keyra-cli 0.1.0 → 0.1.2

package/cli/dist/index.js

@@ -0,0 +1,1147 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command as Command12 } from "commander";
+import chalk12 from "chalk";
+
+// src/commands/login.ts
+import { Command } from "commander";
+import inquirer from "inquirer";
+import open from "open";
+import chalk2 from "chalk";
+
+// src/lib/config.ts
+import fs from "fs";
+import path from "path";
+import os from "os";
+var CONFIG_DIR = path.join(os.homedir(), ".keyra");
+var CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
+var PROJECT_CONFIG_FILE = ".keyra.json";
+function ensureConfigDir() {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+}
+function loadConfig() {
+  ensureConfigDir();
+  if (!fs.existsSync(CONFIG_FILE)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveConfig(partial) {
+  ensureConfigDir();
+  const existing = loadConfig();
+  const merged = { ...existing, ...partial };
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2));
+}
+function clearConfig() {
+  ensureConfigDir();
+  if (fs.existsSync(CONFIG_FILE)) {
+    fs.unlinkSync(CONFIG_FILE);
+  }
+}
+function isLoggedIn() {
+  const config = loadConfig();
+  return !!(config.accessToken && config.passphrase);
+}
+function requireAuth() {
+  const config = loadConfig();
+  if (!config.accessToken || !config.passphrase) {
+    throw new Error("Not logged in. Run `keyra-cli login` first.");
+  }
+  return {
+    apiUrl: config.apiUrl || "http://localhost:3000",
+    accessToken: config.accessToken,
+    passphrase: config.passphrase
+  };
+}
+function loadProjectConfig() {
+  const filePath = path.join(process.cwd(), PROJECT_CONFIG_FILE);
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function saveProjectConfig(data) {
+  const filePath = path.join(process.cwd(), PROJECT_CONFIG_FILE);
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+}
+function hasProjectConfig() {
+  return fs.existsSync(path.join(process.cwd(), PROJECT_CONFIG_FILE));
+}
+function requireProjectConfig() {
+  const config = loadProjectConfig();
+  if (!config) {
+    throw new Error("Not in a Keyra project. Run `keyra-cli init` first.");
+  }
+  return config;
+}
+function addToGitignore(entry) {
+  const gitignorePath = path.join(process.cwd(), ".gitignore");
+  if (fs.existsSync(gitignorePath)) {
+    const content = fs.readFileSync(gitignorePath, "utf-8");
+    if (!content.includes(entry)) {
+      fs.appendFileSync(gitignorePath, `
+${entry}
+`);
+    }
+  } else {
+    fs.writeFileSync(gitignorePath, `${entry}
+`);
+  }
+}
+
+// src/lib/api.ts
+function getBaseUrl() {
+  const config = loadConfig();
+  return config.apiUrl || "http://localhost:3000";
+}
+function getHeaders() {
+  const config = loadConfig();
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  if (config.accessToken) {
+    headers["Authorization"] = `Bearer ${config.accessToken}`;
+  }
+  return headers;
+}
+async function handleResponse(res) {
+  if (res.status === 401) {
+    throw new Error("Session expired. Run `keyra-cli login` to re-authenticate.");
+  }
+  if (res.status === 403) {
+    const data = await res.json().catch(() => ({}));
+    const msg = data.error || "";
+    if (msg.toLowerCase().includes("project")) {
+      throw new Error(
+        "Project limit reached for your plan.\n  Upgrade at keyra.dev/dashboard/settings for more projects."
+      );
+    }
+    if (msg.toLowerCase().includes("variable") || msg.toLowerCase().includes("vars")) {
+      throw new Error(
+        "Variable limit reached for this project.\n  Upgrade at keyra.dev/dashboard/settings for more variables."
+      );
+    }
+    if (msg.toLowerCase().includes("sharing") || msg.toLowerCase().includes("share")) {
+      throw new Error(
+        "Sharing requires a Pro plan.\n  Upgrade at keyra.dev/dashboard/settings to enable sharing."
