npm - @secretstash/cli - Versions diffs - 0.1.0 - Mend

@secretstash/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,4159 @@
+#!/usr/bin/env node
+// src/index.ts
+import { Command } from "commander";
+import chalk3 from "chalk";
+import { readFileSync as readFileSync4 } from "fs";
+import { fileURLToPath } from "url";
+import { dirname as dirname2, join as join2 } from "path";
+// src/commands/auth.ts
+import { prompt } from "enquirer";
+import qrcode from "qrcode-terminal";
+// src/config.ts
+import Conf from "conf";
+import { homedir, platform } from "os";
+import { join } from "path";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, statSync, chmodSync } from "fs";
+import { randomBytes } from "crypto";
+function getOrCreateEncryptionKey() {
+  if (process.env.VAULT_CONFIG_KEY) {
+    return process.env.VAULT_CONFIG_KEY;
+  }
+  const keyDir = join(homedir(), ".secretstash");
+  const keyPath = join(keyDir, ".config-key");
+  if (existsSync(keyPath)) {
+    const key2 = readFileSync(keyPath, "utf-8").trim();
+    if (platform() !== "win32") {
+      try {
+        const stats = statSync(keyPath);
+        const mode = stats.mode & 511;
+        if (mode !== 384) {
+          console.warn(
+            `WARNING: Config key file ${keyPath} has insecure permissions (${mode.toString(8)}). Fixing to 0600.`
+          );
+          chmodSync(keyPath, 384);
+        }
+      } catch {
+      }
+    }
+    return key2;
+  }
+  const key = randomBytes(32).toString("hex");
+  if (!existsSync(keyDir)) {
+    mkdirSync(keyDir, { mode: 448, recursive: true });
+  }
+  writeFileSync(keyPath, key + "\n", { mode: 384 });
+  if (platform() !== "win32") {
+    try {
+      chmodSync(keyPath, 384);
+    } catch {
+      console.warn(`WARNING: Could not set permissions on ${keyPath}`);
+    }
+  }
+  return key;
+}
+var config = new Conf({
+  projectName: "secretstash",
+  schema: {
+    apiUrl: {
+      type: "string",
+      default: "http://localhost:3000"
+    },
+    accessToken: {
+      type: "string"
+    },
+    refreshToken: {
+      type: "string"
+    },
+    tokenExpiresAt: {
+      type: "number"
+    },
+    userId: {
+      type: "string"
+    },
+    email: {
+      type: "string"
+    },
+    currentTeam: {
+      type: "object",
+      properties: {
+        id: { type: "string" },
+        name: { type: "string" },
+        slug: { type: "string" }
+      }
+    },
+    currentProject: {
+      type: "object",
+      properties: {
+        id: { type: "string" },
+        name: { type: "string" },
+        slug: { type: "string" }
+      }
+    },
+    currentEnvironment: {
+      type: "string"
+    },
+    serviceToken: {
+      type: "string"
+    },
+    serviceTokenInfo: {
+      type: "object",
+      properties: {
+        name: { type: "string" },
+        environmentId: { type: "string" },
+        permission: { type: "string" },
+        expiresAt: { type: "string" }
+      }
+    }
+  },
+  // Always use encryption for config store - key is auto-generated if not provided
+  encryptionKey: getOrCreateEncryptionKey()
+});
+var runtimeState = {
+  quiet: false
+};
+var configManager = {
+  // Quiet mode (runtime only, not persisted)
+  setQuiet(quiet) {
+    runtimeState.quiet = quiet;
+  },
+  isQuiet() {
+    return runtimeState.quiet;
+  },
+  // API URL
+  getApiUrl() {
+    return process.env.VAULT_API_URL || config.get("apiUrl");
+  },
+  setApiUrl(url) {
+    config.set("apiUrl", url);
+  },
+  // Authentication
+  getAccessToken() {
+    const serviceToken = this.getServiceToken();
+    if (serviceToken) {
+      return serviceToken;
+    }
+    return config.get("accessToken");
+  },
+  getRefreshToken() {
+    return config.get("refreshToken");
+  },
+  setTokens(accessToken, refreshToken, expiresInSeconds) {
+    config.set("accessToken", accessToken);
+    config.set("refreshToken", refreshToken);
+    config.set("tokenExpiresAt", Date.now() + expiresInSeconds * 1e3);
+  },
+  isTokenExpired() {
+    const expiresAt = config.get("tokenExpiresAt");
+    if (!expiresAt) return true;
+    return Date.now() > expiresAt - 3e4;
+  },
+  clearTokens() {
+    config.delete("accessToken");
+    config.delete("refreshToken");
+    config.delete("tokenExpiresAt");
+  },
+  // User info
+  setUser(userId, email) {
+    config.set("userId", userId);
+    config.set("email", email);
+  },
+  getUser() {
+    return {
+      userId: config.get("userId"),
+      email: config.get("email")
+    };
+  },
+  clearUser() {
+    config.delete("userId");
+    config.delete("email");
+  },
+  // Team context
+  setCurrentTeam(team) {
+    config.set("currentTeam", team);
+  },
+  getCurrentTeam() {
+    return config.get("currentTeam");
+  },
+  clearCurrentTeam() {
+    config.delete("currentTeam");
+  },
+  // Project context
+  setCurrentProject(project) {
+    config.set("currentProject", project);
+  },
+  getCurrentProject() {
+    return config.get("currentProject");
+  },
+  clearCurrentProject() {
+    config.delete("currentProject");
+  },
+  // Environment context
+  setCurrentEnvironment(env) {
+    config.set("currentEnvironment", env);
+  },
+  getCurrentEnvironment() {
+    return config.get("currentEnvironment");
+  },
+  clearCurrentEnvironment() {
+    config.delete("currentEnvironment");
+  },
+  // Full logout
+  logout() {
+    this.clearTokens();
+    this.clearUser();
+    this.clearCurrentTeam();
+    this.clearCurrentProject();
+    this.clearCurrentEnvironment();
+    this.clearServiceToken();
+  },
+  // Service token authentication (for CI/CD)
+  setServiceToken(token, info) {
+    config.set("serviceToken", token);
+    config.set("serviceTokenInfo", info);
+  },
+  getServiceToken() {
+    if (process.env.SECRETSTASH_TOKEN) {
+      return process.env.SECRETSTASH_TOKEN;
+    }
+    return config.get("serviceToken");
+  },
+  getServiceTokenInfo() {
+    return config.get("serviceTokenInfo");
+  },
+  clearServiceToken() {
+    config.delete("serviceToken");
+    config.delete("serviceTokenInfo");
+  },
+  isServiceTokenAuth() {
+    return !!this.getServiceToken();
+  },
+  // Check if authenticated
+  isAuthenticated() {
+    if (this.isServiceTokenAuth()) {
+      return true;
+    }
+    return !!this.getAccessToken() && !this.isTokenExpired();
+  },
+  // Config file path (for debugging)
+  getConfigPath() {
+    return config.path;
+  },
+  // Clear all config
+  clear() {
+    config.clear();
+  }
+};
+var projectConfig = {
+  getLocalConfigPath() {
+    return join(process.cwd(), ".secretstash.json");
+  },
+  hasLocalConfig() {
+    return existsSync(this.getLocalConfigPath());
+  },
+  getLocalConfig() {
+    const configPath = this.getLocalConfigPath();
+    if (!existsSync(configPath)) {
+      return null;
+    }
+    try {
+      const content = readFileSync(configPath, "utf-8");
+      return JSON.parse(content);
+    } catch {
+      return null;
+    }
+  },
+  // Get effective project (local config overrides global)
+  getEffectiveProject() {
+    const local = this.getLocalConfig();
+    if (local?.project) return local.project;
+    return configManager.getCurrentProject()?.slug;
+  },
+  // Get effective environment (local config overrides global)
+  getEffectiveEnvironment() {
+    const local = this.getLocalConfig();
+    if (local?.environment) return local.environment;
+    return configManager.getCurrentEnvironment();
+  },
+  // Get effective team (local config overrides global)
+  getEffectiveTeam() {
+    const local = this.getLocalConfig();
+    if (local?.teamSlug) return local.teamSlug;
+    return configManager.getCurrentTeam()?.slug;
+  }
+};
+var envPaths = {
+  getEnvPath(environment) {
+    if (!environment || environment === "development") {
+      return join(process.cwd(), ".env");
+    }
+    return join(process.cwd(), `.env.${environment}`);
+  },
+  getLocalEnvPath() {
+    return join(process.cwd(), ".env.local");
+  },
+  getExampleEnvPath() {
+    return join(process.cwd(), ".env.example");
+  }
+};
+// src/api-client.ts
+var ApiClient = class {
+  async refreshAccessToken() {
+    const refreshToken = configManager.getRefreshToken();
+    if (!refreshToken) return false;
+    try {
+      const response = await fetch(`${configManager.getApiUrl()}/api/auth/refresh`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({ refreshToken })
+      });
+      if (!response.ok) {
+        configManager.logout();
+        return false;
+      }
+      const data = await response.json();
+      configManager.setTokens(
+        data.accessToken,
+        data.refreshToken,
+        data.expiresIn || 900
+      );
+      return true;
+    } catch {
+      configManager.logout();
+      return false;
+    }
+  }
+  async request(endpoint, options = {}) {
+    const { method = "GET", body, headers = {}, requireAuth = true } = options;
+    if (requireAuth && configManager.isTokenExpired()) {
+      const refreshed = await this.refreshAccessToken();
+      if (!refreshed) {
+        return {
+          error: {
+            code: "UNAUTHORIZED",
+            message: "Session expired. Please log in again."
+          }
+        };
+      }
+    }
+    const requestHeaders = {
+      "Content-Type": "application/json",
+      ...headers
+    };
+    if (requireAuth) {
+      const token = configManager.getAccessToken();
+      if (token) {
+        requestHeaders["Authorization"] = `Bearer ${token}`;
+      }
+    }
+    try {
+      const response = await fetch(`${configManager.getApiUrl()}${endpoint}`, {
+        method,
+        headers: requestHeaders,
+        body: body ? JSON.stringify(body) : void 0
+      });
+      const data = await response.json();
+      if (!response.ok) {
+        return {
+          error: {
+            code: data.code || "API_ERROR",
+            message: data.message || `Request failed with status ${response.status}`,
+            details: data.details
+          }
+        };
+      }
+      return { data };
+    } catch (error) {
+      return {
+        error: {
+          code: "NETWORK_ERROR",
+          message: error instanceof Error ? error.message : "Network request failed"
+        }
+      };
+    }
+  }
+  // Auth endpoints
+  async login(email, password) {
+    return this.request("/api/auth/login", {
+      method: "POST",
+      body: { email, password, client: "cli" },
+      requireAuth: false
+    });
+  }
+  async verify2FA(tempToken, code) {
+    return this.request("/api/auth/2fa/verify", {
+      method: "POST",
+      body: { tempToken, code },
+      requireAuth: false
+    });
+  }
+  async register(email, password) {
+    return this.request("/api/auth/register", {
+      method: "POST",
+      body: { email, password },
+      requireAuth: false
+    });
+  }
+  async logout() {
+    const refreshToken = configManager.getRefreshToken();
+    if (refreshToken) {
+      await this.request("/api/auth/logout", {
+        method: "POST",
+        body: { refreshToken }
+      });
+    }
+    configManager.logout();
+  }
+  async getMe() {
+    return this.request("/api/users/me");
+  }
+  // Team endpoints
+  async getTeams() {
+    return this.request("/api/teams");
+  }
+  async createTeam(name) {
+    return this.request("/api/teams", {
+      method: "POST",
+      body: { name }
+    });
+  }
+  // Project endpoints
+  async getProjects(teamId) {
+    return this.request(`/api/teams/${teamId}/projects`);
+  }
+  async createProject(teamId, name, description) {
+    return this.request(`/api/teams/${teamId}/projects`, {
+      method: "POST",
+      body: { name, description }
+    });
+  }
+  async deleteProject(projectId) {
+    return this.request(`/api/projects/${projectId}`, {
+      method: "DELETE"
+    });
+  }
+  // Environment endpoints
+  async getEnvironments(projectId) {
+    return this.request(`/api/projects/${projectId}/environments`);
+  }
+  async createEnvironment(projectId, name, parentId) {
+    return this.request(`/api/projects/${projectId}/environments`, {
+      method: "POST",
+      body: { name, parentId }
+    });
+  }
+  async deleteEnvironment(environmentId) {
+    return this.request(`/api/v1/environments/${environmentId}`, {
+      method: "DELETE"
+    });
+  }
+  // Secret endpoints (keys only, no decryption)
+  async getSecrets(environmentId) {
+    return this.request(`/api/environments/${environmentId}/secrets`);
+  }
+  // Decrypted secrets (requires password)
+  async getDecryptedSecrets(environmentId, password) {
+    return this.request(`/api/environments/${environmentId}/secrets/decrypt`, {
+      method: "POST",
+      body: { password }
+    });
+  }
+  async createSecret(environmentId, key, value, password, description) {
+    return this.request(`/api/environments/${environmentId}/secrets`, {
+      method: "POST",
+      body: { key, value, password, description }
+    });
+  }
+  async updateSecret(secretId, value, password, description) {
+    return this.request(`/api/secrets/${secretId}`, {
+      method: "PATCH",
+      body: { value, password, description }
+    });
+  }
+  async deleteSecret(secretId) {
+    return this.request(`/api/secrets/${secretId}`, {
+      method: "DELETE"
+    });
+  }
+  // Bulk secrets operations (require password for encryption/decryption)
+  async pullSecrets(teamSlug, projectSlug, environment, password, options) {
+    const includeInherited = options?.includeInherited ?? true;
+    const query = includeInherited ? "" : "?includeInherited=false";
+    return this.request(`/api/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/decrypt${query}`, {
+      method: "POST",
+      body: { password }
+    });
+  }
+  async pushSecrets(teamSlug, projectSlug, environment, secrets, password) {
+    return this.request(`/api/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/bulk`, {
+      method: "PUT",
+      body: { secrets, password }
+    });
+  }
+  // 2FA endpoints
+  async setup2FA() {
+    return this.request("/api/users/me/2fa/setup", {
+      method: "POST"
+    });
+  }
+  async enable2FA(code) {
+    return this.request("/api/users/me/2fa/enable", {
+      method: "POST",
+      body: { code }
+    });
+  }
+  async disable2FA(code) {
+    return this.request("/api/users/me/2fa/disable", {
+      method: "POST",
+      body: { code }
+    });
+  }
+  // Team member endpoints
+  async getTeamMembers(teamId) {
+    return this.request(`/api/teams/${teamId}/members`);
+  }
+  async inviteTeamMember(teamId, email, role) {
+    return this.request(`/api/teams/${teamId}/invitations`, {
+      method: "POST",
+      body: { email, role }
+    });
+  }
+  async removeTeamMember(teamId, memberId) {
+    return this.request(`/api/teams/${teamId}/members/${memberId}`, {
+      method: "DELETE"
+    });
+  }
+  async updateTeamMemberRole(teamId, memberId, role) {
+    return this.request(`/api/teams/${teamId}/members/${memberId}`, {
+      method: "PATCH",
+      body: { role }
+    });
+  }
+  async getPendingInvitations(teamId) {
+    return this.request(`/api/teams/${teamId}/invitations`);
+  }
+  // Share link endpoints
+  async createShare(teamSlug, projectSlug, environment, secretKey, options) {
+    return this.request("/api/v1/shares", {
+      method: "POST",
+      body: {
+        teamSlug,
+        projectSlug,
+        environment,
+        secretKey,
+        ...options
+      }
+    });
+  }
+  async listShares(options) {
+    const query = options?.includeExpired ? "?includeExpired=true" : "";
+    return this.request(`/api/v1/shares${query}`);
+  }
+  async revokeShare(shareId) {
+    return this.request(`/api/v1/shares/${shareId}`, {
+      method: "DELETE"
+    });
+  }
+  // Service token verification - make a request to validate the token works
+  async verifyServiceToken(token) {
+    return this.request("/api/teams", {
+      headers: {
+        "Authorization": `Bearer ${token}`
+      },
+      requireAuth: false
+    });
+  }
+  // Secret version endpoints
+  async getSecretVersions(secretId, password, limit) {
+    return this.request(`/api/v1/secrets/${secretId}/versions/decrypt`, {
+      method: "POST",
+      body: { password, limit }
+    });
+  }
+  async rollbackSecret(secretId, version2, password) {
+    return this.request(`/api/v1/secrets/${secretId}/rollback`, {
+      method: "POST",
+      body: { version: version2, password }
+    });
+  }
+  // Tag endpoints
+  async getTags(teamId) {
+    return this.request(`/api/v1/teams/${teamId}/tags`);
+  }
+  async createTag(teamId, name, color) {
+    return this.request(`/api/v1/teams/${teamId}/tags`, {
+      method: "POST",
+      body: { name, color }
+    });
+  }
+  async deleteTag(tagId) {
+    return this.request(`/api/v1/tags/${tagId}`, {
+      method: "DELETE"
+    });
+  }
+  async getSecretTags(secretId) {
+    return this.request(`/api/v1/secrets/${secretId}/tags`);
+  }
+  async addTagToSecret(secretId, tagId) {
+    return this.request(`/api/v1/secrets/${secretId}/tags`, {
+      method: "POST",
+      body: { tagId }
+    });
+  }
+  async removeTagFromSecret(secretId, tagId) {
+    return this.request(`/api/v1/secrets/${secretId}/tags/${tagId}`, {
