@kuckit/cli 5.0.1 → 6.0.0

package/dist/bin.js

@@ -10,6 +10,7 @@ import { dirname as dirname$1, join as join$1 } from "path";
 import { homedir } from "node:os";
 import { accessSync as accessSync$1, constants as constants$2 } from "fs";
 import { confirm, input, select } from "@inquirer/prompts";
+import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
 
 //#region src/commands/doctor.ts
 const CONFIG_FILES$1 = [
@@ -643,7 +644,7 @@ async function dbStudio(options) {
 
 //#endregion
 //#region src/lib/credentials.ts
-const DEFAULT_SERVER_URL = "https://api.kuckit.dev";
+const DEFAULT_SERVER_URL = "https://dev-app-nyh7i73bea-uc.a.run.app/";
 const CONFIG_DIR = join(homedir(), ".kuckit");
 const CONFIG_PATH = join(CONFIG_DIR, "config.json");
 function loadConfig$7() {
@@ -2117,7 +2118,7 @@ function runGcloud(args, options = {}) {
 /**
 * Get the path to the packages/infra directory
 */
-function getInfraDir$1(projectRoot) {
+function getInfraDir$2(projectRoot) {
 	return join$1(projectRoot, "packages", "infra");
 }
 /**
@@ -2418,7 +2419,7 @@ async function infraDestroy(options) {
 		process.exit(1);
 	}
 	const stackName = computeStackName(config, env);
-	const infraDir = getInfraDir$1(projectRoot);
+	const infraDir = getInfraDir$2(projectRoot);
 	if (!await fileExists$6(infraDir)) {
 		console.error("Error: packages/infra not found.");
 		process.exit(1);
@@ -2572,7 +2573,7 @@ async function infraRepair(options) {
 		process.exit(1);
 	}
 	const stackName = computeStackName(config, env);
-	const infraDir = getInfraDir$1(projectRoot);
+	const infraDir = getInfraDir$2(projectRoot);
 	if (!await fileExists$5(infraDir)) {
 		console.error("Error: packages/infra not found.");
 		process.exit(1);
@@ -3157,7 +3158,7 @@ async function infraStatus(options) {
 		process.exit(1);
 	}
 	const stackName = computeStackName(config, options.env ?? config.env);
-	const infraDir = getInfraDir$1(projectRoot);
+	const infraDir = getInfraDir$2(projectRoot);
 	if (!await fileExists$1(infraDir)) {
 		console.error("Error: packages/infra not found.");
 		process.exit(1);
@@ -3268,7 +3269,7 @@ async function infraOutputs(options) {
 	}
 	const env = options.env ?? config.env ?? "dev";
 	const stackName = computeStackName(config, env);
-	const infraDir = getInfraDir$1(projectRoot);
+	const infraDir = getInfraDir$2(projectRoot);
 	if (!await fileExists(infraDir)) {
 		console.error("Error: packages/infra not found.");
 		process.exit(1);
@@ -3333,10 +3334,10 @@ const KNOWN_CONFIG_KEYS = {
 		example: "prod"
 	}
 };
-function getProjectRoot() {
+function getProjectRoot$1() {
 	return process.cwd();
 }
-async function ensureConfigExists(projectRoot, env) {
+async function ensureConfigExists$1(projectRoot, env) {
 	const config = await loadStoredConfig(projectRoot, env);
 	if (!config) throw new Error("No infrastructure configuration found. Run `kuckit infra init` first.");
 	return config;
@@ -3344,25 +3345,25 @@ async function ensureConfigExists(projectRoot, env) {
 function getStackName(config, env) {
 	return `${config.projectName}-${env}`;
 }
-async function getInfraDir(projectRoot, config) {
+async function getInfraDir$1(projectRoot, config) {
 	if (config.localInfraDir) return config.localInfraDir;
 	return (await loadProviderFromPackage(config.providerPackage ?? getProviderPackage(config.provider), projectRoot)).getInfraDir(projectRoot);
 }
