npm - auix - Versions diffs - 0.0.1 → 0.0.3 - Mend

auix 0.0.1 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +2056 -151
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
 import { formatWithOptions } from "node:util";
-import { dirname, join, resolve, sep } from "node:path";
+import { basename, dirname, join, resolve, sep } from "node:path";
 import g$1 from "node:process";
 import * as tty from "node:tty";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
-import { execSync } from "node:child_process";
-import { createInterface } from "node:readline/promises";
+import { execSync, spawn } from "node:child_process";
+import { createHash, randomUUID } from "node:crypto";
 //#region ../../node_modules/consola/dist/core.mjs
 const LogLevels = {
@@ -959,7 +959,7 @@ function _getDefaultLogLevel() {
 const consola = createConsola();
 //#endregion
-//#region node_modules/citty/dist/index.mjs
+//#region ../../node_modules/citty/dist/index.mjs
 function toArray(val) {
 	if (Array.isArray(val)) return val;
 	return val === void 0 ? [] : [val];
@@ -1164,7 +1164,7 @@ function resolveArgs(argsDef) {
 function defineCommand(def) {
 	return def;
 }
-async function runCommand(cmd, opts) {
+async function runCommand$1(cmd, opts) {
 	const cmdArgs = await resolveValue(cmd.args || {});
 	const parsedArgs = parseArgs(opts.rawArgs, cmdArgs);
 	const context = {
@@ -1183,7 +1183,7 @@ async function runCommand(cmd, opts) {
 			if (subCommandName) {
 				if (!subCommands[subCommandName]) throw new CLIError(`Unknown command \`${subCommandName}\``, "E_UNKNOWN_COMMAND");
 				const subCommand = await resolveValue(subCommands[subCommandName]);
-				if (subCommand) await runCommand(subCommand, { rawArgs: opts.rawArgs.slice(subCommandArgIndex + 1) });
+				if (subCommand) await runCommand$1(subCommand, { rawArgs: opts.rawArgs.slice(subCommandArgIndex + 1) });
 			} else if (!cmd.run) throw new CLIError(`No command specified.`, "E_NO_COMMAND");
 		}
 		if (typeof cmd.run === "function") result = await cmd.run(context);
@@ -1277,7 +1277,7 @@ async function runMain(cmd, opts = {}) {
 			const meta = typeof cmd.meta === "function" ? await cmd.meta() : await cmd.meta;
 			if (!meta?.version) throw new CLIError("No version specified", "E_NO_VERSION");
 			consola.log(meta.version);
-		} else await runCommand(cmd, { rawArgs });
+		} else await runCommand$1(cmd, { rawArgs });
 	} catch (error) {
 		const isCLIError = error instanceof CLIError;
 		if (!isCLIError) consola.error(error, "\n");
@@ -1289,30 +1289,85 @@ async function runMain(cmd, opts = {}) {
 //#endregion
 //#region ../env/dist/index.js
+function parseEnvString(content) {
+	const result = {};
+	for (const line of content.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const eqIndex = trimmed.indexOf("=");
+		if (eqIndex === -1) continue;
+		const key = trimmed.slice(0, eqIndex).trim();
+		let value = trimmed.slice(eqIndex + 1).trim();
+		if (value.startsWith("\"") && value.endsWith("\"") || value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+		result[key] = value;
+	}
+	return result;
+}
 function formatEnvString(vars) {
 	return Object.entries(vars).map(([key, value]) => {
 		return `${key}=${value.includes(" ") || value.includes("#") || value.includes("\n") ? `"${value}"` : value}`;
 	}).join("\n");
 }
+function formatJsonString(vars) {
+	return JSON.stringify(vars, null, 2);
+}
+function formatYamlString(vars) {
+	const specialChars = /[:#{}[\],&*?|<>=!%@`\-\s]/;
+	return Object.entries(vars).map(([key, value]) => {
+		return `${key}: ${value === "" || specialChars.test(value) ? `"${value}"` : value}`;
+	}).join("\n");
+}
+function interpolateEnv(vars) {
+	const result = {};
+	for (const [key, value] of Object.entries(vars)) result[key] = value;
+	const pattern = /\$\{([^}]+)\}/g;
+	for (let i = 0; i < 10; i++) {
+		let changed = false;
+		for (const key of Object.keys(result)) {
+			const value = result[key];
+			if (!pattern.test(value)) continue;
+			pattern.lastIndex = 0;
+			const resolving = /* @__PURE__ */ new Set();
+			resolving.add(key);
+			const newValue = value.replace(pattern, (match, ref) => {
+				if (resolving.has(ref)) return match;
+				if (!(ref in result)) return match;
+				const refValue = result[ref];
+				if (pattern.test(refValue)) {
+					pattern.lastIndex = 0;
+					if ([...refValue.matchAll(/\$\{([^}]+)\}/g)].map((m) => m[1]).some((r) => resolving.has(r))) return match;
+				}
+				pattern.lastIndex = 0;
+				return refValue;
+			});
+			if (newValue !== value) {
+				result[key] = newValue;
+				changed = true;
+			}
+		}
+		if (!changed) break;
+	}
+	return result;
+}
 //#endregion
 //#region src/config.ts
 const CONFIG_DIR = join(homedir(), ".auix");
-const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+const CONFIG_FILE$1 = join(CONFIG_DIR, "config.json");
 const PROJECT_FILE = ".auixrc";
 const DEFAULT_BASE_URL = "https://api.auix.dev";
-const DEFAULT_APP_URL = "https://app.auix.dev";
+const DEFAULT_APP_URL = "https://auix.dev";
 function loadGlobalConfig() {
-	if (!existsSync(CONFIG_FILE)) return {};
+	if (!existsSync(CONFIG_FILE$1)) return {};
 	try {
-		return JSON.parse(readFileSync(CONFIG_FILE, "utf-8"));
+		return JSON.parse(readFileSync(CONFIG_FILE$1, "utf-8"));
 	} catch {
 		return {};
 	}
 }
 function saveGlobalConfig(config) {
 	mkdirSync(CONFIG_DIR, { recursive: true });
-	writeFileSync(CONFIG_FILE, `${JSON.stringify(config, null, 2)}\n`);
+	writeFileSync(CONFIG_FILE$1, `${JSON.stringify(config, null, 2)}\n`);
 }
 function loadProjectConfig() {
 	let dir = process.cwd();
@@ -1343,7 +1398,11 @@ function getApiKey() {
 	if (envKey) return envKey;
 	const config = loadGlobalConfig();
 	if (config.apiKey) return config.apiKey;
-	throw new Error("No API key found. Run `auix login` or set AUIX_API_KEY.");
+}
+function requireApiKey() {
+	const key = getApiKey();
+	if (!key) throw new Error("No API key found. Run `auix login` or set AUIX_API_KEY.");
+	return key;
 }
 function getBaseUrl() {
 	return process.env.AUIX_BASE_URL ?? loadGlobalConfig().baseUrl ?? DEFAULT_BASE_URL;
@@ -1351,6 +1410,21 @@ function getBaseUrl() {
 function getAppUrl() {
 	return process.env.AUIX_APP_URL ?? loadGlobalConfig().appUrl ?? DEFAULT_APP_URL;
 }
+const SESSION_FILE = join(CONFIG_DIR, "session.json");
+function loadSession() {
+	if (!existsSync(SESSION_FILE)) return void 0;
+	try {
+		const session = JSON.parse(readFileSync(SESSION_FILE, "utf-8"));
+		if (new Date(session.expiresAt) <= /* @__PURE__ */ new Date()) return;
+		return session;
+	} catch {
+		return;
+	}
+}
+function saveSession(session) {
+	mkdirSync(CONFIG_DIR, { recursive: true });
+	writeFileSync(SESSION_FILE, `${JSON.stringify(session, null, 2)}\n`);
+}
 //#endregion
 //#region src/utils.ts
@@ -1360,11 +1434,30 @@ async function apiRequest(path, body) {
 		method: "POST",
 		headers: {
 			"Content-Type": "application/json",
-			Authorization: `Bearer ${getApiKey()}`
+			Authorization: `Bearer ${requireApiKey()}`
+		},
+		body: JSON.stringify(body)
+	});
+}
+async function apiRequestWithToken(path, body, token) {
+	const baseUrl = getBaseUrl().replace(/\/$/, "");
+	return fetch(`${baseUrl}${path}`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${token}`
 		},
 		body: JSON.stringify(body)
 	});
 }
+async function apiRequestNoAuth(path, body) {
+	const baseUrl = getBaseUrl().replace(/\/$/, "");
+	return fetch(`${baseUrl}${path}`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body)
+	});
+}
 function logError(message) {
 	console.error(`Error: ${message}`);
 	process.exit(1);
@@ -1374,6 +1467,134 @@ function maskValue(value) {
 	return `${value.slice(0, 2)}****${value.slice(-2)}`;
 }
+//#endregion
+//#region src/commands/branch-create.ts
+const branchCreateCommand = defineCommand({
+	meta: {
+		name: "branch create",
+		description: "Create an env branch"
+	},
+	args: {
+		name: {
+			type: "positional",
+			description: "Branch name",
+			required: true
+		},
+		"base-env": {
+			type: "string",
+			description: "Base environment (development, staging, production)"
+		}
+	},
+	async run({ args }) {
+		const res = await apiRequest("/v1/env/branch/create", {
+			name: args.name,
+			baseEnvironment: args["base-env"]
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create branch (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`Created branch: ${data.name}`);
+	}
+});
+//#endregion
+//#region src/commands/branch-delete.ts
+const branchDeleteCommand = defineCommand({
+	meta: {
+		name: "branch delete",
+		description: "Delete an env branch"
+	},
+	args: { name: {
+		type: "positional",
+		description: "Branch name",
+		required: true
+	} },
+	async run({ args }) {
+		const confirmed = await consola.prompt(`Delete branch "${args.name}" and all its variables?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const res = await apiRequest("/v1/env/branch/delete", { name: args.name });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to delete branch (${res.status}): ${text}`);
+		}
+		console.log(`Deleted branch: ${args.name}`);
+	}
+});
+//#endregion
+//#region src/commands/branch-list.ts
+const branchListCommand = defineCommand({
+	meta: {
+		name: "branch list",
+		description: "List env branches"