+      );
+    }
+    if (data.upgrade) {
+      throw new Error(
+        `${msg || "Plan limit reached."}
+  Upgrade at keyra.dev/dashboard/settings`
+      );
+    }
+    throw new Error(msg || "Access denied.");
+  }
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Request failed with status ${res.status}`);
+  }
+  return res.json();
+}
+async function apiGet(path7) {
+  const res = await fetch(`${getBaseUrl()}${path7}`, {
+    method: "GET",
+    headers: getHeaders()
+  }).catch(() => {
+    throw new Error("Can't reach server. Check your connection.");
+  });
+  return handleResponse(res);
+}
+async function apiPost(path7, body) {
+  const res = await fetch(`${getBaseUrl()}${path7}`, {
+    method: "POST",
+    headers: getHeaders(),
+    body: JSON.stringify(body)
+  }).catch(() => {
+    throw new Error("Can't reach server. Check your connection.");
+  });
+  return handleResponse(res);
+}
+async function createDeviceCode() {
+  return apiPost("/api/cli/auth", {});
+}
+async function pollAuth(deviceCode) {
+  return apiGet(`/api/cli/auth?code=${deviceCode}`);
+}
+async function getProjects() {
+  return apiGet("/api/projects");
+}
+async function createProject(name, description) {
+  return apiPost("/api/projects", { name, description });
+}
+async function getVaultEntries(projectId) {
+  return apiGet(`/api/vault?project_id=${projectId}`);
+}
+async function upsertVaultEntries(projectId, entries) {
+  await apiPost("/api/vault/sync", { projectId, entries });
+}
+async function createShareLink(data) {
+  return apiPost("/api/share", data);
+}
+
+// src/lib/ui.ts
+import readline from "readline";
+import chalk from "chalk";
+import ora from "ora";
+import boxen from "boxen";
+var spinner = (text) => ora({ text, color: "green" });
+var success = (text) => console.log(chalk.green("\u2713"), text);
+var error = (text) => console.log(chalk.red("\u2717"), text);
+var warning = (text) => console.log(chalk.yellow("\u26A0"), text);
+var info = (text) => console.log(chalk.blue("\u2139"), text);
+function banner() {
+  console.log(
+    boxen(
+      chalk.green.bold("Keyra") + chalk.dim(" v0.1.0") + "\n" + chalk.dim("Encrypted .env vault"),
+      {
+        padding: 1,
+        margin: 1,
+        borderStyle: "round",
+        borderColor: "green"
+      }
+    )
+  );
+}
+function printTable(rows) {
+  const maxKeyLen = Math.max(...rows.map((r) => r.key.length), 3);
+  for (const row of rows) {
+    const dots = ".".repeat(Math.max(1, maxKeyLen - row.key.length + 3));
+    const statusIcon = row.status === "present" ? chalk.green("\u2713") : row.status === "missing" ? chalk.red("\u2717") : row.status === "empty" ? chalk.red("\u2717") : chalk.dim("\xB7");
+    const statusText = row.status === "present" ? chalk.green(row.value) : row.status === "missing" ? chalk.red(row.value) : row.status === "empty" ? chalk.red(row.value) : chalk.dim(row.value);
+    console.log(`  ${statusIcon} ${chalk.bold(row.key)} ${chalk.dim(dots)} ${statusText}`);
+  }
+}
+function printBox(content, color = "green") {
+  console.log(
+    boxen(content, {
+      padding: 1,
+      margin: { top: 1, bottom: 1, left: 0, right: 0 },
+      borderStyle: "round",
+      borderColor: color
+    })
+  );
+}
+function promptSecret(question) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+
+// src/commands/login.ts
+var loginCommand = new Command("login").description("Authenticate with Keyra via browser").option("--api-url <url>", "API URL", "https://keyra.dev").action(async (options) => {
+  banner();
+  const baseUrl = options.apiUrl;
+  saveConfig({ apiUrl: baseUrl });
+  const s = spinner("Creating device code...");
+  s.start();
+  let deviceCode;
+  try {
+    const result = await createDeviceCode();
+    deviceCode = result.deviceCode;
+    s.stop();
+  } catch (err) {
+    s.stop();
+    error(err.message);
+    return;
+  }
+  const authUrl = `${baseUrl}/cli/auth?code=${deviceCode}`;
+  console.log();
+  console.log(chalk2.dim("  Opening browser to authenticate..."));
+  console.log(chalk2.dim(`  ${authUrl}`));
+  console.log();
+  try {
+    await open(authUrl);
+  } catch {
+    console.log(chalk2.yellow("  Could not open browser automatically."));
+    console.log(chalk2.yellow(`  Open this URL manually: ${authUrl}`));
+  }
+  const pollSpinner = spinner("Waiting for you to sign in...");
+  pollSpinner.start();
+  const maxAttempts = 150;
+  let accessToken;
+  for (let i = 0; i < maxAttempts; i++) {
+    await new Promise((resolve) => setTimeout(resolve, 2e3));
+    try {
+      const result = await pollAuth(deviceCode);
+      if (result.status === "authorized" && result.accessToken) {
+        accessToken = result.accessToken;
+        break;
+      }
+      if (result.status === "expired") {
+        pollSpinner.stop();
+        error("Authentication timed out. Please try again.");
+        return;
+      }
+    } catch {
+    }
+  }
+  pollSpinner.stop();
+  if (!accessToken) {
+    error("Authentication timed out. Please try again.");
+    return;
+  }
+  success("Signed in successfully!");
+  console.log();
+  const { passphrase } = await inquirer.prompt([
+    {
+      type: "password",
+      name: "passphrase",
+      message: "Enter an encryption passphrase (this encrypts your secrets locally \u2014 remember it!):",
+      mask: "*",
+      validate: (input) => input.length >= 4 || "Passphrase must be at least 4 characters"
+    }
+  ]);
+  const { confirm } = await inquirer.prompt([
+    {
+      type: "password",
+      name: "confirm",
+      message: "Confirm passphrase:",
+      mask: "*",
+      validate: (input) => input === passphrase || "Passphrases do not match"
+    }
+  ]);
+  saveConfig({
+    apiUrl: baseUrl,
+    accessToken,
+    passphrase
+  });
+  printBox(
+    chalk2.green.bold("You're logged in!") + "\n\n" + chalk2.dim("Run ") + chalk2.white("keyra-cli init") + chalk2.dim(" in a project to get started.")
