@uagents/syncenv-cli 0.1.1

package/dist/index.js

@@ -0,0 +1,2091 @@
+#!/usr/bin/env node
+import {
+  decryptContent,
+  decryptDEK,
+  encryptContent,
+  generateContentHash,
+  reencryptUserKEK,
+  setupUserKEK,
+  unlockUserKEK
+} from "./chunk-NV6H5OGL.js";
+import {
+  getKEKTimeRemaining,
+  getUserKEK,
+  isKEKCached,
+  lockKEK,
+  unlockAndStoreKEK
+} from "./chunk-JBMZAAVP.js";
+import {
+  clearAuthState,
+  client,
+  getConfig,
+  getConfigPath,
+  getOrUnlockUserKEK,
+  hasProjectConfig,
+  isAuthenticated,
+  loadConfig,
+  loadProjectConfig,
+  saveProjectConfig,
+  setConfig,
+  withAuthGuard
+} from "./chunk-OVEYHV4C.js";
+import {
+  applyMergeStrategy,
+  interactiveMerge,
+  threeWayMerge
+} from "./chunk-F7ZZUTRW.js";
+
+// src/index.ts
+import chalk8 from "chalk";
+import { Command as Command7 } from "commander";
+
+// src/commands/auth.ts
+import chalk2 from "chalk";
+import { Command } from "commander";
+import inquirer from "inquirer";
+
+// src/utils/index.ts
+import chalk from "chalk";
+import ora from "ora";
+function info(...args) {
+  console.log(chalk.blue("\u2139"), ...args);
+}
+function success(...args) {
+  console.log(chalk.green("\u2713"), ...args);
+}
+function warning(...args) {
+  console.log(chalk.yellow("\u26A0"), ...args);
+}
+function error(...args) {
+  console.error(chalk.red("\u2717"), ...args);
+}
+function createSpinner(text) {
+  return ora(text);
+}
+function formatBytes(bytes) {
+  if (bytes === 0) return "0 B";
+  const k = 1024;
+  const sizes = ["B", "KB", "MB", "GB"];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + " " + sizes[i];
+}
+function formatRelativeTime(date) {
+  const d = new Date(date);
+  const now = /* @__PURE__ */ new Date();
+  const diff = now.getTime() - d.getTime();
+  const seconds = Math.floor(diff / 1e3);
+  const minutes = Math.floor(seconds / 60);
+  const hours = Math.floor(minutes / 60);
+  const days = Math.floor(hours / 24);
+  if (days > 0) return `${days} day${days > 1 ? "s" : ""} ago`;
+  if (hours > 0) return `${hours} hour${hours > 1 ? "s" : ""} ago`;
+  if (minutes > 0) return `${minutes} minute${minutes > 1 ? "s" : ""} ago`;
+  return "just now";
+}
+function parseEnvFile(content) {
+  const env = {};
+  const lines = content.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    let value = trimmed.slice(eqIndex + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    env[key] = value;
+  }
+  return env;
+}
+function stringifyEnvFile(env) {
+  const lines = [];
+  for (const [key, value] of Object.entries(env)) {
+    if (value.includes(" ") || value.includes("#") || value.includes("$")) {
+      lines.push(`${key}="${value}"`);
+    } else {
+      lines.push(`${key}=${value}`);
+    }
+  }
+  return lines.join("\n");
+}
+function diffEnvFiles(local, remote) {
+  const localKeys = Object.keys(local);
+  const remoteKeys = Object.keys(remote);
+  const added = localKeys.filter((k) => !remoteKeys.includes(k));
+  const removed = remoteKeys.filter((k) => !localKeys.includes(k));
+  const modified = localKeys.filter((k) => remoteKeys.includes(k) && local[k] !== remote[k]);
+  return { added, removed, modified };
+}
+
+// src/commands/auth.ts
+var authCommands = new Command("auth").description("Authentication commands");
+authCommands.command("signup").description("Guide to create a new account via web app").action(async () => {
+  console.log(chalk2.bold("\n\u{1F4CB} Account Registration\n"));
+  info(
+    "To ensure a smooth registration experience, please create your account via our web application."
+  );
+  info("The web app provides:");
+  console.log("  \u2022 Email verification flow");
+  console.log("  \u2022 Secure password setup");
+  console.log("  \u2022 User-friendly interface");
+  console.log();
+  const apiUrl = getConfig("apiUrl") || "https://syncenv.uagents.app";
+  const signupUrl = `${apiUrl}/signup`;
+  console.log(chalk2.cyan("\u{1F310} Please visit:"));
+  console.log(chalk2.bold(signupUrl));
+  console.log();
+  info("After registering and verifying your email:");
+  console.log("  1. Return to the CLI");
+  console.log("  2. Run: syncenv auth login");
+  console.log("  3. This device will be automatically registered");
+  console.log();
+  const { openBrowser } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "openBrowser",
+      message: "Open the signup page in your browser?",
+      default: true
+    }
+  ]);
+  if (openBrowser) {
+    const { default: open } = await import("open");
+    await open(signupUrl);
+    info("Browser opened. Please complete registration there.");
+  }
+  console.log();
+  success("Waiting for you to complete registration...");
+  info("Once done, run: syncenv auth login");
+});
+authCommands.command("login").description("Login to your account").option("-e, --email <email>", "email address").action(async (options) => {
+  try {
+    let email = options.email;
+    if (!email) {
+      const answer = await inquirer.prompt([
+        {
+          type: "input",
+          name: "email",
+          message: "Email:",
+          validate: (input) => {
+            if (!input.includes("@")) return "Please enter a valid email";
+            return true;
+          }
+        }
+      ]);
+      email = answer.email;
+    }
+    const { password } = await inquirer.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Master Password:",
+        mask: "*"
+      }
+    ]);
+    const spinner = createSpinner("Authenticating...");
+    spinner.start();
+    try {
+      const apiUrl = getConfig("apiUrl");
+      const loginResponse = await fetch(`${apiUrl}/api/auth/sign-in/email`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password })
+      });
+      if (!loginResponse.ok) {
+        const errorData = await loginResponse.json().catch(() => ({ error: "Login failed" }));
+        throw new Error(errorData.error || errorData.message || "Login failed");
+      }
+      const setCookie = loginResponse.headers.getSetCookie?.() || (loginResponse.headers.get("set-cookie") ? [loginResponse.headers.get("set-cookie")] : []);
+      if (setCookie.length > 0) {
+        const { storeCookies } = await import("./cookie-store-Z6DNTUGS.js");
+        storeCookies(setCookie);
+      }
+      const result = await loginResponse.json();
+      setConfig("userId", result.user.id);
+      setConfig("userEmail", result.user.email);
+      spinner.succeed("Authenticated");
+      success("Session active");
+    } catch (err) {
+      spinner.fail("Authentication failed");
+      throw err;
+    }
+  } catch (err) {
+    error("Login failed:", err.message);
+    process.exit(1);
+  }
+});
+authCommands.command("logout").description("Logout and clear session").action(async () => {
+  try {
+    if (!isAuthenticated()) {
+      info("Not logged in.");
+      return;
+    }
+    const spinner = createSpinner("Logging out...");
+    spinner.start();
+    try {
+      await client.request("POST", "/api/auth/signout");
+    } catch {
+    }
+    await clearAuthState();
+    spinner.succeed("Logged out");
+    success("Session terminated and local keys cleared");
+  } catch (err) {
+    error("Logout failed:", err.message);
+    process.exit(1);
+  }
+});
+authCommands.command("status").description("Check authentication status").action(async () => {
+  try {
+    if (!isAuthenticated()) {
+      info("Not authenticated. Run `syncenv auth login` to login.");
+      return;
+    }
+    const { data: session } = await withAuthGuard(
+      () => client.request("GET", "/api/auth/get-session")
+    );
+    if (session.session) {
+      console.log(
+        `${chalk2.green("\u2713")} Authenticated as ${chalk2.cyan(session.session.user.email)}`
+      );
+      console.log(`  User ID: ${chalk2.dim(session.session.user.id)}`);
+    } else {
+      info("Session expired. Please login again.");
+    }
+  } catch (err) {
+    error("Failed to check status:", err.message);
+    process.exit(1);
+  }
+});
+authCommands.command("change-password").description("Change your account password").action(async () => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const { currentPassword } = await inquirer.prompt([
+      {
+        type: "password",
+        name: "currentPassword",
+        message: "Current password:",
+        mask: "*",
+        validate: (input) => input.length > 0 || "Current password is required"
+      }
+    ]);
+    const { newPassword } = await inquirer.prompt([
+      {
+        type: "password",
+        name: "newPassword",
+        message: "New password:",
+        mask: "*",
+        validate: (input) => {
+          if (input.length < 8) return "Password must be at least 8 characters";
+          return true;
+        }
+      }
+    ]);
+    const { confirmPassword } = await inquirer.prompt([
+      {
+        type: "password",
+        name: "confirmPassword",
+        message: "Confirm new password:",
+        mask: "*",
+        validate: (input) => {
+          if (input !== newPassword) return "Passwords do not match";
+          return true;
+        }
+      }
+    ]);
+    const answers = { currentPassword, newPassword, confirmPassword };
