@keywaysh/cli 0.2.0 → 0.3.2

package/dist/cli.js

@@ -1,3047 +0,0 @@
-#!/usr/bin/env node
-import {
-  clearAuth,
-  getAuthFilePath,
-  getStoredAuth,
-  saveAuthToken
-} from "./chunk-IVZM2JTT.js";
-
-// src/cli.ts
-import { Command } from "commander";
-
-// src/utils/ui.ts
-import * as p from "@clack/prompts";
-import pc from "picocolors";
-function intro2(command2) {
-  p.intro(pc.bgCyan(pc.black(` keyway ${command2} `)));
-}
-function outro2(message2) {
-  p.outro(message2);
-}
-function spinner2() {
-  return p.spinner();
-}
-function success(message2) {
-  p.log.success(message2);
-}
-function error(message2) {
-  p.log.error(message2);
-}
-function warn(message2) {
-  p.log.warn(message2);
-}
-function info(message2) {
-  p.log.info(message2);
-}
-function step(message2) {
-  p.log.step(message2);
-}
-function message(message2) {
-  p.log.message(message2);
-}
-function note2(message2, title) {
-  p.note(message2, title);
-}
-function cancel2(message2 = "Operation cancelled.") {
-  p.cancel(message2);
-  process.exit(0);
-}
-async function text2(options) {
-  const result = await p.text(options);
-  if (p.isCancel(result)) {
-    cancel2();
-  }
-  return result;
-}
-async function confirm2(options) {
-  const result = await p.confirm(options);
-  if (p.isCancel(result)) {
-    cancel2();
-  }
-  return result;
-}
-async function select2(options) {
-  const result = await p.select(options);
-  if (p.isCancel(result)) {
-    cancel2();
-  }
-  return result;
-}
-function link(url) {
-  return pc.underline(pc.cyan(url));
-}
-function command(cmd) {
-  return pc.cyan(cmd);
-}
-function file(path7) {
-  return pc.cyan(path7);
-}
-function value(val) {
-  return pc.cyan(String(val));
-}
-function dim(text3) {
-  return pc.dim(text3);
-}
-function bold(text3) {
-  return pc.bold(text3);
-}
-
-// src/utils/git.ts
-import { execSync } from "child_process";
-import fs from "fs";
-import path from "path";
-function getCurrentRepoFullName() {
-  try {
-    if (!isGitRepository()) {
-      throw new Error("Not in a git repository");
-    }
-    const remoteUrl = execSync("git config --get remote.origin.url", {
-      encoding: "utf-8"
-    }).trim();
-    return parseGitHubUrl(remoteUrl);
-  } catch (error2) {
-    throw new Error("Failed to get repository name. Make sure you are in a git repository with a GitHub remote.");
-  }
-}
-function isGitRepository() {
-  try {
-    execSync("git rev-parse --is-inside-work-tree", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function detectGitRepo() {
-  try {
-    const remoteUrl = execSync("git remote get-url origin", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    }).trim();
-    return parseGitHubUrl(remoteUrl);
-  } catch {
-    return null;
-  }
-}
-function parseGitHubUrl(url) {
-  const sshMatch = url.match(/git@github\.com:(.+)\/(.+)\.git/);
-  if (sshMatch) {
-    return `${sshMatch[1]}/${sshMatch[2]}`;
-  }
-  const httpsMatch = url.match(/https:\/\/github\.com\/(.+)\/(.+)\.git/);
-  if (httpsMatch) {
-    return `${httpsMatch[1]}/${httpsMatch[2]}`;
-  }
-  const httpsMatch2 = url.match(/https:\/\/github\.com\/(.+)\/(.+)/);
-  if (httpsMatch2) {
-    return `${httpsMatch2[1]}/${httpsMatch2[2]}`;
-  }
-  throw new Error(`Invalid GitHub URL: ${url}`);
-}
-function checkEnvGitignore() {
-  try {
-    const gitRoot = execSync("git rev-parse --show-toplevel", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    }).trim();
-    const gitignorePath = path.join(gitRoot, ".gitignore");
-    if (!fs.existsSync(gitignorePath)) {
-      return false;
-    }
-    const content = fs.readFileSync(gitignorePath, "utf-8");
-    const lines = content.split("\n").map((l) => l.trim());
-    const envPatterns = [".env", ".env*", ".env.*", "*.env"];
-    return envPatterns.some((pattern) => lines.includes(pattern));
-  } catch {
-    return true;
-  }
-}
-function addEnvToGitignore() {
-  try {
-    const gitRoot = execSync("git rev-parse --show-toplevel", {
-      encoding: "utf-8",
-      stdio: "pipe"
-    }).trim();
-    const gitignorePath = path.join(gitRoot, ".gitignore");
-    const envEntry = ".env*";
-    if (fs.existsSync(gitignorePath)) {
-      const content = fs.readFileSync(gitignorePath, "utf-8");
-      const newContent = content.endsWith("\n") ? `${content}${envEntry}
-` : `${content}
-${envEntry}
-`;
-      fs.writeFileSync(gitignorePath, newContent);
-    } else {
-      fs.writeFileSync(gitignorePath, `${envEntry}
-`);
-    }
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function warnIfEnvNotGitignored() {
-  if (checkEnvGitignore()) {
-    return;
-  }
-  warn(".env files are not in .gitignore - secrets may be committed");
-  const addToGitignore = await confirm2({
-    message: "Add .env* to .gitignore?",
-    initialValue: true
-  });
-  if (addToGitignore) {
-    if (addEnvToGitignore()) {
-      success("Added .env* to .gitignore");
-    } else {
-      error("Failed to update .gitignore");
-    }
-  }
-}
-
-// src/config/internal.ts
-var INTERNAL_API_URL = "https://api.keyway.sh";
-var INTERNAL_POSTHOG_KEY = "phc_duG0qqI5z8LeHrS9pNxR5KaD4djgD0nmzUxuD3zP0ov";
-var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
-
-// package.json
-var package_default = {
-  name: "@keywaysh/cli",
-  version: "0.2.0",
-  description: "Env vars that sync like code.",
-  type: "module",
-  bin: {
-    keyway: "./dist/cli.js"
-  },
-  main: "./dist/cli.js",
-  files: [
-    "dist"
-  ],
-  scripts: {
-    dev: "pnpm exec tsx src/cli.ts",
-    "dev:local": "NODE_TLS_REJECT_UNAUTHORIZED=0 KEYWAY_API_URL=https://localhost/api pnpm exec tsx src/cli.ts",
-    build: "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    prepublishOnly: "pnpm run build",
-    test: "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest",
-    "test:coverage": "pnpm exec vitest run --coverage",
-    release: "npm version patch && git push && git push --tags",
-    "release:minor": "npm version minor && git push && git push --tags",
-    "release:major": "npm version major && git push && git push --tags"
-  },
-  keywords: [
-    "secrets",
-    "env",
-    "keyway",
-    "cli",
-    "devops"
-  ],
-  author: "Nicolas Ritouet",
-  license: "MIT",
-  homepage: "https://keyway.sh",
-  repository: {
-    type: "git",
-    url: "https://github.com/keywaysh/cli.git"
-  },
-  bugs: {
-    url: "https://github.com/keywaysh/cli/issues"
-  },
-  packageManager: "pnpm@10.6.1",
-  engines: {
-    node: ">=18.0.0"
-  },
-  dependencies: {
-    "@octokit/rest": "^22.0.1",
-    "balanced-match": "^3.0.1",
-    commander: "^14.0.0",
-    conf: "^15.0.2",
-    "libsodium-wrappers": "^0.7.15",
-    open: "^11.0.0",
-    picocolors: "^1.1.1",
-    "posthog-node": "^3.5.0",
-    "@clack/prompts": "^0.9.1"
-  },
-  devDependencies: {
-    "@types/balanced-match": "^3.0.2",
-    "@types/libsodium-wrappers": "^0.7.14",
-    "@types/node": "^24.2.0",
-    "@vitest/coverage-v8": "^3.0.0",
-    msw: "^2.12.4",
-    tsup: "^8.5.0",
-    tsx: "^4.20.3",
-    typescript: "^5.9.2",
-    vitest: "^3.2.4"
-  }
-};
-
-// src/utils/api.ts
-var API_BASE_URL = process.env.KEYWAY_API_URL || INTERNAL_API_URL;
-var USER_AGENT = `keyway-cli/${package_default.version}`;
-var DEFAULT_TIMEOUT_MS = 3e4;
-function truncateMessage(message2, maxLength = 200) {
-  if (message2.length <= maxLength) return message2;
-  return message2.slice(0, maxLength - 3) + "...";
-}
-var NETWORK_ERROR_MESSAGES = {
-  ECONNREFUSED: "Cannot connect to Keyway API server. Is the server running?",
-  ECONNRESET: "Connection was reset. Please try again.",
-  ENOTFOUND: "DNS lookup failed. Check your internet connection.",
-  ETIMEDOUT: "Connection timed out. Check your network connection.",
-  ENETUNREACH: "Network is unreachable. Check your internet connection.",
-  EHOSTUNREACH: "Host is unreachable. Check your network connection.",
-  CERT_HAS_EXPIRED: "SSL certificate has expired. Contact support.",
-  UNABLE_TO_VERIFY_LEAF_SIGNATURE: "SSL certificate verification failed.",
-  EPROTO: "SSL/TLS protocol error. Try again later."
-};
-function handleNetworkError(error2) {
-  const errorCode = error2.code || error2.cause?.code;
-  if (errorCode && NETWORK_ERROR_MESSAGES[errorCode]) {
-    return new Error(NETWORK_ERROR_MESSAGES[errorCode]);
-  }
-  const message2 = error2.message.toLowerCase();
-  if (message2.includes("fetch failed") || message2.includes("network")) {
-    return new Error("Network error. Check your internet connection and try again.");
-  }
-  return error2;
-}
-async function fetchWithTimeout(url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    return await fetch(url, {
-      ...options,
-      signal: controller.signal
-    });
-  } catch (error2) {
-    if (error2 instanceof Error) {
-      if (error2.name === "AbortError") {
-        throw new Error(`Request timeout after ${timeoutMs / 1e3}s. Check your network connection.`);
-      }
-      throw handleNetworkError(error2);
-    }
-    throw error2;
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-function validateApiUrl(url) {
-  const parsed = new URL(url);
-  if (parsed.protocol !== "https:") {
-    const isLocalhost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "0.0.0.0";
-    if (!isLocalhost) {
-      throw new Error(
-        `Insecure API URL detected: ${url}
-HTTPS is required for security. If this is a development server, use localhost or configure HTTPS.`
-      );
-    }
-    if (!process.env.KEYWAY_DISABLE_SECURITY_WARNINGS) {
-      console.warn(
-        `\u26A0\uFE0F  WARNING: Using insecure HTTP connection to ${url}
-This should only be used for local development.