-async function selectStack(infraDir, stackName) {
+async function selectStack$1(infraDir, stackName) {
 	return selectOrCreateStack(stackName, { cwd: infraDir });
 }
 async function syncToPulumi(projectRoot, config, env, key, value) {
-	const infraDir = await getInfraDir(projectRoot, config);
+	const infraDir = await getInfraDir$1(projectRoot, config);
 	const stackName = getStackName(config, env);
 	const pulumiOptions = { cwd: infraDir };
-	if (!await selectStack(infraDir, stackName)) throw new Error(`Could not select stack '${stackName}'. Run 'kuckit infra init --env ${env}' first.`);
+	if (!await selectStack$1(infraDir, stackName)) throw new Error(`Could not select stack '${stackName}'. Run 'kuckit infra init --env ${env}' first.`);
 	await setPulumiConfig(key, value, pulumiOptions);
 }
 async function getPulumiConfigValue(projectRoot, config, env, key) {
-	const infraDir = await getInfraDir(projectRoot, config);
+	const infraDir = await getInfraDir$1(projectRoot, config);
 	const stackName = getStackName(config, env);
 	const pulumiOptions = { cwd: infraDir };
-	if (!await selectStack(infraDir, stackName)) return null;
+	if (!await selectStack$1(infraDir, stackName)) return null;
 	try {
 		const result = await runPulumi([
 			"config",
@@ -3375,10 +3376,10 @@ async function getPulumiConfigValue(projectRoot, config, env, key) {
 	}
 }
 async function getAllPulumiConfig(projectRoot, config, env) {
-	const infraDir = await getInfraDir(projectRoot, config);
+	const infraDir = await getInfraDir$1(projectRoot, config);
 	const stackName = getStackName(config, env);
 	const pulumiOptions = { cwd: infraDir };
-	if (!await selectStack(infraDir, stackName)) return {};
+	if (!await selectStack$1(infraDir, stackName)) return {};
 	try {
 		const result = await runPulumi(["config", "--json"], pulumiOptions);
 		if (result.code === 0 && result.stdout) {
@@ -3396,10 +3397,10 @@ async function getAllPulumiConfig(projectRoot, config, env) {
 	}
 }
 async function unsetPulumiConfig(projectRoot, config, env, key) {
-	const infraDir = await getInfraDir(projectRoot, config);
+	const infraDir = await getInfraDir$1(projectRoot, config);
 	const stackName = getStackName(config, env);
 	const pulumiOptions = { cwd: infraDir };
-	if (!await selectStack(infraDir, stackName)) throw new Error(`Could not select stack '${stackName}'. Run 'kuckit infra init --env ${env}' first.`);
+	if (!await selectStack$1(infraDir, stackName)) throw new Error(`Could not select stack '${stackName}'. Run 'kuckit infra init --env ${env}' first.`);
 	await runPulumi([
 		"config",
 		"rm",
@@ -3410,9 +3411,9 @@ async function unsetPulumiConfig(projectRoot, config, env, key) {
 * Set a configuration value
 */
 async function infraConfigSet(key, value, options = {}) {
-	const projectRoot = getProjectRoot();
+	const projectRoot = getProjectRoot$1();
 	const env = options.env;
-	const config = await ensureConfigExists(projectRoot, env);
+	const config = await ensureConfigExists$1(projectRoot, env);
 	const resolvedEnv = env ?? config.env ?? "dev";
 	if (["region", "projectName"].includes(key)) {
 		if (key === "region") config.region = value;
@@ -3438,9 +3439,9 @@ async function infraConfigSet(key, value, options = {}) {
 * Get a configuration value
 */
 async function infraConfigGet(key, options = {}) {
-	const projectRoot = getProjectRoot();
+	const projectRoot = getProjectRoot$1();
 	const env = options.env;