+    const spinner = createSpinner("Changing password...");
+    spinner.start();
+    try {
+      await withAuthGuard(
+        () => client.request("POST", "/api/auth/change-password", {
+          body: {
+            currentPassword: answers.currentPassword,
+            newPassword: answers.newPassword,
+            revokeOtherSessions: false
+          }
+        })
+      );
+      try {
+        const userKeys = await withAuthGuard(() => client.userKeys.get());
+        spinner.text = "Re-encrypting encryption keys...";
+        const { unlockUserKEK: unlockUserKEK2, reencryptUserKEK: reencryptUserKEK2 } = await import("./crypto-X7MZU7DV.js");
+        const userKek = await unlockUserKEK2(
+          answers.currentPassword,
+          userKeys.encryptedUserKek,
+          userKeys.kekIv,
+          userKeys.kekSalt
+        );
+        if (!userKek) {
+          spinner.fail("Password changed but failed to re-encrypt keys");
+          warning("Your password was changed, but your encryption keys need to be updated.");
+          info("Run `syncenv user-keys rotate` to fix this.");
+          return;
+        }
+        const { encryptedUserKek, kekIv, kekSalt } = await reencryptUserKEK2(
+          userKek,
+          answers.newPassword
+        );
+        await withAuthGuard(
+          () => client.userKeys.update({
+            encryptedUserKek,
+            kekIv,
+            kekSalt
+          })
+        );
+        const { saveEncryptedKEK, saveKEKPassword, getKEKPassword } = await import("./secure-storage-UEK3LD5L.js");
+        saveEncryptedKEK({ encryptedUserKek, kekIv, kekSalt });
+        const existingPassword = await getKEKPassword();
+        if (existingPassword) {
+          await saveKEKPassword(answers.newPassword);
+        }
+      } catch (err) {
+        if (!err.message?.includes("404")) {
+          throw err;
+        }
+      }
+      spinner.succeed("Password changed successfully");
+      success("Your account password has been updated");
+    } catch (err) {
+      spinner.fail("Failed to change password");
+      throw err;
+    }
+  } catch (err) {
+    error("Change password failed:", err.message);
+    process.exit(1);
+  }
+});
+
+// src/commands/doctor.ts
+import fs from "fs/promises";
+import chalk3 from "chalk";
+import { Command as Command2 } from "commander";
+var doctorCommand = new Command2("doctor").description("Diagnose configuration and connectivity issues").action(async () => {
+  let exitCode = 0;
+  console.log(chalk3.bold("\n\u{1F50D} SyncEnv Doctor\n"));
+  const nodeVersion = process.version;
+  const majorVersion = parseInt(nodeVersion.slice(1).split(".")[0]);
+  console.log(chalk3.dim("Checking Node.js version..."));
+  if (majorVersion >= 18) {
+    success(`Node.js ${nodeVersion}`);
+  } else {
+    error(`Node.js ${nodeVersion} (>= 18 required)`);
+    exitCode = 1;
+  }
+  console.log(chalk3.dim("\nChecking configuration..."));
+  const configPath = getConfigPath();
+  try {
+    await fs.access(configPath);
+    success(`Config file exists: ${configPath}`);
+  } catch {
+    warning(`Config file not found: ${configPath}`);
+  }
+  console.log(chalk3.dim("\nChecking project configuration..."));
+  const hasConfig = await hasProjectConfig();
+  if (hasConfig) {
+    try {
+      const config = await loadProjectConfig();
+      if (config) {
+        success(`.envsyncrc found`);
+        info(`  Project: ${config.project.name}`);
+        if (config.project.id) {
+          info(`  Project ID: ${config.project.id}`);
+        } else {
+          warning(`  Project ID not set - run \`syncenv project create\``);
+        }
+        info(`  Default env: ${config.defaults.environment}`);
+      }
+    } catch (err) {
+      error(`.envsyncrc exists but is invalid: ${err.message}`);
+      exitCode = 1;
+    }
+  } else {
+    warning(`.envsyncrc not found - run \`syncenv init\``);
+  }
+  console.log(chalk3.dim("\nChecking authentication..."));
+  if (isAuthenticated()) {
+    const userEmail = getConfig("userEmail");
+    success(`Authenticated as ${userEmail}`);
+    try {
+      const session = await withAuthGuard(
+        () => client.request("GET", "/api/auth/get-session")
+      );
+      if (session.data.session) {
+        success(`Server session valid`);
+      } else {
+        warning(`Server session expired`);
+      }
+    } catch (err) {
+      error(`Failed to verify session: ${err.message}`);
+      exitCode = 1;
+    }
+  } else {
+    warning(`Not authenticated - run \`syncenv auth login\``);
+  }
+  console.log(chalk3.dim("\nChecking API connectivity..."));
+  const apiUrl = process.env.SYNCENV_API_URL || getConfig("apiUrl") || "http://localhost:8787";
+  try {
+    const response = await fetch(apiUrl);
+    if (response.ok) {
+      const data = await response.json();
+      success(`API reachable at ${apiUrl}`);
+      info(`  Server: ${data.name || "Unknown"} v${data.version || "?"}`);
+    } else {
+      error(`API returned ${response.status}`);
+      exitCode = 1;
+    }
+  } catch (err) {
+    error(`Cannot connect to API at ${apiUrl}`);
+    info(`  Error: ${err.message}`);
+    exitCode = 1;
+  }
+  console.log("");
+  if (exitCode === 0) {
+    success("All checks passed!\n");
+  } else {
+    error("Some checks failed. Please fix the issues above.\n");
+  }
+  process.exit(exitCode);
+});
+
+// src/commands/env.ts
+import fs2 from "fs/promises";
+import chalk4 from "chalk";
+import { Command as Command3 } from "commander";
+import inquirer2 from "inquirer";
+
+// src/state/index.ts
+import { existsSync } from "fs";
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { homedir } from "os";
+import { join, dirname } from "path";
+var STATE_VERSION = 1;
+var STATE_DIR = ".envsync";
+var STATE_FILE = "state.json";
+var StateManager = class {
+  statePath;
+  state = null;
+  loaded = false;
+  constructor(options = {}) {
+    if (options.projectRoot) {
+      this.statePath = join(options.projectRoot, STATE_DIR, STATE_FILE);
+    } else {
+      this.statePath = join(homedir(), ".config", "syncenv", STATE_FILE);
+    }
+  }
+  /**
+   * Load state from disk
+   */
+  async load() {
+    if (this.loaded && this.state) {
+      return this.state;
+    }
+    try {
+      if (existsSync(this.statePath)) {
+        const content = await readFile(this.statePath, "utf-8");
+        this.state = JSON.parse(content);
+        this.state = this.migrate(this.state);
+      } else {
+        this.state = this.createEmptyState();
+      }
+    } catch (err) {
+      console.warn("Failed to load sync state, creating new:", err);
+      this.state = this.createEmptyState();
+    }
+    this.loaded = true;
+    return this.state;
+  }
+  /**
+   * Save state to disk
+   */
+  async save() {
+    if (!this.state) {
+      throw new Error("State not loaded");
+    }
+    await mkdir(dirname(this.statePath), { recursive: true });
+    await writeFile(this.statePath, JSON.stringify(this.state, null, 2), "utf-8");
+  }
+  /**
+   * Get environment sync state
+   */
+  async getEnvironmentState(projectId, envId) {
+    const state = await this.load();
+    return state.projects[projectId]?.environments[envId] ?? null;
+  }
+  /**
+   * Update environment sync state
+   */
+  async updateEnvironmentState(projectId, envId, update) {
+    const state = await this.load();
+    if (!state.projects[projectId]) {
+      state.projects[projectId] = { environments: {} };
+    }
+    const current = state.projects[projectId].environments[envId] ?? this.createEmptyEntry();
+    if (typeof update === "function") {
+      state.projects[projectId].environments[envId] = update(current);
+    } else {
+      state.projects[projectId].environments[envId] = {
+        ...current,
+        ...update,
+        // Merge history arrays
+        history: [...current.history || [], ...update.history || []].slice(-20)
+      };
+    }
+    await this.save();
+  }
+  /**
+   * Record a successful sync operation
+   */
+  async recordSync(projectId, envId, version, contentHash, source) {
+    await this.updateEnvironmentState(projectId, envId, (current) => ({
+      lastSync: {
+        version,
+        contentHash,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        source
+      },
+      pendingMerge: void 0,
+      // Clear any pending merge
+      history: [
+        ...current?.history || [],
+        {
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          action: source,
+          version
+        }
+      ].slice(-20)
+    }));
+  }
+  /**
+   * Save a pending merge session
+   */
+  async savePendingMerge(projectId, envId, baseVersion, remoteVersion, localBackupPath, conflicts) {
+    await this.updateEnvironmentState(projectId, envId, {
+      pendingMerge: {
+        baseVersion,
+        remoteVersion,
+        localBackupPath,
+        conflicts
+      }
+    });
+  }
+  /**
+   * Clear pending merge
+   */
+  async clearPendingMerge(projectId, envId) {
+    await this.updateEnvironmentState(projectId, envId, (current) => {
+      const updated = {
+        lastSync: current?.lastSync ?? {
+          version: 0,
+          contentHash: "",