+  );
+});
+
+// src/commands/logout.ts
+import { Command as Command2 } from "commander";
+var logoutCommand = new Command2("logout").description("Clear stored credentials").action(() => {
+  clearConfig();
+  success("Logged out. Your vault data is still safe in the cloud.");
+});
+
+// src/commands/init.ts
+import { Command as Command3 } from "commander";
+import path3 from "path";
+import inquirer2 from "inquirer";
+import chalk3 from "chalk";
+
+// src/lib/env-file.ts
+import fs2 from "fs";
+import path2 from "path";
+function parseEnvFile(content) {
+  const vars = {};
+  const lines = content.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.substring(0, eqIndex).trim();
+    let value = trimmed.substring(eqIndex + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key) {
+      vars[key] = value;
+    }
+  }
+  return vars;
+}
+function toEnvFileString(vars) {
+  const keys = Object.keys(vars).sort();
+  return keys.map((key) => `${key}=${vars[key]}`).join("\n") + "\n";
+}
+var ENV_FILES = [".env", ".env.local", ".env.development"];
+function readEnvFile(dir) {
+  const baseDir = dir || process.cwd();
+  for (const filename of ENV_FILES) {
+    const filePath = path2.join(baseDir, filename);
+    if (fs2.existsSync(filePath)) {
+      const content = fs2.readFileSync(filePath, "utf-8");
+      return { vars: parseEnvFile(content), filename };
+    }
+  }
+  return null;
+}
+function writeEnvFile(vars, dir, filename = ".env") {
+  const baseDir = dir || process.cwd();
+  const filePath = path2.join(baseDir, filename);
+  fs2.writeFileSync(filePath, toEnvFileString(vars));
+}
+
+// src/lib/encryption.ts
+import crypto from "crypto";
+function encrypt(text, passphrase) {
+  const salt = crypto.randomBytes(16);
+  const key = crypto.pbkdf2Sync(passphrase, salt, 1e5, 32, "sha256");
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+  let encrypted = cipher.update(text, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  const authTag = cipher.getAuthTag().toString("hex");
+  return {
+    encrypted,
+    iv: iv.toString("hex"),
+    salt: salt.toString("hex"),
+    authTag
+  };
+}
+function decrypt(encrypted, iv, salt, authTag, passphrase) {
+  const key = crypto.pbkdf2Sync(
+    passphrase,
+    Buffer.from(salt, "hex"),
+    1e5,
+    32,
+    "sha256"
+  );
+  const decipher = crypto.createDecipheriv(
+    "aes-256-gcm",
+    key,
+    Buffer.from(iv, "hex")
+  );
+  decipher.setAuthTag(Buffer.from(authTag, "hex"));
+  let decrypted = decipher.update(encrypted, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+  return decrypted;
+}
+
+// src/commands/init.ts
+var initCommand = new Command3("init").description("Link current directory to a Keyra project").action(async () => {
+  let config;
+  try {
+    config = requireAuth();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  if (hasProjectConfig()) {
+    const existing = loadProjectConfig();
+    info(
+      `This project is already linked to vault project: ${chalk3.bold(existing?.projectName)}`
+    );
+    info("Run `keyra-cli push` or `keyra-cli pull` to sync.");
+    return;
+  }
+  const folderName = path3.basename(process.cwd());
+  const { name } = await inquirer2.prompt([
+    {
+      type: "input",
+      name: "name",
+      message: "Project name:",
+      default: folderName,
+      validate: (input) => input.trim().length > 0 || "Name is required"
+    }
+  ]);
+  const s = spinner("Creating project...");
+  s.start();
+  let project;
+  try {
+    project = await createProject(name.trim());
+    s.stop();
+    success(`Project "${project.name}" created`);
+  } catch (err) {
+    s.stop();
+    error(err.message);
+    return;
+  }
+  const envData = readEnvFile();
+  if (envData) {
+    const varCount = Object.keys(envData.vars).length;
+    const { importVars } = await inquirer2.prompt([
+      {
+        type: "confirm",
+        name: "importVars",
+        message: `Found ${envData.filename} with ${varCount} variable${varCount !== 1 ? "s" : ""}. Import them to your vault?`,
+        default: true
+      }
+    ]);
+    if (importVars) {
+      const uploadSpinner = spinner("Encrypting and uploading...");
+      uploadSpinner.start();
+      try {
+        const entries = Object.entries(envData.vars).map(([key, value]) => {
+          const encrypted = encrypt(value, config.passphrase);
+          return {
+            key_name: key,
+            encrypted_value: encrypted.encrypted,
+            iv: encrypted.iv,
+            salt: encrypted.salt,
+            auth_tag: encrypted.authTag,
+            category: guessCategory(key)
+          };
+        });
+        await upsertVaultEntries(project.id, entries);
+        uploadSpinner.stop();
+        success(`Imported ${entries.length} variable${entries.length !== 1 ? "s" : ""} to vault`);
+      } catch (err) {
+        uploadSpinner.stop();
+        error(`Failed to import: ${err.message}`);
+      }
+    }
+  }
+  saveProjectConfig({
+    projectId: project.id,
+    projectName: project.name
+  });
+  addToGitignore(".keyra.json");
+  printBox(
+    chalk3.green.bold(`Project "${project.name}" created and linked.`) + "\n\n" + chalk3.dim("Use ") + chalk3.white("keyra-cli push") + chalk3.dim(" and ") + chalk3.white("keyra-cli pull") + chalk3.dim(" to sync.")