-	const config = await ensureConfigExists(projectRoot, env);
+	const config = await ensureConfigExists$1(projectRoot, env);
 	const resolvedEnv = env ?? config.env ?? "dev";
 	const localKeys = {
 		region: (c) => c.region,
@@ -3469,9 +3470,9 @@ async function infraConfigGet(key, options = {}) {
 * List all configuration values
 */
 async function infraConfigList(options = {}) {
-	const projectRoot = getProjectRoot();
+	const projectRoot = getProjectRoot$1();
 	const env = options.env;
-	const config = await ensureConfigExists(projectRoot, env);
+	const config = await ensureConfigExists$1(projectRoot, env);
 	const resolvedEnv = env ?? config.env ?? "dev";
 	const localConfig = {
 		provider: config.provider,
@@ -3509,9 +3510,9 @@ async function infraConfigList(options = {}) {
 * Unset a configuration value
 */
 async function infraConfigUnset(key, options = {}) {
-	const projectRoot = getProjectRoot();
+	const projectRoot = getProjectRoot$1();
 	const env = options.env;
-	const config = await ensureConfigExists(projectRoot, env);
+	const config = await ensureConfigExists$1(projectRoot, env);
 	const resolvedEnv = env ?? config.env ?? "dev";
 	if ([
 		"provider",
@@ -3522,6 +3523,378 @@ async function infraConfigUnset(key, options = {}) {
 	console.log(`✓ Unset ${key} for env '${resolvedEnv}'`);
 }
 
+//#endregion
+//#region src/lib/secret-manager.ts
+/**
+* Sync a secret to GCP Secret Manager.
+* Creates the secret if it doesn't exist, then adds a new version.
+*/
+async function syncSecret(options) {
+	const { projectId, secretId, value } = options;
+	await createSecretIfNotExists(projectId, secretId);
+	await addSecretVersion(projectId, secretId, value);
+}
+/**
+* Create a secret if it doesn't exist.
+*/
+async function createSecretIfNotExists(projectId, secretId) {
+	const client = new SecretManagerServiceClient();
+	const name = `projects/${projectId}/secrets/${secretId}`;
+	try {
+		await client.getSecret({ name });
+	} catch (error) {
+		if (isGrpcError(error) && error.code === 5) await client.createSecret({
+			parent: `projects/${projectId}`,
+			secretId,
+			secret: { replication: { automatic: {} } }
+		});
+		else throw wrapAuthError(error);
+	}
+}
+/**
+* Add a new version to an existing secret.
+* @returns The version name (e.g., "projects/.../secrets/.../versions/1")
+*/
+async function addSecretVersion(projectId, secretId, value) {
+	const client = new SecretManagerServiceClient();
+	const parent = `projects/${projectId}/secrets/${secretId}`;
+	try {
+		const [version] = await client.addSecretVersion({
+			parent,
+			payload: { data: Buffer.from(value, "utf8") }
+		});
+		return version.name ?? "";
+	} catch (error) {
+		throw wrapAuthError(error);
+	}
+}
+function isGrpcError(error) {
+	return error !== null && typeof error === "object" && "code" in error && typeof error.code === "number";
+}
+/**
+* Wrap authentication errors with a helpful message.
+*/
+function wrapAuthError(error) {
+	if (isGrpcError(error)) {
+		if (error.code === 16) return /* @__PURE__ */ new Error(`GCP authentication failed. Please run \`gcloud auth application-default login\` or ensure your service account credentials are configured.
+Original error: ${error.message}`);
+		if (error.code === 7) return /* @__PURE__ */ new Error(`GCP permission denied. Ensure your account has the "Secret Manager Secret Accessor" and "Secret Manager Admin" roles.