+      method: "DELETE"
+    });
+  }
+  // Expiring secrets endpoint
+  async getExpiringSecrets(teamId, days = 7) {
+    return this.request(`/api/v1/teams/${teamId}/secrets/expiring?days=${days}`);
+  }
+};
+var apiClient = new ApiClient();
+// src/ui.ts
+import chalk from "chalk";
+import ora from "ora";
+import { table } from "table";
+var colors = {
+  primary: chalk.hex("#6366f1"),
+  // electric-500
+  secondary: chalk.hex("#8b5cf6"),
+  // vault-500
+  success: chalk.hex("#22c55e"),
+  // emerald-500
+  warning: chalk.hex("#f59e0b"),
+  // amber-500
+  error: chalk.hex("#ef4444"),
+  // red-500
+  muted: chalk.hex("#71717a"),
+  // text-muted
+  highlight: chalk.hex("#38bdf8")
+  // sky-400
+};
+var SilentSpinner = class {
+  text = "";
+  succeed(_text) {
+    return this;
+  }
+  fail(_text) {
+    return this;
+  }
+  stop() {
+    return this;
+  }
+  start() {
+    return this;
+  }
+  warn(_text) {
+    return this;
+  }
+  info(_text) {
+    return this;
+  }
+  stopAndPersist() {
+    return this;
+  }
+  clear() {
+    return this;
+  }
+  render() {
+    return this;
+  }
+  frame() {
+    return "";
+  }
+  isSpinning = false;
+  indent = 0;
+  color = "cyan";
+  prefixText = "";
+  suffixText = "";
+  spinner = { frames: [], interval: 0 };
+  hideCursor = false;
+  discardStdin = false;
+};
+var ui = {
+  // Headings (decorative - skip in quiet mode)
+  heading(text) {
+    if (configManager.isQuiet()) return;
+    console.log();
+    console.log(colors.primary.bold(`\u25C6 ${text}`));
+    console.log();
+  },
+  subheading(text) {
+    if (configManager.isQuiet()) return;
+    console.log(colors.muted(`  ${text}`));
+  },
+  // Status messages
+  // success is kept - it's a final result
+  success(text) {
+    console.log(colors.success(`\u2713 ${text}`));
+  },
+  // error is always shown - critical information
+  error(text) {
+    console.log(colors.error(`\u2717 ${text}`));
+  },
+  // warning is skipped in quiet mode - non-essential
+  warning(text) {
+    if (configManager.isQuiet()) return;
+    console.log(colors.warning(`\u26A0 ${text}`));
+  },
+  // info is skipped in quiet mode - non-essential
+  info(text) {
+    if (configManager.isQuiet()) return;
+    console.log(colors.highlight(`\u2139 ${text}`));
+  },
+  // Key-value display (decorative - skip in quiet mode)
+  keyValue(key, value) {
+    if (configManager.isQuiet()) return;
+    console.log(`  ${colors.muted(key + ":")} ${value}`);
+  },
+  // Lists (decorative - skip in quiet mode)
+  list(items) {
+    if (configManager.isQuiet()) return;
+    items.forEach((item) => {
+      console.log(`  ${colors.muted("\u2022")} ${item}`);
+    });
+  },
+  // Code/values - formatting helpers, always return value
+  code(text) {
+    return chalk.cyan(text);
+  },
+  dim(text) {
+    return colors.muted(text);
+  },
+  bold(text) {
+    return chalk.bold(text);
+  },
+  // Tables - final results, keep them
+  table(data, options) {
+    if (configManager.isQuiet()) return;
+    const tableData = options?.header ? [options.header.map((h) => colors.primary.bold(h)), ...data] : data;
+    console.log(table(tableData, {
+      border: {
+        topBody: colors.muted("\u2500"),
+        topJoin: colors.muted("\u252C"),
+        topLeft: colors.muted("\u250C"),
+        topRight: colors.muted("\u2510"),
+        bottomBody: colors.muted("\u2500"),
+        bottomJoin: colors.muted("\u2534"),
+        bottomLeft: colors.muted("\u2514"),
+        bottomRight: colors.muted("\u2518"),
+        bodyLeft: colors.muted("\u2502"),
+        bodyRight: colors.muted("\u2502"),
+        bodyJoin: colors.muted("\u2502"),
+        joinBody: colors.muted("\u2500"),
+        joinLeft: colors.muted("\u251C"),
+        joinRight: colors.muted("\u2524"),
+        joinJoin: colors.muted("\u253C")
+      }
+    }));
+  },
+  // Spinners - in quiet mode, return silent spinner
+  spinner(text) {
+    if (configManager.isQuiet()) {
+      return new SilentSpinner();
+    }
+    return ora({
+      text,
+      color: "cyan",
+      spinner: "dots"
+    }).start();
+  },
+  // Empty line (decorative - skip in quiet mode)
+  br() {
+    if (configManager.isQuiet()) return;
+    console.log();
+  },
+  // Box for important info (decorative - skip in quiet mode)
+  box(title, content) {
+    if (configManager.isQuiet()) return;
+    const width = Math.max(title.length + 4, ...content.map((c) => c.length + 4));
+    const border = colors.muted("\u2500".repeat(width));
+    console.log();
+    console.log(colors.muted("\u250C") + border + colors.muted("\u2510"));
+    console.log(colors.muted("\u2502") + " " + colors.primary.bold(title.padEnd(width - 1)) + colors.muted("\u2502"));
+    console.log(colors.muted("\u251C") + border + colors.muted("\u2524"));
+    content.forEach((line) => {
+      console.log(colors.muted("\u2502") + " " + line.padEnd(width - 1) + colors.muted("\u2502"));
+    });
+    console.log(colors.muted("\u2514") + border + colors.muted("\u2518"));
+    console.log();
+  },
+  // Secret value display (masked by default)
+  secret(value, reveal = false) {
+    if (reveal) {
+      return chalk.yellow(value);
+    }
+    return colors.muted("\u2022".repeat(Math.min(value.length, 20)));
+  },
+  // Environment badge
+  envBadge(env) {
+    const badges = {
+      production: chalk.bgRed.white,
+      staging: chalk.bgYellow.black,
+      development: chalk.bgGreen.white,
+      testing: chalk.bgBlue.white
+    };
+    const badge = badges[env.toLowerCase()] || chalk.bgGray.white;
+    return badge(` ${env.toUpperCase()} `);
+  },
+  // Role badge
+  roleBadge(role) {
+    const badges = {
+      owner: chalk.bgMagenta.white,
+      admin: chalk.bgBlue.white,
+      member: chalk.bgGray.white
+    };
+    const badge = badges[role.toLowerCase()] || chalk.bgGray.white;
+    return badge(` ${role} `);
+  }
+};
+// src/commands/auth.ts
+var SERVICE_TOKEN_PREFIX = "stk_";
+async function handleServiceTokenLogin(token, fromEnvVar = false) {
+  ui.heading("SecretStash Service Token Login");
+  if (!token.startsWith(SERVICE_TOKEN_PREFIX)) {
+    ui.error(`Invalid token format. Service tokens must start with "${SERVICE_TOKEN_PREFIX}"`);
+    process.exit(1);
+  }
+  const spinner = ui.spinner("Validating service token...");
+  const result = await apiClient.verifyServiceToken(token);
+  if (result.error) {
+    spinner.fail();
+    ui.error(result.error.message);
+    if (result.error.code === "UNAUTHORIZED") {
+      ui.info("The service token may be expired, revoked, or invalid");
+    }
+    process.exit(1);
+  }
+  spinner.succeed("Service token validated successfully");
+  if (!fromEnvVar) {
+    configManager.setServiceToken(token, {
+      name: "Service Token",
+      environmentId: "scoped",
+      permission: "environment-scoped",
+      expiresAt: "see-token-metadata"
+    });
+  }
+  ui.br();
+  ui.keyValue("Auth Type", colors.highlight("Service Token"));
+  if (fromEnvVar) {
+    ui.keyValue("Source", "SECRETSTASH_TOKEN environment variable");
+    ui.info("Token will be used from environment variable (not stored in config)");
+  } else {
+    ui.keyValue("Token", `${token.substring(0, 12)}...`);
+    ui.keyValue("Config", configManager.getConfigPath());
+  }
+  ui.br();
+  ui.box("CI/CD Authentication", [
+    "Service tokens are scoped to a specific environment.",
+    "Use this token in your CI/CD pipeline:",
+    "",
+    `  ${colors.muted("# Set as environment variable")}`,
+    `  ${colors.highlight("export SECRETSTASH_TOKEN=" + token.substring(0, 16) + "...")}`,
+    "",
+    `  ${colors.muted("# Then run CLI commands normally")}`,
+    `  ${colors.highlight("sstash pull -q")}`
+  ]);
+}
+function registerAuthCommands(program2) {
+  program2.command("login").description("Authenticate with SecretStash").option("-e, --email <email>", "Email address").option("-t, --token <token>", "Service token for CI/CD authentication (must start with stk_)").action(async (options) => {
+    if (options.token) {
+      await handleServiceTokenLogin(options.token);
+      return;
+    }
+    if (process.env.SECRETSTASH_TOKEN) {
+      await handleServiceTokenLogin(process.env.SECRETSTASH_TOKEN, true);
+      return;
+    }
+    ui.heading("SecretStash Login");
+    let email = options.email;
+    if (!email) {
+      const response = await prompt({
+        type: "input",
+        name: "email",
+        message: "Email:",
+        validate: (value) => {
+          if (!value) return "Email is required";
+          if (!value.includes("@")) return "Invalid email format";
+          return true;
+        }
+      });
+      email = response.email;
+    }
+    const { password } = await prompt({
+      type: "password",
+      name: "password",
+      message: "Password:",
+      validate: (value) => value ? true : "Password is required"
+    });
+    const spinner = ui.spinner("Authenticating...");
+    const result = await apiClient.login(email, password);
+    if (result.error) {
+      spinner.fail();
+      if (result.error.code === "CLI_2FA_REQUIRED") {
+        ui.br();
+        ui.box("Two-Factor Authentication Required", [
+          "CLI access requires two-factor authentication.",
+          "",
+          "To set up 2FA:",
+          `  1. Visit ${colors.highlight("https://app.secretstash.dev/settings/security")}`,
+          "  2. Enable two-factor authentication",
+          "  3. Return here and try again",
+          "",
+          colors.muted("For CI/CD pipelines, use service tokens instead:"),
+          `  ${colors.highlight("sstash login --token <service-token>")}`
+        ]);
+        process.exit(1);
+      }
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    if (result.data?.requires2FA) {
+      spinner.stop();
+      ui.info("Two-factor authentication required");
+      const { code } = await prompt({
+        type: "input",
+        name: "code",
+        message: "2FA Code:",
+        validate: (value) => {
+          if (!value) return "2FA code is required";
+          if (!/^\d{6}$/.test(value)) return "Code must be 6 digits";
+          return true;
+        }
+      });
+      const spinner2 = ui.spinner("Verifying...");
+      const twoFAResult = await apiClient.verify2FA(
+        result.data.tempToken,
+        code
+      );
+      if (twoFAResult.error) {
+        spinner2.fail();
+        ui.error(twoFAResult.error.message);
+        process.exit(1);
+      }
+      configManager.setTokens(
+        twoFAResult.data.accessToken,
+        twoFAResult.data.refreshToken,
+        twoFAResult.data.expiresIn
+      );
+      configManager.setUser(twoFAResult.data.user.id, twoFAResult.data.user.email);
+      spinner2.succeed("Logged in successfully");
+    } else {
+      configManager.setTokens(
+        result.data.accessToken,
+        result.data.refreshToken,
+        result.data.expiresIn
+      );
+      configManager.setUser(result.data.user.id, result.data.user.email);
+      spinner.succeed("Logged in successfully");
+    }
+    ui.br();
+    ui.keyValue("Email", email);
+    ui.keyValue("Config", configManager.getConfigPath());
+    ui.br();
+    ui.info(`Run ${ui.code("sstash teams")} to see your teams`);
+  });
+  program2.command("logout").description("Log out from SecretStash").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.warning("You are not logged in");
+      return;
+    }
+    if (configManager.isServiceTokenAuth()) {
+      if (process.env.SECRETSTASH_TOKEN) {
+        ui.warning("Using SECRETSTASH_TOKEN environment variable");
+        ui.info("Unset the environment variable to log out:");
+        ui.info(`  ${ui.code("unset SECRETSTASH_TOKEN")}`);
+        return;
+      }
+      configManager.clearServiceToken();
+      ui.success("Service token cleared successfully");
+      return;
+    }
+    const spinner = ui.spinner("Logging out...");
+    await apiClient.logout();
+    spinner.succeed("Logged out successfully");
+  });
+  program2.command("whoami").description("Display current user information").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    if (configManager.isServiceTokenAuth()) {
+      ui.heading("Current Authentication");
+      ui.keyValue("Auth Type", colors.highlight("Service Token"));
+      const serviceToken = configManager.getServiceToken();
+      if (serviceToken) {
+        ui.keyValue("Token", `${serviceToken.substring(0, 12)}...`);
+      }
+      if (process.env.SECRETSTASH_TOKEN) {
+        ui.keyValue("Source", "SECRETSTASH_TOKEN environment variable");
+      } else {
+        ui.keyValue("Source", "Stored in config");
+      }
+      ui.br();
+      ui.info("Service tokens are scoped to a specific environment");
+      ui.info("User information is not available with service token auth");
+      return;
+    }
+    const spinner = ui.spinner("Fetching user info...");
+    const result = await apiClient.getMe();
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    ui.heading("Current User");
+    ui.keyValue("Email", result.data.email);
+    ui.keyValue("User ID", result.data.id);
+    ui.keyValue("2FA", result.data.totpEnabled ? colors.success("Enabled") : colors.warning("Disabled"));
+    ui.keyValue("Member since", new Date(result.data.createdAt).toLocaleDateString());
+    const currentTeam = configManager.getCurrentTeam();
+    const currentProject = configManager.getCurrentProject();
+    const currentEnv = configManager.getCurrentEnvironment();
+    if (currentTeam || currentProject || currentEnv) {
+      ui.br();
+      ui.subheading("Current Context");
+      if (currentTeam) ui.keyValue("Team", currentTeam.name);
+      if (currentProject) ui.keyValue("Project", currentProject.name);
+      if (currentEnv) ui.keyValue("Environment", ui.envBadge(currentEnv));
+    }
+  });
+  program2.command("2fa").description("Manage two-factor authentication").command("setup").description("Set up two-factor authentication").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Setting up 2FA...");
+    const result = await apiClient.setup2FA();
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    ui.heading("Two-Factor Authentication Setup");
+    ui.info("Scan this QR code with your authenticator app:");
+    ui.br();
+    qrcode.generate(result.data.qrCodeUrl, { small: true });
+    ui.br();
+    ui.subheading("Or enter this secret manually:");
+    console.log(colors.primary.bold(`  ${result.data.secret}`));
+    ui.br();
+    ui.box("Backup Codes", [
+      "Save these codes in a secure location.",
+      "Each code can only be used once.",
+      "",
+      ...result.data.backupCodes.map((code2) => `  ${colors.highlight(code2)}`)
+    ]);
+    const { code } = await prompt({
+      type: "input",
+      name: "code",
+      message: "Enter a code from your authenticator app to verify:",
+      validate: (value) => {
+        if (!value) return "Code is required";
+        if (!/^\d{6}$/.test(value)) return "Code must be 6 digits";
+        return true;
+      }
+    });
+    const verifySpinner = ui.spinner("Verifying...");
+    const enableResult = await apiClient.enable2FA(code);
+    if (enableResult.error) {
+      verifySpinner.fail();
+      ui.error(enableResult.error.message);
+      process.exit(1);
+    }
+    verifySpinner.succeed("2FA enabled successfully");
+    ui.br();
+    ui.success("Your account is now protected with two-factor authentication");
+  });
+  program2.command("register").description("Create a new SecretStash account").option("-e, --email <email>", "Email address").action(async (options) => {
+    ui.heading("Create SecretStash Account");
+    let email = options.email;
+    if (!email) {
+      const response = await prompt({
+        type: "input",
+        name: "email",
+        message: "Email:",
+        validate: (value) => {
+          if (!value) return "Email is required";
+          if (!value.includes("@")) return "Invalid email format";
+          return true;
+        }
+      });
+      email = response.email;
+    }
+    const { password } = await prompt({
+      type: "password",
+      name: "password",
+      message: "Password:",
+      validate: (value) => {
+        if (!value) return "Password is required";
+        if (value.length < 12) return "Password must be at least 12 characters";
+        if (!/[A-Z]/.test(value)) return "Password must contain an uppercase letter";
+        if (!/[a-z]/.test(value)) return "Password must contain a lowercase letter";
+        if (!/[0-9]/.test(value)) return "Password must contain a number";
+        return true;
+      }
+    });
+    const { confirmPassword } = await prompt({
+      type: "password",
+      name: "confirmPassword",
+      message: "Confirm Password:",
+      validate: (value) => value === password ? true : "Passwords do not match"
+    });
+    const spinner = ui.spinner("Creating account...");
+    const result = await apiClient.register(email, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    configManager.setTokens(
+      result.data.accessToken,
+      result.data.refreshToken,
+      result.data.expiresIn
+    );
+    configManager.setUser(result.data.user.id, result.data.user.email);