+  );
+});
+function guessCategory(key) {
+  const k = key.toUpperCase();
+  if (k.includes("OPENAI") || k.includes("ANTHROPIC") || k.includes("AI"))
+    return "ai";
+  if (k.includes("DATABASE") || k.includes("DB_") || k.includes("POSTGRES") || k.includes("MYSQL") || k.includes("MONGO") || k.includes("REDIS") || k.includes("SUPABASE"))
+    return "database";
+  if (k.includes("AUTH") || k.includes("JWT") || k.includes("SESSION") || k.includes("NEXTAUTH") || k.includes("CLERK"))
+    return "auth";
+  if (k.includes("STRIPE") || k.includes("PAYMENT") || k.includes("PAYPAL"))
+    return "payment";
+  if (k.includes("VERCEL") || k.includes("AWS") || k.includes("GCP") || k.includes("AZURE") || k.includes("HEROKU") || k.includes("DEPLOY"))
+    return "hosting";
+  if (k.includes("SMTP") || k.includes("EMAIL") || k.includes("SENDGRID") || k.includes("RESEND") || k.includes("MAILGUN"))
+    return "email";
+  if (k.includes("ANALYTICS") || k.includes("MIXPANEL") || k.includes("GA_") || k.includes("POSTHOG") || k.includes("SENTRY"))
+    return "analytics";
+  return "general";
+}
+
+// src/commands/push.ts
+import { Command as Command4 } from "commander";
+import chalk4 from "chalk";
+var pushCommand = new Command4("push").description("Push local .env to vault").action(async () => {
+  let config;
+  try {
+    config = requireAuth();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  let projectConfig;
+  try {
+    projectConfig = requireProjectConfig();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  const envData = readEnvFile();
+  if (!envData) {
+    warning("No .env file found in current directory.");
+    return;
+  }
+  const vars = envData.vars;
+  const varCount = Object.keys(vars).length;
+  if (varCount === 0) {
+    warning("No variables found in .env file.");
+    return;
+  }
+  let projectPassword = null;
+  try {
+    const projects = await getProjects();
+    const project = projects.find((p) => p.id === projectConfig.projectId);
+    if (project?.has_project_password) {
+      projectPassword = await promptSecret("Project password: ");
+      const blob = JSON.parse(project.project_password_salt);
+      try {
+        const result = decrypt(blob.encrypted, blob.iv, blob.salt, blob.authTag, projectPassword);
+        if (result !== "keyra-verified") {
+          error("Incorrect project password");
+          return;
+        }
+      } catch {
+        error("Incorrect project password");
+        return;
+      }
+    }
+  } catch (err) {
+    error("Failed to fetch project info: " + err.message);
+    return;
+  }
+  const s = spinner("Encrypting and uploading " + varCount + " variable" + (varCount !== 1 ? "s" : "") + "...");
+  s.start();
+  try {
+    const entries = Object.entries(vars).map(([key, value]) => {
+      let encrypted;
+      if (projectPassword) {
+        const inner = encrypt(value, projectPassword);
+        const innerJson = JSON.stringify(inner);
+        encrypted = encrypt(innerJson, config.passphrase);
+      } else {
+        encrypted = encrypt(value, config.passphrase);
+      }
+      return {
+        key_name: key,
+        encrypted_value: encrypted.encrypted,
+        iv: encrypted.iv,
+        salt: encrypted.salt,
+        auth_tag: encrypted.authTag,
+        category: guessCategory2(key)
+      };
+    });
+    await upsertVaultEntries(projectConfig.projectId, entries);
+    s.stop();
+    success(
+      "Pushed " + varCount + " variable" + (varCount !== 1 ? "s" : "") + " to vault " + chalk4.dim("(" + projectConfig.projectName + ")")
+    );
+  } catch (err) {
+    s.stop();
+    error(err.message);
+  }
+});
+function guessCategory2(key) {
+  const k = key.toUpperCase();
+  if (k.includes("OPENAI") || k.includes("ANTHROPIC") || k.includes("AI"))
+    return "ai";
+  if (k.includes("DATABASE") || k.includes("DB_") || k.includes("POSTGRES") || k.includes("MYSQL") || k.includes("MONGO") || k.includes("REDIS") || k.includes("SUPABASE"))
+    return "database";
+  if (k.includes("AUTH") || k.includes("JWT") || k.includes("SESSION") || k.includes("NEXTAUTH") || k.includes("CLERK"))
+    return "auth";
+  if (k.includes("STRIPE") || k.includes("PAYMENT") || k.includes("PAYPAL"))
+    return "payment";
+  if (k.includes("VERCEL") || k.includes("AWS") || k.includes("GCP") || k.includes("AZURE") || k.includes("HEROKU"))
+    return "hosting";
