npm - @keywaysh/cli - Versions diffs - 0.1.16 → 0.3.1 - Mend

@keywaysh/cli 0.1.16 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/cli.js DELETED Viewed

@@ -1,3100 +0,0 @@
-#!/usr/bin/env node
-import {
-  clearAuth,
-  getAuthFilePath,
-  getStoredAuth,
-  saveAuthToken
-} from "./chunk-F4C46224.js";
-// src/cli.ts
-import { Command } from "commander";
-import pc13 from "picocolors";
-// src/cmds/init.ts
-import pc7 from "picocolors";
-import prompts6 from "prompts";
-// src/utils/git.ts
-import { execSync } from "child_process";
-import fs from "fs";
-import path from "path";
-import pc from "picocolors";
-import prompts from "prompts";
-function getCurrentRepoFullName() {
-  try {
-    if (!isGitRepository()) {
-      throw new Error("Not in a git repository");
-    }
-    const remoteUrl = execSync("git config --get remote.origin.url", {
-      encoding: "utf-8"
-    }).trim();
-    return parseGitHubUrl(remoteUrl);
-  } catch (error) {
-    throw new Error("Failed to get repository name. Make sure you are in a git repository with a GitHub remote.");
-  }
-}
-function isGitRepository() {
-  try {
-    execSync("git rev-parse --is-inside-work-tree", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function detectGitRepo() {
-  try {
-    const remoteUrl = execSync("git remote get-url origin", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    }).trim();
-    return parseGitHubUrl(remoteUrl);
-  } catch {
-    return null;
-  }
-}
-function parseGitHubUrl(url) {
-  const sshMatch = url.match(/git@github\.com:(.+)\/(.+)\.git/);
-  if (sshMatch) {
-    return `${sshMatch[1]}/${sshMatch[2]}`;
-  }
-  const httpsMatch = url.match(/https:\/\/github\.com\/(.+)\/(.+)\.git/);
-  if (httpsMatch) {
-    return `${httpsMatch[1]}/${httpsMatch[2]}`;
-  }
-  const httpsMatch2 = url.match(/https:\/\/github\.com\/(.+)\/(.+)/);
-  if (httpsMatch2) {
-    return `${httpsMatch2[1]}/${httpsMatch2[2]}`;
-  }
-  throw new Error(`Invalid GitHub URL: ${url}`);
-}
-function checkEnvGitignore() {
-  try {
-    const gitRoot = execSync("git rev-parse --show-toplevel", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    }).trim();
-    const gitignorePath = path.join(gitRoot, ".gitignore");
-    if (!fs.existsSync(gitignorePath)) {
-      return false;
-    }
-    const content = fs.readFileSync(gitignorePath, "utf-8");
-    const lines = content.split("\n").map((l) => l.trim());
-    const envPatterns = [".env", ".env*", ".env.*", "*.env"];
-    return envPatterns.some((pattern) => lines.includes(pattern));
-  } catch {
-    return true;
-  }
-}
-function addEnvToGitignore() {
-  try {
-    const gitRoot = execSync("git rev-parse --show-toplevel", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    }).trim();
-    const gitignorePath = path.join(gitRoot, ".gitignore");
-    const envEntry = ".env*";
-    if (fs.existsSync(gitignorePath)) {
-      const content = fs.readFileSync(gitignorePath, "utf-8");
-      const newContent = content.endsWith("\n") ? `${content}${envEntry}
-` : `${content}
-${envEntry}
-`;
-      fs.writeFileSync(gitignorePath, newContent);
-    } else {
-      fs.writeFileSync(gitignorePath, `${envEntry}
-`);
-    }
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function warnIfEnvNotGitignored() {
-  if (checkEnvGitignore()) {
-    return;
-  }
-  console.log(pc.yellow("\u26A0\uFE0F  .env files are not in .gitignore - secrets may be committed"));
-  const { addToGitignore } = await prompts({
-    type: "confirm",
-    name: "addToGitignore",
-    message: "Add .env* to .gitignore?",
-    initial: true
-  });
-  if (addToGitignore) {
-    if (addEnvToGitignore()) {
-      console.log(pc.green("\u2713 Added .env* to .gitignore"));
-    } else {
-      console.log(pc.red("\u2717 Failed to update .gitignore"));
-    }
-  }
-}
-// src/config/internal.ts
-var INTERNAL_API_URL = "https://api.keyway.sh";
-var INTERNAL_POSTHOG_KEY = "phc_duG0qqI5z8LeHrS9pNxR5KaD4djgD0nmzUxuD3zP0ov";
-var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
-// package.json
-var package_default = {
-  name: "@keywaysh/cli",
-  version: "0.1.16",
-  description: "One link to all your secrets",
-  type: "module",
-  bin: {
-    keyway: "./dist/cli.js"
-  },
-  main: "./dist/cli.js",
-  files: [
-    "dist"
-  ],
-  scripts: {
-    dev: "pnpm exec tsx src/cli.ts",
-    "dev:local": "NODE_TLS_REJECT_UNAUTHORIZED=0 KEYWAY_API_URL=https://localhost/api pnpm exec tsx src/cli.ts",
-    build: "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    prepublishOnly: "pnpm run build",
-    test: "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest",
-    "test:coverage": "pnpm exec vitest run --coverage",
-    release: "npm version patch && git push && git push --tags",
-    "release:minor": "npm version minor && git push && git push --tags",
-    "release:major": "npm version major && git push && git push --tags"
-  },
-  keywords: [
-    "secrets",
-    "env",
-    "keyway",
-    "cli",
-    "devops"
-  ],
-  author: "Nicolas Ritouet",
-  license: "MIT",
-  homepage: "https://keyway.sh",
-  repository: {
-    type: "git",
-    url: "https://github.com/keywaysh/cli.git"
-  },
-  bugs: {
-    url: "https://github.com/keywaysh/cli/issues"
-  },
-  packageManager: "pnpm@10.6.1",
-  engines: {
-    node: ">=18.0.0"
-  },
-  dependencies: {
-    "@octokit/rest": "^22.0.1",
-    "balanced-match": "^3.0.1",
-    commander: "^14.0.0",
-    conf: "^15.0.2",
-    "libsodium-wrappers": "^0.7.15",
-    open: "^11.0.0",
-    picocolors: "^1.1.1",
-    "posthog-node": "^3.5.0",
-    prompts: "^2.4.2"
-  },
-  devDependencies: {
-    "@types/balanced-match": "^3.0.2",
-    "@types/libsodium-wrappers": "^0.7.14",
-    "@types/node": "^24.2.0",
-    "@types/prompts": "^2.4.9",
-    "@vitest/coverage-v8": "^3.0.0",
-    msw: "^2.12.4",
-    tsup: "^8.5.0",
-    tsx: "^4.20.3",
-    typescript: "^5.9.2",
-    vitest: "^3.2.4"
-  }
-};
-// src/utils/api.ts
-var API_BASE_URL = process.env.KEYWAY_API_URL || INTERNAL_API_URL;
-var USER_AGENT = `keyway-cli/${package_default.version}`;
-var DEFAULT_TIMEOUT_MS = 3e4;
-function truncateMessage(message, maxLength = 200) {
-  if (message.length <= maxLength) return message;
-  return message.slice(0, maxLength - 3) + "...";
-}
-var NETWORK_ERROR_MESSAGES = {
-  ECONNREFUSED: "Cannot connect to Keyway API server. Is the server running?",
-  ECONNRESET: "Connection was reset. Please try again.",
-  ENOTFOUND: "DNS lookup failed. Check your internet connection.",
-  ETIMEDOUT: "Connection timed out. Check your network connection.",
-  ENETUNREACH: "Network is unreachable. Check your internet connection.",
-  EHOSTUNREACH: "Host is unreachable. Check your network connection.",
-  CERT_HAS_EXPIRED: "SSL certificate has expired. Contact support.",
-  UNABLE_TO_VERIFY_LEAF_SIGNATURE: "SSL certificate verification failed.",
-  EPROTO: "SSL/TLS protocol error. Try again later."
-};
-function handleNetworkError(error) {
-  const errorCode = error.code || error.cause?.code;
-  if (errorCode && NETWORK_ERROR_MESSAGES[errorCode]) {
-    return new Error(NETWORK_ERROR_MESSAGES[errorCode]);
-  }
-  const message = error.message.toLowerCase();
-  if (message.includes("fetch failed") || message.includes("network")) {
-    return new Error("Network error. Check your internet connection and try again.");
-  }
-  return error;
-}
-async function fetchWithTimeout(url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    return await fetch(url, {
-      ...options,
-      signal: controller.signal
-    });
-  } catch (error) {
-    if (error instanceof Error) {
-      if (error.name === "AbortError") {
-        throw new Error(`Request timeout after ${timeoutMs / 1e3}s. Check your network connection.`);
-      }
-      throw handleNetworkError(error);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-function validateApiUrl(url) {
-  const parsed = new URL(url);
-  if (parsed.protocol !== "https:") {
-    const isLocalhost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "0.0.0.0";
-    if (!isLocalhost) {
-      throw new Error(
-        `Insecure API URL detected: ${url}
-HTTPS is required for security. If this is a development server, use localhost or configure HTTPS.`
-      );
-    }
-    if (!process.env.KEYWAY_DISABLE_SECURITY_WARNINGS) {
-      console.warn(
-        `\u26A0\uFE0F  WARNING: Using insecure HTTP connection to ${url}
-This should only be used for local development.
