
+  const message2 = error2.message.toLowerCase();
+  if (message2.includes("fetch failed") || message2.includes("network")) {
     return new Error("Network error. Check your internet connection and try again.");
   }
-  return error;
+  return error2;
 }
 async function fetchWithTimeout(url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) {
   const controller = new AbortController();
@@ -247,14 +314,14 @@ async function fetchWithTimeout(url, options = {}, timeoutMs = DEFAULT_TIMEOUT_M
       ...options,
       signal: controller.signal
     });
-  } catch (error) {
-    if (error instanceof Error) {
-      if (error.name === "AbortError") {
+  } catch (error2) {
+    if (error2 instanceof Error) {
+      if (error2.name === "AbortError") {
         throw new Error(`Request timeout after ${timeoutMs / 1e3}s. Check your network connection.`);
       }
-      throw handleNetworkError(error);
+      throw handleNetworkError(error2);
     }
-    throw error;
+    throw error2;
   } finally {
     clearTimeout(timeout);
   }
@@ -280,39 +347,39 @@ Set KEYWAY_DISABLE_SECURITY_WARNINGS=1 to suppress this warning.`
 }
 validateApiUrl(API_BASE_URL);
 var APIError = class extends Error {
-  constructor(statusCode, error, message, upgradeUrl) {
-    super(message);
+  constructor(statusCode, error2, message2, upgradeUrl) {
+    super(message2);
     this.statusCode = statusCode;
-    this.error = error;
+    this.error = error2;
     this.upgradeUrl = upgradeUrl;
     this.name = "APIError";
   }
 };
 async function handleResponse(response) {
   const contentType = response.headers.get("content-type") || "";
-  const text = await response.text();
+  const text3 = await response.text();
   if (!response.ok) {
     if (contentType.includes("application/json")) {
       try {
-        const error = JSON.parse(text);
-        throw new APIError(response.status, error.title || "Error", error.detail || `HTTP ${response.status}`, error.upgradeUrl);
+        const error2 = JSON.parse(text3);
+        throw new APIError(response.status, error2.title || "Error", error2.detail || `HTTP ${response.status}`, error2.upgradeUrl);
       } catch (e) {
         if (e instanceof APIError) throw e;
-        throw new APIError(response.status, "Error", text || `HTTP ${response.status}`);
+        throw new APIError(response.status, "Error", text3 || `HTTP ${response.status}`);
       }
     }
-    throw new APIError(response.status, "Error", text || `HTTP ${response.status}`);
+    throw new APIError(response.status, "Error", text3 || `HTTP ${response.status}`);
   }
-  if (!text) {
+  if (!text3) {
     return {};
   }
   if (contentType.includes("application/json")) {
     try {
-      return JSON.parse(text);
+      return JSON.parse(text3);
     } catch {
     }
   }
-  return { content: text };
+  return { content: text3 };
 }
 async function initVault(repoFullName, accessToken) {
   const body = { repoFullName };
@@ -340,11 +407,11 @@ function parseEnvContent(content) {
     const eqIndex = trimmed.indexOf("=");
     if (eqIndex === -1) continue;
     const key = trimmed.substring(0, eqIndex).trim();
-    let value = trimmed.substring(eqIndex + 1);
-    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
+    let value2 = trimmed.substring(eqIndex + 1);
+    if (value2.startsWith('"') && value2.endsWith('"') || value2.startsWith("'") && value2.endsWith("'")) {
+      value2 = value2.slice(1, -1);
     }
-    if (key) result[key] = value;
+    if (key) result[key] = value2;
   }
   return result;
 }
@@ -664,7 +731,7 @@ function getDistinctId() {
     } catch {
     }
     return distinctId;
-  } catch (error) {
+  } catch (error2) {
     console.warn("Failed to persist distinct ID, using session-based ID");
     distinctId = `session-${crypto.randomUUID()}`;
     return distinctId;
@@ -698,21 +765,21 @@ function trackEvent(event, properties) {
         ci: CI
       }
     });
-  } catch (error) {
-    console.debug("Analytics error:", error);
+  } catch (error2) {
+    console.debug("Analytics error:", error2);
   }
 }
 function sanitizeProperties(properties) {
   const sanitized = {};
-  for (const [key, value] of Object.entries(properties)) {
+  for (const [key, value2] of Object.entries(properties)) {
     if (key.toLowerCase().includes("secret") || key.toLowerCase().includes("token") || key.toLowerCase().includes("password") || key.toLowerCase().includes("content") || key.toLowerCase().includes("key") || key.toLowerCase().includes("value")) {
       continue;
     }
-    if (value && typeof value === "string" && value.length > 500) {
-      sanitized[key] = `${value.slice(0, 200)}...`;
+    if (value2 && typeof value2 === "string" && value2.length > 500) {
+      sanitized[key] = `${value2.slice(0, 200)}...`;
       continue;
     }
-    sanitized[key] = value;
+    sanitized[key] = value2;
   }
   return sanitized;
 }
@@ -741,8 +808,8 @@ function identifyUser(userId, properties) {
         alias: anonId
       });
     }
-  } catch (error) {
-    console.debug("Analytics identify error:", error);
+  } catch (error2) {
+    console.debug("Analytics identify error:", error2);
   }
 }
 var AnalyticsEvents = {
@@ -761,8 +828,6 @@ var AnalyticsEvents = {
 // src/cmds/readme.ts
 import fs3 from "fs";
 import path3 from "path";
-import prompts2 from "prompts";
-import pc2 from "picocolors";
 import balanced from "balanced-match";
 function generateBadge(repo) {
   return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/vaults/${repo})`;
@@ -853,22 +918,15 @@ async function ensureReadme(repoName, cwd) {
   if (existing) return existing;
   const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
   if (!isInteractive2) {
-    console.log(pc2.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
+    warn('No README found. Run "keyway readme add-badge" from a repo with a README.');
     return null;
   }
-  const { confirm } = await prompts2(
-    {
-      type: "confirm",
-      name: "confirm",
-      message: "No README found. Create a default README.md?",
-      initial: false
-    },
-    {
-      onCancel: () => ({ confirm: false })
-    }
-  );
-  if (!confirm) {
-    console.log(pc2.yellow("Skipping badge insertion (no README)."));
+  const confirm3 = await confirm2({
+    message: "No README found. Create a default README.md?",
+    initialValue: false
+  });
+  if (!confirm3) {
+    warn("Skipping badge insertion (no README).");
     return null;
   }
   const defaultPath = path3.join(cwd, "README.md");
@@ -891,94 +949,66 @@ async function addBadgeToReadme(silent = false) {
   const updated = insertBadgeIntoReadme(content, badge);
   if (updated === content) {
     if (!silent) {
-      console.log(pc2.gray("Keyway badge already present in README."));
+      info("Keyway badge already present in README.");
     }
     return false;
   }
   fs3.writeFileSync(readmePath, updated, "utf-8");
   if (!silent) {
-    console.log(pc2.green(`\u2713 Keyway badge added to ${path3.basename(readmePath)}`));
+    success(`Keyway badge added to ${path3.basename(readmePath)}`);
   }
   return true;
 }
 
 // src/cmds/push.ts
-import pc6 from "picocolors";
+import pc3 from "picocolors";
 import fs5 from "fs";
 import path5 from "path";
-import prompts5 from "prompts";
 
 // src/cmds/login.ts
-import pc4 from "picocolors";
-import readline from "readline";
-import prompts3 from "prompts";
+import pc2 from "picocolors";
+import * as p2 from "@clack/prompts";
 
 // src/utils/helpers.ts
-import pc3 from "picocolors";
 import open from "open";
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 async function openUrl(url) {
-  console.log(pc3.gray(`
-Open this URL in your browser:
-${url}
-`));
+  message(dim(`Open this URL in your browser:
+${url}`));
   await open(url).catch(() => {
   });
 }
 function isInteractive() {
   return Boolean(process.stdout.isTTY && process.stdin.isTTY && !process.env.CI);
 }
-function showUpgradePrompt(message, upgradeUrl) {
-  console.log("");
-  console.log(pc3.dim("\u2500".repeat(50)));
-  console.log("");
-  console.log(`  ${pc3.yellow("\u26A1")} ${pc3.bold("Plan Limit Reached")}`);
-  console.log("");
-  console.log(pc3.white(`  ${message}`));
-  console.log("");
-  console.log(`  ${pc3.cyan("Upgrade now \u2192")} ${pc3.underline(upgradeUrl)}`);
-  console.log("");
-  console.log(pc3.dim("\u2500".repeat(50)));
-  console.log("");
+function showUpgradePrompt(message2, upgradeUrl) {
+  note2(`${message2}
+
+Upgrade: ${link(upgradeUrl)}`, "Plan Limit Reached");
 }
 var MAX_CONSECUTIVE_ERRORS = 5;
 
 // src/cmds/login.ts
-async function promptYesNo(question, defaultYes = true) {
-  return new Promise((resolve) => {
-    const rl = readline.createInterface({
-      input: process.stdin,
-      output: process.stdout
-    });
-    rl.question(question, (answer) => {
-      rl.close();
-      const normalized = answer.trim().toLowerCase();
-      if (!normalized) return resolve(defaultYes);
-      if (["y", "yes"].includes(normalized)) return resolve(true);
-      if (["n", "no"].includes(normalized)) return resolve(false);
-      return resolve(defaultYes);
-    });
-  });
-}
 async function runLoginFlow() {
-  console.log(pc4.blue("\u{1F510} Starting Keyway login...\n"));
   const repoName = detectGitRepo();
   const start = await startDeviceLogin(repoName);
   const verifyUrl = start.verificationUriComplete || start.verificationUri;
   if (!verifyUrl) {
     throw new Error("Missing verification URL from the auth server.");
   }
-  console.log(`Code: ${pc4.bold(pc4.green(start.userCode))}`);
+  step(`Code: ${pc2.bold(pc2.green(start.userCode))}`);
   await openUrl(verifyUrl);
-  console.log("Waiting for auth...");
+  const s = spinner2();
+  s.start("Waiting for authorization...");
   const pollIntervalMs = (start.interval ?? 5) * 1e3;
   const maxTimeoutMs = Math.min((start.expiresIn ?? 900) * 1e3, 30 * 60 * 1e3);
   const startTime = Date.now();
   let consecutiveErrors = 0;
   while (true) {
     if (Date.now() - startTime > maxTimeoutMs) {
+      s.stop("Login timed out");
       throw new Error('Login timed out. Please run "keyway login" again.');
     }
     await sleep(pollIntervalMs);
@@ -1003,17 +1033,17 @@ async function runLoginFlow() {
             login_method: "device"
           });
         }
-        console.log(pc4.green("\n\u2713 Login successful"));
-        if (result.githubLogin) {
-          console.log(`Authenticated GitHub user: ${pc4.cyan(result.githubLogin)}`);
-        }
+        s.stop("Authorized");
+        success(`Logged in as ${value(`@${result.githubLogin}`)}`);
         return result.keywayToken;
       }
+      s.stop("Authorization failed");
       throw new Error(result.message || "Authentication failed");
-    } catch (error) {
+    } catch (error2) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
+        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
+        s.stop("Login failed");
         throw new Error(`Login failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
       }
     }
@@ -1025,7 +1055,7 @@ async function ensureLogin(options = {}) {
     return envToken;
   }
   if (process.env.GITHUB_TOKEN && !process.env.KEYWAY_TOKEN) {
-    console.warn(pc4.yellow("Note: GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication."));
+    warn("GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication.");
   }
   const stored = await getStoredAuth();
   if (stored?.keywayToken) {
@@ -1036,7 +1066,10 @@ async function ensureLogin(options = {}) {
   if (!canPrompt) {
     throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
   }
-  const proceed = await promptYesNo("No Keyway session found. Open the browser to sign in now? (Y/n) ");
+  const proceed = await confirm2({
+    message: "No Keyway session found. Open browser to sign in?",
+    initialValue: true
+  });
   if (!proceed) {
     throw new Error("Login required. Aborting.");
   }
@@ -1045,30 +1078,24 @@ async function ensureLogin(options = {}) {
 async function runTokenLogin() {
   const repoName = detectGitRepo();
   if (repoName) {
-    console.log(`\u{1F4C1} Detected: ${pc4.cyan(repoName)}`);
+    step(`Detected repository: ${value(repoName)}`);
   }
   const description = repoName ? `Keyway CLI for ${repoName}` : "Keyway CLI";
   const url = `https://github.com/settings/personal-access-tokens/new?description=${encodeURIComponent(description)}`;
   await openUrl(url);
-  console.log(pc4.gray("Select the detected repo (or scope manually)."));
-  console.log(pc4.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
-  const { token } = await prompts3(
-    {
-      type: "password",
-      name: "token",
-      message: "Paste token:",
-      validate: (value) => {
-        if (!value || typeof value !== "string") return "Token is required";
-        if (!value.startsWith("github_pat_")) return "Token must start with github_pat_";
-        return true;
-      }
-    },
-    {
-      onCancel: () => {
-        throw new Error("Login cancelled.");
-      }
+  info("Select the detected repo (or scope manually).");
+  message(dim("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
+  const token = await p2.password({
+    message: "Paste your GitHub PAT:",
+    validate: (value2) => {
+      if (!value2 || typeof value2 !== "string") return "Token is required";
+      if (!value2.startsWith("github_pat_")) return "Token must start with github_pat_";
+      return void 0;
     }
-  );
+  });
+  if (p2.isCancel(token)) {
+    cancel2("Login cancelled.");
+  }
   if (!token || typeof token !== "string") {
     throw new Error("Token is required.");