+	},
+	args: {},
+	async run() {
+		const res = await apiRequest("/v1/env/branch/list", {});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list branches (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.branches.length === 0) {
+			console.log("No branches found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const nameW = col(data.branches.map((b) => b.name), 4);
+		const baseW = col(data.branches.map((b) => b.baseEnvironment ?? "-"), 8);
+		const header = [
+			"NAME".padEnd(nameW),
+			"BASE ENV".padEnd(baseW),
+			"CREATED"
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const b of data.branches) {
+			const date = new Date(b.createdAt).toLocaleString();
+			const row = [
+				b.name.padEnd(nameW),
+				(b.baseEnvironment ?? "-").padEnd(baseW),
+				date
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.branches.length} branches`);
+	}
+});
+//#endregion
+//#region src/commands/delete.ts
+const deleteCommand = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete an environment variable by ID"
+	},
+	args: { id: {
+		type: "positional",
+		description: "Variable ID (from `auix env list`)",
+		required: true
+	} },
+	async run({ args }) {
+		const confirmed = await consola.prompt(`Delete variable ${args.id}?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const res = await apiRequest("/v1/env/delete", { id: args.id });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to delete (${res.status}): ${text}`);
+		}
+		console.log("Deleted.");
+	}
+});
 //#endregion
 //#region src/commands/diff.ts
 const diffCommand = defineCommand({
@@ -1400,6 +1621,10 @@ const diffCommand = defineCommand({
 			type: "string",
 			description: "Project slug"
 		},
+		branch: {
+			type: "string",
+			description: "Env branch name"
+		},
 		"show-values": {
 			type: "boolean",
 			description: "Show unmasked values",
@@ -1413,11 +1638,13 @@ const diffCommand = defineCommand({
 		const [res1, res2] = await Promise.all([apiRequest("/v1/env/resolve", {
 			project,
 			environment: args.env1,
-			app
+			app,
+			branch: args.branch
 		}), apiRequest("/v1/env/resolve", {
 			project,
 			environment: args.env2,
-			app
+			app,
+			branch: args.branch
 		})]);
 		if (!res1.ok) {
 			const text = await res1.text().catch(() => "");
@@ -1459,17 +1686,143 @@ const diffCommand = defineCommand({
 });
 //#endregion
-//#region src/commands/list.ts
-const listCommand = defineCommand({
+//#region src/commands/dynamic-create.ts
+const dynamicCreateCommand = defineCommand({
 	meta: {
-		name: "list",
-		description: "List environment variables (values masked)"
+		name: "dynamic create",
+		description: "Create a dynamic secret config"
+	},
+	args: {
+		name: {
+			type: "string",
+			description: "Dynamic secret name",
+			required: true
+		},
+		generator: {
+			type: "string",
+			description: "Generator type (random-password, random-token, random-uuid)",
+			required: true
+		},
+		ttl: {
+			type: "string",
+			description: "TTL in seconds (default: 3600)",
+			default: "3600"
+		}
+	},
+	async run({ args }) {
+		const validGenerators = [
+			"random-password",
+			"random-token",
+			"random-uuid"
+		];
+		if (!validGenerators.includes(args.generator)) logError(`Invalid generator: ${args.generator}. Available: ${validGenerators.join(", ")}`);
+		const ttlSeconds = Number.parseInt(args.ttl, 10);
+		if (Number.isNaN(ttlSeconds) || ttlSeconds <= 0) logError("--ttl must be a positive number of seconds.");
+		const res = await apiRequest("/v1/env/dynamic/create", {
+			name: args.name,
+			generator: args.generator,
+			ttlSeconds
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create dynamic secret (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`\nDynamic secret created`);
+		console.log(`  ID:        ${data.id}`);
+		console.log(`  Name:      ${data.name}`);
+		console.log(`  Generator: ${args.generator}`);
+		console.log(`  TTL:       ${ttlSeconds}s`);
+	}
+});
+//#endregion
+//#region src/commands/dynamic-lease.ts
+const dynamicLeaseCommand = defineCommand({
+	meta: {
+		name: "dynamic lease",
+		description: "Generate a new credential from a dynamic secret"
+	},
+	args: { name: {
+		type: "positional",
+		description: "Dynamic secret name",
+		required: true
+	} },
+	async run({ args }) {
+		const res = await apiRequest("/v1/env/dynamic/lease", { name: args.name });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create lease (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`\nLease created`);
+		console.log(`  Lease ID:  ${data.leaseId}`);
+		console.log(`  Value:     ${data.value}`);
+		console.log(`  Expires:   ${new Date(data.expiresAt).toLocaleString()}`);
+	}
+});
+//#endregion
+//#region src/commands/dynamic-list.ts
+const dynamicListCommand = defineCommand({
+	meta: {
+		name: "dynamic list",
+		description: "List dynamic secret configs"
+	},
+	args: {},
+	async run() {
+		const res = await apiRequest("/v1/env/dynamic/list", {});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list dynamic secrets (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.secrets.length === 0) {
+			console.log("No dynamic secrets found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const idW = 8;
+		const nameW = col(data.secrets.map((s) => s.name), 4);
+		const genW = col(data.secrets.map((s) => s.generator), 9);
+		const ttlW = col(data.secrets.map((s) => `${s.ttlSeconds}s`), 3);
+		const header = [
+			"ID".padEnd(idW),
+			"NAME".padEnd(nameW),
+			"GENERATOR".padEnd(genW),
+			"TTL".padEnd(ttlW)
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const s of data.secrets) {
+			const row = [
+				s.id.slice(0, idW).padEnd(idW),
+				s.name.padEnd(nameW),
+				s.generator.padEnd(genW),
+				`${s.ttlSeconds}s`.padEnd(ttlW)
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.secrets.length} dynamic secrets`);
+	}
+});
+//#endregion
+//#region src/commands/history.ts
+const historyCommand = defineCommand({
+	meta: {
+		name: "history",
+		description: "Show version history for an environment variable"
 	},
 	args: {
+		key: {
+			type: "positional",
+			description: "Variable key",
+			required: true
+		},
 		env: {
 			type: "string",
-			description: "Environment (development, staging, production)",
-			default: "development"
+			description: "Environment (development, staging, production)"
 		},
 		app: {
 			type: "string",
@@ -1479,6 +1832,10 @@ const listCommand = defineCommand({
 			type: "string",
 			description: "Project slug"
 		},
+		branch: {
+			type: "string",
+			description: "Env branch name"
+		},
 		"show-values": {
 			type: "boolean",
 			description: "Show unmasked values",
@@ -1489,118 +1846,423 @@ const listCommand = defineCommand({
 		const projectConfig = loadProjectConfig();
 		const project = args.project ?? projectConfig.project;
 		const app = args.app ?? resolveApp();
-		const res = await apiRequest("/v1/env/resolve", {
+		const res = await apiRequest("/v1/env/history", {
+			key: args.key,
 			project,
 			environment: args.env,
-			app
+			app,
+			branch: args.branch
 		});
 		if (!res.ok) {
 			const text = await res.text().catch(() => "");
-			logError(`Failed to resolve env (${res.status}): ${text}`);
+			logError(`Failed to get history (${res.status}): ${text}`);
 		}
 		const data = await res.json();
-		const entries = Object.entries(data.variables);
-		if (entries.length === 0) {
-			console.log("No variables found.");
+		if (data.versions.length === 0) {
+			console.log("No history found.");
 			return;
 		}
 		const showValues = args["show-values"];
-		for (const [key, value] of entries) {
-			const display = showValues ? value : maskValue(value);
-			console.log(`${key}=${display}`);
+		console.log(`History for ${args.key}\n`);
+		for (const v of data.versions) {
+			const val = showValues ? v.value : maskValue(v.value);
+			const date = new Date(v.createdAt).toLocaleString();
+			const label = v.version === "current" ? "current" : `v${v.version}`;
+			console.log(`  ${label.padEnd(10)} ${val.padEnd(20)} ${date}`);
 		}
-		console.log(`\n${entries.length} variables`);
+		console.log(`\n${data.versions.length} versions`);
 	}
 });
 //#endregion
-//#region src/commands/login.ts
-const CLIENT_ID = "auix-cli";
-const POLL_INTERVAL_MS = 5e3;
-function openBrowser(url) {
-	try {
-		execSync(`${process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"} ${JSON.stringify(url)}`, { stdio: "ignore" });
-	} catch {}
-}
-async function deviceFlow(appUrl) {
-	const base = appUrl.replace(/\/$/, "");
-	const codeRes = await fetch(`${base}/api/auth/device/code`, {
-		method: "POST",
-		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify({ client_id: CLIENT_ID })
-	});
-	if (!codeRes.ok) {
-		const text = await codeRes.text().catch(() => "");
-		logError(`Failed to start device flow (${codeRes.status}): ${text}`);
+//#region src/commands/init.ts
+function detectWorkspaceDirs() {
+	const cwd = process.cwd();
+	const pnpmPath = join(cwd, "pnpm-workspace.yaml");
+	if (existsSync(pnpmPath)) {
+		const content = readFileSync(pnpmPath, "utf-8");
+		const patterns = [];
+		let inPackages = false;
+		for (const line of content.split("\n")) {
+			const trimmed = line.trim();