+    spinner.succeed("Account created successfully");
+    ui.br();
+    ui.keyValue("Email", email);
+    ui.br();
+    ui.info("We recommend setting up 2FA for added security");
+    ui.info(`Run ${ui.code("sstash 2fa setup")} to enable two-factor authentication`);
+  });
+}
+// src/commands/teams.ts
+import { prompt as prompt2 } from "enquirer";
+function registerTeamCommands(program2) {
+  const teams = program2.command("teams").description("Manage teams");
+  teams.command("list").alias("ls").description("List all teams you belong to").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Fetching teams...");
+    const result = await apiClient.getTeams();
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.teams.length) {
+      ui.warning("You are not a member of any teams");
+      ui.info(`Create one with ${ui.code("sstash teams create")}`);
+      return;
+    }
+    ui.heading("Your Teams");
+    const currentTeam = configManager.getCurrentTeam();
+    const tableData = result.data.teams.map((team) => [
+      team.id === currentTeam?.id ? "\u2192" : " ",
+      team.name,
+      team.slug,
+      ui.roleBadge(team.role)
+    ]);
+    ui.table(tableData, {
+      header: ["", "Name", "Slug", "Role"]
+    });
+    ui.br();
+    ui.info(`Switch teams with ${ui.code("sstash teams use <slug>")}`);
+  });
+  teams.command("create").description("Create a new team").option("-n, --name <name>", "Team name").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    let name = options.name;
+    if (!name) {
+      const response = await prompt2({
+        type: "input",
+        name: "name",
+        message: "Team name:",
+        validate: (value) => {
+          if (!value) return "Name is required";
+          if (value.length < 2) return "Name must be at least 2 characters";
+          return true;
+        }
+      });
+      name = response.name;
+    }
+    const spinner = ui.spinner("Creating team...");
+    const result = await apiClient.createTeam(name);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    configManager.setCurrentTeam({
+      id: result.data.id,
+      name: result.data.name,
+      slug: result.data.slug
+    });
+    spinner.succeed(`Team "${name}" created successfully`);
+    ui.br();
+    ui.keyValue("ID", result.data.id);
+    ui.keyValue("Slug", result.data.slug);
+    ui.br();
+    ui.info(`Create your first project with ${ui.code("sstash projects create")}`);
+  });
+  teams.command("use <slug>").description("Switch to a different team").action(async (slug) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Fetching teams...");
+    const result = await apiClient.getTeams();
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const team = result.data?.teams.find((t) => t.slug === slug);
+    if (!team) {
+      spinner.fail();
+      ui.error(`Team "${slug}" not found or you don't have access`);
+      process.exit(1);
+    }
+    configManager.setCurrentTeam({
+      id: team.id,
+      name: team.name,
+      slug: team.slug
+    });
+    configManager.clearCurrentProject();
+    configManager.clearCurrentEnvironment();
+    spinner.succeed(`Switched to team "${team.name}"`);
+  });
+  teams.command("current").description("Show the current team").action(() => {
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.warning("No team selected");
+      ui.info(`Select one with ${ui.code("sstash teams use <slug>")}`);
+      return;
+    }
+    ui.heading("Current Team");
+    ui.keyValue("Name", currentTeam.name);
+    ui.keyValue("Slug", currentTeam.slug);
+    ui.keyValue("ID", currentTeam.id);
+  });
+  teams.command("invite <email>").description("Invite a member to the current team").option("-r, --role <role>", "Role for the invited member (member|admin)", "member").action(async (email, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const role = options.role.toLowerCase();
+    if (role !== "member" && role !== "admin") {
+      ui.error('Invalid role. Must be "member" or "admin".');
+      process.exit(1);
+    }
+    const spinner = ui.spinner(`Inviting ${email} to ${currentTeam.name}...`);
+    const result = await apiClient.inviteTeamMember(currentTeam.id, email, role);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed(`Invitation sent to ${email}`);
+    ui.br();
+    ui.keyValue("Team", currentTeam.name);
+    ui.keyValue("Email", email);
+    ui.keyValue("Role", ui.roleBadge(role));
+    ui.br();
+    ui.info("The invitation link has been generated. Share it with the invitee.");
+    ui.info(`Invitation token: ${result.data?.token}`);
+  });
+  teams.command("members").description("List members of the current team").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Fetching team members...");
+    const result = await apiClient.getTeamMembers(currentTeam.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.members.length) {
+      ui.warning("No members found");
+      return;
+    }
+    ui.heading(`Members of ${currentTeam.name}`);
+    const tableData = result.data.members.map((member) => {
+      const joinedDate = new Date(member.createdAt).toLocaleDateString();
+      const twoFAStatus = member.user.totpEnabled ? ui.code("enabled") : ui.dim("disabled");
+      return [
+        member.user.email,
+        ui.roleBadge(member.role),
+        joinedDate,
+        twoFAStatus
+      ];
+    });
+    ui.table(tableData, {
+      header: ["Email", "Role", "Joined", "2FA"]
+    });
+  });
+  teams.command("remove <email>").description("Remove a member from the current team").option("-f, --force", "Skip confirmation prompt").action(async (email, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Looking up member...");
+    const membersResult = await apiClient.getTeamMembers(currentTeam.id);
+    if (membersResult.error) {
+      spinner.fail();
+      ui.error(membersResult.error.message);
+      process.exit(1);
+    }
+    const member = membersResult.data?.members.find(
+      (m) => m.user.email.toLowerCase() === email.toLowerCase()
+    );
+    if (!member) {
+      spinner.fail();
+      ui.error(`Member "${email}" not found in team "${currentTeam.name}"`);
+      process.exit(1);
+    }
+    const currentUser = configManager.getUser();
+    if (member.user.email.toLowerCase() === currentUser.email?.toLowerCase()) {
+      spinner.fail();
+      ui.error("You cannot remove yourself from the team");
+      process.exit(1);
+    }
+    if (member.role.toLowerCase() === "owner") {
+      spinner.fail();
+      ui.error("Cannot remove the team owner");
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!options.force) {
+      const response = await prompt2({
+        type: "confirm",
+        name: "confirm",
+        message: `Are you sure you want to remove ${email} from ${currentTeam.name}?`,
+        initial: false
+      });
+      if (!response.confirm) {
+        ui.warning("Operation cancelled");
+        return;
+      }
+    }
+    const removeSpinner = ui.spinner(`Removing ${email}...`);
+    const removeResult = await apiClient.removeTeamMember(currentTeam.id, member.id);
+    if (removeResult.error) {
+      removeSpinner.fail();
+      ui.error(removeResult.error.message);
+      process.exit(1);
+    }
+    removeSpinner.succeed(`${email} has been removed from ${currentTeam.name}`);
+  });
+  teams.command("role <email> <role>").description("Change a member's role in the current team").option("-f, --force", "Skip confirmation prompt").action(async (email, role, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const validRoles = ["admin", "member"];
+    const normalizedRole = role.toLowerCase();
+    if (!validRoles.includes(normalizedRole)) {
+      ui.error(`Invalid role "${role}". Must be one of: admin, member`);
+      ui.info("Note: Owner role cannot be assigned via this command.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Looking up member...");
+    const membersResult = await apiClient.getTeamMembers(currentTeam.id);
+    if (membersResult.error) {
+      spinner.fail();
+      ui.error(membersResult.error.message);
+      process.exit(1);
+    }
+    const member = membersResult.data?.members.find(
+      (m) => m.user.email.toLowerCase() === email.toLowerCase()
+    );
+    if (!member) {
+      spinner.fail();
+      ui.error(`Member "${email}" not found in team "${currentTeam.name}"`);
+      process.exit(1);
+    }
+    if (member.role.toLowerCase() === "owner") {
+      spinner.fail();
+      ui.error("Cannot change the role of the team owner");
+      process.exit(1);
+    }
+    if (member.role.toLowerCase() === normalizedRole) {
+      spinner.stop();
+      ui.warning(`${email} is already a ${normalizedRole}`);
+      return;
+    }
+    spinner.stop();
+    if (!options.force) {
+      const response = await prompt2({
+        type: "confirm",
+        name: "confirm",
+        message: `Change ${email}'s role from ${member.role} to ${normalizedRole}?`,
+        initial: false
+      });
+      if (!response.confirm) {
+        ui.warning("Operation cancelled");
+        return;
+      }
+    }
+    const updateSpinner = ui.spinner(`Updating role for ${email}...`);
+    const updateResult = await apiClient.updateTeamMemberRole(
+      currentTeam.id,
+      member.id,
+      normalizedRole
+    );
+    if (updateResult.error) {
+      updateSpinner.fail();
+      ui.error(updateResult.error.message);
+      process.exit(1);
+    }
+    updateSpinner.succeed(`${email}'s role has been changed to ${normalizedRole}`);
+    ui.br();
+    ui.keyValue("Member", email);
+    ui.keyValue("New Role", ui.roleBadge(normalizedRole));
+  });
+  teams.action(async () => {
+    await teams.commands.find((c) => c.name() === "list")?.parseAsync([], { from: "user" });
+  });
+}
+// src/commands/projects.ts
+import { prompt as prompt3 } from "enquirer";
+function requireTeam() {
+  const team = configManager.getCurrentTeam();
+  if (!team) {
+    ui.error("No team selected. Run `sstash teams use <slug>` first.");
+    process.exit(1);
+  }
+  return team;
+}
+function registerProjectCommands(program2) {
+  const projects = program2.command("projects").description("Manage projects");
+  projects.command("list").alias("ls").description("List all projects in the current team").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const team = requireTeam();
+    const spinner = ui.spinner("Fetching projects...");
+    const result = await apiClient.getProjects(team.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.projects.length) {
+      ui.warning(`No projects in team "${team.name}"`);
+      ui.info(`Create one with ${ui.code("sstash projects create")}`);
+      return;
+    }
+    ui.heading(`Projects in ${team.name}`);
+    const currentProject = configManager.getCurrentProject();
+    const tableData = result.data.projects.map((project) => [
+      project.id === currentProject?.id ? "\u2192" : " ",
+      project.name,
+      project.slug,
+      String(project.environmentCount),
+      String(project.secretCount)
+    ]);
+    ui.table(tableData, {
+      header: ["", "Name", "Slug", "Environments", "Secrets"]
+    });
+    ui.br();
+    ui.info(`Switch projects with ${ui.code("sstash projects use <slug>")}`);
+  });
+  projects.command("create").description("Create a new project").option("-n, --name <name>", "Project name").option("-d, --description <description>", "Project description").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const team = requireTeam();
+    let name = options.name;
+    let description = options.description;
+    if (!name) {
+      const response = await prompt3([
+        {
+          type: "input",
+          name: "name",
+          message: "Project name:",
+          validate: (value) => {
+            if (!value) return "Name is required";
+            if (value.length < 2) return "Name must be at least 2 characters";
+            return true;
+          }
+        },
+        {
+          type: "input",
+          name: "description",
+          message: "Description (optional):"
+        }
+      ]);
+      name = response.name;
+      description = response.description || void 0;
+    }
+    const spinner = ui.spinner("Creating project...");
+    const result = await apiClient.createProject(team.id, name, description);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    configManager.setCurrentProject({
+      id: result.data.id,
+      name: result.data.name,
+      slug: result.data.slug
+    });
+    spinner.succeed(`Project "${name}" created successfully`);
+    ui.br();
+    ui.keyValue("ID", result.data.id);
+    ui.keyValue("Slug", result.data.slug);
+    ui.br();
+    ui.info(`Create environments with ${ui.code("sstash environments create")}`);
+  });
+  projects.command("use <slug>").description("Switch to a different project").action(async (slug) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const team = requireTeam();
+    const spinner = ui.spinner("Fetching projects...");
+    const result = await apiClient.getProjects(team.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const project = result.data?.projects.find((p) => p.slug === slug);
+    if (!project) {
+      spinner.fail();
+      ui.error(`Project "${slug}" not found in team "${team.name}"`);
+      process.exit(1);
+    }
+    configManager.setCurrentProject({
+      id: project.id,
+      name: project.name,
+      slug: project.slug
+    });
+    configManager.clearCurrentEnvironment();
+    spinner.succeed(`Switched to project "${project.name}"`);
+  });
+  projects.command("current").description("Show the current project").action(() => {
+    const currentProject = configManager.getCurrentProject();
+    if (!currentProject) {
+      ui.warning("No project selected");
+      ui.info(`Select one with ${ui.code("sstash projects use <slug>")}`);
+      return;
+    }
+    ui.heading("Current Project");
+    ui.keyValue("Name", currentProject.name);
+    ui.keyValue("Slug", currentProject.slug);
+    ui.keyValue("ID", currentProject.id);
+  });
+  projects.command("delete <slug>").alias("rm").description("Delete a project and all its environments and secrets").option("-f, --force", "Skip confirmation prompt").action(async (slug, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const team = requireTeam();
+    const spinner = ui.spinner("Fetching project details...");
+    const result = await apiClient.getProjects(team.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const project = result.data?.projects.find((p) => p.slug === slug);
+    if (!project) {
+      spinner.fail();
+      ui.error(`Project "${slug}" not found in team "${team.name}"`);
+      process.exit(1);
+    }
+    spinner.stop();
+    ui.br();
+    ui.warning("This action will permanently delete:");
+    ui.br();
+    ui.keyValue("Project", project.name);
+    ui.keyValue("Environments", String(project.environmentCount));
+    ui.keyValue("Secrets", String(project.secretCount));
+    ui.br();
+    ui.error("This action cannot be undone!");
+    ui.br();
+    if (!options.force) {
+      const { confirmName } = await prompt3({
+        type: "input",
+        name: "confirmName",
+        message: `Type the project name "${project.name}" to confirm deletion:`
+      });
+      if (confirmName !== project.name) {
+        ui.error("Project name does not match. Deletion cancelled.");
+        process.exit(1);
+      }
+    }
+    const deleteSpinner = ui.spinner(`Deleting project "${project.name}"...`);
+    const deleteResult = await apiClient.deleteProject(project.id);
+    if (deleteResult.error) {
+      deleteSpinner.fail();
+      ui.error(deleteResult.error.message);
+      process.exit(1);
+    }
+    const currentProject = configManager.getCurrentProject();
+    if (currentProject?.id === project.id) {
+      configManager.clearCurrentProject();
+      configManager.clearCurrentEnvironment();
+    }
+    deleteSpinner.succeed(`Project "${project.name}" deleted successfully`);
+    ui.br();
+    ui.keyValue("Environments deleted", String(project.environmentCount));
+    ui.keyValue("Secrets deleted", String(project.secretCount));
+  });
+  projects.action(async () => {
+    await projects.commands.find((c) => c.name() === "list")?.parseAsync([], { from: "user" });
+  });
+}
+// src/commands/environments.ts
+import { prompt as prompt4 } from "enquirer";
+function requireProject() {
+  const project = configManager.getCurrentProject();
+  if (!project) {
+    ui.error("No project selected. Run `sstash projects use <slug>` first.");
+    process.exit(1);
+  }
+  return project;
+}
+function registerEnvironmentCommands(program2) {
+  const envs = program2.command("environments").alias("envs").description("Manage environments");
+  envs.command("list").alias("ls").description("List all environments in the current project").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const project = requireProject();
+    const spinner = ui.spinner("Fetching environments...");
+    const result = await apiClient.getEnvironments(project.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.environments.length) {
+      ui.warning(`No environments in project "${project.name}"`);