+Original error: ${error.message}`);
+	}
+	if (error instanceof Error) return error;
+	return new Error(String(error));
+}
+
+//#endregion
+//#region src/commands/infra/env.ts
+/** Default pattern to detect secret environment variables by name */
+const DEFAULT_SECRET_PATTERN = /SECRET|KEY|TOKEN|PASSWORD|WEBHOOK/i;
+function getProjectRoot() {
+	return process.cwd();
+}
+/**
+* Parse a .env file into key-value pairs
+* Handles:
+* - Empty lines and comments (#)
+* - Quoted values (single and double quotes)
+* - Inline comments after values
+*/
+function parseEnvFile(content) {
+	const vars = {};
+	for (const line of content.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const match = trimmed.match(/^([^=]+)=(.*)$/);
+		if (match) {
+			const [, key, rawValue] = match;
+			if (!key) continue;
+			let value = rawValue ?? "";
+			if (value.startsWith("\"") && value.endsWith("\"") || value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+			else {
+				const commentIndex = value.indexOf(" #");
+				if (commentIndex !== -1) value = value.substring(0, commentIndex);
+			}
+			vars[key.trim()] = value.trim();
+		}
+	}
+	return vars;
+}
+/**
+* Classify env vars into secrets and plain vars based on pattern
+*/
+function classifyEnvVars(vars, secretPattern) {
+	const secrets = {};
+	const plain = {};
+	for (const [key, value] of Object.entries(vars)) if (secretPattern.test(key)) secrets[key] = value;
+	else plain[key] = value;
+	return {
+		secrets,
+		plain
+	};
+}
+/**
+* Convert env var name to GCP Secret Manager ID format
+* GCP Secret IDs must match: [a-zA-Z_0-9]+
+* We convert to lowercase with underscores for consistency
+*/
+function toSecretId(envVarName, env) {
+	return `${envVarName.toLowerCase().replace(/[^a-z0-9_]/g, "_")}_${env}`;
+}
+async function ensureConfigExists(projectRoot, env) {
+	const config = await loadStoredConfig(projectRoot, env);
+	if (!config) throw new Error("No infrastructure configuration found. Run `kuckit infra init` first.");
+	return config;
+}
+async function getInfraDir(projectRoot, config) {
+	if (config.localInfraDir) return config.localInfraDir;
+	return (await loadProviderFromPackage(config.providerPackage ?? getProviderPackage(config.provider), projectRoot)).getInfraDir(projectRoot);
+}
+async function selectStack(infraDir, stackName) {
+	return selectOrCreateStack(stackName, { cwd: infraDir });
+}
+/**
+* Find the .env file to use
+* Priority:
+* 1. Explicit --file option
+* 2. .env.{env} (e.g., .env.dev)
+* 3. .env
+*/
+async function findEnvFile(projectRoot, env, explicitFile) {
+	if (explicitFile) {
+		const explicitPath = join$1(projectRoot, explicitFile);
+		try {
+			await access(explicitPath, constants$1.F_OK);
+			return explicitPath;
+		} catch {
+			throw new Error(`Specified .env file not found: ${explicitFile}`);
+		}
+	}
+	const envSpecificPath = join$1(projectRoot, `.env.${env}`);
+	try {
+		await access(envSpecificPath, constants$1.F_OK);
+		return envSpecificPath;
+	} catch {}
+	const defaultPath = join$1(projectRoot, ".env");
+	try {
+		await access(defaultPath, constants$1.F_OK);
+		return defaultPath;
+	} catch {
+		throw new Error(`No .env file found. Tried:\n  - .env.${env}\n  - .env\n\nCreate one or specify with --file.`);
+	}
+}
+/**
+* Sync environment variables from .env file to GCP Secret Manager and Pulumi config
+*
+* 1. Load and parse .env file
+* 2. Classify variables (secrets vs plain)
+* 3. Sync secrets to GCP Secret Manager
