lsh-framework 0.10.2 → 1.1.0

package/README.md

@@ -32,7 +32,7 @@ npm install -g lsh-framework
 
 # 3. ONE command does everything!
 cd ~/repos/your-project
-lsh lib secrets sync
+lsh sync
 
 # That's it! Smart Sync:
 # ✅ Auto-generates encryption key
@@ -46,7 +46,7 @@ lsh lib secrets sync
 
 ```bash
 # Sync and load secrets into current shell
-eval "$(lsh lib secrets sync --load)"
+eval "$(lsh sync --load)"
 
 # Your secrets are now available!
 echo $DATABASE_URL
@@ -59,7 +59,7 @@ echo $DATABASE_URL
 npm install -g lsh-framework
 
 # 2. Generate encryption key
-lsh lib secrets key
+lsh key
 # Add the output to your .env:
 # LSH_SECRETS_KEY=<your-key>
 
@@ -69,10 +69,10 @@ lsh lib secrets key
 # SUPABASE_ANON_KEY=<your-anon-key>
 
 # 4. Push your secrets
-lsh lib secrets push
+lsh push
 
 # 5. Pull on any other machine
-lsh lib secrets pull
+lsh pull
 
 # Done! Your secrets are synced.
 ```
@@ -85,8 +85,8 @@ lsh lib secrets pull
 
 ```bash
 cd ~/repos/my-app
-lsh lib secrets sync              # Auto-setup and sync
-eval "$(lsh lib secrets sync --load)"  # Sync AND load into shell
+lsh sync              # Auto-setup and sync
+eval "$(lsh sync --load)"  # Sync AND load into shell
 ```
 
 What Smart Sync does automatically:
@@ -100,10 +100,10 @@ What Smart Sync does automatically:
 **Repository Isolation:**
 ```bash
 cd ~/repos/app1
-lsh lib secrets sync  # Stored as: app1_dev
+lsh sync  # Stored as: app1_dev
 
 cd ~/repos/app2
-lsh lib secrets sync  # Stored as: app2_dev (separate!)
+lsh sync  # Stored as: app2_dev (separate!)
 ```
 
 No more conflicts between projects using the same environment names!
@@ -124,16 +124,16 @@ Use the built-in daemon to automatically rotate secrets on a schedule:
 
 ```bash
 # Schedule API key rotation every 30 days
-lsh lib cron add \
+lsh cron add \
   --name "rotate-api-keys" \
   --schedule "0 0 1 * *" \
-  --command "./scripts/rotate-keys.sh && lsh lib secrets push"
+  --command "./scripts/rotate-keys.sh && lsh push"
 
 # Or use interval-based scheduling
-lsh lib cron add \
+lsh cron add \
   --name "sync-secrets" \
   --interval 3600 \
-  --command "lsh lib secrets pull && ./scripts/reload-app.sh"
+  --command "lsh pull && ./scripts/reload-app.sh"
 ```
 
 **No other secrets manager has this built-in!** Most require complex integrations with cron or external tools.
@@ -143,8 +143,8 @@ lsh lib cron add \
 **Setup (One Time):**
 ```bash
 # Project lead:
-lsh lib secrets key                    # Generate shared key
-lsh lib secrets push --env prod        # Push team secrets
+lsh key                    # Generate shared key
+lsh push --env prod        # Push team secrets
 # Share LSH_SECRETS_KEY via 1Password
 ```
 
@@ -155,7 +155,7 @@ lsh lib secrets push --env prod        # Push team secrets
 echo "LSH_SECRETS_KEY=<shared-key>" > .env
 
 # 3. Pull secrets
-lsh lib secrets pull --env prod
+lsh pull --env prod
 
 # 4. Start coding!
 npm start
@@ -165,31 +165,69 @@ npm start
 
 ```bash
 # Development
-lsh lib secrets push --env dev
+lsh push --env dev
 
 # Staging (different values)
-lsh lib secrets push --file .env.staging --env staging
+lsh push --file .env.staging --env staging
 
 # Production (super secret)
-lsh lib secrets push --file .env.production --env prod
+lsh push --file .env.production --env prod
 
 # Pull whatever you need
-lsh lib secrets pull --env dev      # for local dev
-lsh lib secrets pull --env staging  # for testing
-lsh lib secrets pull --env prod     # for production debugging
+lsh pull --env dev      # for local dev
+lsh pull --env staging  # for testing
+lsh pull --env prod     # for production debugging
 ```
 