-Set KEYWAY_DISABLE_SECURITY_WARNINGS=1 to suppress this warning.`
-      );
-    }
-  }
-}
-validateApiUrl(API_BASE_URL);
-var APIError = class extends Error {
-  constructor(statusCode, error, message, upgradeUrl) {
-    super(message);
-    this.statusCode = statusCode;
-    this.error = error;
-    this.upgradeUrl = upgradeUrl;
-    this.name = "APIError";
-  }
-};
-async function handleResponse(response) {
-  const contentType = response.headers.get("content-type") || "";
-  const text = await response.text();
-  if (!response.ok) {
-    if (contentType.includes("application/json")) {
-      try {
-        const error = JSON.parse(text);
-        throw new APIError(response.status, error.title || "Error", error.detail || `HTTP ${response.status}`, error.upgradeUrl);
-      } catch (e) {
-        if (e instanceof APIError) throw e;
-        throw new APIError(response.status, "Error", text || `HTTP ${response.status}`);
-      }
-    }
-    throw new APIError(response.status, "Error", text || `HTTP ${response.status}`);
-  }
-  if (!text) {
-    return {};
-  }
-  if (contentType.includes("application/json")) {
-    try {
-      return JSON.parse(text);
-    } catch {
-    }
-  }
-  return { content: text };
-}
-async function initVault(repoFullName, accessToken) {
-  const body = { repoFullName };
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": USER_AGENT
-  };
-  if (accessToken) {
-    headers.Authorization = `Bearer ${accessToken}`;
-  }
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/vaults`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body)
-  });
-  const result = await handleResponse(response);
-  return result.data;
-}
-function parseEnvContent(content) {
-  const result = {};
-  const lines = content.split("\n");
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    const eqIndex = trimmed.indexOf("=");
-    if (eqIndex === -1) continue;
-    const key = trimmed.substring(0, eqIndex).trim();
-    let value = trimmed.substring(eqIndex + 1);
-    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
-    }
-    if (key) result[key] = value;
-  }
-  return result;
-}
-async function pushSecrets(repoFullName, environment, content, accessToken) {
-  const secrets = parseEnvContent(content);
-  const body = { repoFullName, environment, secrets };
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": USER_AGENT
-  };
-  if (accessToken) {
-    headers.Authorization = `Bearer ${accessToken}`;
-  }
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/secrets/push`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body)
-  });
-  const result = await handleResponse(response);
-  return result.data;
-}
-async function pullSecrets(repoFullName, environment, accessToken) {
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": USER_AGENT
-  };
-  if (accessToken) {
-    headers.Authorization = `Bearer ${accessToken}`;
-  }
-  const params = new URLSearchParams({
-    repo: repoFullName,
-    environment
-  });
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/secrets/pull?${params}`, {
-    method: "GET",
-    headers
-  });
-  const result = await handleResponse(response);
-  return { content: result.data.content };
-}
-async function startDeviceLogin(repository) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/device/start`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT
-    },
-    body: JSON.stringify(repository ? { repository } : {})
-  });
-  return handleResponse(response);
-}
-async function pollDeviceLogin(deviceCode) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/device/poll`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT
-    },
-    body: JSON.stringify({ deviceCode })
-  });
-  return handleResponse(response);
-}
-async function validateToken(token) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/token/validate`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${token}`
-    },
-    body: JSON.stringify({})
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getProviders() {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations`, {
-    method: "GET",
-    headers: {
-      "User-Agent": USER_AGENT
-    }
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getConnections(accessToken) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections`, {
-    method: "GET",
-    headers: {
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    }
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function deleteConnection(accessToken, connectionId) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}`, {
-    method: "DELETE",
-    headers: {
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    }
-  });
-  await handleResponse(response);
-}
-function getProviderAuthUrl(provider, accessToken, redirectUri) {
-  const params = new URLSearchParams({ token: accessToken });
-  if (redirectUri) params.set("redirect_uri", redirectUri);
-  return `${API_BASE_URL}/v1/integrations/${provider}/authorize?${params}`;
-}
-async function getAllProviderProjects(accessToken, provider) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/providers/${provider}/all-projects`, {
-    method: "GET",
-    headers: {
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    }
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getSyncStatus(accessToken, repoFullName, connectionId, projectId, environment = "production") {
-  const [owner, repo] = repoFullName.split("/");
-  const params = new URLSearchParams({
-    connectionId,
-    projectId,
-    environment
-  });
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/status?${params}`,
-    {
-      method: "GET",
-      headers: {
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      }
-    }
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getSyncDiff(accessToken, repoFullName, options) {
-  const [owner, repo] = repoFullName.split("/");
-  const params = new URLSearchParams({
-    connectionId: options.connectionId,
-    projectId: options.projectId,
-    keywayEnvironment: options.keywayEnvironment || "production",
-    providerEnvironment: options.providerEnvironment || "production"
-  });
-  if (options.serviceId) {
-    params.set("serviceId", options.serviceId);
-  }
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/diff?${params}`,
-    {
-      method: "GET",
-      headers: {
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      }
-    },
-    6e4
-    // 60 seconds
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getSyncPreview(accessToken, repoFullName, options) {
-  const [owner, repo] = repoFullName.split("/");
-  const params = new URLSearchParams({
-    connectionId: options.connectionId,
-    projectId: options.projectId,
-    keywayEnvironment: options.keywayEnvironment || "production",
-    providerEnvironment: options.providerEnvironment || "production",
-    direction: options.direction || "push",
-    allowDelete: String(options.allowDelete || false)
-  });
-  if (options.serviceId) {
-    params.set("serviceId", options.serviceId);
-  }
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/preview?${params}`,
-    {
-      method: "GET",
-      headers: {
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      }
-    },
-    6e4
-    // 60 seconds for sync operations
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function executeSync(accessToken, repoFullName, options) {
-  const [owner, repo] = repoFullName.split("/");
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync`,
-    {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      },
-      body: JSON.stringify({
-        connectionId: options.connectionId,
-        projectId: options.projectId,
-        serviceId: options.serviceId,
-        keywayEnvironment: options.keywayEnvironment || "production",
-        providerEnvironment: options.providerEnvironment || "production",
-        direction: options.direction || "push",
-        allowDelete: options.allowDelete || false
-      })
-    },
-    12e4
-    // 2 minutes for sync execution
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function connectWithToken(accessToken, provider, providerToken) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/${provider}/connect`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    },
-    body: JSON.stringify({ token: providerToken })
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function checkVaultExists(accessToken, repoFullName) {
-  const [owner, repo] = repoFullName.split("/");
-  try {
-    const response = await fetchWithTimeout(
-      `${API_BASE_URL}/v1/vaults/${owner}/${repo}`,
-      {
-        method: "GET",
-        headers: {
-          "User-Agent": USER_AGENT,
-          Authorization: `Bearer ${accessToken}`
-        }
-      }
-    );
-    return response.ok;
-  } catch {
-    return false;
-  }
-}
-async function getVaultEnvironments(accessToken, repoFullName) {
-  const [owner, repo] = repoFullName.split("/");
-  try {
-    const response = await fetchWithTimeout(
-      `${API_BASE_URL}/v1/vaults/${owner}/${repo}`,
-      {
-        method: "GET",
-        headers: {
-          "User-Agent": USER_AGENT,
-          Authorization: `Bearer ${accessToken}`
-        }
-      }
-    );
-    const wrapped = await handleResponse(response);
-    return wrapped.data.environments || ["production"];
-  } catch {
-    return ["production"];
-  }
-}
-async function checkGitHubAppInstallation(repoOwner, repoName, accessToken) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/github/check-installation`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    },
-    body: JSON.stringify({ repoOwner, repoName })
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-// src/utils/analytics.ts
-import { PostHog } from "posthog-node";
-import crypto from "crypto";
-import path2 from "path";
-import os from "os";
-import fs2 from "fs";
-var posthog = null;
-var distinctId = null;
-var CONFIG_DIR = path2.join(os.homedir(), ".config", "keyway");
-var ID_FILE = path2.join(CONFIG_DIR, "id.json");
-var TELEMETRY_DISABLED = process.env.KEYWAY_DISABLE_TELEMETRY === "1";
-var CI = process.env.CI === "true" || process.env.CI === "1";
-function getDistinctId() {
-  if (distinctId) return distinctId;
-  try {
-    if (!fs2.existsSync(CONFIG_DIR)) {
-      fs2.mkdirSync(CONFIG_DIR, { recursive: true });
-    }
-    if (fs2.existsSync(ID_FILE)) {
-      const content = fs2.readFileSync(ID_FILE, "utf-8");
-      const config2 = JSON.parse(content);
-      distinctId = config2.distinctId;
-      return distinctId;
-    }
-    distinctId = crypto.randomUUID();
-    const config = { distinctId };
-    fs2.writeFileSync(ID_FILE, JSON.stringify(config, null, 2), { encoding: "utf-8", mode: 384 });
-    try {
-      fs2.chmodSync(ID_FILE, 384);
-    } catch {
-    }
-    return distinctId;
-  } catch (error) {
-    console.warn("Failed to persist distinct ID, using session-based ID");
-    distinctId = `session-${crypto.randomUUID()}`;
-    return distinctId;
-  }
-}
-function initPostHog() {
-  if (posthog) return;
-  if (TELEMETRY_DISABLED) return;
-  const apiKey = process.env.KEYWAY_POSTHOG_KEY || INTERNAL_POSTHOG_KEY;
-  if (!apiKey) return;
-  posthog = new PostHog(apiKey, {
-    host: process.env.KEYWAY_POSTHOG_HOST || INTERNAL_POSTHOG_HOST
-  });
-}
-function trackEvent(event, properties) {
-  try {
-    if (TELEMETRY_DISABLED) return;
-    if (!posthog) initPostHog();
-    if (!posthog) return;
-    const id = getDistinctId();
-    const sanitizedProperties = properties ? sanitizeProperties(properties) : {};
-    posthog.capture({
-      distinctId: id,
-      event,
-      properties: {
-        ...sanitizedProperties,
-        source: "cli",
-        platform: process.platform,
-        nodeVersion: process.version,
-        version: package_default.version,
-        ci: CI
-      }
-    });
-  } catch (error) {
-    console.debug("Analytics error:", error);
-  }
-}
-function sanitizeProperties(properties) {
-  const sanitized = {};
-  for (const [key, value] of Object.entries(properties)) {
-    if (key.toLowerCase().includes("secret") || key.toLowerCase().includes("token") || key.toLowerCase().includes("password") || key.toLowerCase().includes("content") || key.toLowerCase().includes("key") || key.toLowerCase().includes("value")) {
-      continue;
-    }
-    if (value && typeof value === "string" && value.length > 500) {
-      sanitized[key] = `${value.slice(0, 200)}...`;
-      continue;
-    }
-    sanitized[key] = value;
-  }
-  return sanitized;
-}
-async function shutdownAnalytics() {
-  if (posthog) {
-    await posthog.shutdown();
-  }
-}
-function identifyUser(userId, properties) {
-  try {
-    if (TELEMETRY_DISABLED) return;
-    if (!posthog) initPostHog();
-    if (!posthog) return;
-    const sanitizedProperties = properties ? sanitizeProperties(properties) : {};
-    posthog.identify({
-      distinctId: userId,
-      properties: {
-        ...sanitizedProperties,
-        source: "cli"
-      }
-    });
-    const anonId = getDistinctId();
-    if (anonId && anonId !== userId) {
-      posthog.alias({
-        distinctId: userId,
-        alias: anonId
-      });
-    }
-  } catch (error) {
-    console.debug("Analytics identify error:", error);
-  }
-}
-var AnalyticsEvents = {
-  CLI_INIT: "cli_init",
-  CLI_PUSH: "cli_push",
-  CLI_PULL: "cli_pull",
-  CLI_ERROR: "cli_error",
-  CLI_LOGIN: "cli_login",
-  CLI_DOCTOR: "cli_doctor",
-  CLI_CONNECT: "cli_connect",
-  CLI_DISCONNECT: "cli_disconnect",
-  CLI_SYNC: "cli_sync",
-  CLI_FEEDBACK: "cli_feedback"
-};
-// src/cmds/readme.ts
-import fs3 from "fs";
-import path3 from "path";
-import prompts2 from "prompts";
-import pc2 from "picocolors";
-import balanced from "balanced-match";
-function generateBadge(repo) {
-  return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/vaults/${repo})`;
-}
-var BADGE_PREFIX = /\[!\[[^\]]*\]\([^)]*\)\]\(/g;
-var H1_PATTERN = /^#\s+/;
-var CODE_FENCE = /^```/;