+  if (k.includes("SMTP") || k.includes("EMAIL") || k.includes("SENDGRID") || k.includes("RESEND") || k.includes("MAILGUN"))
+    return "email";
+  if (k.includes("ANALYTICS") || k.includes("MIXPANEL") || k.includes("GA_") || k.includes("POSTHOG") || k.includes("SENTRY"))
+    return "analytics";
+  return "general";
+}
+
+// src/commands/pull.ts
+import { Command as Command5 } from "commander";
+import fs3 from "fs";
+import path4 from "path";
+import chalk5 from "chalk";
+var pullCommand = new Command5("pull").description("Pull vault variables to local .env").option("-f, --file <filename>", "Output filename", ".env").action(async (options) => {
+  let config;
+  try {
+    config = requireAuth();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  let projectConfig;
+  try {
+    projectConfig = requireProjectConfig();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  let projectPassword = null;
+  try {
+    const projects = await getProjects();
+    const project = projects.find((p) => p.id === projectConfig.projectId);
+    if (project?.has_project_password) {
+      projectPassword = await promptSecret("Project password: ");
+      const blob = JSON.parse(project.project_password_salt);
+      try {
+        const result = decrypt(blob.encrypted, blob.iv, blob.salt, blob.authTag, projectPassword);
+        if (result !== "keyra-verified") {
+          error("Incorrect project password");
+          return;
+        }
+      } catch {
+        error("Incorrect project password");
+        return;
+      }
+    }
+  } catch (err) {
+    error("Failed to fetch project info: " + err.message);
+    return;
+  }
+  const s = spinner("Pulling from vault...");
+  s.start();
+  try {
+    const entries = await getVaultEntries(projectConfig.projectId);
+    if (entries.length === 0) {
+      s.stop();
+      warning("No variables found in vault. Push some first with `keyra-cli push`.");
+      return;
+    }
+    const vars = {};
+    for (const entry of entries) {
+      if (projectPassword) {
+        const innerJson = decrypt(entry.encrypted_value, entry.iv, entry.salt, entry.auth_tag, config.passphrase);
+        const inner = JSON.parse(innerJson);
+        vars[entry.key_name] = decrypt(inner.encrypted, inner.iv, inner.salt, inner.authTag, projectPassword);
+      } else {
+        vars[entry.key_name] = decrypt(entry.encrypted_value, entry.iv, entry.salt, entry.auth_tag, config.passphrase);
+      }
+    }
+    const existed = fs3.existsSync(path4.join(process.cwd(), options.file));
+    writeEnvFile(vars, void 0, options.file);
+    s.stop();
+    success(
+      "Pulled " + entries.length + " variable" + (entries.length !== 1 ? "s" : "") + " from vault -> " + options.file + " " + chalk5.dim("(" + projectConfig.projectName + ")")
+    );
+    if (existed) {
+      warning("Existing " + options.file + " was overwritten");
+    }
+  } catch (err) {
+    s.stop();
+    error(err.message);
+  }
+});
+
+// src/commands/validate.ts
+import { Command as Command6 } from "commander";
+import chalk6 from "chalk";
+var validateCommand = new Command6("validate").description("Check local .env has all required vault variables").action(async () => {
+  let projectConfig;
+  try {
+    projectConfig = requireProjectConfig();
+  } catch (err) {
+    error(err.message);
+    process.exit(1);
+    return;
+  }
+  let config;
+  try {
+    config = requireAuth();
+  } catch (err) {
+    error(err.message);
+    process.exit(1);
+    return;
+  }
+  const s = spinner("Checking vault...");
+  s.start();
+  let entries;
+  try {
+    entries = await getVaultEntries(projectConfig.projectId);
+    s.stop();
+  } catch (err) {
+    s.stop();
+    error(err.message);
+    process.exit(1);
+    return;
+  }
+  if (entries.length === 0) {
+    warning("No variables in vault to validate against.");
+    return;
+  }
+  const envData = readEnvFile();
+  const localVars = envData?.vars ?? {};
+  const rows = [];
+  let passed = 0;
+  let issues = 0;
+  for (const entry of entries) {
+    const localValue = localVars[entry.key_name];
+    if (localValue === void 0) {
+      rows.push({
+        key: entry.key_name,
+        value: "MISSING",
+        status: "missing"
+      });
+      issues++;
+    } else if (localValue.trim() === "") {
+      rows.push({
+        key: entry.key_name,
+        value: "EMPTY",
+        status: "empty"