+          timestamp: (/* @__PURE__ */ new Date(0)).toISOString(),
+          source: "pull"
+        },
+        history: current?.history ?? []
+      };
+      return updated;
+    });
+  }
+  /**
+   * Check if there's a pending merge
+   */
+  async hasPendingMerge(projectId, envId) {
+    const state = await this.getEnvironmentState(projectId, envId);
+    return state?.pendingMerge !== void 0;
+  }
+  /**
+   * Get state file path (for debugging)
+   */
+  getStatePath() {
+    return this.statePath;
+  }
+  createEmptyState() {
+    return {
+      version: STATE_VERSION,
+      projects: {}
+    };
+  }
+  createEmptyEntry() {
+    return {
+      lastSync: {
+        version: 0,
+        contentHash: "",
+        timestamp: (/* @__PURE__ */ new Date(0)).toISOString(),
+        source: "pull"
+      },
+      history: []
+    };
+  }
+  migrate(state) {
+    if (!state) {
+      return this.createEmptyState();
+    }
+    if (!state.version) {
+      state.version = STATE_VERSION;
+    }
+    if (!state.projects) {
+      state.projects = {};
+    }
+    return state;
+  }
+};
+function createStateManager(options) {
+  return new StateManager(options);
+}
+var globalState = createStateManager();
+
+// src/commands/env.ts
+var envCommands = new Command3("env").description("Environment variable commands");
+envCommands.command("push").description("Push .env file to server").option("-p, --project <id>", "project ID").option("-e, --env <name>", "environment name").option("-f, --file <path>", "file path").option("-m, --message <message>", "change description").option("--force", "force push without conflict check").option("--strategy <strategy>", "merge strategy on conflict: local-wins, remote-wins, fail-on-conflict").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified. Use --project or run `syncenv init`");
+      process.exit(1);
+    }
+    const envName = options.env || config?.defaults.environment || "dev";
+    const envConfig = config?.environments[envName];
+    const filePath = options.file || envConfig?.file || `.env.${envName}`;
+    const defaultFilePath = ".env";
+    let actualFilePath = filePath;
+    try {
+      await fs2.access(filePath);
+    } catch {
+      try {
+        await fs2.access(defaultFilePath);
+        actualFilePath = defaultFilePath;
+      } catch {
+        error(`No env file found. Tried: ${filePath}, ${defaultFilePath}`);
+        process.exit(1);
+      }
+    }
+    const content = await fs2.readFile(actualFilePath, "utf-8");
+    const contentHash = generateContentHash(content);
+    info(`Detected env file: ${actualFilePath}`);
+    info(`Project: ${projectId}`);
+    info(`Environment: ${envName}`);
+    const stateManager = createStateManager({ projectRoot: process.cwd() });
+    const userKek = await getOrUnlockUserKEK();
+    if (!userKek) {
+      error("Your encryption keys are locked.");
+      info("Run `syncenv user-keys unlock` to unlock your keys.");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Checking environment...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    let environment = environments.find((e) => e.name === envName);
+    const project = await withAuthGuard(() => client.projects.get(projectId));
+    let dek;
+    try {
+      dek = decryptDEK(project.encryptedDek, project.dekIv, userKek);
+    } catch (err) {
+      spinner.fail(`Failed to decrypt project key: ${err}`);
+      error("Could not decrypt the project encryption key. Your User KEK may be incorrect.");
+      process.exit(1);
+    }
+    const encrypted = encryptContent(content, dek);
+    if (environment && !options.force) {
+      const localState = await stateManager.getEnvironmentState(projectId, environment.id);
+      if (localState) {
+        const remoteVersion = environment.currentVersion || 1;
+        const localVersion = localState.lastSync.version;
+        if (remoteVersion > localVersion) {
+          spinner.stop();
+          warning(`Remote has been modified (version ${localVersion} \u2192 ${remoteVersion})`);
+          info("Attempting to merge...\n");
+          try {
+            const baseDownload = await client.environments.downloadContent(environment.id, localVersion);
+            const baseContent = decryptContent(baseDownload.content, baseDownload.encryptionIv, dek);
+            const remoteDownload = await client.environments.downloadContent(environment.id, remoteVersion);
+            const remoteContent = decryptContent(remoteDownload.content, remoteDownload.encryptionIv, dek);
+            const mergeInput = {
+              base: parseEnvFile(baseContent),
+              local: parseEnvFile(content),
+              remote: parseEnvFile(remoteContent)
+            };
+            const mergeResult = threeWayMerge(mergeInput);
+            if (mergeResult.autoMerged) {
+              info(chalk4.green("\u2713 Auto-merged successfully"));
+              info(chalk4.dim(`  Added: ${mergeResult.statistics.added}`));
+              info(chalk4.dim(`  Modified: ${mergeResult.statistics.modified}`));
+              info(chalk4.dim(`  Deleted: ${mergeResult.statistics.deleted}`));
+              const mergedEncrypted = encryptContent(mergeResult.mergedContent, dek);
+              spinner.start("Uploading merged content...");
+              const envId = environment.id;
+              const updateResult = await withAuthGuard(
+                () => client.environments.update(envId, {
+                  encryptedContent: mergedEncrypted.encrypted,
+                  contentHash: generateContentHash(mergeResult.mergedContent),
+                  encryptionIv: mergedEncrypted.iv,
+                  changeSummary: options.message || `Merged with remote version ${remoteVersion}`
+                })
+              );
+              await stateManager.recordSync(projectId, envId, updateResult.version, generateContentHash(mergeResult.mergedContent), "merge");
+              spinner.succeed("Merged and uploaded");
+              success(`Environment "${envName}" updated to version ${updateResult.version}`);
+              return;
+            } else {
+              const { interactiveMerge: interactiveMerge2 } = await import("./interactive-GOIXZ6UH.js");
+              const interactiveResult = await interactiveMerge2(mergeInput, mergeResult, {
+                allowEdit: true,
+                allowBoth: true,
+                allowSkip: true
+              });
+              if (interactiveResult.cancelled) {
+                info("Push cancelled. Your local changes are preserved.");
+                process.exit(0);
+              }
+              const resolvedEncrypted = encryptContent(interactiveResult.content, dek);
+              spinner.start("Uploading resolved content...");
+              const envId = environment.id;
+              const updateResult = await withAuthGuard(
+                () => client.environments.update(envId, {
+                  encryptedContent: resolvedEncrypted.encrypted,
+                  contentHash: generateContentHash(interactiveResult.content),
+                  encryptionIv: resolvedEncrypted.iv,
+                  changeSummary: options.message || `Merged with remote version ${remoteVersion} (with conflict resolution)`
+                })
+              );
+              await stateManager.recordSync(projectId, envId, updateResult.version, generateContentHash(interactiveResult.content), "merge");
+              spinner.succeed("Resolved and uploaded");
+              success(`Environment "${envName}" updated to version ${updateResult.version}`);
+              return;
+            }
+          } catch (mergeErr) {
+            spinner.fail("Merge failed");
+            error("Failed to merge with remote changes:", mergeErr.message);
+            info("Use --force to overwrite remote changes (may lose data)");
+            info("Use --strategy=local-wins to automatically use your changes");
+            process.exit(1);
+          }
+        }
+      }
+    }
+    if (!environment) {
+      spinner.text = "Creating environment...";
+      const result = await withAuthGuard(
+        () => client.environments.create(projectId, {
+          projectId,
+          name: envName,
+          description: `${envName} environment`,
+          encryptedContent: encrypted.encrypted,
+          contentHash,
+          contentSize: content.length,
+          encryptionIv: encrypted.iv
+        })
+      );
+      environment = result;
+    } else {
+      spinner.text = "Uploading...";
+      const envId = environment.id;
+      const result = await withAuthGuard(
+        () => client.environments.update(envId, {
+          encryptedContent: encrypted.encrypted,
+          contentHash,
+          encryptionIv: encrypted.iv,
+          changeSummary: options.message
+        })
+      );
+      await stateManager.recordSync(
+        projectId,
+        environment.id,
+        result.version,
+        contentHash,
+        "push"
+      );
+    }
+    spinner.succeed("Encrypted and uploaded");
+    success(`Environment "${envName}" updated`);
+    info(`Version: ${(environment.currentVersion || 0) + 1}`);