+      ui.info(`Create one with ${ui.code("sstash environments create")}`);
+      return;
+    }
+    ui.heading(`Environments in ${project.name}`);
+    const currentEnv = configManager.getCurrentEnvironment();
+    const envMap = new Map(result.data.environments.map((e) => [e.id, e.slug]));
+    const tableData = result.data.environments.map((env) => {
+      const parentSlug = env.parentId ? envMap.get(env.parentId) : null;
+      return [
+        env.slug === currentEnv ? "\u2192" : " ",
+        ui.envBadge(env.name),
+        env.slug,
+        String(env.secretCount),
+        parentSlug ? ui.dim(`\u2190 ${parentSlug}`) : ""
+      ];
+    });
+    ui.table(tableData, {
+      header: ["", "Name", "Slug", "Secrets", "Inherits From"]
+    });
+    ui.br();
+    ui.info(`Switch environments with ${ui.code("sstash environments use <slug>")}`);
+  });
+  envs.command("create").description("Create a new environment").option("-n, --name <name>", "Environment name").option("--inherit-from <slug>", "Inherit secrets from parent environment (e.g., development)").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const project = requireProject();
+    let name = options.name;
+    if (!name) {
+      const response = await prompt4({
+        type: "select",
+        name: "name",
+        message: "Environment name:",
+        choices: ["development", "staging", "production", "testing", "other"]
+      });
+      if (response.name === "other") {
+        const custom = await prompt4({
+          type: "input",
+          name: "customName",
+          message: "Custom environment name:",
+          validate: (value) => {
+            if (!value) return "Name is required";
+            if (!/^[a-z][a-z0-9-]*$/.test(value)) {
+              return "Name must start with a letter and contain only lowercase letters, numbers, and hyphens";
+            }
+            return true;
+          }
+        });
+        name = custom.customName;
+      } else {
+        name = response.name;
+      }
+    }
+    let parentId = null;
+    if (options.inheritFrom) {
+      const envsResult = await apiClient.getEnvironments(project.id);
+      if (envsResult.error) {
+        ui.error(envsResult.error.message);
+        process.exit(1);
+      }
+      const parentEnv = envsResult.data?.environments.find((e) => e.slug === options.inheritFrom);
+      if (!parentEnv) {
+        ui.error(`Parent environment "${options.inheritFrom}" not found in project "${project.name}"`);
+        process.exit(1);
+      }
+      parentId = parentEnv.id;
+    }
+    const spinner = ui.spinner("Creating environment...");
+    const result = await apiClient.createEnvironment(project.id, name, parentId);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    configManager.setCurrentEnvironment(result.data.slug);
+    spinner.succeed(`Environment "${name}" created successfully`);
+    ui.br();
+    ui.keyValue("ID", result.data.id);
+    ui.keyValue("Slug", result.data.slug);
+    if (options.inheritFrom) {
+      ui.keyValue("Inherits from", options.inheritFrom);
+    }
+    ui.br();
+    ui.info(`Add secrets with ${ui.code("sstash secrets create")} or ${ui.code("sstash push")}`);
+  });
+  envs.command("use <slug>").description("Switch to a different environment").action(async (slug) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const project = requireProject();
+    const spinner = ui.spinner("Fetching environments...");
+    const result = await apiClient.getEnvironments(project.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const env = result.data?.environments.find((e) => e.slug === slug);
+    if (!env) {
+      spinner.fail();
+      ui.error(`Environment "${slug}" not found in project "${project.name}"`);
+      process.exit(1);
+    }
+    configManager.setCurrentEnvironment(env.slug);
+    spinner.succeed(`Switched to environment ${ui.envBadge(env.name)}`);
+  });
+  envs.command("current").description("Show the current environment").action(() => {
+    const currentEnv = configManager.getCurrentEnvironment();
+    if (!currentEnv) {
+      ui.warning("No environment selected");
+      ui.info(`Select one with ${ui.code("sstash environments use <slug>")}`);
+      return;
+    }
+    ui.heading("Current Environment");
+    console.log(`  ${ui.envBadge(currentEnv)}`);
+  });
+  envs.command("clone <source> <target>").description("Clone an environment with all its secrets").action(async (source, target) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const teamSlug = projectConfig.getEffectiveTeam();
+    const projectSlug = projectConfig.getEffectiveProject();
+    if (!teamSlug) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    if (!projectSlug) {
+      ui.error("No project selected. Run `sstash projects use <slug>` first.");
+      process.exit(1);
+    }
+    const { password } = await prompt4({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt/encrypt secrets:"
+    });
+    const spinner = ui.spinner(`Fetching secrets from ${ui.envBadge(source)}...`);
+    const pullResult = await apiClient.pullSecrets(teamSlug, projectSlug, source, password);
+    if (pullResult.error) {
+      spinner.fail();
+      ui.error(pullResult.error.message);
+      process.exit(1);
+    }
+    const secrets = pullResult.data?.secrets || [];
+    if (secrets.length === 0) {
+      spinner.fail();
+      ui.warning(`No secrets found in source environment "${source}"`);
+      process.exit(1);
+    }
+    spinner.text = `Checking if target environment "${target}" exists...`;
+    const project = requireProject();
+    const envsResult = await apiClient.getEnvironments(project.id);
+    if (envsResult.error) {
+      spinner.fail();
+      ui.error(envsResult.error.message);
+      process.exit(1);
+    }
+    const targetEnv = envsResult.data?.environments.find((e) => e.slug === target);
+    let targetCreated = false;
+    if (!targetEnv) {
+      spinner.text = `Creating target environment "${target}"...`;
+      const createResult = await apiClient.createEnvironment(project.id, target);
+      if (createResult.error) {
+        spinner.fail();
+        ui.error(createResult.error.message);
+        process.exit(1);
+      }
+      targetCreated = true;
+    }
+    spinner.text = `Copying ${secrets.length} secrets to ${ui.envBadge(target)}...`;
+    const pushResult = await apiClient.pushSecrets(
+      teamSlug,
+      projectSlug,
+      target,
+      secrets.map((s) => ({ key: s.key, value: s.value })),
+      password
+    );
+    if (pushResult.error) {
+      spinner.fail();
+      ui.error(pushResult.error.message);
+      process.exit(1);
+    }
+    spinner.succeed(`Cloned ${secrets.length} secrets from "${source}" to "${target}"`);
+    ui.br();
+    ui.heading("Clone Summary");
+    ui.keyValue("Source", ui.envBadge(source));
+    ui.keyValue("Target", ui.envBadge(target));
+    if (targetCreated) {
+      console.log(`  ${colors.success("+")} Created new environment "${target}"`);
+    }
+    ui.keyValue("Secrets copied", String(secrets.length));
+    ui.br();
+    console.log(ui.dim("  Copied secrets:"));
+    for (const secret of secrets) {
+      console.log(`    ${colors.success("+")} ${secret.key}`);
+    }
+    ui.br();
+    ui.info(`Switch to the new environment with ${ui.code(`sstash environments use ${target}`)}`);
+  });
+  envs.command("delete <slug>").description("Delete an environment").option("-f, --force", "Skip confirmation prompts").action(async (slug, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const project = requireProject();
+    const spinner = ui.spinner("Fetching environment details...");
+    const result = await apiClient.getEnvironments(project.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const env = result.data?.environments.find((e) => e.slug === slug);
+    if (!env) {
+      spinner.fail();
+      ui.error(`Environment "${slug}" not found in project "${project.name}"`);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (env.secretCount > 0) {
+      ui.br();
+      ui.warning(`This environment contains ${env.secretCount} secret${env.secretCount === 1 ? "" : "s"} that will be permanently deleted.`);
+      ui.br();
+    }
+    if (env.isProtected) {
+      ui.br();
+      console.log(colors.error.bold("  !! WARNING: This is a protected environment !!"));
+      ui.br();
+    }
+    if (!options.force) {
+      const { confirm } = await prompt4({
+        type: "confirm",
+        name: "confirm",
+        message: `Are you sure you want to delete the "${env.name}" environment?`,
+        initial: false
+      });
+      if (!confirm) {
+        ui.info("Deletion cancelled");
+        return;
+      }
+      if (env.isProtected) {
+        const { confirmProtected } = await prompt4({
+          type: "input",
+          name: "confirmProtected",
+          message: `Type "${env.slug}" to confirm deletion of this protected environment:`
+        });
+        if (confirmProtected !== env.slug) {
+          ui.error("Environment name does not match. Deletion cancelled.");
+          process.exit(1);
+        }
+      }
+    }
+    const deleteSpinner = ui.spinner("Deleting environment...");
+    const deleteResult = await apiClient.deleteEnvironment(env.id);
+    if (deleteResult.error) {
+      deleteSpinner.fail();
+      ui.error(deleteResult.error.message);
+      process.exit(1);
+    }
+    if (configManager.getCurrentEnvironment() === env.slug) {
+      configManager.clearCurrentEnvironment();
+    }
+    deleteSpinner.succeed(`Environment "${env.name}" deleted successfully`);
+  });
+  envs.action(async () => {
+    await envs.commands.find((c) => c.name() === "list")?.parseAsync([], { from: "user" });
+  });
+}
+// src/commands/secrets.ts
+import { prompt as prompt5 } from "enquirer";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
+import { spawn } from "child_process";
+import yaml from "js-yaml";
+function requireContext() {
+  const teamSlug = projectConfig.getEffectiveTeam();
+  const projectSlug = projectConfig.getEffectiveProject();
+  const environment = projectConfig.getEffectiveEnvironment();
+  if (!teamSlug) {
+    ui.error("No team selected. Run `sstash teams use <slug>` first.");
+    process.exit(1);
+  }
+  if (!projectSlug) {
+    ui.error("No project selected. Run `sstash projects use <slug>` first.");
+    process.exit(1);
+  }
+  if (!environment) {
+    ui.error("No environment selected. Run `sstash environments use <slug>` first.");
+    process.exit(1);
+  }
+  return { teamSlug, projectSlug, environment };
+}
+function parseEnvFile(content) {
+  const secrets = /* @__PURE__ */ new Map();
+  const lines = content.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const equalIndex = trimmed.indexOf("=");
+    if (equalIndex === -1) continue;
+    const key = trimmed.substring(0, equalIndex).trim();
+    let value = trimmed.substring(equalIndex + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key) {
+      secrets.set(key, value);
+    }
+  }
+  return secrets;
+}
+function formatEnvFile(secrets) {
+  const lines = [
+    "# Generated by SecretStash CLI",
+    `# Environment: ${projectConfig.getEffectiveEnvironment()}`,
+    `# Generated at: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    ""
+  ];
+  const sorted = [...secrets].sort((a, b) => a.key.localeCompare(b.key));
+  for (const secret of sorted) {
+    const needsQuotes = /[\s#"'$\\]/.test(secret.value);
+    const value = needsQuotes ? `"${secret.value.replace(/"/g, '\\"')}"` : secret.value;
+    lines.push(`${secret.key}=${value}`);
+  }
+  return lines.join("\n") + "\n";
+}
+function registerSecretCommands(program2) {
+  const secrets = program2.command("secrets").description("Manage secrets");
+  secrets.command("list").alias("ls").description("List all secrets in the current environment").option("-r, --reveal", "Show secret values").option("-f, --format <format>", "Output format: table, json, or env", "table").option("--no-inherited", "Exclude inherited secrets from parent environments").action(async (options) => {
+    const validFormats = ["table", "json", "env"];
+    if (!validFormats.includes(options.format)) {
+      ui.error(`Invalid format "${options.format}". Valid formats: ${validFormats.join(", ")}`);
+      process.exit(1);
+    }
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secrets:"
+    });
+    const spinner = ui.spinner("Fetching secrets...");
+    const includeInherited = options.inherited !== false;
+    const result = await apiClient.pullSecrets(ctx.teamSlug, ctx.projectSlug, ctx.environment, password, { includeInherited });
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.secrets.length) {
+      if (options.format === "json") {
+        console.log("[]");
+      } else if (options.format === "env") {
+      } else {
+        ui.warning("No secrets in this environment");
+        ui.info(`Add secrets with ${ui.code("sstash secrets create")} or ${ui.code("sstash push")}`);
+      }
+      return;
+    }
+    const secretsList = result.data.secrets;
+    if (options.format === "json") {
+      const jsonOutput = secretsList.map((secret) => ({
+        key: secret.key,
+        value: options.reveal ? secret.value : "********",
+        ...secret.description && { description: secret.description },
+        ...secret.inherited !== void 0 && { inherited: secret.inherited }
+      }));
+      console.log(JSON.stringify(jsonOutput, null, 2));
+    } else if (options.format === "env") {
+      const sorted = [...secretsList].sort((a, b) => a.key.localeCompare(b.key));
+      for (const secret of sorted) {
+        const value = options.reveal ? secret.value : "********";
+        const needsQuotes = options.reveal && /[\s#"'$\\]/.test(value);
+        const formattedValue = needsQuotes ? `"${value.replace(/"/g, '\\"')}"` : value;
+        const inheritedComment = secret.inherited ? " # [inherited]" : "";
+        console.log(`${secret.key}=${formattedValue}${inheritedComment}`);
+      }
+    } else {
+      ui.heading(`Secrets in ${ui.envBadge(ctx.environment)}`);
+      const hasDescriptions = secretsList.some((s) => s.description);
+      const hasInherited = secretsList.some((s) => s.inherited);
+      const tableData = secretsList.map((secret) => {
+        const inheritedMarker = secret.inherited ? ui.dim("[inherited]") : "";
+        const keyDisplay = secret.inherited ? `${secret.key} ${inheritedMarker}` : secret.key;
+        if (hasDescriptions) {
+          return [
+            keyDisplay,
+            ui.secret(secret.value, options.reveal),
+            secret.description || "-"
+          ];
+        } else {
+          return [
+            keyDisplay,
+            ui.secret(secret.value, options.reveal)
+          ];
+        }
+      });
+      ui.table(tableData, {
+        header: hasDescriptions ? ["Key", "Value", "Description"] : ["Key", "Value"]
+      });
+      ui.br();
+      const inheritedCount = secretsList.filter((s) => s.inherited).length;
+      const ownCount = secretsList.length - inheritedCount;
+      if (inheritedCount > 0) {
+        ui.info(`${ownCount} own secrets, ${inheritedCount} inherited (${secretsList.length} total)`);
+      } else {
+        ui.info(`${secretsList.length} secrets total`);
+      }
+      if (!options.reveal) {
+        ui.info(`Use ${ui.code("--reveal")} flag to show values`);
+      }
+      if (hasInherited && includeInherited) {
+        ui.info(`Use ${ui.code("--no-inherited")} to hide inherited secrets`);
+      }
+    }
+  });
+  secrets.command("set <key> [value]").description("Create or update a single secret").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").option("-d, --description <description>", "Secret description").option("--from-file <file>", "Read value from file").option("--expires <date>", "Set expiration date (YYYY-MM-DD format)").action(async (key, value, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
+    let secretValue = value;
+    if (options.fromFile) {
+      if (!existsSync2(options.fromFile)) {
+        ui.error(`File not found: ${options.fromFile}`);
+        process.exit(1);
+      }
+      secretValue = readFileSync2(options.fromFile, "utf-8");
+    }
+    if (!secretValue) {
+      ui.error("Value is required. Provide it as an argument or use --from-file");
+      process.exit(1);
+    }
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to encrypt secret:"
+    });
+    const spinner = ui.spinner(`Checking if secret "${key}" exists...`);
+    const pullResult = await apiClient.pullSecrets(ctx.teamSlug, projectSlug, environment, password);
+    if (pullResult.error) {
+      spinner.fail();
+      ui.error(pullResult.error.message);
+      process.exit(1);
+    }
+    const existingSecret = pullResult.data?.secrets.find((s) => s.key === key);
+    let expiresAt;
+    if (options.expires) {
+      const expDate = new Date(options.expires);
+      if (isNaN(expDate.getTime())) {
+        spinner.fail();
+        ui.error("Invalid expiration date. Use YYYY-MM-DD format.");
+        process.exit(1);
+      }
+      if (expDate <= /* @__PURE__ */ new Date()) {