+      });
+      issues++;
+    } else {
+      rows.push({
+        key: entry.key_name,
+        value: "present",
+        status: "present"
+      });
+      passed++;
+    }
+  }
+  console.log();
+  printTable(rows);
+  console.log();
+  const total = entries.length;
+  if (issues === 0) {
+    console.log(
+      chalk6.green.bold(`  ${passed} of ${total} checks passed. All good!`)
+    );
+  } else {
+    console.log(
+      chalk6.yellow(
+        `  ${passed} of ${total} checks passed. ${issues} issue${issues !== 1 ? "s" : ""} found.`
+      )
+    );
+  }
+  console.log();
+  process.exit(issues > 0 ? 1 : 0);
+});
+
+// src/commands/share.ts
+import { Command as Command7 } from "commander";
+import crypto2 from "crypto";
+import chalk7 from "chalk";
+var shareCommand = new Command7("share").description("Create an encrypted share link for your .env").action(async () => {
+  let config;
+  try {
+    config = requireAuth();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  let projectConfig;
+  try {
+    projectConfig = requireProjectConfig();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  const envData = readEnvFile();
+  if (!envData) {
+    warning("No .env file found in current directory.");
+    return;
+  }
+  const varCount = Object.keys(envData.vars).length;
+  if (varCount === 0) {
+    warning("No variables found in .env file.");
+    return;
+  }
+  const s = spinner("Creating share link...");
+  s.start();
+  try {
+    const oneTimeKey = crypto2.randomBytes(32).toString("hex");
+    const envContent = toEnvFileString(envData.vars);
+    const encrypted = encrypt(envContent, oneTimeKey);
+    const result = await createShareLink({
+      project_id: projectConfig.projectId,
+      encrypted_data: encrypted.encrypted,
+      iv: encrypted.iv,
+      salt: encrypted.salt,
+      auth_tag: encrypted.authTag
+    });
+    s.stop();
+    const shareUrl = result.url || `${config.apiUrl}/share/${result.token}`;
+    printBox(
+      chalk7.green.bold("Share link created!") + chalk7.dim(` (${varCount} variables)`) + "\n\n" + chalk7.white.bold("Link ") + chalk7.dim("(expires in 24h, viewable once):") + "\n" + chalk7.cyan(shareUrl) + "\n\n" + chalk7.white.bold("Decryption key ") + chalk7.dim("(send separately!):") + "\n" + chalk7.yellow(oneTimeKey) + "\n\n" + chalk7.yellow("\u26A0 The link and key should be sent via different channels for security.")
+    );
+  } catch (err) {
+    s.stop();
+    error(err.message);
+  }
+});
+
+// src/commands/list.ts
+import { Command as Command8 } from "commander";
+import chalk8 from "chalk";
+var listCommand = new Command8("list").alias("ls").description("List all your projects").action(async () => {
+  try {
+    requireAuth();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  const s = spinner("Loading projects...");
+  s.start();
+  try {
+    const projects = await getProjects();
+    s.stop();
+    if (projects.length === 0) {
+      info("No projects yet. Run `keyra-cli init` in a project folder.");
+      return;
+    }
+    console.log();
+    console.log(chalk8.bold(`  ${projects.length} project${projects.length !== 1 ? "s" : ""}:`));
+    console.log();
+    const maxName = Math.max(...projects.map((p) => p.name.length), 4);
+    console.log(
+      chalk8.dim(
+        `  ${"Name".padEnd(maxName + 2)}${"Vars".padEnd(8)}Last Synced`
+      )
+    );
+    console.log(chalk8.dim(`  ${"\u2500".repeat(maxName + 2 + 8 + 20)}`));
+    for (const project of projects) {
+      const name = chalk8.green(project.name.padEnd(maxName + 2));
+      const vars = String(project.var_count).padEnd(8);
+      const synced = project.last_synced_at ? new Date(project.last_synced_at).toLocaleDateString() : chalk8.dim("never");
+      console.log(`  ${name}${vars}${synced}`);
+    }
+    console.log();
+  } catch (err) {
+    s.stop();
+    error(err.message);
+  }
+});
+
+// src/commands/status.ts
+import { Command as Command9 } from "commander";
+import chalk9 from "chalk";
+var statusCommand = new Command9("status").description("Show current project status").action(async () => {
+  const projectConfig = loadProjectConfig();
+  if (!projectConfig) {
+    info("Not in a Keyra project. Run `keyra-cli init` first.");
+    return;
+  }
+  console.log();
+  console.log(chalk9.bold("  Keyra Status"));
+  console.log(chalk9.dim(`  ${"\u2500".repeat(40)}`));
