gitignored-cli 0.1.1

package/dist/index.js

@@ -0,0 +1,1407 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/login.ts
+import * as crypto from "crypto";
+import open from "open";
+
+// src/lib/config.ts
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+var CONFIG_DIR = path.join(os.homedir(), ".gitignored");
+var CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
+var KEYS_DIR = path.join(CONFIG_DIR, "keys");
+var DEFAULT_CONFIG = {
+  apiBaseUrl: "http://localhost:3000"
+};
+function ensureConfigDir() {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.mkdirSync(KEYS_DIR, { recursive: true });
+}
+function getConfig() {
+  try {
+    const raw = fs.readFileSync(CONFIG_FILE, "utf-8");
+    const config = { ...DEFAULT_CONFIG, ...JSON.parse(raw) };
+    const envToken = process.env.GITIGNORED_TOKEN;
+    if (envToken) {
+      config.authToken = envToken;
+    }
+    return config;
+  } catch {
+    const config = { ...DEFAULT_CONFIG };
+    const envToken = process.env.GITIGNORED_TOKEN;
+    if (envToken) {
+      config.authToken = envToken;
+    }
+    return config;
+  }
+}
+function saveConfig(partial) {
+  ensureConfigDir();
+  const existing = getConfig();
+  const merged = { ...existing, ...partial };
+  if (process.env.GITIGNORED_TOKEN && merged.authToken === process.env.GITIGNORED_TOKEN) {
+    delete merged.authToken;
+  }
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + "\n");
+}
+function clearConfig() {
+  const config = getConfig();
+  delete config.authToken;
+  delete config.userId;
+  delete config.email;
+  ensureConfigDir();
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + "\n");
+}
+
+// src/lib/api.ts
+var ApiError = class extends Error {
+  constructor(statusCode, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "ApiError";
+  }
+};
+async function apiClient(path13, options = {}) {
+  const config = getConfig();
+  const url = `${config.apiBaseUrl}${path13}`;
+  const headers = {
+    "Content-Type": "application/json",
+    ...options.headers
+  };
+  if (config.authToken) {
+    headers["Authorization"] = `Bearer ${config.authToken}`;
+  }
+  const response = await fetch(url, {
+    ...options,
+    headers
+  });
+  if (!response.ok) {
+    if (response.status === 401) {
+      throw new ApiError(401, "Session expired. Please run `gitignored login`.");
+    }
+    const body = await response.text();
+    let message;
+    try {
+      const json = JSON.parse(body);
+      message = json.error || json.message || body;
+    } catch {
+      message = body;
+    }
+    throw new ApiError(response.status, message);
+  }
+  return response.json();
+}
+
+// src/lib/crypto.ts
+import nacl from "tweetnacl";
+import { decodeBase64, encodeBase64, decodeUTF8, encodeUTF8 } from "tweetnacl-util";
+function generateKeypair() {
+  return nacl.box.keyPair();
+}
+function generateProjectKey() {
+  return nacl.randomBytes(32);
+}
+function encryptEnv(plaintext, projectKey) {
+  const nonce = nacl.randomBytes(24);
+  const messageBytes = decodeUTF8(plaintext);
+  const ciphertext = nacl.secretbox(messageBytes, nonce, projectKey);
+  const combined = new Uint8Array(nonce.length + ciphertext.length);
+  combined.set(nonce, 0);
+  combined.set(ciphertext, nonce.length);
+  return encodeBase64(combined);
+}
+function decryptEnv(encrypted, projectKey) {
+  const combined = decodeBase64(encrypted);
+  const nonce = combined.slice(0, 24);
+  const ciphertext = combined.slice(24);
+  const plaintext = nacl.secretbox.open(ciphertext, nonce, projectKey);
+  if (!plaintext) {
+    throw new Error("Decryption failed. Invalid key or corrupted data.");
+  }
+  return encodeUTF8(plaintext);
+}
+function encryptProjectKey(projectKey, recipientPublicKey, senderSecretKey) {
+  const nonce = nacl.randomBytes(24);
+  const ciphertext = nacl.box(
+    projectKey,
+    nonce,
+    recipientPublicKey,
+    senderSecretKey
+  );
+  const combined = new Uint8Array(nonce.length + ciphertext.length);
+  combined.set(nonce, 0);
+  combined.set(ciphertext, nonce.length);
+  return encodeBase64(combined);
+}
+
+// src/lib/keystore.ts
+import * as fs2 from "fs";
+import * as path2 from "path";
+import { encodeBase64 as encodeBase642, decodeBase64 as decodeBase642 } from "tweetnacl-util";
+function saveIdentityKeypair(keypair) {
+  ensureConfigDir();
+  const stored = {
+    publicKey: encodeBase642(keypair.publicKey),
+    secretKey: encodeBase642(keypair.secretKey)
+  };
+  const filePath = path2.join(KEYS_DIR, "identity.key");
+  fs2.writeFileSync(filePath, JSON.stringify(stored, null, 2) + "\n", {
+    mode: 384
+  });
+}
+function loadIdentityKeypair() {
+  const filePath = path2.join(KEYS_DIR, "identity.key");
+  try {
+    const raw = fs2.readFileSync(filePath, "utf-8");
+    const stored = JSON.parse(raw);
+    return {
+      publicKey: decodeBase642(stored.publicKey),
+      secretKey: decodeBase642(stored.secretKey)
+    };
+  } catch {
+    return null;
+  }
+}
+function hasIdentityKeypair() {
+  const filePath = path2.join(KEYS_DIR, "identity.key");