+    info(
+      `Size: ${formatBytes(content.length)} \u2192 ${formatBytes(Buffer.from(encrypted.encrypted, "base64").length)} (encrypted)`
+    );
+    if (options.message) {
+      info(`Message: ${options.message}`);
+    }
+  } catch (err) {
+    error("Failed to push:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("pull").description("Pull .env file from server").option("-p, --project <id>", "project ID").option("-e, --env <name>", "environment name").option("-f, --file <path>", "output file path").option("-v, --version <number>", "specific version to pull").option("-m, --merge", "merge with existing file (using three-way merge if possible)").option("-y, --yes", "skip confirmation").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified. Use --project or run `syncenv init`");
+      process.exit(1);
+    }
+    const envName = options.env || config?.defaults.environment || "dev";
+    const envConfig = config?.environments[envName];
+    const filePath = options.file || envConfig?.file || (envName === "dev" ? ".env" : `.env.${envName}`);
+    info(`Project: ${projectId}`);
+    info(`Environment: ${envName}`);
+    const userKek = await getOrUnlockUserKEK();
+    if (!userKek) {
+      error("Your encryption keys are locked.");
+      info("Run `syncenv user-keys unlock` to unlock your keys.");
+      process.exit(1);
+    }
+    const stateManager = createStateManager({ projectRoot: process.cwd() });
+    const spinner = createSpinner("Fetching environment...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    const environment = environments.find((e) => e.name === envName);
+    if (!environment) {
+      spinner.fail(`Environment "${envName}" not found`);
+      process.exit(1);
+    }
+    spinner.text = "Downloading...";
+    const versionNum = options.version ? parseInt(options.version) : void 0;
+    const download = await withAuthGuard(
+      () => client.environments.downloadContent(environment.id, versionNum)
+    );
+    spinner.text = "Decrypting...";
+    const project = await withAuthGuard(() => client.projects.get(projectId));
+    let dek;
+    try {
+      dek = decryptDEK(project.encryptedDek, project.dekIv, userKek);
+    } catch (err) {
+      console.error(`Failed to decrypt project key: ${err}`);
+      spinner.fail(`Failed to decrypt project key`);
+      error("Could not decrypt the project encryption key. Your User KEK may be incorrect.");
+      process.exit(1);
+    }
+    const decrypted = decryptContent(download.content, download.encryptionIv, dek);
+    spinner.stop();
+    let existingContent = "";
+    let shouldMerge = false;
+    try {
+      existingContent = await fs2.readFile(filePath, "utf-8");
+      if (!options.yes && !options.merge) {
+        const { action } = await inquirer2.prompt([
+          {
+            type: "list",
+            name: "action",
+            message: `File ${filePath} exists. What would you like to do?`,
+            choices: [
+              { name: "Overwrite", value: "overwrite" },
+              { name: "Merge", value: "merge" },
+              { name: "Cancel", value: "cancel" }
+            ]
+          }
+        ]);
+        if (action === "cancel") {
+          info("Cancelled.");
+          return;
+        }
+        shouldMerge = action === "merge";
+      } else if (options.merge) {
+        shouldMerge = true;
+      }
+    } catch {
+    }
+    if (shouldMerge && existingContent) {
+      const localEnv = parseEnvFile(existingContent);
+      const remoteEnv = parseEnvFile(decrypted);
+      const diff = diffEnvFiles(localEnv, remoteEnv);
+      if (diff.added.length === 0 && diff.removed.length === 0 && diff.modified.length === 0) {
+        info("No changes to merge.");
+        return;
+      }
+      console.log(chalk4.bold("\nMerge changes:"));
+      for (const key of diff.added) {
+        console.log(chalk4.green(`  + ${key}=${localEnv[key]}`));
+      }
+      for (const key of diff.removed) {
+        console.log(chalk4.red(`  - ${key}`));
+      }
+      for (const key of diff.modified) {
+        console.log(chalk4.yellow(`  ~ ${key}`));
+        console.log(chalk4.dim(`    local:  ${localEnv[key]}`));
+        console.log(chalk4.dim(`    remote: ${remoteEnv[key]}`));
+      }
+      const { mergeAction } = await inquirer2.prompt([
+        {
+          type: "list",
+          name: "mergeAction",
+          message: "How would you like to merge?",
+          choices: [
+            { name: "Keep local (use local values)", value: "local" },
+            { name: "Use remote (overwrite with remote)", value: "remote" },
+            { name: "Manual (open editor)", value: "manual" }
+          ]
+        }
+      ]);
+      let mergedEnv;
+      if (mergeAction === "local") {
+        mergedEnv = { ...remoteEnv, ...localEnv };
+      } else if (mergeAction === "remote") {
+        mergedEnv = { ...localEnv, ...remoteEnv };
+      } else {
+        mergedEnv = { ...localEnv, ...remoteEnv };
+        warning("Manual merge not implemented yet. Using remote values for conflicts.");
+      }
+      const mergedContent = stringifyEnvFile(mergedEnv);
+      await fs2.writeFile(filePath, mergedContent, "utf-8");
+      success(`Merged and written to ${filePath}`);
+    } else {
+      await fs2.writeFile(filePath, decrypted, "utf-8");
+      success(`Written to ${filePath}`);
+    }
+    info(`Version: ${download.version}`);
+    await stateManager.recordSync(
+      projectId,
+      environment.id,
+      download.version || 1,
+      download.contentHash || "",
+      "pull"
+    );
+  } catch (err) {
+    error("Failed to pull:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("history").description("Show version history").option("-p, --project <id>", "project ID").option("-e, --env <name>", "environment name").option("-l, --limit <number>", "number of versions to show", "10").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified.");
+      process.exit(1);
+    }
+    const envName = options.env || config?.defaults.environment || "dev";
+    const limit = parseInt(options.limit);
+    const spinner = createSpinner("Fetching history...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    const environment = environments.find((e) => e.name === envName);
+    if (!environment) {
+      spinner.fail(`Environment "${envName}" not found`);
+      process.exit(1);
+    }
+    const versions = await withAuthGuard(() => client.sync.getVersions(environment.id, parseInt(options.limit)));
+    spinner.stop();
+    if (versions.length === 0) {
+      info("No versions found.");
+      return;
+    }
+    console.log(chalk4.bold("\nVERSION   DATE              AUTHOR        MESSAGE"));
+    console.log(chalk4.dim("\u2500".repeat(70)));
+    for (const version of versions.slice(0, limit)) {
+      const ver = String(version.versionNumber).padEnd(9);
+      const date = formatRelativeTime(version.createdAt).padEnd(17);
+      const author = (version.createdByUser?.slice(0, 12) || "unknown").padEnd(13);
+      const message = version.changeSummary || "";
+      console.log(`${ver} ${date} ${author} ${message}`);
+    }
+    console.log("");
+  } catch (err) {
+    error("Failed to get history:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("diff <v1> <v2>").description("Compare two versions (not supported yet)").option("-p, --project <id>", "project ID").option("-e, --env <name>", "environment name").action(async (v1, v2, options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified.");
+      process.exit(1);
+    }
+    const envName = options.env || config?.defaults.environment || "dev";
+    const version1 = parseInt(v1);
+    const version2 = parseInt(v2);
+    const spinner = createSpinner("Comparing versions...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    const environment = environments.find((e) => e.name === envName);
+    if (!environment) {
+      spinner.fail(`Environment "${envName}" not found`);
+      process.exit(1);
+    }
+    const [download1, download2] = await Promise.all([
+      client.environments.downloadContent(environment.id, version1),
+      client.environments.downloadContent(environment.id, version2)
+    ]);
+    spinner.stop();
+    console.log(chalk4.bold(`
+Comparing versions ${version1} and ${version2}`));
+    console.log(chalk4.dim("\u2500".repeat(50)));
+    console.log(chalk4.dim(`
+Version ${version1}:`));
+    console.log(`  Content hash: ${generateContentHash(download1.content).slice(0, 16)}...`);
+    console.log(`  Date: ${(/* @__PURE__ */ new Date()).toLocaleString()}`);
+    console.log(chalk4.dim(`
+Version ${version2}:`));
+    console.log(`  Content hash: ${generateContentHash(download2.content).slice(0, 16)}...`);
+    console.log(`  Date: ${(/* @__PURE__ */ new Date()).toLocaleString()}`);
+    if (download1.content !== download2.content) {
+      console.log(chalk4.yellow("\n\u26A0 Content differs between versions"));
+      info("Use `syncenv env pull --version <number>` to view a specific version");
+    } else {
+      console.log(chalk4.green("\n\u2713 Content is identical"));
+    }
+    console.log("");