   }
@@ -1076,6 +1103,8 @@ async function runTokenLogin() {
   if (!trimmedToken.startsWith("github_pat_")) {
     throw new Error("Token must start with github_pat_.");
   }
+  const s = spinner2();
+  s.start("Validating token...");
   const validation = await validateToken(trimmedToken);
   await saveAuthToken(trimmedToken, {
     githubLogin: validation.username
@@ -1088,61 +1117,56 @@ async function runTokenLogin() {
     github_username: validation.username,
     login_method: "pat"
   });
-  console.log(pc4.green("\u2705 Authenticated"), `as ${pc4.cyan(`@${validation.username}`)}`);
+  s.stop("Token validated");
+  success(`Logged in as ${value(`@${validation.username}`)}`);
   return trimmedToken;
 }
 async function loginCommand(options = {}) {
+  intro2("login");
   try {
     if (options.token) {
       await runTokenLogin();
     } else {
       await runLoginFlow();
     }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unexpected login error";
+    outro2("Ready to sync secrets!");
+  } catch (error2) {
+    const message2 = error2 instanceof Error ? error2.message : "Unexpected login error";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "login",
-      error: truncateMessage(message)
+      error: truncateMessage(message2)
     });
-    console.error(pc4.red(`
-\u2717 ${message}`));
+    error(message2);
     process.exit(1);
   }
 }
 async function logoutCommand() {
+  intro2("logout");
   clearAuth();
-  console.log(pc4.green("\u2713 Logged out of Keyway"));
-  console.log(pc4.gray(`Auth cache cleared: ${getAuthFilePath()}`));
+  success("Logged out of Keyway");
+  outro2(dim(`Auth cache cleared: ${getAuthFilePath()}`));
 }
 
 // src/utils/env.ts
 import fs4 from "fs";
 import path4 from "path";
-import pc5 from "picocolors";
-import prompts4 from "prompts";
 async function promptCreateEnvFile() {
-  const { createEnv } = await prompts4({
-    type: "confirm",
-    name: "createEnv",
+  const createEnv = await confirm2({
     message: "No .env file found. Create one?",
-    initial: true
-  }, {
-    onCancel: () => {
-      throw new Error("Cancelled by user.");
-    }
+    initialValue: true
   });
   if (!createEnv) {
     return false;
   }
   const envFilePath = path4.join(process.cwd(), ".env");
   fs4.writeFileSync(envFilePath, "# Add your environment variables here\n# Example: API_KEY=your-api-key\n");
-  console.log(pc5.green("\u2713 Created .env file"));
+  success("Created .env file");
   return true;
 }
 
 // src/cmds/push.ts
-function deriveEnvFromFile(file) {
-  const base = path5.basename(file);
+function deriveEnvFromFile(file2) {
+  const base = path5.basename(file2);
   const match = base.match(/\.env(?:\.(.+))?$/);
   if (match) {
     return match[1] || "development";
@@ -1154,7 +1178,7 @@ function discoverEnvCandidates(cwd) {
     const entries = fs5.readdirSync(cwd);
     const hasEnvLocal = entries.includes(".env.local");
     if (hasEnvLocal) {
-      console.log(pc6.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
+      info("Detected .env.local \u2014 not synced by design (machine-specific secrets)");
     }
     const candidates = entries.filter((name) => name.startsWith(".env") && name !== ".env.local").map((name) => {
       const fullPath = path5.join(cwd, name);
@@ -1179,8 +1203,9 @@ function discoverEnvCandidates(cwd) {
   }
 }
 async function pushCommand(options) {
+  intro2("push");
+  await warnIfEnvNotGitignored();
   try {
-    console.log(pc6.blue("\u{1F510} Pushing secrets to Keyway...\n"));
     const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
     let environment = options.env;
     let envFile = options.file;
@@ -1193,7 +1218,7 @@ async function pushCommand(options) {
       if (!created) {
         throw new Error("No .env file found.");
       }
-      console.log(pc6.gray("  Add your variables and run keyway push again\n"));
+      message(dim("Add your variables and run keyway push again"));
       return;
     }
     if (environment && !envFile) {
@@ -1203,47 +1228,30 @@ async function pushCommand(options) {
       }
     }
     if (!environment && !envFile && isInteractive2 && candidates.length > 0) {
-      const { choice } = await prompts5(
-        {
-          type: "select",
-          name: "choice",
-          message: "Select an env file to push:",
-          choices: [
-            ...candidates.map((c) => ({
-              title: `${c.file} (env: ${c.env})`,
-              value: c
-            })),
-            { title: "Enter a different file...", value: "custom" }
-          ]
-        },
-        {
-          onCancel: () => {
-            throw new Error("Push cancelled by user.");
-          }
-        }
-      );
-      if (choice && choice !== "custom") {
-        envFile = choice.file;
-        environment = choice.env;
-      } else if (choice === "custom") {
-        const { fileInput } = await prompts5(
-          {
-            type: "text",
-            name: "fileInput",
-            message: "Path to env file:",
-            validate: (value) => {
-              if (!value) return "Path is required";
-              const resolved = path5.resolve(process.cwd(), value);
-              if (!fs5.existsSync(resolved)) return `File not found: ${value}`;
-              return true;
-            }
-          },
-          {
-            onCancel: () => {
-              throw new Error("Push cancelled by user.");
-            }
+      const choice = await select2({
+        message: "Select an env file to push:",
+        options: [
+          ...candidates.map((c) => ({
+            label: `${c.file} (env: ${c.env})`,
+            value: c.file
+          })),
+          { label: "Enter a different file...", value: "__custom__" }
+        ]
+      });
+      if (choice && choice !== "__custom__") {
+        envFile = choice;
+        const matched = candidates.find((c) => c.file === envFile);
+        environment = matched?.env;
+      } else if (choice === "__custom__") {
+        const fileInput = await text2({
+          message: "Path to env file:",
+          validate: (value2) => {
+            if (!value2) return "Path is required";
+            const resolved = path5.resolve(process.cwd(), value2);
+            if (!fs5.existsSync(resolved)) return `File not found: ${value2}`;
+            return void 0;
           }
-        );
+        });
         envFile = fileInput;
         environment = deriveEnvFromFile(fileInput);
       }
@@ -1266,31 +1274,21 @@ async function pushCommand(options) {
       const trimmed = line.trim();
       return trimmed.length > 0 && !trimmed.startsWith("#");
     });
-    console.log(`File: ${pc6.cyan(envFile)}`);
-    console.log(`Environment: ${pc6.cyan(environment)}`);
-    console.log(`Variables: ${pc6.cyan(lines.length.toString())}`);
+    step(`File: ${file(envFile)}`);
+    step(`Environment: ${value(environment)}`);
+    step(`Variables: ${value(lines.length)}`);
     const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${pc6.cyan(repoFullName)}`);
+    step(`Repository: ${value(repoFullName)}`);
     if (!options.yes) {
-      const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
-      if (!isInteractive3) {
+      if (!isInteractive2) {
         throw new Error("Confirmation required. Re-run with --yes in non-interactive environments.");
       }
-      const { confirm } = await prompts5(
-        {
-          type: "confirm",
-          name: "confirm",
-          message: `Send ${lines.length} secrets from ${envFile} (env: ${environment}) to ${repoFullName}?`,
-          initial: true
-        },
-        {
-          onCancel: () => {
-            throw new Error("Push cancelled by user.");
-          }
-        }
-      );
-      if (!confirm) {
-        console.log(pc6.yellow("Push aborted."));
+      const confirm3 = await confirm2({
+        message: `Push ${lines.length} secrets from ${envFile} to ${repoFullName}?`,
+        initialValue: true
+      });
+      if (!confirm3) {
+        warn("Push aborted.");
         return;
       }
     }
@@ -1300,41 +1298,40 @@ async function pushCommand(options) {
       environment,
       variableCount: lines.length
     });
-    console.log("\nUploading secrets...");
+    const s = spinner2();
+    s.start("Uploading secrets...");
     const response = await pushSecrets(repoFullName, environment, content, accessToken);
-    console.log(pc6.green("\n\u2713 " + response.message));
+    s.stop("Uploaded");
+    success(response.message);
     if (response.stats) {
       const { created, updated, deleted } = response.stats;
       const parts = [];
-      if (created > 0) parts.push(pc6.green(`+${created} created`));
-      if (updated > 0) parts.push(pc6.yellow(`~${updated} updated`));
-      if (deleted > 0) parts.push(pc6.red(`-${deleted} deleted`));
+      if (created > 0) parts.push(pc3.green(`+${created} created`));
+      if (updated > 0) parts.push(pc3.yellow(`~${updated} updated`));
+      if (deleted > 0) parts.push(pc3.red(`-${deleted} deleted`));
       if (parts.length > 0) {
-        console.log(`Stats: ${parts.join(", ")}`);
+        message(`Stats: ${parts.join(", ")}`);
       }
     }
-    console.log(`
-Your secrets are now encrypted and stored securely.`);
     const dashboardLink = `https://www.keyway.sh/dashboard/vaults/${repoFullName}`;
-    console.log(`
-${pc6.blue("\u2394")} Dashboard: ${pc6.underline(dashboardLink)}`);
+    outro2(`Dashboard: ${link(dashboardLink)}`);
     await shutdownAnalytics();
-  } catch (error) {
-    let message;
+  } catch (error2) {
+    let message2;
     let hint = null;
-    if (error instanceof APIError) {
-      message = error.message || `HTTP ${error.statusCode} - ${error.error}`;
-      const envNotFoundMatch = message.match(/Environment '([^']+)' does not exist.*Available environments: ([^.]+)/);
+    if (error2 instanceof APIError) {
+      message2 = error2.message || `HTTP ${error2.statusCode} - ${error2.error}`;
+      const envNotFoundMatch = message2.match(/Environment '([^']+)' does not exist.*Available environments: ([^.]+)/);
       if (envNotFoundMatch) {
         const requestedEnv = envNotFoundMatch[1];
         const availableEnvs = envNotFoundMatch[2];
-        message = `Environment '${requestedEnv}' does not exist in this vault.`;
+        message2 = `Environment '${requestedEnv}' does not exist in this vault.`;
         hint = `Available environments: ${availableEnvs}
-Use ${pc6.cyan(`keyway push --env <environment>`)} to specify one, or create '${requestedEnv}' via the dashboard.`;
+Use ${command(`keyway push --env <environment>`)} to specify one.`;
       }
-      if (error.statusCode === 403 && (error.upgradeUrl || message.toLowerCase().includes("read-only"))) {
-        const upgradeMessage = message.toLowerCase().includes("read-only") ? "This vault is read-only on your current plan." : message;
-        const upgradeUrl = error.upgradeUrl || "https://keyway.sh/settings";
+      if (error2.statusCode === 403 && (error2.upgradeUrl || message2.toLowerCase().includes("read-only"))) {
+        const upgradeMessage = message2.toLowerCase().includes("read-only") ? "This vault is read-only on your current plan." : message2;
+        const upgradeUrl = error2.upgradeUrl || "https://keyway.sh/settings";
         trackEvent(AnalyticsEvents.CLI_ERROR, {
           command: "push",
           error: upgradeMessage
@@ -1343,21 +1340,19 @@ Use ${pc6.cyan(`keyway push --env <environment>`)} to specify one, or create '${
         showUpgradePrompt(upgradeMessage, upgradeUrl);
         process.exit(1);
       }
-    } else if (error instanceof Error) {
-      message = truncateMessage(error.message);
+    } else if (error2 instanceof Error) {
+      message2 = truncateMessage(error2.message);
     } else {
-      message = "Unknown error";
+      message2 = "Unknown error";
     }
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "push",
-      error: message
+      error: message2
     });
     await shutdownAnalytics();
-    console.error(pc6.red(`
-\u2717 ${message}`));
+    error(message2);
     if (hint) {
-      console.error(pc6.gray(`
-${hint}`));
+      message(dim(hint));
     }
     process.exit(1);
   }
@@ -1390,19 +1385,16 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
   }
   const deviceStart = await startDeviceLogin(repoFullName);
   const installUrl = deviceStart.githubAppInstallUrl || "https://github.com/apps/keyway/installations/new";
-  console.log("");
-  const { shouldProceed } = await prompts6({
-    type: "confirm",
-    name: "shouldProceed",
+  const shouldProceed = await confirm2({
     message: "Open browser to sign in?",
-    initial: true
+    initialValue: true
   });
   if (!shouldProceed) {
     throw new Error('Setup required. Run "keyway init" when ready.');
   }
   await openUrl(deviceStart.verificationUriComplete);
-  console.log(pc7.blue("\u23F3 Waiting for authorization..."));
-  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
+  const loginSpinner = spinner2();
+  loginSpinner.start("Waiting for authorization...");
   const pollIntervalMs = Math.max((deviceStart.interval ?? 5) * 1e3, POLL_INTERVAL_MS);
   const startTime = Date.now();
   let accessToken = null;
@@ -1417,7 +1409,7 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
           githubLogin: result.githubLogin,
           expiresAt: result.expiresAt
         });
-        console.log(pc7.green("\u2713 Signed in!"));
+        loginSpinner.stop("Signed in!");
         if (result.githubLogin) {
           identifyUser(result.githubLogin, {