+			if (trimmed === "packages:" || trimmed === "packages :") {
+				inPackages = true;
+				continue;
+			}
+			if (inPackages && trimmed.startsWith("- ")) {
+				const pattern = trimmed.slice(2).replace(/["']/g, "").trim();
+				patterns.push(pattern);
+				continue;
+			}
+			if (inPackages && trimmed && !trimmed.startsWith("-")) inPackages = false;
+		}
+		return expandPatterns(cwd, patterns);
 	}
-	const codeData = await codeRes.json();
-	console.log("Opening browser for authentication...");
-	console.log(`If the browser doesn't open, visit: ${codeData.verification_uri_complete}`);
-	console.log(`Enter code: ${codeData.user_code}\n`);
-	openBrowser(codeData.verification_uri_complete);
-	const deadline = Date.now() + codeData.expires_in * 1e3;
-	const interval = Math.max((codeData.interval || 5) * 1e3, POLL_INTERVAL_MS);
-	while (Date.now() < deadline) {
-		await new Promise((r) => setTimeout(r, interval));
-		const tokenRes = await fetch(`${base}/api/auth/device/token`, {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-				device_code: codeData.device_code,
-				client_id: CLIENT_ID
-			})
-		});
-		if (tokenRes.ok) return (await tokenRes.json()).access_token;
-		const err = await tokenRes.json().catch(() => ({}));
-		if (err.error === "authorization_pending") continue;
-		if (err.error === "slow_down") continue;
-		if (err.error === "expired_token") logError("Device code expired.");
-		if (err.error === "access_denied") logError("Access denied.");
-		logError(`Unexpected error: ${err.error ?? tokenRes.status}`);
+	const pkgPath = join(cwd, "package.json");
+	if (existsSync(pkgPath)) try {
+		const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+		const workspaces = Array.isArray(pkg.workspaces) ? pkg.workspaces : pkg.workspaces?.packages;
+		if (workspaces && workspaces.length > 0) return expandPatterns(cwd, workspaces);
+	} catch {}
+	return null;
+}
+function expandPatterns(cwd, patterns) {
+	const dirs = [];
+	for (const pattern of patterns) {
+		const clean = pattern.replace(/\/\*$/, "");
+		const parentDir = join(cwd, clean);
+		if (!existsSync(parentDir)) continue;
+		if (pattern.endsWith("/*")) try {
+			const entries = readdirSync(parentDir, { withFileTypes: true });
+			for (const entry of entries) if (entry.isDirectory() && !entry.name.startsWith(".")) {
+				const rel = `${clean}/${entry.name}`;
+				if (existsSync(join(join(cwd, rel), "package.json"))) dirs.push(rel);
+			}
+		} catch {}
+		else if (existsSync(join(parentDir, "package.json"))) dirs.push(clean);
 	}
-	logError("Device code expired. Please try again.");
-	return "";
+	return dirs.length > 0 ? dirs : null;
 }
-async function selectOrganization(appUrl, token) {
-	const base = appUrl.replace(/\/$/, "");
-	const res = await fetch(`${base}/api/auth/organization/list`, { headers: { Authorization: `Bearer ${token}` } });
-	if (!res.ok) logError(`Failed to list organizations (${res.status}).`);
-	const orgs = await res.json();
-	if (orgs.length === 0) logError("No organizations found. Create one at the web dashboard.");
-	if (orgs.length === 1) {
-		console.log(`Organization: ${orgs[0].name} (${orgs[0].slug})`);
-		return orgs[0];
+const initCommand = defineCommand({
+	meta: {
+		name: "init",
+		description: "Initialize project configuration"
+	},
+	args: { project: {
+		type: "string",
+		description: "Project slug (skip selection prompt)"
+	} },
+	async run({ args }) {
+		const rcPath = join(process.cwd(), ".auixrc");
+		if (existsSync(rcPath)) {
+			const overwrite = await consola.prompt(".auixrc already exists. Overwrite?", { type: "confirm" });
+			if (!overwrite || typeof overwrite === "symbol") {
+				console.log("Cancelled.");
+				return;
+			}
+		}
+		let projectSlug = args.project;
+		if (!projectSlug) projectSlug = await selectProject();
+		const config = { project: projectSlug };
+		const workspaceDirs = detectWorkspaceDirs();
+		if (workspaceDirs && workspaceDirs.length > 0) {
+			console.log(`\nDetected monorepo with ${workspaceDirs.length} packages:`);
+			for (const dir of workspaceDirs) console.log(`  ${dir}`);
+			const mapApps = await consola.prompt("\nMap directories to app names?", { type: "confirm" });
+			if (mapApps && typeof mapApps !== "symbol") {
+				const apps = {};
+				for (const dir of workspaceDirs) {
+					const defaultName = basename(dir);
+					const name = await consola.prompt(`App name for ${dir}`, {
+						type: "text",
+						default: defaultName,
+						placeholder: defaultName
+					});
+					if (typeof name === "symbol") {
+						console.log("Cancelled.");
+						return;
+					}
+					const trimmed = name.trim();
+					if (trimmed) apps[dir] = trimmed;
+				}
+				if (Object.keys(apps).length > 0) config.apps = apps;
+			}
+		}
+		writeFileSync(rcPath, `${JSON.stringify(config, null, 2)}\n`);
+		console.log(`\nCreated .auixrc`);
+		console.log(`  project: ${config.project}`);
+		if (config.apps) console.log(`  apps: ${Object.entries(config.apps).map(([d, a]) => `${d} → ${a}`).join(", ")}`);
 	}
-	console.log("Select organization:");
-	for (let i = 0; i < orgs.length; i++) console.log(`  ${i + 1}) ${orgs[i].name} (${orgs[i].slug})`);
-	const rl = createInterface({
-		input: process.stdin,
-		output: process.stdout
-	});
-	const answer = await rl.question("Choice: ");
-	rl.close();
-	const idx = Number.parseInt(answer, 10) - 1;
-	if (Number.isNaN(idx) || idx < 0 || idx >= orgs.length) logError("Invalid selection.");
-	return orgs[idx];
-}
-async function createApiKey(appUrl, token, organizationId) {
-	const base = appUrl.replace(/\/$/, "");
-	const res = await fetch(`${base}/api/cli/create-key`, {
-		method: "POST",
-		headers: {
-			"Content-Type": "application/json",
-			Authorization: `Bearer ${token}`
-		},
-		body: JSON.stringify({ organizationId })
+});
+async function selectProject() {
+	try {
+		const res = await apiRequest("/v1/env/projects/list", {});
+		if (res.ok) {
+			const data = await res.json();
+			if (data.projects && data.projects.length > 0) {
+				const selected = await consola.prompt("Select project", {
+					type: "select",
+					options: data.projects.map((p) => ({
+						label: `${p.name} (${p.slug})`,
+						value: p.slug
+					}))
+				});
+				if (typeof selected === "symbol") logError("Cancelled.");
+				return selected;
+			}
+		}
+	} catch {}
+	const slug = await consola.prompt("Project slug", {
+		type: "text",
+		placeholder: basename(process.cwd()),
+		default: basename(process.cwd())
 	});
-	if (!res.ok) {
-		const text = await res.text().catch(() => "");
-		logError(`Failed to create API key (${res.status}): ${text}`);
-	}
-	return (await res.json()).key;
+	if (typeof slug === "symbol") logError("Cancelled.");
+	const trimmed = slug.trim();
+	if (!trimmed) logError("Project slug cannot be empty.");
+	return trimmed;
 }
-const loginCommand = defineCommand({
+//#endregion
+//#region src/commands/list.ts
+const listCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List environment variables"
+	},
+	args: {
+		env: {
+			type: "string",
+			description: "Filter by environment (development, staging, production)"
+		},
+		app: {
+			type: "string",
+			description: "Filter by app name"
+		},
+		project: {
+			type: "string",
+			description: "Filter by project slug"
+		},
+		branch: {
+			type: "string",
+			description: "Filter by env branch name"
+		}
+	},
+	async run({ args }) {
+		const projectConfig = loadProjectConfig();
+		const project = args.project ?? projectConfig.project;
+		const app = args.app ?? resolveApp();
+		const res = await apiRequest("/v1/env/list", {
+			project,
+			environment: args.env,
+			app,
+			branch: args.branch
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list variables (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.variables.length === 0) {
+			console.log("No variables found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const idW = 8;
+		const keyW = col(data.variables.map((v) => v.key), 3);
+		const prjW = col(data.variables.map((v) => v.project ?? "-"), 7);
+		const envW = col(data.variables.map((v) => v.environment ?? "-"), 3);
+		const appW = col(data.variables.map((v) => v.app ?? "-"), 3);
+		const header = [
+			"ID".padEnd(idW),
+			"KEY".padEnd(keyW),
+			"PROJECT".padEnd(prjW),
+			"ENV".padEnd(envW),
+			"APP".padEnd(appW)
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const v of data.variables) {
+			const row = [
+				v.id.slice(0, idW).padEnd(idW),
+				v.key.padEnd(keyW),
+				(v.project ?? "-").padEnd(prjW),
+				(v.environment ?? "-").padEnd(envW),
+				(v.app ?? "-").padEnd(appW)
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.variables.length} variables`);
+	}
+});
+//#endregion
+//#region src/commands/lock.ts
+const lockCommand = defineCommand({
+	meta: {
+		name: "lock",
+		description: "Lock a config scope"
+	},
+	args: {
+		env: {
+			type: "string",
+			description: "Environment (development, staging, production)"
+		},
+		app: {
+			type: "string",
+			description: "App name"
+		},
+		project: {
+			type: "string",
+			description: "Project slug"
+		},
+		reason: {
+			type: "string",
+			description: "Reason for locking"
+		}
+	},
+	async run({ args }) {
+		const projectConfig = loadProjectConfig();