+  } catch (err) {
+    error("Failed to compare versions:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("rollback <version>").description("Rollback to a specific version").option("-p, --project <id>", "project ID").option("-e, --env <name>", "environment name").option("-y, --yes", "skip confirmation").action(async (version, options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified.");
+      process.exit(1);
+    }
+    const envName = options.env || config?.defaults.environment || "dev";
+    const targetVersion = parseInt(version);
+    if (!options.yes) {
+      const { confirm } = await inquirer2.prompt([
+        {
+          type: "confirm",
+          name: "confirm",
+          message: `Rollback "${envName}" to version ${targetVersion}? This will create a new version.`,
+          default: false
+        }
+      ]);
+      if (!confirm) {
+        info("Cancelled.");
+        return;
+      }
+    }
+    const userKek = await getOrUnlockUserKEK();
+    if (!userKek) {
+      error("Your encryption keys are locked.");
+      info("Run `syncenv user-keys unlock` to unlock your keys.");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Rolling back...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    const environment = environments.find((e) => e.name === envName);
+    if (!environment) {
+      spinner.fail(`Environment "${envName}" not found`);
+      process.exit(1);
+    }
+    const download = await client.environments.downloadContent(environment.id, targetVersion);
+    const project = await withAuthGuard(() => client.projects.get(projectId));
+    let dek;
+    try {
+      dek = decryptDEK(project.encryptedDek, project.dekIv, userKek);
+    } catch (err) {
+      console.error(`Failed to decrypt project key: ${err}`);
+      spinner.fail("Failed to decrypt project key");
+      error("Could not decrypt the project encryption key. Your User KEK may be incorrect.");
+      process.exit(1);
+    }
+    const oldContent = decryptContent(download.content, download.encryptionIv, dek);
+    const encrypted = encryptContent(oldContent, dek);
+    const contentHash = generateContentHash(oldContent);
+    const result = await client.environments.update(environment.id, {
+      encryptedContent: encrypted.encrypted,
+      contentHash,
+      encryptionIv: encrypted.iv,
+      changeSummary: `Rollback to version ${targetVersion}`
+    });
+    spinner.succeed(`Rolled back to version ${targetVersion}`);
+    success(`Created new version ${result.version}`);
+  } catch (err) {
+    error("Failed to rollback:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("list-envs").description("List all environments for a project").option("-p, --project <id>", "project ID").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified. Use --project or run `syncenv init`");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Fetching environments...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    spinner.stop();
+    if (environments.length === 0) {
+      info("No environments found for this project.");
+      info("Create one with `syncenv env create-env`");
+      return;
+    }
+    const project = await withAuthGuard(() => client.projects.get(projectId));
+    console.log(chalk4.bold(`
+Environments for ${project.name}`));
+    console.log(chalk4.dim("\u2500".repeat(70)));
+    console.log(chalk4.bold("NAME        VERSION   SIZE      LAST MODIFIED     DESCRIPTION"));
+    console.log(chalk4.dim("\u2500".repeat(70)));
+    for (const env of environments) {
+      const name = env.name.padEnd(11).slice(0, 11);
+      const version = `v${env.currentVersion || 1}`.padEnd(9);
+      const size = formatBytes(env.contentSize || 0).padEnd(9);
+      const modified = env.lastModifiedAt ? formatRelativeTime(env.lastModifiedAt).padEnd(17) : "--".padEnd(17);
+      const description = env.description || "";
+      console.log(`${name} ${version} ${size} ${modified} ${description}`);
+    }
+    console.log("");
+  } catch (err) {
+    error("Failed to list environments:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("create-env").description("Create a new environment for a project").option("-p, --project <id>", "project ID").option("-n, --name <name>", "environment name").option("-d, --description <description>", "environment description").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified. Use --project or run `syncenv init`");
+      process.exit(1);
+    }
+    let envName = options.name;
+    if (!envName) {
+      const answer = await inquirer2.prompt([
+        {
+          type: "input",
+          name: "name",
+          message: "Environment name:",
+          validate: (input) => {
+            if (!input.trim()) return "Environment name is required";
+            if (!/^[a-z0-9_-]+$/i.test(input))
+              return "Name can only contain letters, numbers, hyphens, and underscores";
+            return true;
+          }
+        }
+      ]);
+      envName = answer.name;
+    }
+    let description = options.description;
+    if (!description) {
+      const answer = await inquirer2.prompt([
+        {
+          type: "input",
+          name: "description",
+          message: "Description (optional):"
+        }
+      ]);
+      description = answer.description;
+    }
+    const spinner = createSpinner("Creating environment...");
+    spinner.start();
+    try {
+      const { encryptContent: encryptContent2, generateContentHash: generateContentHash2 } = await import("./crypto-X7MZU7DV.js");
+      const placeholderContent = `# ${envName} environment
+# Created at ${(/* @__PURE__ */ new Date()).toISOString()}
+`;
+      const contentSize = placeholderContent.length;
+      const encrypted = encryptContent2(placeholderContent, Buffer.alloc(32));
+      const result = await withAuthGuard(
+        () => client.environments.create(projectId, {
+          projectId,
+          name: envName,
+          description: description || void 0,
+          encryptedContent: encrypted.encrypted,
+          contentHash: generateContentHash2(placeholderContent),
+          contentSize,
+          encryptionIv: encrypted.iv
+        })
+      );
+      spinner.succeed(`Environment "${envName}" created`);
+      success(`Environment ID: ${result.id}`);
+      if (config) {
+        config.environments[envName] = {
+          file: envName === "dev" ? ".env" : `.env.${envName}`,
+          requireConfirmation: envName === "production"
+        };
+        await saveProjectConfig(config);
+        info(`Updated .envsyncrc with environment "${envName}"`);
+      }
+    } catch (err) {
+      spinner.fail("Failed to create environment");
+      throw err;
+    }
+  } catch (err) {
+    error("Create failed:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("delete-env <id>").description("Delete an environment").option("-f, --force", "skip confirmation").action(async (id, options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const env = await withAuthGuard(() => client.environments.get(id));
+    if (!options.force) {
+      const { confirm } = await inquirer2.prompt([
+        {
+          type: "input",
+          name: "confirm",
+          message: `Type "${env.name}" to confirm deletion:`,
+          validate: (input) => input === env.name || "Type the exact environment name to confirm"
+        }
+      ]);
+      if (!confirm) {
+        info("Cancelled.");
+        return;
+      }
+    }
+    const spinner = createSpinner("Deleting environment...");
+    spinner.start();
+    await withAuthGuard(() => client.environments.delete(id));
+    spinner.succeed(`Environment "${env.name}" deleted`);
+    const config = await loadProjectConfig();
+    if (config && config.environments[env.name]) {
+      delete config.environments[env.name];
+      await saveProjectConfig(config);
+      info("Updated .envsyncrc");
+    }
+  } catch (err) {
+    error("Failed to delete environment:", err.message);
+    process.exit(1);
+  }
+});
+envCommands.command("sync").description("Sync with remote (pull + merge + push in one command)").option("-p, --project <id>", "project ID").option("-e, --env <name>", "environment name").option("-f, --file <path>", "file path").option("--dry-run", "preview changes without applying").option("--strategy <strategy>", "conflict resolution: local-wins, remote-wins, fail-on-conflict", "interactive").option("-y, --yes", "skip confirmation prompts").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const config = await loadProjectConfig();
+    const projectId = options.project || config?.project.id || getConfig("defaultProject");
+    if (!projectId) {
+      error("No project specified. Use --project or run `syncenv init`");
+      process.exit(1);
+    }
+    const envName = options.env || config?.defaults.environment || "dev";
+    const envConfig = config?.environments[envName];
+    const filePath = options.file || envConfig?.file || (envName === "dev" ? ".env" : `.env.${envName}`);
+    info(`Project: ${projectId}`);
+    info(`Environment: ${envName}`);
+    info(`File: ${filePath}`);
+    const userKek = await getOrUnlockUserKEK();