-function findLastBadgeEnd(line) {
-  let lastEnd = -1;
-  let match;
-  BADGE_PREFIX.lastIndex = 0;
-  while ((match = BADGE_PREFIX.exec(line)) !== null) {
-    const prefixEnd = match.index + match[0].length - 1;
-    const remainder = line.substring(prefixEnd);
-    const balancedMatch = balanced("(", ")", remainder);
-    if (balancedMatch) {
-      lastEnd = prefixEnd + balancedMatch.end + 1;
-    }
-  }
-  return lastEnd;
-}
-function insertBadgeIntoReadme(readmeContent, badge) {
-  if (readmeContent.includes("keyway.sh/badge.svg")) {
-    return readmeContent;
-  }
-  const lines = readmeContent.split(/\r?\n/);
-  let inCodeBlock = false;
-  let inHtmlComment = false;
-  let lastBadgeLine = -1;
-  let lastBadgeEndIndex = -1;
-  let firstH1Line = -1;
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (CODE_FENCE.test(trimmed)) {
-      inCodeBlock = !inCodeBlock;
-      continue;
-    }
-    if (inCodeBlock) continue;
-    if (trimmed.includes("<!--")) inHtmlComment = true;
-    if (trimmed.includes("-->")) {
-      inHtmlComment = false;
-      continue;
-    }
-    if (inHtmlComment) continue;
-    BADGE_PREFIX.lastIndex = 0;
-    if (BADGE_PREFIX.test(line)) {
-      lastBadgeLine = i;
-      lastBadgeEndIndex = findLastBadgeEnd(line);
-    }
-    if (firstH1Line === -1 && H1_PATTERN.test(line)) {
-      firstH1Line = i;
-    }
-  }
-  if (lastBadgeLine >= 0 && lastBadgeEndIndex > 0) {
-    const line = lines[lastBadgeLine];
-    lines[lastBadgeLine] = line.slice(0, lastBadgeEndIndex) + " " + badge + line.slice(lastBadgeEndIndex);
-    return lines.join("\n");
-  }
-  if (firstH1Line >= 0) {
-    const before = lines.slice(0, firstH1Line + 1);
-    const after = lines.slice(firstH1Line + 1);
-    while (after.length > 0 && after[0].trim() === "") {
-      after.shift();
-    }
-    if (after.length > 0) {
-      return [...before, "", badge, "", ...after].join("\n");
-    } else {
-      return [...before, "", badge, ""].join("\n");
-    }
-  }
-  return `${badge}
-${readmeContent}`;
-}
-function findReadmePath(cwd) {
-  const candidates = ["README.md", "readme.md", "Readme.md"];
-  for (const candidate of candidates) {
-    const candidatePath = path3.join(cwd, candidate);
-    if (fs3.existsSync(candidatePath)) {
-      return candidatePath;
-    }
-  }
-  return null;
-}
-async function ensureReadme(repoName, cwd) {
-  const existing = findReadmePath(cwd);
-  if (existing) return existing;
-  const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-  if (!isInteractive2) {
-    console.log(pc2.yellow('No README found. Run "keyway readme add-badge" from a repo with a README.'));
-    return null;
-  }
-  const { confirm } = await prompts2(
-    {
-      type: "confirm",
-      name: "confirm",
-      message: "No README found. Create a default README.md?",
-      initial: false
-    },
-    {
-      onCancel: () => ({ confirm: false })
-    }
-  );
-  if (!confirm) {
-    console.log(pc2.yellow("Skipping badge insertion (no README)."));
-    return null;
-  }
-  const defaultPath = path3.join(cwd, "README.md");
-  const content = `# ${repoName}
-`;
-  fs3.writeFileSync(defaultPath, content, "utf-8");
-  return defaultPath;
-}
-async function addBadgeToReadme(silent = false) {
-  const repo = detectGitRepo();
-  if (!repo) {
-    throw new Error("This directory is not a Git repository.");
-  }
-  const cwd = process.cwd();
-  const readmePath = await ensureReadme(repo, cwd);
-  if (!readmePath) return false;
-  const badge = generateBadge(repo);
-  const content = fs3.readFileSync(readmePath, "utf-8");
-  const updated = insertBadgeIntoReadme(content, badge);
-  if (updated === content) {
-    if (!silent) {
-      console.log(pc2.gray("Keyway badge already present in README."));
-    }
-    return false;
-  }
-  fs3.writeFileSync(readmePath, updated, "utf-8");
-  if (!silent) {
-    console.log(pc2.green(`\u2713 Keyway badge added to ${path3.basename(readmePath)}`));
-  }
-  return true;
-}
-// src/cmds/push.ts
-import pc6 from "picocolors";
-import fs5 from "fs";
-import path5 from "path";
-import prompts5 from "prompts";
-// src/cmds/login.ts
-import pc4 from "picocolors";
-import readline from "readline";
-import prompts3 from "prompts";
-// src/utils/helpers.ts
-import pc3 from "picocolors";
-import open from "open";
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function openUrl(url) {
-  console.log(pc3.gray(`
-Open this URL in your browser:
-${url}
-`));
-  await open(url).catch(() => {
-  });
-}
-function isInteractive() {
-  return Boolean(process.stdout.isTTY && process.stdin.isTTY && !process.env.CI);
-}
-function showUpgradePrompt(message, upgradeUrl) {
-  console.log("");
-  console.log(pc3.dim("\u2500".repeat(50)));
-  console.log("");
-  console.log(`  ${pc3.yellow("\u26A1")} ${pc3.bold("Plan Limit Reached")}`);
-  console.log("");
-  console.log(pc3.white(`  ${message}`));
-  console.log("");
-  console.log(`  ${pc3.cyan("Upgrade now \u2192")} ${pc3.underline(upgradeUrl)}`);
-  console.log("");
-  console.log(pc3.dim("\u2500".repeat(50)));
-  console.log("");
-}
-var MAX_CONSECUTIVE_ERRORS = 5;
-// src/cmds/login.ts
-async function promptYesNo(question, defaultYes = true) {
-  return new Promise((resolve) => {
-    const rl = readline.createInterface({
-      input: process.stdin,
-      output: process.stdout
-    });
-    rl.question(question, (answer) => {
-      rl.close();
-      const normalized = answer.trim().toLowerCase();
-      if (!normalized) return resolve(defaultYes);
-      if (["y", "yes"].includes(normalized)) return resolve(true);
-      if (["n", "no"].includes(normalized)) return resolve(false);
-      return resolve(defaultYes);
-    });
-  });
-}
-async function runLoginFlow() {
-  console.log(pc4.blue("\u{1F510} Starting Keyway login...\n"));
-  const repoName = detectGitRepo();
-  const start = await startDeviceLogin(repoName);
-  const verifyUrl = start.verificationUriComplete || start.verificationUri;
-  if (!verifyUrl) {
-    throw new Error("Missing verification URL from the auth server.");
-  }
-  console.log(`Code: ${pc4.bold(pc4.green(start.userCode))}`);
-  await openUrl(verifyUrl);
-  console.log("Waiting for auth...");
-  const pollIntervalMs = (start.interval ?? 5) * 1e3;
-  const maxTimeoutMs = Math.min((start.expiresIn ?? 900) * 1e3, 30 * 60 * 1e3);
-  const startTime = Date.now();
-  let consecutiveErrors = 0;
-  while (true) {
-    if (Date.now() - startTime > maxTimeoutMs) {
-      throw new Error('Login timed out. Please run "keyway login" again.');
-    }
-    await sleep(pollIntervalMs);
-    try {
-      const result = await pollDeviceLogin(start.deviceCode);
-      consecutiveErrors = 0;
-      if (result.status === "pending") {
-        continue;
-      }
-      if (result.status === "approved" && result.keywayToken) {
-        await saveAuthToken(result.keywayToken, {
-          githubLogin: result.githubLogin,
-          expiresAt: result.expiresAt
-        });
-        trackEvent(AnalyticsEvents.CLI_LOGIN, {
-          method: "device",
-          repo: repoName
-        });
-        if (result.githubLogin) {
-          identifyUser(result.githubLogin, {
-            github_username: result.githubLogin,
-            login_method: "device"
-          });
-        }
-        console.log(pc4.green("\n\u2713 Login successful"));
-        if (result.githubLogin) {
-          console.log(`Authenticated GitHub user: ${pc4.cyan(result.githubLogin)}`);
-        }
-        return result.keywayToken;
-      }
-      throw new Error(result.message || "Authentication failed");
-    } catch (error) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
-        throw new Error(`Login failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-}
-async function ensureLogin(options = {}) {
-  const envToken = process.env.KEYWAY_TOKEN;
-  if (envToken) {
-    return envToken;
-  }
-  if (process.env.GITHUB_TOKEN && !process.env.KEYWAY_TOKEN) {
-    console.warn(pc4.yellow("Note: GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication."));
-  }
-  const stored = await getStoredAuth();
-  if (stored?.keywayToken) {
-    return stored.keywayToken;
-  }
-  const allowPrompt = options.allowPrompt !== false;
-  const canPrompt = allowPrompt && isInteractive();
-  if (!canPrompt) {
-    throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
-  }
-  const proceed = await promptYesNo("No Keyway session found. Open the browser to sign in now? (Y/n) ");
-  if (!proceed) {
-    throw new Error("Login required. Aborting.");
-  }
-  return runLoginFlow();
-}
-async function runTokenLogin() {
-  const repoName = detectGitRepo();
-  if (repoName) {
-    console.log(`\u{1F4C1} Detected: ${pc4.cyan(repoName)}`);
-  }
-  const description = repoName ? `Keyway CLI for ${repoName}` : "Keyway CLI";
-  const url = `https://github.com/settings/personal-access-tokens/new?description=${encodeURIComponent(description)}`;
-  await openUrl(url);
-  console.log(pc4.gray("Select the detected repo (or scope manually)."));
-  console.log(pc4.gray("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
-  const { token } = await prompts3(
-    {
-      type: "password",
-      name: "token",
-      message: "Paste token:",
-      validate: (value) => {
-        if (!value || typeof value !== "string") return "Token is required";
-        if (!value.startsWith("github_pat_")) return "Token must start with github_pat_";
-        return true;
-      }
-    },
-    {
-      onCancel: () => {
-        throw new Error("Login cancelled.");
-      }
-    }
-  );
-  if (!token || typeof token !== "string") {
-    throw new Error("Token is required.");
-  }
-  const trimmedToken = token.trim();
-  if (!trimmedToken.startsWith("github_pat_")) {
-    throw new Error("Token must start with github_pat_.");
-  }
-  const validation = await validateToken(trimmedToken);
-  await saveAuthToken(trimmedToken, {
-    githubLogin: validation.username
-  });
-  trackEvent(AnalyticsEvents.CLI_LOGIN, {
-    method: "pat",
-    repo: repoName
-  });
-  identifyUser(validation.username, {
-    github_username: validation.username,
-    login_method: "pat"
-  });
-  console.log(pc4.green("\u2705 Authenticated"), `as ${pc4.cyan(`@${validation.username}`)}`);
-  return trimmedToken;
-}
-async function loginCommand(options = {}) {
-  try {
-    if (options.token) {
-      await runTokenLogin();
-    } else {
-      await runLoginFlow();
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unexpected login error";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "login",
-      error: truncateMessage(message)
-    });
-    console.error(pc4.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-async function logoutCommand() {
-  clearAuth();
-  console.log(pc4.green("\u2713 Logged out of Keyway"));
-  console.log(pc4.gray(`Auth cache cleared: ${getAuthFilePath()}`));
-}
-// src/utils/env.ts
-import fs4 from "fs";
-import path4 from "path";
-import pc5 from "picocolors";
-import prompts4 from "prompts";
-async function promptCreateEnvFile() {
-  const { createEnv } = await prompts4({
-    type: "confirm",
-    name: "createEnv",
-    message: "No .env file found. Create one?",
-    initial: true
-  }, {
-    onCancel: () => {
-      throw new Error("Cancelled by user.");
-    }
-  });
-  if (!createEnv) {
-    return false;
-  }
-  const envFilePath = path4.join(process.cwd(), ".env");
-  fs4.writeFileSync(envFilePath, "# Add your environment variables here\n# Example: API_KEY=your-api-key\n");
-  console.log(pc5.green("\u2713 Created .env file"));
-  return true;
-}
-// src/cmds/push.ts
-function deriveEnvFromFile(file) {
-  const base = path5.basename(file);
-  const match = base.match(/\.env(?:\.(.+))?$/);
-  if (match) {
-    return match[1] || "development";
-  }
-  return "development";
-}
-function discoverEnvCandidates(cwd) {
-  try {
-    const entries = fs5.readdirSync(cwd);
-    const hasEnvLocal = entries.includes(".env.local");
-    if (hasEnvLocal) {
-      console.log(pc6.gray("\u2139\uFE0F  Detected .env.local \u2014 not synced by design (machine-specific secrets)"));
-    }
-    const candidates = entries.filter((name) => name.startsWith(".env") && name !== ".env.local").map((name) => {
-      const fullPath = path5.join(cwd, name);
-      try {
-        const stat = fs5.statSync(fullPath);
-        if (!stat.isFile()) return null;
-        return { file: name, env: deriveEnvFromFile(name) };
-      } catch {
-        return null;
-      }
-    }).filter((c) => Boolean(c));
-    const seen = /* @__PURE__ */ new Set();
-    const unique = [];
-    for (const c of candidates) {
-      if (seen.has(c.file)) continue;
-      seen.add(c.file);
-      unique.push(c);
-    }
-    return unique;
-  } catch {
-    return [];
-  }
-}
-async function pushCommand(options) {
-  try {
-    console.log(pc6.blue("\u{1F510} Pushing secrets to Keyway...\n"));
-    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-    let environment = options.env;
-    let envFile = options.file;
-    const candidates = discoverEnvCandidates(process.cwd());
-    if (candidates.length === 0 && !envFile) {
-      if (!isInteractive2) {
-        throw new Error("No .env file found. Create a .env file first, or use --file <path> to specify one.");
-      }
-      const created = await promptCreateEnvFile();
-      if (!created) {
-        throw new Error("No .env file found.");
-      }
-      console.log(pc6.gray("  Add your variables and run keyway push again\n"));
-      return;
-    }
-    if (environment && !envFile) {
-      const match = candidates.find((c) => c.env === environment);
-      if (match) {
-        envFile = match.file;
-      }
-    }
-    if (!environment && !envFile && isInteractive2 && candidates.length > 0) {
-      const { choice } = await prompts5(
-        {
-          type: "select",
-          name: "choice",
-          message: "Select an env file to push:",