             github_username: result.githubLogin,
@@ -1427,46 +1419,38 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
         break;
       }
       consecutiveErrors = 0;
-      process.stdout.write(pc7.gray("."));
-    } catch (error) {
+    } catch (error2) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
+        loginSpinner.stop("Failed");
+        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
         throw new Error(`Login failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
       }
     }
   }
   if (!accessToken) {
-    console.log("");
-    console.log(pc7.yellow("\u26A0 Timed out waiting for sign in."));
+    loginSpinner.stop("Timeout");
+    warn("Timed out waiting for sign in.");
     throw new Error("Sign in timed out. Please try again.");
   }
   const installStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
   if (installStatus.installed) {
-    console.log(pc7.green("\u2713 GitHub App installed"));
-    console.log("");
+    success("GitHub App installed");
     return accessToken;
   }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 GitHub App not installed on this repository"));
-  console.log(pc7.gray("  The Keyway GitHub App is required for secure access."));
-  console.log("");
-  const { shouldInstall } = await prompts6({
-    type: "confirm",
-    name: "shouldInstall",
+  warn("GitHub App not installed on this repository");
+  message(dim("The Keyway GitHub App is required for secure access."));
+  const shouldInstall = await confirm2({
     message: "Open browser to install GitHub App?",
-    initial: true
+    initialValue: true
   });
   if (!shouldInstall) {
-    console.log(pc7.gray(`
-  Install later: ${installUrl}`));
+    message(dim(`Install later: ${installUrl}`));
     throw new Error("GitHub App installation required.");
   }
   await openUrl(installUrl);
-  console.log(pc7.blue("\u23F3 Waiting for GitHub App installation..."));
-  console.log(pc7.gray('   Add this repository and click "Install"'));
-  console.log(pc7.gray("   Then return here - the CLI will detect it automatically"));
-  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
+  const installSpinner = spinner2();
+  installSpinner.start("Waiting for GitHub App installation...");
   const installStartTime = Date.now();
   consecutiveErrors = 0;
   while (Date.now() - installStartTime < POLL_TIMEOUT_MS) {
@@ -1474,23 +1458,22 @@ async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
     try {
       const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
       if (pollStatus.installed) {
-        console.log(pc7.green("\u2713 GitHub App installed!"));
-        console.log("");
+        installSpinner.stop("GitHub App installed!");
         return accessToken;
       }
       consecutiveErrors = 0;
-      process.stdout.write(pc7.gray("."));
-    } catch (error) {
+    } catch (error2) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
+        installSpinner.stop("Failed");
+        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
         throw new Error(`Installation check failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
       }
     }
   }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 Timed out waiting for installation."));
-  console.log(pc7.gray(`  Install the GitHub App: ${installUrl}`));
+  installSpinner.stop("Timeout");
+  warn("Timed out waiting for installation.");
+  message(dim(`Install the GitHub App: ${installUrl}`));
   throw new Error("GitHub App installation timed out.");
 }
 async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
@@ -1498,42 +1481,36 @@ async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
   let status;
   try {
     status = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-  } catch (error) {
-    if (error instanceof APIError && error.statusCode === 401) {
-      console.log(pc7.yellow("\n\u26A0 Session expired or invalid. Clearing credentials..."));
-      const { clearAuth: clearAuth2 } = await import("./auth-QLPQ24HZ.js");
+  } catch (error2) {
+    if (error2 instanceof APIError && error2.statusCode === 401) {
+      warn("Session expired or invalid. Clearing credentials...");
+      const { clearAuth: clearAuth2 } = await import("./auth-64V3RWUK.js");
       clearAuth2();
       return null;
     }
-    throw error;
+    throw error2;
   }
   if (status.installed) {
     return accessToken;
   }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 GitHub App not installed for this repository"));
-  console.log("");
-  console.log(pc7.gray("  The Keyway GitHub App is required to securely manage secrets."));
-  console.log(pc7.gray("  It only requests minimal permissions (repository metadata)."));
-  console.log("");
+  warn("GitHub App not installed for this repository");
+  message(dim("The Keyway GitHub App is required to securely manage secrets."));
+  message(dim("It only requests minimal permissions (repository metadata)."));
   if (!isInteractive()) {
-    console.log(pc7.gray(`  Install the Keyway GitHub App: ${status.installUrl}`));
+    message(dim(`Install the Keyway GitHub App: ${status.installUrl}`));
     throw new Error("GitHub App installation required.");
   }
-  const { shouldInstall } = await prompts6({
-    type: "confirm",
-    name: "shouldInstall",
+  const shouldInstall = await confirm2({
     message: "Open browser to install Keyway GitHub App?",
-    initial: true
+    initialValue: true
   });
   if (!shouldInstall) {
-    console.log(pc7.gray(`
-  You can install later: ${status.installUrl}`));
+    message(dim(`You can install later: ${status.installUrl}`));
     throw new Error("GitHub App installation required.");
   }
   await openUrl(status.installUrl);
-  console.log(pc7.blue("\u23F3 Waiting for GitHub App installation..."));
-  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
+  const s = spinner2();
+  s.start("Waiting for GitHub App installation...");
   const startTime = Date.now();
   let consecutiveErrors = 0;
   while (Date.now() - startTime < POLL_TIMEOUT_MS) {
@@ -1541,251 +1518,266 @@ async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
     try {
       const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
       if (pollStatus.installed) {
-        console.log(pc7.green("\u2713 GitHub App installed!"));
-        console.log("");
+        s.stop("GitHub App installed!");
         return accessToken;
       }
       consecutiveErrors = 0;
-      process.stdout.write(pc7.gray("."));
-    } catch (error) {
+    } catch (error2) {
       consecutiveErrors++;
       if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
+        s.stop("Failed");
+        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
         throw new Error(`Installation check failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
       }
     }
   }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 Timed out waiting for installation."));
-  console.log(pc7.gray(`  You can install the GitHub App later: ${status.installUrl}`));
+  s.stop("Timeout");
+  warn("Timed out waiting for installation.");
+  message(dim(`You can install the GitHub App later: ${status.installUrl}`));
   throw new Error("GitHub App installation timed out.");
 }
 async function initCommand(options = {}) {
   try {
     const repoFullName = getCurrentRepoFullName();
     const dashboardLink = `${DASHBOARD_URL}/${repoFullName}`;
-    console.log(pc7.blue("\u{1F510} Initializing Keyway vault...\n"));
-    console.log(`  ${pc7.gray("Repository:")} ${pc7.white(repoFullName)}`);
+    intro2("init");
+    await warnIfEnvNotGitignored();
+    step(`Repository: ${value(repoFullName)}`);
     const accessToken = await ensureLoginAndGitHubApp(repoFullName, {
       allowPrompt: options.loginPrompt !== false
     });
     trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName, githubAppInstalled: true });
     const vaultExists = await checkVaultExists(accessToken, repoFullName);
     if (vaultExists) {
-      console.log(pc7.green("\n\u2713 Already initialized!\n"));
-      console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets`);
-      console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(dashboardLink)}`);
-      console.log("");
+      success("Already initialized!");
+      message(dim(`Run ${command("keyway push")} to sync your secrets`));
+      outro2(`Dashboard: ${link(dashboardLink)}`);
       await shutdownAnalytics();
       return;
     }
     await initVault(repoFullName, accessToken);
-    console.log(pc7.green("\u2713 Vault created!"));
+    success("Vault created!");
     try {
       const badgeAdded = await addBadgeToReadme(true);
       if (badgeAdded) {
-        console.log(pc7.green("\u2713 Badge added to README.md"));
+        success("Badge added to README.md");
       }
     } catch {
     }
-    console.log("");
     const envCandidates = discoverEnvCandidates(process.cwd());
-    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-    if (envCandidates.length > 0 && isInteractive2) {
-      console.log(pc7.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
-`));
-      const { shouldPush } = await prompts6({
-        type: "confirm",
-        name: "shouldPush",
+    const interactive = process.stdin.isTTY && process.stdout.isTTY;
+    if (envCandidates.length > 0 && interactive) {
+      message(dim(`Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}`));
+      const shouldPush = await confirm2({
         message: "Push secrets now?",
-        initial: true
+        initialValue: true
       });
       if (shouldPush) {
-        console.log("");
         await pushCommand({ loginPrompt: false, yes: false });
         return;
       }
     }
-    console.log(pc7.dim("\u2500".repeat(50)));
-    console.log("");
     if (envCandidates.length === 0) {
-      if (isInteractive2) {
+      if (interactive) {
         const created = await promptCreateEnvFile();
         if (created) {
-          console.log(`  Add your variables and run ${pc7.cyan("keyway push")}
-`);
+          message(dim(`Add your variables and run ${command("keyway push")}`));
         } else {
-          console.log(`  Next: Create ${pc7.cyan(".env")} and run ${pc7.cyan("keyway push")}
-`);
+          message(dim(`Next: Create ${file(".env")} and run ${command("keyway push")}`));
         }
       } else {
-        console.log(`${pc7.yellow("\u26A0")} No .env file found - your vault is empty`);
-        console.log(`  Next: Create ${pc7.cyan(".env")} and run ${pc7.cyan("keyway push")}
-`);
+        warn("No .env file found - your vault is empty");
+        message(dim(`Next: Create ${file(".env")} and run ${command("keyway push")}`));
       }
     } else {
-      console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets
-`);
+      message(dim(`Run ${command("keyway push")} to sync your secrets`));
     }
-    console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(dashboardLink)}`);
-    console.log("");
+    outro2(`Dashboard: ${link(dashboardLink)}`);
     await shutdownAnalytics();
-  } catch (error) {
-    if (error instanceof APIError) {
-      if (error.statusCode === 409) {
-        console.log(pc7.green("\n\u2713 Already initialized!\n"));
-        console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets`);
-        console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
-        console.log("");
+  } catch (error2) {
+    if (error2 instanceof APIError) {
+      if (error2.statusCode === 409) {
+        success("Already initialized!");
+        message(dim(`Run ${command("keyway push")} to sync your secrets`));
+        outro2(`Dashboard: ${link(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
         await shutdownAnalytics();
         return;
       }
-      if (error.error === "Plan Limit Reached" || error.upgradeUrl) {
-        const upgradeUrl = error.upgradeUrl || "https://keyway.sh/pricing";
-        showUpgradePrompt(error.message, upgradeUrl);
+      if (error2.error === "Plan Limit Reached" || error2.upgradeUrl) {
+        const upgradeUrl = error2.upgradeUrl || "https://keyway.sh/pricing";
+        showUpgradePrompt(error2.message, upgradeUrl);
         await shutdownAnalytics();
         process.exit(1);
       }
     }
-    const message = error instanceof APIError ? error.message : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
+    const message2 = error2 instanceof APIError ? error2.message : error2 instanceof Error ? truncateMessage(error2.message) : "Unknown error";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "init",
-      error: message
+      error: message2
     });
     await shutdownAnalytics();
-    console.error(pc7.red(`
-\u2717 ${message}`));
+    error(message2);
     process.exit(1);
   }
 }
 
 // src/cmds/pull.ts
-import pc8 from "picocolors";
 import fs6 from "fs";
 import path6 from "path";
-import prompts7 from "prompts";
 async function pullCommand(options) {
+  intro2("pull");
+  await warnIfEnvNotGitignored();
   try {
     const environment = options.env || "development";
     const envFile = options.file || ".env";
-    console.log(pc8.blue("\u{1F510} Pulling secrets from Keyway...\n"));
-    console.log(`Environment: ${pc8.cyan(environment)}`);
+    step(`Environment: ${value(environment)}`);
     const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${pc8.cyan(repoFullName)}`);
+    step(`Repository: ${value(repoFullName)}`);
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     trackEvent(AnalyticsEvents.CLI_PULL, {
       repoFullName,
       environment
     });
-    console.log("\nDownloading secrets...");
+    const s = spinner2();