+  return fs2.existsSync(filePath);
+}
+function saveProjectKey(projectId, key) {
+  ensureConfigDir();
+  const filePath = path2.join(KEYS_DIR, `${projectId}.key`);
+  fs2.writeFileSync(filePath, encodeBase642(key) + "\n", { mode: 384 });
+}
+function loadProjectKey(projectId) {
+  const filePath = path2.join(KEYS_DIR, `${projectId}.key`);
+  try {
+    const raw = fs2.readFileSync(filePath, "utf-8").trim();
+    return decodeBase642(raw);
+  } catch {
+    return null;
+  }
+}
+
+// src/lib/ui.ts
+import chalk from "chalk";
+import ora from "ora";
+function success(msg) {
+  console.log(chalk.green("\u2714") + " " + msg);
+}
+function error(msg) {
+  console.error(chalk.red("\u2718") + " " + msg);
+}
+function warn(msg) {
+  console.warn(chalk.yellow("\u26A0") + " " + msg);
+}
+function info(msg) {
+  console.log(chalk.blue("\u2139") + " " + msg);
+}
+function createSpinner(text) {
+  return ora({ text });
+}
+
+// src/commands/login.ts
+import { encodeBase64 as encodeBase643 } from "tweetnacl-util";
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function registerLoginCommand(program2) {
+  program2.command("login").description("Authenticate with gitignored").action(async () => {
+    try {
+      ensureConfigDir();
+      const code = crypto.randomBytes(16).toString("hex");
+      const config = getConfig();
+      await apiClient("/api/cli/device", {
+        method: "POST",
+        body: JSON.stringify({ code })
+      });
+      const authUrl = `${config.apiBaseUrl}/auth/device?code=${code}`;
+      info(`Opening browser to authorize...`);
+      await open(authUrl);
+      const spinner = createSpinner("Waiting for authorization...").start();
+      while (true) {
+        await sleep(2e3);
+        try {
+          const status = await apiClient(
+            `/api/cli/device/${code}/status`
+          );
+          if (status.status === "approved" && status.token) {
+            spinner.stop();
+            saveConfig({
+              authToken: status.token,
+              userId: status.userId,
+              email: status.email
+            });
+            if (!hasIdentityKeypair()) {
+              const keypair = generateKeypair();
+              saveIdentityKeypair(keypair);
+              await apiClient("/api/cli/keys", {
+                method: "POST",
+                body: JSON.stringify({
+                  publicKey: encodeBase643(keypair.publicKey)
+                })
+              });
+            }
+            success(`Logged in as ${status.email}`);
+            return;
+          }
+        } catch (err) {
+          if (err instanceof ApiError && err.statusCode === 404) {
+            spinner.stop();
+            error("Device code expired. Please try again.");
+            return;
+          }
+        }
+      }
+    } catch (err) {
+      error(
+        `Login failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/logout.ts
+function registerLogoutCommand(program2) {
+  program2.command("logout").description("Sign out and clear credentials").action(async () => {
+    clearConfig();
+    success("Logged out successfully.");
+  });
+}
+
+// src/commands/whoami.ts
+function registerWhoamiCommand(program2) {
+  program2.command("whoami").description("Show current authenticated user").action(async () => {
+    try {
+      const me = await apiClient("/api/cli/me");
+      success(`Logged in as ${me.email} (${me.userId})`);
+    } catch (err) {
+      if (err instanceof ApiError && err.statusCode === 401) {
+        error("Not logged in. Run `gitignored login` to authenticate.");
+      } else {
+        error(
+          `Failed to fetch user: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/new.ts
+import * as fs3 from "fs";
+import * as path3 from "path";
+import * as readline from "readline";
+function slugify(name) {
+  return name.toLowerCase().trim().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+}
+function promptForName() {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question("Project name: ", (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+function ensureGitignoreEntries(dir, entries) {
+  const gitignorePath = path3.join(dir, ".gitignore");
+  let content = "";
+  try {
+    content = fs3.readFileSync(gitignorePath, "utf-8");
+  } catch {
+  }
+  const lines = content.split("\n");
+  const toAdd = entries.filter((entry) => !lines.includes(entry));
+  if (toAdd.length > 0) {
+    const suffix = content.length > 0 && !content.endsWith("\n") ? "\n" : "";
+    fs3.writeFileSync(
+      gitignorePath,
+      content + suffix + toAdd.join("\n") + "\n"
+    );
+  }
+}
+function registerNewCommand(program2) {
+  program2.command("new").description("Create a new project").option("--name <name>", "Project name").action(async (options) => {
+    try {
+      let name = options.name;
+      if (!name) {
+        name = await promptForName();
+      }
+      if (!name) {
+        error("Project name is required.");
+        process.exitCode = 1;
+        return;
+      }
+      const slug = slugify(name);
+      const keypair = loadIdentityKeypair();