+  console.log(`  ${chalk9.dim("Project:")}  ${chalk9.green(projectConfig.projectName)}`);
+  console.log(`  ${chalk9.dim("ID:")}       ${chalk9.dim(projectConfig.projectId)}`);
+  if (!isLoggedIn()) {
+    console.log();
+    info("Not logged in. Run `keyra-cli login` to sync.");
+    return;
+  }
+  let config;
+  try {
+    config = requireAuth();
+  } catch (err) {
+    error(err.message);
+    return;
+  }
+  const s = spinner("Checking vault...");
+  s.start();
+  try {
+    const entries = await getVaultEntries(projectConfig.projectId);
+    s.stop();
+    console.log(`  ${chalk9.dim("Vault:")}    ${entries.length} variable${entries.length !== 1 ? "s" : ""}`);
+    const envData = readEnvFile();
+    if (envData) {
+      const localKeys = new Set(Object.keys(envData.vars));
+      const vaultKeys = new Set(entries.map((e) => e.key_name));
+      const onlyLocal = [...localKeys].filter((k) => !vaultKeys.has(k));
+      const onlyVault = [...vaultKeys].filter((k) => !localKeys.has(k));
+      const inBoth = [...localKeys].filter((k) => vaultKeys.has(k));
+      console.log(`  ${chalk9.dim("Local:")}    ${localKeys.size} variable${localKeys.size !== 1 ? "s" : ""} (${envData.filename})`);
+      console.log();
+      if (onlyLocal.length === 0 && onlyVault.length === 0) {
+        console.log(chalk9.green("  \u2713 Local and vault keys are in sync"));
+      } else {
+        if (onlyLocal.length > 0) {
+          console.log(
+            chalk9.yellow(
+              `  \u26A0 ${onlyLocal.length} key${onlyLocal.length !== 1 ? "s" : ""} only in local: ${onlyLocal.join(", ")}`
+            )
+          );
+        }
+        if (onlyVault.length > 0) {
+          console.log(
+            chalk9.yellow(
+              `  \u26A0 ${onlyVault.length} key${onlyVault.length !== 1 ? "s" : ""} only in vault: ${onlyVault.join(", ")}`
+            )
+          );
+        }
+      }
+    } else {
+      console.log(`  ${chalk9.dim("Local:")}    ${chalk9.yellow("no .env file found")}`);
+    }
+    console.log();
+  } catch (err) {
+    s.stop();
+    error(err.message);
+  }
+});
+
+// src/commands/guard.ts
+import { Command as Command10 } from "commander";
+import fs4 from "fs";
+import path5 from "path";
+import chalk10 from "chalk";
+var HOOK_MARKER = "# keyra-guard";
+var PRE_COMMIT_HOOK = `#!/bin/sh
+${HOOK_MARKER}
+# Keyra Git Guardian \u2014 blocks accidental .env commits
+# https://keyra.dev
+
+staged=$(git diff --cached --name-only 2>/dev/null)
+
+for file in $staged; do
+  if echo "$file" | grep -qE '(^|\\.)\\.env(\\..*)?$'; then
+    echo ""
+    echo "  \\033[0;31m\u2717 Keyra Git Guardian blocked your commit\\033[0m"
+    echo "  \\033[0;33m\u26A0 Detected .env file in staged changes: $file\\033[0m"
+    echo ""
+    echo "  Commit secrets to your Keyra vault instead:"
+    echo "    keyra-cli push"
+    echo ""
+    exit 1
+  fi
+done
+`;
+var guardCommand = new Command10("guard").description("Install a pre-commit hook to block accidental .env commits").action(async () => {
+  let gitDir = null;
+  let dir = process.cwd();
+  for (let i = 0; i < 10; i++) {
+    const candidate = path5.join(dir, ".git");
+    if (fs4.existsSync(candidate) && fs4.statSync(candidate).isDirectory()) {
+      gitDir = candidate;
+      break;
+    }
+    const parent = path5.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  if (!gitDir) {
+    error("Not inside a git repository.");
+    process.exit(1);
+  }
+  const hooksDir = path5.join(gitDir, "hooks");
+  if (!fs4.existsSync(hooksDir)) {
+    fs4.mkdirSync(hooksDir, { recursive: true });
+  }
+  const hookPath = path5.join(hooksDir, "pre-commit");
+  if (fs4.existsSync(hookPath)) {
+    const existing = fs4.readFileSync(hookPath, "utf-8");
+    if (existing.includes(HOOK_MARKER)) {
+      warning("Git Guardian is already installed in this repository.");
+      return;
+    }
+    fs4.appendFileSync(hookPath, "\n" + PRE_COMMIT_HOOK);
+    success("Git Guardian appended to existing pre-commit hook.");
+  } else {
+    fs4.writeFileSync(hookPath, PRE_COMMIT_HOOK);
+  }
+  try {
+    fs4.chmodSync(hookPath, 493);
+  } catch {
+  }
+  printBox(
+    chalk10.green.bold("Git Guardian installed") + "\n\n" + chalk10.dim("Pre-commit hook added to: ") + chalk10.white(hookPath) + "\n\n" + chalk10.dim("Now if you accidentally stage a .env file,\n") + chalk10.dim("git commit will be blocked automatically."),