+    s.start("Downloading secrets...");
     const response = await pullSecrets(repoFullName, environment, accessToken);
     const envFilePath = path6.resolve(process.cwd(), envFile);
     if (fs6.existsSync(envFilePath)) {
+      s.stop("Downloaded");
       const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
       if (options.yes) {
-        console.log(pc8.yellow(`
-\u26A0 Overwriting existing file: ${envFile}`));
+        warn(`Overwriting existing file: ${envFile}`);
       } else if (!isInteractive2) {
         throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
       } else {
-        const { confirm } = await prompts7(
-          {
-            type: "confirm",
-            name: "confirm",
-            message: `${envFile} exists. Overwrite with secrets from ${environment}?`,
-            initial: false
-          },
-          {
-            onCancel: () => {
-              throw new Error("Pull cancelled by user.");
-            }
-          }
-        );
-        if (!confirm) {
-          console.log(pc8.yellow("Pull aborted."));
+        const confirm3 = await confirm2({
+          message: `${envFile} exists. Overwrite with secrets from ${environment}?`,
+          initialValue: false
+        });
+        if (!confirm3) {
+          warn("Pull aborted.");
           return;
         }
       }
+    } else {
+      s.stop("Downloaded");
     }
     fs6.writeFileSync(envFilePath, response.content, "utf-8");
     const lines = response.content.split("\n").filter((line) => {
       const trimmed = line.trim();
       return trimmed.length > 0 && !trimmed.startsWith("#");
     });
-    console.log(pc8.green(`
-\u2713 Secrets downloaded successfully`));
-    console.log(`
-File: ${pc8.cyan(envFile)}`);
-    console.log(`Variables: ${pc8.cyan(lines.length.toString())}`);
+    success(`Secrets downloaded to ${file(envFile)}`);
+    message(`Variables: ${value(lines.length)}`);
+    outro2("Secrets synced!");
     await shutdownAnalytics();
-  } catch (error) {
-    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
+  } catch (error2) {
+    const message2 = error2 instanceof APIError ? `API ${error2.statusCode}: ${error2.message}` : error2 instanceof Error ? truncateMessage(error2.message) : "Unknown error";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "pull",
-      error: message
+      error: message2
     });
     await shutdownAnalytics();
-    console.error(pc8.red(`
-\u2717 ${message}`));
+    error(message2);
     process.exit(1);
   }
 }
 
 // src/cmds/doctor.ts
-import pc9 from "picocolors";
+import pc4 from "picocolors";
 
 // src/core/doctor.ts
 import { execSync as execSync2 } from "child_process";
-import { writeFileSync, unlinkSync, readFileSync, existsSync } from "fs";
-import { tmpdir } from "os";
-import { join } from "path";
+import { readFileSync, existsSync } from "fs";
 var API_HEALTH_URL = `${process.env.KEYWAY_API_URL || INTERNAL_API_URL}/v1/health`;
-async function checkNode() {
-  const nodeVersion = process.versions.node;
-  const [major] = nodeVersion.split(".").map(Number);
-  if (major >= 18) {
+async function checkAuth() {
+  try {
+    const auth = await getStoredAuth();
+    if (!auth) {
+      return {
+        id: "auth",
+        name: "Authentication",
+        status: "warn",
+        detail: "Not logged in. Run: keyway login"
+      };
+    }
+    try {
+      const result = await validateToken(auth.keywayToken);
+      return {
+        id: "auth",
+        name: "Authentication",
+        status: "pass",
+        detail: `Logged in as ${result.login || auth.githubLogin || "user"}`
+      };
+    } catch {
+      return {
+        id: "auth",
+        name: "Authentication",
+        status: "warn",
+        detail: "Token expired or invalid. Run: keyway login"
+      };
+    }
+  } catch {
     return {
-      id: "node",
-      name: "Node.js version",
-      status: "pass",
-      detail: `v${nodeVersion} (>=18.0.0 required)`
+      id: "auth",
+      name: "Authentication",
+      status: "warn",
+      detail: "Unable to check authentication status"
     };
   }
-  return {
-    id: "node",
-    name: "Node.js version",
-    status: "fail",
-    detail: `v${nodeVersion} (<18.0.0, please upgrade)`
-  };
 }
-async function checkGit() {
+async function checkGitHubRemote() {
   try {
-    const gitVersion = execSync2("git --version", { encoding: "utf-8" }).trim();
     try {
       execSync2("git rev-parse --is-inside-work-tree", {
         encoding: "utf-8",
         stdio: ["pipe", "pipe", "ignore"]
       });
+    } catch {
       return {
-        id: "git",
-        name: "Git repository",
-        status: "pass",
-        detail: `${gitVersion} - inside repository`
+        id: "github",
+        name: "GitHub repository",
+        status: "warn",
+        detail: "Not in a git repository"
+      };
+    }
+    try {
+      const remoteUrl = execSync2("git remote get-url origin", {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "ignore"]
+      }).trim();
+      const sshMatch = remoteUrl.match(/git@github\.com:(.+)\/(.+?)(\.git)?$/);
+      const httpsMatch = remoteUrl.match(/https:\/\/github\.com\/(.+)\/(.+?)(\.git)?$/);
+      if (sshMatch || httpsMatch) {
+        const match = sshMatch || httpsMatch;
+        const repoName = `${match[1]}/${match[2]}`;
+        return {
+          id: "github",
+          name: "GitHub repository",
+          status: "pass",
+          detail: repoName
+        };
+      }
+      return {
+        id: "github",
+        name: "GitHub repository",
+        status: "warn",
+        detail: "Remote is not a GitHub URL"
       };
     } catch {
       return {
-        id: "git",
-        name: "Git repository",
+        id: "github",
+        name: "GitHub repository",
         status: "warn",
-        detail: `${gitVersion} - not in a repository`
+        detail: "No remote origin configured"
       };
     }
   } catch {
     return {
-      id: "git",
-      name: "Git repository",
+      id: "github",
+      name: "GitHub repository",
       status: "warn",
-      detail: "Git not installed"
+      detail: "Unable to detect repository"
     };
   }
 }
@@ -1821,8 +1813,8 @@ async function checkNetwork() {
       status: "warn",
       detail: `Server returned ${response.status}`
     };
-  } catch (error) {
-    if (error.name === "AbortError") {
+  } catch (error2) {
+    if (error2.name === "AbortError") {
       return {
         id: "network",
         name: "API connectivity",
@@ -1830,7 +1822,7 @@ async function checkNetwork() {
         detail: "Connection timeout (>2s)"
       };
     }
-    if (error.code === "ENOTFOUND") {
+    if (error2.code === "ENOTFOUND") {
       return {
         id: "network",
         name: "API connectivity",
@@ -1838,7 +1830,7 @@ async function checkNetwork() {
         detail: "DNS resolution failed"
       };
     }
-    if (error.code === "CERT_HAS_EXPIRED" || error.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") {
+    if (error2.code === "CERT_HAS_EXPIRED" || error2.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") {
       return {
         id: "network",
         name: "API connectivity",
@@ -1850,27 +1842,103 @@ async function checkNetwork() {
       id: "network",
       name: "API connectivity",
       status: "warn",
-      detail: error.message || "Connection failed"
+      detail: error2.message || "Connection failed"
     };
   }
 }
-async function checkFileSystem() {
-  const testFile = join(tmpdir(), `.keyway-test-${Date.now()}.tmp`);
-  try {
-    writeFileSync(testFile, "test");
-    unlinkSync(testFile);
+async function checkEnvFile() {
+  const envFiles = [".env", ".env.local", ".env.development"];
+  const found = [];
+  for (const file2 of envFiles) {
+    if (existsSync(file2)) {
+      found.push(file2);
+    }
+  }
+  if (found.length === 0) {
     return {
-      id: "filesystem",
-      name: "File system permissions",
-      status: "pass",
-      detail: "Write permissions verified"
+      id: "envfile",
+      name: "Environment file",
+      status: "warn",
+      detail: "No .env file found. Run: keyway pull"
     };
-  } catch (error) {
+  }
+  return {
+    id: "envfile",
+    name: "Environment file",
+    status: "pass",
+    detail: found.join(", ")
+  };
+}
+async function checkSyncs(repoFullName) {
+  if (!repoFullName) {
     return {
-      id: "filesystem",
-      name: "File system permissions",
-      status: "fail",
-      detail: `Cannot write to temp directory: ${error.message}`
+      id: "syncs",
+      name: "Provider syncs",
+      status: "warn",
+      detail: "Not in a GitHub repository"
+    };
+  }
+  try {
+    const auth = await getStoredAuth();
+    if (!auth) {
+      return {
+        id: "syncs",
+        name: "Provider syncs",
+        status: "warn",
+        detail: "Login required to check"
+      };
+    }
+    try {
+      const { connections } = await getConnections(auth.keywayToken);
+      if (connections.length === 0) {
+        return {
+          id: "syncs",
+          name: "Provider syncs",
+          status: "pass",
+          detail: "No integrations connected"
+        };
+      }
+      const providers = [...new Set(connections.map((c) => c.provider))];
+      const linkedProviders = [];
+      const repoLower = repoFullName.toLowerCase();
+      for (const provider of providers) {
+        try {
+          const { projects } = await getAllProviderProjects(auth.keywayToken, provider);
+          const hasLinked = projects.some((p5) => p5.linkedRepo?.toLowerCase() === repoLower);
+          if (hasLinked) {
+            linkedProviders.push(provider);
+          }
+        } catch {
+        }
+      }
+      if (linkedProviders.length === 0) {
+        return {
+          id: "syncs",
+          name: "Provider syncs",
+          status: "pass",
+          detail: "None for this repo"
+        };
+      }
+      return {
+        id: "syncs",
+        name: "Provider syncs",
+        status: "pass",
+        detail: linkedProviders.join(", ")
+      };
+    } catch {
+      return {
+        id: "syncs",
+        name: "Provider syncs",
+        status: "warn",
+        detail: "Unable to check"
+      };
+    }
+  } catch {
+    return {
+      id: "syncs",
+      name: "Provider syncs",
+      status: "warn",
+      detail: "Unable to check"
     };
   }
 }
@@ -1910,59 +1978,17 @@ async function checkGitignore() {
     };
   }
 }
-async function checkSystemClock() {
-  try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetch(API_HEALTH_URL, {
-      method: "HEAD",
-      signal: controller.signal
-    });
-    clearTimeout(timeout);
-    const serverDate = response.headers.get("date");
-    if (!serverDate) {
-      return {
-        id: "clock",
-        name: "System clock",
-        status: "pass",
-        detail: "Unable to verify (no server date)"
-      };
-    }
-    const serverTime = new Date(serverDate).getTime();
-    const localTime = Date.now();
-    const diffMinutes = Math.abs(serverTime - localTime) / 1e3 / 60;
-    if (diffMinutes < 5) {
-      return {
-        id: "clock",
-        name: "System clock",
-        status: "pass",
-        detail: `Synchronized (drift: ${Math.round(diffMinutes * 60)}s)`
-      };
-    }
-    return {
-      id: "clock",
-      name: "System clock",
-      status: "warn",
-      detail: `Clock drift: ${Math.round(diffMinutes)} minutes`
-    };
-  } catch {
-    return {
-      id: "clock",
-      name: "System clock",
-      status: "pass",
-      detail: "Unable to verify"
-    };
-  }
-}
 async function runAllChecks(options = {}) {
-  const checks = await Promise.all([
-    checkNode(),
-    checkGit(),
+  const githubResult = await checkGitHubRemote();
+  const repoFullName = githubResult.status === "pass" ? githubResult.detail || null : null;
+  const [authResult, networkResult, syncsResult, envFileResult, gitignoreResult] = await Promise.all([
+    checkAuth(),
     checkNetwork(),
-    checkFileSystem(),
-    checkGitignore(),
-    checkSystemClock()
+    checkSyncs(repoFullName),
+    checkEnvFile(),
+    checkGitignore()
   ]);
+  const checks = [authResult, githubResult, networkResult, syncsResult, envFileResult, gitignoreResult];
   if (options.strict) {
     checks.forEach((check) => {
       if (check.status === "warn") {
@@ -1986,9 +2012,9 @@ async function runAllChecks(options = {}) {
 // src/cmds/doctor.ts
 function formatSummary(results) {
   const parts = [
-    pc9.green(`${results.summary.pass} passed`),
-    results.summary.warn > 0 ? pc9.yellow(`${results.summary.warn} warnings`) : null,
-    results.summary.fail > 0 ? pc9.red(`${results.summary.fail} failed`) : null
+    pc4.green(`${results.summary.pass} passed`),
+    results.summary.warn > 0 ? pc4.yellow(`${results.summary.warn} warnings`) : null,
+    results.summary.fail > 0 ? pc4.red(`${results.summary.fail} failed`) : null
   ].filter(Boolean);
   return parts.join(", ");
 }
@@ -2005,24 +2031,28 @@ async function doctorCommand(options = {}) {
       process.stdout.write(JSON.stringify(results, null, 0) + "\n");
       process.exit(results.exitCode);
     }
-    console.log(pc9.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
+    intro2("doctor");
     results.checks.forEach((check) => {
-      const icon = check.status === "pass" ? pc9.green("\u2713") : check.status === "warn" ? pc9.yellow("!") : pc9.red("\u2717");
-      const detail = check.detail ? pc9.dim(` \u2014 ${check.detail}`) : "";
-      console.log(`  ${icon} ${check.name}${detail}`);