+* 4. Update Pulumi config with extraEnvVars and extraSecretEnvVars
+*/
+async function infraEnvSync(options) {
+	const projectRoot = getProjectRoot();
+	const env = options.env;
+	const secretPattern = options.secretPattern ?? DEFAULT_SECRET_PATTERN;
+	console.log(`\n🔄 Syncing environment variables for '${env}'...\n`);
+	const config = await ensureConfigExists(projectRoot, env);
+	if (!isGcpConfig(config)) throw new Error("Environment sync is currently only supported for GCP provider.");
+	const gcpProject = config.providerConfig.gcpProject;
+	const envFilePath = await findEnvFile(projectRoot, env, options.file);
+	console.log(`📂 Loading: ${envFilePath}`);
+	const allVars = parseEnvFile(await readFile(envFilePath, "utf-8"));
+	if (Object.keys(allVars).length === 0) {
+		console.log("⚠️  No environment variables found in file.");
+		return;
+	}
+	console.log(`   Found ${Object.keys(allVars).length} variables\n`);
+	const { secrets, plain } = classifyEnvVars(allVars, secretPattern);
+	console.log(`📋 Classification:`);
+	console.log(`   • Plain env vars: ${Object.keys(plain).length}`);
+	console.log(`   • Secrets: ${Object.keys(secrets).length}\n`);
+	if (Object.keys(secrets).length > 0) {
+		console.log(`🔐 Syncing secrets to GCP Secret Manager (project: ${gcpProject})...`);
+		const extraSecretEnvVars = {};
+		for (const [name, value] of Object.entries(secrets)) {
+			const secretId = toSecretId(name, env);
+			console.log(`   • ${name} → ${secretId}`);
+			try {
+				await syncSecret({
+					projectId: gcpProject,
+					secretId,
+					value
+				});
+				extraSecretEnvVars[name] = secretId;
+			} catch (error) {
+				const message = error instanceof Error ? error.message : String(error);
+				throw new Error(`Failed to sync secret '${name}': ${message}`);
+			}
+		}
+		console.log(`   ✓ All secrets synced\n`);
+		await updatePulumiConfig(projectRoot, config, env, "extraSecretEnvVars", extraSecretEnvVars);
+	}
+	if (Object.keys(plain).length > 0) {
+		console.log(`📝 Setting plain environment variables in Pulumi config...`);
+		for (const name of Object.keys(plain)) console.log(`   • ${name}`);
+		await updatePulumiConfig(projectRoot, config, env, "extraEnvVars", plain);
+		console.log(`   ✓ Config updated\n`);
+	}
+	console.log(`✅ Environment sync complete!`);
+	console.log(`\nNext steps:`);
+	console.log(`  • Run 'kuckit infra deploy --env ${env}' to apply changes`);
+}
+/**
+* Update Pulumi config with an object value using --json flag
+*/
+async function updatePulumiConfig(projectRoot, config, env, key, value) {
+	const infraDir = await getInfraDir(projectRoot, config);
+	const stackName = computeStackName(config, env);
+	const pulumiOptions = { cwd: infraDir };
+	if (!await selectStack(infraDir, stackName)) throw new Error(`Could not select stack '${stackName}'. Run 'kuckit infra init --env ${env}' first.`);
+	const result = await runPulumi([
+		"config",
+		"set",
+		key,
+		`'${JSON.stringify(value).replace(/'/g, "'\\''")}'`
+	], pulumiOptions);
+	if (result.code !== 0) throw new Error(`Failed to set Pulumi config '${key}': ${result.stderr}`);
+}
+/**
+* Read an object value from Pulumi config
+*/
+async function getPulumiConfigObject(projectRoot, config, env, key) {
+	const infraDir = await getInfraDir(projectRoot, config);
+	const stackName = computeStackName(config, env);
+	const pulumiOptions = { cwd: infraDir };
+	if (!await selectStack(infraDir, stackName)) throw new Error(`Could not select stack '${stackName}'. Run 'kuckit infra init --env ${env}' first.`);