+    if (!userKek) {
+      error("Your encryption keys are locked.");
+      info("Run `syncenv user-keys unlock` to unlock your keys.");
+      process.exit(1);
+    }
+    const stateManager = createStateManager({ projectRoot: process.cwd() });
+    const spinner = createSpinner("Checking remote status...");
+    spinner.start();
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(projectId)
+    );
+    const environment = environments.find((e) => e.name === envName);
+    if (!environment) {
+      spinner.fail(`Environment "${envName}" not found`);
+      info("Use `syncenv env push` to create it first");
+      process.exit(1);
+    }
+    let localContent;
+    try {
+      localContent = await fs2.readFile(filePath, "utf-8");
+    } catch {
+      spinner.text = "Local file not found, pulling from remote...";
+      const download = await client.environments.downloadContent(environment.id);
+      const project2 = await client.projects.get(projectId);
+      const dek2 = decryptDEK(project2.encryptedDek, project2.dekIv, userKek);
+      const decrypted = decryptContent(download.content, download.encryptionIv, dek2);
+      if (!options.dryRun) {
+        await fs2.writeFile(filePath, decrypted, "utf-8");
+        await stateManager.recordSync(projectId, environment.id, download.version || 1, download.contentHash || "", "pull");
+      }
+      spinner.succeed("Pulled from remote");
+      success(`Written to ${filePath}`);
+      return;
+    }
+    const localState = await stateManager.getEnvironmentState(projectId, environment.id);
+    const localContentHash = generateContentHash(localContent);
+    if (localState && localState.lastSync.contentHash === localContentHash) {
+      spinner.succeed("Local file is up to date");
+      info("No changes to sync");
+      return;
+    }
+    spinner.text = "Downloading remote content...";
+    const project = await withAuthGuard(() => client.projects.get(projectId));
+    const dek = decryptDEK(project.encryptedDek, project.dekIv, userKek);
+    const remoteVersion = environment.currentVersion || 1;
+    const remoteDownload = await client.environments.downloadContent(environment.id);
+    const remoteContent = decryptContent(remoteDownload.content, remoteDownload.encryptionIv, dek);
+    let mergedContent;
+    let mergeSource = "push";
+    if (localState && localState.lastSync.version < remoteVersion) {
+      spinner.text = "Merging changes...";
+      const baseDownload = await client.environments.downloadContent(environment.id, localState.lastSync.version);
+      const baseContent = decryptContent(baseDownload.content, baseDownload.encryptionIv, dek);
+      const mergeInput = {
+        base: parseEnvFile(baseContent),
+        local: parseEnvFile(localContent),
+        remote: parseEnvFile(remoteContent)
+      };
+      const mergeResult = threeWayMerge(mergeInput);
+      if (options.dryRun) {
+        spinner.stop();
+        info("\nDry run - would perform the following merge:");
+        info(`  Added: ${mergeResult.statistics.added}`);
+        info(`  Modified: ${mergeResult.statistics.modified}`);
+        info(`  Deleted: ${mergeResult.statistics.deleted}`);
+        info(`  Conflicts: ${mergeResult.statistics.conflicts}`);
+        return;
+      }
+      if (!mergeResult.autoMerged) {
+        spinner.stop();
+        if (options.strategy === "fail-on-conflict") {
+          error(`Merge failed: ${mergeResult.conflicts.length} conflict(s)`);
+          info("Use --strategy=local-wins or --strategy=remote-wins to auto-resolve");
+          process.exit(1);
+        }
+        if (options.strategy === "local-wins") {
+          mergedContent = applyMergeStrategy(mergeInput, "local-wins").mergedContent;
+        } else if (options.strategy === "remote-wins") {
+          mergedContent = applyMergeStrategy(mergeInput, "remote-wins").mergedContent;
+        } else {
+          const interactiveResult = await interactiveMerge(mergeInput, mergeResult, {
+            allowEdit: true,
+            allowBoth: true,
+            allowSkip: true
+          });
+          if (interactiveResult.cancelled) {
+            info("Sync cancelled.");
+            process.exit(0);
+          }
+          mergedContent = interactiveResult.content;
+        }
+        mergeSource = "merge";
+      } else {
+        mergedContent = mergeResult.mergedContent;
+        mergeSource = "merge";
+      }
+      await fs2.writeFile(filePath, mergedContent, "utf-8");
+      success("Merged and updated local file");
+    } else {
+      spinner.stop();
+      if (options.dryRun) {
+        info("\nDry run - would push local changes");
+        return;
+      }
+      mergedContent = localContent;
+      if (!options.yes) {
+        const { confirm } = await inquirer2.prompt([{
+          type: "confirm",
+          name: "confirm",
+          message: `Push local changes to "${envName}"?`,
+          default: true
+        }]);
+        if (!confirm) {
+          info("Cancelled.");
+          return;
+        }
+      }
+    }
+    spinner.start("Pushing to remote...");
+    const encrypted = encryptContent(mergedContent, dek);
+    const newContentHash = generateContentHash(mergedContent);
+    const result = await withAuthGuard(
+      () => client.environments.update(environment.id, {
+        encryptedContent: encrypted.encrypted,
+        contentHash: newContentHash,
+        encryptionIv: encrypted.iv,
+        changeSummary: mergeSource === "merge" ? "Synced with merge" : "Synced local changes"
+      })
+    );
+    await stateManager.recordSync(projectId, environment.id, result.version, newContentHash, mergeSource);
+    spinner.succeed("Sync complete");
+    success(`Environment "${envName}" updated to version ${result.version}`);
+  } catch (err) {
+    error("Sync failed:", err.message);
+    process.exit(1);
+  }
+});
+
+// src/commands/init.ts
+import path from "path";
+import chalk5 from "chalk";
+import { Command as Command4 } from "commander";
+import inquirer3 from "inquirer";
+var initCommand = new Command4("init").description("Initialize a new project configuration").option("-y, --yes", "skip prompts and use defaults").action(async (options) => {
+  try {
+    if (await hasProjectConfig()) {
+      const { overwrite } = await inquirer3.prompt([
+        {
+          type: "confirm",
+          name: "overwrite",
+          message: "Project already initialized. Overwrite?",
+          default: false
+        }
+      ]);
+      if (!overwrite) {
+        info("Cancelled.");
+        return;
+      }
+    }
+    let projectName;
+    let environments;
+    if (options.yes) {
+      projectName = path.basename(process.cwd());
+      environments = ["dev", "staging", "production"];
+    } else {
+      const answers = await inquirer3.prompt([
+        {
+          type: "input",
+          name: "projectName",
+          message: "Project name:",
+          default: path.basename(process.cwd()),
+          validate: (input) => input.length > 0 || "Project name is required"
+        },
+        {
+          type: "checkbox",
+          name: "environments",
+          message: "Select default environments:",
+          choices: [
+            { name: "dev", checked: true },
+            { name: "staging", checked: true },
+            { name: "production", checked: true },
+            { name: "test", checked: false }
+          ],
+          validate: (input) => input.length > 0 || "Select at least one environment"
+        },
+        {
+          type: "confirm",
+          name: "pushOnChange",
+          message: "Auto-push on change?",
+          default: false
+        },
+        {
+          type: "confirm",
+          name: "confirmOverwrite",
+          message: "Confirm before overwriting files?",
+          default: true
+        }
+      ]);
+      projectName = answers.projectName;
+      environments = answers.environments;
+      const envConfig = {};
+      for (const env of environments) {
+        const fileName = env === "dev" ? ".env" : `.env.${env}`;
+        envConfig[env] = {
+          file: fileName,
+          requireConfirmation: env === "production"
+        };
+      }
+      const config = {
+        project: {
+          name: projectName,
+          id: ""
+          // Will be set after creating project on server
+        },
+        defaults: {
+          environment: "dev",
+          pushOnChange: answers.pushOnChange,
+          confirmOverwrite: answers.confirmOverwrite
+        },
+        encryption: {
+          algorithm: "AES-256-GCM",
+          keyDerivation: "Argon2id"
+        },
+        environments: envConfig
+      };
+      await saveProjectConfig(config);
+      success(`Created ${chalk5.cyan(".envsyncrc")}`);
+      console.log("");
+      console.log(chalk5.dim("Next steps:"));
+      console.log(chalk5.dim("  1. Run `syncenv signup` to create an account"));
+      console.log(
+        chalk5.dim("  2. Run `syncenv project create` to create the project on the server")
+      );
+      console.log(chalk5.dim("  3. Run `syncenv push` to upload your .env file"));
+    }
+  } catch (err) {