+		const project = args.project ?? projectConfig.project;
+		const app = args.app ?? resolveApp();
+		const res = await apiRequest("/v1/env/lock", {
+			project,
+			environment: args.env,
+			app,
+			reason: args.reason
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to lock (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`Locked (${data.id}).`);
+	}
+});
+//#endregion
+//#region src/commands/lock-status.ts
+const lockStatusCommand = defineCommand({
+	meta: {
+		name: "lock-status",
+		description: "Check if config is locked"
+	},
+	args: {
+		env: {
+			type: "string",
+			description: "Environment (development, staging, production)"
+		},
+		app: {
+			type: "string",
+			description: "App name"
+		},
+		project: {
+			type: "string",
+			description: "Project slug"
+		}
+	},
+	async run({ args }) {
+		const projectConfig = loadProjectConfig();
+		const project = args.project ?? projectConfig.project;
+		const app = args.app ?? resolveApp();
+		const res = await apiRequest("/v1/env/lock/status", {
+			project,
+			environment: args.env,
+			app
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to check lock status (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.locked) {
+			const parts = [`Locked: ${data.lock.reason ?? "(no reason)"}`];
+			if (data.lock.lockedBy) parts.push(`by ${data.lock.lockedBy}`);
+			if (data.lock.lockedAt) parts.push(`at ${data.lock.lockedAt}`);
+			console.log(parts.join(" "));
+		} else console.log("Unlocked");
+	}
+});
+//#endregion
+//#region src/commands/login.ts
+const CLIENT_ID = "auix-cli";
+const POLL_INTERVAL_MS = 5e3;
+function openBrowser(url) {
+	try {
+		execSync(`${process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"} ${JSON.stringify(url)}`, { stdio: "ignore" });
+	} catch {}
+}
+async function deviceFlow(appUrl) {
+	const base = appUrl.replace(/\/$/, "");
+	const codeRes = await fetch(`${base}/api/auth/device/code`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ client_id: CLIENT_ID })
+	});
+	if (!codeRes.ok) {
+		const text = await codeRes.text().catch(() => "");
+		logError(`Failed to start device flow (${codeRes.status}): ${text}`);
+	}
+	const codeData = await codeRes.json();
+	console.log("Opening browser for authentication...");
+	console.log(`If the browser doesn't open, visit: ${codeData.verification_uri_complete}`);
+	console.log(`Enter code: ${codeData.user_code}\n`);
+	openBrowser(codeData.verification_uri_complete);
+	const deadline = Date.now() + codeData.expires_in * 1e3;
+	const interval = Math.max((codeData.interval || 5) * 1e3, POLL_INTERVAL_MS);
+	while (Date.now() < deadline) {
+		await new Promise((r) => setTimeout(r, interval));
+		const tokenRes = await fetch(`${base}/api/auth/device/token`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+				device_code: codeData.device_code,
+				client_id: CLIENT_ID
+			})
+		});
+		if (tokenRes.ok) return (await tokenRes.json()).access_token;
+		const err = await tokenRes.json().catch(() => ({}));
+		if (err.error === "authorization_pending") continue;
+		if (err.error === "slow_down") continue;
+		if (err.error === "expired_token") logError("Device code expired.");
+		if (err.error === "access_denied") logError("Access denied.");
+		logError(`Unexpected error: ${err.error ?? tokenRes.status}`);
+	}
+	logError("Device code expired. Please try again.");
+	return "";
+}
+async function selectOrganization(appUrl, token) {
+	const base = appUrl.replace(/\/$/, "");
+	const res = await fetch(`${base}/api/auth/organization/list`, { headers: { Authorization: `Bearer ${token}` } });
+	if (!res.ok) logError(`Failed to list organizations (${res.status}).`);
+	const orgs = await res.json();
+	if (orgs.length === 0) logError("No organizations found. Create one at the web dashboard.");
+	if (orgs.length === 1) {
+		console.log(`Organization: ${orgs[0].name} (${orgs[0].slug})`);
+		return orgs[0];
+	}
+	const selected = await consola.prompt("Select organization", {
+		type: "select",
+		options: orgs.map((o) => ({
+			label: `${o.name} (${o.slug})`,
+			value: o.id
+		}))
+	});
+	if (typeof selected === "symbol") logError("Cancelled.");
+	return orgs.find((o) => o.id === selected);
+}
+async function fetchUser(appUrl, token) {
+	const base = appUrl.replace(/\/$/, "");
+	const res = await fetch(`${base}/api/auth/get-session`, { headers: { Authorization: `Bearer ${token}` } });
+	if (!res.ok) return {
+		name: "unknown",
+		email: "unknown"
+	};
+	const data = await res.json();
+	return {
+		name: data.user?.name ?? "unknown",
+		email: data.user?.email ?? "unknown"
+	};
+}
+async function createApiKey$1(appUrl, token, organizationId) {
+	const base = appUrl.replace(/\/$/, "");
+	const res = await fetch(`${base}/api/cli/create-key`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${token}`
+		},
+		body: JSON.stringify({ organizationId })
+	});
+	if (!res.ok) {
+		const text = await res.text().catch(() => "");
+		logError(`Failed to create API key (${res.status}): ${text}`);
+	}
+	return (await res.json()).key;
+}
+const loginCommand = defineCommand({
 	meta: {
 		name: "login",
 		description: "Authenticate with auix"
@@ -1642,19 +2304,48 @@ const loginCommand = defineCommand({
 			return;
 		}
 		const token = await deviceFlow(appUrl);
-		console.log("Authenticated.\n");
+		const user = await fetchUser(appUrl, token);
+		console.log(`Authenticated as ${user.email}\n`);
 		const org = await selectOrganization(appUrl, token);
 		saveGlobalConfig({
-			apiKey: await createApiKey(appUrl, token, org.id),
+			apiKey: await createApiKey$1(appUrl, token, org.id),
 			baseUrl,
-			appUrl
+			appUrl,
+			user,
+			organization: {
+				name: org.name,
+				slug: org.slug
+			}
 		});
 		console.log(`\nLogged in to ${org.name}.`);
 	}
 });
+//#endregion
+//#region src/commands/logout.ts
+const CONFIG_FILE = join(homedir(), ".auix", "config.json");
+const logoutCommand = defineCommand({
+	meta: {
+		name: "logout",
+		description: "Log out and remove credentials"
+	},
+	async run() {
+		if (!existsSync(CONFIG_FILE)) {
+			console.log("Not logged in.");
+			return;
+		}
+		rmSync(CONFIG_FILE);
+		console.log("Logged out.");
+	}
+});
 //#endregion
 //#region src/commands/pull.ts
+const formatters = {
+	env: formatEnvString,
+	json: formatJsonString,
+	yaml: formatYamlString
+};
 const pullCommand = defineCommand({
 	meta: {
 		name: "pull",
@@ -1663,8 +2354,7 @@ const pullCommand = defineCommand({
 	args: {
 		env: {
 			type: "string",
-			description: "Environment (development, staging, production)",
-			default: "development"
+			description: "Environment (development, staging, production)"
 		},
 		app: {
 			type: "string",
@@ -1674,32 +2364,50 @@ const pullCommand = defineCommand({
 			type: "string",
 			description: "Project slug"
 		},
+		branch: {
+			type: "string",
+			description: "Env branch name"
+		},
 		out: {
 			type: "string",
 			description: "Output file path",
 			default: ".env.local"
+		},
+		format: {
+			type: "string",
+			description: "Output format (env, json, yaml)",
+			default: "env"
+		},
+		interpolate: {
+			type: "boolean",
+			description: "Interpolate variable references",
+			default: false
 		}
 	},
 	async run({ args }) {
 		const projectConfig = loadProjectConfig();
 		const project = args.project ?? projectConfig.project;
 		const app = args.app ?? resolveApp();
+		const formatter = formatters[args.format];
+		if (!formatter) logError(`Unknown format: ${args.format}. Use env, json, or yaml.`);
 		const res = await apiRequest("/v1/env/resolve", {
 			project,
 			environment: args.env,
-			app
+			app,
+			branch: args.branch
 		});
 		if (!res.ok) {
 			const text = await res.text().catch(() => "");
 			logError(`Failed to resolve env (${res.status}): ${text}`);
 		}
-		const data = await res.json();
-		const count = Object.keys(data.variables).length;
+		let variables = (await res.json()).variables;
+		const count = Object.keys(variables).length;
 		if (count === 0) {
 			console.log("No variables found.");
 			return;
 		}
-		const content = formatEnvString(data.variables);
+		if (args.interpolate) variables = interpolateEnv(variables);
+		const content = formatter(variables);
 		writeFileSync(args.out, `${content}\n`);
 		console.log(`Pulled ${count} variables → ${args.out}`);
 	}
@@ -1720,8 +2428,7 @@ const pushCommand = defineCommand({
 		},
 		env: {
 			type: "string",
-			description: "Environment (development, staging, production)",
-			default: "development"
+			description: "Environment (development, staging, production)"
 		},
 		app: {
 			type: "string",
@@ -1731,6 +2438,10 @@ const pushCommand = defineCommand({
 			type: "string",
 			description: "Project slug"
 		},
+		branch: {
+			type: "string",
+			description: "Env branch name"
+		},
 		overwrite: {
 			type: "boolean",
 			description: "Overwrite existing variables",
@@ -1748,11 +2459,21 @@ const pushCommand = defineCommand({
 			logError(`Cannot read file: ${args.file}`);
 			return;
 		}
+		const parsed = parseEnvString(content);
+		const variables = Object.entries(parsed).map(([key, value]) => ({
+			key,
+			value
+		}));
+		if (variables.length === 0) {
+			console.log("No variables found in file.");