-Set KEYWAY_DISABLE_SECURITY_WARNINGS=1 to suppress this warning.`
-      );
-    }
-  }
-}
-validateApiUrl(API_BASE_URL);
-var APIError = class extends Error {
-  constructor(statusCode, error2, message2, upgradeUrl) {
-    super(message2);
-    this.statusCode = statusCode;
-    this.error = error2;
-    this.upgradeUrl = upgradeUrl;
-    this.name = "APIError";
-  }
-};
-async function handleResponse(response) {
-  const contentType = response.headers.get("content-type") || "";
-  const text3 = await response.text();
-  if (!response.ok) {
-    if (contentType.includes("application/json")) {
-      try {
-        const error2 = JSON.parse(text3);
-        throw new APIError(response.status, error2.title || "Error", error2.detail || `HTTP ${response.status}`, error2.upgradeUrl);
-      } catch (e) {
-        if (e instanceof APIError) throw e;
-        throw new APIError(response.status, "Error", text3 || `HTTP ${response.status}`);
-      }
-    }
-    throw new APIError(response.status, "Error", text3 || `HTTP ${response.status}`);
-  }
-  if (!text3) {
-    return {};
-  }
-  if (contentType.includes("application/json")) {
-    try {
-      return JSON.parse(text3);
-    } catch {
-    }
-  }
-  return { content: text3 };
-}
-async function initVault(repoFullName, accessToken) {
-  const body = { repoFullName };
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": USER_AGENT
-  };
-  if (accessToken) {
-    headers.Authorization = `Bearer ${accessToken}`;
-  }
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/vaults`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body)
-  });
-  const result = await handleResponse(response);
-  return result.data;
-}
-function parseEnvContent(content) {
-  const result = {};
-  const lines = content.split("\n");
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    const eqIndex = trimmed.indexOf("=");
-    if (eqIndex === -1) continue;
-    const key = trimmed.substring(0, eqIndex).trim();
-    let value2 = trimmed.substring(eqIndex + 1);
-    if (value2.startsWith('"') && value2.endsWith('"') || value2.startsWith("'") && value2.endsWith("'")) {
-      value2 = value2.slice(1, -1);
-    }
-    if (key) result[key] = value2;
-  }
-  return result;
-}
-async function pushSecrets(repoFullName, environment, content, accessToken) {
-  const secrets = parseEnvContent(content);
-  const body = { repoFullName, environment, secrets };
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": USER_AGENT
-  };
-  if (accessToken) {
-    headers.Authorization = `Bearer ${accessToken}`;
-  }
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/secrets/push`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body)
-  });
-  const result = await handleResponse(response);
-  return result.data;
-}
-async function pullSecrets(repoFullName, environment, accessToken) {
-  const headers = {
-    "Content-Type": "application/json",
-    "User-Agent": USER_AGENT
-  };
-  if (accessToken) {
-    headers.Authorization = `Bearer ${accessToken}`;
-  }
-  const params = new URLSearchParams({
-    repo: repoFullName,
-    environment
-  });
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/secrets/pull?${params}`, {
-    method: "GET",
-    headers
-  });
-  const result = await handleResponse(response);
-  return { content: result.data.content };
-}
-async function startDeviceLogin(repository) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/device/start`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT
-    },
-    body: JSON.stringify(repository ? { repository } : {})
-  });
-  return handleResponse(response);
-}
-async function pollDeviceLogin(deviceCode) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/device/poll`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT
-    },
-    body: JSON.stringify({ deviceCode })
-  });
-  return handleResponse(response);
-}
-async function validateToken(token) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/auth/token/validate`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${token}`
-    },
-    body: JSON.stringify({})
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getProviders() {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations`, {
-    method: "GET",
-    headers: {
-      "User-Agent": USER_AGENT
-    }
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getConnections(accessToken) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections`, {
-    method: "GET",
-    headers: {
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    }
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function deleteConnection(accessToken, connectionId) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/connections/${connectionId}`, {
-    method: "DELETE",
-    headers: {
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    }
-  });
-  await handleResponse(response);
-}
-function getProviderAuthUrl(provider, accessToken, redirectUri) {
-  const params = new URLSearchParams({ token: accessToken });
-  if (redirectUri) params.set("redirect_uri", redirectUri);
-  return `${API_BASE_URL}/v1/integrations/${provider}/authorize?${params}`;
-}
-async function getAllProviderProjects(accessToken, provider) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/providers/${provider}/all-projects`, {
-    method: "GET",
-    headers: {
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    }
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getSyncStatus(accessToken, repoFullName, connectionId, projectId, environment = "production") {
-  const [owner, repo] = repoFullName.split("/");
-  const params = new URLSearchParams({
-    connectionId,
-    projectId,
-    environment
-  });
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/status?${params}`,
-    {
-      method: "GET",
-      headers: {
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      }
-    }
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getSyncDiff(accessToken, repoFullName, options) {
-  const [owner, repo] = repoFullName.split("/");
-  const params = new URLSearchParams({
-    connectionId: options.connectionId,
-    projectId: options.projectId,
-    keywayEnvironment: options.keywayEnvironment || "production",
-    providerEnvironment: options.providerEnvironment || "production"
-  });
-  if (options.serviceId) {
-    params.set("serviceId", options.serviceId);
-  }
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/diff?${params}`,
-    {
-      method: "GET",
-      headers: {
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      }
-    },
-    6e4
-    // 60 seconds
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function getSyncPreview(accessToken, repoFullName, options) {
-  const [owner, repo] = repoFullName.split("/");
-  const params = new URLSearchParams({
-    connectionId: options.connectionId,
-    projectId: options.projectId,
-    keywayEnvironment: options.keywayEnvironment || "production",
-    providerEnvironment: options.providerEnvironment || "production",
-    direction: options.direction || "push",
-    allowDelete: String(options.allowDelete || false)
-  });
-  if (options.serviceId) {
-    params.set("serviceId", options.serviceId);
-  }
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync/preview?${params}`,
-    {
-      method: "GET",
-      headers: {
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      }
-    },
-    6e4
-    // 60 seconds for sync operations
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function executeSync(accessToken, repoFullName, options) {
-  const [owner, repo] = repoFullName.split("/");
-  const response = await fetchWithTimeout(
-    `${API_BASE_URL}/v1/integrations/vaults/${owner}/${repo}/sync`,
-    {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "User-Agent": USER_AGENT,
-        Authorization: `Bearer ${accessToken}`
-      },
-      body: JSON.stringify({
-        connectionId: options.connectionId,
-        projectId: options.projectId,
-        serviceId: options.serviceId,
-        keywayEnvironment: options.keywayEnvironment || "production",
-        providerEnvironment: options.providerEnvironment || "production",
-        direction: options.direction || "push",
-        allowDelete: options.allowDelete || false
-      })
-    },
-    12e4
-    // 2 minutes for sync execution
-  );
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function connectWithToken(accessToken, provider, providerToken) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/integrations/${provider}/connect`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    },
-    body: JSON.stringify({ token: providerToken })
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-async function checkVaultExists(accessToken, repoFullName) {
-  const [owner, repo] = repoFullName.split("/");
-  try {
-    const response = await fetchWithTimeout(
-      `${API_BASE_URL}/v1/vaults/${owner}/${repo}`,
-      {
-        method: "GET",
-        headers: {
-          "User-Agent": USER_AGENT,
-          Authorization: `Bearer ${accessToken}`
-        }
-      }
-    );
-    return response.ok;
-  } catch {
-    return false;
-  }
-}
-async function getVaultEnvironments(accessToken, repoFullName) {
-  const [owner, repo] = repoFullName.split("/");
-  try {
-    const response = await fetchWithTimeout(
-      `${API_BASE_URL}/v1/vaults/${owner}/${repo}`,
-      {
-        method: "GET",
-        headers: {
-          "User-Agent": USER_AGENT,
-          Authorization: `Bearer ${accessToken}`
-        }
-      }
-    );
-    const wrapped = await handleResponse(response);
-    return wrapped.data.environments || ["production"];
-  } catch {
-    return ["production"];
-  }
-}
-async function checkGitHubAppInstallation(repoOwner, repoName, accessToken) {
-  const response = await fetchWithTimeout(`${API_BASE_URL}/v1/github/check-installation`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "User-Agent": USER_AGENT,
-      Authorization: `Bearer ${accessToken}`
-    },
-    body: JSON.stringify({ repoOwner, repoName })
-  });
-  const wrapped = await handleResponse(response);
-  return wrapped.data;
-}
-
-// src/utils/analytics.ts
-import { PostHog } from "posthog-node";
-import crypto from "crypto";
-import path2 from "path";
-import os from "os";
-import fs2 from "fs";
-var posthog = null;
-var distinctId = null;
-var CONFIG_DIR = path2.join(os.homedir(), ".config", "keyway");
-var ID_FILE = path2.join(CONFIG_DIR, "id.json");
-var TELEMETRY_DISABLED = process.env.KEYWAY_DISABLE_TELEMETRY === "1";
-var CI = process.env.CI === "true" || process.env.CI === "1";
-function getDistinctId() {
-  if (distinctId) return distinctId;
-  try {
-    if (!fs2.existsSync(CONFIG_DIR)) {
-      fs2.mkdirSync(CONFIG_DIR, { recursive: true });
-    }
-    if (fs2.existsSync(ID_FILE)) {
-      const content = fs2.readFileSync(ID_FILE, "utf-8");
-      const config2 = JSON.parse(content);
-      distinctId = config2.distinctId;
-      return distinctId;
-    }
-    distinctId = crypto.randomUUID();
-    const config = { distinctId };
-    fs2.writeFileSync(ID_FILE, JSON.stringify(config, null, 2), { encoding: "utf-8", mode: 384 });
-    try {
-      fs2.chmodSync(ID_FILE, 384);
-    } catch {
-    }
-    return distinctId;
-  } catch (error2) {
-    console.warn("Failed to persist distinct ID, using session-based ID");
-    distinctId = `session-${crypto.randomUUID()}`;
-    return distinctId;
-  }
-}
-function initPostHog() {
-  if (posthog) return;
-  if (TELEMETRY_DISABLED) return;
-  const apiKey = process.env.KEYWAY_POSTHOG_KEY || INTERNAL_POSTHOG_KEY;
-  if (!apiKey) return;
-  posthog = new PostHog(apiKey, {
-    host: process.env.KEYWAY_POSTHOG_HOST || INTERNAL_POSTHOG_HOST
-  });
-}
-function trackEvent(event, properties) {
-  try {
-    if (TELEMETRY_DISABLED) return;
-    if (!posthog) initPostHog();
-    if (!posthog) return;
-    const id = getDistinctId();
-    const sanitizedProperties = properties ? sanitizeProperties(properties) : {};
-    posthog.capture({
-      distinctId: id,
-      event,
-      properties: {
-        ...sanitizedProperties,
-        source: "cli",
-        platform: process.platform,
-        nodeVersion: process.version,
-        version: package_default.version,
-        ci: CI
-      }
-    });
-  } catch (error2) {
-    console.debug("Analytics error:", error2);
-  }
-}
-function sanitizeProperties(properties) {
-  const sanitized = {};
-  for (const [key, value2] of Object.entries(properties)) {
-    if (key.toLowerCase().includes("secret") || key.toLowerCase().includes("token") || key.toLowerCase().includes("password") || key.toLowerCase().includes("content") || key.toLowerCase().includes("key") || key.toLowerCase().includes("value")) {
-      continue;
-    }
-    if (value2 && typeof value2 === "string" && value2.length > 500) {
-      sanitized[key] = `${value2.slice(0, 200)}...`;
-      continue;
-    }
-    sanitized[key] = value2;
-  }
-  return sanitized;
-}
-async function shutdownAnalytics() {
-  if (posthog) {
-    await posthog.shutdown();
-  }
-}
-function identifyUser(userId, properties) {
-  try {
-    if (TELEMETRY_DISABLED) return;
-    if (!posthog) initPostHog();
-    if (!posthog) return;
-    const sanitizedProperties = properties ? sanitizeProperties(properties) : {};
-    posthog.identify({
-      distinctId: userId,
-      properties: {