+      if (!keypair) {
+        error(
+          "No identity keypair found. Run `gitignored login` first."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const projectKey = generateProjectKey();
+      const encryptedProjectKey = encryptProjectKey(
+        projectKey,
+        keypair.publicKey,
+        keypair.secretKey
+      );
+      const project = await apiClient(
+        "/api/projects",
+        {
+          method: "POST",
+          body: JSON.stringify({
+            name,
+            slug,
+            encryptedProjectKey
+          })
+        }
+      );
+      saveProjectKey(project.id, projectKey);
+      const cwd = process.cwd();
+      fs3.writeFileSync(
+        path3.join(cwd, ".gitignored.json"),
+        JSON.stringify(
+          { projectId: project.id, projectSlug: project.slug },
+          null,
+          2
+        ) + "\n"
+      );
+      const envSharedPath = path3.join(cwd, ".env.shared");
+      if (!fs3.existsSync(envSharedPath)) {
+        fs3.writeFileSync(envSharedPath, "");
+      }
+      const envLocalPath = path3.join(cwd, ".env.local");
+      if (!fs3.existsSync(envLocalPath)) {
+        fs3.writeFileSync(envLocalPath, "");
+      }
+      ensureGitignoreEntries(cwd, [".env.local", ".gitignored.json"]);
+      success(
+        `Created project "${name}" (${project.slug})`
+      );
+    } catch (err) {
+      error(
+        `Failed to create project: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/push.ts
+import * as fs4 from "fs";
+import * as path4 from "path";
+import * as readline2 from "readline";
+import { decodeBase64 as decodeBase643 } from "tweetnacl-util";
+function countVars(content) {
+  return content.split("\n").filter((line) => {
+    const trimmed = line.trim();
+    return trimmed.length > 0 && !trimmed.startsWith("#");
+  }).length;
+}
+function loadProjectConfig() {
+  try {
+    const raw = fs4.readFileSync(
+      path4.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function saveProjectConfig(config) {
+  fs4.writeFileSync(
+    path4.join(process.cwd(), ".gitignored.json"),
+    JSON.stringify(config, null, 2) + "\n"
+  );
+}
+function prompt(question) {
+  const rl = readline2.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase());
+    });
+  });
+}
+async function syncPendingKeys(projectId) {
+  try {
+    const pending = await apiClient(
+      `/api/projects/${projectId}/members/pending-keys`
+    );
+    if (pending.length === 0) return;
+    const keypair = loadIdentityKeypair();
+    const projectKey = loadProjectKey(projectId);
+    if (!keypair || !projectKey) return;
+    let shared = 0;
+    for (const member of pending) {
+      try {
+        const recipientPublicKey = decodeBase643(member.publicKey);
+        const encrypted = encryptProjectKey(
+          projectKey,
+          recipientPublicKey,
+          keypair.secretKey
+        );
+        await apiClient(
+          `/api/projects/${projectId}/members/${member.userId}/key`,
+          {
+            method: "POST",
+            body: JSON.stringify({ encryptedProjectKey: encrypted })
+          }
+        );
+        shared++;
+      } catch {
+      }
+    }
+    if (shared > 0) {
+      info(`Shared project key with ${shared} new member${shared !== 1 ? "s" : ""}`);
+    }
+  } catch {
+  }
+}
+function registerPushCommand(program2) {
+  program2.command("push").description("Encrypt and push .env to the server").option("-m, --message <message>", "Commit message").option("-f, --force", "Skip conflict warning").action(async (options) => {
+    try {
+      const config = loadProjectConfig();
+      if (!config) {
+        error(
+          "No .gitignored.json found. Run `gitignored new` to create a project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const envPath = path4.join(process.cwd(), ".env.shared");
+      let envContent;
+      try {
+        envContent = fs4.readFileSync(envPath, "utf-8");
+      } catch {
+        error("No .env.shared file found.");
+        process.exitCode = 1;
+        return;
+      }
+      const projectKey = loadProjectKey(config.projectId);
+      if (!projectKey) {
+        error(
+          "No project key found. You may need to be invited to this project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      if (!options.force) {
+        try {
+          const versionResult = await apiClient(
+            `/api/projects/${config.projectId}/env/version`
+          );
+          const localVersion = config.lastPushedVersion ?? 0;
+          if (versionResult.version > localVersion && localVersion > 0) {
+            warn(
+              `Server has v${versionResult.version}, you last pushed v${localVersion}. You may be overwriting changes.`
+            );
+            const answer = await prompt("Continue? [y/N] ");
+            if (answer !== "y" && answer !== "yes") {
+              console.log("  Push cancelled.");
+              return;
+            }
+          }
+        } catch {
+        }
+      }
+      const encryptedPayload = encryptEnv(envContent, projectKey);