+			return;
+		}
 		const res = await apiRequest("/v1/env/import", {
-			content,
+			variables,
 			project,
 			environment: args.env,
 			app,
+			branch: args.branch,
 			overwrite: args.overwrite
 		});
 		if (!res.ok) {
@@ -1765,22 +2486,26 @@ const pushCommand = defineCommand({
 });
 //#endregion
-//#region src/commands/set.ts
-const setCommand = defineCommand({
+//#region src/commands/rollback.ts
+const rollbackCommand = defineCommand({
 	meta: {
-		name: "set",
-		description: "Set a single environment variable"
+		name: "rollback",
+		description: "Rollback a variable to a previous version"
 	},
 	args: {
-		pair: {
+		key: {
 			type: "positional",
-			description: "KEY=VALUE pair",
+			description: "Variable key",
+			required: true
+		},
+		version: {
+			type: "positional",
+			description: "Version number to rollback to",
 			required: true
 		},
 		env: {
 			type: "string",
-			description: "Environment (development, staging, production)",
-			default: "development"
+			description: "Environment (development, staging, production)"
 		},
 		app: {
 			type: "string",
@@ -1790,34 +2515,1126 @@ const setCommand = defineCommand({
 			type: "string",
 			description: "Project slug"
 		},
-		secret: {
-			type: "boolean",
-			description: "Mark as secret",
-			default: true
+		branch: {
+			type: "string",
+			description: "Env branch name"
 		}
 	},
 	async run({ args }) {
-		const eqIndex = args.pair.indexOf("=");
-		if (eqIndex === -1) logError("Expected KEY=VALUE format.");
-		const key = args.pair.slice(0, eqIndex);
-		const value = args.pair.slice(eqIndex + 1);
-		if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) logError("Invalid key. Use uppercase letters, digits, and underscores.");
+		const versionNum = Number.parseInt(args.version, 10);
+		if (Number.isNaN(versionNum) || versionNum <= 0) logError("Version must be a positive integer.");
+		const confirmed = await consola.prompt(`Rollback ${args.key} to v${versionNum}?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
 		const projectConfig = loadProjectConfig();
 		const project = args.project ?? projectConfig.project;
 		const app = args.app ?? resolveApp();
-		const res = await apiRequest("/v1/env/set", {
-			key,
-			value,
+		const res = await apiRequest("/v1/env/rollback", {
+			key: args.key,
+			version: versionNum,
 			project,
 			environment: args.env,
 			app,
-			isSecret: args.secret
+			branch: args.branch
 		});
 		if (!res.ok) {
 			const text = await res.text().catch(() => "");
-			logError(`Failed to set variable (${res.status}): ${text}`);
+			logError(`Failed to rollback (${res.status}): ${text}`);
 		}
-		console.log(`Set ${key}`);
+		console.log(`Rolled back ${args.key} to v${versionNum}.`);
+	}
+});
+//#endregion
+//#region src/commands/rotation-create.ts
+const rotationCreateCommand = defineCommand({
+	meta: {
+		name: "rotation create",
+		description: "Set up a rotation policy for an env variable"
+	},
+	args: {
+		key: {
+			type: "string",
+			description: "Environment variable key",
+			required: true
+		},
+		generator: {
+			type: "string",
+			description: "Generator (random-password, random-token, random-uuid)",
+			required: true
+		},
+		interval: {
+			type: "string",
+			description: "Rotation interval in days",
+			required: true
+		},
+		env: {
+			type: "string",
+			description: "Scope: environment"
+		},
+		app: {
+			type: "string",
+			description: "Scope: app name"
+		},
+		project: {
+			type: "string",
+			description: "Scope: project slug"
+		}
+	},
+	async run({ args }) {
+		const intervalDays = Number.parseInt(args.interval, 10);
+		if (Number.isNaN(intervalDays) || intervalDays <= 0) logError("--interval must be a positive number of days.");
+		const body = {
+			key: args.key,
+			generator: args.generator,
+			intervalDays
+		};
+		if (args.project) body.project = args.project;
+		if (args.env) body.environment = args.env;
+		if (args.app) body.app = args.app;
+		const res = await apiRequest("/v1/env/rotation/create", body);
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create rotation policy (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`\nRotation policy created: ${data.id}`);
+		console.log(`Key: ${args.key}`);
+		console.log(`Generator: ${args.generator}`);
+		console.log(`Interval: ${intervalDays} days`);
+	}
+});
+//#endregion
+//#region src/commands/rotation-list.ts
+function formatDate$1(date) {
+	if (!date) return "-";
+	return new Date(date).toLocaleDateString();
+}
+const rotationListCommand = defineCommand({
+	meta: {
+		name: "rotation list",
+		description: "List rotation policies"
+	},
+	args: {},
+	async run() {
+		const res = await apiRequest("/v1/env/rotation/list", {});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list rotation policies (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.policies.length === 0) {
+			console.log("No rotation policies found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const idW = 8;
+		const keyW = col(data.policies.map((p) => p.key), 3);
+		const genW = col(data.policies.map((p) => p.generator), 9);
+		const intW = col(data.policies.map((p) => `${p.intervalDays}d`), 8);
+		const lastW = col(data.policies.map((p) => formatDate$1(p.lastRotatedAt)), 12);
+		const nextW = col(data.policies.map((p) => formatDate$1(p.nextRotationAt)), 13);
+		const header = [
+			"ID".padEnd(idW),
+			"KEY".padEnd(keyW),
+			"GENERATOR".padEnd(genW),
+			"INTERVAL".padEnd(intW),
+			"LAST ROTATED".padEnd(lastW),
+			"NEXT ROTATION".padEnd(nextW)
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const p of data.policies) {
+			const row = [
+				p.id.slice(0, idW).padEnd(idW),
+				p.key.padEnd(keyW),
+				p.generator.padEnd(genW),
+				`${p.intervalDays}d`.padEnd(intW),
+				formatDate$1(p.lastRotatedAt).padEnd(lastW),
+				formatDate$1(p.nextRotationAt).padEnd(nextW)
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.policies.length} policies`);
+	}
+});
+//#endregion
+//#region src/commands/rotation-rotate.ts
+const rotationRotateCommand = defineCommand({
+	meta: {
+		name: "rotation rotate",
+		description: "Manually trigger rotation for a policy"
+	},
+	args: { id: {
+		type: "positional",
+		description: "Policy ID (from `auix env rotation list`)",
+		required: true
+	} },
+	async run({ args }) {
+		const confirmed = await consola.prompt(`Rotate credentials for policy ${args.id}?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const res = await apiRequest("/v1/env/rotation/rotate", { id: args.id });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to rotate (${res.status}): ${text}`);
+		}
+		console.log("Rotated successfully.");
+	}
+});
+//#endregion
+//#region src/commands/run.ts
+const FINGERPRINT_DIR = join(homedir(), ".auix");
+const FINGERPRINT_FILE = join(FINGERPRINT_DIR, "fingerprint");
+function computeHash(vars) {
+	const input = Object.entries(vars).sort(([a], [b]) => a.localeCompare(b)).map(([k, v]) => `${k}=${v}`).join("\n");
+	return createHash("sha256").update(input).digest("hex");
+}
+function getFingerprint() {
+	if (existsSync(FINGERPRINT_FILE)) {
+		const stored = readFileSync(FINGERPRINT_FILE, "utf-8").trim();
+		if (stored) return stored;
+	}
+	const id = randomUUID();
+	mkdirSync(FINGERPRINT_DIR, { recursive: true });
+	writeFileSync(FINGERPRINT_FILE, id);
+	return id;
+}
+async function ensureToken(project) {
+	const apiKey = getApiKey();
+	if (apiKey) return apiKey;
+	const session = loadSession();
+	if (session && session.project === project) return session.token;
+	const fingerprint = getFingerprint();
+	let gitRemote;
+	try {
+		gitRemote = execSync("git remote get-url origin", {
+			encoding: "utf-8",
+			timeout: 3e3,
+			stdio: [
+				"pipe",
+				"pipe",
+				"pipe"
+			]
+		}).trim();
+	} catch {}
+	const isCI = !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.CIRCLECI);
+	const res = await apiRequestNoAuth("/v1/auth/anonymous/register", {
+		fingerprint,
+		project,
+		meta: {
+			os: process.platform,
+			arch: process.arch,
+			nodeVersion: process.version,
+			cliVersion: "0.0.3",
+			shell: process.env.SHELL ?? process.env.COMSPEC,
+			ci: isCI || void 0,
+			ciName: process.env.GITHUB_ACTIONS ? "github-actions" : process.env.GITLAB_CI ? "gitlab-ci" : process.env.CIRCLECI ? "circleci" : void 0,
+			gitRemote,
+			timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
+			locale: Intl.DateTimeFormat().resolvedOptions().locale
+		}
+	});
+	if (!res.ok) {
+		const text = await res.text().catch(() => "");
+		if (res.status === 403) logError("Contributor access is not enabled for this project.");
+		if (res.status === 429) {
+			const data = JSON.parse(text);
+			logError(`Rate limited. Resets at ${data.resetsAt ? new Date(data.resetsAt).toLocaleString() : "later"}.\n  Run \`auix login\` to let project owners know who you are.`);
+		}
+		logError(`Failed to register anonymous session (${res.status}): ${text}`);
+	}
+	const data = await res.json();
+	saveSession({
+		token: data.token,
+		fingerprint,
+		project,
+		expiresAt: data.expiresAt
+	});
+	console.log("Created anonymous session (expires %s)", data.expiresAt);
+	return data.token;
+}
+const runCommand = defineCommand({
+	meta: {
+		name: "run",