+        spinner.fail();
+        ui.error("Expiration date must be in the future.");
+        process.exit(1);
+      }
+      expiresAt = expDate.toISOString();
+    }
+    spinner.text = existingSecret ? `Updating secret "${key}"...` : `Creating secret "${key}"...`;
+    const secrets2 = pullResult.data?.secrets.map((s) => ({
+      key: s.key,
+      value: s.key === key ? secretValue : s.value,
+      // Preserve existing description unless this is the secret being updated and a new description is provided
+      description: s.key === key && options.description !== void 0 ? options.description : s.description,
+      // Only set expiresAt for the secret being updated
+      ...s.key === key && expiresAt ? { expiresAt } : {}
+    })) || [];
+    if (!existingSecret) {
+      secrets2.push({ key, value: secretValue, description: options.description, expiresAt });
+    }
+    const result = await apiClient.pushSecrets(ctx.teamSlug, projectSlug, environment, secrets2, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed(existingSecret ? `Updated secret "${key}"` : `Created secret "${key}"`);
+    ui.br();
+    ui.keyValue("Environment", ui.envBadge(environment));
+    if (options.description) {
+      ui.keyValue("Description", options.description);
+    }
+    if (expiresAt) {
+      ui.keyValue("Expires", new Date(expiresAt).toLocaleDateString());
+    }
+  });
+  secrets.command("get <key>").description("Get a single secret value").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").option("-r, --reveal", "Show unmasked value").action(async (key, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secret:"
+    });
+    const spinner = ui.spinner(`Fetching secret "${key}"...`);
+    const result = await apiClient.pullSecrets(ctx.teamSlug, projectSlug, environment, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const secret = result.data?.secrets.find((s) => s.key === key);
+    if (!secret) {
+      spinner.fail();
+      ui.error(`Secret "${key}" not found in environment ${environment}`);
+      process.exit(1);
+    }
+    spinner.stop();
+    ui.heading(`Secret: ${key}`);
+    ui.keyValue("Environment", ui.envBadge(environment));
+    ui.keyValue("Value", ui.secret(secret.value, options.reveal));
+    if (secret.description) {
+      ui.keyValue("Description", secret.description);
+    }
+    ui.br();
+    if (!options.reveal) {
+      ui.info(`Use ${ui.code("--reveal")} flag to show the actual value`);
+    }
+  });
+  secrets.command("delete <key>").alias("rm").description("Delete a single secret").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").option("-f, --force", "Skip confirmation").action(async (key, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password:"
+    });
+    const spinner = ui.spinner(`Looking for secret "${key}"...`);
+    const result = await apiClient.pullSecrets(ctx.teamSlug, projectSlug, environment, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    const secretToDelete = result.data?.secrets.find((s) => s.key === key);
+    if (!secretToDelete) {
+      spinner.fail();
+      ui.error(`Secret "${key}" not found in environment ${environment}`);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!options.force) {
+      ui.warning(`You are about to delete secret "${key}" from ${ui.envBadge(environment)}`);
+      const { confirm } = await prompt5({
+        type: "confirm",
+        name: "confirm",
+        message: "Are you sure you want to delete this secret?",
+        initial: false
+      });
+      if (!confirm) {
+        ui.warning("Aborted");
+        return;
+      }
+    }
+    const deleteSpinner = ui.spinner(`Deleting secret "${key}"...`);
+    const remainingSecrets = result.data?.secrets.filter((s) => s.key !== key).map((s) => ({ key: s.key, value: s.value })) || [];
+    const pushResult = await apiClient.pushSecrets(ctx.teamSlug, projectSlug, environment, remainingSecrets, password);
+    if (pushResult.error) {
+      deleteSpinner.fail();
+      ui.error(pushResult.error.message);
+      process.exit(1);
+    }
+    deleteSpinner.succeed(`Deleted secret "${key}"`);
+    ui.keyValue("Environment", ui.envBadge(environment));
+  });
+  secrets.command("history <key>").description("Show version history for a secret").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").option("-l, --limit <n>", "Number of versions to show", "10").action(async (key, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
+    const limit = parseInt(options.limit, 10) || 10;
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secrets:"
+    });
+    const spinner = ui.spinner(`Fetching version history for "${key}"...`);
+    const teamsResult = await apiClient.getTeams();
+    if (teamsResult.error) {
+      spinner.fail();
+      ui.error(teamsResult.error.message);
+      process.exit(1);
+    }
+    const team = teamsResult.data?.teams.find((t) => t.slug === ctx.teamSlug);
+    if (!team) {
+      spinner.fail();
+      ui.error(`Team "${ctx.teamSlug}" not found`);
+      process.exit(1);
+    }
+    const projectsResult = await apiClient.getProjects(team.id);
+    if (projectsResult.error) {
+      spinner.fail();
+      ui.error(projectsResult.error.message);
+      process.exit(1);
+    }
+    const project = projectsResult.data?.projects.find((p) => p.slug === projectSlug);
+    if (!project) {
+      spinner.fail();
+      ui.error(`Project "${projectSlug}" not found`);
+      process.exit(1);
+    }
+    const envsResult = await apiClient.getEnvironments(project.id);
+    if (envsResult.error) {
+      spinner.fail();
+      ui.error(envsResult.error.message);
+      process.exit(1);
+    }
+    const env = envsResult.data?.environments.find((e) => e.slug === environment || e.name.toLowerCase() === environment.toLowerCase());
+    if (!env) {
+      spinner.fail();
+      ui.error(`Environment "${environment}" not found`);
+      process.exit(1);
+    }
+    const secretsResult = await apiClient.getSecrets(env.id);
+    if (secretsResult.error) {
+      spinner.fail();
+      ui.error(secretsResult.error.message);
+      process.exit(1);
+    }
+    const secret = secretsResult.data?.secrets.find((s) => s.key === key);
+    if (!secret) {
+      spinner.fail();
+      ui.error(`Secret "${key}" not found in environment ${environment}`);
+      process.exit(1);
+    }
+    const versionsResult = await apiClient.getSecretVersions(secret.id, password, limit);
+    if (versionsResult.error) {
+      spinner.fail();
+      ui.error(versionsResult.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    const versions = versionsResult.data?.versions || [];
+    if (versions.length === 0) {
+      ui.heading(`Version History: ${key}`);
+      ui.warning("No version history found. History is created when a secret value is changed.");
+      return;
+    }
+    ui.heading(`Version History: ${key}`);
+    ui.keyValue("Environment", ui.envBadge(environment));
+    ui.br();
+    const tableData = versions.map((v) => [
+      `v${v.version}`,
+      ui.secret(v.value, false),
+      v.createdByEmail || v.createdBy,
+      new Date(v.createdAt).toLocaleString()
+    ]);
+    ui.table(tableData, {
+      header: ["Version", "Value", "Updated By", "Updated At"]
+    });
+    ui.br();
+    ui.info(`Showing ${versions.length} version(s)`);
+    ui.info(`Use ${ui.code(`sstash secrets rollback ${key} --version <n>`)} to restore a previous version`);
+  });
+  secrets.command("rollback <key>").description("Restore a secret to a previous version").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").option("-v, --version <n>", "Version number to restore (required)").action(async (key, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    if (!options.version) {
+      ui.error("Version number is required. Use --version <n>");
+      ui.info(`Use ${ui.code(`sstash secrets history ${key}`)} to see available versions`);
+      process.exit(1);
+    }
+    const version2 = parseInt(options.version, 10);
+    if (isNaN(version2) || version2 < 1) {
+      ui.error("Version must be a positive number");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt and restore the secret:"
+    });
+    const spinner = ui.spinner(`Fetching secret information...`);
+    const teamsResult = await apiClient.getTeams();
+    if (teamsResult.error) {
+      spinner.fail();
+      ui.error(teamsResult.error.message);
+      process.exit(1);
+    }
+    const team = teamsResult.data?.teams.find((t) => t.slug === ctx.teamSlug);
+    if (!team) {
+      spinner.fail();
+      ui.error(`Team "${ctx.teamSlug}" not found`);
+      process.exit(1);
+    }
+    const projectsResult = await apiClient.getProjects(team.id);
+    if (projectsResult.error) {
+      spinner.fail();
+      ui.error(projectsResult.error.message);
+      process.exit(1);
+    }
+    const project = projectsResult.data?.projects.find((p) => p.slug === projectSlug);
+    if (!project) {
+      spinner.fail();
+      ui.error(`Project "${projectSlug}" not found`);
+      process.exit(1);
+    }
+    const envsResult = await apiClient.getEnvironments(project.id);
+    if (envsResult.error) {
+      spinner.fail();
+      ui.error(envsResult.error.message);
+      process.exit(1);
+    }
+    const env = envsResult.data?.environments.find((e) => e.slug === environment || e.name.toLowerCase() === environment.toLowerCase());
+    if (!env) {
+      spinner.fail();
+      ui.error(`Environment "${environment}" not found`);
+      process.exit(1);
+    }
+    const secretsResult = await apiClient.getSecrets(env.id);
+    if (secretsResult.error) {
+      spinner.fail();
+      ui.error(secretsResult.error.message);
+      process.exit(1);
+    }
+    const secret = secretsResult.data?.secrets.find((s) => s.key === key);
+    if (!secret) {
+      spinner.fail();
+      ui.error(`Secret "${key}" not found in environment ${environment}`);
+      process.exit(1);
+    }
+    spinner.text = "Fetching version history...";
+    const versionsResult = await apiClient.getSecretVersions(secret.id, password);
+    if (versionsResult.error) {
+      spinner.fail();
+      ui.error(versionsResult.error.message);
+      process.exit(1);
+    }
+    const versions = versionsResult.data?.versions || [];
+    const targetVersion = versions.find((v) => v.version === version2);
+    if (!targetVersion) {
+      spinner.fail();
+      ui.error(`Version ${version2} not found for secret "${key}"`);
+      if (versions.length > 0) {
+        ui.info(`Available versions: ${versions.map((v) => `v${v.version}`).join(", ")}`);
+      } else {
+        ui.info("No version history available for this secret");
+      }
+      process.exit(1);
+    }
+    spinner.stop();
+    ui.heading(`Rollback Secret: ${key}`);
+    ui.keyValue("Environment", ui.envBadge(environment));
+    ui.br();
+    console.log(colors.warning("  Target version:"));
+    ui.keyValue("  Version", `v${targetVersion.version}`);
+    ui.keyValue("  Value", ui.secret(targetVersion.value, false));
+    ui.keyValue("  Created by", targetVersion.createdByEmail || targetVersion.createdBy);
+    ui.keyValue("  Created at", new Date(targetVersion.createdAt).toLocaleString());
+    ui.br();
+    const { confirm } = await prompt5({
+      type: "confirm",
+      name: "confirm",
+      message: `Restore secret "${key}" to version ${version2}?`,
+      initial: false
+    });
+    if (!confirm) {
+      ui.warning("Aborted");
+      return;
+    }
+    const rollbackSpinner = ui.spinner(`Rolling back "${key}" to v${version2}...`);
+    const rollbackResult = await apiClient.rollbackSecret(secret.id, version2, password);
+    if (rollbackResult.error) {
+      rollbackSpinner.fail();
+      ui.error(rollbackResult.error.message);
+      process.exit(1);
+    }
+    rollbackSpinner.succeed(`Rolled back "${key}" to version ${version2}`);
+    ui.br();
+    ui.keyValue("Secret", key);
+    ui.keyValue("Environment", ui.envBadge(environment));
+    ui.keyValue("Restored to", `v${version2}`);
+  });
+  program2.command("pull").description("Pull secrets from SecretStash to a local .env file").option("-e, --env <environment>", "Environment to pull from").option("-o, --output <file>", "Output file path").option("-f, --force", "Overwrite existing file without confirmation").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const outputPath = options.output || envPaths.getEnvPath(environment);
+    if (existsSync2(outputPath) && !options.force) {
+      const { overwrite } = await prompt5({
+        type: "confirm",
+        name: "overwrite",
+        message: `File ${outputPath} already exists. Overwrite?`,
+        initial: false
+      });
+      if (!overwrite) {
+        ui.warning("Aborted");
+        return;
+      }
+    }
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secrets:"
+    });
+    const spinner = ui.spinner(`Pulling secrets from ${ui.envBadge(environment)}...`);
+    const result = await apiClient.pullSecrets(ctx.teamSlug, ctx.projectSlug, environment, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    if (!result.data?.secrets.length) {
+      spinner.fail();
+      ui.warning("No secrets to pull");
+      return;
+    }
+    const content = formatEnvFile(result.data.secrets);
+    writeFileSync2(outputPath, content, "utf-8");
+    spinner.succeed(`Pulled ${result.data.secrets.length} secrets to ${outputPath}`);
+    ui.br();
+    ui.warning(`Remember to add ${outputPath} to .gitignore!`);
+  });
+  program2.command("export").description("Export secrets in various formats (env, json, yaml)").option("-e, --env <environment>", "Environment to export from").option("-f, --format <format>", "Output format (env, json, yaml)", "env").option("-o, --output <file>", "Output file path (default: stdout)").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const format = options.format.toLowerCase();
+    if (!["env", "json", "yaml"].includes(format)) {
+      ui.error(`Invalid format: ${format}. Valid formats are: env, json, yaml`);
+      process.exit(1);
+    }
+    if (options.output && existsSync2(options.output)) {
+      const { overwrite } = await prompt5({
+        type: "confirm",
+        name: "overwrite",
+        message: `File ${options.output} already exists. Overwrite?`,
+        initial: false
+      });
+      if (!overwrite) {
+        ui.warning("Aborted");
+        return;
+      }
+    }
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secrets:"
+    });
+    const spinner = ui.spinner(`Fetching secrets from ${ui.envBadge(environment)}...`);
+    const result = await apiClient.pullSecrets(ctx.teamSlug, ctx.projectSlug, environment, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    if (!result.data?.secrets.length) {
+      spinner.fail();
+      ui.warning("No secrets to export");
+      return;
+    }
+    spinner.stop();
+    const sorted = [...result.data.secrets].sort((a, b) => a.key.localeCompare(b.key));
+    let output;
+    switch (format) {
+      case "json": {
+        const jsonObj = {};
+        for (const secret of sorted) {
+          jsonObj[secret.key] = secret.value;
+        }
+        output = JSON.stringify(jsonObj, null, 2) + "\n";
+        break;
+      }
+      case "yaml": {
+        const yamlObj = {};
+        for (const secret of sorted) {
+          yamlObj[secret.key] = secret.value;
+        }
+        output = yaml.dump(yamlObj, { lineWidth: -1, quotingType: '"', forceQuotes: true });
+        break;
+      }
+      case "env":
+      default: {
+        output = formatEnvFile(sorted);
+        break;
+      }
+    }
+    if (options.output) {
+      writeFileSync2(options.output, output, "utf-8");
+      ui.success(`Exported ${result.data.secrets.length} secrets to ${options.output}`);
+      ui.keyValue("Format", format);
+      ui.keyValue("Environment", ui.envBadge(environment));
+      ui.br();
+      ui.warning(`Remember to add ${options.output} to .gitignore!`);
+    } else {
+      process.stdout.write(output);
+    }
+  });
+  program2.command("push").description("Push secrets from a local .env file to SecretStash").option("-e, --env <environment>", "Environment to push to").option("-i, --input <file>", "Input file path").option("--dry-run", "Show what would be pushed without making changes").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const inputPath = options.input || envPaths.getEnvPath(environment);
+    if (!existsSync2(inputPath)) {
+      ui.error(`File ${inputPath} not found`);
+      ui.info(`Create one or specify a different file with ${ui.code("--input")}`);
+      process.exit(1);
+    }
+    const spinner = ui.spinner(`Reading ${inputPath}...`);
+    const content = readFileSync2(inputPath, "utf-8");
+    const localSecrets = parseEnvFile(content);
+    if (localSecrets.size === 0) {
+      spinner.fail();
+      ui.warning("No secrets found in file");
+      return;
+    }
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to encrypt secrets:"
+    });
+    spinner.text = "Comparing with remote...";
+    const remoteResult = await apiClient.pullSecrets(ctx.teamSlug, ctx.projectSlug, environment, password);
+    const remoteSecrets = new Map(