+      const result = await apiClient(
+        `/api/projects/${config.projectId}/env`,
+        {
+          method: "POST",
+          body: JSON.stringify({
+            encryptedPayload,
+            message: options.message
+          })
+        }
+      );
+      config.lastPushedVersion = result.version;
+      saveProjectConfig(config);
+      const vars = countVars(envContent);
+      success(`Pushed v${result.version} (${vars} var${vars !== 1 ? "s" : ""})`);
+      await syncPendingKeys(config.projectId);
+    } catch (err) {
+      error(
+        `Push failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/pull.ts
+import * as fs5 from "fs";
+import * as path5 from "path";
+import { decodeBase64 as decodeBase644 } from "tweetnacl-util";
+function countVars2(content) {
+  return content.split("\n").filter((line) => {
+    const trimmed = line.trim();
+    return trimmed.length > 0 && !trimmed.startsWith("#");
+  }).length;
+}
+function loadProjectConfig2() {
+  try {
+    const raw = fs5.readFileSync(
+      path5.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function syncPendingKeys2(projectId) {
+  try {
+    const pending = await apiClient(
+      `/api/projects/${projectId}/members/pending-keys`
+    );
+    if (pending.length === 0) return;
+    const keypair = loadIdentityKeypair();
+    const projectKey = loadProjectKey(projectId);
+    if (!keypair || !projectKey) return;
+    let shared = 0;
+    for (const member of pending) {
+      try {
+        const recipientPublicKey = decodeBase644(member.publicKey);
+        const encrypted = encryptProjectKey(
+          projectKey,
+          recipientPublicKey,
+          keypair.secretKey
+        );
+        await apiClient(
+          `/api/projects/${projectId}/members/${member.userId}/key`,
+          {
+            method: "POST",
+            body: JSON.stringify({ encryptedProjectKey: encrypted })
+          }
+        );
+        shared++;
+      } catch {
+      }
+    }
+    if (shared > 0) {
+      info(`Shared project key with ${shared} new member${shared !== 1 ? "s" : ""}`);
+    }
+  } catch {
+  }
+}
+function registerPullCommand(program2) {
+  program2.command("pull").description("Pull and decrypt .env from the server").option("--token <token>", "Auth token (for CI/CD)").option("--project <slug>", "Project slug (for CI/CD)").action(async (options) => {
+    try {
+      if (options.token) {
+        process.env.GITIGNORED_TOKEN = options.token;
+      }
+      let projectId;
+      if (options.project) {
+        const result2 = await apiClient(
+          "/api/projects"
+        );
+        const projects = Array.isArray(result2) ? result2 : result2.projects;
+        const project = projects?.find((p) => p.slug === options.project);
+        if (!project) {
+          error(`Project "${options.project}" not found.`);
+          process.exitCode = 1;
+          return;
+        }
+        projectId = project.id;
+      } else {
+        const config = loadProjectConfig2();
+        if (!config) {
+          error(
+            "No .gitignored.json found. Run `gitignored new` to create a project, or use --project <slug>."
+          );
+          process.exitCode = 1;
+          return;
+        }
+        projectId = config.projectId;
+      }
+      const projectKey = loadProjectKey(projectId);
+      if (!projectKey) {
+        error(
+          "No project key found. You may need to be invited to this project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const result = await apiClient(
+        `/api/projects/${projectId}/env`
+      );
+      if (!result.encryptedPayload) {
+        error("No environment snapshot found. Run `gitignored push` first.");
+        process.exitCode = 1;
+        return;
+      }
+      const decrypted = decryptEnv(result.encryptedPayload, projectKey);
+      fs5.writeFileSync(
+        path5.join(process.cwd(), ".env.shared"),
+        decrypted
+      );
+      const vars = countVars2(decrypted);
+      success(`Pulled v${result.version} (${vars} var${vars !== 1 ? "s" : ""})`);
+      await syncPendingKeys2(projectId);
+    } catch (err) {
+      error(
+        `Pull failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/invite.ts
+import * as fs6 from "fs";
+import * as path6 from "path";
+function loadProjectConfig3() {
+  try {
+    const raw = fs6.readFileSync(
+      path6.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function registerInviteCommand(program2) {
+  program2.command("invite <email>").description("Invite a team member to a project").option("--role <role>", "Role to assign (member, readonly)", "member").action(async (email, options) => {
+    try {
+      const config = loadProjectConfig3();
+      if (!config) {
+        error(
+          "No .gitignored.json found. Run `gitignored new` to create a project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const invitation = await apiClient(
+        `/api/projects/${config.projectId}/invitations`,
+        {
+          method: "POST",