+    "green"
+  );
+});
+
+// src/commands/scan.ts
+import { Command as Command11 } from "commander";
+import fs5 from "fs";
+import path6 from "path";
+import crypto3 from "crypto";
+import chalk11 from "chalk";
+async function checkHibp(value) {
+  const hash = crypto3.createHash("sha1").update(value).digest("hex").toUpperCase();
+  const prefix = hash.slice(0, 5);
+  const suffix = hash.slice(5);
+  try {
+    const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
+      headers: { "Add-Padding": "true" }
+    });
+    if (!res.ok) return 0;
+    const text = await res.text();
+    for (const line of text.split("\n")) {
+      const [lineSuffix, countStr] = line.trim().split(":");
+      if (lineSuffix === suffix) return parseInt(countStr, 10) || 0;
+    }
+    return 0;
+  } catch {
+    return 0;
+  }
+}
+async function parseEnvFile2(filePath) {
+  const content = fs5.readFileSync(filePath, "utf-8");
+  const result = {};
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const value = trimmed.slice(eqIdx + 1).trim().replace(/^['"]|['"]$/g, "");
+    if (key && value) result[key] = value;
+  }
+  return result;
+}
+var scanCommand = new Command11("scan").description("Check secrets for known data breaches using HaveIBeenPwned").option("-f, --file <path>", "Path to .env file to scan", ".env").option("--project <id>", "Scan a vault project instead of a local file").action(async (opts) => {
+  const s = spinner("Preparing scan...").start();
+  let secrets = {};
+  if (opts.project) {
+    const config = requireAuth();
+    try {
+      const entries = await apiGet(`/api/vault?project_id=${opts.project}`);
+      for (const entry of entries) {
+        try {
+          const value = decrypt(
+            entry.encrypted_value,
+            entry.iv,
+            entry.salt,
+            entry.auth_tag,
+            config.passphrase
+          );
+          secrets[entry.key_name] = value;
+        } catch {
+        }
+      }
+    } catch (err) {
+      s.fail("Failed to fetch vault entries.");
+      error(err.message);
+      process.exit(1);
+    }
+  } else {
+    const filePath = path6.resolve(process.cwd(), opts.file);
+    if (!fs5.existsSync(filePath)) {
+      s.fail(`File not found: ${filePath}`);
+      process.exit(1);
+    }
+    try {
+      secrets = await parseEnvFile2(filePath);
+    } catch {
+      s.fail(`Failed to read ${opts.file}`);
+      process.exit(1);
+    }
+  }
+  const keys = Object.keys(secrets);
+  if (keys.length === 0) {
+    s.stop();
+    info("No secrets found to scan.");
+    return;
+  }
+  s.text = `Scanning ${keys.length} secret${keys.length === 1 ? "" : "s"} against breach databases...`;
+  const breached = [];
+  for (const key of keys) {
+    const value = secrets[key];
+    if (!value || value.length < 8) continue;
+    const count = await checkHibp(value);
+    if (count > 0) {
+      breached.push({ key, count });
+    }
+  }
+  s.stop();
+  console.log("");
+  if (breached.length === 0) {
+    printBox(
+      chalk11.green.bold("No breaches detected") + "\n\n" + chalk11.dim(`Scanned ${keys.length} secret${keys.length === 1 ? "" : "s"} \xB7 0 found in breach databases`),
+      "green"
+    );
+  } else {
+    printBox(
+      chalk11.red.bold(`${breached.length} secret${breached.length === 1 ? "" : "s"} found in breach databases`) + "\n\n" + breached.map(
+        ({ key, count }) => chalk11.red("\u2717") + " " + chalk11.bold(key) + chalk11.dim(` \u2014 seen ${count.toLocaleString()} times`)
+      ).join("\n") + "\n\n" + chalk11.yellow("Rotate these secrets immediately."),
+      "red"
+    );
+    process.exit(1);
+  }
+});
+
+// src/index.ts
+var program = new Command12();
+program.name("keyra-cli").description("Encrypted .env vault. Sync, share, never lose an API key.").version("0.1.0");
+program.addCommand(loginCommand);
+program.addCommand(logoutCommand);
+program.addCommand(initCommand);
+program.addCommand(pushCommand);
+program.addCommand(pullCommand);
+program.addCommand(validateCommand);
+program.addCommand(shareCommand);
+program.addCommand(listCommand);
+program.addCommand(statusCommand);
+program.addCommand(guardCommand);
+program.addCommand(scanCommand);
+program.parseAsync(process.argv).catch((err) => {
+  console.error(chalk12.red("Error:"), err.message);
+  process.exit(1);
+});