+      remoteResult.data?.secrets.map((s) => [s.key, s.value]) || []
+    );
+    const toCreate = [];
+    const toUpdate = [];
+    for (const [key, value] of localSecrets) {
+      if (!remoteSecrets.has(key)) {
+        toCreate.push({ key, value });
+      } else if (remoteSecrets.get(key) !== value) {
+        toUpdate.push({ key, value });
+      }
+    }
+    spinner.stop();
+    if (toCreate.length === 0 && toUpdate.length === 0) {
+      ui.success("All secrets are up to date");
+      return;
+    }
+    ui.heading(`Changes for ${ui.envBadge(environment)}`);
+    if (toCreate.length > 0) {
+      console.log(colors.success.bold(`  + ${toCreate.length} secrets to create`));
+      toCreate.forEach((s) => console.log(`    ${colors.success("+")} ${s.key}`));
+    }
+    if (toUpdate.length > 0) {
+      console.log(colors.warning.bold(`  ~ ${toUpdate.length} secrets to update`));
+      toUpdate.forEach((s) => console.log(`    ${colors.warning("~")} ${s.key}`));
+    }
+    ui.br();
+    if (options.dryRun) {
+      ui.info("Dry run - no changes made");
+      return;
+    }
+    const { confirm } = await prompt5({
+      type: "confirm",
+      name: "confirm",
+      message: "Push these changes?",
+      initial: true
+    });
+    if (!confirm) {
+      ui.warning("Aborted");
+      return;
+    }
+    const pushSpinner = ui.spinner("Pushing secrets...");
+    const secrets2 = [...localSecrets].map(([key, value]) => ({ key, value }));
+    const result = await apiClient.pushSecrets(ctx.teamSlug, ctx.projectSlug, environment, secrets2, password);
+    if (result.error) {
+      pushSpinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    pushSpinner.succeed("Secrets pushed successfully");
+    ui.br();
+    ui.keyValue("Created", String(result.data?.created || 0));
+    ui.keyValue("Updated", String(result.data?.updated || 0));
+  });
+  program2.command("run").description("Run a command with secrets injected as environment variables").option("-e, --env <environment>", "Environment to use").argument("<command...>", "Command to run").action(async (commandArgs, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const { password } = await prompt5({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secrets:"
+    });
+    ui.warning("Note: Secrets will be injected as environment variables.");
+    ui.warning("These may be visible via /proc/<pid>/environ on Linux.");
+    ui.br();
+    const spinner = ui.spinner(`Loading secrets from ${ui.envBadge(environment)}...`);
+    const result = await apiClient.pullSecrets(ctx.teamSlug, ctx.projectSlug, environment, password);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    const secretEnv = {};
+    for (const secret of result.data?.secrets || []) {
+      secretEnv[secret.key] = secret.value;
+    }
+    ui.info(`Loaded ${Object.keys(secretEnv).length} secrets`);
+    ui.br();
+    const [cmd, ...args] = commandArgs;
+    const child = spawn(cmd, args, {
+      env: { ...process.env, ...secretEnv },
+      stdio: "inherit",
+      shell: true
+    });
+    child.on("close", (code) => {
+      process.exit(code || 0);
+    });
+    child.on("error", (err) => {
+      ui.error(`Failed to start command: ${err.message}`);
+      process.exit(1);
+    });
+  });
+  program2.command("init").description("Initialize SecretStash in the current directory").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    ui.heading("Initialize SecretStash");
+    const teamsSpinner = ui.spinner("Fetching teams...");
+    const teamsResult = await apiClient.getTeams();
+    if (teamsResult.error) {
+      teamsSpinner.fail();
+      ui.error(teamsResult.error.message);
+      process.exit(1);
+    }
+    teamsSpinner.stop();
+    if (!teamsResult.data?.teams.length) {
+      ui.error("No teams found. Create one first with `sstash teams create`");
+      process.exit(1);
+    }
+    const { teamSlug } = await prompt5({
+      type: "select",
+      name: "teamSlug",
+      message: "Select team:",
+      choices: teamsResult.data.teams.map((t) => ({
+        name: t.slug,
+        message: `${t.name} (${t.slug})`
+      }))
+    });
+    const selectedTeam = teamsResult.data.teams.find((t) => t.slug === teamSlug);
+    const projectsSpinner = ui.spinner("Fetching projects...");
+    const projectsResult = await apiClient.getProjects(selectedTeam.id);
+    projectsSpinner.stop();
+    let projectSlug;
+    if (!projectsResult.data?.projects.length) {
+      ui.info("No projects found. Creating a new one...");
+      const { name } = await prompt5({
+        type: "input",
+        name: "name",
+        message: "Project name:",
+        validate: (value) => value ? true : "Name is required"
+      });
+      const createResult = await apiClient.createProject(selectedTeam.id, name);
+      if (createResult.error) {
+        ui.error(createResult.error.message);
+        process.exit(1);
+      }
+      projectSlug = createResult.data.slug;
+    } else {
+      const response = await prompt5({
+        type: "select",
+        name: "projectSlug",
+        message: "Select project:",
+        choices: [
+          ...projectsResult.data.projects.map((p) => ({
+            name: p.slug,
+            message: `${p.name} (${p.slug})`
+          })),
+          { name: "__new__", message: "+ Create new project" }
+        ]
+      });
+      if (response.projectSlug === "__new__") {
+        const { name } = await prompt5({
+          type: "input",
+          name: "name",
+          message: "Project name:",
+          validate: (value) => value ? true : "Name is required"
+        });
+        const createResult = await apiClient.createProject(selectedTeam.id, name);
+        if (createResult.error) {
+          ui.error(createResult.error.message);
+          process.exit(1);
+        }
+        projectSlug = createResult.data.slug;
+      } else {
+        projectSlug = response.projectSlug;
+      }
+    }
+    const { environment } = await prompt5({
+      type: "select",
+      name: "environment",
+      message: "Default environment:",
+      choices: ["development", "staging", "production"],
+      initial: 0
+    });
+    const config2 = {
+      teamSlug,
+      project: projectSlug,
+      environment
+    };
+    const configPath = projectConfig.getLocalConfigPath();
+    writeFileSync2(configPath, JSON.stringify(config2, null, 2) + "\n", "utf-8");
+    ui.br();
+    ui.success(`Created ${configPath}`);
+    ui.br();
+    ui.box("Next Steps", [
+      `1. Add secrets: ${ui.code("sstash push .env")}`,
+      `2. Pull secrets: ${ui.code("sstash pull")}`,
+      `3. Run with secrets: ${ui.code("sstash run npm start")}`,
+      "",
+      `Add ${ui.code(".secretstash.json")} to version control`,
+      `Add ${ui.code(".env*")} to .gitignore`
+    ]);
+  });
+  secrets.command("tag <key> <tagname>").description("Add a tag to a secret").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").action(async (key, tagname, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Looking up secret and tag...");
+    const tagsResult = await apiClient.getTags(currentTeam.id);
+    if (tagsResult.error) {
+      spinner.fail();
+      ui.error(tagsResult.error.message);
+      process.exit(1);
+    }
+    const tag = tagsResult.data?.tags.find(
+      (t) => t.name.toLowerCase() === tagname.toLowerCase()
+    );
+    if (!tag) {
+      spinner.fail();
+      ui.error(`Tag "${tagname}" not found`);
+      ui.info(`Create it with ${ui.code(`sstash tags create ${tagname}`)}`);
+      process.exit(1);
+    }
+    const secretsResult = await apiClient.getSecrets(environment);
+    if (secretsResult.error) {
+      spinner.fail();
+      ui.error(secretsResult.error.message);
+      process.exit(1);
+    }
+    const secret = secretsResult.data?.secrets.find(
+      (s) => s.key.toUpperCase() === key.toUpperCase()
+    );
+    if (!secret) {
+      spinner.fail();
+      ui.error(`Secret "${key}" not found in environment ${environment}`);
+      process.exit(1);
+    }
+    spinner.text = `Tagging secret "${key}" with "${tag.name}"...`;
+    const result = await apiClient.addTagToSecret(secret.id, tag.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed(`Tagged "${key}" with "${tag.name}"`);
+    ui.br();
+    ui.keyValue("Secret", key);
+    ui.keyValue("Tag", tag.name);
+    ui.keyValue("Environment", ui.envBadge(environment));
+  });
+  secrets.command("untag <key> <tagname>").description("Remove a tag from a secret").option("-e, --env <environment>", "Environment to use").option("-p, --project <project>", "Project slug to use").action(async (key, tagname, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext();
+    const environment = options.env || ctx.environment;
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Looking up secret and tag...");
+    const tagsResult = await apiClient.getTags(currentTeam.id);
+    if (tagsResult.error) {
+      spinner.fail();
+      ui.error(tagsResult.error.message);
+      process.exit(1);
+    }
+    const tag = tagsResult.data?.tags.find(
+      (t) => t.name.toLowerCase() === tagname.toLowerCase()
+    );
+    if (!tag) {
+      spinner.fail();
+      ui.error(`Tag "${tagname}" not found`);
+      process.exit(1);
+    }
+    const secretsResult = await apiClient.getSecrets(environment);
+    if (secretsResult.error) {
+      spinner.fail();
+      ui.error(secretsResult.error.message);
+      process.exit(1);
+    }
+    const secret = secretsResult.data?.secrets.find(
+      (s) => s.key.toUpperCase() === key.toUpperCase()
+    );
+    if (!secret) {
+      spinner.fail();
+      ui.error(`Secret "${key}" not found in environment ${environment}`);
+      process.exit(1);
+    }
+    spinner.text = `Removing tag "${tag.name}" from "${key}"...`;
+    const result = await apiClient.removeTagFromSecret(secret.id, tag.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed(`Removed tag "${tag.name}" from "${key}"`);
+  });
+  secrets.command("expiring").description("List secrets that are expiring soon").option("--days <days>", "Number of days to look ahead", "7").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const teamSlug = projectConfig.getEffectiveTeam();
+    if (!teamSlug) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const days = parseInt(options.days) || 7;
+    const spinner = ui.spinner(`Fetching secrets expiring in the next ${days} days...`);
+    const teamsResult = await apiClient.getTeams();
+    if (teamsResult.error) {
+      spinner.fail();
+      ui.error(teamsResult.error.message);
+      process.exit(1);
+    }
+    const team = teamsResult.data?.teams.find((t) => t.slug === teamSlug);
+    if (!team) {
+      spinner.fail();
+      ui.error(`Team "${teamSlug}" not found`);
+      process.exit(1);
+    }
+    const result = await apiClient.getExpiringSecrets(team.id, days);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.secrets.length) {
+      ui.success(`No secrets expiring in the next ${days} days`);
+      return;
+    }
+    ui.heading(`${colors.warning("\u26A0")} Secrets Expiring Soon (${days} days)`);
+    const tableData = result.data.secrets.map((secret) => {
+      const expiresDate = new Date(secret.expiresAt);
+      const daysUntil = Math.ceil((expiresDate.getTime() - Date.now()) / (1e3 * 60 * 60 * 24));
+      const urgency = daysUntil <= 1 ? colors.error(`${daysUntil}d`) : daysUntil <= 3 ? colors.warning(`${daysUntil}d`) : colors.muted(`${daysUntil}d`);
+      return [
+        secret.key,
+        `${secret.projectName} / ${secret.environmentName}`,
+        urgency,
+        expiresDate.toLocaleDateString()
+      ];
+    });
+    ui.table(tableData, {
+      header: ["Key", "Project / Environment", "Days Left", "Expires"]
+    });
+    ui.br();
+    ui.warning(`${result.data.secrets.length} secret(s) expiring soon`);
+    ui.info("Consider rotating these secrets before they expire.");
+  });
+  secrets.action(async () => {
+    await secrets.commands.find((c) => c.name() === "list")?.parseAsync([], { from: "user" });
+  });
+}
+// src/commands/diff.ts
+import { prompt as prompt6 } from "enquirer";
+function computeDiff(secrets1, secrets2) {
+  const map1 = new Map(secrets1.map((s) => [s.key, s.value]));
+  const map2 = new Map(secrets2.map((s) => [s.key, s.value]));
+  const added = [];
+  const removed = [];
+  const changed = [];
+  const unchanged = [];
+  for (const [key, value1] of map1) {
+    if (!map2.has(key)) {
+      removed.push({ key, value: value1 });
+    } else {
+      const value2 = map2.get(key);
+      if (value1 !== value2) {
+        changed.push({ key, value1, value2 });
+      } else {
+        unchanged.push({ key, value: value1 });
+      }
+    }
+  }
+  for (const [key, value] of map2) {
+    if (!map1.has(key)) {
+      added.push({ key, value });
+    }
+  }
+  added.sort((a, b) => a.key.localeCompare(b.key));
+  removed.sort((a, b) => a.key.localeCompare(b.key));
+  changed.sort((a, b) => a.key.localeCompare(b.key));
+  unchanged.sort((a, b) => a.key.localeCompare(b.key));
+  return { added, removed, changed, unchanged };
+}
+function formatTableOutput(diff, showUnchanged) {
+  const hasChanges = diff.added.length > 0 || diff.removed.length > 0 || diff.changed.length > 0;
+  if (!hasChanges && !showUnchanged) {
+    ui.success("Environments are identical");
+    return;
+  }
+  if (!hasChanges && showUnchanged && diff.unchanged.length === 0) {
+    ui.warning("Both environments have no secrets");
+    return;
+  }
+  ui.br();
+  if (diff.added.length > 0) {
+    for (const secret of diff.added) {
+      console.log(`${colors.success("+")} ${secret.key} ${colors.muted("(only in target)")}`);
+    }
+  }
+  if (diff.removed.length > 0) {
+    for (const secret of diff.removed) {
+      console.log(`${colors.error("-")} ${secret.key} ${colors.muted("(only in source)")}`);
+    }
+  }
+  if (diff.changed.length > 0) {
+    for (const item of diff.changed) {
+      console.log(`${colors.warning("~")} ${item.key} ${colors.muted("(value differs)")}`);
+    }
+  }
+  if (showUnchanged && diff.unchanged.length > 0) {
+    for (const secret of diff.unchanged) {
+      console.log(`${colors.muted("=")} ${secret.key} ${colors.muted("(same in both)")}`);
+    }
+  }
+  ui.br();
+  const parts = [];
+  if (diff.added.length > 0) {
+    parts.push(colors.success(`+${diff.added.length} added`));
+  }
+  if (diff.removed.length > 0) {
+    parts.push(colors.error(`-${diff.removed.length} removed`));
+  }
+  if (diff.changed.length > 0) {
+    parts.push(colors.warning(`~${diff.changed.length} changed`));
+  }
+  if (showUnchanged && diff.unchanged.length > 0) {
+    parts.push(colors.muted(`=${diff.unchanged.length} unchanged`));
+  }
+  if (parts.length > 0) {
+    ui.info(`Summary: ${parts.join(", ")}`);
+  }
+}
+function formatJsonOutput(diff, showUnchanged) {
+  const output = {
+    added: diff.added.map((s) => s.key),
+    removed: diff.removed.map((s) => s.key),
+    changed: diff.changed.map((s) => s.key)
+  };
+  if (showUnchanged) {
+    output.unchanged = diff.unchanged.map((s) => s.key);
+  }
+  console.log(JSON.stringify(output, null, 2));
+}
+function requirePartialContext() {
+  const teamSlug = projectConfig.getEffectiveTeam();
+  const projectSlug = projectConfig.getEffectiveProject();
+  if (!teamSlug) {
+    ui.error("No team selected. Run `sstash teams use <slug>` first.");
+    process.exit(1);
+  }
+  if (!projectSlug) {
+    ui.error("No project selected. Run `sstash projects use <slug>` first.");
+    process.exit(1);
+  }
+  return { teamSlug, projectSlug };
+}
+function registerDiffCommand(program2) {
+  program2.command("diff <env1> <env2>").description("Compare secrets between two environments").option("-p, --project <slug>", "Use specific project").option("--show-unchanged", "Include secrets that are the same in both environments").option("-f, --format <format>", "Output format: table or json", "table").action(async (env1, env2, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requirePartialContext();
+    const projectSlug = options.project || ctx.projectSlug;
+    if (options.format !== "table" && options.format !== "json") {
+      ui.error(`Invalid format: ${options.format}. Use 'table' or 'json'.`);
+      process.exit(1);
+    }
+    if (env1 === env2) {
+      ui.error("Cannot compare an environment with itself.");
+      process.exit(1);
+    }
+    const { password } = await prompt6({
+      type: "password",
+      name: "password",
+      message: "Enter your password to decrypt secrets:"
+    });
+    const spinner = ui.spinner(`Comparing ${ui.envBadge(env1)} and ${ui.envBadge(env2)}...`);
+    const [result1, result2] = await Promise.all([
+      apiClient.pullSecrets(ctx.teamSlug, projectSlug, env1, password),
+      apiClient.pullSecrets(ctx.teamSlug, projectSlug, env2, password)
+    ]);
+    if (result1.error) {
+      spinner.fail();
+      ui.error(`Failed to fetch secrets from ${env1}: ${result1.error.message}`);
+      process.exit(1);
+    }
+    if (result2.error) {
+      spinner.fail();
+      ui.error(`Failed to fetch secrets from ${env2}: ${result2.error.message}`);