+      const detail = check.detail ? dim(` \u2014 ${check.detail}`) : "";
+      if (check.status === "pass") {
+        success(`${check.name}${detail}`);
+      } else if (check.status === "warn") {
+        warn(`${check.name}${detail}`);
+      } else {
+        error(`${check.name}${detail}`);
+      }
     });
-    console.log(`
-Summary: ${formatSummary(results)}`);
+    message(`Summary: ${formatSummary(results)}`);
     if (results.summary.fail > 0) {
-      console.log(pc9.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
+      outro2("Some checks failed. Please resolve the issues above.");
     } else if (results.summary.warn > 0) {
-      console.log(pc9.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
+      outro2("Some warnings detected. Keyway should work but consider addressing them.");
     } else {
-      console.log(pc9.green("\u2728 All checks passed! Your environment is ready for Keyway."));
+      outro2("All checks passed! Your environment is ready.");
     }
     process.exit(results.exitCode);
-  } catch (error) {
-    const message = error instanceof Error ? truncateMessage(error.message) : "Doctor failed";
+  } catch (error2) {
+    const message2 = error2 instanceof Error ? truncateMessage(error2.message) : "Doctor failed";
     trackEvent(AnalyticsEvents.CLI_DOCTOR, {
       pass: 0,
       warn: 0,
@@ -2035,12 +2065,11 @@ Summary: ${formatSummary(results)}`);
         checks: [],
         summary: { pass: 0, warn: 0, fail: 1 },
         exitCode: 1,
-        error: message
+        error: message2
       };
       process.stdout.write(JSON.stringify(errorResult, null, 0) + "\n");
     } else {
-      console.error(pc9.red(`
-\u2717 ${message}`));
+      error(message2);
     }
     process.exit(1);
   }
@@ -2049,8 +2078,7 @@ Summary: ${formatSummary(results)}`);
 // src/cmds/ci.ts
 import { execSync as execSync3 } from "child_process";
 import { Octokit } from "@octokit/rest";
-import pc10 from "picocolors";
-import prompts8 from "prompts";
+import * as p3 from "@clack/prompts";
 function isGhAvailable() {
   try {
     execSync3("gh auth status", { stdio: "ignore" });
@@ -2068,89 +2096,82 @@ function addSecretWithGh(repo, secretName, secretValue) {
 async function ciSetupCommand(options) {
   const repo = options.repo || detectGitRepo();
   if (!repo) {
-    console.error(pc10.red("Not in a git repository. Use --repo owner/repo"));
+    error("Not in a git repository. Use --repo owner/repo");
     process.exit(1);
   }
-  console.log(pc10.bold(`
-\u{1F510} Setting up GitHub Actions for ${repo}
-`));
-  console.log(pc10.dim("Step 1: Keyway Authentication"));
+  intro2("ci setup");
+  step(`Setting up GitHub Actions for ${value(repo)}`);
+  message(dim("Step 1: Keyway Authentication"));
   let keywayToken;
   try {
     keywayToken = await ensureLogin({ allowPrompt: true });
-    console.log(pc10.green("  \u2713 Authenticated with Keyway\n"));
+    success("Authenticated with Keyway");
   } catch {
-    console.error(pc10.red("  \u2717 Failed to authenticate with Keyway"));
-    console.error(pc10.dim("  Run `keyway login` first"));
+    error("Failed to authenticate with Keyway");
+    message(dim("Run `keyway login` first"));
     process.exit(1);
   }
   const useGh = isGhAvailable();
   if (useGh) {
-    console.log(pc10.dim("Step 2: Adding secret via GitHub CLI"));
+    message(dim("Step 2: Adding secret via GitHub CLI"));
     try {
       addSecretWithGh(repo, "KEYWAY_TOKEN", keywayToken);
-      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
-`));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
-      console.error(pc10.dim("  Try running: gh auth login"));
+      success(`Secret KEYWAY_TOKEN added to ${repo}`);
+    } catch (error2) {
+      const message2 = error2 instanceof Error ? error2.message : String(error2);
+      error(`Failed to add secret: ${message2}`);
+      message(dim("Try running: gh auth login"));
       process.exit(1);
     }
   } else {
-    console.log(pc10.dim("Step 2: Temporary GitHub PAT"));
-    console.log("  gh CLI not found. We need a one-time GitHub PAT.");
-    console.log(pc10.dim("  You can delete it immediately after setup.\n"));
+    message(dim("Step 2: Temporary GitHub PAT"));
+    info("gh CLI not found. We need a one-time GitHub PAT.");
+    message(dim("You can delete it immediately after setup."));
     const patUrl = "https://github.com/settings/tokens/new?scopes=repo&description=Keyway%20CI%20Setup%20(temporary)";
     await openUrl(patUrl);
-    const { githubToken } = await prompts8({
-      type: "password",
-      name: "githubToken",
+    const githubToken = await p3.password({
       message: "Paste your GitHub PAT:"
     });
-    if (!githubToken) {
-      console.error(pc10.red("\n  \u2717 GitHub PAT is required"));
+    if (p3.isCancel(githubToken) || !githubToken) {
+      error("GitHub PAT is required");
       process.exit(1);
     }
     const octokit = new Octokit({ auth: githubToken });
     try {
       await octokit.users.getAuthenticated();
-      console.log(pc10.green("  \u2713 GitHub PAT validated\n"));
+      success("GitHub PAT validated");
     } catch {
-      console.error(pc10.red("  \u2717 Invalid GitHub PAT"));
+      error("Invalid GitHub PAT");
       process.exit(1);
     }
-    console.log(pc10.dim("Step 3: Adding secret to repository"));
+    message(dim("Step 3: Adding secret to repository"));
     const [owner, repoName] = repo.split("/");
     try {
       await addRepoSecret(octokit, owner, repoName, "KEYWAY_TOKEN", keywayToken);
-      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
-`));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Not Found")) {
-        console.error(pc10.red(`  \u2717 Repository not found or no access: ${repo}`));
-        console.error(pc10.dim("  Make sure the PAT has access to this repository"));
+      success(`Secret KEYWAY_TOKEN added to ${repo}`);
+    } catch (error2) {
+      const message2 = error2 instanceof Error ? error2.message : String(error2);
+      if (message2.includes("Not Found")) {
+        error(`Repository not found or no access: ${repo}`);
+        message(dim("Make sure the PAT has access to this repository"));
       } else {
-        console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
+        error(`Failed to add secret: ${message2}`);
       }
       process.exit(1);
     }
   }
-  console.log(pc10.green(pc10.bold("\u2713 Setup complete!\n")));
-  console.log("Add this to your workflow (.github/workflows/*.yml):\n");
-  console.log(
-    pc10.cyan(`    - uses: keywaysh/keyway-action@v1
-      with:
-        token: \${{ secrets.KEYWAY_TOKEN }}
-        environment: production`)
+  success("Setup complete!");
+  note2(
+    `- uses: keywaysh/keyway-action@v1
+  with:
+    token: \${{ secrets.KEYWAY_TOKEN }}
+    environment: production`,
+    "Add this to your workflow"
   );
-  console.log();
   if (!useGh) {
-    console.log(`\u{1F5D1}\uFE0F  Delete the temporary PAT: ${pc10.underline("https://github.com/settings/tokens")}`);
+    message(`Delete the temporary PAT: ${link("https://github.com/settings/tokens")}`);
   }
-  console.log(pc10.dim(`\u{1F4D6} Docs: ${pc10.underline("https://docs.keyway.sh/ci")}
-`));
+  outro2(`Docs: ${link("https://docs.keyway.sh/ci")}`);
 }
 async function addRepoSecret(octokit, owner, repo, secretName, secretValue) {
   const { data: publicKey } = await octokit.rest.actions.getRepoPublicKey({
@@ -2177,8 +2198,7 @@ async function encryptSecret(publicKey, secret) {
 }
 
 // src/cmds/connect.ts
-import pc11 from "picocolors";
-import prompts9 from "prompts";
+import * as p4 from "@clack/prompts";
 var TOKEN_AUTH_PROVIDERS = ["railway"];
 function getTokenCreationUrl(provider) {
   switch (provider) {
@@ -2191,38 +2211,37 @@ function getTokenCreationUrl(provider) {
 async function connectWithTokenFlow(accessToken, provider, displayName) {
   const tokenUrl = getTokenCreationUrl(provider);
   if (provider === "railway") {
-    console.log(pc11.yellow("\nTip: Select the workspace containing your projects."));
-    console.log(pc11.yellow(`     Do NOT use "No workspace" - it won't have access to your projects.`));
+    warn("Tip: Select the workspace containing your projects.");
+    message(dim(`Do NOT use "No workspace" - it won't have access to your projects.`));
   }
   await openUrl(tokenUrl);
-  const { token } = await prompts9({
-    type: "password",
-    name: "token",
+  const token = await p4.password({
     message: `${displayName} API Token:`
   });
-  if (!token) {
-    console.log(pc11.gray("Cancelled."));
+  if (p4.isCancel(token) || !token) {
+    message(dim("Cancelled."));
     return false;
   }
-  console.log(pc11.gray("\nValidating token..."));
+  const s = spinner2();
+  s.start("Validating token...");
   try {
     const result = await connectWithToken(accessToken, provider, token);
+    s.stop("Validated");
     if (result.success) {
-      console.log(pc11.green(`
-\u2713 Connected to ${displayName}!`));
-      console.log(pc11.gray(`  Account: ${result.user.username}`));
+      success(`Connected to ${displayName}!`);
+      message(dim(`Account: ${result.user.username}`));
       if (result.user.teamName) {
-        console.log(pc11.gray(`  Team: ${result.user.teamName}`));
+        message(dim(`Team: ${result.user.teamName}`));
       }
       return true;
     } else {
-      console.log(pc11.red("\n\u2717 Connection failed."));
+      error("Connection failed.");
       return false;
     }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Token validation failed";
-    console.log(pc11.red(`
-\u2717 ${message}`));
+  } catch (error2) {
+    s.stop("Failed");
+    const message2 = error2 instanceof Error ? error2.message : "Token validation failed";
+    error(message2);
     return false;
   }
 }
@@ -2230,7 +2249,8 @@ async function connectWithOAuthFlow(accessToken, provider, displayName) {
   const authUrl = getProviderAuthUrl(provider, accessToken);
   const startTime = /* @__PURE__ */ new Date();
   await openUrl(authUrl);
-  console.log(pc11.gray("Waiting for authorization..."));
+  const s = spinner2();
+  s.start("Waiting for authorization...");
   const maxAttempts = 60;
   let attempts = 0;
   while (attempts < maxAttempts) {
@@ -2242,60 +2262,55 @@ async function connectWithOAuthFlow(accessToken, provider, displayName) {
         (c) => c.provider === provider && new Date(c.createdAt) > startTime
       );
       if (newConn) {
-        console.log(pc11.green(`
-\u2713 Connected to ${displayName}!`));
+        s.stop("Authorized");
+        success(`Connected to ${displayName}!`);
         return true;
       }
     } catch {
     }
   }
-  console.log(pc11.red("\n\u2717 Authorization timeout."));
-  console.log(pc11.gray("Run `keyway connections` to check if the connection was established."));
+  s.stop("Timeout");
+  error("Authorization timeout.");
+  message(dim("Run `keyway connections` to check if the connection was established."));
   return false;
 }
 async function connectCommand(provider, options = {}) {
   try {
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const { providers } = await getProviders();
-    const providerInfo = providers.find((p) => p.name === provider.toLowerCase());
+    const providerInfo = providers.find((p5) => p5.name === provider.toLowerCase());
     if (!providerInfo) {
-      const available = providers.map((p) => p.name).join(", ");
-      console.error(pc11.red(`Unknown provider: ${provider}`));
-      console.log(pc11.gray(`Available providers: ${available || "none"}`));
+      const available = providers.map((p5) => p5.name).join(", ");
+      error(`Unknown provider: ${provider}`);
+      message(dim(`Available providers: ${available || "none"}`));
       process.exit(1);
     }
     if (!providerInfo.configured) {
-      console.error(pc11.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
-      console.log(pc11.gray("Contact your administrator to enable this integration."));
+      error(`Provider ${providerInfo.displayName} is not configured on the server.`);
+      message(dim("Contact your administrator to enable this integration."));
       process.exit(1);
     }
     const { connections } = await getConnections(accessToken);
     const existingConnections = connections.filter((c) => c.provider === provider.toLowerCase());
     if (existingConnections.length > 0) {
-      console.log(pc11.gray(`
-You have ${existingConnections.length} ${providerInfo.displayName} connection(s):`));
+      message(dim(`You have ${existingConnections.length} ${providerInfo.displayName} connection(s):`));
       for (const conn of existingConnections) {
         const teamInfo = conn.providerTeamId ? `(Team: ${conn.providerTeamId})` : "(Personal)";
-        console.log(pc11.gray(`  - ${teamInfo}`));
+        message(dim(`  - ${teamInfo}`));
       }
-      console.log("");
-      const { action } = await prompts9({
-        type: "select",
-        name: "action",
+      const action = await select2({
         message: "What would you like to do?",
-        choices: [
-          { title: "Add another account/team", value: "add" },
-          { title: "Cancel", value: "cancel" }
+        options: [
+          { label: "Add another account/team", value: "add" },
+          { label: "Cancel", value: "cancel" }
         ]
       });
       if (action !== "add") {
-        console.log(pc11.gray("Keeping existing connections."));
+        message(dim("Keeping existing connections."));
         return;
       }
     }
-    console.log(pc11.blue(`
-Connecting to ${providerInfo.displayName}...