-        ...sanitizedProperties,
-        source: "cli"
-      }
-    });
-    const anonId = getDistinctId();
-    if (anonId && anonId !== userId) {
-      posthog.alias({
-        distinctId: userId,
-        alias: anonId
-      });
-    }
-  } catch (error2) {
-    console.debug("Analytics identify error:", error2);
-  }
-}
-var AnalyticsEvents = {
-  CLI_INIT: "cli_init",
-  CLI_PUSH: "cli_push",
-  CLI_PULL: "cli_pull",
-  CLI_ERROR: "cli_error",
-  CLI_LOGIN: "cli_login",
-  CLI_DOCTOR: "cli_doctor",
-  CLI_CONNECT: "cli_connect",
-  CLI_DISCONNECT: "cli_disconnect",
-  CLI_SYNC: "cli_sync",
-  CLI_FEEDBACK: "cli_feedback"
-};
-
-// src/cmds/readme.ts
-import fs3 from "fs";
-import path3 from "path";
-import balanced from "balanced-match";
-function generateBadge(repo) {
-  return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/vaults/${repo})`;
-}
-var BADGE_PREFIX = /\[!\[[^\]]*\]\([^)]*\)\]\(/g;
-var H1_PATTERN = /^#\s+/;
-var CODE_FENCE = /^```/;
-function findLastBadgeEnd(line) {
-  let lastEnd = -1;
-  let match;
-  BADGE_PREFIX.lastIndex = 0;
-  while ((match = BADGE_PREFIX.exec(line)) !== null) {
-    const prefixEnd = match.index + match[0].length - 1;
-    const remainder = line.substring(prefixEnd);
-    const balancedMatch = balanced("(", ")", remainder);
-    if (balancedMatch) {
-      lastEnd = prefixEnd + balancedMatch.end + 1;
-    }
-  }
-  return lastEnd;
-}
-function insertBadgeIntoReadme(readmeContent, badge) {
-  if (readmeContent.includes("keyway.sh/badge.svg")) {
-    return readmeContent;
-  }
-  const lines = readmeContent.split(/\r?\n/);
-  let inCodeBlock = false;
-  let inHtmlComment = false;
-  let lastBadgeLine = -1;
-  let lastBadgeEndIndex = -1;
-  let firstH1Line = -1;
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (CODE_FENCE.test(trimmed)) {
-      inCodeBlock = !inCodeBlock;
-      continue;
-    }
-    if (inCodeBlock) continue;
-    if (trimmed.includes("<!--")) inHtmlComment = true;
-    if (trimmed.includes("-->")) {
-      inHtmlComment = false;
-      continue;
-    }
-    if (inHtmlComment) continue;
-    BADGE_PREFIX.lastIndex = 0;
-    if (BADGE_PREFIX.test(line)) {
-      lastBadgeLine = i;
-      lastBadgeEndIndex = findLastBadgeEnd(line);
-    }
-    if (firstH1Line === -1 && H1_PATTERN.test(line)) {
-      firstH1Line = i;
-    }
-  }
-  if (lastBadgeLine >= 0 && lastBadgeEndIndex > 0) {
-    const line = lines[lastBadgeLine];
-    lines[lastBadgeLine] = line.slice(0, lastBadgeEndIndex) + " " + badge + line.slice(lastBadgeEndIndex);
-    return lines.join("\n");
-  }
-  if (firstH1Line >= 0) {
-    const before = lines.slice(0, firstH1Line + 1);
-    const after = lines.slice(firstH1Line + 1);
-    while (after.length > 0 && after[0].trim() === "") {
-      after.shift();
-    }
-    if (after.length > 0) {
-      return [...before, "", badge, "", ...after].join("\n");
-    } else {
-      return [...before, "", badge, ""].join("\n");
-    }
-  }
-  return `${badge}
-
-${readmeContent}`;
-}
-function findReadmePath(cwd) {
-  const candidates = ["README.md", "readme.md", "Readme.md"];
-  for (const candidate of candidates) {
-    const candidatePath = path3.join(cwd, candidate);
-    if (fs3.existsSync(candidatePath)) {
-      return candidatePath;
-    }
-  }
-  return null;
-}
-async function ensureReadme(repoName, cwd) {
-  const existing = findReadmePath(cwd);
-  if (existing) return existing;
-  const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-  if (!isInteractive2) {
-    warn('No README found. Run "keyway readme add-badge" from a repo with a README.');
-    return null;
-  }
-  const confirm3 = await confirm2({
-    message: "No README found. Create a default README.md?",
-    initialValue: false
-  });
-  if (!confirm3) {
-    warn("Skipping badge insertion (no README).");
-    return null;
-  }
-  const defaultPath = path3.join(cwd, "README.md");
-  const content = `# ${repoName}
-
-`;
-  fs3.writeFileSync(defaultPath, content, "utf-8");
-  return defaultPath;
-}
-async function addBadgeToReadme(silent = false) {
-  const repo = detectGitRepo();
-  if (!repo) {
-    throw new Error("This directory is not a Git repository.");
-  }
-  const cwd = process.cwd();
-  const readmePath = await ensureReadme(repo, cwd);
-  if (!readmePath) return false;
-  const badge = generateBadge(repo);
-  const content = fs3.readFileSync(readmePath, "utf-8");
-  const updated = insertBadgeIntoReadme(content, badge);
-  if (updated === content) {
-    if (!silent) {
-      info("Keyway badge already present in README.");
-    }
-    return false;
-  }
-  fs3.writeFileSync(readmePath, updated, "utf-8");
-  if (!silent) {
-    success(`Keyway badge added to ${path3.basename(readmePath)}`);
-  }
-  return true;
-}
-
-// src/cmds/push.ts
-import pc3 from "picocolors";
-import fs5 from "fs";
-import path5 from "path";
-
-// src/cmds/login.ts
-import pc2 from "picocolors";
-import * as p2 from "@clack/prompts";
-
-// src/utils/helpers.ts
-import open from "open";
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function openUrl(url) {
-  message(dim(`Open this URL in your browser:
-${url}`));
-  await open(url).catch(() => {
-  });
-}
-function isInteractive() {
-  return Boolean(process.stdout.isTTY && process.stdin.isTTY && !process.env.CI);
-}
-function showUpgradePrompt(message2, upgradeUrl) {
-  note2(`${message2}
-
-Upgrade: ${link(upgradeUrl)}`, "Plan Limit Reached");
-}
-var MAX_CONSECUTIVE_ERRORS = 5;
-
-// src/cmds/login.ts
-async function runLoginFlow() {
-  const repoName = detectGitRepo();
-  const start = await startDeviceLogin(repoName);
-  const verifyUrl = start.verificationUriComplete || start.verificationUri;
-  if (!verifyUrl) {
-    throw new Error("Missing verification URL from the auth server.");
-  }
-  step(`Code: ${pc2.bold(pc2.green(start.userCode))}`);
-  await openUrl(verifyUrl);
-  const s = spinner2();
-  s.start("Waiting for authorization...");
-  const pollIntervalMs = (start.interval ?? 5) * 1e3;
-  const maxTimeoutMs = Math.min((start.expiresIn ?? 900) * 1e3, 30 * 60 * 1e3);
-  const startTime = Date.now();
-  let consecutiveErrors = 0;
-  while (true) {
-    if (Date.now() - startTime > maxTimeoutMs) {
-      s.stop("Login timed out");
-      throw new Error('Login timed out. Please run "keyway login" again.');
-    }
-    await sleep(pollIntervalMs);
-    try {
-      const result = await pollDeviceLogin(start.deviceCode);
-      consecutiveErrors = 0;
-      if (result.status === "pending") {
-        continue;
-      }
-      if (result.status === "approved" && result.keywayToken) {
-        await saveAuthToken(result.keywayToken, {
-          githubLogin: result.githubLogin,
-          expiresAt: result.expiresAt
-        });
-        trackEvent(AnalyticsEvents.CLI_LOGIN, {
-          method: "device",
-          repo: repoName
-        });
-        if (result.githubLogin) {
-          identifyUser(result.githubLogin, {
-            github_username: result.githubLogin,
-            login_method: "device"
-          });
-        }
-        s.stop("Authorized");
-        success(`Logged in as ${value(`@${result.githubLogin}`)}`);
-        return result.keywayToken;
-      }
-      s.stop("Authorization failed");
-      throw new Error(result.message || "Authentication failed");
-    } catch (error2) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
-        s.stop("Login failed");
-        throw new Error(`Login failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-}
-async function ensureLogin(options = {}) {
-  const envToken = process.env.KEYWAY_TOKEN;
-  if (envToken) {
-    return envToken;
-  }
-  if (process.env.GITHUB_TOKEN && !process.env.KEYWAY_TOKEN) {
-    warn("GITHUB_TOKEN found but not used. Set KEYWAY_TOKEN for Keyway authentication.");
-  }
-  const stored = await getStoredAuth();
-  if (stored?.keywayToken) {
-    return stored.keywayToken;
-  }
-  const allowPrompt = options.allowPrompt !== false;
-  const canPrompt = allowPrompt && isInteractive();
-  if (!canPrompt) {
-    throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
-  }
-  const proceed = await confirm2({
-    message: "No Keyway session found. Open browser to sign in?",
-    initialValue: true
-  });
-  if (!proceed) {
-    throw new Error("Login required. Aborting.");
-  }
-  return runLoginFlow();
-}
-async function runTokenLogin() {
-  const repoName = detectGitRepo();
-  if (repoName) {
-    step(`Detected repository: ${value(repoName)}`);
-  }
-  const description = repoName ? `Keyway CLI for ${repoName}` : "Keyway CLI";
-  const url = `https://github.com/settings/personal-access-tokens/new?description=${encodeURIComponent(description)}`;
-  await openUrl(url);
-  info("Select the detected repo (or scope manually).");
-  message(dim("Permissions: Metadata \u2192 Read-only; Account permissions: None."));
-  const token = await p2.password({
-    message: "Paste your GitHub PAT:",
-    validate: (value2) => {
-      if (!value2 || typeof value2 !== "string") return "Token is required";
-      if (!value2.startsWith("github_pat_")) return "Token must start with github_pat_";
-      return void 0;
-    }
-  });
-  if (p2.isCancel(token)) {
-    cancel2("Login cancelled.");
-  }
-  if (!token || typeof token !== "string") {
-    throw new Error("Token is required.");
-  }
-  const trimmedToken = token.trim();
-  if (!trimmedToken.startsWith("github_pat_")) {
-    throw new Error("Token must start with github_pat_.");
-  }
-  const s = spinner2();
-  s.start("Validating token...");
-  const validation = await validateToken(trimmedToken);
-  await saveAuthToken(trimmedToken, {
-    githubLogin: validation.username
-  });
-  trackEvent(AnalyticsEvents.CLI_LOGIN, {
-    method: "pat",
-    repo: repoName
-  });
-  identifyUser(validation.username, {
-    github_username: validation.username,
-    login_method: "pat"
-  });
-  s.stop("Token validated");
-  success(`Logged in as ${value(`@${validation.username}`)}`);
-  return trimmedToken;
-}
-async function loginCommand(options = {}) {
-  intro2("login");
-  try {
-    if (options.token) {
-      await runTokenLogin();
-    } else {
-      await runLoginFlow();
-    }
-    outro2("Ready to sync secrets!");
-  } catch (error2) {
-    const message2 = error2 instanceof Error ? error2.message : "Unexpected login error";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "login",
-      error: truncateMessage(message2)
-    });
-    error(message2);
-    process.exit(1);
-  }
-}
-async function logoutCommand() {
-  intro2("logout");
-  clearAuth();
-  success("Logged out of Keyway");
-  outro2(dim(`Auth cache cleared: ${getAuthFilePath()}`));
-}
-
-// src/utils/env.ts
-import fs4 from "fs";
-import path4 from "path";
-async function promptCreateEnvFile() {
-  const createEnv = await confirm2({
-    message: "No .env file found. Create one?",
-    initialValue: true
-  });
-  if (!createEnv) {
-    return false;
-  }
-  const envFilePath = path4.join(process.cwd(), ".env");
-  fs4.writeFileSync(envFilePath, "# Add your environment variables here\n# Example: API_KEY=your-api-key\n");
-  success("Created .env file");
-  return true;
-}
-
-// src/cmds/push.ts
-function deriveEnvFromFile(file2) {
-  const base = path5.basename(file2);
-  const match = base.match(/\.env(?:\.(.+))?$/);
-  if (match) {
-    return match[1] || "development";
-  }
-  return "development";
-}
-function discoverEnvCandidates(cwd) {
-  try {
-    const entries = fs5.readdirSync(cwd);
-    const hasEnvLocal = entries.includes(".env.local");
-    if (hasEnvLocal) {
-      info("Detected .env.local \u2014 not synced by design (machine-specific secrets)");
-    }
-    const candidates = entries.filter((name) => name.startsWith(".env") && name !== ".env.local").map((name) => {
-      const fullPath = path5.join(cwd, name);
-      try {
-        const stat = fs5.statSync(fullPath);
-        if (!stat.isFile()) return null;
-        return { file: name, env: deriveEnvFromFile(name) };
-      } catch {
-        return null;
-      }
-    }).filter((c) => Boolean(c));
-    const seen = /* @__PURE__ */ new Set();
-    const unique = [];
-    for (const c of candidates) {
-      if (seen.has(c.file)) continue;
-      seen.add(c.file);
-      unique.push(c);
-    }
-    return unique;
-  } catch {
-    return [];
-  }
-}
-async function pushCommand(options) {
-  intro2("push");
-  await warnIfEnvNotGitignored();
-  try {
-    const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-    let environment = options.env;
-    let envFile = options.file;
-    const candidates = discoverEnvCandidates(process.cwd());
-    if (candidates.length === 0 && !envFile) {
-      if (!isInteractive2) {
-        throw new Error("No .env file found. Create a .env file first, or use --file <path> to specify one.");
-      }
-      const created = await promptCreateEnvFile();
-      if (!created) {
-        throw new Error("No .env file found.");
-      }
-      message(dim("Add your variables and run keyway push again"));
-      return;
-    }
-    if (environment && !envFile) {
-      const match = candidates.find((c) => c.env === environment);
-      if (match) {
-        envFile = match.file;
-      }
-    }
-    if (!environment && !envFile && isInteractive2 && candidates.length > 0) {
-      const choice = await select2({