+          body: JSON.stringify({ email, role: options.role })
+        }
+      );
+      success(`Invitation sent to ${invitation.email} (${invitation.role})`);
+    } catch (err) {
+      error(
+        `Invite failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/members.ts
+import * as fs7 from "fs";
+import * as path7 from "path";
+import chalk2 from "chalk";
+function loadProjectConfig4() {
+  try {
+    const raw = fs7.readFileSync(
+      path7.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function formatDate(dateStr) {
+  const d = new Date(dateStr);
+  return d.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "short",
+    day: "numeric"
+  });
+}
+function registerMembersCommand(program2) {
+  program2.command("members").description("List project members").action(async () => {
+    try {
+      const config = loadProjectConfig4();
+      if (!config) {
+        error(
+          "No .gitignored.json found. Run `gitignored new` to create a project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const members = await apiClient(
+        `/api/projects/${config.projectId}/members`
+      );
+      if (members.length === 0) {
+        info("No members found.");
+      } else {
+        console.log(chalk2.bold("\nMembers:"));
+        for (const m of members) {
+          const role = chalk2.dim(`(${m.role})`);
+          const joined = chalk2.dim(`joined ${formatDate(m.joinedAt)}`);
+          console.log(`  ${m.userId}  ${role}  ${joined}`);
+        }
+      }
+      const invitations = await apiClient(
+        `/api/projects/${config.projectId}/invitations`
+      );
+      const pending = invitations.filter(
+        (inv) => !inv.accepted && new Date(inv.expiresAt) > /* @__PURE__ */ new Date()
+      );
+      if (pending.length > 0) {
+        console.log(chalk2.bold("\nPending Invitations:"));
+        for (const inv of pending) {
+          const role = chalk2.dim(`(${inv.role})`);
+          const expires = chalk2.dim(`expires ${formatDate(inv.expiresAt)}`);
+          console.log(`  ${inv.email}  ${role}  ${expires}`);
+        }
+      }
+      console.log("");
+    } catch (err) {
+      error(
+        `Failed to list members: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/list.ts
+import chalk3 from "chalk";
+function formatDate2(dateStr) {
+  if (!dateStr) return chalk3.dim("\u2014");
+  const date = new Date(dateStr);
+  return date.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "short",
+    day: "numeric"
+  });
+}
+function registerListCommand(program2) {
+  program2.command("list").description("List all projects").action(async () => {
+    try {
+      const result = await apiClient(
+        "/api/projects"
+      );
+      const projects = Array.isArray(result) ? result : result.projects;
+      if (!projects || projects.length === 0) {
+        console.log(chalk3.dim("  No projects found. Run `gitignored new` to create one."));
+        return;
+      }
+      console.log();
+      console.log(chalk3.bold("  Your projects"));
+      console.log();
+      console.log(
+        "  " + chalk3.dim(
+          "NAME".padEnd(24) + "SLUG".padEnd(20) + "ROLE".padEnd(12) + "MEMBERS".padEnd(10) + "UPDATED"
+        )
+      );
+      console.log("  " + chalk3.dim("-".repeat(78)));
+      for (const project of projects) {
+        const name = project.name.padEnd(24);
+        const slug = chalk3.cyan(project.slug.padEnd(20));
+        const role = (project.role || "owner").padEnd(12);
+        const members = String(project.memberCount ?? "\u2014").padEnd(10);
+        const updated = chalk3.dim(formatDate2(project.updatedAt || project.createdAt));
+        console.log(`  ${name}${slug}${role}${members}${updated}`);
+      }
+      console.log();
+    } catch (err) {
+      error(
+        `List failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/switch.ts
+import * as fs8 from "fs";
+import * as path8 from "path";
+function countVars3(content) {
+  return content.split("\n").filter((line) => {
+    const trimmed = line.trim();
+    return trimmed.length > 0 && !trimmed.startsWith("#");
+  }).length;
+}
+function registerSwitchCommand(program2) {
+  program2.command("switch <slug>").description("Switch active project").action(async (slug) => {
+    try {
+      const result = await apiClient(
+        "/api/projects"
+      );
+      const projects = Array.isArray(result) ? result : result.projects;
+      const project = projects?.find((p) => p.slug === slug);
+      if (!project) {
+        error(`Project "${slug}" not found.`);
+        process.exitCode = 1;
+        return;
+      }
+      const configPath = path8.join(process.cwd(), ".gitignored.json");
+      const configData = {
+        projectId: project.id,
+        projectSlug: project.slug
+      };
+      fs8.writeFileSync(configPath, JSON.stringify(configData, null, 2) + "\n");
+      const projectKey = loadProjectKey(project.id);
+      if (!projectKey) {
+        warn(
+          "No project key found locally. You may need to be invited to this project."