-`));
+    step(`Connecting to ${providerInfo.displayName}...`);
     let connected = false;
     if (TOKEN_AUTH_PROVIDERS.includes(provider.toLowerCase())) {
       connected = await connectWithTokenFlow(accessToken, provider.toLowerCase(), providerInfo.displayName);
@@ -2306,14 +2321,13 @@ Connecting to ${providerInfo.displayName}...
       provider: provider.toLowerCase(),
       success: connected
     });
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Connection failed";
+  } catch (error2) {
+    const message2 = error2 instanceof Error ? error2.message : "Connection failed";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "connect",
-      error: truncateMessage(message)
+      error: truncateMessage(message2)
     });
-    console.error(pc11.red(`
-\u2717 ${message}`));
+    error(message2);
     process.exit(1);
   }
 }
@@ -2322,25 +2336,24 @@ async function connectionsCommand(options = {}) {
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const { connections } = await getConnections(accessToken);
     if (connections.length === 0) {
-      console.log(pc11.gray("No provider connections found."));
-      console.log(pc11.gray("\nConnect to a provider with: keyway connect <provider>"));
-      console.log(pc11.gray("Available providers: vercel, railway"));
+      info("No provider connections found.");
+      message(dim("Connect to a provider with: keyway connect <provider>"));
+      message(dim("Available providers: vercel, railway"));
       return;
     }
-    console.log(pc11.blue("\n\u{1F4E1} Provider Connections\n"));
+    intro2("connections");
     for (const conn of connections) {
       const providerName = conn.provider.charAt(0).toUpperCase() + conn.provider.slice(1);
-      const teamInfo = conn.providerTeamId ? pc11.gray(` (Team: ${conn.providerTeamId})`) : "";
+      const teamInfo = conn.providerTeamId ? dim(` (Team: ${conn.providerTeamId})`) : "";
       const date = new Date(conn.createdAt).toLocaleDateString();
-      console.log(`  ${pc11.green("\u25CF")} ${pc11.bold(providerName)}${teamInfo}`);
-      console.log(pc11.gray(`    Connected: ${date}`));
-      console.log(pc11.gray(`    ID: ${conn.id}`));
-      console.log("");
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Failed to list connections";
-    console.error(pc11.red(`
-\u2717 ${message}`));
+      success(`${bold(providerName)}${teamInfo}`);
+      message(dim(`  Connected: ${date}`));
+      message(dim(`  ID: ${conn.id}`));
+    }
+    outro2("");
+  } catch (error2) {
+    const message2 = error2 instanceof Error ? error2.message : "Failed to list connections";
+    error(message2);
     process.exit(1);
   }
 }
@@ -2350,41 +2363,36 @@ async function disconnectCommand(provider, options = {}) {
     const { connections } = await getConnections(accessToken);
     const connection = connections.find((c) => c.provider === provider.toLowerCase());
     if (!connection) {
-      console.log(pc11.gray(`No connection found for provider: ${provider}`));
+      info(`No connection found for provider: ${provider}`);
       return;
     }
     const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    const { confirm } = await prompts9({
-      type: "confirm",
-      name: "confirm",
+    const confirm3 = await confirm2({
       message: `Disconnect from ${providerName}?`,
-      initial: false
+      initialValue: false
     });
-    if (!confirm) {
-      console.log(pc11.gray("Cancelled."));
+    if (!confirm3) {
+      message(dim("Cancelled."));
       return;
     }
     await deleteConnection(accessToken, connection.id);
-    console.log(pc11.green(`
-\u2713 Disconnected from ${providerName}`));
+    success(`Disconnected from ${providerName}`);
     trackEvent(AnalyticsEvents.CLI_DISCONNECT, {
       provider: provider.toLowerCase()
     });
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Disconnect failed";
+  } catch (error2) {
+    const message2 = error2 instanceof Error ? error2.message : "Disconnect failed";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "disconnect",
-      error: truncateMessage(message)
+      error: truncateMessage(message2)
     });
-    console.error(pc11.red(`
-\u2717 ${message}`));
+    error(message2);
     process.exit(1);
   }
 }
 
 // src/cmds/sync.ts
-import pc12 from "picocolors";
-import prompts10 from "prompts";
+import pc5 from "picocolors";
 function mapToVercelEnvironment(keywayEnv) {
   const mapping = {
     production: "production",
@@ -2428,38 +2436,35 @@ function mapToProviderEnvironment(provider, keywayEnv) {
 function displayDiffSummary(diff, providerName) {
   const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
   if (totalDiff === 0 && diff.same.length > 0) {
-    console.log(pc12.green(`
-\u2713 Already in sync (${diff.same.length} secrets)`));
+    success(`Already in sync (${diff.same.length} secrets)`);
     return;
   }
-  console.log(pc12.blue("\n\u{1F4CA} Comparison Summary\n"));
-  console.log(pc12.gray(`   Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets
-`));
+  step("Comparison Summary");
+  message(dim(`Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets`));
   if (diff.onlyInKeyway.length > 0) {
-    console.log(pc12.cyan(`   \u2192 ${diff.onlyInKeyway.length} only in Keyway`));
-    diff.onlyInKeyway.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
+    message(pc5.cyan(`\u2192 ${diff.onlyInKeyway.length} only in Keyway`));
+    diff.onlyInKeyway.slice(0, 3).forEach((key) => message(dim(`  ${key}`)));
     if (diff.onlyInKeyway.length > 3) {
-      console.log(pc12.gray(`      ... and ${diff.onlyInKeyway.length - 3} more`));
+      message(dim(`  ... and ${diff.onlyInKeyway.length - 3} more`));
     }
   }
   if (diff.onlyInProvider.length > 0) {
-    console.log(pc12.magenta(`   \u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
-    diff.onlyInProvider.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
+    message(pc5.magenta(`\u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
+    diff.onlyInProvider.slice(0, 3).forEach((key) => message(dim(`  ${key}`)));
     if (diff.onlyInProvider.length > 3) {
-      console.log(pc12.gray(`      ... and ${diff.onlyInProvider.length - 3} more`));
+      message(dim(`  ... and ${diff.onlyInProvider.length - 3} more`));
     }
   }
   if (diff.different.length > 0) {
-    console.log(pc12.yellow(`   \u2260 ${diff.different.length} with different values`));
-    diff.different.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
+    message(pc5.yellow(`\u2260 ${diff.different.length} with different values`));
+    diff.different.slice(0, 3).forEach((key) => message(dim(`  ${key}`)));
     if (diff.different.length > 3) {
-      console.log(pc12.gray(`      ... and ${diff.different.length - 3} more`));
+      message(dim(`  ... and ${diff.different.length - 3} more`));
     }
   }
   if (diff.same.length > 0) {
-    console.log(pc12.gray(`   = ${diff.same.length} identical`));
+    message(dim(`= ${diff.same.length} identical`));
   }
-  console.log("");
 }
 function getProjectDisplayName(project) {
   return project.serviceName || project.name;
@@ -2469,17 +2474,17 @@ function findMatchingProject(projects, repoFullName) {
   const repoName = repoFullName.split("/")[1]?.toLowerCase();
   if (!repoName) return void 0;
   const linkedMatch = projects.find(
-    (p) => p.linkedRepo?.toLowerCase() === repoFullNameLower
+    (p5) => p5.linkedRepo?.toLowerCase() === repoFullNameLower
   );
   if (linkedMatch) {
     return { project: linkedMatch, matchType: "linked_repo" };
   }
-  const exactNameMatch = projects.find((p) => p.name.toLowerCase() === repoName);
+  const exactNameMatch = projects.find((p5) => p5.name.toLowerCase() === repoName);
   if (exactNameMatch) {
     return { project: exactNameMatch, matchType: "exact_name" };
   }
   const partialMatches = projects.filter(
-    (p) => p.name.toLowerCase().includes(repoName) || repoName.includes(p.name.toLowerCase())
+    (p5) => p5.name.toLowerCase().includes(repoName) || repoName.includes(p5.name.toLowerCase())
   );
   if (partialMatches.length === 1) {
     return { project: partialMatches[0], matchType: "partial_name" };
@@ -2497,102 +2502,129 @@ function projectMatchesRepo(project, repoFullName) {
   }
   return false;
 }
-async function promptProjectSelection(projects, repoFullName) {
+async function selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, initialProjects) {
+  let projects = initialProjects;
+  while (true) {
+    const result = await promptProjectSelection(projects, repoFullName, providerDisplayName);
+    if (result === "connect_new") {
+      await connectCommand(provider, { loginPrompt: false });
+      const { projects: allProjects } = await getAllProviderProjects(accessToken, provider.toLowerCase());
+      projects = allProjects.map((p5) => ({
+        id: p5.id,
+        name: p5.name,
+        serviceId: p5.serviceId,
+        serviceName: p5.serviceName,
+        linkedRepo: p5.linkedRepo,
+        environments: p5.environments,
+        connectionId: p5.connectionId,
+        teamId: p5.teamId,
+        teamName: p5.teamName
+      }));
+      if (projects.length === 0) {
+        error("No projects found after connecting.");
+        process.exit(1);
+      }
+      success(`Found ${projects.length} projects. Select one:`);
+      continue;
+    }
+    return { project: result, projects };
+  }
+}
+async function promptProjectSelection(projects, repoFullName, providerDisplayName) {
   const repoName = repoFullName.split("/")[1]?.toLowerCase() || "";
-  const uniqueTeams = new Set(projects.map((p) => p.teamId || "personal"));
+  const uniqueTeams = new Set(projects.map((p5) => p5.teamId || "personal"));
   const hasMultipleAccounts = uniqueTeams.size > 1;
-  const choices = projects.map((p) => {
-    const displayName = getProjectDisplayName(p);
-    let title = displayName;
+  const options = projects.map((p5) => {
+    const displayName = getProjectDisplayName(p5);
+    let label = displayName;
     const badges = [];
     if (hasMultipleAccounts) {
-      if (p.teamName) {
-        badges.push(pc12.cyan(`[${p.teamName}]`));
-      } else if (p.teamId) {
-        const shortTeamId = p.teamId.length > 12 ? p.teamId.slice(0, 12) + "..." : p.teamId;
-        badges.push(pc12.cyan(`[team:${shortTeamId}]`));
+      if (p5.teamName) {
+        badges.push(pc5.cyan(`[${p5.teamName}]`));
+      } else if (p5.teamId) {
+        const shortTeamId = p5.teamId.length > 12 ? p5.teamId.slice(0, 12) + "..." : p5.teamId;
+        badges.push(pc5.cyan(`[team:${shortTeamId}]`));
       } else {
-        badges.push(pc12.cyan("[personal]"));
+        badges.push(pc5.cyan("[personal]"));
       }
     }
-    if (p.linkedRepo?.toLowerCase() === repoFullName.toLowerCase()) {
-      badges.push(pc12.green("\u2190 linked"));
-    } else if (p.name.toLowerCase() === repoName || p.serviceName?.toLowerCase() === repoName) {
-      badges.push(pc12.green("\u2190 same name"));
-    } else if (p.linkedRepo) {
-      badges.push(pc12.gray(`\u2192 ${p.linkedRepo}`));
+    if (p5.linkedRepo?.toLowerCase() === repoFullName.toLowerCase()) {
+      badges.push(pc5.green("\u2190 linked"));
+    } else if (p5.name.toLowerCase() === repoName || p5.serviceName?.toLowerCase() === repoName) {
+      badges.push(pc5.green("\u2190 same name"));
+    } else if (p5.linkedRepo) {
+      badges.push(pc5.gray(`\u2192 ${p5.linkedRepo}`));
     }
     if (badges.length > 0) {
-      title = `${displayName} ${badges.join(" ")}`;
+      label = `${displayName} ${badges.join(" ")}`;
     }
-    return { title, value: p.id };
+    return { label, value: p5.id };
+  });
+  options.push({
+    label: pc5.blue(`+ Connect another ${providerDisplayName} account`),
+    value: "__connect_new__"
   });
-  const { projectChoice } = await prompts10({
-    type: "select",
-    name: "projectChoice",
+  const projectChoice = await select2({
     message: "Select a project:",
-    choices
+    options
   });
   if (!projectChoice) {
-    console.log(pc12.gray("Cancelled."));
+    message(dim("Cancelled."));
     process.exit(0);
   }
-  return projects.find((p) => p.id === projectChoice);
+  if (projectChoice === "__connect_new__") {
+    return "connect_new";
+  }
+  return projects.find((p5) => p5.id === projectChoice);
 }
 async function syncCommand(provider, options = {}) {