+### 📝 Batch Upsert Secrets
+
+**New in v1.1.0:** Pipe environment variables directly into your `.env` file!
+
+```bash
+# Copy all current environment variables
+printenv | lsh set
+
+# Import from another .env file
+cat .env.backup | lsh set
+
+# Import specific variables
+printenv | grep "^AWS_" | lsh set
+
+# Merge multiple sources
+cat .env.base .env.local | lsh set
+
+# From file with --stdin flag
+lsh set --stdin < .env.production
+
+# Single key-value still works
+lsh set API_KEY sk_live_12345
+lsh set DATABASE_URL postgres://localhost/db
+```
+
+**Features:**
+- ✅ Automatic upsert (updates existing, adds new)
+- ✅ Preserves comments and formatting
+- ✅ Handles quoted values
+- ✅ Validates key names
+- ✅ Shows summary of changes
+
 ## Secrets Commands
 
 | Command | Description |
 |---------|-------------|
-| `lsh lib secrets push` | Upload .env to encrypted cloud storage |
-| `lsh lib secrets pull` | Download .env from cloud storage |
-| `lsh lib secrets list` | List all stored environments |
-| `lsh lib secrets show` | View secrets (masked) |
-| `lsh lib secrets key` | Generate encryption key |
-| `lsh lib secrets create` | Create new .env file |
-| `lsh lib secrets delete` | Delete .env file (with confirmation) |
+| `lsh push` | Upload .env to encrypted cloud storage |
+| `lsh pull` | Download .env from cloud storage |
+| `lsh list` | List secrets in current .env file |
+| `lsh env` | List all stored environments |
+| `lsh key` | Generate encryption key |
+| `lsh create` | Create new .env file |
+| `lsh delete` | Delete .env file (with confirmation) |
+| `lsh sync` | Smart sync (auto-setup and sync) |
+| `lsh status` | Get detailed secrets status |
+| `lsh get <key>` | Get a specific secret value |
+| `lsh set <key> <value>` | Set a single secret value |
+| `printenv \| lsh set` | Batch upsert from stdin (pipe) |
+| `lsh set --stdin < file` | Batch upsert from file |
 
 See the complete guide: [SECRETS_GUIDE.md](docs/features/secrets/SECRETS_GUIDE.md)
 
@@ -217,7 +255,7 @@ lsh self version
 
 ```bash
 # 1. Generate encryption key
-lsh lib secrets key
+lsh key
 
 # 2. Create .env file
 cat > .env <<EOF
@@ -234,7 +272,7 @@ API_KEY=your-api-key
 EOF
 
 # 3. Push to cloud
-lsh lib secrets push --env dev
+lsh push --env dev
 ```
 
 ## Advanced Features (Bonus!)
@@ -247,13 +285,13 @@ Run jobs reliably in the background:
 
 ```bash
 # Start daemon
-lsh lib daemon start
+lsh daemon start
 
 # Check status
-lsh lib daemon status
+lsh daemon status
 
 # Stop daemon
-lsh lib daemon stop
+lsh daemon stop
 ```
 
 ### Cron-Style Scheduling
@@ -262,20 +300,20 @@ Schedule any task with cron expressions:
 
 ```bash
 # Daily backup at midnight
-lsh lib cron add --name "backup" \
+lsh cron add --name "backup" \
   --schedule "0 0 * * *" \
   --command "./backup.sh"
 
 # Every 6 hours
-lsh lib cron add --name "sync" \
+lsh cron add --name "sync" \
   --schedule "0 */6 * * *" \
-  --command "lsh lib secrets pull && ./reload.sh"
+  --command "lsh pull && ./reload.sh"
 
 # List all jobs
-lsh lib cron list
+lsh cron list
 
 # Trigger manually
-lsh lib cron trigger backup
+lsh cron trigger backup
 ```
 
 ### RESTful API
@@ -284,7 +322,7 @@ Control everything via HTTP API:
 
 ```bash
 # Start API server
-LSH_API_KEY=your-key lsh lib api start --port 3030
+LSH_API_KEY=your-key lsh api start --port 3030
 
 # Use the API
 curl -H "X-API-Key: your-key" http://localhost:3030/api/jobs
@@ -368,13 +406,13 @@ LSH validates all environment variables at startup and fails fast if:
 **Solution:**
 ```bash
 # Laptop
-lsh lib secrets push --env dev
+lsh push --env dev
 
 # Desktop
-lsh lib secrets pull --env dev
+lsh pull --env dev
 
 # Cloud server
-lsh lib secrets pull --env dev
+lsh pull --env dev
 
 # All synced!
 ```
@@ -386,11 +424,11 @@ lsh lib secrets pull --env dev
 **Solution:**
 ```bash
 # New team member (after getting LSH_SECRETS_KEY from 1Password)
-cd ~/projects/service-1 && lsh lib secrets pull --env dev
-cd ~/projects/service-2 && lsh lib secrets pull --env dev
-cd ~/projects/service-3 && lsh lib secrets pull --env dev
-cd ~/projects/service-4 && lsh lib secrets pull --env dev
-cd ~/projects/service-5 && lsh lib secrets pull --env dev
+cd ~/projects/service-1 && lsh pull --env dev
+cd ~/projects/service-2 && lsh pull --env dev
+cd ~/projects/service-3 && lsh pull --env dev
+cd ~/projects/service-4 && lsh pull --env dev
+cd ~/projects/service-5 && lsh pull --env dev
 