+        );
+        success(`Switched to ${project.name} (${project.slug})`);
+        return;
+      }
+      try {
+        const pullResult = await apiClient(
+          `/api/projects/${project.id}/env`
+        );
+        if (pullResult.encryptedPayload) {
+          const decrypted = decryptEnv(pullResult.encryptedPayload, projectKey);
+          fs8.writeFileSync(
+            path8.join(process.cwd(), ".env.shared"),
+            decrypted
+          );
+          const vars = countVars3(decrypted);
+          info(`Pulled v${pullResult.version} (${vars} var${vars !== 1 ? "s" : ""})`);
+        }
+      } catch {
+        warn("Could not pull latest .env.shared. Run `gitignored pull` manually.");
+      }
+      success(`Switched to ${project.name} (${project.slug})`);
+    } catch (err) {
+      error(
+        `Switch failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/log.ts
+import * as fs9 from "fs";
+import * as path9 from "path";
+import chalk4 from "chalk";
+function loadProjectConfig5() {
+  try {
+    const raw = fs9.readFileSync(
+      path9.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function formatDate3(dateStr) {
+  const date = new Date(dateStr);
+  const now = /* @__PURE__ */ new Date();
+  const diffMs = now.getTime() - date.getTime();
+  const diffDays = Math.floor(diffMs / (1e3 * 60 * 60 * 24));
+  if (diffDays === 0) {
+    const diffHours = Math.floor(diffMs / (1e3 * 60 * 60));
+    if (diffHours === 0) {
+      const diffMins = Math.floor(diffMs / (1e3 * 60));
+      return diffMins <= 1 ? "just now" : `${diffMins} minutes ago`;
+    }
+    return `${diffHours} hour${diffHours !== 1 ? "s" : ""} ago`;
+  }
+  if (diffDays === 1) return "yesterday";
+  if (diffDays < 7) return `${diffDays} days ago`;
+  return date.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "short",
+    day: "numeric"
+  });
+}
+function registerLogCommand(program2) {
+  program2.command("log").description("Show push history for the project").option("-a, --all", "Show full history").action(async (options) => {
+    try {
+      const config = loadProjectConfig5();
+      if (!config) {
+        error(
+          "No .gitignored.json found. Run `gitignored new` to create a project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const limit = options.all ? 100 : 20;
+      let page = 1;
+      const allSnapshots = [];
+      while (true) {
+        const result = await apiClient(
+          `/api/projects/${config.projectId}/env/history?page=${page}&limit=${limit}`
+        );
+        allSnapshots.push(...result.snapshots);
+        if (!options.all || allSnapshots.length >= result.total) break;
+        page++;
+      }
+      if (allSnapshots.length === 0) {
+        console.log(chalk4.dim("  No history found. Run `gitignored push` to create the first snapshot."));
+        return;
+      }
+      console.log();
+      console.log(chalk4.bold(`  History for ${config.projectSlug}`));
+      console.log();
+      console.log(
+        "  " + chalk4.dim(
+          "VERSION".padEnd(10) + "AUTHOR".padEnd(28) + "MESSAGE".padEnd(32) + "DATE"
+        )
+      );
+      console.log("  " + chalk4.dim("-".repeat(85)));
+      for (const entry of allSnapshots) {
+        const version = chalk4.cyan(`v${entry.version}`.padEnd(10));
+        const author = (entry.author?.email || entry.authorId || "unknown").padEnd(28);
+        const message = (entry.message || chalk4.dim("no message")).toString().padEnd(32);
+        const date = chalk4.dim(formatDate3(entry.createdAt));
+        console.log(`  ${version}${author}${message}${date}`);
+      }
+      console.log();
+    } catch (err) {
+      error(
+        `Log failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/rollback.ts
+import * as fs10 from "fs";
+import * as path10 from "path";
+import * as readline3 from "readline";
+import chalk5 from "chalk";
+function loadProjectConfig6() {
+  try {
+    const raw = fs10.readFileSync(
+      path10.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function prompt2(question) {
+  const rl = readline3.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase());
+    });
+  });
+}
+function showDiff(currentContent, oldContent) {
+  const currentLines = currentContent.split("\n").filter((l) => l.trim() && !l.trim().startsWith("#"));
+  const oldLines = oldContent.split("\n").filter((l) => l.trim() && !l.trim().startsWith("#"));
+  const currentSet = new Set(currentLines);
+  const oldSet = new Set(oldLines);
+  const removed = currentLines.filter((l) => !oldSet.has(l));
+  const added = oldLines.filter((l) => !currentSet.has(l));
+  if (removed.length === 0 && added.length === 0) {
+    console.log(chalk5.dim("  No differences detected."));
+    return;
+  }
+  console.log();
+  for (const line of removed) {
+    console.log(chalk5.red(`  - ${line}`));
+  }
+  for (const line of added) {
+    console.log(chalk5.green(`  + ${line}`));
+  }
+  console.log();
+}
+function registerRollbackCommand(program2) {
+  program2.command("rollback <version>").description("Rollback to a previous version").action(async (versionStr) => {
+    try {
+      const version = parseInt(versionStr, 10);
+      if (isNaN(version) || version < 1) {
+        error("Version must be a positive integer.");
+        process.exitCode = 1;
+        return;
+      }
+      const config = loadProjectConfig6();
+      if (!config) {
+        error(
+          "No .gitignored.json found. Run `gitignored new` to create a project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const projectKey = loadProjectKey(config.projectId);
+      if (!projectKey) {
+        error(
+          "No project key found. You may need to be invited to this project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const oldSnapshot = await apiClient(
+        `/api/projects/${config.projectId}/env/${version}`
+      );
+      if (!oldSnapshot.encryptedPayload) {