-          choices: [
-            ...candidates.map((c) => ({
-              title: `${c.file} (env: ${c.env})`,
-              value: c
-            })),
-            { title: "Enter a different file...", value: "custom" }
-          ]
-        },
-        {
-          onCancel: () => {
-            throw new Error("Push cancelled by user.");
-          }
-        }
-      );
-      if (choice && choice !== "custom") {
-        envFile = choice.file;
-        environment = choice.env;
-      } else if (choice === "custom") {
-        const { fileInput } = await prompts5(
-          {
-            type: "text",
-            name: "fileInput",
-            message: "Path to env file:",
-            validate: (value) => {
-              if (!value) return "Path is required";
-              const resolved = path5.resolve(process.cwd(), value);
-              if (!fs5.existsSync(resolved)) return `File not found: ${value}`;
-              return true;
-            }
-          },
-          {
-            onCancel: () => {
-              throw new Error("Push cancelled by user.");
-            }
-          }
-        );
-        envFile = fileInput;
-        environment = deriveEnvFromFile(fileInput);
-      }
-    }
-    if (!environment) {
-      environment = "development";
-    }
-    if (!envFile) {
-      envFile = ".env";
-    }
-    const envFilePath = path5.resolve(process.cwd(), envFile);
-    if (!fs5.existsSync(envFilePath)) {
-      throw new Error(`File not found: ${envFile}`);
-    }
-    const content = fs5.readFileSync(envFilePath, "utf-8");
-    if (content.trim().length === 0) {
-      throw new Error(`File is empty: ${envFile}`);
-    }
-    const lines = content.split("\n").filter((line) => {
-      const trimmed = line.trim();
-      return trimmed.length > 0 && !trimmed.startsWith("#");
-    });
-    console.log(`File: ${pc6.cyan(envFile)}`);
-    console.log(`Environment: ${pc6.cyan(environment)}`);
-    console.log(`Variables: ${pc6.cyan(lines.length.toString())}`);
-    const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${pc6.cyan(repoFullName)}`);
-    if (!options.yes) {
-      const isInteractive3 = process.stdin.isTTY && process.stdout.isTTY;
-      if (!isInteractive3) {
-        throw new Error("Confirmation required. Re-run with --yes in non-interactive environments.");
-      }
-      const { confirm } = await prompts5(
-        {
-          type: "confirm",
-          name: "confirm",
-          message: `Send ${lines.length} secrets from ${envFile} (env: ${environment}) to ${repoFullName}?`,
-          initial: true
-        },
-        {
-          onCancel: () => {
-            throw new Error("Push cancelled by user.");
-          }
-        }
-      );
-      if (!confirm) {
-        console.log(pc6.yellow("Push aborted."));
-        return;
-      }
-    }
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    trackEvent(AnalyticsEvents.CLI_PUSH, {
-      repoFullName,
-      environment,
-      variableCount: lines.length
-    });
-    console.log("\nUploading secrets...");
-    const response = await pushSecrets(repoFullName, environment, content, accessToken);
-    console.log(pc6.green("\n\u2713 " + response.message));
-    if (response.stats) {
-      const { created, updated, deleted } = response.stats;
-      const parts = [];
-      if (created > 0) parts.push(pc6.green(`+${created} created`));
-      if (updated > 0) parts.push(pc6.yellow(`~${updated} updated`));
-      if (deleted > 0) parts.push(pc6.red(`-${deleted} deleted`));
-      if (parts.length > 0) {
-        console.log(`Stats: ${parts.join(", ")}`);
-      }
-    }
-    console.log(`
-Your secrets are now encrypted and stored securely.`);
-    const dashboardLink = `https://www.keyway.sh/dashboard/vaults/${repoFullName}`;
-    console.log(`
-${pc6.blue("\u2394")} Dashboard: ${pc6.underline(dashboardLink)}`);
-    await shutdownAnalytics();
-  } catch (error) {
-    let message;
-    let hint = null;
-    if (error instanceof APIError) {
-      message = error.message || `HTTP ${error.statusCode} - ${error.error}`;
-      const envNotFoundMatch = message.match(/Environment '([^']+)' does not exist.*Available environments: ([^.]+)/);
-      if (envNotFoundMatch) {
-        const requestedEnv = envNotFoundMatch[1];
-        const availableEnvs = envNotFoundMatch[2];
-        message = `Environment '${requestedEnv}' does not exist in this vault.`;
-        hint = `Available environments: ${availableEnvs}
-Use ${pc6.cyan(`keyway push --env <environment>`)} to specify one, or create '${requestedEnv}' via the dashboard.`;
-      }
-      if (error.statusCode === 403 && (error.upgradeUrl || message.toLowerCase().includes("read-only"))) {
-        const upgradeMessage = message.toLowerCase().includes("read-only") ? "This vault is read-only on your current plan." : message;
-        const upgradeUrl = error.upgradeUrl || "https://keyway.sh/settings";
-        trackEvent(AnalyticsEvents.CLI_ERROR, {
-          command: "push",
-          error: upgradeMessage
-        });
-        await shutdownAnalytics();
-        showUpgradePrompt(upgradeMessage, upgradeUrl);
-        process.exit(1);
-      }
-    } else if (error instanceof Error) {
-      message = truncateMessage(error.message);
-    } else {
-      message = "Unknown error";
-    }
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "push",
-      error: message
-    });
-    await shutdownAnalytics();
-    console.error(pc6.red(`
-\u2717 ${message}`));
-    if (hint) {
-      console.error(pc6.gray(`
-${hint}`));
-    }
-    process.exit(1);
-  }
-}
-// src/cmds/init.ts
-var DASHBOARD_URL = "https://www.keyway.sh/dashboard/vaults";
-var POLL_INTERVAL_MS = 3e3;
-var POLL_TIMEOUT_MS = 12e4;
-async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
-  const [repoOwner, repoName] = repoFullName.split("/");
-  const envToken = process.env.KEYWAY_TOKEN;
-  if (envToken) {
-    const result = await ensureGitHubAppInstalledOnly(repoFullName, envToken);
-    if (result === null) {
-      throw new Error("KEYWAY_TOKEN is invalid or expired. Please update the token.");
-    }
-    return result;
-  }
-  const stored = await getStoredAuth();
-  if (stored?.keywayToken) {
-    const result = await ensureGitHubAppInstalledOnly(repoFullName, stored.keywayToken);
-    if (result !== null) {
-      return result;
-    }
-  }
-  const allowPrompt = options.allowPrompt !== false;
-  if (!allowPrompt || !isInteractive()) {
-    throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
-  }
-  const deviceStart = await startDeviceLogin(repoFullName);
-  const installUrl = deviceStart.githubAppInstallUrl || "https://github.com/apps/keyway/installations/new";
-  console.log("");
-  const { shouldProceed } = await prompts6({
-    type: "confirm",
-    name: "shouldProceed",
-    message: "Open browser to sign in?",
-    initial: true
-  });
-  if (!shouldProceed) {
-    throw new Error('Setup required. Run "keyway init" when ready.');
-  }
-  await openUrl(deviceStart.verificationUriComplete);
-  console.log(pc7.blue("\u23F3 Waiting for authorization..."));
-  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
-  const pollIntervalMs = Math.max((deviceStart.interval ?? 5) * 1e3, POLL_INTERVAL_MS);
-  const startTime = Date.now();
-  let accessToken = null;
-  let consecutiveErrors = 0;
-  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
-    await sleep(pollIntervalMs);
-    try {
-      const result = await pollDeviceLogin(deviceStart.deviceCode);
-      if (result.status === "approved" && result.keywayToken) {
-        accessToken = result.keywayToken;
-        await saveAuthToken(result.keywayToken, {
-          githubLogin: result.githubLogin,
-          expiresAt: result.expiresAt
-        });
-        console.log(pc7.green("\u2713 Signed in!"));
-        if (result.githubLogin) {
-          identifyUser(result.githubLogin, {
-            github_username: result.githubLogin,
-            login_method: "device_flow"
-          });
-        }
-        break;
-      }
-      consecutiveErrors = 0;
-      process.stdout.write(pc7.gray("."));
-    } catch (error) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
-        throw new Error(`Login failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-  if (!accessToken) {
-    console.log("");
-    console.log(pc7.yellow("\u26A0 Timed out waiting for sign in."));
-    throw new Error("Sign in timed out. Please try again.");
-  }
-  const installStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-  if (installStatus.installed) {
-    console.log(pc7.green("\u2713 GitHub App installed"));
-    console.log("");
-    return accessToken;
-  }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 GitHub App not installed on this repository"));
-  console.log(pc7.gray("  The Keyway GitHub App is required for secure access."));
-  console.log("");
-  const { shouldInstall } = await prompts6({
-    type: "confirm",
-    name: "shouldInstall",
-    message: "Open browser to install GitHub App?",
-    initial: true
-  });
-  if (!shouldInstall) {
-    console.log(pc7.gray(`
-  Install later: ${installUrl}`));
-    throw new Error("GitHub App installation required.");
-  }
-  await openUrl(installUrl);
-  console.log(pc7.blue("\u23F3 Waiting for GitHub App installation..."));
-  console.log(pc7.gray('   Add this repository and click "Install"'));
-  console.log(pc7.gray("   Then return here - the CLI will detect it automatically"));
-  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
-  const installStartTime = Date.now();
-  consecutiveErrors = 0;
-  while (Date.now() - installStartTime < POLL_TIMEOUT_MS) {
-    await sleep(POLL_INTERVAL_MS);
-    try {
-      const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-      if (pollStatus.installed) {
-        console.log(pc7.green("\u2713 GitHub App installed!"));
-        console.log("");
-        return accessToken;
-      }
-      consecutiveErrors = 0;
-      process.stdout.write(pc7.gray("."));
-    } catch (error) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
-        throw new Error(`Installation check failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 Timed out waiting for installation."));
-  console.log(pc7.gray(`  Install the GitHub App: ${installUrl}`));
-  throw new Error("GitHub App installation timed out.");
-}
-async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
-  const [repoOwner, repoName] = repoFullName.split("/");
-  let status;
-  try {
-    status = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-  } catch (error) {
-    if (error instanceof APIError && error.statusCode === 401) {
-      console.log(pc7.yellow("\n\u26A0 Session expired or invalid. Clearing credentials..."));
-      const { clearAuth: clearAuth2 } = await import("./auth-QLPQ24HZ.js");
-      clearAuth2();
-      return null;
-    }
-    throw error;
-  }
-  if (status.installed) {
-    return accessToken;
-  }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 GitHub App not installed for this repository"));
-  console.log("");
-  console.log(pc7.gray("  The Keyway GitHub App is required to securely manage secrets."));
-  console.log(pc7.gray("  It only requests minimal permissions (repository metadata)."));
-  console.log("");
-  if (!isInteractive()) {
-    console.log(pc7.gray(`  Install the Keyway GitHub App: ${status.installUrl}`));
-    throw new Error("GitHub App installation required.");
-  }
-  const { shouldInstall } = await prompts6({
-    type: "confirm",
-    name: "shouldInstall",
-    message: "Open browser to install Keyway GitHub App?",
-    initial: true
-  });
-  if (!shouldInstall) {
-    console.log(pc7.gray(`
-  You can install later: ${status.installUrl}`));
-    throw new Error("GitHub App installation required.");
-  }
-  await openUrl(status.installUrl);
-  console.log(pc7.blue("\u23F3 Waiting for GitHub App installation..."));
-  console.log(pc7.gray("   (Press Ctrl+C to cancel)\n"));
-  const startTime = Date.now();
-  let consecutiveErrors = 0;
-  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
-    await sleep(POLL_INTERVAL_MS);
-    try {
-      const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-      if (pollStatus.installed) {
-        console.log(pc7.green("\u2713 GitHub App installed!"));
-        console.log("");
-        return accessToken;
-      }
-      consecutiveErrors = 0;
-      process.stdout.write(pc7.gray("."));
-    } catch (error) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error instanceof Error ? error.message : "Unknown error";
-        throw new Error(`Installation check failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-  console.log("");
-  console.log(pc7.yellow("\u26A0 Timed out waiting for installation."));
-  console.log(pc7.gray(`  You can install the GitHub App later: ${status.installUrl}`));
-  throw new Error("GitHub App installation timed out.");
-}
-async function initCommand(options = {}) {
-  try {
-    const repoFullName = getCurrentRepoFullName();
-    const dashboardLink = `${DASHBOARD_URL}/${repoFullName}`;
-    console.log(pc7.blue("\u{1F510} Initializing Keyway vault...\n"));
-    console.log(`  ${pc7.gray("Repository:")} ${pc7.white(repoFullName)}`);
-    const accessToken = await ensureLoginAndGitHubApp(repoFullName, {
-      allowPrompt: options.loginPrompt !== false
-    });
-    trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName, githubAppInstalled: true });
-    const vaultExists = await checkVaultExists(accessToken, repoFullName);
-    if (vaultExists) {
-      console.log(pc7.green("\n\u2713 Already initialized!\n"));
-      console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets`);
-      console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(dashboardLink)}`);
-      console.log("");
-      await shutdownAnalytics();
-      return;
-    }
-    await initVault(repoFullName, accessToken);