-        message: "Select an env file to push:",
-        options: [
-          ...candidates.map((c) => ({
-            label: `${c.file} (env: ${c.env})`,
-            value: c.file
-          })),
-          { label: "Enter a different file...", value: "__custom__" }
-        ]
-      });
-      if (choice && choice !== "__custom__") {
-        envFile = choice;
-        const matched = candidates.find((c) => c.file === envFile);
-        environment = matched?.env;
-      } else if (choice === "__custom__") {
-        const fileInput = await text2({
-          message: "Path to env file:",
-          validate: (value2) => {
-            if (!value2) return "Path is required";
-            const resolved = path5.resolve(process.cwd(), value2);
-            if (!fs5.existsSync(resolved)) return `File not found: ${value2}`;
-            return void 0;
-          }
-        });
-        envFile = fileInput;
-        environment = deriveEnvFromFile(fileInput);
-      }
-    }
-    if (!environment) {
-      environment = "development";
-    }
-    if (!envFile) {
-      envFile = ".env";
-    }
-    const envFilePath = path5.resolve(process.cwd(), envFile);
-    if (!fs5.existsSync(envFilePath)) {
-      throw new Error(`File not found: ${envFile}`);
-    }
-    const content = fs5.readFileSync(envFilePath, "utf-8");
-    if (content.trim().length === 0) {
-      throw new Error(`File is empty: ${envFile}`);
-    }
-    const lines = content.split("\n").filter((line) => {
-      const trimmed = line.trim();
-      return trimmed.length > 0 && !trimmed.startsWith("#");
-    });
-    step(`File: ${file(envFile)}`);
-    step(`Environment: ${value(environment)}`);
-    step(`Variables: ${value(lines.length)}`);
-    const repoFullName = getCurrentRepoFullName();
-    step(`Repository: ${value(repoFullName)}`);
-    if (!options.yes) {
-      if (!isInteractive2) {
-        throw new Error("Confirmation required. Re-run with --yes in non-interactive environments.");
-      }
-      const confirm3 = await confirm2({
-        message: `Push ${lines.length} secrets from ${envFile} to ${repoFullName}?`,
-        initialValue: true
-      });
-      if (!confirm3) {
-        warn("Push aborted.");
-        return;
-      }
-    }
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    trackEvent(AnalyticsEvents.CLI_PUSH, {
-      repoFullName,
-      environment,
-      variableCount: lines.length
-    });
-    const s = spinner2();
-    s.start("Uploading secrets...");
-    const response = await pushSecrets(repoFullName, environment, content, accessToken);
-    s.stop("Uploaded");
-    success(response.message);
-    if (response.stats) {
-      const { created, updated, deleted } = response.stats;
-      const parts = [];
-      if (created > 0) parts.push(pc3.green(`+${created} created`));
-      if (updated > 0) parts.push(pc3.yellow(`~${updated} updated`));
-      if (deleted > 0) parts.push(pc3.red(`-${deleted} deleted`));
-      if (parts.length > 0) {
-        message(`Stats: ${parts.join(", ")}`);
-      }
-    }
-    const dashboardLink = `https://www.keyway.sh/dashboard/vaults/${repoFullName}`;
-    outro2(`Dashboard: ${link(dashboardLink)}`);
-    await shutdownAnalytics();
-  } catch (error2) {
-    let message2;
-    let hint = null;
-    if (error2 instanceof APIError) {
-      message2 = error2.message || `HTTP ${error2.statusCode} - ${error2.error}`;
-      const envNotFoundMatch = message2.match(/Environment '([^']+)' does not exist.*Available environments: ([^.]+)/);
-      if (envNotFoundMatch) {
-        const requestedEnv = envNotFoundMatch[1];
-        const availableEnvs = envNotFoundMatch[2];
-        message2 = `Environment '${requestedEnv}' does not exist in this vault.`;
-        hint = `Available environments: ${availableEnvs}
-Use ${command(`keyway push --env <environment>`)} to specify one.`;
-      }
-      if (error2.statusCode === 403 && (error2.upgradeUrl || message2.toLowerCase().includes("read-only"))) {
-        const upgradeMessage = message2.toLowerCase().includes("read-only") ? "This vault is read-only on your current plan." : message2;
-        const upgradeUrl = error2.upgradeUrl || "https://keyway.sh/settings";
-        trackEvent(AnalyticsEvents.CLI_ERROR, {
-          command: "push",
-          error: upgradeMessage
-        });
-        await shutdownAnalytics();
-        showUpgradePrompt(upgradeMessage, upgradeUrl);
-        process.exit(1);
-      }
-    } else if (error2 instanceof Error) {
-      message2 = truncateMessage(error2.message);
-    } else {
-      message2 = "Unknown error";
-    }
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "push",
-      error: message2
-    });
-    await shutdownAnalytics();
-    error(message2);
-    if (hint) {
-      message(dim(hint));
-    }
-    process.exit(1);
-  }
-}
-
-// src/cmds/init.ts
-var DASHBOARD_URL = "https://www.keyway.sh/dashboard/vaults";
-var POLL_INTERVAL_MS = 3e3;
-var POLL_TIMEOUT_MS = 12e4;
-async function ensureLoginAndGitHubApp(repoFullName, options = {}) {
-  const [repoOwner, repoName] = repoFullName.split("/");
-  const envToken = process.env.KEYWAY_TOKEN;
-  if (envToken) {
-    const result = await ensureGitHubAppInstalledOnly(repoFullName, envToken);
-    if (result === null) {
-      throw new Error("KEYWAY_TOKEN is invalid or expired. Please update the token.");
-    }
-    return result;
-  }
-  const stored = await getStoredAuth();
-  if (stored?.keywayToken) {
-    const result = await ensureGitHubAppInstalledOnly(repoFullName, stored.keywayToken);
-    if (result !== null) {
-      return result;
-    }
-  }
-  const allowPrompt = options.allowPrompt !== false;
-  if (!allowPrompt || !isInteractive()) {
-    throw new Error('No Keyway session found. Run "keyway login" to authenticate.');
-  }
-  const deviceStart = await startDeviceLogin(repoFullName);
-  const installUrl = deviceStart.githubAppInstallUrl || "https://github.com/apps/keyway/installations/new";
-  const shouldProceed = await confirm2({
-    message: "Open browser to sign in?",
-    initialValue: true
-  });
-  if (!shouldProceed) {
-    throw new Error('Setup required. Run "keyway init" when ready.');
-  }
-  await openUrl(deviceStart.verificationUriComplete);
-  const loginSpinner = spinner2();
-  loginSpinner.start("Waiting for authorization...");
-  const pollIntervalMs = Math.max((deviceStart.interval ?? 5) * 1e3, POLL_INTERVAL_MS);
-  const startTime = Date.now();
-  let accessToken = null;
-  let consecutiveErrors = 0;
-  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
-    await sleep(pollIntervalMs);
-    try {
-      const result = await pollDeviceLogin(deviceStart.deviceCode);
-      if (result.status === "approved" && result.keywayToken) {
-        accessToken = result.keywayToken;
-        await saveAuthToken(result.keywayToken, {
-          githubLogin: result.githubLogin,
-          expiresAt: result.expiresAt
-        });
-        loginSpinner.stop("Signed in!");
-        if (result.githubLogin) {
-          identifyUser(result.githubLogin, {
-            github_username: result.githubLogin,
-            login_method: "device_flow"
-          });
-        }
-        break;
-      }
-      consecutiveErrors = 0;
-    } catch (error2) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        loginSpinner.stop("Failed");
-        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
-        throw new Error(`Login failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-  if (!accessToken) {
-    loginSpinner.stop("Timeout");
-    warn("Timed out waiting for sign in.");
-    throw new Error("Sign in timed out. Please try again.");
-  }
-  const installStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-  if (installStatus.installed) {
-    success("GitHub App installed");
-    return accessToken;
-  }
-  warn("GitHub App not installed on this repository");
-  message(dim("The Keyway GitHub App is required for secure access."));
-  const shouldInstall = await confirm2({
-    message: "Open browser to install GitHub App?",
-    initialValue: true
-  });
-  if (!shouldInstall) {
-    message(dim(`Install later: ${installUrl}`));
-    throw new Error("GitHub App installation required.");
-  }
-  await openUrl(installUrl);
-  const installSpinner = spinner2();
-  installSpinner.start("Waiting for GitHub App installation...");
-  const installStartTime = Date.now();
-  consecutiveErrors = 0;
-  while (Date.now() - installStartTime < POLL_TIMEOUT_MS) {
-    await sleep(POLL_INTERVAL_MS);
-    try {
-      const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-      if (pollStatus.installed) {
-        installSpinner.stop("GitHub App installed!");
-        return accessToken;
-      }
-      consecutiveErrors = 0;
-    } catch (error2) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        installSpinner.stop("Failed");
-        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
-        throw new Error(`Installation check failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-  installSpinner.stop("Timeout");
-  warn("Timed out waiting for installation.");
-  message(dim(`Install the GitHub App: ${installUrl}`));
-  throw new Error("GitHub App installation timed out.");
-}
-async function ensureGitHubAppInstalledOnly(repoFullName, accessToken) {
-  const [repoOwner, repoName] = repoFullName.split("/");
-  let status;
-  try {
-    status = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-  } catch (error2) {
-    if (error2 instanceof APIError && error2.statusCode === 401) {
-      warn("Session expired or invalid. Clearing credentials...");
-      const { clearAuth: clearAuth2 } = await import("./auth-64V3RWUK.js");
-      clearAuth2();
-      return null;
-    }
-    throw error2;
-  }
-  if (status.installed) {
-    return accessToken;
-  }
-  warn("GitHub App not installed for this repository");
-  message(dim("The Keyway GitHub App is required to securely manage secrets."));
-  message(dim("It only requests minimal permissions (repository metadata)."));
-  if (!isInteractive()) {
-    message(dim(`Install the Keyway GitHub App: ${status.installUrl}`));
-    throw new Error("GitHub App installation required.");
-  }
-  const shouldInstall = await confirm2({
-    message: "Open browser to install Keyway GitHub App?",
-    initialValue: true
-  });
-  if (!shouldInstall) {
-    message(dim(`You can install later: ${status.installUrl}`));
-    throw new Error("GitHub App installation required.");
-  }
-  await openUrl(status.installUrl);
-  const s = spinner2();
-  s.start("Waiting for GitHub App installation...");
-  const startTime = Date.now();
-  let consecutiveErrors = 0;
-  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
-    await sleep(POLL_INTERVAL_MS);
-    try {
-      const pollStatus = await checkGitHubAppInstallation(repoOwner, repoName, accessToken);
-      if (pollStatus.installed) {
-        s.stop("GitHub App installed!");
-        return accessToken;
-      }
-      consecutiveErrors = 0;
-    } catch (error2) {
-      consecutiveErrors++;
-      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-        s.stop("Failed");
-        const errorMsg = error2 instanceof Error ? error2.message : "Unknown error";
-        throw new Error(`Installation check failed after ${MAX_CONSECUTIVE_ERRORS} consecutive errors: ${errorMsg}`);
-      }
-    }
-  }
-  s.stop("Timeout");
-  warn("Timed out waiting for installation.");
-  message(dim(`You can install the GitHub App later: ${status.installUrl}`));
-  throw new Error("GitHub App installation timed out.");
-}
-async function initCommand(options = {}) {
-  try {
-    const repoFullName = getCurrentRepoFullName();
-    const dashboardLink = `${DASHBOARD_URL}/${repoFullName}`;
-    intro2("init");
-    await warnIfEnvNotGitignored();
-    step(`Repository: ${value(repoFullName)}`);
-    const accessToken = await ensureLoginAndGitHubApp(repoFullName, {
-      allowPrompt: options.loginPrompt !== false
-    });
-    trackEvent(AnalyticsEvents.CLI_INIT, { repoFullName, githubAppInstalled: true });
-    const vaultExists = await checkVaultExists(accessToken, repoFullName);
-    if (vaultExists) {
-      success("Already initialized!");
-      message(dim(`Run ${command("keyway push")} to sync your secrets`));
-      outro2(`Dashboard: ${link(dashboardLink)}`);
-      await shutdownAnalytics();
-      return;
-    }
-    await initVault(repoFullName, accessToken);
-    success("Vault created!");
-    try {
-      const badgeAdded = await addBadgeToReadme(true);
-      if (badgeAdded) {
-        success("Badge added to README.md");
-      }
-    } catch {
-    }
-    const envCandidates = discoverEnvCandidates(process.cwd());
-    const interactive = process.stdin.isTTY && process.stdout.isTTY;
-    if (envCandidates.length > 0 && interactive) {
-      message(dim(`Found ${envCandidates.length} env file(s): ${envCandidates.map((c) => c.file).join(", ")}`));
-      const shouldPush = await confirm2({
-        message: "Push secrets now?",
-        initialValue: true
-      });
-      if (shouldPush) {
-        await pushCommand({ loginPrompt: false, yes: false });
-        return;
-      }
-    }
-    if (envCandidates.length === 0) {
-      if (interactive) {
-        const created = await promptCreateEnvFile();
-        if (created) {