+		description: "Run a command with resolved environment variables"
+	},
+	args: {
+		env: {
+			type: "string",
+			description: "Environment (development, staging, production)"
+		},
+		app: {
+			type: "string",
+			description: "App name"
+		},
+		project: {
+			type: "string",
+			description: "Project slug"
+		},
+		branch: {
+			type: "string",
+			description: "Env branch name"
+		},
+		interpolate: {
+			type: "boolean",
+			description: "Interpolate variable references",
+			default: false
+		},
+		watch: {
+			type: "boolean",
+			description: "Watch for changes and restart",
+			default: false
+		},
+		"watch-interval": {
+			type: "string",
+			description: "Poll interval in ms",
+			default: "5000"
+		}
+	},
+	async run({ args }) {
+		const dashIndex = process.argv.indexOf("--");
+		const command = dashIndex !== -1 ? process.argv.slice(dashIndex + 1) : [];
+		if (command.length === 0) logError("No command specified. Usage: auix run -- <command>");
+		const projectConfig = loadProjectConfig();
+		const projectSlug = args.project ?? projectConfig.project;
+		const app = args.app ?? resolveApp();
+		if (!projectSlug) logError("No project specified. Use --project or create .auixrc with `auix env init`.");
+		const token = await ensureToken(projectSlug);
+		const resolvePayload = {
+			project: projectSlug,
+			environment: args.env,
+			app,
+			branch: args.branch
+		};
+		const resolveVars = async () => {
+			const res = await apiRequestWithToken("/v1/env/resolve", resolvePayload, token);
+			if (!res.ok) {
+				const text = await res.text().catch(() => "");
+				logError(`Failed to resolve env (${res.status}): ${text}`);
+			}
+			let variables = (await res.json()).variables;
+			if (args.interpolate) variables = interpolateEnv(variables);
+			return variables;
+		};
+		const spawnChild = (vars) => {
+			const count = Object.keys(vars).length;
+			console.log(`Injecting ${count} variables`);
+			return spawn(command[0], command.slice(1), {
+				stdio: "inherit",
+				env: {
+					...process.env,
+					...vars
+				}
+			});
+		};
+		let variables = await resolveVars();
+		let child = spawnChild(variables);
+		if (!args.watch) {
+			child.on("close", (code) => {
+				process.exit(code ?? 1);
+			});
+			return;
+		}
+		let currentHash = computeHash(variables);
+		const interval = Number.parseInt(args["watch-interval"], 10);
+		console.log("Watching for changes...");
+		const timer = setInterval(async () => {
+			try {
+				const res = await apiRequestWithToken("/v1/env/check", resolvePayload, token);
+				if (!res.ok) return;
+				if ((await res.json()).hash === currentHash) return;
+				console.log("Env vars changed, restarting...");
+				child.kill("SIGTERM");
+				variables = await resolveVars();
+				currentHash = computeHash(variables);
+				child = spawnChild(variables);
+			} catch {}
+		}, interval);
+		const cleanup = () => {
+			clearInterval(timer);
+			child.kill("SIGTERM");
+			process.exit(0);
+		};
+		process.on("SIGINT", cleanup);
+		process.on("SIGTERM", cleanup);
+	}
+});
+//#endregion
+//#region src/commands/set.ts
+const setCommand = defineCommand({
+	meta: {
+		name: "set",
+		description: "Set a single environment variable"
+	},
+	args: {
+		pair: {
+			type: "positional",
+			description: "KEY=VALUE pair",
+			required: true
+		},
+		env: {
+			type: "string",
+			description: "Environment (development, staging, production)"
+		},
+		app: {
+			type: "string",
+			description: "App name"
+		},
+		project: {
+			type: "string",
+			description: "Project slug"
+		},
+		branch: {
+			type: "string",
+			description: "Env branch name"
+		},
+		secret: {
+			type: "boolean",
+			description: "Mark as secret",
+			default: true
+		},
+		description: {
+			type: "string",
+			description: "Variable description"
+		}
+	},
+	async run({ args }) {
+		const eqIndex = args.pair.indexOf("=");
+		if (eqIndex === -1) logError("Expected KEY=VALUE format.");
+		const key = args.pair.slice(0, eqIndex);
+		const value = args.pair.slice(eqIndex + 1);
+		if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) logError("Invalid key. Use uppercase letters, digits, and underscores.");
+		const projectConfig = loadProjectConfig();
+		const project = args.project ?? projectConfig.project;
+		const app = args.app ?? resolveApp();
+		const res = await apiRequest("/v1/env/set", {
+			key,
+			value,
+			project,
+			environment: args.env,
+			app,
+			branch: args.branch,
+			isSecret: args.secret,
+			description: args.description
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to set variable (${res.status}): ${text}`);
+		}
+		console.log(`Set ${key}`);
+	}
+});
+//#endregion
+//#region src/commands/share-access.ts
+const shareAccessCommand = defineCommand({
+	meta: {
+		name: "share access",
+		description: "Access a shared secret by ID"
+	},
+	args: { id: {
+		type: "positional",
+		description: "The share link ID",
+		required: true
+	} },
+	async run({ args }) {
+		const res = await apiRequest("/v1/env/share/access", { id: args.id });
+		if (res.status === 404) logError("Share link not found.");
+		if (res.status === 410) logError("Share link has expired or has already been accessed.");
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to access share link (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(data.value);
+	}
+});
+//#endregion
+//#region src/commands/share-create.ts
+const shareCreateCommand = defineCommand({
+	meta: {
+		name: "share create",
+		description: "Create a one-time share link for a secret"
+	},
+	args: {
+		value: {
+			type: "positional",
+			description: "The secret value to share",
+			required: true
+		},
+		expires: {
+			type: "string",
+			description: "Expiry in minutes (default: 60, max: 10080)",
+			default: "60"
+		}
+	},
+	async run({ args }) {
+		const expiresInMinutes = Number.parseInt(args.expires, 10);
+		if (Number.isNaN(expiresInMinutes) || expiresInMinutes < 1 || expiresInMinutes > 10080) logError("--expires must be between 1 and 10080 minutes (7 days).");
+		const res = await apiRequest("/v1/env/share/create", {
+			value: args.value,
+			expiresInMinutes
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create share link (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		const appUrl = getAppUrl().replace(/\/$/, "");
+		console.log(`\nShare URL: ${appUrl}/share/${data.id}`);
+		console.log(`Expires at: ${data.expiresAt}`);
+		console.log("\nThis link can only be accessed once.");
+	}
+});
+//#endregion
+//#region src/commands/switch.ts
+async function createApiKey(appUrl, token, organizationId) {
+	const base = appUrl.replace(/\/$/, "");
+	const res = await fetch(`${base}/api/cli/create-key`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${token}`
+		},
+		body: JSON.stringify({ organizationId })
+	});
+	if (!res.ok) {
+		const text = await res.text().catch(() => "");
+		logError(`Failed to create API key (${res.status}): ${text}`);
+	}
+	return (await res.json()).key;
+}
+const switchCommand = defineCommand({
+	meta: {
+		name: "switch",
+		description: "Switch to a different organization"
+	},
+	async run() {
+		const config = loadGlobalConfig();
+		const appUrl = config.appUrl ?? getAppUrl();
+		if (!config.apiKey) logError("Not logged in. Run `auix login`.");
+		const base = appUrl.replace(/\/$/, "");
+		consola.info("Re-authenticating to switch organization...\n");
+		const codeRes = await fetch(`${base}/api/auth/device/code`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ client_id: "auix-cli" })
+		});
+		if (!codeRes.ok) logError("Failed to start authentication. Is the server running?");
+		const codeData = await codeRes.json();
+		console.log(`Open: ${codeData.verification_uri_complete}`);
+		console.log(`Code: ${codeData.user_code}\n`);
+		try {
+			const { execSync } = await import("node:child_process");
+			execSync(`${process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"} ${JSON.stringify(codeData.verification_uri_complete)}`, { stdio: "ignore" });
+		} catch {}
+		const deadline = Date.now() + codeData.expires_in * 1e3;
+		const interval = Math.max((codeData.interval || 5) * 1e3, 5e3);
+		let token = "";
+		while (Date.now() < deadline) {
+			await new Promise((r) => setTimeout(r, interval));
+			const tokenRes = await fetch(`${base}/api/auth/device/token`, {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+					device_code: codeData.device_code,
+					client_id: "auix-cli"
+				})
+			});
+			if (tokenRes.ok) {
+				token = (await tokenRes.json()).access_token;
+				break;
+			}
+			const err = await tokenRes.json().catch(() => ({}));
+			if (err.error === "authorization_pending" || err.error === "slow_down") continue;
+			if (err.error === "expired_token") logError("Code expired.");
+			if (err.error === "access_denied") logError("Access denied.");
+			logError(`Unexpected error: ${err.error ?? tokenRes.status}`);
+		}
+		if (!token) logError("Code expired. Try again.");
+		const orgsRes = await fetch(`${base}/api/auth/organization/list`, { headers: { Authorization: `Bearer ${token}` } });
+		if (!orgsRes.ok) logError("Failed to list organizations.");
+		const orgs = await orgsRes.json();
+		if (orgs.length === 0) logError("No organizations found.");