-    console.log(pc7.green("\u2713 Vault created!"));
-    try {
-      const badgeAdded = await addBadgeToReadme(true);
-      if (badgeAdded) {
-        console.log(pc7.green("\u2713 Badge added to README.md"));
-      }
-    } catch {
-    }
-    console.log("");
-    const envCandidates = discoverEnvCandidates(process.cwd());
-    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-    if (envCandidates.length > 0 && isInteractive2) {
-      console.log(pc7.gray(`  Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}
-`));
-      const { shouldPush } = await prompts6({
-        type: "confirm",
-        name: "shouldPush",
-        message: "Push secrets now?",
-        initial: true
-      });
-      if (shouldPush) {
-        console.log("");
-        await pushCommand({ loginPrompt: false, yes: false });
-        return;
-      }
-    }
-    console.log(pc7.dim("\u2500".repeat(50)));
-    console.log("");
-    if (envCandidates.length === 0) {
-      if (isInteractive2) {
-        const created = await promptCreateEnvFile();
-        if (created) {
-          console.log(`  Add your variables and run ${pc7.cyan("keyway push")}
-`);
-        } else {
-          console.log(`  Next: Create ${pc7.cyan(".env")} and run ${pc7.cyan("keyway push")}
-`);
-        }
-      } else {
-        console.log(`${pc7.yellow("\u26A0")} No .env file found - your vault is empty`);
-        console.log(`  Next: Create ${pc7.cyan(".env")} and run ${pc7.cyan("keyway push")}
-`);
-      }
-    } else {
-      console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets
-`);
-    }
-    console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(dashboardLink)}`);
-    console.log("");
-    await shutdownAnalytics();
-  } catch (error) {
-    if (error instanceof APIError) {
-      if (error.statusCode === 409) {
-        console.log(pc7.green("\n\u2713 Already initialized!\n"));
-        console.log(`  ${pc7.yellow("\u2192")} Run ${pc7.cyan("keyway push")} to sync your secrets`);
-        console.log(`  ${pc7.blue("\u2394")} Dashboard: ${pc7.underline(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
-        console.log("");
-        await shutdownAnalytics();
-        return;
-      }
-      if (error.error === "Plan Limit Reached" || error.upgradeUrl) {
-        const upgradeUrl = error.upgradeUrl || "https://keyway.sh/pricing";
-        showUpgradePrompt(error.message, upgradeUrl);
-        await shutdownAnalytics();
-        process.exit(1);
-      }
-    }
-    const message = error instanceof APIError ? error.message : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "init",
-      error: message
-    });
-    await shutdownAnalytics();
-    console.error(pc7.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-// src/cmds/pull.ts
-import pc8 from "picocolors";
-import fs6 from "fs";
-import path6 from "path";
-import prompts7 from "prompts";
-async function pullCommand(options) {
-  try {
-    const environment = options.env || "development";
-    const envFile = options.file || ".env";
-    console.log(pc8.blue("\u{1F510} Pulling secrets from Keyway...\n"));
-    console.log(`Environment: ${pc8.cyan(environment)}`);
-    const repoFullName = getCurrentRepoFullName();
-    console.log(`Repository: ${pc8.cyan(repoFullName)}`);
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    trackEvent(AnalyticsEvents.CLI_PULL, {
-      repoFullName,
-      environment
-    });
-    console.log("\nDownloading secrets...");
-    const response = await pullSecrets(repoFullName, environment, accessToken);
-    const envFilePath = path6.resolve(process.cwd(), envFile);
-    if (fs6.existsSync(envFilePath)) {
-      const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-      if (options.yes) {
-        console.log(pc8.yellow(`
-\u26A0 Overwriting existing file: ${envFile}`));
-      } else if (!isInteractive2) {
-        throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
-      } else {
-        const { confirm } = await prompts7(
-          {
-            type: "confirm",
-            name: "confirm",
-            message: `${envFile} exists. Overwrite with secrets from ${environment}?`,
-            initial: false
-          },
-          {
-            onCancel: () => {
-              throw new Error("Pull cancelled by user.");
-            }
-          }
-        );
-        if (!confirm) {
-          console.log(pc8.yellow("Pull aborted."));
-          return;
-        }
-      }
-    }
-    fs6.writeFileSync(envFilePath, response.content, "utf-8");
-    const lines = response.content.split("\n").filter((line) => {
-      const trimmed = line.trim();
-      return trimmed.length > 0 && !trimmed.startsWith("#");
-    });
-    console.log(pc8.green(`
-\u2713 Secrets downloaded successfully`));
-    console.log(`
-File: ${pc8.cyan(envFile)}`);
-    console.log(`Variables: ${pc8.cyan(lines.length.toString())}`);
-    await shutdownAnalytics();
-  } catch (error) {
-    const message = error instanceof APIError ? `API ${error.statusCode}: ${error.message}` : error instanceof Error ? truncateMessage(error.message) : "Unknown error";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "pull",
-      error: message
-    });
-    await shutdownAnalytics();
-    console.error(pc8.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-// src/cmds/doctor.ts
-import pc9 from "picocolors";
-// src/core/doctor.ts
-import { execSync as execSync2 } from "child_process";
-import { writeFileSync, unlinkSync, readFileSync, existsSync } from "fs";
-import { tmpdir } from "os";
-import { join } from "path";
-var API_HEALTH_URL = `${process.env.KEYWAY_API_URL || INTERNAL_API_URL}/v1/health`;
-async function checkNode() {
-  const nodeVersion = process.versions.node;
-  const [major] = nodeVersion.split(".").map(Number);
-  if (major >= 18) {
-    return {
-      id: "node",
-      name: "Node.js version",
-      status: "pass",
-      detail: `v${nodeVersion} (>=18.0.0 required)`
-    };
-  }
-  return {
-    id: "node",
-    name: "Node.js version",
-    status: "fail",
-    detail: `v${nodeVersion} (<18.0.0, please upgrade)`
-  };
-}
-async function checkGit() {
-  try {
-    const gitVersion = execSync2("git --version", { encoding: "utf-8" }).trim();
-    try {
-      execSync2("git rev-parse --is-inside-work-tree", {
-        encoding: "utf-8",
-        stdio: ["pipe", "pipe", "ignore"]
-      });
-      return {
-        id: "git",
-        name: "Git repository",
-        status: "pass",
-        detail: `${gitVersion} - inside repository`
-      };
-    } catch {
-      return {
-        id: "git",
-        name: "Git repository",
-        status: "warn",
-        detail: `${gitVersion} - not in a repository`
-      };
-    }
-  } catch {
-    return {
-      id: "git",
-      name: "Git repository",
-      status: "warn",
-      detail: "Git not installed"
-    };
-  }
-}
-async function checkNetwork() {
-  const fetchFn = globalThis.fetch;
-  if (!fetchFn) {
-    return {
-      id: "network",
-      name: "API connectivity",
-      status: "warn",
-      detail: "Fetch API not available in this Node.js runtime"
-    };
-  }
-  try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetchFn(API_HEALTH_URL, {
-      method: "HEAD",
-      signal: controller.signal
-    });
-    clearTimeout(timeout);
-    if (response.ok || response.status < 500) {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "pass",
-        detail: `Connected to ${API_HEALTH_URL}`
-      };
-    }
-    return {
-      id: "network",
-      name: "API connectivity",
-      status: "warn",
-      detail: `Server returned ${response.status}`
-    };
-  } catch (error) {
-    if (error.name === "AbortError") {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "warn",
-        detail: "Connection timeout (>2s)"
-      };
-    }
-    if (error.code === "ENOTFOUND") {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "fail",
-        detail: "DNS resolution failed"
-      };
-    }
-    if (error.code === "CERT_HAS_EXPIRED" || error.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "fail",
-        detail: "SSL certificate error"
-      };
-    }
-    return {
-      id: "network",
-      name: "API connectivity",
-      status: "warn",
-      detail: error.message || "Connection failed"
-    };
-  }
-}
-async function checkFileSystem() {
-  const testFile = join(tmpdir(), `.keyway-test-${Date.now()}.tmp`);
-  try {
-    writeFileSync(testFile, "test");
-    unlinkSync(testFile);
-    return {
-      id: "filesystem",
-      name: "File system permissions",
-      status: "pass",
-      detail: "Write permissions verified"
-    };
-  } catch (error) {
-    return {
-      id: "filesystem",
-      name: "File system permissions",
-      status: "fail",
-      detail: `Cannot write to temp directory: ${error.message}`
-    };
-  }
-}
-async function checkGitignore() {
-  try {
-    if (!existsSync(".gitignore")) {
-      return {
-        id: "gitignore",
-        name: ".gitignore configuration",
-        status: "warn",
-        detail: "No .gitignore file found"
-      };
-    }
-    const gitignoreContent = readFileSync(".gitignore", "utf-8");
-    const hasEnvPattern = gitignoreContent.includes("*.env") || gitignoreContent.includes(".env*");
-    const hasDotEnv = gitignoreContent.includes(".env");
-    if (hasEnvPattern || hasDotEnv) {
-      return {
-        id: "gitignore",
-        name: ".gitignore configuration",
-        status: "pass",
-        detail: "Environment files are ignored"
-      };
-    }
-    return {
-      id: "gitignore",
-      name: ".gitignore configuration",
-      status: "warn",
-      detail: "Missing .env patterns in .gitignore"
-    };
-  } catch {
-    return {
-      id: "gitignore",
-      name: ".gitignore configuration",
-      status: "warn",
-      detail: "Could not read .gitignore"
-    };
-  }
-}
-async function checkSystemClock() {
-  try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetch(API_HEALTH_URL, {
-      method: "HEAD",
-      signal: controller.signal
-    });
-    clearTimeout(timeout);
-    const serverDate = response.headers.get("date");
-    if (!serverDate) {
-      return {
-        id: "clock",
-        name: "System clock",
-        status: "pass",
-        detail: "Unable to verify (no server date)"
-      };
-    }
-    const serverTime = new Date(serverDate).getTime();
-    const localTime = Date.now();
-    const diffMinutes = Math.abs(serverTime - localTime) / 1e3 / 60;
-    if (diffMinutes < 5) {
-      return {
-        id: "clock",
-        name: "System clock",
-        status: "pass",
-        detail: `Synchronized (drift: ${Math.round(diffMinutes * 60)}s)`
-      };
-    }
-    return {
-      id: "clock",
-      name: "System clock",
-      status: "warn",
-      detail: `Clock drift: ${Math.round(diffMinutes)} minutes`
-    };
-  } catch {
-    return {
-      id: "clock",
-      name: "System clock",
-      status: "pass",
-      detail: "Unable to verify"
-    };
-  }
-}
-async function runAllChecks(options = {}) {
-  const checks = await Promise.all([
-    checkNode(),
-    checkGit(),
-    checkNetwork(),
-    checkFileSystem(),
-    checkGitignore(),
-    checkSystemClock()
-  ]);
-  if (options.strict) {
-    checks.forEach((check) => {
-      if (check.status === "warn") {
-        check.status = "fail";
-      }
-    });
-  }
-  const summary = {
-    pass: checks.filter((c) => c.status === "pass").length,
-    warn: checks.filter((c) => c.status === "warn").length,
-    fail: checks.filter((c) => c.status === "fail").length
-  };
-  const exitCode = summary.fail > 0 ? 1 : 0;
-  return {
-    checks,
-    summary,
-    exitCode
-  };
-}
-// src/cmds/doctor.ts
-function formatSummary(results) {
-  const parts = [
-    pc9.green(`${results.summary.pass} passed`),
-    results.summary.warn > 0 ? pc9.yellow(`${results.summary.warn} warnings`) : null,
-    results.summary.fail > 0 ? pc9.red(`${results.summary.fail} failed`) : null
-  ].filter(Boolean);
-  return parts.join(", ");
-}
-async function doctorCommand(options = {}) {
-  try {
-    const results = await runAllChecks({ strict: !!options.strict });
-    trackEvent(AnalyticsEvents.CLI_DOCTOR, {
-      pass: results.summary.pass,
-      warn: results.summary.warn,
-      fail: results.summary.fail,
-      strict: !!options.strict
-    });
-    if (options.json) {
-      process.stdout.write(JSON.stringify(results, null, 0) + "\n");
-      process.exit(results.exitCode);
-    }
-    console.log(pc9.cyan("\n\u{1F50D} Keyway Doctor - Environment Check\n"));
-    results.checks.forEach((check) => {
-      const icon = check.status === "pass" ? pc9.green("\u2713") : check.status === "warn" ? pc9.yellow("!") : pc9.red("\u2717");
-      const detail = check.detail ? pc9.dim(` \u2014 ${check.detail}`) : "";
-      console.log(`  ${icon} ${check.name}${detail}`);
-    });
-    console.log(`
-Summary: ${formatSummary(results)}`);
-    if (results.summary.fail > 0) {
-      console.log(pc9.red("\u26A0 Some checks failed. Please resolve the issues above before using Keyway."));
-    } else if (results.summary.warn > 0) {
-      console.log(pc9.yellow("\u26A0 Some warnings detected. Keyway should work but consider addressing them."));
-    } else {
-      console.log(pc9.green("\u2728 All checks passed! Your environment is ready for Keyway."));
-    }
-    process.exit(results.exitCode);
-  } catch (error) {
-    const message = error instanceof Error ? truncateMessage(error.message) : "Doctor failed";
-    trackEvent(AnalyticsEvents.CLI_DOCTOR, {
-      pass: 0,
-      warn: 0,
-      fail: 1,
-      strict: !!options.strict,
-      error: "doctor_failed"
-    });
-    if (options.json) {
-      const errorResult = {
-        checks: [],
-        summary: { pass: 0, warn: 0, fail: 1 },
-        exitCode: 1,
-        error: message
-      };
-      process.stdout.write(JSON.stringify(errorResult, null, 0) + "\n");