+	const result = await runPulumi([
+		"config",
+		"get",
+		key
+	], pulumiOptions);
+	if (result.code === 0 && result.stdout.trim()) try {
+		return JSON.parse(result.stdout.trim());
+	} catch {
+		return {};
+	}
+	return {};
+}
+/**
+* List all configured environment variables and secrets for an environment
+*/
+async function infraEnvList(options) {
+	const projectRoot = getProjectRoot();
+	const env = options.env;
+	const config = await ensureConfigExists(projectRoot, env);
+	if (!isGcpConfig(config)) throw new Error("Environment commands are currently only supported for GCP provider.");
+	const extraEnvVars = await getPulumiConfigObject(projectRoot, config, env, "extraEnvVars");
+	const extraSecretEnvVars = await getPulumiConfigObject(projectRoot, config, env, "extraSecretEnvVars");
+	const hasEnvVars = Object.keys(extraEnvVars).length > 0;
+	const hasSecrets = Object.keys(extraSecretEnvVars).length > 0;
+	if (options.json) {
+		console.log(JSON.stringify({
+			env,
+			envVars: extraEnvVars,
+			secrets: extraSecretEnvVars
+		}, null, 2));
+		return;
+	}
+	console.log(`\nEnvironment Variables (env: ${env})\n`);
+	if (hasEnvVars) {
+		console.log("Plain Environment Variables:");
+		for (const [key, value] of Object.entries(extraEnvVars)) console.log(`  ${key}=${value}`);
+	} else console.log("Plain Environment Variables: (none)");
+	console.log("");
+	if (hasSecrets) {
+		console.log("Secrets (stored in GCP Secret Manager):");
+		for (const [key, secretId] of Object.entries(extraSecretEnvVars)) console.log(`  ${key} → ${secretId}`);
+	} else console.log("Secrets: (none)");
+	console.log(`\nTip: Use 'kuckit infra env add KEY=value --env ${env}' to add variables`);
+}
+/**
+* Add an environment variable or secret
+*/
+async function infraEnvAdd(keyValue, options) {
+	const projectRoot = getProjectRoot();
+	const env = options.env;
+	const equalsIndex = keyValue.indexOf("=");
+	if (equalsIndex === -1) throw new Error(`Invalid format. Expected KEY=value, got: ${keyValue}`);
+	const key = keyValue.substring(0, equalsIndex).trim();
+	const value = keyValue.substring(equalsIndex + 1);
+	if (!key) throw new Error("Key cannot be empty.");
+	const config = await ensureConfigExists(projectRoot, env);
+	if (!isGcpConfig(config)) throw new Error("Environment commands are currently only supported for GCP provider.");
+	const gcpProject = config.providerConfig.gcpProject;
+	if (options.secret) {
+		const secretId = toSecretId(key, env);
+		console.log(`\n🔐 Syncing secret '${key}' to GCP Secret Manager...`);
+		console.log(`   Project: ${gcpProject}`);
+		console.log(`   Secret ID: ${secretId}`);
+		try {
+			await syncSecret({
+				projectId: gcpProject,
+				secretId,
+				value
+			});
+			console.log(`   ✓ Secret synced`);
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			throw new Error(`Failed to sync secret: ${message}`);
+		}
+		await updatePulumiConfig(projectRoot, config, env, "extraSecretEnvVars", {
+			...await getPulumiConfigObject(projectRoot, config, env, "extraSecretEnvVars"),
+			[key]: secretId
+		});
+		console.log(`   ✓ Added to Pulumi config\n`);
+		console.log(`✅ Secret '${key}' added successfully!`);
+	} else {
+		console.log(`\n📝 Adding environment variable '${key}'...`);
+		await updatePulumiConfig(projectRoot, config, env, "extraEnvVars", {
+			...await getPulumiConfigObject(projectRoot, config, env, "extraEnvVars"),
+			[key]: value
+		});
+		console.log(`   ✓ Added to Pulumi config\n`);