+      process.exit(1);
+    }
+    spinner.stop();
+    const secrets1 = result1.data?.secrets || [];
+    const secrets2 = result2.data?.secrets || [];
+    const diff = computeDiff(secrets1, secrets2);
+    if (options.format === "json") {
+      formatJsonOutput(diff, options.showUnchanged);
+    } else {
+      ui.heading(`Comparing ${ui.envBadge(env1)} \u2192 ${ui.envBadge(env2)}`);
+      formatTableOutput(diff, options.showUnchanged);
+    }
+  });
+}
+// src/commands/share.ts
+import { prompt as prompt7 } from "enquirer";
+function requireContext2() {
+  const teamSlug = projectConfig.getEffectiveTeam();
+  const projectSlug = projectConfig.getEffectiveProject();
+  const environment = projectConfig.getEffectiveEnvironment();
+  if (!teamSlug) {
+    ui.error("No team selected. Run `sstash teams use <slug>` first.");
+    process.exit(1);
+  }
+  if (!projectSlug) {
+    ui.error("No project selected. Run `sstash projects use <slug>` first.");
+    process.exit(1);
+  }
+  if (!environment) {
+    ui.error("No environment selected. Run `sstash environments use <slug>` first.");
+    process.exit(1);
+  }
+  return { teamSlug, projectSlug, environment };
+}
+function formatExpiration(expiresAt) {
+  const now = /* @__PURE__ */ new Date();
+  const expiry = new Date(expiresAt);
+  const diffMs = expiry.getTime() - now.getTime();
+  if (diffMs <= 0) {
+    return colors.error("Expired");
+  }
+  const diffMins = Math.floor(diffMs / (1e3 * 60));
+  const diffHours = Math.floor(diffMs / (1e3 * 60 * 60));
+  const diffDays = Math.floor(diffMs / (1e3 * 60 * 60 * 24));
+  if (diffDays > 0) {
+    return `${diffDays}d ${diffHours % 24}h`;
+  } else if (diffHours > 0) {
+    return `${diffHours}h ${diffMins % 60}m`;
+  } else {
+    return `${diffMins}m`;
+  }
+}
+function formatDate(dateStr) {
+  const date = new Date(dateStr);
+  return date.toLocaleDateString("en-US", {
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit"
+  });
+}
+function registerShareCommands(program2) {
+  const share = program2.command("share").description("Share secrets via temporary links");
+  share.command("create <key>").alias("new").description("Create a share link for a secret").option("-e, --expires <time>", "Expiration time (e.g., 1h, 24h, 7d, 30m)", "24h").option("--one-time", "Link can only be viewed once").option("--env <environment>", "Environment (overrides current)").action(async (key, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const ctx = requireContext2();
+    const environment = options.env || ctx.environment;
+    const expiresRegex = /^(\d+)(m|h|d)$/;
+    if (!expiresRegex.test(options.expires)) {
+      ui.error("Invalid expiration format. Use formats like: 30m, 1h, 24h, 7d");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Creating share link...");
+    const result = await apiClient.createShare(
+      ctx.teamSlug,
+      ctx.projectSlug,
+      environment,
+      key,
+      {
+        expiresIn: options.expires,
+        oneTime: options.oneTime || false
+      }
+    );
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed("Share link created");
+    ui.br();
+    ui.heading("Share Link Details");
+    ui.keyValue("Secret", key);
+    ui.keyValue("Environment", ui.envBadge(environment));
+    ui.keyValue("Expires", formatExpiration(result.data.expiresAt));
+    ui.keyValue("One-time", result.data.oneTime ? colors.warning("Yes") : "No");
+    ui.br();
+    ui.box("Share URL", [
+      colors.highlight(result.data.url)
+    ]);
+    ui.warning("This link provides access to the secret value. Share securely!");
+    if (result.data.oneTime) {
+      ui.info("This link will be invalidated after a single view.");
+    }
+  });
+  share.command("list").alias("ls").description("List active share links").option("-a, --all", "Include expired and revoked links").action(async (options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Fetching share links...");
+    const result = await apiClient.listShares({
+      includeExpired: options.all || false
+    });
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.shares.length) {
+      ui.warning("No share links found");
+      ui.info(`Create one with ${ui.code("sstash share create <KEY>")}`);
+      return;
+    }
+    ui.heading("Share Links");
+    const tableData = result.data.shares.map((share2) => {
+      let status = colors.success("Active");
+      if (share2.isRevoked) {
+        status = colors.error("Revoked");
+      } else if (share2.isExpired) {
+        status = colors.muted("Expired");
+      }
+      const viewInfo = share2.oneTime ? share2.viewCount > 0 ? colors.muted("Used") : colors.warning("1 view") : String(share2.viewCount);
+      return [
+        share2.id.substring(0, 8),
+        share2.secretKey,
+        ui.envBadge(share2.environment),
+        formatDate(share2.createdAt),
+        share2.isExpired || share2.isRevoked ? "-" : formatExpiration(share2.expiresAt),
+        viewInfo,
+        status
+      ];
+    });
+    ui.table(tableData, {
+      header: ["ID", "Key", "Environment", "Created", "Expires", "Views", "Status"]
+    });
+    ui.br();
+    ui.info(`${result.data.shares.length} share link(s) total`);
+    ui.info(`Revoke with ${ui.code("sstash share revoke <id>")}`);
+  });
+  share.command("revoke <id>").description("Revoke a share link").option("-f, --force", "Skip confirmation prompt").action(async (id, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    if (!options.force) {
+      const { confirm } = await prompt7({
+        type: "confirm",
+        name: "confirm",
+        message: `Are you sure you want to revoke share link "${id}"?`,
+        initial: false
+      });
+      if (!confirm) {
+        ui.warning("Aborted");
+        return;
+      }
+    }
+    const spinner = ui.spinner("Revoking share link...");
+    const result = await apiClient.revokeShare(id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed("Share link revoked");
+    ui.info("The link can no longer be used to access the secret.");
+  });
+  share.action(async () => {
+    await share.commands.find((c) => c.name() === "list")?.parseAsync([], { from: "user" });
+  });
+}
+// src/commands/doctor.ts
+import { readFileSync as readFileSync3 } from "fs";
+async function checkApiConnectivity() {
+  const apiUrl = configManager.getApiUrl();
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 5e3);
+    const response = await fetch(`${apiUrl}/api/health`, {
+      method: "GET",
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (response.ok) {
+      return {
+        name: "API reachable",
+        status: "pass",
+        message: `API reachable (${apiUrl})`
+      };
+    }
+    return {
+      name: "API reachable",
+      status: "fail",
+      message: `API returned ${response.status}`,
+      hint: "Check if the API server is running"
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    if (errorMessage.includes("abort")) {
+      return {
+        name: "API reachable",
+        status: "fail",
+        message: "Connection timed out",
+        hint: `Check if the API server is running at ${apiUrl}`
+      };
+    }
+    return {
+      name: "API reachable",
+      status: "fail",
+      message: `Cannot reach API: ${errorMessage}`,
+      hint: `Check if the API server is running at ${apiUrl}`
+    };
+  }
+}
+async function checkNetworkLatency() {
+  const apiUrl = configManager.getApiUrl();
+  const start = Date.now();
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 5e3);
+    await fetch(`${apiUrl}/api/health`, {
+      method: "GET",
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    const latency = Date.now() - start;
+    if (latency < 200) {
+      return {
+        name: "Network latency",
+        status: "pass",
+        message: `Network latency OK (${latency}ms)`
+      };
+    } else if (latency < 1e3) {
+      return {
+        name: "Network latency",
+        status: "warn",
+        message: `Network latency high (${latency}ms)`,
+        hint: "Operations may be slow"
+      };
+    } else {
+      return {
+        name: "Network latency",
+        status: "warn",
+        message: `Network latency very high (${latency}ms)`,
+        hint: "Consider using a closer API endpoint or checking network"
+      };
+    }
+  } catch {
+    return {
+      name: "Network latency",
+      status: "fail",
+      message: "Could not measure latency",
+      hint: "API is not reachable"
+    };
+  }
+}
+async function checkAuthentication() {
+  if (configManager.isServiceTokenAuth()) {
+    const serviceToken = configManager.getServiceToken();
+    if (serviceToken) {
+      const source = process.env.SECRETSTASH_TOKEN ? "env var" : "config";
+      return {
+        name: "Authentication",
+        status: "pass",
+        message: `Authenticated via service token (${source})`
+      };
+    }
+  }
+  const token = configManager.getAccessToken();
+  if (!token) {
+    return {
+      name: "Authentication",
+      status: "fail",
+      message: "Not authenticated",
+      hint: "Run: sstash login"
+    };
+  }
+  const user = configManager.getUser();
+  if (user.email) {
+    return {
+      name: "Authentication",
+      status: "pass",
+      message: `Authenticated as ${user.email}`
+    };
+  }
+  return {
+    name: "Authentication",
+    status: "pass",
+    message: "Authenticated"
+  };
+}
+function checkTokenExpiration() {
+  if (configManager.isServiceTokenAuth()) {
+    return {
+      name: "Token expiration",
+      status: "pass",
+      message: "Service token (expiration managed by server)"
+    };
+  }
+  const token = configManager.getAccessToken();
+  if (!token) {
+    return {
+      name: "Token expiration",
+      status: "fail",
+      message: "No token found",
+      hint: "Run: sstash login"
+    };
+  }
+  if (configManager.isTokenExpired()) {
+    return {
+      name: "Token expiration",
+      status: "warn",
+      message: "Token expired or expiring soon",
+      hint: "Run: sstash login"
+    };
+  }
+  return {
+    name: "Token expiration",
+    status: "pass",
+    message: "Token valid"
+  };
+}
+function checkTeamSelected() {
+  const effectiveTeam = projectConfig.getEffectiveTeam();
+  if (effectiveTeam) {
+    const team = configManager.getCurrentTeam();
+    const source = projectConfig.getLocalConfig()?.teamSlug ? "local config" : "global";
+    return {
+      name: "Team selected",
+      status: "pass",
+      message: `Team: ${team?.name || effectiveTeam} (${source})`
+    };
+  }
+  return {
+    name: "Team selected",
+    status: "fail",
+    message: "No team selected",
+    hint: "Run: sstash teams use <slug>"
+  };
+}
+function checkProjectSelected() {
+  const effectiveProject = projectConfig.getEffectiveProject();
+  if (effectiveProject) {
+    const project = configManager.getCurrentProject();
+    const source = projectConfig.getLocalConfig()?.project ? "local config" : "global";
+    return {
+      name: "Project selected",
+      status: "pass",
+      message: `Project: ${project?.name || effectiveProject} (${source})`
+    };
+  }
+  return {
+    name: "Project selected",
+    status: "fail",
+    message: "No project selected",
+    hint: "Run: sstash projects use <slug>"
+  };
+}
+function checkEnvironmentSelected() {
+  const effectiveEnv = projectConfig.getEffectiveEnvironment();
+  if (effectiveEnv) {
+    const source = projectConfig.getLocalConfig()?.environment ? "local config" : "global";
+    return {
+      name: "Environment selected",
+      status: "pass",
+      message: `Environment: ${effectiveEnv} (${source})`
+    };
+  }
+  return {
+    name: "Environment selected",
+    status: "fail",
+    message: "No environment selected",
+    hint: "Run: sstash environments use <name>"
+  };
+}
+function checkLocalConfigExists() {
+  if (projectConfig.hasLocalConfig()) {
+    return {
+      name: "Local config file",
+      status: "pass",
+      message: ".secretstash.json exists"
+    };
+  }
+  return {
+    name: "Local config file",
+    status: "warn",
+    message: ".secretstash.json not found",
+    hint: "Run: sstash init (optional, for project-specific config)"
+  };
+}
+function checkLocalConfigValid() {
+  if (!projectConfig.hasLocalConfig()) {
+    return {
+      name: "Config file valid",
+      status: "pass",
+      message: "No local config to validate"
+    };
+  }
+  const configPath = projectConfig.getLocalConfigPath();
+  try {
+    const content = readFileSync3(configPath, "utf-8");
+    JSON.parse(content);
+    return {
+      name: "Config file valid",
+      status: "pass",
+      message: ".secretstash.json is valid JSON"
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Invalid JSON";
+    return {
+      name: "Config file valid",
+      status: "fail",
+      message: ".secretstash.json has invalid JSON",
+      hint: `Fix the JSON syntax error: ${message}`
+    };
+  }
+}
+async function checkCliVersion() {
+  let currentVersion = "0.1.0";
+  try {
+    const pkgPath = new URL("../../package.json", import.meta.url);
+    const pkg = JSON.parse(readFileSync3(pkgPath, "utf-8"));
+    currentVersion = pkg.version;
+  } catch {
+  }
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 3e3);
+    const response = await fetch("https://registry.npmjs.org/@secretstash/cli/latest", {
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!response.ok) {
+      return {
+        name: "CLI version",
+        status: "pass",
+        message: `v${currentVersion} (could not check for updates)`
+      };
+    }
+    const data = await response.json();
+    const latestVersion = data.version;
+    if (!latestVersion) {
+      return {
+        name: "CLI version",
+        status: "pass",
+        message: `v${currentVersion}`
+      };
+    }
+    if (currentVersion === latestVersion) {
+      return {
+        name: "CLI version",
+        status: "pass",
+        message: `v${currentVersion} (latest)`
+      };
+    }
+    const currentParts = currentVersion.split(".").map(Number);
+    const latestParts = latestVersion.split(".").map(Number);
+    let isOutdated = false;
+    for (let i = 0; i < 3; i++) {
+      if ((latestParts[i] || 0) > (currentParts[i] || 0)) {
+        isOutdated = true;
+        break;
+      } else if ((latestParts[i] || 0) < (currentParts[i] || 0)) {
+        break;
+      }
+    }
+    if (isOutdated) {
+      return {
+        name: "CLI version",
+        status: "warn",
+        message: `v${currentVersion} (v${latestVersion} available)`,
+        hint: "Run: npm update -g @secretstash/cli"
+      };
+    }
+    return {
+      name: "CLI version",
+      status: "pass",
+      message: `v${currentVersion}`
+    };
+  } catch {
+    return {
+      name: "CLI version",
+      status: "pass",
+      message: `v${currentVersion} (could not check for updates)`
+    };
+  }
+}
+function printResult(result) {
+  const icon = result.status === "pass" ? colors.success("\u2713") : result.status === "warn" ? colors.warning("\u26A0") : colors.error("\u2717");
+  console.log(`${icon} ${result.message}`);
+  if (result.hint) {
+    console.log(`  ${colors.muted("\u2192")} ${colors.muted(result.hint)}`);
+  }
+}
+function registerDoctorCommand(program2) {
+  program2.command("doctor").description("Diagnose common setup issues").action(async () => {
+    console.log();
+    console.log(colors.primary.bold("SecretStash Doctor"));
+    console.log(colors.muted("=================="));
+    console.log();
+    const results = [];
+    const apiResult = await checkApiConnectivity();
+    results.push(apiResult);
+    printResult(apiResult);
+    const authResult = await checkAuthentication();
+    results.push(authResult);
+    printResult(authResult);
+    const tokenResult = checkTokenExpiration();
+    results.push(tokenResult);
+    printResult(tokenResult);
+    const teamResult = checkTeamSelected();
+    results.push(teamResult);
+    printResult(teamResult);
+    const projectResult = checkProjectSelected();
+    results.push(projectResult);
+    printResult(projectResult);
+    const envResult = checkEnvironmentSelected();
+    results.push(envResult);
+    printResult(envResult);
+    const localConfigResult = checkLocalConfigExists();
+    results.push(localConfigResult);
+    printResult(localConfigResult);
+    const configValidResult = checkLocalConfigValid();
+    results.push(configValidResult);
+    printResult(configValidResult);
+    const versionResult = await checkCliVersion();
+    results.push(versionResult);
+    printResult(versionResult);
+    if (apiResult.status === "pass") {
+      const latencyResult = await checkNetworkLatency();
+      results.push(latencyResult);
+      printResult(latencyResult);
+    }
+    console.log();
+    const issues = results.filter((r) => r.status === "fail");
+    const warnings = results.filter((r) => r.status === "warn");
+    if (issues.length === 0 && warnings.length === 0) {
+      console.log(colors.success("All checks passed!"));
+    } else {
+      const parts = [];
+      if (issues.length > 0) {
+        parts.push(`${issues.length} issue${issues.length !== 1 ? "s" : ""}`);