   try {
     if (options.pull && options.allowDelete) {
-      console.error(pc12.red("Error: --allow-delete cannot be used with --pull"));
-      console.log(pc12.gray("The --allow-delete flag is only for push operations."));
+      error("--allow-delete cannot be used with --pull");
+      message(dim("The --allow-delete flag is only for push operations."));
       process.exit(1);
     }
     const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
     const repoFullName = detectGitRepo();
     if (!repoFullName) {
-      console.error(pc12.red("Could not detect Git repository."));
-      console.log(pc12.gray("Run this command from a Git repository directory."));
+      error("Could not detect Git repository.");
+      message(dim("Run this command from a Git repository directory."));
       process.exit(1);
     }
-    console.log(pc12.gray(`Repository: ${repoFullName}`));
+    step(`Repository: ${value(repoFullName)}`);
     const vaultExists = await checkVaultExists(accessToken, repoFullName);
     if (!vaultExists) {
-      console.log(pc12.yellow(`
-No vault found for ${repoFullName}.`));
-      const { shouldCreate } = await prompts10({
-        type: "confirm",
-        name: "shouldCreate",
+      warn(`No vault found for ${repoFullName}.`);
+      const shouldCreate = await confirm2({
         message: "Create vault now?",
-        initial: true
+        initialValue: true
       });
       if (!shouldCreate) {
-        console.log(pc12.gray("Cancelled. Run `keyway init` to create a vault first."));
+        message(dim("Cancelled. Run `keyway init` to create a vault first."));
         process.exit(0);
       }
-      console.log(pc12.gray("\nCreating vault..."));
+      const s = spinner2();
+      s.start("Creating vault...");
       try {
         await initVault(repoFullName, accessToken);
-        console.log(pc12.green(`\u2713 Vault created for ${repoFullName}
-`));
-      } catch (error) {
-        const message = error instanceof Error ? error.message : "Failed to create vault";
-        console.error(pc12.red(`
-\u2717 ${message}`));
+        s.stop(`Vault created for ${repoFullName}`);
+      } catch (error2) {
+        s.stop("Failed");
+        const message2 = error2 instanceof Error ? error2.message : "Failed to create vault";
+        error(message2);
         process.exit(1);
       }
     }
     const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
     let { projects: allProjects, connections } = await getAllProviderProjects(accessToken, provider.toLowerCase());
     if (connections.length === 0) {
-      console.log(pc12.yellow(`
-Not connected to ${providerDisplayName}.`));
-      const { shouldConnect } = await prompts10({
-        type: "confirm",
-        name: "shouldConnect",
+      warn(`Not connected to ${providerDisplayName}.`);
+      const shouldConnect = await confirm2({
         message: `Connect to ${providerDisplayName} now?`,
-        initial: true
+        initialValue: true
       });
       if (!shouldConnect) {
-        console.log(pc12.gray("Cancelled."));
+        message(dim("Cancelled."));
         process.exit(0);
       }
       await connectCommand(provider, { loginPrompt: false });
@@ -2600,77 +2632,71 @@ Not connected to ${providerDisplayName}.`));
       allProjects = refreshed.projects;
       connections = refreshed.connections;
       if (connections.length === 0) {
-        console.error(pc12.red(`
-Connection to ${providerDisplayName} failed.`));
+        error(`Connection to ${providerDisplayName} failed.`);
         process.exit(1);
       }
-      console.log("");
-    }
-    let projects = allProjects.map((p) => ({
-      id: p.id,
-      name: p.name,
-      serviceId: p.serviceId,
-      serviceName: p.serviceName,
-      linkedRepo: p.linkedRepo,
-      environments: p.environments,
-      connectionId: p.connectionId,
-      teamId: p.teamId,
-      teamName: p.teamName
+    }
+    let projects = allProjects.map((p5) => ({
+      id: p5.id,
+      name: p5.name,
+      serviceId: p5.serviceId,
+      serviceName: p5.serviceName,
+      linkedRepo: p5.linkedRepo,
+      environments: p5.environments,
+      connectionId: p5.connectionId,
+      teamId: p5.teamId,
+      teamName: p5.teamName
     }));
     if (options.team) {
       const teamFilter = options.team.toLowerCase();
       const filteredProjects = projects.filter(
-        (p) => p.teamId?.toLowerCase() === teamFilter || p.teamName?.toLowerCase() === teamFilter || // Match "personal" for null teamId
-        teamFilter === "personal" && !p.teamId
+        (p5) => p5.teamId?.toLowerCase() === teamFilter || p5.teamName?.toLowerCase() === teamFilter || // Match "personal" for null teamId
+        teamFilter === "personal" && !p5.teamId
       );
       if (filteredProjects.length === 0) {
-        console.error(pc12.red(`No projects found for team: ${options.team}`));
-        console.log(pc12.gray("Available teams:"));
+        error(`No projects found for team: ${options.team}`);
+        message(dim("Available teams:"));
         const teams = /* @__PURE__ */ new Set();
-        projects.forEach((p) => {
-          if (p.teamName) teams.add(p.teamName);
-          else if (p.teamId) teams.add(p.teamId);
+        projects.forEach((p5) => {
+          if (p5.teamName) teams.add(p5.teamName);
+          else if (p5.teamId) teams.add(p5.teamId);
           else teams.add("personal");
         });
-        teams.forEach((t) => console.log(pc12.gray(`  - ${t}`)));
+        teams.forEach((t) => message(dim(`  - ${t}`)));
         process.exit(1);
       }
       projects = filteredProjects;
-      console.log(pc12.gray(`Filtered to ${projects.length} projects in team: ${options.team}`));
+      message(dim(`Filtered to ${projects.length} projects in team: ${options.team}`));
     }
     if (projects.length === 0) {
-      console.error(pc12.red(`No projects found in your ${providerDisplayName} account(s).`));
+      error(`No projects found in your ${providerDisplayName} account(s).`);
       if (connections.length > 1) {
-        console.log(pc12.gray(`Checked ${connections.length} connected accounts.`));
+        message(dim(`Checked ${connections.length} connected accounts.`));
       }
       process.exit(1);
     }
     if (connections.length > 1 && !options.team) {
-      console.log(pc12.gray(`Searching ${projects.length} projects across ${connections.length} ${providerDisplayName} accounts...`));
+      message(dim(`Searching ${projects.length} projects across ${connections.length} ${providerDisplayName} accounts...`));
     }
     let selectedProject;
     if (options.project) {
       const found = projects.find(
-        (p) => p.id === options.project || p.name.toLowerCase() === options.project?.toLowerCase() || p.serviceName?.toLowerCase() === options.project?.toLowerCase()
+        (p5) => p5.id === options.project || p5.name.toLowerCase() === options.project?.toLowerCase() || p5.serviceName?.toLowerCase() === options.project?.toLowerCase()
       );
       if (!found) {
-        console.error(pc12.red(`Project not found: ${options.project}`));
-        console.log(pc12.gray("Available projects:"));
-        projects.forEach((p) => console.log(pc12.gray(`  - ${getProjectDisplayName(p)}`)));
+        error(`Project not found: ${options.project}`);
+        message(dim("Available projects:"));
+        projects.forEach((p5) => message(dim(`  - ${getProjectDisplayName(p5)}`)));
         process.exit(1);
       }
       selectedProject = found;
       if (!projectMatchesRepo(selectedProject, repoFullName)) {
-        console.log("");
-        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
+        warn("Project does not match current repository");
+        message(pc5.yellow(`Current repo:      ${repoFullName}`));
+        message(pc5.yellow(`Selected project:  ${getProjectDisplayName(selectedProject)}`));
         if (selectedProject.linkedRepo) {
-          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+          message(pc5.yellow(`Project linked to: ${selectedProject.linkedRepo}`));
         }
-        console.log("");
       }
     } else {
       const autoMatch = findMatchingProject(projects, repoFullName);
@@ -2679,78 +2705,67 @@ Connection to ${providerDisplayName} failed.`));
         const matchReason = autoMatch.matchType === "linked_repo" ? `linked to ${repoFullName}` : "exact name match";
         let teamInfo = "";
         if (selectedProject.teamName) {
-          teamInfo = pc12.gray(` (${selectedProject.teamName})`);
+          teamInfo = dim(` (${selectedProject.teamName})`);
         } else if (selectedProject.teamId && connections.length > 1) {
           const shortTeamId = selectedProject.teamId.length > 12 ? selectedProject.teamId.slice(0, 12) + "..." : selectedProject.teamId;
-          teamInfo = pc12.gray(` (team:${shortTeamId})`);
+          teamInfo = dim(` (team:${shortTeamId})`);
         }
-        console.log(pc12.green(`\u2713 Auto-selected project: ${getProjectDisplayName(selectedProject)}${teamInfo} (${matchReason})`));
+        success(`Auto-selected project: ${getProjectDisplayName(selectedProject)}${teamInfo} (${matchReason})`);
       } else if (autoMatch && autoMatch.matchType === "partial_name") {
         const partialDisplayName = getProjectDisplayName(autoMatch.project);
-        console.log(pc12.yellow(`Detected project: ${partialDisplayName} (partial match)`));
-        const { useDetected } = await prompts10({
-          type: "confirm",
-          name: "useDetected",
+        info(`Detected project: ${partialDisplayName} (partial match)`);
+        const useDetected = await confirm2({
           message: `Use ${partialDisplayName}?`,
-          initial: true
+          initialValue: true
         });
         if (useDetected) {
           selectedProject = autoMatch.project;
         } else {
-          selectedProject = await promptProjectSelection(projects, repoFullName);
+          const result = await selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, projects);
+          selectedProject = result.project;
+          projects = result.projects;
         }
       } else if (projects.length === 1) {
         selectedProject = projects[0];
         if (!projectMatchesRepo(selectedProject, repoFullName)) {
-          console.log("");
-          console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-          console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-          console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-          console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
-          console.log(pc12.yellow(`  Only project:      ${getProjectDisplayName(selectedProject)}`));
+          warn("Project does not match current repository");
+          message(pc5.yellow(`Current repo:      ${repoFullName}`));
+          message(pc5.yellow(`Only project:      ${getProjectDisplayName(selectedProject)}`));
           if (selectedProject.linkedRepo) {
-            console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+            message(pc5.yellow(`Project linked to: ${selectedProject.linkedRepo}`));
           }
-          console.log("");
-          const { continueAnyway } = await prompts10({
-            type: "confirm",
-            name: "continueAnyway",
+          const continueAnyway = await confirm2({
             message: "Continue anyway?",
-            initial: false
+            initialValue: false
           });
           if (!continueAnyway) {
-            console.log(pc12.gray("Cancelled."));
+            message(dim("Cancelled."));
             process.exit(0);
           }
         }
       } else {
-        console.log(pc12.yellow(`
-\u26A0\uFE0F  No matching project found for ${repoFullName}`));
-        console.log(pc12.gray("Select a project manually:\n"));
-        selectedProject = await promptProjectSelection(projects, repoFullName);
+        warn(`No matching project found for ${repoFullName}`);
+        message(dim("Select a project manually:"));
+        const result = await selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, projects);
+        selectedProject = result.project;
+        projects = result.projects;
       }
     }
     if (!options.project && !projectMatchesRepo(selectedProject, repoFullName)) {
       const autoMatch = findMatchingProject(projects, repoFullName);