-          message(dim(`Add your variables and run ${command("keyway push")}`));
-        } else {
-          message(dim(`Next: Create ${file(".env")} and run ${command("keyway push")}`));
-        }
-      } else {
-        warn("No .env file found - your vault is empty");
-        message(dim(`Next: Create ${file(".env")} and run ${command("keyway push")}`));
-      }
-    } else {
-      message(dim(`Run ${command("keyway push")} to sync your secrets`));
-    }
-    outro2(`Dashboard: ${link(dashboardLink)}`);
-    await shutdownAnalytics();
-  } catch (error2) {
-    if (error2 instanceof APIError) {
-      if (error2.statusCode === 409) {
-        success("Already initialized!");
-        message(dim(`Run ${command("keyway push")} to sync your secrets`));
-        outro2(`Dashboard: ${link(`${DASHBOARD_URL}/${getCurrentRepoFullName()}`)}`);
-        await shutdownAnalytics();
-        return;
-      }
-      if (error2.error === "Plan Limit Reached" || error2.upgradeUrl) {
-        const upgradeUrl = error2.upgradeUrl || "https://keyway.sh/pricing";
-        showUpgradePrompt(error2.message, upgradeUrl);
-        await shutdownAnalytics();
-        process.exit(1);
-      }
-    }
-    const message2 = error2 instanceof APIError ? error2.message : error2 instanceof Error ? truncateMessage(error2.message) : "Unknown error";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "init",
-      error: message2
-    });
-    await shutdownAnalytics();
-    error(message2);
-    process.exit(1);
-  }
-}
-
-// src/cmds/pull.ts
-import fs6 from "fs";
-import path6 from "path";
-async function pullCommand(options) {
-  intro2("pull");
-  await warnIfEnvNotGitignored();
-  try {
-    const environment = options.env || "development";
-    const envFile = options.file || ".env";
-    step(`Environment: ${value(environment)}`);
-    const repoFullName = getCurrentRepoFullName();
-    step(`Repository: ${value(repoFullName)}`);
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    trackEvent(AnalyticsEvents.CLI_PULL, {
-      repoFullName,
-      environment
-    });
-    const s = spinner2();
-    s.start("Downloading secrets...");
-    const response = await pullSecrets(repoFullName, environment, accessToken);
-    const envFilePath = path6.resolve(process.cwd(), envFile);
-    if (fs6.existsSync(envFilePath)) {
-      s.stop("Downloaded");
-      const isInteractive2 = process.stdin.isTTY && process.stdout.isTTY;
-      if (options.yes) {
-        warn(`Overwriting existing file: ${envFile}`);
-      } else if (!isInteractive2) {
-        throw new Error(`File ${envFile} exists. Re-run with --yes to overwrite or choose a different --file.`);
-      } else {
-        const confirm3 = await confirm2({
-          message: `${envFile} exists. Overwrite with secrets from ${environment}?`,
-          initialValue: false
-        });
-        if (!confirm3) {
-          warn("Pull aborted.");
-          return;
-        }
-      }
-    } else {
-      s.stop("Downloaded");
-    }
-    fs6.writeFileSync(envFilePath, response.content, "utf-8");
-    const lines = response.content.split("\n").filter((line) => {
-      const trimmed = line.trim();
-      return trimmed.length > 0 && !trimmed.startsWith("#");
-    });
-    success(`Secrets downloaded to ${file(envFile)}`);
-    message(`Variables: ${value(lines.length)}`);
-    outro2("Secrets synced!");
-    await shutdownAnalytics();
-  } catch (error2) {
-    const message2 = error2 instanceof APIError ? `API ${error2.statusCode}: ${error2.message}` : error2 instanceof Error ? truncateMessage(error2.message) : "Unknown error";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "pull",
-      error: message2
-    });
-    await shutdownAnalytics();
-    error(message2);
-    process.exit(1);
-  }
-}
-
-// src/cmds/doctor.ts
-import pc4 from "picocolors";
-
-// src/core/doctor.ts
-import { execSync as execSync2 } from "child_process";
-import { readFileSync, existsSync } from "fs";
-var API_HEALTH_URL = `${process.env.KEYWAY_API_URL || INTERNAL_API_URL}/v1/health`;
-async function checkAuth() {
-  try {
-    const auth = await getStoredAuth();
-    if (!auth) {
-      return {
-        id: "auth",
-        name: "Authentication",
-        status: "warn",
-        detail: "Not logged in. Run: keyway login"
-      };
-    }
-    try {
-      const result = await validateToken(auth.keywayToken);
-      return {
-        id: "auth",
-        name: "Authentication",
-        status: "pass",
-        detail: `Logged in as ${result.login || auth.githubLogin || "user"}`
-      };
-    } catch {
-      return {
-        id: "auth",
-        name: "Authentication",
-        status: "warn",
-        detail: "Token expired or invalid. Run: keyway login"
-      };
-    }
-  } catch {
-    return {
-      id: "auth",
-      name: "Authentication",
-      status: "warn",
-      detail: "Unable to check authentication status"
-    };
-  }
-}
-async function checkGitHubRemote() {
-  try {
-    try {
-      execSync2("git rev-parse --is-inside-work-tree", {
-        encoding: "utf-8",
-        stdio: ["pipe", "pipe", "ignore"]
-      });
-    } catch {
-      return {
-        id: "github",
-        name: "GitHub repository",
-        status: "warn",
-        detail: "Not in a git repository"
-      };
-    }
-    try {
-      const remoteUrl = execSync2("git remote get-url origin", {
-        encoding: "utf-8",
-        stdio: ["pipe", "pipe", "ignore"]
-      }).trim();
-      const sshMatch = remoteUrl.match(/git@github\.com:(.+)\/(.+?)(\.git)?$/);
-      const httpsMatch = remoteUrl.match(/https:\/\/github\.com\/(.+)\/(.+?)(\.git)?$/);
-      if (sshMatch || httpsMatch) {
-        const match = sshMatch || httpsMatch;
-        const repoName = `${match[1]}/${match[2]}`;
-        return {
-          id: "github",
-          name: "GitHub repository",
-          status: "pass",
-          detail: repoName
-        };
-      }
-      return {
-        id: "github",
-        name: "GitHub repository",
-        status: "warn",
-        detail: "Remote is not a GitHub URL"
-      };
-    } catch {
-      return {
-        id: "github",
-        name: "GitHub repository",
-        status: "warn",
-        detail: "No remote origin configured"
-      };
-    }
-  } catch {
-    return {
-      id: "github",
-      name: "GitHub repository",
-      status: "warn",
-      detail: "Unable to detect repository"
-    };
-  }
-}
-async function checkNetwork() {
-  const fetchFn = globalThis.fetch;
-  if (!fetchFn) {
-    return {
-      id: "network",
-      name: "API connectivity",
-      status: "warn",
-      detail: "Fetch API not available in this Node.js runtime"
-    };
-  }
-  try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetchFn(API_HEALTH_URL, {
-      method: "HEAD",
-      signal: controller.signal
-    });
-    clearTimeout(timeout);
-    if (response.ok || response.status < 500) {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "pass",
-        detail: `Connected to ${API_HEALTH_URL}`
-      };
-    }
-    return {
-      id: "network",
-      name: "API connectivity",
-      status: "warn",
-      detail: `Server returned ${response.status}`
-    };
-  } catch (error2) {
-    if (error2.name === "AbortError") {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "warn",
-        detail: "Connection timeout (>2s)"
-      };
-    }
-    if (error2.code === "ENOTFOUND") {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "fail",
-        detail: "DNS resolution failed"
-      };
-    }
-    if (error2.code === "CERT_HAS_EXPIRED" || error2.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") {
-      return {
-        id: "network",
-        name: "API connectivity",
-        status: "fail",
-        detail: "SSL certificate error"
-      };
-    }
-    return {
-      id: "network",
-      name: "API connectivity",
-      status: "warn",
-      detail: error2.message || "Connection failed"
-    };
-  }
-}
-async function checkEnvFile() {
-  const envFiles = [".env", ".env.local", ".env.development"];
-  const found = [];
-  for (const file2 of envFiles) {
-    if (existsSync(file2)) {
-      found.push(file2);
-    }
-  }
-  if (found.length === 0) {
-    return {
-      id: "envfile",
-      name: "Environment file",
-      status: "warn",
-      detail: "No .env file found. Run: keyway pull"
-    };
-  }
-  return {
-    id: "envfile",
-    name: "Environment file",
-    status: "pass",
-    detail: found.join(", ")
-  };
-}
-async function checkSyncs(repoFullName) {
-  if (!repoFullName) {
-    return {
-      id: "syncs",
-      name: "Provider syncs",
-      status: "warn",
-      detail: "Not in a GitHub repository"
-    };
-  }
-  try {
-    const auth = await getStoredAuth();
-    if (!auth) {
-      return {
-        id: "syncs",
-        name: "Provider syncs",
-        status: "warn",
-        detail: "Login required to check"
-      };
-    }
-    try {
-      const { connections } = await getConnections(auth.keywayToken);
-      if (connections.length === 0) {
-        return {
-          id: "syncs",
-          name: "Provider syncs",
-          status: "pass",
-          detail: "No integrations connected"
-        };
-      }
-      const providers = [...new Set(connections.map((c) => c.provider))];
-      const linkedProviders = [];
-      const repoLower = repoFullName.toLowerCase();
-      for (const provider of providers) {
-        try {
-          const { projects } = await getAllProviderProjects(auth.keywayToken, provider);
-          const hasLinked = projects.some((p5) => p5.linkedRepo?.toLowerCase() === repoLower);
-          if (hasLinked) {
-            linkedProviders.push(provider);
-          }
-        } catch {
-        }
-      }
-      if (linkedProviders.length === 0) {
-        return {
-          id: "syncs",
-          name: "Provider syncs",
-          status: "pass",
-          detail: "None for this repo"
-        };
-      }
-      return {
-        id: "syncs",
-        name: "Provider syncs",
-        status: "pass",
-        detail: linkedProviders.join(", ")
-      };
-    } catch {
-      return {
-        id: "syncs",
-        name: "Provider syncs",
-        status: "warn",
-        detail: "Unable to check"
-      };
-    }
-  } catch {
-    return {
-      id: "syncs",
-      name: "Provider syncs",
-      status: "warn",
-      detail: "Unable to check"
-    };
-  }
-}
-async function checkGitignore() {
-  try {
-    if (!existsSync(".gitignore")) {
-      return {
-        id: "gitignore",
-        name: ".gitignore configuration",
-        status: "warn",
-        detail: "No .gitignore file found"
-      };
-    }
-    const gitignoreContent = readFileSync(".gitignore", "utf-8");
-    const hasEnvPattern = gitignoreContent.includes("*.env") || gitignoreContent.includes(".env*");
-    const hasDotEnv = gitignoreContent.includes(".env");
-    if (hasEnvPattern || hasDotEnv) {
-      return {
-        id: "gitignore",
-        name: ".gitignore configuration",
-        status: "pass",
-        detail: "Environment files are ignored"
-      };
-    }
-    return {
-      id: "gitignore",
-      name: ".gitignore configuration",
-      status: "warn",
-      detail: "Missing .env patterns in .gitignore"
-    };
-  } catch {
-    return {
-      id: "gitignore",
-      name: ".gitignore configuration",
-      status: "warn",
-      detail: "Could not read .gitignore"
-    };
-  }
-}
-async function runAllChecks(options = {}) {
-  const githubResult = await checkGitHubRemote();
-  const repoFullName = githubResult.status === "pass" ? githubResult.detail || null : null;
-  const [authResult, networkResult, syncsResult, envFileResult, gitignoreResult] = await Promise.all([
-    checkAuth(),
-    checkNetwork(),
-    checkSyncs(repoFullName),
-    checkEnvFile(),
-    checkGitignore()
-  ]);
-  const checks = [authResult, githubResult, networkResult, syncsResult, envFileResult, gitignoreResult];
-  if (options.strict) {
-    checks.forEach((check) => {
-      if (check.status === "warn") {
-        check.status = "fail";
-      }
-    });
-  }
-  const summary = {
-    pass: checks.filter((c) => c.status === "pass").length,
-    warn: checks.filter((c) => c.status === "warn").length,
-    fail: checks.filter((c) => c.status === "fail").length
-  };
-  const exitCode = summary.fail > 0 ? 1 : 0;
-  return {
-    checks,
-    summary,
-    exitCode
-  };
-}
-
-// src/cmds/doctor.ts
-function formatSummary(results) {
-  const parts = [
-    pc4.green(`${results.summary.pass} passed`),
-    results.summary.warn > 0 ? pc4.yellow(`${results.summary.warn} warnings`) : null,
-    results.summary.fail > 0 ? pc4.red(`${results.summary.fail} failed`) : null
-  ].filter(Boolean);
-  return parts.join(", ");
-}
-async function doctorCommand(options = {}) {
-  try {
-    const results = await runAllChecks({ strict: !!options.strict });
-    trackEvent(AnalyticsEvents.CLI_DOCTOR, {
-      pass: results.summary.pass,
-      warn: results.summary.warn,
-      fail: results.summary.fail,
-      strict: !!options.strict
-    });
-    if (options.json) {
-      process.stdout.write(JSON.stringify(results, null, 0) + "\n");
-      process.exit(results.exitCode);
-    }
-    intro2("doctor");
-    results.checks.forEach((check) => {