+        error(`Version ${version} not found.`);
+        process.exitCode = 1;
+        return;
+      }
+      const oldContent = decryptEnv(oldSnapshot.encryptedPayload, projectKey);
+      const envPath = path10.join(process.cwd(), ".env.shared");
+      let currentContent = "";
+      try {
+        currentContent = fs10.readFileSync(envPath, "utf-8");
+      } catch {
+      }
+      if (currentContent) {
+        console.log(chalk5.bold(`
+  Changes from current to v${version}:`));
+        showDiff(currentContent, oldContent);
+      } else {
+        warn("No local .env.shared found. Will create one from the rollback.");
+      }
+      const answer = await prompt2(`Rollback to v${version}? [y/N] `);
+      if (answer !== "y" && answer !== "yes") {
+        console.log(chalk5.dim("  Rollback cancelled."));
+        return;
+      }
+      const encryptedPayload = encryptEnv(oldContent, projectKey);
+      const result = await apiClient(
+        `/api/projects/${config.projectId}/env`,
+        {
+          method: "POST",
+          body: JSON.stringify({
+            encryptedPayload,
+            message: `Rollback to v${version}`
+          })
+        }
+      );
+      fs10.writeFileSync(envPath, oldContent);
+      success(`Rolled back to v${version} (pushed as v${result.version})`);
+    } catch (err) {
+      error(
+        `Rollback failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/diff.ts
+import * as fs11 from "fs";
+import * as path11 from "path";
+import chalk6 from "chalk";
+function loadProjectConfig7() {
+  try {
+    const raw = fs11.readFileSync(
+      path11.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function parseEnvContent(content) {
+  const map = /* @__PURE__ */ new Map();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const value = trimmed.slice(eqIdx + 1).trim();
+    map.set(key, value);
+  }
+  return map;
+}
+function registerDiffCommand(program2) {
+  program2.command("diff").description("Compare local .env with remote version").action(async () => {
+    try {
+      const config = loadProjectConfig7();
+      if (!config) {
+        error(
+          "No .gitignored.json found. Run `gitignored new` to create a project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const projectKey = loadProjectKey(config.projectId);
+      if (!projectKey) {
+        error(
+          "No project key found. You may need to be invited to this project."
+        );
+        process.exitCode = 1;
+        return;
+      }
+      const envPath = path11.join(process.cwd(), ".env.shared");
+      let localContent;
+      try {
+        localContent = fs11.readFileSync(envPath, "utf-8");
+      } catch {
+        error("No .env.shared file found locally.");
+        process.exitCode = 1;
+        return;
+      }
+      const result = await apiClient(
+        `/api/projects/${config.projectId}/env`
+      );
+      if (!result.encryptedPayload) {
+        error("No environment snapshot found on server.");
+        process.exitCode = 1;
+        return;
+      }
+      const remoteContent = decryptEnv(result.encryptedPayload, projectKey);
+      const localVars = parseEnvContent(localContent);
+      const remoteVars = parseEnvContent(remoteContent);
+      const added = [];
+      const removed = [];
+      const changed = [];
+      for (const [key, value] of remoteVars) {
+        if (!localVars.has(key)) {
+          added.push(`${key}=${value}`);
+        } else if (localVars.get(key) !== value) {
+          changed.push({ key, local: localVars.get(key), remote: value });
+        }
+      }
+      for (const key of localVars.keys()) {
+        if (!remoteVars.has(key)) {
+          removed.push(`${key}=${localVars.get(key)}`);
+        }
+      }
+      if (added.length === 0 && removed.length === 0 && changed.length === 0) {
+        info("Local and remote are in sync.");
+        return;
+      }
+      console.log();
+      console.log(chalk6.bold(`  Diff: local vs server (v${result.version})`));
+      console.log();
+      if (added.length > 0) {
+        console.log(chalk6.green.bold("  Added on server:"));
+        for (const line of added) {
+          console.log(chalk6.green(`    + ${line}`));
+        }
+        console.log();
+      }
+      if (removed.length > 0) {
+        console.log(chalk6.red.bold("  Only in local:"));
+        for (const line of removed) {
+          console.log(chalk6.red(`    - ${line}`));
+        }
+        console.log();
+      }
+      if (changed.length > 0) {
+        console.log(chalk6.yellow.bold("  Changed:"));
+        for (const { key, local, remote } of changed) {
+          console.log(chalk6.yellow(`    ~ ${key}`));
+          console.log(chalk6.red(`      local:  ${local}`));
+          console.log(chalk6.green(`      remote: ${remote}`));
+        }
+        console.log();
+      }
+    } catch (err) {
+      error(
+        `Diff failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/start.ts
+import * as fs12 from "fs";
+import * as path12 from "path";
+import * as readline4 from "readline";
+import chalk7 from "chalk";
+function countVars4(content) {
+  return content.split("\n").filter((line) => {
+    const trimmed = line.trim();
+    return trimmed.length > 0 && !trimmed.startsWith("#");
+  }).length;
+}
+function loadProjectConfig8() {
+  try {
+    const raw = fs12.readFileSync(
+      path12.join(process.cwd(), ".gitignored.json"),
+      "utf-8"
+    );
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function prompt3(question) {
+  const rl = readline4.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase());
+    });
+  });
+}
+function registerStartCommand(program2) {
+  program2.command("start").description("Watch mode: sync .env changes in real-time").action(async () => {
+    const configResult = loadProjectConfig8();
+    if (!configResult) {
+      error(
+        "No .gitignored.json found. Run `gitignored new` to create a project."