+		console.log(`✅ Environment variable '${key}' added successfully!`);
+	}
+	console.log(`\nNext steps:`);
+	console.log(`  • Run 'kuckit infra deploy --env ${env}' to apply changes`);
+}
+/**
+* Remove an environment variable or secret
+*/
+async function infraEnvRemove(key, options) {
+	const projectRoot = getProjectRoot();
+	const env = options.env;
+	if (!key || !key.trim()) throw new Error("Key cannot be empty.");
+	key = key.trim();
+	const config = await ensureConfigExists(projectRoot, env);
+	if (!isGcpConfig(config)) throw new Error("Environment commands are currently only supported for GCP provider.");
+	const extraEnvVars = await getPulumiConfigObject(projectRoot, config, env, "extraEnvVars");
+	const extraSecretEnvVars = await getPulumiConfigObject(projectRoot, config, env, "extraSecretEnvVars");
+	let found = false;
+	if (key in extraEnvVars) {
+		console.log(`\n📝 Removing environment variable '${key}'...`);
+		const { [key]: _,...remaining } = extraEnvVars;
+		await updatePulumiConfig(projectRoot, config, env, "extraEnvVars", remaining);
+		console.log(`   ✓ Removed from Pulumi config`);
+		found = true;
+	}
+	if (key in extraSecretEnvVars) {
+		console.log(`\n🔐 Removing secret '${key}'...`);
+		const { [key]: __,...remaining } = extraSecretEnvVars;
+		await updatePulumiConfig(projectRoot, config, env, "extraSecretEnvVars", remaining);
+		console.log(`   ✓ Removed from Pulumi config`);
+		console.log(`   Note: The secret value remains in GCP Secret Manager (not deleted)`);
+		found = true;
+	}
+	if (!found) {
+		console.log(`\n⚠️  Key '${key}' not found in environment '${env}'.`);
+		console.log(`\nUse 'kuckit infra env list --env ${env}' to see configured variables.`);
+		return;
+	}
+	console.log(`\n✅ Removed '${key}' successfully!`);
+	console.log(`\nNext steps:`);
+	console.log(`  • Run 'kuckit infra deploy --env ${env}' to apply changes`);
+}
+
 //#endregion
 //#region src/bin.ts
 program.name("kuckit").description("CLI tools for Kuckit SDK module development").version("0.1.0");
@@ -3635,6 +4008,23 @@ configCmd.command("unset <key>").description("Remove a configuration value").opt
 	requireAuth();
 	await infraConfigUnset(key, options);
 });
+const envCmd = infra.command("env").description("Environment variable management");
+envCmd.command("sync").description("Sync .env file to GCP Secret Manager and Pulumi config").option("-e, --env <env>", "Environment (dev, staging, prod)", "dev").option("-f, --file <path>", "Path to .env file (default: .env.{env} or .env)").action(async (options) => {
+	requireAuth();
+	await infraEnvSync(options);
+});
+envCmd.command("list").description("List all configured environment variables and secrets").requiredOption("-e, --env <env>", "Environment (dev, staging, prod)").option("--json", "Output as JSON", false).action(async (options) => {
+	requireAuth();
+	await infraEnvList(options);
+});
+envCmd.command("add <KEY=value>").description("Add an environment variable or secret").requiredOption("-e, --env <env>", "Environment (dev, staging, prod)").option("-s, --secret", "Store as secret in GCP Secret Manager", false).action(async (keyValue, options) => {
+	requireAuth();
+	await infraEnvAdd(keyValue, options);
+});
+envCmd.command("remove <KEY>").description("Remove an environment variable or secret").requiredOption("-e, --env <env>", "Environment (dev, staging, prod)").action(async (key, options) => {
+	requireAuth();
+	await infraEnvRemove(key, options);
+});
 program.parse();
 
 //#endregion