-      const detail = check.detail ? dim(` \u2014 ${check.detail}`) : "";
-      if (check.status === "pass") {
-        success(`${check.name}${detail}`);
-      } else if (check.status === "warn") {
-        warn(`${check.name}${detail}`);
-      } else {
-        error(`${check.name}${detail}`);
-      }
-    });
-    message(`Summary: ${formatSummary(results)}`);
-    if (results.summary.fail > 0) {
-      outro2("Some checks failed. Please resolve the issues above.");
-    } else if (results.summary.warn > 0) {
-      outro2("Some warnings detected. Keyway should work but consider addressing them.");
-    } else {
-      outro2("All checks passed! Your environment is ready.");
-    }
-    process.exit(results.exitCode);
-  } catch (error2) {
-    const message2 = error2 instanceof Error ? truncateMessage(error2.message) : "Doctor failed";
-    trackEvent(AnalyticsEvents.CLI_DOCTOR, {
-      pass: 0,
-      warn: 0,
-      fail: 1,
-      strict: !!options.strict,
-      error: "doctor_failed"
-    });
-    if (options.json) {
-      const errorResult = {
-        checks: [],
-        summary: { pass: 0, warn: 0, fail: 1 },
-        exitCode: 1,
-        error: message2
-      };
-      process.stdout.write(JSON.stringify(errorResult, null, 0) + "\n");
-    } else {
-      error(message2);
-    }
-    process.exit(1);
-  }
-}
-
-// src/cmds/ci.ts
-import { execSync as execSync3 } from "child_process";
-import { Octokit } from "@octokit/rest";
-import * as p3 from "@clack/prompts";
-function isGhAvailable() {
-  try {
-    execSync3("gh auth status", { stdio: "ignore" });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function addSecretWithGh(repo, secretName, secretValue) {
-  execSync3(`gh secret set ${secretName} --repo ${repo}`, {
-    input: secretValue,
-    stdio: ["pipe", "ignore", "ignore"]
-  });
-}
-async function ciSetupCommand(options) {
-  const repo = options.repo || detectGitRepo();
-  if (!repo) {
-    error("Not in a git repository. Use --repo owner/repo");
-    process.exit(1);
-  }
-  intro2("ci setup");
-  step(`Setting up GitHub Actions for ${value(repo)}`);
-  message(dim("Step 1: Keyway Authentication"));
-  let keywayToken;
-  try {
-    keywayToken = await ensureLogin({ allowPrompt: true });
-    success("Authenticated with Keyway");
-  } catch {
-    error("Failed to authenticate with Keyway");
-    message(dim("Run `keyway login` first"));
-    process.exit(1);
-  }
-  const useGh = isGhAvailable();
-  if (useGh) {
-    message(dim("Step 2: Adding secret via GitHub CLI"));
-    try {
-      addSecretWithGh(repo, "KEYWAY_TOKEN", keywayToken);
-      success(`Secret KEYWAY_TOKEN added to ${repo}`);
-    } catch (error2) {
-      const message2 = error2 instanceof Error ? error2.message : String(error2);
-      error(`Failed to add secret: ${message2}`);
-      message(dim("Try running: gh auth login"));
-      process.exit(1);
-    }
-  } else {
-    message(dim("Step 2: Temporary GitHub PAT"));
-    info("gh CLI not found. We need a one-time GitHub PAT.");
-    message(dim("You can delete it immediately after setup."));
-    const patUrl = "https://github.com/settings/tokens/new?scopes=repo&description=Keyway%20CI%20Setup%20(temporary)";
-    await openUrl(patUrl);
-    const githubToken = await p3.password({
-      message: "Paste your GitHub PAT:"
-    });
-    if (p3.isCancel(githubToken) || !githubToken) {
-      error("GitHub PAT is required");
-      process.exit(1);
-    }
-    const octokit = new Octokit({ auth: githubToken });
-    try {
-      await octokit.users.getAuthenticated();
-      success("GitHub PAT validated");
-    } catch {
-      error("Invalid GitHub PAT");
-      process.exit(1);
-    }
-    message(dim("Step 3: Adding secret to repository"));
-    const [owner, repoName] = repo.split("/");
-    try {
-      await addRepoSecret(octokit, owner, repoName, "KEYWAY_TOKEN", keywayToken);
-      success(`Secret KEYWAY_TOKEN added to ${repo}`);
-    } catch (error2) {
-      const message2 = error2 instanceof Error ? error2.message : String(error2);
-      if (message2.includes("Not Found")) {
-        error(`Repository not found or no access: ${repo}`);
-        message(dim("Make sure the PAT has access to this repository"));
-      } else {
-        error(`Failed to add secret: ${message2}`);
-      }
-      process.exit(1);
-    }
-  }
-  success("Setup complete!");
-  note2(
-    `- uses: keywaysh/keyway-action@v1
-  with:
-    token: \${{ secrets.KEYWAY_TOKEN }}
-    environment: production`,
-    "Add this to your workflow"
-  );
-  if (!useGh) {
-    message(`Delete the temporary PAT: ${link("https://github.com/settings/tokens")}`);
-  }
-  outro2(`Docs: ${link("https://docs.keyway.sh/ci")}`);
-}
-async function addRepoSecret(octokit, owner, repo, secretName, secretValue) {
-  const { data: publicKey } = await octokit.rest.actions.getRepoPublicKey({
-    owner,
-    repo
-  });
-  const encryptedValue = await encryptSecret(publicKey.key, secretValue);
-  await octokit.rest.actions.createOrUpdateRepoSecret({
-    owner,
-    repo,
-    secret_name: secretName,
-    encrypted_value: encryptedValue,
-    key_id: publicKey.key_id
-  });
-}
-async function encryptSecret(publicKey, secret) {
-  const sodiumModule = await import("libsodium-wrappers");
-  const sodium = sodiumModule.default || sodiumModule;
-  await sodium.ready;
-  const binkey = sodium.from_base64(publicKey, sodium.base64_variants.ORIGINAL);
-  const binsec = sodium.from_string(secret);
-  const encBytes = sodium.crypto_box_seal(binsec, binkey);
-  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
-}
-
-// src/cmds/connect.ts
-import * as p4 from "@clack/prompts";
-var TOKEN_AUTH_PROVIDERS = ["railway"];
-function getTokenCreationUrl(provider) {
-  switch (provider) {
-    case "railway":
-      return "https://railway.com/account/tokens";
-    default:
-      return "";
-  }
-}
-async function connectWithTokenFlow(accessToken, provider, displayName) {
-  const tokenUrl = getTokenCreationUrl(provider);
-  if (provider === "railway") {
-    warn("Tip: Select the workspace containing your projects.");
-    message(dim(`Do NOT use "No workspace" - it won't have access to your projects.`));
-  }
-  await openUrl(tokenUrl);
-  const token = await p4.password({
-    message: `${displayName} API Token:`
-  });
-  if (p4.isCancel(token) || !token) {
-    message(dim("Cancelled."));
-    return false;
-  }
-  const s = spinner2();
-  s.start("Validating token...");
-  try {
-    const result = await connectWithToken(accessToken, provider, token);
-    s.stop("Validated");
-    if (result.success) {
-      success(`Connected to ${displayName}!`);
-      message(dim(`Account: ${result.user.username}`));
-      if (result.user.teamName) {
-        message(dim(`Team: ${result.user.teamName}`));
-      }
-      return true;
-    } else {
-      error("Connection failed.");
-      return false;
-    }
-  } catch (error2) {
-    s.stop("Failed");
-    const message2 = error2 instanceof Error ? error2.message : "Token validation failed";
-    error(message2);
-    return false;
-  }
-}
-async function connectWithOAuthFlow(accessToken, provider, displayName) {
-  const authUrl = getProviderAuthUrl(provider, accessToken);
-  const startTime = /* @__PURE__ */ new Date();
-  await openUrl(authUrl);
-  const s = spinner2();
-  s.start("Waiting for authorization...");
-  const maxAttempts = 60;
-  let attempts = 0;
-  while (attempts < maxAttempts) {
-    await new Promise((resolve) => setTimeout(resolve, 5e3));
-    attempts++;
-    try {
-      const { connections } = await getConnections(accessToken);
-      const newConn = connections.find(
-        (c) => c.provider === provider && new Date(c.createdAt) > startTime
-      );
-      if (newConn) {
-        s.stop("Authorized");
-        success(`Connected to ${displayName}!`);
-        return true;
-      }
-    } catch {
-    }
-  }
-  s.stop("Timeout");
-  error("Authorization timeout.");
-  message(dim("Run `keyway connections` to check if the connection was established."));
-  return false;
-}
-async function connectCommand(provider, options = {}) {
-  try {
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const { providers } = await getProviders();
-    const providerInfo = providers.find((p5) => p5.name === provider.toLowerCase());
-    if (!providerInfo) {
-      const available = providers.map((p5) => p5.name).join(", ");
-      error(`Unknown provider: ${provider}`);
-      message(dim(`Available providers: ${available || "none"}`));
-      process.exit(1);
-    }
-    if (!providerInfo.configured) {
-      error(`Provider ${providerInfo.displayName} is not configured on the server.`);
-      message(dim("Contact your administrator to enable this integration."));
-      process.exit(1);
-    }
-    const { connections } = await getConnections(accessToken);
-    const existingConnections = connections.filter((c) => c.provider === provider.toLowerCase());
-    if (existingConnections.length > 0) {
-      message(dim(`You have ${existingConnections.length} ${providerInfo.displayName} connection(s):`));
-      for (const conn of existingConnections) {
-        const teamInfo = conn.providerTeamId ? `(Team: ${conn.providerTeamId})` : "(Personal)";
-        message(dim(`  - ${teamInfo}`));
-      }
-      const action = await select2({
-        message: "What would you like to do?",
-        options: [
-          { label: "Add another account/team", value: "add" },
-          { label: "Cancel", value: "cancel" }
-        ]
-      });
-      if (action !== "add") {
-        message(dim("Keeping existing connections."));
-        return;
-      }
-    }
-    step(`Connecting to ${providerInfo.displayName}...`);
-    let connected = false;
-    if (TOKEN_AUTH_PROVIDERS.includes(provider.toLowerCase())) {
-      connected = await connectWithTokenFlow(accessToken, provider.toLowerCase(), providerInfo.displayName);
-    } else {
-      connected = await connectWithOAuthFlow(accessToken, provider.toLowerCase(), providerInfo.displayName);
-    }
-    trackEvent(AnalyticsEvents.CLI_CONNECT, {
-      provider: provider.toLowerCase(),
-      success: connected
-    });
-  } catch (error2) {
-    const message2 = error2 instanceof Error ? error2.message : "Connection failed";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "connect",
-      error: truncateMessage(message2)
-    });
-    error(message2);
-    process.exit(1);
-  }
-}
-async function connectionsCommand(options = {}) {
-  try {
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const { connections } = await getConnections(accessToken);
-    if (connections.length === 0) {
-      info("No provider connections found.");
-      message(dim("Connect to a provider with: keyway connect <provider>"));
-      message(dim("Available providers: vercel, railway"));
-      return;
-    }
-    intro2("connections");
-    for (const conn of connections) {
-      const providerName = conn.provider.charAt(0).toUpperCase() + conn.provider.slice(1);
-      const teamInfo = conn.providerTeamId ? dim(` (Team: ${conn.providerTeamId})`) : "";
-      const date = new Date(conn.createdAt).toLocaleDateString();
-      success(`${bold(providerName)}${teamInfo}`);
-      message(dim(`  Connected: ${date}`));
-      message(dim(`  ID: ${conn.id}`));
-    }
-    outro2("");
-  } catch (error2) {
-    const message2 = error2 instanceof Error ? error2.message : "Failed to list connections";
-    error(message2);
-    process.exit(1);
-  }
-}
-async function disconnectCommand(provider, options = {}) {
-  try {
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const { connections } = await getConnections(accessToken);
-    const connection = connections.find((c) => c.provider === provider.toLowerCase());
-    if (!connection) {
-      info(`No connection found for provider: ${provider}`);
-      return;
-    }
-    const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    const confirm3 = await confirm2({
-      message: `Disconnect from ${providerName}?`,
-      initialValue: false
-    });
-    if (!confirm3) {
-      message(dim("Cancelled."));
-      return;
-    }
-    await deleteConnection(accessToken, connection.id);
-    success(`Disconnected from ${providerName}`);
-    trackEvent(AnalyticsEvents.CLI_DISCONNECT, {
-      provider: provider.toLowerCase()
-    });
-  } catch (error2) {
-    const message2 = error2 instanceof Error ? error2.message : "Disconnect failed";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "disconnect",
-      error: truncateMessage(message2)
-    });
-    error(message2);
-    process.exit(1);
-  }
-}
-
-// src/cmds/sync.ts
-import pc5 from "picocolors";
-function mapToVercelEnvironment(keywayEnv) {
-  const mapping = {
-    production: "production",
-    staging: "preview",
-    dev: "development",
-    development: "development"
-  };
-  return mapping[keywayEnv.toLowerCase()] || "production";
-}
-function mapToRailwayEnvironment(keywayEnv) {
-  const mapping = {
-    production: "production",
-    staging: "staging",
-    dev: "development",
-    development: "development"
-  };
-  return mapping[keywayEnv.toLowerCase()] || "production";
-}
-function mapToNetlifyEnvironment(keywayEnv) {
-  const mapping = {
-    production: "production",
-    staging: "branch-deploy",
-    preview: "deploy-preview",