+      );
+      process.exitCode = 1;
+      return;
+    }
+    const keyResult = loadProjectKey(configResult.projectId);
+    if (!keyResult) {
+      error(
+        "No project key found. You may need to be invited to this project."
+      );
+      process.exitCode = 1;
+      return;
+    }
+    const config = configResult;
+    const projectKey = keyResult;
+    const envPath = path12.join(process.cwd(), ".env.shared");
+    let localVersion = 0;
+    let isPushing = false;
+    let isPrompting = false;
+    try {
+      const result = await apiClient(
+        `/api/projects/${config.projectId}/env`
+      );
+      if (result.encryptedPayload) {
+        const decrypted = decryptEnv(result.encryptedPayload, projectKey);
+        fs12.writeFileSync(envPath, decrypted);
+        localVersion = result.version;
+        const vars = countVars4(decrypted);
+        success(`Pulled v${result.version} (${vars} var${vars !== 1 ? "s" : ""})`);
+      } else {
+        info("No remote snapshot found. Watching for local changes.");
+      }
+    } catch (err) {
+      warn(
+        `Could not pull latest: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    console.log();
+    console.log(chalk7.cyan("  Watching for changes... (Ctrl+C to stop)"));
+    console.log();
+    const pollInterval = setInterval(async () => {
+      if (isPushing || isPrompting) return;
+      try {
+        const versionResult = await apiClient(
+          `/api/projects/${config.projectId}/env/version`
+        );
+        if (versionResult.version > localVersion) {
+          info(`New version detected: v${versionResult.version}`);
+          const pullResult = await apiClient(
+            `/api/projects/${config.projectId}/env`
+          );
+          if (pullResult.encryptedPayload) {
+            const decrypted = decryptEnv(pullResult.encryptedPayload, projectKey);
+            if (watcher) {
+              watcher.close();
+            }
+            fs12.writeFileSync(envPath, decrypted);
+            localVersion = pullResult.version;
+            const vars = countVars4(decrypted);
+            success(`Auto-pulled v${pullResult.version} (${vars} var${vars !== 1 ? "s" : ""})`);
+            watcher = startWatcher();
+          }
+        }
+      } catch {
+      }
+    }, 1e4);
+    function startWatcher() {
+      try {
+        return fs12.watch(envPath, { persistent: true }, async (_eventType) => {
+          if (isPushing || isPrompting) return;
+          await new Promise((r) => setTimeout(r, 200));
+          isPrompting = true;
+          try {
+            const answer = await prompt3("  Local changes detected. Push? [y/N] ");
+            if (answer === "y" || answer === "yes") {
+              isPushing = true;
+              try {
+                const content = fs12.readFileSync(envPath, "utf-8");
+                const encryptedPayload = encryptEnv(content, projectKey);
+                const result = await apiClient(
+                  `/api/projects/${config.projectId}/env`,
+                  {
+                    method: "POST",
+                    body: JSON.stringify({ encryptedPayload })
+                  }
+                );
+                localVersion = result.version;
+                const vars = countVars4(content);
+                success(`Pushed v${result.version} (${vars} var${vars !== 1 ? "s" : ""})`);
+              } catch (pushErr) {
+                error(
+                  `Push failed: ${pushErr instanceof Error ? pushErr.message : String(pushErr)}`
+                );
+              } finally {
+                isPushing = false;
+              }
+            }
+          } finally {
+            isPrompting = false;
+          }
+        });
+      } catch {
+        return null;
+      }
+    }
+    let watcher = startWatcher();
+    const cleanup = () => {
+      console.log();
+      info("Stopping watch mode. Goodbye!");
+      clearInterval(pollInterval);
+      if (watcher) {
+        watcher.close();
+      }
+      process.exit(0);
+    };
+    process.on("SIGINT", cleanup);
+    process.on("SIGTERM", cleanup);
+  });
+}
+
+// src/commands/keys.ts
+function registerKeysCommand(program2) {
+  const keys = program2.command("keys").description("Manage encryption keys");
+  keys.command("sync").description("Sync encryption keys with the server").action(async () => {
+    info("Not implemented yet");
+  });
+}
+
+// src/index.ts
+var program = new Command();
+program.name("gitignored").description("Zero-knowledge .env sharing for developer teams").version("0.1.0");
+registerLoginCommand(program);
+registerLogoutCommand(program);
+registerWhoamiCommand(program);
+registerNewCommand(program);
+registerPushCommand(program);
+registerPullCommand(program);
+registerInviteCommand(program);
+registerMembersCommand(program);
+registerListCommand(program);
+registerSwitchCommand(program);
+registerLogCommand(program);
+registerRollbackCommand(program);
+registerDiffCommand(program);
+registerStartCommand(program);
+registerKeysCommand(program);
+program.parse(process.argv);