+    error("Failed to initialize project:", err.message);
+    process.exit(1);
+  }
+});
+
+// src/commands/project.ts
+import chalk6 from "chalk";
+import { Command as Command5 } from "commander";
+import inquirer4 from "inquirer";
+var projectCommands = new Command5("project").description("Project management commands");
+projectCommands.command("list").alias("ls").description("List all projects").option("-s, --search <query>", "search projects by name").option("-l, --limit <number>", "number of projects to show", "20").option("--cursor <cursor>", "cursor for pagination").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Fetching projects...");
+    spinner.start();
+    const limit = parseInt(options.limit) || 20;
+    const result = await withAuthGuard(
+      () => client.projects.list({
+        limit,
+        search: options.search,
+        cursor: options.cursor,
+        sortBy: "updatedAt",
+        sortOrder: "desc"
+      })
+    );
+    spinner.stop();
+    if (result.data.length === 0) {
+      if (options.search) {
+        info(`No projects found matching "${options.search}"`);
+      } else {
+        info("No projects found. Create one with `syncenv project create`");
+      }
+      return;
+    }
+    console.log(chalk6.bold("\nNAME          DESCRIPTION              UPDATED"));
+    console.log(chalk6.dim("\u2500".repeat(70)));
+    for (const project of result.data) {
+      const name = project.name.padEnd(13).slice(0, 13);
+      const description = (project.description || "-").padEnd(24).slice(0, 24);
+      const updated = project.updatedAt ? formatRelativeTime(project.updatedAt) : "--";
+      console.log(`${name} ${description} ${updated}`);
+    }
+    if (result.hasMore) {
+      console.log(chalk6.dim(`
+... and more projects available`));
+      info(`Use --cursor ${result.nextCursor} to see more`);
+    }
+    console.log("");
+  } catch (err) {
+    error("Failed to list projects:", err.message);
+    process.exit(1);
+  }
+});
+projectCommands.command("create [name]").description("Create a new project").option("-d, --description <description>", "project description").action(async (name, options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    let projectName = name;
+    let description = options.description;
+    if (!projectName) {
+      const existingConfig = await loadProjectConfig();
+      if (existingConfig) {
+        projectName = existingConfig.project.name;
+        info(`Using project name from .envsyncrc: ${projectName}`);
+      } else {
+        const answer = await inquirer4.prompt([
+          {
+            type: "input",
+            name: "name",
+            message: "Project name:",
+            validate: (input) => input.length > 0 || "Name is required"
+          }
+        ]);
+        projectName = answer.name;
+      }
+    }
+    if (!description) {
+      const answer = await inquirer4.prompt([
+        {
+          type: "input",
+          name: "description",
+          message: "Description (optional):"
+        }
+      ]);
+      description = answer.description;
+    }
+    const userKek = await getOrUnlockUserKEK();
+    if (!userKek) {
+      error("Your encryption keys are locked.");
+      info("Run `syncenv user-keys unlock` to unlock your keys before creating a project.");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Creating project...");
+    spinner.start();
+    const { generateDEK, encryptDEK } = await import("./crypto-X7MZU7DV.js");
+    const dek = generateDEK();
+    const dekEncryption = encryptDEK(dek, userKek);
+    const project = await withAuthGuard(
+      () => client.projects.create({
+        name: projectName,
+        slug: projectName.toLowerCase().replace(/\s+/g, "-"),
+        description,
+        encryptedDek: dekEncryption.encrypted,
+        dekIv: dekEncryption.iv
+      })
+    );
+    spinner.succeed(`Project "${projectName}" created`);
+    const config = await loadProjectConfig();
+    if (config) {
+      config.project.id = project.id;
+      await saveProjectConfig(config);
+      success("Updated .envsyncrc with project ID");
+    } else {
+      await saveProjectConfig({
+        project: {
+          name: projectName,
+          id: project.id
+        },
+        defaults: {
+          environment: "dev",
+          pushOnChange: false,
+          confirmOverwrite: true
+        },
+        encryption: {
+          algorithm: "AES-256-GCM",
+          keyDerivation: "Argon2id"
+        },
+        environments: {
+          dev: { file: ".env" }
+        }
+      });
+      success("Created .envsyncrc");
+    }
+    info(`Project ID: ${project.id}`);
+    info("Default environments: dev, staging, prod");
+  } catch (err) {
+    error("Failed to create project:", err.message);
+    process.exit(1);
+  }
+});
+projectCommands.command("get <id>").description("Get project details").action(async (id) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Fetching project...");
+    spinner.start();
+    const project = await withAuthGuard(() => client.projects.get(id));
+    spinner.stop();
+    console.log(chalk6.bold("\nProject Details"));
+    console.log(chalk6.dim("\u2500".repeat(40)));
+    console.log(`Name:        ${project.name}`);
+    console.log(`ID:          ${project.id}`);
+    console.log(`Slug:        ${project.slug}`);
+    if (project.description) {
+      console.log(`Description: ${project.description}`);
+    }
+    console.log(`Created:     ${new Date(project.createdAt).toLocaleString()}`);
+    console.log(`Updated:     ${new Date(project.updatedAt).toLocaleString()}`);
+    const { data: environments } = await withAuthGuard(
+      () => client.environments.listByProject(id)
+    );
+    if (environments?.length > 0) {
+      console.log(chalk6.bold("\nEnvironments:"));
+      for (const env of environments) {
+        console.log(`  \u2022 ${env.name} (v${env.currentVersion || 1})`);
+      }
+    }
+  } catch (err) {
+    error("Failed to get project:", err.message);
+    process.exit(1);
+  }
+});
+projectCommands.command("delete <id>").description("Delete a project").option("-f, --force", "skip confirmation").action(async (id, options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const project = await withAuthGuard(() => client.projects.get(id));
+    if (!options.force) {
+      const { confirm } = await inquirer4.prompt([
+        {
+          type: "input",
+          name: "confirm",
+          message: `Type "${project.name}" to confirm deletion:`,
+          validate: (input) => input === project.name || "Type the exact project name to confirm"
+        }
+      ]);
+      if (!confirm) {
+        info("Cancelled.");
+        return;
+      }
+    }
+    const spinner = createSpinner("Deleting project...");
+    spinner.start();
+    await withAuthGuard(() => client.projects.delete(id));
+    spinner.succeed(`Project "${project.name}" deleted`);
+    const config = await loadProjectConfig();
+    if (config && config.project.id === id) {
+      config.project.id = "";
+      await saveProjectConfig(config);
+      info("Cleared project ID from .envsyncrc");
+    }
+  } catch (err) {
+    error("Failed to delete project:", err.message);
+    process.exit(1);
+  }
+});
+projectCommands.command("use <id>").description("Set default project").action(async (id) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const project = await withAuthGuard(() => client.projects.get(id));
+    setConfig("defaultProject", id);
+    success(`Set "${project.name}" as default project`);
+  } catch (err) {
+    error("Failed to set default project:", err.message);
+    process.exit(1);
+  }
+});
+
+// src/commands/user-keys.ts
+import chalk7 from "chalk";
+import { Command as Command6 } from "commander";
+import inquirer5 from "inquirer";
+var userKeysCommands = new Command6("user-keys").description(
+  "User encryption key management commands"
+);
+async function hasUserKeys() {
+  try {
+    await withAuthGuard(() => client.userKeys.get());
+    return true;
+  } catch (err) {
+    if (err.message?.includes("404")) {
+      return false;
+    }
+    throw err;
+  }
+}
+userKeysCommands.command("setup").description("Initialize your encryption keys (first time setup)").action(async () => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const hasKeys = await hasUserKeys();
+    if (hasKeys) {
+      warning("You already have encryption keys set up.");
+      const { overwrite } = await inquirer5.prompt([
+        {
+          type: "confirm",
+          name: "overwrite",
+          message: "Do you want to re-setup your keys? This will invalidate existing project access.",
+          default: false
+        }
+      ]);
+      if (!overwrite) {
+        info("Cancelled.");
+        return;
+      }
+    }
+    const { password } = await inquirer5.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Create encryption password:",
+        mask: "*",
+        validate: (input) => {
+          if (input.length < 8) return "Password must be at least 8 characters";
+          return true;
+        }
+      }
+    ]);
+    await inquirer5.prompt([