+		const selected = await consola.prompt("Select organization", {
+			type: "select",
+			options: orgs.map((o) => ({
+				label: `${o.name} (${o.slug})`,
+				value: o.id
+			}))
+		});
+		if (typeof selected === "symbol") logError("Cancelled.");
+		const org = orgs.find((o) => o.id === selected);
+		const apiKey = await createApiKey(appUrl, token, org.id);
+		saveGlobalConfig({
+			...config,
+			apiKey,
+			organization: {
+				name: org.name,
+				slug: org.slug
+			}
+		});
+		console.log(`Switched to ${org.name}.`);
+	}
+});
+//#endregion
+//#region src/commands/sync-add.ts
+const syncAddCommand = defineCommand({
+	meta: {
+		name: "sync add",
+		description: "Add an env sync target"
+	},
+	args: {
+		provider: {
+			type: "string",
+			description: "Provider (vercel, github-actions, aws-ssm)",
+			required: true
+		},
+		name: {
+			type: "string",
+			description: "Target name",
+			required: true
+		},
+		env: {
+			type: "string",
+			description: "Scope: environment"
+		},
+		app: {
+			type: "string",
+			description: "Scope: app name"
+		},
+		project: {
+			type: "string",
+			description: "Scope: project slug"
+		},
+		"auto-sync": {
+			type: "boolean",
+			description: "Enable automatic sync",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const provider = args.provider;
+		const valid = [
+			"vercel",
+			"github-actions",
+			"aws-ssm"
+		];
+		if (!valid.includes(provider)) logError(`Invalid provider: ${provider}. Must be one of: ${valid.join(", ")}`);
+		const credentials = {};
+		if (provider === "vercel" || provider === "github-actions") {
+			const token = await consola.prompt("API token:", { type: "text" });
+			if (!token || typeof token === "symbol") logError("Token is required.");
+			credentials.token = token;
+		} else if (provider === "aws-ssm") {
+			const accessKeyId = await consola.prompt("AWS Access Key ID:", { type: "text" });
+			if (!accessKeyId || typeof accessKeyId === "symbol") logError("Access Key ID is required.");
+			credentials.accessKeyId = accessKeyId;
+			const secretAccessKey = await consola.prompt("AWS Secret Access Key:", { type: "text" });
+			if (!secretAccessKey || typeof secretAccessKey === "symbol") logError("Secret Access Key is required.");
+			credentials.secretAccessKey = secretAccessKey;
+		}
+		const scope = {};
+		if (args.project) scope.project = args.project;
+		if (args.env) scope.environment = args.env;
+		if (args.app) scope.app = args.app;
+		const res = await apiRequest("/v1/env/sync/targets/create", {
+			provider,
+			name: args.name,
+			credentials,
+			scope: Object.keys(scope).length > 0 ? scope : void 0,
+			autoSync: args["auto-sync"]
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to add sync target (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`Added sync target: ${args.name} (${data.id.slice(0, 8)})`);
+	}
+});
+//#endregion
+//#region src/commands/sync-list.ts
+const syncListCommand = defineCommand({
+	meta: {
+		name: "sync list",
+		description: "List env sync targets"
+	},
+	args: {},
+	async run() {
+		const res = await apiRequest("/v1/env/sync/targets/list", {});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list sync targets (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.targets.length === 0) {
+			console.log("No sync targets found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const idW = 8;
+		const provW = col(data.targets.map((t) => t.provider), 8);
+		const nameW = col(data.targets.map((t) => t.name), 4);
+		const formatScope = (s) => {
+			if (!s) return "-";
+			const parts = [];
+			if (s.project) parts.push(`prj:${s.project}`);
+			if (s.environment) parts.push(`env:${s.environment}`);
+			if (s.app) parts.push(`app:${s.app}`);
+			return parts.length > 0 ? parts.join(",") : "-";
+		};
+		const scopeW = col(data.targets.map((t) => formatScope(t.scope)), 5);
+		const autoW = 9;
+		const header = [
+			"ID".padEnd(idW),
+			"PROVIDER".padEnd(provW),
+			"NAME".padEnd(nameW),
+			"SCOPE".padEnd(scopeW),
+			"AUTO-SYNC".padEnd(autoW),
+			"LAST SYNCED"
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const t of data.targets) {
+			const synced = t.lastSyncedAt ? new Date(t.lastSyncedAt).toLocaleString() : "-";
+			const row = [
+				t.id.slice(0, idW).padEnd(idW),
+				t.provider.padEnd(provW),
+				t.name.padEnd(nameW),
+				formatScope(t.scope).padEnd(scopeW),
+				(t.autoSync ? "yes" : "no").padEnd(autoW),
+				synced
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.targets.length} targets`);
+	}
+});
+//#endregion
+//#region src/commands/sync-push.ts
+const syncPushCommand = defineCommand({
+	meta: {
+		name: "sync push",
+		description: "Push env vars to a sync target"
+	},
+	args: {
+		name: {
+			type: "string",
+			description: "Target name"
+		},
+		id: {
+			type: "string",
+			description: "Target ID"
+		}
+	},
+	async run({ args }) {
+		let targetId = args.id;
+		if (!targetId && !args.name) logError("Provide --name or --id to identify the target.");
+		if (!targetId && args.name) {
+			const listRes = await apiRequest("/v1/env/sync/targets/list", {});
+			if (!listRes.ok) {
+				const text = await listRes.text().catch(() => "");
+				logError(`Failed to list targets (${listRes.status}): ${text}`);
+			}
+			const match = (await listRes.json()).targets.find((t) => t.name === args.name);
+			if (!match) logError(`No sync target found with name: ${args.name}`);
+			targetId = match.id;
+		}
+		console.log("Syncing...");
+		const res = await apiRequest("/v1/env/sync/push", { targetId });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to sync (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.status === "success") console.log(`Synced ${data.variableCount} variables.`);
+		else logError(`Sync failed: ${data.error}`);
+	}
+});
+//#endregion
+//#region src/commands/sync-remove.ts
+const syncRemoveCommand = defineCommand({
+	meta: {
+		name: "sync remove",
+		description: "Remove an env sync target"
+	},
+	args: { id: {
+		type: "positional",
+		description: "Target ID (from `auix env sync list`)",
+		required: true
+	} },
+	async run({ args }) {
+		const confirmed = await consola.prompt(`Delete sync target ${args.id}?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const res = await apiRequest("/v1/env/sync/targets/delete", { id: args.id });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to delete (${res.status}): ${text}`);
+		}
+		console.log("Deleted.");
+	}
+});
+//#endregion
+//#region src/commands/token-create.ts
+const tokenCreateCommand = defineCommand({
+	meta: {
+		name: "token create",
+		description: "Create a service token"
+	},
+	args: {
+		name: {
+			type: "string",
+			description: "Token name",
+			required: true
+		},
+		permissions: {
+			type: "string",
+			description: "Comma-separated permissions (env:read,env:write,env:delete,env:admin)",
+			default: "env:read"
+		},
+		env: {
+			type: "string",
+			description: "Scope: environment"
+		},
+		app: {
+			type: "string",
+			description: "Scope: app name"
+		},
+		project: {
+			type: "string",
+			description: "Scope: project slug"
+		},
+		expires: {
+			type: "string",
+			description: "Expiry in days (e.g. 30)"
+		}
+	},
+	async run({ args }) {
+		const permissions = args.permissions.split(",").map((p) => p.trim());
+		const scope = {};
+		if (args.project) scope.project = args.project;
+		if (args.env) scope.environment = args.env;
+		if (args.app) scope.app = args.app;
+		const body = {
+			name: args.name,
+			permissions
+		};
+		if (Object.keys(scope).length > 0) body.scope = scope;
+		if (args.expires) {
+			const days = Number.parseInt(args.expires, 10);
+			if (Number.isNaN(days) || days <= 0) logError("--expires must be a positive number of days.");
+			body.expiresInDays = days;
+		}
+		const res = await apiRequest("/v1/env/tokens/create", body);
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create token (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`\nToken created: ${data.id}`);
+		console.log(`Key: ${data.key}`);
+		console.log("\nSave this key — it won't be shown again.");
+	}
+});
+//#endregion
+//#region src/commands/token-list.ts
+function formatScope(scope) {
+	if (!scope) return "-";
+	const parts = [];
+	if (scope.project) parts.push(`prj:${scope.project}`);
+	if (scope.environment) parts.push(`env:${scope.environment}`);
+	if (scope.app) parts.push(`app:${scope.app}`);
+	return parts.length > 0 ? parts.join(",") : "-";
+}
+function formatDate(date) {
+	if (!date) return "-";
+	return new Date(date).toLocaleDateString();
+}
+const tokenListCommand = defineCommand({
+	meta: {
+		name: "token list",
+		description: "List service tokens"
+	},
+	args: {},
+	async run() {
+		const res = await apiRequest("/v1/env/tokens/list", {});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list tokens (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.tokens.length === 0) {
+			console.log("No service tokens found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const idW = 8;
+		const nameW = col(data.tokens.map((t) => t.name), 4);
+		const permW = col(data.tokens.map((t) => t.permissions.join(",")), 11);
+		const scopeW = col(data.tokens.map((t) => formatScope(t.scope)), 5);