-    dev: "dev",
-    development: "dev"
-  };
-  return mapping[keywayEnv.toLowerCase()] || "production";
-}
-function mapToProviderEnvironment(provider, keywayEnv) {
-  switch (provider.toLowerCase()) {
-    case "vercel":
-      return mapToVercelEnvironment(keywayEnv);
-    case "railway":
-      return mapToRailwayEnvironment(keywayEnv);
-    case "netlify":
-      return mapToNetlifyEnvironment(keywayEnv);
-    default:
-      return keywayEnv;
-  }
-}
-function displayDiffSummary(diff, providerName) {
-  const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
-  if (totalDiff === 0 && diff.same.length > 0) {
-    success(`Already in sync (${diff.same.length} secrets)`);
-    return;
-  }
-  step("Comparison Summary");
-  message(dim(`Keyway: ${diff.keywayCount} secrets | ${providerName}: ${diff.providerCount} secrets`));
-  if (diff.onlyInKeyway.length > 0) {
-    message(pc5.cyan(`\u2192 ${diff.onlyInKeyway.length} only in Keyway`));
-    diff.onlyInKeyway.slice(0, 3).forEach((key) => message(dim(`  ${key}`)));
-    if (diff.onlyInKeyway.length > 3) {
-      message(dim(`  ... and ${diff.onlyInKeyway.length - 3} more`));
-    }
-  }
-  if (diff.onlyInProvider.length > 0) {
-    message(pc5.magenta(`\u2190 ${diff.onlyInProvider.length} only in ${providerName}`));
-    diff.onlyInProvider.slice(0, 3).forEach((key) => message(dim(`  ${key}`)));
-    if (diff.onlyInProvider.length > 3) {
-      message(dim(`  ... and ${diff.onlyInProvider.length - 3} more`));
-    }
-  }
-  if (diff.different.length > 0) {
-    message(pc5.yellow(`\u2260 ${diff.different.length} with different values`));
-    diff.different.slice(0, 3).forEach((key) => message(dim(`  ${key}`)));
-    if (diff.different.length > 3) {
-      message(dim(`  ... and ${diff.different.length - 3} more`));
-    }
-  }
-  if (diff.same.length > 0) {
-    message(dim(`= ${diff.same.length} identical`));
-  }
-}
-function getProjectDisplayName(project) {
-  return project.serviceName || project.name;
-}
-function findMatchingProject(projects, repoFullName) {
-  const repoFullNameLower = repoFullName.toLowerCase();
-  const repoName = repoFullName.split("/")[1]?.toLowerCase();
-  if (!repoName) return void 0;
-  const linkedMatch = projects.find(
-    (p5) => p5.linkedRepo?.toLowerCase() === repoFullNameLower
-  );
-  if (linkedMatch) {
-    return { project: linkedMatch, matchType: "linked_repo" };
-  }
-  const exactNameMatch = projects.find((p5) => p5.name.toLowerCase() === repoName);
-  if (exactNameMatch) {
-    return { project: exactNameMatch, matchType: "exact_name" };
-  }
-  const partialMatches = projects.filter(
-    (p5) => p5.name.toLowerCase().includes(repoName) || repoName.includes(p5.name.toLowerCase())
-  );
-  if (partialMatches.length === 1) {
-    return { project: partialMatches[0], matchType: "partial_name" };
-  }
-  return void 0;
-}
-function projectMatchesRepo(project, repoFullName) {
-  const repoFullNameLower = repoFullName.toLowerCase();
-  const repoName = repoFullName.split("/")[1]?.toLowerCase();
-  if (project.linkedRepo?.toLowerCase() === repoFullNameLower) {
-    return true;
-  }
-  if (repoName && project.name.toLowerCase() === repoName) {
-    return true;
-  }
-  return false;
-}
-async function selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, initialProjects) {
-  let projects = initialProjects;
-  while (true) {
-    const result = await promptProjectSelection(projects, repoFullName, providerDisplayName);
-    if (result === "connect_new") {
-      await connectCommand(provider, { loginPrompt: false });
-      const { projects: allProjects } = await getAllProviderProjects(accessToken, provider.toLowerCase());
-      projects = allProjects.map((p5) => ({
-        id: p5.id,
-        name: p5.name,
-        serviceId: p5.serviceId,
-        serviceName: p5.serviceName,
-        linkedRepo: p5.linkedRepo,
-        environments: p5.environments,
-        connectionId: p5.connectionId,
-        teamId: p5.teamId,
-        teamName: p5.teamName
-      }));
-      if (projects.length === 0) {
-        error("No projects found after connecting.");
-        process.exit(1);
-      }
-      success(`Found ${projects.length} projects. Select one:`);
-      continue;
-    }
-    return { project: result, projects };
-  }
-}
-async function promptProjectSelection(projects, repoFullName, providerDisplayName) {
-  const repoName = repoFullName.split("/")[1]?.toLowerCase() || "";
-  const uniqueTeams = new Set(projects.map((p5) => p5.teamId || "personal"));
-  const hasMultipleAccounts = uniqueTeams.size > 1;
-  const options = projects.map((p5) => {
-    const displayName = getProjectDisplayName(p5);
-    let label = displayName;
-    const badges = [];
-    if (hasMultipleAccounts) {
-      if (p5.teamName) {
-        badges.push(pc5.cyan(`[${p5.teamName}]`));
-      } else if (p5.teamId) {
-        const shortTeamId = p5.teamId.length > 12 ? p5.teamId.slice(0, 12) + "..." : p5.teamId;
-        badges.push(pc5.cyan(`[team:${shortTeamId}]`));
-      } else {
-        badges.push(pc5.cyan("[personal]"));
-      }
-    }
-    if (p5.linkedRepo?.toLowerCase() === repoFullName.toLowerCase()) {
-      badges.push(pc5.green("\u2190 linked"));
-    } else if (p5.name.toLowerCase() === repoName || p5.serviceName?.toLowerCase() === repoName) {
-      badges.push(pc5.green("\u2190 same name"));
-    } else if (p5.linkedRepo) {
-      badges.push(pc5.gray(`\u2192 ${p5.linkedRepo}`));
-    }
-    if (badges.length > 0) {
-      label = `${displayName} ${badges.join(" ")}`;
-    }
-    return { label, value: p5.id };
-  });
-  options.push({
-    label: pc5.blue(`+ Connect another ${providerDisplayName} account`),
-    value: "__connect_new__"
-  });
-  const projectChoice = await select2({
-    message: "Select a project:",
-    options
-  });
-  if (!projectChoice) {
-    message(dim("Cancelled."));
-    process.exit(0);
-  }
-  if (projectChoice === "__connect_new__") {
-    return "connect_new";
-  }
-  return projects.find((p5) => p5.id === projectChoice);
-}
-async function syncCommand(provider, options = {}) {
-  try {
-    if (options.pull && options.allowDelete) {
-      error("--allow-delete cannot be used with --pull");
-      message(dim("The --allow-delete flag is only for push operations."));
-      process.exit(1);
-    }
-    const accessToken = await ensureLogin({ allowPrompt: options.loginPrompt !== false });
-    const repoFullName = detectGitRepo();
-    if (!repoFullName) {
-      error("Could not detect Git repository.");
-      message(dim("Run this command from a Git repository directory."));
-      process.exit(1);
-    }
-    step(`Repository: ${value(repoFullName)}`);
-    const vaultExists = await checkVaultExists(accessToken, repoFullName);
-    if (!vaultExists) {
-      warn(`No vault found for ${repoFullName}.`);
-      const shouldCreate = await confirm2({
-        message: "Create vault now?",
-        initialValue: true
-      });
-      if (!shouldCreate) {
-        message(dim("Cancelled. Run `keyway init` to create a vault first."));
-        process.exit(0);
-      }
-      const s = spinner2();
-      s.start("Creating vault...");
-      try {
-        await initVault(repoFullName, accessToken);
-        s.stop(`Vault created for ${repoFullName}`);
-      } catch (error2) {
-        s.stop("Failed");
-        const message2 = error2 instanceof Error ? error2.message : "Failed to create vault";
-        error(message2);
-        process.exit(1);
-      }
-    }
-    const providerDisplayName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    let { projects: allProjects, connections } = await getAllProviderProjects(accessToken, provider.toLowerCase());
-    if (connections.length === 0) {
-      warn(`Not connected to ${providerDisplayName}.`);
-      const shouldConnect = await confirm2({
-        message: `Connect to ${providerDisplayName} now?`,
-        initialValue: true
-      });
-      if (!shouldConnect) {
-        message(dim("Cancelled."));
-        process.exit(0);
-      }
-      await connectCommand(provider, { loginPrompt: false });
-      const refreshed = await getAllProviderProjects(accessToken, provider.toLowerCase());
-      allProjects = refreshed.projects;
-      connections = refreshed.connections;
-      if (connections.length === 0) {
-        error(`Connection to ${providerDisplayName} failed.`);
-        process.exit(1);
-      }
-    }
-    let projects = allProjects.map((p5) => ({
-      id: p5.id,
-      name: p5.name,
-      serviceId: p5.serviceId,
-      serviceName: p5.serviceName,
-      linkedRepo: p5.linkedRepo,
-      environments: p5.environments,
-      connectionId: p5.connectionId,
-      teamId: p5.teamId,
-      teamName: p5.teamName
-    }));
-    if (options.team) {
-      const teamFilter = options.team.toLowerCase();
-      const filteredProjects = projects.filter(
-        (p5) => p5.teamId?.toLowerCase() === teamFilter || p5.teamName?.toLowerCase() === teamFilter || // Match "personal" for null teamId
-        teamFilter === "personal" && !p5.teamId
-      );
-      if (filteredProjects.length === 0) {
-        error(`No projects found for team: ${options.team}`);
-        message(dim("Available teams:"));
-        const teams = /* @__PURE__ */ new Set();
-        projects.forEach((p5) => {
-          if (p5.teamName) teams.add(p5.teamName);
-          else if (p5.teamId) teams.add(p5.teamId);
-          else teams.add("personal");
-        });
-        teams.forEach((t) => message(dim(`  - ${t}`)));
-        process.exit(1);
-      }
-      projects = filteredProjects;
-      message(dim(`Filtered to ${projects.length} projects in team: ${options.team}`));
-    }
-    if (projects.length === 0) {
-      error(`No projects found in your ${providerDisplayName} account(s).`);
-      if (connections.length > 1) {
-        message(dim(`Checked ${connections.length} connected accounts.`));
-      }
-      process.exit(1);
-    }
-    if (connections.length > 1 && !options.team) {
-      message(dim(`Searching ${projects.length} projects across ${connections.length} ${providerDisplayName} accounts...`));
-    }
-    let selectedProject;
-    if (options.project) {
-      const found = projects.find(
-        (p5) => p5.id === options.project || p5.name.toLowerCase() === options.project?.toLowerCase() || p5.serviceName?.toLowerCase() === options.project?.toLowerCase()
-      );
-      if (!found) {
-        error(`Project not found: ${options.project}`);
-        message(dim("Available projects:"));
-        projects.forEach((p5) => message(dim(`  - ${getProjectDisplayName(p5)}`)));
-        process.exit(1);
-      }
-      selectedProject = found;
-      if (!projectMatchesRepo(selectedProject, repoFullName)) {
-        warn("Project does not match current repository");
-        message(pc5.yellow(`Current repo:      ${repoFullName}`));
-        message(pc5.yellow(`Selected project:  ${getProjectDisplayName(selectedProject)}`));
-        if (selectedProject.linkedRepo) {
-          message(pc5.yellow(`Project linked to: ${selectedProject.linkedRepo}`));
-        }
-      }
-    } else {
-      const autoMatch = findMatchingProject(projects, repoFullName);
-      if (autoMatch && (autoMatch.matchType === "linked_repo" || autoMatch.matchType === "exact_name")) {
-        selectedProject = autoMatch.project;
-        const matchReason = autoMatch.matchType === "linked_repo" ? `linked to ${repoFullName}` : "exact name match";
-        let teamInfo = "";
-        if (selectedProject.teamName) {
-          teamInfo = dim(` (${selectedProject.teamName})`);
-        } else if (selectedProject.teamId && connections.length > 1) {
-          const shortTeamId = selectedProject.teamId.length > 12 ? selectedProject.teamId.slice(0, 12) + "..." : selectedProject.teamId;
-          teamInfo = dim(` (team:${shortTeamId})`);
-        }
-        success(`Auto-selected project: ${getProjectDisplayName(selectedProject)}${teamInfo} (${matchReason})`);
-      } else if (autoMatch && autoMatch.matchType === "partial_name") {
-        const partialDisplayName = getProjectDisplayName(autoMatch.project);
-        info(`Detected project: ${partialDisplayName} (partial match)`);
-        const useDetected = await confirm2({
-          message: `Use ${partialDisplayName}?`,
-          initialValue: true
-        });
-        if (useDetected) {
-          selectedProject = autoMatch.project;
-        } else {
-          const result = await selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, projects);
-          selectedProject = result.project;
-          projects = result.projects;
-        }
-      } else if (projects.length === 1) {
-        selectedProject = projects[0];
-        if (!projectMatchesRepo(selectedProject, repoFullName)) {
-          warn("Project does not match current repository");
-          message(pc5.yellow(`Current repo:      ${repoFullName}`));
-          message(pc5.yellow(`Only project:      ${getProjectDisplayName(selectedProject)}`));
-          if (selectedProject.linkedRepo) {
-            message(pc5.yellow(`Project linked to: ${selectedProject.linkedRepo}`));
-          }
-          const continueAnyway = await confirm2({
-            message: "Continue anyway?",
-            initialValue: false
-          });
-          if (!continueAnyway) {