+      {
+        type: "password",
+        name: "confirmPassword",
+        message: "Confirm encryption password:",
+        mask: "*",
+        validate: (input) => {
+          if (input !== password) return "Passwords do not match";
+          return true;
+        }
+      }
+    ]);
+    const spinner = createSpinner("Setting up encryption keys...");
+    spinner.start();
+    try {
+      const { encryptedUserKek, kekIv, kekSalt } = await setupUserKEK(password);
+      await withAuthGuard(
+        () => client.userKeys.create({
+          encryptedUserKek,
+          kekIv,
+          kekSalt
+        })
+      );
+      await unlockAndStoreKEK(
+        password,
+        { encryptedUserKek, kekIv, kekSalt },
+        false
+        // Don't remember, just cache in memory
+      );
+      spinner.succeed("Encryption keys set up successfully");
+      success("Your encryption keys are ready");
+      info("Your keys are encrypted with your password and stored securely");
+      warning("Remember your encryption password! It cannot be recovered.");
+    } catch (err) {
+      spinner.fail("Failed to set up encryption keys");
+      throw err;
+    }
+  } catch (err) {
+    error("Setup failed:", err.message);
+    process.exit(1);
+  }
+});
+userKeysCommands.command("unlock").description("Unlock your encryption keys for this session").option("--remember", "Remember KEK in system keychain (allows unlocking without password)").action(async (options) => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const hasKeys = await hasUserKeys();
+    if (!hasKeys) {
+      error("You do not have encryption keys set up yet.");
+      info("Run `syncenv user-keys setup` to create your keys.");
+      process.exit(1);
+    }
+    const cached = await getUserKEK();
+    if (cached) {
+      const remaining = Math.round(getKEKTimeRemaining() / 6e4);
+      info(`Your encryption keys are already unlocked (${remaining} minutes remaining).`);
+      return;
+    }
+    const userKeys = await withAuthGuard(() => client.userKeys.get());
+    const { password } = await inquirer5.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Enter your encryption password:",
+        mask: "*"
+      }
+    ]);
+    const spinner = createSpinner("Unlocking encryption keys...");
+    spinner.start();
+    try {
+      await unlockAndStoreKEK(password, userKeys, options.remember);
+      spinner.succeed("Encryption keys unlocked");
+      success("Your keys are now available for this session");
+      if (options.remember) {
+        info("Keys are stored in system keychain for future sessions");
+      }
+      info("Keys will auto-lock after 30 minutes of inactivity");
+      info("Run `syncenv user-keys lock` to lock immediately");
+    } catch (err) {
+      console.error(`Faild to unlock encryption keys: ${err}`);
+      spinner.fail("Failed to unlock encryption keys");
+      error("Incorrect password. Please try again.");
+      process.exit(1);
+    }
+  } catch (err) {
+    error("Unlock failed:", err.message);
+    process.exit(1);
+  }
+});
+userKeysCommands.command("lock").description("Lock (clear) your encryption keys from memory").option("--forget", "Also remove from system keychain").action(async (options) => {
+  try {
+    await lockKEK(options.forget);
+    success("Encryption keys locked");
+    if (options.forget) {
+      info("Keys removed from system keychain");
+    } else {
+      info("Keys cleared from memory (still in keychain for next unlock)");
+    }
+    info("Run `syncenv user-keys unlock` to unlock again");
+  } catch (err) {
+    error("Lock failed:", err.message);
+    process.exit(1);
+  }
+});
+userKeysCommands.command("status").description("Check your encryption key status").action(async () => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    console.log(chalk7.bold("\nEncryption Key Status"));
+    console.log(chalk7.dim("\u2500".repeat(40)));
+    const hasKeys = await hasUserKeys();
+    if (!hasKeys) {
+      console.log(`Setup: ${chalk7.yellow("Not set up")}`);
+      info("\nRun `syncenv user-keys setup` to create your encryption keys");
+      return;
+    }
+    console.log(`Setup: ${chalk7.green("\u2713 Complete")}`);
+    const cached = isKEKCached();
+    if (cached) {
+      const remaining = Math.round(getKEKTimeRemaining() / 6e4);
+      console.log(`Session: ${chalk7.green("\u2713 Unlocked")} (${remaining} min remaining)`);
+      info("\nYour encryption keys are active for this session");
+    } else {
+      console.log(`Session: ${chalk7.yellow("\u25CB Locked")}`);
+      info("\nRun `syncenv user-keys unlock` to unlock your keys");
+    }
+    const userKeys = await withAuthGuard(() => client.userKeys.get());
+    console.log(`
+Key Version: ${userKeys.version || 1}`);
+    console.log(`Algorithm: AES-256-GCM with PBKDF2`);
+    console.log("");
+  } catch (err) {
+    error("Status check failed:", err.message);
+    process.exit(1);
+  }
+});
+userKeysCommands.command("rotate").description("Re-encrypt your keys with a new password").action(async () => {
+  try {
+    if (!isAuthenticated()) {
+      error("Not authenticated. Run `syncenv auth login` first.");
+      process.exit(1);
+    }
+    const hasKeys = await hasUserKeys();
+    if (!hasKeys) {
+      error("You do not have encryption keys set up yet.");
+      info("Run `syncenv user-keys setup` to create your keys.");
+      process.exit(1);
+    }
+    const userKeys = await withAuthGuard(() => client.userKeys.get());
+    const { oldPassword } = await inquirer5.prompt([
+      {
+        type: "password",
+        name: "oldPassword",
+        message: "Enter your current encryption password:",
+        mask: "*"
+      }
+    ]);
+    const { newPassword } = await inquirer5.prompt([
+      {
+        type: "password",
+        name: "newPassword",
+        message: "Enter your new encryption password:",
+        mask: "*",
+        validate: (input) => {
+          if (input.length < 8) return "Password must be at least 8 characters";
+          return true;
+        }
+      }
+    ]);
+    await inquirer5.prompt([
+      {
+        type: "password",
+        name: "confirmPassword",
+        message: "Confirm your new encryption password:",
+        mask: "*",
+        validate: (input) => {
+          if (input !== newPassword) return "Passwords do not match";
+          return true;
+        }
+      }
+    ]);
+    const spinner = createSpinner("Re-encrypting keys...");
+    spinner.start();
+    try {
+      const userKek = await unlockUserKEK(
+        oldPassword,
+        userKeys.encryptedUserKek,
+        userKeys.kekIv,
+        userKeys.kekSalt
+      );
+      if (!userKek) {
+        spinner.fail("Failed to unlock keys");
+        error("Incorrect current password.");
+        process.exit(1);
+      }
+      const { encryptedUserKek, kekIv, kekSalt } = await reencryptUserKEK(userKek, newPassword);
+      await withAuthGuard(
+        () => client.userKeys.update({
+          encryptedUserKek,
+          kekIv,
+          kekSalt
+        })
+      );
+      const { saveEncryptedKEK, saveKEKPassword, getKEKPassword } = await import("./secure-storage-UEK3LD5L.js");
+      saveEncryptedKEK({ encryptedUserKek, kekIv, kekSalt });
+      const existingPassword = await getKEKPassword();
+      if (existingPassword) {
+        await saveKEKPassword(newPassword);
+      }
+      spinner.succeed("Keys re-encrypted successfully");
+      success("Your encryption password has been changed");
+      warning("Remember your new password! It cannot be recovered.");
+    } catch (err) {
+      spinner.fail("Failed to re-encrypt keys");
+      throw err;
+    }
+  } catch (err) {
+    error("Rotation failed:", err.message);
+    process.exit(1);
+  }
+});
+
+// src/index.ts
+async function main() {
+  const program = new Command7();
+  await loadConfig();
+  program.name("syncenv").description("CLI for SyncEnv - Secure environment variable synchronization").version("0.1.0").option("-v, --verbose", "enable verbose logging").option("--api-url <url>", "API base URL", process.env.SYNCENV_API_URL || "http://localhost:8787").hook("preAction", (thisCommand) => {
+    const opts = thisCommand.opts();
+    if (opts.verbose) {
+      process.env.SYNCENV_VERBOSE = "true";
+    }
+    if (opts.apiUrl) {
+      process.env.SYNCENV_API_URL = opts.apiUrl;
+    }
+  });
+  program.addCommand(authCommands);
+  program.addCommand(projectCommands);
+  program.addCommand(envCommands);
+  program.addCommand(userKeysCommands);
+  program.addCommand(initCommand);
+  program.addCommand(doctorCommand);
+  program.exitOverride();
+  try {
+    await program.parseAsync(process.argv);
+  } catch (error2) {
+    if (error2.code === "commander.help") {
+      process.exit(0);
+    }
+    if (error2.code === "commander.version") {
+      process.exit(0);
+    }
+    if (error2.code === "commander.helpDisplayed") {
+      process.exit(0);
+    }
+    console.error(chalk8.red("\nError:"), error2.message || error2);
+    if (process.env.SYNCENV_VERBOSE) {
+      console.error(error2.stack);
+    }
+    process.exit(1);
+  }
+}
+main();