-    } else {
-      console.error(pc9.red(`
-\u2717 ${message}`));
-    }
-    process.exit(1);
-  }
-}
-// src/cmds/ci.ts
-import { execSync as execSync3 } from "child_process";
-import { Octokit } from "@octokit/rest";
-import pc10 from "picocolors";
-import prompts8 from "prompts";
-function isGhAvailable() {
-  try {
-    execSync3("gh auth status", { stdio: "ignore" });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function addSecretWithGh(repo, secretName, secretValue) {
-  execSync3(`gh secret set ${secretName} --repo ${repo}`, {
-    input: secretValue,
-    stdio: ["pipe", "ignore", "ignore"]
-  });
-}
-async function ciSetupCommand(options) {
-  const repo = options.repo || detectGitRepo();
-  if (!repo) {
-    console.error(pc10.red("Not in a git repository. Use --repo owner/repo"));
-    process.exit(1);
-  }
-  console.log(pc10.bold(`
-\u{1F510} Setting up GitHub Actions for ${repo}
-`));
-  console.log(pc10.dim("Step 1: Keyway Authentication"));
-  let keywayToken;
-  try {
-    keywayToken = await ensureLogin({ allowPrompt: true });
-    console.log(pc10.green("  \u2713 Authenticated with Keyway\n"));
-  } catch {
-    console.error(pc10.red("  \u2717 Failed to authenticate with Keyway"));
-    console.error(pc10.dim("  Run `keyway login` first"));
-    process.exit(1);
-  }
-  const useGh = isGhAvailable();
-  if (useGh) {
-    console.log(pc10.dim("Step 2: Adding secret via GitHub CLI"));
-    try {
-      addSecretWithGh(repo, "KEYWAY_TOKEN", keywayToken);
-      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
-`));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
-      console.error(pc10.dim("  Try running: gh auth login"));
-      process.exit(1);
-    }
-  } else {
-    console.log(pc10.dim("Step 2: Temporary GitHub PAT"));
-    console.log("  gh CLI not found. We need a one-time GitHub PAT.");
-    console.log(pc10.dim("  You can delete it immediately after setup.\n"));
-    const patUrl = "https://github.com/settings/tokens/new?scopes=repo&description=Keyway%20CI%20Setup%20(temporary)";
-    await openUrl(patUrl);
-    const { githubToken } = await prompts8({
-      type: "password",
-      name: "githubToken",
-      message: "Paste your GitHub PAT:"
-    });
-    if (!githubToken) {
-      console.error(pc10.red("\n  \u2717 GitHub PAT is required"));
-      process.exit(1);
-    }
-    const octokit = new Octokit({ auth: githubToken });
-    try {
-      await octokit.users.getAuthenticated();
-      console.log(pc10.green("  \u2713 GitHub PAT validated\n"));
-    } catch {
-      console.error(pc10.red("  \u2717 Invalid GitHub PAT"));
-      process.exit(1);
-    }
-    console.log(pc10.dim("Step 3: Adding secret to repository"));
-    const [owner, repoName] = repo.split("/");
-    try {
-      await addRepoSecret(octokit, owner, repoName, "KEYWAY_TOKEN", keywayToken);
-      console.log(pc10.green(`  \u2713 Secret KEYWAY_TOKEN added to ${repo}
-`));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Not Found")) {
-        console.error(pc10.red(`  \u2717 Repository not found or no access: ${repo}`));
-        console.error(pc10.dim("  Make sure the PAT has access to this repository"));
-      } else {
-        console.error(pc10.red(`  \u2717 Failed to add secret: ${message}`));
-      }
-      process.exit(1);
-    }
-  }
-  console.log(pc10.green(pc10.bold("\u2713 Setup complete!\n")));
-  console.log("Add this to your workflow (.github/workflows/*.yml):\n");
-  console.log(
-    pc10.cyan(`    - uses: keywaysh/keyway-action@v1
-      with:
-        token: \${{ secrets.KEYWAY_TOKEN }}
-        environment: production`)
-  );
-  console.log();
-  if (!useGh) {
-    console.log(`\u{1F5D1}\uFE0F  Delete the temporary PAT: ${pc10.underline("https://github.com/settings/tokens")}`);
-  }
-  console.log(pc10.dim(`\u{1F4D6} Docs: ${pc10.underline("https://docs.keyway.sh/ci")}
-`));
-}
-async function addRepoSecret(octokit, owner, repo, secretName, secretValue) {
-  const { data: publicKey } = await octokit.rest.actions.getRepoPublicKey({
-    owner,
-    repo
-  });
-  const encryptedValue = await encryptSecret(publicKey.key, secretValue);
-  await octokit.rest.actions.createOrUpdateRepoSecret({
-    owner,
-    repo,
-    secret_name: secretName,
-    encrypted_value: encryptedValue,
-    key_id: publicKey.key_id
-  });
-}
-async function encryptSecret(publicKey, secret) {
-  const sodiumModule = await import("libsodium-wrappers");
-  const sodium = sodiumModule.default || sodiumModule;
-  await sodium.ready;
-  const binkey = sodium.from_base64(publicKey, sodium.base64_variants.ORIGINAL);
-  const binsec = sodium.from_string(secret);
-  const encBytes = sodium.crypto_box_seal(binsec, binkey);
-  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
-}
-// src/cmds/connect.ts
-import pc11 from "picocolors";
-import prompts9 from "prompts";
-var TOKEN_AUTH_PROVIDERS = ["railway"];
-function getTokenCreationUrl(provider) {
-  switch (provider) {
-    case "railway":
-      return "https://railway.com/account/tokens";
-    default:
-      return "";
-  }
-}
-async function connectWithTokenFlow(accessToken, provider, displayName) {
-  const tokenUrl = getTokenCreationUrl(provider);
-  if (provider === "railway") {
-    console.log(pc11.yellow("\nTip: Select the workspace containing your projects."));
-    console.log(pc11.yellow(`     Do NOT use "No workspace" - it won't have access to your projects.`));
-  }
-  await openUrl(tokenUrl);
-  const { token } = await prompts9({
-    type: "password",
-    name: "token",
-    message: `${displayName} API Token:`
-  });
-  if (!token) {
-    console.log(pc11.gray("Cancelled."));
-    return false;
-  }
-  console.log(pc11.gray("\nValidating token..."));
-  try {
-    const result = await connectWithToken(accessToken, provider, token);
-    if (result.success) {
-      console.log(pc11.green(`
-\u2713 Connected to ${displayName}!`));
-      console.log(pc11.gray(`  Account: ${result.user.username}`));
-      if (result.user.teamName) {
-        console.log(pc11.gray(`  Team: ${result.user.teamName}`));
-      }
-      return true;
-    } else {
-      console.log(pc11.red("\n\u2717 Connection failed."));
-      return false;
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Token validation failed";
-    console.log(pc11.red(`
-\u2717 ${message}`));
-    return false;
-  }
-}
-async function connectWithOAuthFlow(accessToken, provider, displayName) {
-  const authUrl = getProviderAuthUrl(provider, accessToken);
-  const startTime = /* @__PURE__ */ new Date();
-  await openUrl(authUrl);
-  console.log(pc11.gray("Waiting for authorization..."));
-  const maxAttempts = 60;
-  let attempts = 0;
-  while (attempts < maxAttempts) {
-    await new Promise((resolve) => setTimeout(resolve, 5e3));
-    attempts++;
-    try {
-      const { connections } = await getConnections(accessToken);
-      const newConn = connections.find(
-        (c) => c.provider === provider && new Date(c.createdAt) > startTime
-      );
-      if (newConn) {
-        console.log(pc11.green(`
-\u2713 Connected to ${displayName}!`));
-        return true;
-      }
-    } catch {
-    }
-  }
-  console.log(pc11.red("\n\u2717 Authorization timeout."));
-  console.log(pc11.gray("Run `keyway connections` to check if the connection was established."));
-  return false;
-}
-async function connectCommand(provider, options = {}) {
-  try {
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const { providers } = await getProviders();
-    const providerInfo = providers.find((p) => p.name === provider.toLowerCase());
-    if (!providerInfo) {
-      const available = providers.map((p) => p.name).join(", ");
-      console.error(pc11.red(`Unknown provider: ${provider}`));
-      console.log(pc11.gray(`Available providers: ${available || "none"}`));
-      process.exit(1);
-    }
-    if (!providerInfo.configured) {
-      console.error(pc11.red(`Provider ${providerInfo.displayName} is not configured on the server.`));
-      console.log(pc11.gray("Contact your administrator to enable this integration."));
-      process.exit(1);
-    }
-    const { connections } = await getConnections(accessToken);
-    const existingConnections = connections.filter((c) => c.provider === provider.toLowerCase());
-    if (existingConnections.length > 0) {
-      console.log(pc11.gray(`
-You have ${existingConnections.length} ${providerInfo.displayName} connection(s):`));
-      for (const conn of existingConnections) {
-        const teamInfo = conn.providerTeamId ? `(Team: ${conn.providerTeamId})` : "(Personal)";
-        console.log(pc11.gray(`  - ${teamInfo}`));
-      }
-      console.log("");
-      const { action } = await prompts9({
-        type: "select",
-        name: "action",
-        message: "What would you like to do?",
-        choices: [
-          { title: "Add another account/team", value: "add" },
-          { title: "Cancel", value: "cancel" }
-        ]
-      });
-      if (action !== "add") {
-        console.log(pc11.gray("Keeping existing connections."));
-        return;
-      }
-    }
-    console.log(pc11.blue(`
-Connecting to ${providerInfo.displayName}...
-`));
-    let connected = false;
-    if (TOKEN_AUTH_PROVIDERS.includes(provider.toLowerCase())) {
-      connected = await connectWithTokenFlow(accessToken, provider.toLowerCase(), providerInfo.displayName);
-    } else {
-      connected = await connectWithOAuthFlow(accessToken, provider.toLowerCase(), providerInfo.displayName);
-    }
-    trackEvent(AnalyticsEvents.CLI_CONNECT, {
-      provider: provider.toLowerCase(),
-      success: connected
-    });
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Connection failed";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "connect",
-      error: truncateMessage(message)
-    });
-    console.error(pc11.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-async function connectionsCommand(options = {}) {
-  try {
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const { connections } = await getConnections(accessToken);
-    if (connections.length === 0) {
-      console.log(pc11.gray("No provider connections found."));
-      console.log(pc11.gray("\nConnect to a provider with: keyway connect <provider>"));
-      console.log(pc11.gray("Available providers: vercel, railway"));
-      return;
-    }
-    console.log(pc11.blue("\n\u{1F4E1} Provider Connections\n"));
-    for (const conn of connections) {
-      const providerName = conn.provider.charAt(0).toUpperCase() + conn.provider.slice(1);
-      const teamInfo = conn.providerTeamId ? pc11.gray(` (Team: ${conn.providerTeamId})`) : "";
-      const date = new Date(conn.createdAt).toLocaleDateString();
-      console.log(`  ${pc11.green("\u25CF")} ${pc11.bold(providerName)}${teamInfo}`);
-      console.log(pc11.gray(`    Connected: ${date}`));
-      console.log(pc11.gray(`    ID: ${conn.id}`));
-      console.log("");
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Failed to list connections";
-    console.error(pc11.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-async function disconnectCommand(provider, options = {}) {
-  try {
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const { connections } = await getConnections(accessToken);
-    const connection = connections.find((c) => c.provider === provider.toLowerCase());
-    if (!connection) {
-      console.log(pc11.gray(`No connection found for provider: ${provider}`));
-      return;
-    }
-    const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    const { confirm } = await prompts9({
-      type: "confirm",
-      name: "confirm",
-      message: `Disconnect from ${providerName}?`,
-      initial: false
-    });
-    if (!confirm) {
-      console.log(pc11.gray("Cancelled."));
-      return;
-    }
-    await deleteConnection(accessToken, connection.id);
-    console.log(pc11.green(`
-\u2713 Disconnected from ${providerName}`));
-    trackEvent(AnalyticsEvents.CLI_DISCONNECT, {
-      provider: provider.toLowerCase()
-    });
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Disconnect failed";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "disconnect",
-      error: truncateMessage(message)
-    });
-    console.error(pc11.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-// src/cmds/sync.ts
-import pc12 from "picocolors";
-import prompts10 from "prompts";
-function mapToVercelEnvironment(keywayEnv) {
-  const mapping = {
-    production: "production",
-    staging: "preview",
-    dev: "development",
-    development: "development"
-  };
-  return mapping[keywayEnv.toLowerCase()] || "production";
-}
-function mapToRailwayEnvironment(keywayEnv) {
-  const mapping = {
-    production: "production",
-    staging: "staging",
-    dev: "development",
-    development: "development"
-  };
-  return mapping[keywayEnv.toLowerCase()] || "production";
-}
-function mapToNetlifyEnvironment(keywayEnv) {
-  const mapping = {
-    production: "production",
-    staging: "branch-deploy",
-    preview: "deploy-preview",
-    dev: "dev",
-    development: "dev"
-  };
-  return mapping[keywayEnv.toLowerCase()] || "production";
-}
-function mapToProviderEnvironment(provider, keywayEnv) {
-  switch (provider.toLowerCase()) {
-    case "vercel":
-      return mapToVercelEnvironment(keywayEnv);
-    case "railway":
-      return mapToRailwayEnvironment(keywayEnv);
-    case "netlify":
-      return mapToNetlifyEnvironment(keywayEnv);
-    default:
-      return keywayEnv;
-  }
-}
-function displayDiffSummary(diff, providerName) {
-  const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
-  if (totalDiff === 0 && diff.same.length > 0) {
-    console.log(pc12.green(`
-\u2713 Already in sync (${diff.same.length} secrets)`));
-    return;
-  }
-  console.log(pc12.blue("\n\u{1F4CA} Comparison Summary\n"));
-  console.log(pc12.gray(`   Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets
-`));
-  if (diff.onlyInKeyway.length > 0) {
-    console.log(pc12.cyan(`   \u2192 ${diff.onlyInKeyway.length} only in Keyway`));
-    diff.onlyInKeyway.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
-    if (diff.onlyInKeyway.length > 3) {
-      console.log(pc12.gray(`      ... and ${diff.onlyInKeyway.length - 3} more`));
-    }
-  }
-  if (diff.onlyInProvider.length > 0) {
-    console.log(pc12.magenta(`   \u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
-    diff.onlyInProvider.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
-    if (diff.onlyInProvider.length > 3) {
-      console.log(pc12.gray(`      ... and ${diff.onlyInProvider.length - 3} more`));
-    }
-  }
-  if (diff.different.length > 0) {
-    console.log(pc12.yellow(`   \u2260 ${diff.different.length} with different values`));
-    diff.different.slice(0, 3).forEach((key) => console.log(pc12.gray(`      ${key}`)));
-    if (diff.different.length > 3) {
-      console.log(pc12.gray(`      ... and ${diff.different.length - 3} more`));
-    }
-  }
-  if (diff.same.length > 0) {
-    console.log(pc12.gray(`   = ${diff.same.length} identical`));
-  }
-  console.log("");
-}
-function getProjectDisplayName(project) {
-  return project.serviceName || project.name;
-}
-function findMatchingProject(projects, repoFullName) {
-  const repoFullNameLower = repoFullName.toLowerCase();
-  const repoName = repoFullName.split("/")[1]?.toLowerCase();
-  if (!repoName) return void 0;
-  const linkedMatch = projects.find(
-    (p) => p.linkedRepo?.toLowerCase() === repoFullNameLower
-  );
-  if (linkedMatch) {
-    return { project: linkedMatch, matchType: "linked_repo" };
-  }
-  const exactNameMatch = projects.find((p) => p.name.toLowerCase() === repoName);
-  if (exactNameMatch) {
-    return { project: exactNameMatch, matchType: "exact_name" };
-  }
-  const partialMatches = projects.filter(
-    (p) => p.name.toLowerCase().includes(repoName) || repoName.includes(p.name.toLowerCase())
-  );
-  if (partialMatches.length === 1) {
-    return { project: partialMatches[0], matchType: "partial_name" };
-  }
-  return void 0;
-}
-function projectMatchesRepo(project, repoFullName) {
-  const repoFullNameLower = repoFullName.toLowerCase();
-  const repoName = repoFullName.split("/")[1]?.toLowerCase();
-  if (project.linkedRepo?.toLowerCase() === repoFullNameLower) {
-    return true;
-  }
-  if (repoName && project.name.toLowerCase() === repoName) {
-    return true;
-  }
-  return false;
-}
-async function selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, initialProjects) {
-  let projects = initialProjects;
-  while (true) {
-    const result = await promptProjectSelection(projects, repoFullName, providerDisplayName);
-    if (result === "connect_new") {
-      console.log("");
-      await connectCommand(provider, { loginPrompt: false });
-      console.log("");
-      const { projects: allProjects } = await getAllProviderProjects(accessToken, provider.toLowerCase());
-      projects = allProjects.map((p) => ({
-        id: p.id,
-        name: p.name,
-        serviceId: p.serviceId,
-        serviceName: p.serviceName,
-        linkedRepo: p.linkedRepo,
-        environments: p.environments,
-        connectionId: p.connectionId,
-        teamId: p.teamId,
-        teamName: p.teamName
-      }));
-      if (projects.length === 0) {
-        console.error(pc12.red(`No projects found after connecting.`));
-        process.exit(1);
-      }
-      console.log(pc12.green(`Found ${projects.length} projects. Select one:
-`));
-      continue;
-    }
-    return { project: result, projects };
-  }
-}
-async function promptProjectSelection(projects, repoFullName, providerDisplayName) {
-  const repoName = repoFullName.split("/")[1]?.toLowerCase() || "";
-  const uniqueTeams = new Set(projects.map((p) => p.teamId || "personal"));
-  const hasMultipleAccounts = uniqueTeams.size > 1;
-  const choices = projects.map((p) => {
-    const displayName = getProjectDisplayName(p);
-    let title = displayName;
-    const badges = [];
-    if (hasMultipleAccounts) {
-      if (p.teamName) {
-        badges.push(pc12.cyan(`[${p.teamName}]`));
-      } else if (p.teamId) {
-        const shortTeamId = p.teamId.length > 12 ? p.teamId.slice(0, 12) + "..." : p.teamId;
-        badges.push(pc12.cyan(`[team:${shortTeamId}]`));
-      } else {
-        badges.push(pc12.cyan("[personal]"));
-      }
-    }
-    if (p.linkedRepo?.toLowerCase() === repoFullName.toLowerCase()) {
-      badges.push(pc12.green("\u2190 linked"));
-    } else if (p.name.toLowerCase() === repoName || p.serviceName?.toLowerCase() === repoName) {
-      badges.push(pc12.green("\u2190 same name"));
-    } else if (p.linkedRepo) {
-      badges.push(pc12.gray(`\u2192 ${p.linkedRepo}`));
-    }
-    if (badges.length > 0) {
-      title = `${displayName} ${badges.join(" ")}`;
-    }
-    return { title, value: p.id };
-  });
-  choices.push({
-    title: pc12.blue(`+ Connect another ${providerDisplayName} account`),
-    value: "__connect_new__"
-  });
-  const { projectChoice } = await prompts10({
-    type: "select",
-    name: "projectChoice",
-    message: "Select a project:",
-    choices
-  });
-  if (!projectChoice) {
-    console.log(pc12.gray("Cancelled."));
-    process.exit(0);
-  }
-  if (projectChoice === "__connect_new__") {
-    return "connect_new";
-  }
-  return projects.find((p) => p.id === projectChoice);
-}
-async function syncCommand(provider, options = {}) {
-  try {
-    if (options.pull && options.allowDelete) {
-      console.error(pc12.red("Error: --allow-delete cannot be used with --pull"));
-      console.log(pc12.gray("The --allow-delete flag is only for push operations."));
-      process.exit(1);
-    }
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const repoFullName = detectGitRepo();
-    if (!repoFullName) {
-      console.error(pc12.red("Could not detect Git repository."));
-      console.log(pc12.gray("Run this command from a Git repository directory."));
-      process.exit(1);
-    }
-    console.log(pc12.gray(`Repository: ${repoFullName}`));
-    const vaultExists = await checkVaultExists(accessToken, repoFullName);
-    if (!vaultExists) {
-      console.log(pc12.yellow(`
-No vault found for ${repoFullName}.`));
-      const { shouldCreate } = await prompts10({
-        type: "confirm",
-        name: "shouldCreate",
-        message: "Create vault now?",
-        initial: true
-      });
-      if (!shouldCreate) {
-        console.log(pc12.gray("Cancelled. Run `keyway init` to create a vault first."));
-        process.exit(0);
-      }
-      console.log(pc12.gray("\nCreating vault..."));
-      try {
-        await initVault(repoFullName, accessToken);
-        console.log(pc12.green(`\u2713 Vault created for ${repoFullName}
-`));
-      } catch (error) {
-        const message = error instanceof Error ? error.message : "Failed to create vault";
-        console.error(pc12.red(`
-\u2717 ${message}`));
-        process.exit(1);
-      }
-    }
-    const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    let { projects: allProjects, connections } = await getAllProviderProjects(accessToken, provider.toLowerCase());
-    if (connections.length === 0) {
-      console.log(pc12.yellow(`
-Not connected to ${providerDisplayName}.`));
-      const { shouldConnect } = await prompts10({
-        type: "confirm",
-        name: "shouldConnect",
-        message: `Connect to ${providerDisplayName} now?`,
-        initial: true
-      });
-      if (!shouldConnect) {
-        console.log(pc12.gray("Cancelled."));
-        process.exit(0);
-      }
-      await connectCommand(provider, { loginPrompt: false });
-      const refreshed = await getAllProviderProjects(accessToken, provider.toLowerCase());
-      allProjects = refreshed.projects;
-      connections = refreshed.connections;
-      if (connections.length === 0) {
-        console.error(pc12.red(`
-Connection to ${providerDisplayName} failed.`));
-        process.exit(1);
-      }
-      console.log("");
-    }
-    let projects = allProjects.map((p) => ({
-      id: p.id,
-      name: p.name,
-      serviceId: p.serviceId,
-      serviceName: p.serviceName,
-      linkedRepo: p.linkedRepo,
-      environments: p.environments,
-      connectionId: p.connectionId,
-      teamId: p.teamId,
-      teamName: p.teamName
-    }));
-    if (options.team) {
-      const teamFilter = options.team.toLowerCase();
-      const filteredProjects = projects.filter(
-        (p) => p.teamId?.toLowerCase() === teamFilter || p.teamName?.toLowerCase() === teamFilter || // Match "personal" for null teamId
-        teamFilter === "personal" && !p.teamId
-      );
-      if (filteredProjects.length === 0) {
-        console.error(pc12.red(`No projects found for team: ${options.team}`));
-        console.log(pc12.gray("Available teams:"));
-        const teams = /* @__PURE__ */ new Set();
-        projects.forEach((p) => {
-          if (p.teamName) teams.add(p.teamName);
-          else if (p.teamId) teams.add(p.teamId);
-          else teams.add("personal");
-        });
-        teams.forEach((t) => console.log(pc12.gray(`  - ${t}`)));
-        process.exit(1);
-      }
-      projects = filteredProjects;
-      console.log(pc12.gray(`Filtered to ${projects.length} projects in team: ${options.team}`));
-    }
-    if (projects.length === 0) {
-      console.error(pc12.red(`No projects found in your ${providerDisplayName} account(s).`));
-      if (connections.length > 1) {
-        console.log(pc12.gray(`Checked ${connections.length} connected accounts.`));
-      }
-      process.exit(1);
-    }
-    if (connections.length > 1 && !options.team) {
-      console.log(pc12.gray(`Searching ${projects.length} projects across ${connections.length} ${providerDisplayName} accounts...`));
-    }
-    let selectedProject;
-    if (options.project) {
-      const found = projects.find(
-        (p) => p.id === options.project || p.name.toLowerCase() === options.project?.toLowerCase() || p.serviceName?.toLowerCase() === options.project?.toLowerCase()
-      );
-      if (!found) {
-        console.error(pc12.red(`Project not found: ${options.project}`));
-        console.log(pc12.gray("Available projects:"));
-        projects.forEach((p) => console.log(pc12.gray(`  - ${getProjectDisplayName(p)}`)));
-        process.exit(1);
-      }
-      selectedProject = found;
-      if (!projectMatchesRepo(selectedProject, repoFullName)) {
-        console.log("");
-        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
-        if (selectedProject.linkedRepo) {
-          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
-        }
-        console.log("");
-      }
-    } else {
-      const autoMatch = findMatchingProject(projects, repoFullName);
-      if (autoMatch && (autoMatch.matchType === "linked_repo" || autoMatch.matchType === "exact_name")) {
-        selectedProject = autoMatch.project;
-        const matchReason = autoMatch.matchType === "linked_repo" ? `linked to ${repoFullName}` : "exact name match";
-        let teamInfo = "";
-        if (selectedProject.teamName) {
-          teamInfo = pc12.gray(` (${selectedProject.teamName})`);
-        } else if (selectedProject.teamId && connections.length > 1) {
-          const shortTeamId = selectedProject.teamId.length > 12 ? selectedProject.teamId.slice(0, 12) + "..." : selectedProject.teamId;
-          teamInfo = pc12.gray(` (team:${shortTeamId})`);
-        }
-        console.log(pc12.green(`\u2713 Auto-selected project: ${getProjectDisplayName(selectedProject)}${teamInfo} (${matchReason})`));
-      } else if (autoMatch && autoMatch.matchType === "partial_name") {
-        const partialDisplayName = getProjectDisplayName(autoMatch.project);
-        console.log(pc12.yellow(`Detected project: ${partialDisplayName} (partial match)`));
-        const { useDetected } = await prompts10({
-          type: "confirm",
-          name: "useDetected",
-          message: `Use ${partialDisplayName}?`,
-          initial: true
-        });
-        if (useDetected) {
-          selectedProject = autoMatch.project;
-        } else {
-          const result = await selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, projects);
-          selectedProject = result.project;
-          projects = result.projects;
-        }
-      } else if (projects.length === 1) {
-        selectedProject = projects[0];
-        if (!projectMatchesRepo(selectedProject, repoFullName)) {
-          console.log("");
-          console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-          console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: Project does not match current repository     \u2502"));
-          console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-          console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
-          console.log(pc12.yellow(`  Only project:      ${getProjectDisplayName(selectedProject)}`));
-          if (selectedProject.linkedRepo) {
-            console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
-          }
-          console.log("");
-          const { continueAnyway } = await prompts10({
-            type: "confirm",
-            name: "continueAnyway",
-            message: "Continue anyway?",
-            initial: false
-          });
-          if (!continueAnyway) {
-            console.log(pc12.gray("Cancelled."));
-            process.exit(0);
-          }
-        }
-      } else {
-        console.log(pc12.yellow(`
-\u26A0\uFE0F  No matching project found for ${repoFullName}`));
-        console.log(pc12.gray("Select a project manually:\n"));
-        const result = await selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, projects);
-        selectedProject = result.project;
-        projects = result.projects;
-      }
-    }