-            message(dim("Cancelled."));
-            process.exit(0);
-          }
-        }
-      } else {
-        warn(`No matching project found for ${repoFullName}`);
-        message(dim("Select a project manually:"));
-        const result = await selectProjectWithConnectOption(accessToken, provider, providerDisplayName, repoFullName, projects);
-        selectedProject = result.project;
-        projects = result.projects;
-      }
-    }
-    if (!options.project && !projectMatchesRepo(selectedProject, repoFullName)) {
-      const autoMatch = findMatchingProject(projects, repoFullName);
-      if (autoMatch && autoMatch.project.id !== selectedProject.id) {
-        warn("You selected a different project");
-        message(pc5.yellow(`Current repo:      ${repoFullName}`));
-        message(pc5.yellow(`Selected project:  ${getProjectDisplayName(selectedProject)}`));
-        if (selectedProject.linkedRepo) {
-          message(pc5.yellow(`Project linked to: ${selectedProject.linkedRepo}`));
-        }
-        const continueAnyway = await confirm2({
-          message: "Are you sure you want to sync with this project?",
-          initialValue: false
-        });
-        if (!continueAnyway) {
-          message(dim("Cancelled."));
-          process.exit(0);
-        }
-      }
-    }
-    const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-    let keywayEnv = options.environment;
-    let providerEnv = options.providerEnv;
-    let direction = options.push ? "push" : options.pull ? "pull" : void 0;
-    const needsEnvPrompt = !options.environment;
-    const needsDirectionPrompt = !direction;
-    if (needsEnvPrompt || needsDirectionPrompt) {
-      if (needsEnvPrompt) {
-        const vaultEnvs = await getVaultEnvironments(accessToken, repoFullName);
-        const selectedEnv = await select2({
-          message: "Keyway environment:",
-          options: vaultEnvs.map((e) => ({ label: e, value: e })),
-          initialValue: vaultEnvs.includes("production") ? "production" : vaultEnvs[0]
-        });
-        if (!selectedEnv) {
-          message(dim("Cancelled."));
-          process.exit(0);
-        }
-        keywayEnv = selectedEnv;
-        if (!options.providerEnv) {
-          if (selectedProject.environments && selectedProject.environments.length > 0) {
-            const mappedEnv = mapToProviderEnvironment(provider, keywayEnv);
-            const envExists = selectedProject.environments.some(
-              (e) => e.toLowerCase() === mappedEnv.toLowerCase()
-            );
-            if (envExists) {
-              providerEnv = mappedEnv;
-            } else if (selectedProject.environments.length === 1) {
-              providerEnv = selectedProject.environments[0];
-              message(dim(`Using ${providerName} environment: ${providerEnv}`));
-            } else {
-              const selectedProviderEnv = await select2({
-                message: `${providerName} environment:`,
-                options: selectedProject.environments.map((e) => ({ label: e, value: e })),
-                initialValue: selectedProject.environments.includes("production") ? "production" : selectedProject.environments[0]
-              });
-              if (!selectedProviderEnv) {
-                message(dim("Cancelled."));
-                process.exit(0);
-              }
-              providerEnv = selectedProviderEnv;
-            }
-          } else {
-            providerEnv = mapToProviderEnvironment(provider, keywayEnv);
-          }
-        }
-      }
-      let diff;
-      if (needsDirectionPrompt) {
-        const effectiveKeywayEnv = keywayEnv || "production";
-        const effectiveProviderEnv = providerEnv || mapToProviderEnvironment(provider, effectiveKeywayEnv);
-        const s = spinner2();
-        s.start("Comparing secrets...");
-        diff = await getSyncDiff(accessToken, repoFullName, {
-          connectionId: selectedProject.connectionId,
-          projectId: selectedProject.id,
-          serviceId: selectedProject.serviceId,
-          // Railway: service ID for service-specific variables
-          keywayEnvironment: effectiveKeywayEnv,
-          providerEnvironment: effectiveProviderEnv
-        });
-        s.stop("Compared");
-        displayDiffSummary(diff, providerName);
-        const totalDiff = diff.onlyInKeyway.length + diff.onlyInProvider.length + diff.different.length;
-        if (totalDiff === 0) {
-          return;
-        }
-      }
-      if (needsDirectionPrompt && diff) {
-        const defaultDirection = diff.keywayCount === 0 && diff.providerCount > 0 ? "pull" : "push";
-        const selectedDirection = await select2({
-          message: "Sync direction:",
-          options: [
-            { label: `Keyway \u2192 ${providerName}`, value: "push" },
-            { label: `${providerName} \u2192 Keyway`, value: "pull" }
-          ],
-          initialValue: defaultDirection
-        });
-        if (!selectedDirection) {
-          message(dim("Cancelled."));
-          process.exit(0);
-        }
-        direction = selectedDirection;
-      }
-    }
-    keywayEnv = keywayEnv || "production";
-    providerEnv = providerEnv || "production";
-    direction = direction || "push";
-    const status = await getSyncStatus(
-      accessToken,
-      repoFullName,
-      selectedProject.connectionId,
-      selectedProject.id,
-      keywayEnv
-    );
-    if (status.isFirstSync && direction === "push" && status.vaultIsEmpty && status.providerHasSecrets) {
-      warn(`Your Keyway vault is empty for "${keywayEnv}", but ${providerName} has ${status.providerSecretCount} secrets.`);
-      message(dim("(Use --environment to sync a different environment)"));
-      const importFirst = await confirm2({
-        message: `Import secrets from ${providerName} first?`,
-        initialValue: true
-      });
-      if (importFirst) {
-        await executeSyncOperation(
-          accessToken,
-          repoFullName,
-          selectedProject.connectionId,
-          selectedProject,
-          keywayEnv,
-          providerEnv,
-          "pull",
-          false,
-          // Never delete on import
-          options.yes || false,
-          provider
-        );
-        return;
-      }
-    }
-    await executeSyncOperation(
-      accessToken,
-      repoFullName,
-      selectedProject.connectionId,
-      selectedProject,
-      keywayEnv,
-      providerEnv,
-      direction,
-      options.allowDelete || false,
-      options.yes || false,
-      provider
-    );
-  } catch (error2) {
-    const message2 = error2 instanceof Error ? error2.message : "Sync failed";
-    trackEvent(AnalyticsEvents.CLI_ERROR, {
-      command: "sync",
-      error: truncateMessage(message2)
-    });
-    error(message2);
-    process.exit(1);
-  }
-}
-async function executeSyncOperation(accessToken, repoFullName, connectionId, project, keywayEnv, providerEnv, direction, allowDelete, skipConfirm, provider) {
-  const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
-  const preview = await getSyncPreview(accessToken, repoFullName, {
-    connectionId,
-    projectId: project.id,
-    serviceId: project.serviceId,
-    // Railway: service ID for service-specific variables
-    keywayEnvironment: keywayEnv,
-    providerEnvironment: providerEnv,
-    direction,
-    allowDelete
-  });
-  const totalChanges = preview.toCreate.length + preview.toUpdate.length + preview.toDelete.length;
-  if (totalChanges === 0) {
-    success("Already in sync. No changes needed.");
-    return;
-  }
-  step("Sync Preview");
-  if (preview.toCreate.length > 0) {
-    message(pc5.green(`+ ${preview.toCreate.length} to create`));
-    preview.toCreate.slice(0, 5).forEach((key) => message(dim(`  ${key}`)));
-    if (preview.toCreate.length > 5) {
-      message(dim(`  ... and ${preview.toCreate.length - 5} more`));
-    }
-  }
-  if (preview.toUpdate.length > 0) {
-    message(pc5.yellow(`~ ${preview.toUpdate.length} to update`));
-    preview.toUpdate.slice(0, 5).forEach((key) => message(dim(`  ${key}`)));
-    if (preview.toUpdate.length > 5) {
-      message(dim(`  ... and ${preview.toUpdate.length - 5} more`));
-    }
-  }
-  if (preview.toDelete.length > 0) {
-    message(pc5.red(`- ${preview.toDelete.length} to delete`));
-    preview.toDelete.slice(0, 5).forEach((key) => message(dim(`  ${key}`)));
-    if (preview.toDelete.length > 5) {
-      message(dim(`  ... and ${preview.toDelete.length - 5} more`));
-    }
-  }
-  if (preview.toSkip.length > 0) {
-    message(dim(`\u25CB ${preview.toSkip.length} unchanged`));
-  }
-  if (!skipConfirm) {
-    const target = direction === "push" ? providerName : "Keyway";
-    const confirm3 = await confirm2({
-      message: `Apply ${totalChanges} changes to ${target}?`,
-      initialValue: true
-    });
-    if (!confirm3) {
-      message(dim("Cancelled."));
-      return;
-    }
-  }
-  const s = spinner2();
-  s.start("Syncing...");
-  const result = await executeSync(accessToken, repoFullName, {
-    connectionId,
-    projectId: project.id,
-    serviceId: project.serviceId,
-    // Railway: service ID for service-specific variables
-    keywayEnvironment: keywayEnv,
-    providerEnvironment: providerEnv,
-    direction,
-    allowDelete
-  });
-  if (result.success) {
-    s.stop("Sync complete");
-    message(dim(`Created: ${result.stats.created}`));
-    message(dim(`Updated: ${result.stats.updated}`));
-    if (result.stats.deleted > 0) {
-      message(dim(`Deleted: ${result.stats.deleted}`));
-    }
-    trackEvent(AnalyticsEvents.CLI_SYNC, {
-      provider,
-      direction,
-      created: result.stats.created,
-      updated: result.stats.updated,
-      deleted: result.stats.deleted
-    });
-  } else {
-    s.stop("Failed");
-    error(result.error || "Sync failed");
-    process.exit(1);
-  }
-}
-
-// src/cli.ts
-process.on("unhandledRejection", (reason) => {
-  error(`Unhandled error: ${reason}`);
-  process.exit(1);
-});
-var program = new Command();
-var TAGLINE = "Sync secrets with your team and infra";
-program.name("keyway").description(TAGLINE).version(package_default.version);
-program.command("init").description("Initialize a vault for the current repository").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await initCommand(options);
-});
-program.command("push").description("Upload secrets from an env file to the vault").option("-e, --env <environment>", "Environment name", "development").option("-f, --file <file>", "Env file to push").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await pushCommand(options);
-});
-program.command("pull").description("Download secrets from the vault to an env file").option("-e, --env <environment>", "Environment name", "development").option("-f, --file <file>", "Env file to write to").option("-y, --yes", "Overwrite target file without confirmation").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await pullCommand(options);
-});
-program.command("login").description("Authenticate with GitHub via Keyway").option("--token", "Authenticate using a GitHub fine-grained PAT").action(async (options) => {
-  await loginCommand(options);
-});
-program.command("logout").description("Clear stored Keyway credentials").action(async () => {
-  await logoutCommand();
-});
-program.command("doctor").description("Run environment checks to ensure Keyway runs smoothly").option("--json", "Output results as JSON for machine processing", false).option("--strict", "Treat warnings as failures", false).action(async (options) => {
-  await doctorCommand(options);
-});
-program.command("connect <provider>").description("Connect to an external provider (e.g., vercel)").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
-  await connectCommand(provider, options);
-});
-program.command("connections").description("List your provider connections").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
-  await connectionsCommand(options);
-});
-program.command("disconnect <provider>").description("Disconnect from a provider").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
-  await disconnectCommand(provider, options);
-});
-program.command("sync <provider>").description("Sync secrets with a provider (e.g., vercel)").option("--push", "Export secrets from Keyway to provider").option("--pull", "Import secrets from provider to Keyway").option("-e, --environment <env>", "Keyway environment (default: production)").option("--provider-env <env>", "Provider environment (default: production)").option("--project <project>", "Provider project name or ID").option("--team <team>", "Team/org name or ID (for multi-account)").option("--allow-delete", "Allow deleting secrets not in source").option("-y, --yes", "Skip confirmation prompt").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (provider, options) => {
-  await syncCommand(provider, options);
-});
-var ci = program.command("ci").description("CI/CD integration commands");
-ci.command("setup").description("Setup GitHub Actions integration (adds KEYWAY_TOKEN secret)").option("--repo <repo>", "Repository in owner/repo format (auto-detected)").action(async (options) => {
-  await ciSetupCommand(options);
-});
-(async () => {
-  await program.parseAsync();
-})().catch((error2) => {
-  error(error2.message || error2);
-  process.exit(1);
-});