+		const expW = col(data.tokens.map((t) => formatDate(t.expiresAt)), 7);
+		const usedW = col(data.tokens.map((t) => formatDate(t.lastUsedAt)), 9);
+		const header = [
+			"ID".padEnd(idW),
+			"NAME".padEnd(nameW),
+			"PERMISSIONS".padEnd(permW),
+			"SCOPE".padEnd(scopeW),
+			"EXPIRES".padEnd(expW),
+			"LAST USED".padEnd(usedW)
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const t of data.tokens) {
+			const row = [
+				t.id.slice(0, idW).padEnd(idW),
+				t.name.padEnd(nameW),
+				t.permissions.join(",").padEnd(permW),
+				formatScope(t.scope).padEnd(scopeW),
+				formatDate(t.expiresAt).padEnd(expW),
+				formatDate(t.lastUsedAt).padEnd(usedW)
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.tokens.length} tokens`);
+	}
+});
+//#endregion
+//#region src/commands/token-revoke.ts
+const tokenRevokeCommand = defineCommand({
+	meta: {
+		name: "token revoke",
+		description: "Revoke a service token"
+	},
+	args: { id: {
+		type: "positional",
+		description: "Token ID (from `auix env token list`)",
+		required: true
+	} },
+	async run({ args }) {
+		const confirmed = await consola.prompt(`Revoke token ${args.id}?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const res = await apiRequest("/v1/env/tokens/revoke", { id: args.id });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to revoke token (${res.status}): ${text}`);
+		}
+		console.log("Revoked.");
+	}
+});
+//#endregion
+//#region src/commands/unlock.ts
+const unlockCommand = defineCommand({
+	meta: {
+		name: "unlock",
+		description: "Unlock a config scope"
+	},
+	args: {
+		env: {
+			type: "string",
+			description: "Environment (development, staging, production)"
+		},
+		app: {
+			type: "string",
+			description: "App name"
+		},
+		project: {
+			type: "string",
+			description: "Project slug"
+		}
+	},
+	async run({ args }) {
+		const confirmed = await consola.prompt("Unlock this config scope?", { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const projectConfig = loadProjectConfig();
+		const project = args.project ?? projectConfig.project;
+		const app = args.app ?? resolveApp();
+		const res = await apiRequest("/v1/env/unlock", {
+			project,
+			environment: args.env,
+			app
+		});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to unlock (${res.status}): ${text}`);
+		}
+		console.log("Unlocked.");
+	}
+});
+//#endregion
+//#region src/commands/webhook-add.ts
+const VALID_EVENTS = [
+	"env:created",
+	"env:updated",
+	"env:deleted"
+];
+const webhookAddCommand = defineCommand({
+	meta: {
+		name: "add",
+		description: "Register a webhook for env var changes"
+	},
+	args: {
+		url: {
+			type: "positional",
+			description: "Webhook URL",
+			required: true
+		},
+		events: {
+			type: "string",
+			description: "Comma-separated events (env:created,env:updated,env:deleted)",
+			default: "env:created,env:updated,env:deleted"
+		},
+		env: {
+			type: "string",
+			description: "Scope: environment filter"
+		},
+		app: {
+			type: "string",
+			description: "Scope: app filter"
+		},
+		project: {
+			type: "string",
+			description: "Scope: project filter"
+		}
+	},
+	async run({ args }) {
+		const events = args.events.split(",").map((e) => e.trim());
+		for (const e of events) if (!VALID_EVENTS.includes(e)) logError(`Invalid event "${e}". Valid: ${VALID_EVENTS.join(", ")}`);
+		const scope = {};
+		if (args.project) scope.project = args.project;
+		if (args.env) scope.environment = args.env;
+		if (args.app) scope.app = args.app;
+		const body = {
+			url: args.url,
+			events
+		};
+		if (Object.keys(scope).length > 0) body.scope = scope;
+		const res = await apiRequest("/v1/env/webhooks/create", body);
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to create webhook (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		console.log(`Created webhook ${data.id}`);
+	}
+});
+//#endregion
+//#region src/commands/webhook-list.ts
+const webhookListCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List registered webhooks"
+	},
+	async run() {
+		const res = await apiRequest("/v1/env/webhooks/list", {});
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to list webhooks (${res.status}): ${text}`);
+		}
+		const data = await res.json();
+		if (data.webhooks.length === 0) {
+			console.log("No webhooks found.");
+			return;
+		}
+		const col = (vals, min) => Math.max(min, ...vals.map((v) => v.length));
+		const idW = 8;
+		const urlW = col(data.webhooks.map((w) => w.url), 3);
+		const evtW = col(data.webhooks.map((w) => w.events.join(",")), 6);
+		const enW = 7;
+		const header = [
+			"ID".padEnd(idW),
+			"URL".padEnd(urlW),
+			"EVENTS".padEnd(evtW),
+			"ENABLED".padEnd(enW)
+		].join("  ");
+		console.log(header);
+		console.log("-".repeat(header.length));
+		for (const w of data.webhooks) {
+			const row = [
+				w.id.slice(0, idW).padEnd(idW),
+				w.url.padEnd(urlW),
+				w.events.join(",").padEnd(evtW),
+				String(w.enabled).padEnd(enW)
+			].join("  ");
+			console.log(row);
+		}
+		console.log(`\n${data.webhooks.length} webhooks`);
+	}
+});
+//#endregion
+//#region src/commands/webhook-remove.ts
+const webhookRemoveCommand = defineCommand({
+	meta: {
+		name: "remove",
+		description: "Remove a webhook by ID"
+	},
+	args: { id: {
+		type: "positional",
+		description: "Webhook ID (from `auix env webhook list`)",
+		required: true
+	} },
+	async run({ args }) {
+		const confirmed = await consola.prompt(`Remove webhook ${args.id}?`, { type: "confirm" });
+		if (!confirmed || typeof confirmed === "symbol") {
+			console.log("Cancelled.");
+			return;
+		}
+		const res = await apiRequest("/v1/env/webhooks/delete", { id: args.id });
+		if (!res.ok) {
+			const text = await res.text().catch(() => "");
+			logError(`Failed to remove webhook (${res.status}): ${text}`);
+		}
+		console.log("Removed.");
+	}
+});
+//#endregion
+//#region src/commands/whoami.ts
+const whoamiCommand = defineCommand({
+	meta: {
+		name: "whoami",
+		description: "Show current authentication"
+	},
+	async run() {
+		const config = loadGlobalConfig();
+		if (!config.apiKey) logError("Not logged in. Run `auix login`.");
+		if (config.user) console.log(`User: ${config.user.name} (${config.user.email})`);
+		if (config.organization) console.log(`Org:  ${config.organization.name} (${config.organization.slug})`);
+		console.log(`Key:  ${config.apiKey.slice(0, 12)}...`);
+		console.log(`API:  ${config.baseUrl ?? "https://api.auix.dev"}`);
+		console.log(`App:  ${config.appUrl ?? "https://auix.dev"}`);
 	}
 });
@@ -1826,22 +3643,110 @@ const setCommand = defineCommand({
 runMain(defineCommand({
 	meta: {
 		name: "auix",
-		version: "0.0.0",
+		version: "0.0.3",
 		description: "AUIX CLI"
 	},
 	subCommands: {
 		login: loginCommand,
+		logout: logoutCommand,
+		whoami: whoamiCommand,
+		switch: switchCommand,
 		env: defineCommand({
 			meta: {
 				name: "env",
 				description: "Manage environment variables"
 			},
 			subCommands: {
+				init: initCommand,
+				run: runCommand,
 				pull: pullCommand,
 				push: pushCommand,
 				list: listCommand,
 				set: setCommand,
-				diff: diffCommand
+				delete: deleteCommand,
+				diff: diffCommand,
+				history: historyCommand,
+				rollback: rollbackCommand,
+				lock: lockCommand,
+				unlock: unlockCommand,
+				"lock-status": lockStatusCommand,
+				branch: defineCommand({
+					meta: {
+						name: "branch",
+						description: "Manage env branches"
+					},
+					subCommands: {
+						create: branchCreateCommand,
+						list: branchListCommand,
+						delete: branchDeleteCommand
+					}
+				}),
+				token: defineCommand({
+					meta: {
+						name: "token",
+						description: "Manage service tokens"
+					},
+					subCommands: {
+						create: tokenCreateCommand,
+						list: tokenListCommand,
+						revoke: tokenRevokeCommand
+					}
+				}),
+				webhook: defineCommand({
+					meta: {
+						name: "webhook",
+						description: "Manage env change webhooks"
+					},
+					subCommands: {
+						add: webhookAddCommand,
+						list: webhookListCommand,
+						remove: webhookRemoveCommand
+					}
+				}),
+				share: defineCommand({
+					meta: {
+						name: "share",
+						description: "One-time encrypted share links"
+					},
+					subCommands: {
+						create: shareCreateCommand,
+						access: shareAccessCommand
+					}
+				}),
+				sync: defineCommand({
+					meta: {
+						name: "sync",
+						description: "Sync env vars to external providers"
+					},
+					subCommands: {
+						add: syncAddCommand,
+						list: syncListCommand,
+						push: syncPushCommand,
+						remove: syncRemoveCommand
+					}
+				}),
+				rotation: defineCommand({
+					meta: {
+						name: "rotation",
+						description: "Manage credential rotation policies"
+					},
+					subCommands: {
+						create: rotationCreateCommand,
+						list: rotationListCommand,
+						rotate: rotationRotateCommand
+					}
+				}),
+				dynamic: defineCommand({
+					meta: {
+						name: "dynamic",
+						description: "Manage dynamic (ephemeral) secrets"
+					},
+					subCommands: {
+						create: dynamicCreateCommand,
+						list: dynamicListCommand,
+						lease: dynamicLeaseCommand
+					}
+				})
 			}
 		})
 	}