       if (autoMatch && autoMatch.project.id !== selectedProject.id) {
-        console.log("");
-        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: You selected a different project              \u2502"));
-        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
+        warn("You selected a different project");
+        message(pc5.yellow(`Current repo:      ${repoFullName}`));
+        message(pc5.yellow(`Selected project:  ${getProjectDisplayName(selectedProject)}`));
         if (selectedProject.linkedRepo) {
-          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
+          message(pc5.yellow(`Project linked to: ${selectedProject.linkedRepo}`));
         }
-        console.log("");
-        const { continueAnyway } = await prompts10({
-          type: "confirm",
-          name: "continueAnyway",
+        const continueAnyway = await confirm2({
           message: "Are you sure you want to sync with this project?",
-          initial: false
+          initialValue: false
         });
         if (!continueAnyway) {
-          console.log(pc12.gray("Cancelled."));
+          message(dim("Cancelled."));
           process.exit(0);
         }
       }
@@ -2764,15 +2779,13 @@ Connection to ${providerDisplayName} failed.`));
     if (needsEnvPrompt || needsDirectionPrompt) {
       if (needsEnvPrompt) {
         const vaultEnvs = await getVaultEnvironments(accessToken, repoFullName);
-        const { selectedEnv } = await prompts10({
-          type: "select",
-          name: "selectedEnv",
+        const selectedEnv = await select2({
           message: "Keyway environment:",
-          choices: vaultEnvs.map((e) => ({ title: e, value: e })),
-          initial: Math.max(0, vaultEnvs.indexOf("production"))
+          options: vaultEnvs.map((e) => ({ label: e, value: e })),
+          initialValue: vaultEnvs.includes("production") ? "production" : vaultEnvs[0]
         });
         if (!selectedEnv) {
-          console.log(pc12.gray("Cancelled."));
+          message(dim("Cancelled."));
           process.exit(0);
         }
         keywayEnv = selectedEnv;
@@ -2786,19 +2799,15 @@ Connection to ${providerDisplayName} failed.`));
               providerEnv = mappedEnv;
             } else if (selectedProject.environments.length === 1) {
               providerEnv = selectedProject.environments[0];
-              console.log(pc12.gray(`Using ${providerName} environment: ${providerEnv}`));
+              message(dim(`Using ${providerName} environment: ${providerEnv}`));
             } else {
-              const { selectedProviderEnv } = await prompts10({
-                type: "select",
-                name: "selectedProviderEnv",
+              const selectedProviderEnv = await select2({
                 message: `${providerName} environment:`,
-                choices: selectedProject.environments.map((e) => ({ title: e, value: e })),
-                initial: Math.max(0, selectedProject.environments.findIndex(
-                  (e) => e.toLowerCase() === "production"
-                ))
+                options: selectedProject.environments.map((e) => ({ label: e, value: e })),
+                initialValue: selectedProject.environments.includes("production") ? "production" : selectedProject.environments[0]
               });
               if (!selectedProviderEnv) {
-                console.log(pc12.gray("Cancelled."));
+                message(dim("Cancelled."));
                 process.exit(0);
               }
               providerEnv = selectedProviderEnv;
@@ -2812,7 +2821,8 @@ Connection to ${providerDisplayName} failed.`));
       if (needsDirectionPrompt) {
         const effectiveKeywayEnv = keywayEnv || "production";
         const effectiveProviderEnv = providerEnv || mapToProviderEnvironment(provider, effectiveKeywayEnv);
-        console.log(pc12.gray("\nComparing secrets..."));
+        const s = spinner2();
+        s.start("Comparing secrets...");
         diff = await getSyncDiff(accessToken, repoFullName, {
           connectionId: selectedProject.connectionId,
           projectId: selectedProject.id,
@@ -2821,6 +2831,7 @@ Connection to ${providerDisplayName} failed.`));
           keywayEnvironment: effectiveKeywayEnv,
           providerEnvironment: effectiveProviderEnv
         });
+        s.stop("Compared");
         displayDiffSummary(diff, providerName);
         const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
         if (totalDiff === 0) {
@@ -2828,24 +2839,17 @@ Connection to ${providerDisplayName} failed.`));
         }
       }
       if (needsDirectionPrompt && diff) {
-        let defaultDirection = 0;
-        if (diff.keywayCount === 0 && diff.providerCount > 0) {
-          defaultDirection = 1;
-        } else if (diff.providerCount === 0 && diff.keywayCount > 0) {
-          defaultDirection = 0;
-        }
-        const { selectedDirection } = await prompts10({
-          type: "select",
-          name: "selectedDirection",
+        const defaultDirection = diff.keywayCount === 0 && diff.providerCount > 0 ? "pull" : "push";
+        const selectedDirection = await select2({
           message: "Sync direction:",
-          choices: [
-            { title: `Keyway \u2192 ${providerName}`, value: "push" },
-            { title: `${providerName} \u2192 Keyway`, value: "pull" }
+          options: [
+            { label: `Keyway \u2192 ${providerName}`, value: "push" },
+            { label: `${providerName} \u2192 Keyway`, value: "pull" }
           ],
-          initial: defaultDirection
+          initialValue: defaultDirection
         });
         if (!selectedDirection) {
-          console.log(pc12.gray("Cancelled."));
+          message(dim("Cancelled."));
           process.exit(0);
         }
         direction = selectedDirection;
@@ -2862,14 +2866,11 @@ Connection to ${providerDisplayName} failed.`));
       keywayEnv
     );
     if (status.isFirstSync && direction === "push" && status.vaultIsEmpty && status.providerHasSecrets) {
-      console.log(pc12.yellow(`
-\u26A0\uFE0F  Your Keyway vault is empty for "${keywayEnv}", but ${providerName} has ${status.providerSecretCount} secrets.`));
-      console.log(pc12.gray(`   (Use --environment to sync a different environment)`));
-      const { importFirst } = await prompts10({
-        type: "confirm",
-        name: "importFirst",
+      warn(`Your Keyway vault is empty for "${keywayEnv}", but ${providerName} has ${status.providerSecretCount} secrets.`);
+      message(dim("(Use --environment to sync a different environment)"));
+      const importFirst = await confirm2({
         message: `Import secrets from ${providerName} first?`,
-        initial: true
+        initialValue: true
       });
       if (importFirst) {
         await executeSyncOperation(
@@ -2900,14 +2901,13 @@ Connection to ${providerDisplayName} failed.`));
       options.yes || false,
       provider
     );
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Sync failed";
+  } catch (error2) {
+    const message2 = error2 instanceof Error ? error2.message : "Sync failed";
     trackEvent(AnalyticsEvents.CLI_ERROR, {
       command: "sync",
-      error: truncateMessage(message)
+      error: truncateMessage(message2)
     });
-    console.error(pc12.red(`
-\u2717 ${message}`));
+    error(message2);
     process.exit(1);
   }
 }
@@ -2925,49 +2925,47 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
   });
   const totalChanges = preview.toCreate.length + preview.toUpdate.length + preview.toDelete.length;
   if (totalChanges === 0) {
-    console.log(pc12.green("\n\u2713 Already in sync. No changes needed."));
+    success("Already in sync. No changes needed.");
     return;
   }
-  console.log(pc12.blue("\n\u{1F4CB} Sync Preview\n"));
+  step("Sync Preview");
   if (preview.toCreate.length > 0) {
-    console.log(pc12.green(`  + ${preview.toCreate.length} to create`));
-    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
+    message(pc5.green(`+ ${preview.toCreate.length} to create`));
+    preview.toCreate.slice(0, 5).forEach((key) => message(dim(`  ${key}`)));
     if (preview.toCreate.length > 5) {
-      console.log(pc12.gray(`    ... and ${preview.toCreate.length - 5} more`));
+      message(dim(`  ... and ${preview.toCreate.length - 5} more`));
     }
   }
   if (preview.toUpdate.length > 0) {
-    console.log(pc12.yellow(`  ~ ${preview.toUpdate.length} to update`));
-    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
+    message(pc5.yellow(`~ ${preview.toUpdate.length} to update`));
+    preview.toUpdate.slice(0, 5).forEach((key) => message(dim(`  ${key}`)));
     if (preview.toUpdate.length > 5) {
-      console.log(pc12.gray(`    ... and ${preview.toUpdate.length - 5} more`));
+      message(dim(`  ... and ${preview.toUpdate.length - 5} more`));
     }
   }
   if (preview.toDelete.length > 0) {
-    console.log(pc12.red(`  - ${preview.toDelete.length} to delete`));
-    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
+    message(pc5.red(`- ${preview.toDelete.length} to delete`));
+    preview.toDelete.slice(0, 5).forEach((key) => message(dim(`  ${key}`)));
     if (preview.toDelete.length > 5) {
-      console.log(pc12.gray(`    ... and ${preview.toDelete.length - 5} more`));
+      message(dim(`  ... and ${preview.toDelete.length - 5} more`));
     }
   }
   if (preview.toSkip.length > 0) {
-    console.log(pc12.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
+    message(dim(`\u25CB ${preview.toSkip.length} unchanged`));
   }
-  console.log("");
   if (!skipConfirm) {
     const target = direction === "push" ? providerName : "Keyway";
-    const { confirm } = await prompts10({
-      type: "confirm",
-      name: "confirm",
+    const confirm3 = await confirm2({
       message: `Apply ${totalChanges} changes to ${target}?`,
-      initial: true
+      initialValue: true
     });
-    if (!confirm) {
-      console.log(pc12.gray("Cancelled."));
+    if (!confirm3) {
+      message(dim("Cancelled."));
       return;
     }
   }
-  console.log(pc12.blue("\n\u23F3 Syncing...\n"));
+  const s = spinner2();
+  s.start("Syncing...");
   const result = await executeSync(accessToken, repoFullName, {
     connectionId,
     projectId: project.id,
@@ -2979,11 +2977,11 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
     allowDelete
   });
   if (result.success) {
-    console.log(pc12.green("\u2713 Sync complete"));
-    console.log(pc12.gray(`  Created: ${result.stats.created}`));
-    console.log(pc12.gray(`  Updated: ${result.stats.updated}`));
+    s.stop("Sync complete");
+    message(dim(`Created: ${result.stats.created}`));
+    message(dim(`Updated: ${result.stats.updated}`));
     if (result.stats.deleted > 0) {
-      console.log(pc12.gray(`  Deleted: ${result.stats.deleted}`));
+      message(dim(`Deleted: ${result.stats.deleted}`));
     }
     trackEvent(AnalyticsEvents.CLI_SYNC, {
       provider,
@@ -2993,27 +2991,19 @@ async function executeSyncOperation(accessToken, repoFullName, connectionId, pro
       deleted: result.stats.deleted
     });
   } else {
-    console.error(pc12.red(`
-\u2717 ${result.error}`));
+    s.stop("Failed");
+    error(result.error || "Sync failed");
     process.exit(1);
   }
 }
 
 // src/cli.ts
 process.on("unhandledRejection", (reason) => {
-  console.error(pc13.red("Unhandled error:"), reason);
+  error(`Unhandled error: ${reason}`);
   process.exit(1);
 });
 var program = new Command();
 var TAGLINE = "Sync secrets with your team and infra";
-var showBanner = () => {
-  const text = pc13.bold(pc13.cyan("Keyway CLI"));
-  console.log(`
-${text}
-${pc13.gray(TAGLINE)}
-`);
-};
-showBanner();
 program.name("keyway").description(TAGLINE).version(package_default.version);
 program.command("init").description("Initialize a vault for the current repository").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
   await initCommand(options);
@@ -3050,9 +3040,8 @@ ci.command("setup").description("Setup GitHub Actions integration (adds KEYWAY_T
   await ciSetupCommand(options);
 });
 (async () => {
-  await warnIfEnvNotGitignored();
   await program.parseAsync();
-})().catch((error) => {
-  console.error(pc13.red("Error:"), error.message || error);
+})().catch((error2) => {
+  error(error2.message || error2);
   process.exit(1);
 });