+      }
+      if (warnings.length > 0) {
+        parts.push(`${warnings.length} warning${warnings.length !== 1 ? "s" : ""}`);
+      }
+      console.log(colors.muted(parts.join(", ") + " found"));
+    }
+    console.log();
+  });
+}
+// src/commands/tags.ts
+import { prompt as prompt8 } from "enquirer";
+import chalk2 from "chalk";
+function registerTagCommands(program2) {
+  const tags = program2.command("tags").description("Manage tags for organizing secrets");
+  tags.command("list").alias("ls").description("List all tags in the current team").action(async () => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Fetching tags...");
+    const result = await apiClient.getTags(currentTeam.id);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!result.data?.tags.length) {
+      ui.warning("No tags found");
+      ui.info(`Create one with ${ui.code("sstash tags create <name>")}`);
+      return;
+    }
+    ui.heading(`Tags in ${currentTeam.name}`);
+    const tableData = result.data.tags.map((tag) => [
+      tag.name,
+      tag.color ? chalk2.hex(tag.color)(tag.color) : ui.dim("none"),
+      new Date(tag.createdAt).toLocaleDateString()
+    ]);
+    ui.table(tableData, {
+      header: ["Name", "Color", "Created"]
+    });
+    ui.br();
+    ui.info(`${result.data.tags.length} tags total`);
+  });
+  tags.command("create <name>").description("Create a new tag").option("-c, --color <hex>", "Hex color for the tag (e.g., #FF5733)").action(async (name, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    if (options.color && !/^#[0-9A-Fa-f]{6}$/.test(options.color)) {
+      ui.error("Color must be a valid hex color (e.g., #FF5733)");
+      process.exit(1);
+    }
+    const spinner = ui.spinner(`Creating tag "${name}"...`);
+    const result = await apiClient.createTag(currentTeam.id, name, options.color);
+    if (result.error) {
+      spinner.fail();
+      ui.error(result.error.message);
+      process.exit(1);
+    }
+    spinner.succeed(`Tag "${result.data.tag.name}" created`);
+    ui.br();
+    ui.keyValue("ID", result.data.tag.id);
+    if (result.data.tag.color) {
+      ui.keyValue("Color", chalk2.hex(result.data.tag.color)(result.data.tag.color));
+    }
+  });
+  tags.command("delete <name>").alias("rm").description("Delete a tag").option("-f, --force", "Skip confirmation prompt").action(async (name, options) => {
+    if (!configManager.isAuthenticated()) {
+      ui.error("Not authenticated. Run `sstash login` first.");
+      process.exit(1);
+    }
+    const currentTeam = configManager.getCurrentTeam();
+    if (!currentTeam) {
+      ui.error("No team selected. Run `sstash teams use <slug>` first.");
+      process.exit(1);
+    }
+    const spinner = ui.spinner("Looking up tag...");
+    const listResult = await apiClient.getTags(currentTeam.id);
+    if (listResult.error) {
+      spinner.fail();
+      ui.error(listResult.error.message);
+      process.exit(1);
+    }
+    const tag = listResult.data?.tags.find(
+      (t) => t.name.toLowerCase() === name.toLowerCase()
+    );
+    if (!tag) {
+      spinner.fail();
+      ui.error(`Tag "${name}" not found`);
+      process.exit(1);
+    }
+    spinner.stop();
+    if (!options.force) {
+      ui.warning(`You are about to delete tag "${tag.name}"`);
+      ui.warning("This will remove the tag from all secrets.");
+      const response = await prompt8({
+        type: "confirm",
+        name: "confirm",
+        message: "Are you sure you want to delete this tag?",
+        initial: false
+      });
+      if (!response.confirm) {
+        ui.warning("Operation cancelled");
+        return;
+      }
+    }
+    const deleteSpinner = ui.spinner(`Deleting tag "${tag.name}"...`);
+    const deleteResult = await apiClient.deleteTag(tag.id);
+    if (deleteResult.error) {
+      deleteSpinner.fail();
+      ui.error(deleteResult.error.message);
+      process.exit(1);
+    }
+    deleteSpinner.succeed(`Tag "${tag.name}" deleted`);
+  });
+  tags.action(async () => {
+    await tags.commands.find((c) => c.name() === "list")?.parseAsync([], { from: "user" });
+  });
+}
+// src/commands/pull.ts
+import { writeFileSync as writeFileSync3 } from "fs";
+function formatSecrets(secrets, format) {
+  const sorted = [...secrets].sort((a, b) => a.key.localeCompare(b.key));
+  switch (format) {
+    case "json": {
+      const obj = {};
+      for (const secret of sorted) {
+        obj[secret.key] = secret.value;
+      }
+      return JSON.stringify(obj, null, 2);
+    }
+    case "shell": {
+      return sorted.map(({ key, value }) => {
+        const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+        return `export ${key}="${escaped}"`;
+      }).join("\n");
+    }
+    case "env":
+    default: {
+      return sorted.map(({ key, value }) => {
+        const needsQuotes = /[\s#"'$\\]/.test(value);
+        const formattedValue = needsQuotes ? `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"` : value;
+        return `${key}=${formattedValue}`;
+      }).join("\n");
+    }
+  }
+}
+async function fetchCISecrets(project, environment, token) {
+  const apiUrl = configManager.getApiUrl();
+  const url = `${apiUrl}/api/v1/ci/secrets`;
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${token}`
+      },
+      body: JSON.stringify({ project, environment })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      if (response.status === 401) {
+        return {
+          success: false,
+          error: {
+            code: "UNAUTHORIZED",
+            message: "Invalid or expired token"
+          }
+        };
+      }
+      if (response.status === 403) {
+        return {
+          success: false,
+          error: {
+            code: "FORBIDDEN",
+            message: "Token does not have access to this project/environment"
+          }
+        };
+      }
+      return {
+        success: false,
+        error: data.error || {
+          code: "API_ERROR",
+          message: `Request failed with status ${response.status}`
+        }
+      };
+    }
+    return data;
+  } catch (error) {
+    return {
+      success: false,
+      error: {
+        code: "NETWORK_ERROR",
+        message: error instanceof Error ? error.message : "Network request failed"
+      }
+    };
+  }
+}
+function registerPullCICommand(program2) {
+  program2.command("ci-pull").description("Pull secrets for CI/CD pipelines (uses SECRETS_TOKEN env var or --token flag)").requiredOption("-p, --project <slug>", "Project slug").requiredOption("-e, --env <environment>", "Environment name (e.g., production, staging)").option("-t, --token <token>", "Service token (defaults to SECRETS_TOKEN env var)").option("-f, --format <format>", "Output format: env (default), shell, json", "env").option("-o, --output <file>", "Write to file instead of stdout").action(async (options) => {
+    const { project, env: environment, format, output } = options;
+    const token = options.token || process.env.SECRETS_TOKEN;
+    if (!token) {
+      ui.error("Set SECRETS_TOKEN environment variable or use --token flag");
+      process.exit(1);
+    }
+    const validFormats = ["env", "shell", "json"];
+    if (!validFormats.includes(format)) {
+      ui.error(`Invalid format "${format}". Valid formats: ${validFormats.join(", ")}`);
+      process.exit(1);
+    }
+    const result = await fetchCISecrets(project, environment, token);
+    if (!result.success || result.error) {
+      const errorMessage = result.error?.message || "Failed to fetch secrets";
+      ui.error(errorMessage);
+      if (result.error?.code === "UNAUTHORIZED") {
+        ui.info("Check that your token is valid and has not expired");
+      } else if (result.error?.code === "FORBIDDEN") {
+        ui.info("Verify the token has access to the specified project and environment");
+      }
+      process.exit(1);
+    }
+    const secrets = result.data?.secrets || [];
+    if (secrets.length === 0) {
+      const emptyOutput = format === "json" ? "{}" : "";
+      if (output) {
+        writeFileSync3(output, emptyOutput + "\n", "utf-8");
+      } else {
+        if (emptyOutput) {
+          process.stdout.write(emptyOutput + "\n");
+        }
+      }
+      return;
+    }
+    const formatted = formatSecrets(secrets, format);
+    if (output) {
+      writeFileSync3(output, formatted + "\n", "utf-8");
+      if (!configManager.isQuiet()) {
+        ui.success(`Wrote ${secrets.length} secrets to ${output}`);
+      }
+    } else {
+      process.stdout.write(formatted + "\n");
+    }
+  });
+}
+// src/commands/exec.ts
+import { spawn as spawn2 } from "child_process";
+async function fetchCISecrets2(apiUrl, token, project, environment) {
+  const url = `${apiUrl}/api/v1/ci/secrets`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json",
+      "User-Agent": "SecretStash-CLI/1.0"
+    },
+    body: JSON.stringify({ project, environment })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorData = {};
+    try {
+      errorData = JSON.parse(errorText);
+    } catch {
+    }
+    return {
+      success: false,
+      error: {
+        code: errorData.error?.code || "API_ERROR",
+        message: errorData.error?.message || `API request failed: ${response.status} ${response.statusText}`
+      }
+    };
+  }
+  return response.json();
+}
+function registerExecCommand(program2) {
+  program2.command("exec").description("Run a command with secrets injected as environment variables (CI/CD friendly)").requiredOption("--project <slug>", "Project slug").requiredOption("--env <environment>", "Environment name (e.g., production, staging)").option("--token <token>", "Service token (defaults to SECRETS_TOKEN env var)").option("--api-url <url>", "API URL (defaults to VAULT_API_URL env var or configured URL)").argument("<command...>", "Command to run").allowExcessArguments(true).action(async (commandArgs, options) => {
+    if (!commandArgs || commandArgs.length === 0) {
+      ui.error("No command provided");
+      ui.info("Usage: sstash exec --project=<slug> --env=<environment> -- <command> [args...]");
+      ui.info("");
+      ui.info("Example:");
+      ui.info("  sstash exec --project=myapp --env=production -- npm run build");
+      process.exit(1);
+    }
+    const token = options.token || process.env.SECRETS_TOKEN;
+    if (!token) {
+      ui.error("No service token provided");
+      ui.info("Provide a token via --token flag or SECRETS_TOKEN environment variable");
+      ui.info("");
+      ui.info("Generate a service token from the SecretStash dashboard or CLI:");
+      ui.info('  sstash tokens create --name "CI Token" --env production');
+      process.exit(1);
+    }
+    if (!token.startsWith("stk_")) {
+      ui.error("Invalid service token format");
+      ui.info('Service tokens should start with "stk_" prefix');
+      ui.info("User access tokens are not supported for the exec command");
+      process.exit(1);
+    }
+    const apiUrl = options.apiUrl || configManager.getApiUrl();
+    const { project, env: environment } = options;
+    const spinner = ui.spinner(`Fetching secrets for ${project}/${environment}...`);
+    try {
+      const result = await fetchCISecrets2(apiUrl, token, project, environment);
+      if (!result.success || !result.data?.secrets) {
+        spinner.fail();
+        ui.error(result.error?.message || "Failed to fetch secrets");
+        if (result.error?.code === "FORBIDDEN") {
+          ui.info("The service token may not have access to this project/environment");
+        } else if (result.error?.code === "UNAUTHORIZED") {
+          ui.info("The service token may be expired or invalid");
+        }
+        process.exit(1);
+      }
+      const secrets = result.data.secrets;
+      spinner.succeed(`Loaded ${secrets.length} secret(s)`);
+      const secretEnv = {};
+      for (const secret of secrets) {
+        secretEnv[secret.key] = secret.value;
+      }
+      let cmd;
+      let args;
+      if (commandArgs.length === 1 && commandArgs[0].includes(" ")) {
+        const parts = commandArgs[0].split(/\s+/);
+        cmd = parts[0];
+        args = parts.slice(1);
+      } else {
+        cmd = commandArgs[0];
+        args = commandArgs.slice(1);
+      }
+      const child = spawn2(cmd, args, {
+        env: { ...process.env, ...secretEnv },
+        stdio: "inherit",
+        // Forward stdin/stdout/stderr
+        shell: true
+      });
+      const signals = ["SIGINT", "SIGTERM", "SIGHUP"];
+      signals.forEach((signal) => {
+        process.on(signal, () => {
+          child.kill(signal);
+        });
+      });
+      child.on("close", (code, signal) => {
+        if (signal) {
+          process.exit(128 + (signal === "SIGINT" ? 2 : signal === "SIGTERM" ? 15 : 1));
+        }
+        process.exit(code ?? 0);
+      });
+      child.on("error", (err) => {
+        ui.error(`Failed to start command: ${err.message}`);
+        if (err.code === "ENOENT") {
+          ui.info(`Command not found: ${cmd}`);
+        }
+        process.exit(127);
+      });
+    } catch (error) {
+      spinner.fail();
+      if (error instanceof Error) {
+        ui.error(error.message);
+        if (error.message.includes("fetch")) {
+          ui.info("Could not connect to the API. Check your network and API URL.");
+        }
+      } else {
+        ui.error("An unexpected error occurred");
+      }
+      process.exit(1);
+    }
+  });
+}
+// src/index.ts
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var version = "0.1.0";
+try {
+  const pkg = JSON.parse(readFileSync4(join2(__dirname, "..", "package.json"), "utf-8"));
+  version = pkg.version;
+} catch {
+}
+var banner = chalk3.hex("#6366f1")(`
+  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+  \u2551                                                   \u2551
+  \u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551
+  \u2551   \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u2551
+  \u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2557     \u2588\u2588\u2551  \u2551
+  \u2551   \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u255D     \u2588\u2588\u2551  \u2551
+  \u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551  \u2551
+  \u2551   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D  \u2551
+  \u2551                                                   \u2551
+  \u2551          ${chalk3.white("SecretStash")} ${chalk3.dim(`v${version}`)}                      \u2551
+  \u2551          ${chalk3.dim("Ultra-secure team secrets management")}       \u2551
+  \u2551                                                   \u2551
+  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`);
+var program = new Command();
+program.name("sstash").description("SecretStash CLI - Ultra-secure team secrets management").version(version, "-v, --version", "Output the current version").option("--no-banner", "Disable the banner").option("-q, --quiet", "Suppress non-essential output (useful for CI/CD)").hook("preAction", (thisCommand) => {
+  const opts = thisCommand.opts();
+  if (opts.quiet) {
+    configManager.setQuiet(true);
+  }
+  if (opts.banner !== false && !opts.quiet && process.argv.length <= 2) {
+    console.log(banner);
+  }
+});
+registerAuthCommands(program);
+registerTeamCommands(program);
+registerProjectCommands(program);
+registerEnvironmentCommands(program);
+registerSecretCommands(program);
+registerDiffCommand(program);
+registerShareCommands(program);
+registerDoctorCommand(program);
+registerTagCommands(program);
+registerPullCICommand(program);
+registerExecCommand(program);
+program.addHelpText("after", `
+${chalk3.bold("Examples:")}
+  ${chalk3.dim("# Authenticate")}
+  $ sstash login
+  $ sstash whoami
+  ${chalk3.dim("# Set up context")}
+  $ sstash teams use my-team
+  $ sstash projects use my-project
+  $ sstash environments use development
+  ${chalk3.dim("# Or initialize in current directory")}
+  $ sstash init
+  ${chalk3.dim("# Manage secrets")}
+  $ sstash pull                    # Pull secrets to .env
+  $ sstash push                    # Push secrets from .env
+  $ sstash run npm start           # Run with secrets injected
+  ${chalk3.dim("# View secrets")}
+  $ sstash secrets list
+  $ sstash secrets list --reveal
+  ${chalk3.dim("# Compare environments")}
+  $ sstash diff development production
+  ${chalk3.dim("# Share secrets")}
+  $ sstash share create DATABASE_URL --expires 24h --one-time
+  $ sstash share list
+  $ sstash share revoke <id>
+  ${chalk3.dim("# Organize with tags")}
+  $ sstash tags create database --color #FF5733
+  $ sstash tags list
+  $ sstash secrets tag DATABASE_URL database
+  ${chalk3.dim("# CI/CD - pull secrets or run commands with secrets injected")}
+  $ SECRETS_TOKEN=stk_xxx sstash ci-pull -p myapp -e production
+  $ SECRETS_TOKEN=stk_xxx sstash ci-pull -p myapp -e production --format json
+  $ eval "$(SECRETS_TOKEN=stk_xxx sstash ci-pull -p myapp -e production --format shell)"
+  $ SECRETS_TOKEN=stk_... sstash exec --project=myapp --env=production -- npm run build
+${chalk3.bold("Documentation:")}
+  https://secretstash.dev/docs
+`);
+program.parse();