-    if (!options.project && !projectMatchesRepo(selectedProject, repoFullName)) {
-      const autoMatch = findMatchingProject(projects, repoFullName);
-      if (autoMatch && autoMatch.project.id !== selectedProject.id) {
-        console.log("");
-        console.log(pc12.yellow("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
-        console.log(pc12.yellow("\u2502  \u26A0\uFE0F  WARNING: You selected a different project              \u2502"));
-        console.log(pc12.yellow("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
-        console.log(pc12.yellow(`  Current repo:      ${repoFullName}`));
-        console.log(pc12.yellow(`  Selected project:  ${getProjectDisplayName(selectedProject)}`));
-        if (selectedProject.linkedRepo) {
-          console.log(pc12.yellow(`  Project linked to: ${selectedProject.linkedRepo}`));
-        }
-        console.log("");
-        const { continueAnyway } = await prompts10({
-          type: "confirm",
-          name: "continueAnyway",
-          message: "Are you sure you want to sync with this project?",
-          initial: false
-        });
-        if (!continueAnyway) {
-          console.log(pc12.gray("Cancelled."));
-          process.exit(0);
-        }
-      }
-    }
-    const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    let keywayEnv = options.environment;
-    let providerEnv = options.providerEnv;
-    let direction = options.push ? "push" : options.pull ? "pull" : void 0;
-    const needsEnvPrompt = !options.environment;
-    const needsDirectionPrompt = !direction;
-    if (needsEnvPrompt || needsDirectionPrompt) {
-      if (needsEnvPrompt) {
-        const vaultEnvs = await getVaultEnvironments(accessToken, repoFullName);
-        const { selectedEnv } = await prompts10({
-          type: "select",
-          name: "selectedEnv",
-          message: "Keyway environment:",
-          choices: vaultEnvs.map((e) => ({ title: e, value: e })),
-          initial: Math.max(0, vaultEnvs.indexOf("production"))
-        });
-        if (!selectedEnv) {
-          console.log(pc12.gray("Cancelled."));
-          process.exit(0);
-        }
-        keywayEnv = selectedEnv;
-        if (!options.providerEnv) {
-          if (selectedProject.environments && selectedProject.environments.length > 0) {
-            const mappedEnv = mapToProviderEnvironment(provider, keywayEnv);
-            const envExists = selectedProject.environments.some(
-              (e) => e.toLowerCase() === mappedEnv.toLowerCase()
-            );
-            if (envExists) {
-              providerEnv = mappedEnv;
-            } else if (selectedProject.environments.length === 1) {
-              providerEnv = selectedProject.environments[0];
-              console.log(pc12.gray(`Using ${providerName} environment: ${providerEnv}`));
-            } else {
-              const { selectedProviderEnv } = await prompts10({
-                type: "select",
-                name: "selectedProviderEnv",
-                message: `${providerName} environment:`,
-                choices: selectedProject.environments.map((e) => ({ title: e, value: e })),
-                initial: Math.max(0, selectedProject.environments.findIndex(
-                  (e) => e.toLowerCase() === "production"
-                ))
-              });
-              if (!selectedProviderEnv) {
-                console.log(pc12.gray("Cancelled."));
-                process.exit(0);
-              }
-              providerEnv = selectedProviderEnv;
-            }
-          } else {
-            providerEnv = mapToProviderEnvironment(provider, keywayEnv);
-          }
-        }
-      }
-      let diff;
-      if (needsDirectionPrompt) {
-        const effectiveKeywayEnv = keywayEnv || "production";
-        const effectiveProviderEnv = providerEnv || mapToProviderEnvironment(provider, effectiveKeywayEnv);
-        console.log(pc12.gray("\nComparing secrets..."));
-        diff = await getSyncDiff(accessToken, repoFullName, {
-          connectionId: selectedProject.connectionId,
-          projectId: selectedProject.id,
-          serviceId: selectedProject.serviceId,
-          // Railway: service ID for service-specific variables
-          keywayEnvironment: effectiveKeywayEnv,
-          providerEnvironment: effectiveProviderEnv
-        });
-        displayDiffSummary(diff, providerName);
-        const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
-        if (totalDiff === 0) {
-          return;
-        }
-      }
-      if (needsDirectionPrompt && diff) {
-        let defaultDirection = 0;
-        if (diff.keywayCount === 0 && diff.providerCount > 0) {
-          defaultDirection = 1;
-        } else if (diff.providerCount === 0 && diff.keywayCount > 0) {
-          defaultDirection = 0;
-        }
-        const { selectedDirection } = await prompts10({
-          type: "select",
-          name: "selectedDirection",
-          message: "Sync direction:",
-          choices: [
-            { title: `Keyway \u2192 ${providerName}`, value: "push" },
-            { title: `${providerName} \u2192 Keyway`, value: "pull" }
-          ],
-          initial: defaultDirection
-        });
-        if (!selectedDirection) {
-          console.log(pc12.gray("Cancelled."));
-          process.exit(0);
-        }
-        direction = selectedDirection;
-      }
-    }
-    keywayEnv = keywayEnv || "production";
-    providerEnv = providerEnv || "production";
-    direction = direction || "push";
-    const status = await getSyncStatus(
-      accessToken,
-      repoFullName,
-      selectedProject.connectionId,
-      selectedProject.id,
-      keywayEnv
-    );
-    if (status.isFirstSync && direction === "push" && status.vaultIsEmpty && status.providerHasSecrets) {
-      console.log(pc12.yellow(`
-\u26A0\uFE0F  Your Keyway vault is empty for "${keywayEnv}", but ${providerName} has ${status.providerSecretCount} secrets.`));
-      console.log(pc12.gray(`   (Use --environment to sync a different environment)`));
-      const { importFirst } = await prompts10({
-        type: "confirm",
-        name: "importFirst",
-        message: `Import secrets from ${providerName} first?`,
-        initial: true
-      });
-      if (importFirst) {
-        await executeSyncOperation(
-          accessToken,
-          repoFullName,
-          selectedProject.connectionId,
-          selectedProject,
-          keywayEnv,
-          providerEnv,
-          "pull",
-          false,
-          // Never delete on import
-          options.yes || false,
-          provider
-        );
-        return;
-      }
-    }
-    await executeSyncOperation(
-      accessToken,
-      repoFullName,
-      selectedProject.connectionId,
-      selectedProject,
-      keywayEnv,
-      providerEnv,
-      direction,
-      options.allowDelete || false,
-      options.yes || false,
-      provider
-    );
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Sync failed";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "sync",
-      error: truncateMessage(message)
-    });
-    console.error(pc12.red(`
-\u2717 ${message}`));
-    process.exit(1);
-  }
-}
-async function executeSyncOperation(accessToken, repoFullName, connectionId, project, keywayEnv, providerEnv, direction, allowDelete, skipConfirm, provider) {
-  const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-  const preview = await getSyncPreview(accessToken, repoFullName, {
-    connectionId,
-    projectId: project.id,
-    serviceId: project.serviceId,
-    // Railway: service ID for service-specific variables
-    keywayEnvironment: keywayEnv,
-    providerEnvironment: providerEnv,
-    direction,
-    allowDelete
-  });
-  const totalChanges = preview.toCreate.length + preview.toUpdate.length + preview.toDelete.length;
-  if (totalChanges === 0) {
-    console.log(pc12.green("\n\u2713 Already in sync. No changes needed."));
-    return;
-  }
-  console.log(pc12.blue("\n\u{1F4CB} Sync Preview\n"));
-  if (preview.toCreate.length > 0) {
-    console.log(pc12.green(`  + ${preview.toCreate.length} to create`));
-    preview.toCreate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
-    if (preview.toCreate.length > 5) {
-      console.log(pc12.gray(`    ... and ${preview.toCreate.length - 5} more`));
-    }
-  }
-  if (preview.toUpdate.length > 0) {
-    console.log(pc12.yellow(`  ~ ${preview.toUpdate.length} to update`));
-    preview.toUpdate.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
-    if (preview.toUpdate.length > 5) {
-      console.log(pc12.gray(`    ... and ${preview.toUpdate.length - 5} more`));
-    }
-  }
-  if (preview.toDelete.length > 0) {
-    console.log(pc12.red(`  - ${preview.toDelete.length} to delete`));
-    preview.toDelete.slice(0, 5).forEach((key) => console.log(pc12.gray(`    ${key}`)));
-    if (preview.toDelete.length > 5) {
-      console.log(pc12.gray(`    ... and ${preview.toDelete.length - 5} more`));
-    }
-  }
-  if (preview.toSkip.length > 0) {
-    console.log(pc12.gray(`  \u25CB ${preview.toSkip.length} unchanged`));
-  }
-  console.log("");
-  if (!skipConfirm) {
-    const target = direction === "push" ? providerName : "Keyway";
-    const { confirm } = await prompts10({
-      type: "confirm",
-      name: "confirm",
-      message: `Apply ${totalChanges} changes to ${target}?`,
-      initial: true
-    });
-    if (!confirm) {
-      console.log(pc12.gray("Cancelled."));
-      return;
-    }
-  }
-  console.log(pc12.blue("\n\u23F3 Syncing...\n"));
-  const result = await executeSync(accessToken, repoFullName, {
-    connectionId,
-    projectId: project.id,
-    serviceId: project.serviceId,
-    // Railway: service ID for service-specific variables
-    keywayEnvironment: keywayEnv,
-    providerEnvironment: providerEnv,
-    direction,
-    allowDelete
-  });
-  if (result.success) {
-    console.log(pc12.green("\u2713 Sync complete"));
-    console.log(pc12.gray(`  Created: ${result.stats.created}`));
-    console.log(pc12.gray(`  Updated: ${result.stats.updated}`));
-    if (result.stats.deleted > 0) {
-      console.log(pc12.gray(`  Deleted: ${result.stats.deleted}`));
-    }
-    trackEvent(AnalyticsEvents.CLI_SYNC, {
-      provider,
-      direction,
-      created: result.stats.created,
-      updated: result.stats.updated,
-      deleted: result.stats.deleted
-    });
-  } else {
-    console.error(pc12.red(`
-\u2717 ${result.error}`));
-    process.exit(1);
-  }
-}
-// src/cli.ts
-process.on("unhandledRejection", (reason) => {
-  console.error(pc13.red("Unhandled error:"), reason);
-  process.exit(1);
-});
-var program = new Command();
-var TAGLINE = "Sync secrets with your team and infra";
-var showBanner = () => {
-  const text = pc13.bold(pc13.cyan("Keyway CLI"));
-  console.log(`
-${text}
-${pc13.gray(TAGLINE)}
-`);
-};
-showBanner();
-program.name("keyway").description(TAGLINE).version(package_default.version);
-program.command("init").description("Initialize a vault for the current repository").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await initCommand(options);
-});
-program.command("push").description("Upload secrets from an env file to the vault").option("-e, --env <environment>", "Environment name", "development").option("-f, --file <file>", "Env file to push").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await pushCommand(options);
-});
-program.command("pull").description("Download secrets from the vault to an env file").option("-e, --env <environment>", "Environment name", "development").option("-f, --file <file>", "Env file to write to").option("-y, --yes", "Overwrite target file without confirmation").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await pullCommand(options);
-});
-program.command("login").description("Authenticate with GitHub via Keyway").option("--token", "Authenticate using a GitHub fine-grained PAT").action(async (options) => {
-  await loginCommand(options);
-});
-program.command("logout").description("Clear stored Keyway credentials").action(async () => {
-  await logoutCommand();
-});
-program.command("doctor").description("Run environment checks to ensure Keyway runs smoothly").option("--json", "Output results as JSON for machine processing", false).option("--strict", "Treat warnings as failures", false).action(async (options) => {
-  await doctorCommand(options);
-});
-program.command("connect <provider>").description("Connect to an external provider (e.g., vercel)").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
-  await connectCommand(provider, options);
-});
-program.command("connections").description("List your provider connections").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await connectionsCommand(options);
-});
-program.command("disconnect <provider>").description("Disconnect from a provider").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
-  await disconnectCommand(provider, options);
-});
-program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--push", "Export secrets from Keyway to provider").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment (default: production)").option("--provider-env <env>", "Provider environment (default: production)").option("--project <project>", "Provider project name or ID").option("--team <team>", "Team/org name or ID (for multi-account)").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
-  await syncCommand(provider, options);
-});
-var ci = program.command("ci").description("CI/CD integration commands");
-ci.command("setup").description("Setup GitHub Actions integration (adds KEYWAY_TOKEN secret)").option("--repo <repo>", "Repository in owner/repo format (auto-detected)").action(async (options) => {
-  await ciSetupCommand(options);
-});
-(async () => {
-  await warnIfEnvNotGitignored();
-  await program.parseAsync();
-})().catch((error) => {
-  console.error(pc13.red("Error:"), error.message || error);
-  process.exit(1);
-});