 # Done in 30 seconds instead of 30 minutes
 ```
@@ -411,7 +449,7 @@ NEW_KEY=$(curl -X POST https://api.provider.com/keys/rotate)
 sed -i "s/API_KEY=.*/API_KEY=$NEW_KEY/" .env
 
 # Push to cloud
-lsh lib secrets push --env prod
+lsh push --env prod
 
 # Notify team
 echo "API keys rotated at $(date)" | mail -s "Key Rotation" team@company.com
@@ -430,18 +468,18 @@ lsh lib cron add --name "rotate-keys" \
 **Solution:**
 ```bash
 # Push from local dev
-lsh lib secrets push --file .env.development --env dev
+lsh push --file .env.development --env dev
 
 # Push staging config
-lsh lib secrets push --file .env.staging --env staging
+lsh push --file .env.staging --env staging
 
 # Push production config (from secure machine only)
-lsh lib secrets push --file .env.production --env prod
+lsh push --file .env.production --env prod
 
 # CI/CD pulls the right one
 # In .github/workflows/deploy.yml:
 - name: Get secrets
-  run: lsh lib secrets pull --env ${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
+  run: lsh pull --env ${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
 ```
 
 ## Comparison with Other Tools
@@ -504,7 +542,7 @@ LSH_ALLOW_DANGEROUS_COMMANDS=false  # Keep false in production
 
 ```bash
 # Encryption key for secrets
-lsh lib secrets key
+lsh key
 
 # API key for HTTP API
 openssl rand -hex 32
@@ -561,10 +599,10 @@ lsh --version
 
 ```bash
 # Check stored environments
-lsh lib secrets list
+lsh list
 
 # Push if missing
-lsh lib secrets push --env dev
+lsh push --env dev
 ```
 
 ### "Decryption failed"
@@ -574,8 +612,8 @@ lsh lib secrets push --env dev
 # Make sure LSH_SECRETS_KEY matches the one used to encrypt
 
 # Generate new key and re-push
-lsh lib secrets key
-lsh lib secrets push
+lsh key
+lsh push
 ```
 
 ### "Supabase not configured"
@@ -675,7 +713,7 @@ See API endpoints documentation in the Advanced Features section.
 
 ## Roadmap
 
-- [ ] CLI command shortcuts (`lsh push` instead of `lsh lib secrets push`)
+- [ ] CLI command shortcuts (`lsh push` instead of `lsh push`)
 - [ ] Built-in secret rotation templates (AWS, GCP, Azure)
 - [ ] Web dashboard for team secret management
 - [ ] Audit logging for secret access

package/dist/cli.js

@@ -85,9 +85,9 @@ program
             console.log('  status                  Get detailed secrets status');
             console.log('');
             console.log('🔄 Automation (Schedule secret rotation):');
-            console.log('  lib cron add            Schedule automatic tasks');
-            console.log('  lib cron list           List scheduled jobs');
-            console.log('  lib daemon start        Start persistent daemon');
+            console.log('  cron add                Schedule automatic tasks');
+            console.log('  cron list               List scheduled jobs');
+            console.log('  daemon start            Start persistent daemon');
             console.log('');
             console.log('🚀 Quick Start:');
             console.log('  lsh key                           # Generate encryption key');
@@ -95,10 +95,10 @@ program
             console.log('  lsh pull --env dev                # Pull on another machine');
             console.log('');
             console.log('📚 More Commands:');
-            console.log('  lib api                 API server management');
-            console.log('  lib supabase            Supabase database management');
-            console.log('  lib daemon              Daemon management');
-            console.log('  lib cron                Cron job management');
+            console.log('  api                     API server management');
+            console.log('  supabase                Supabase database management');
+            console.log('  daemon                  Daemon management');
+            console.log('  cron                    Cron job management');
             console.log('  self                    Self-management commands');
             console.log('  self zsh                ZSH compatibility commands');
             console.log('  -i, --interactive       Start interactive shell');
@@ -217,9 +217,13 @@ function findSimilarCommands(input, validCommands) {
 (async () => {
     // REPL interactive shell
     await init_ishell(program);
-    // Library commands (parent for service commands)
+    // Flatten all service commands to top-level (no more 'lib' parent)
+    await init_supabase(program);
+    await init_daemon(program);
+    await init_cron(program);
+    registerApiCommands(program);
+    // Legacy 'lib' command group with deprecation warnings
     const libCommand = await init_lib(program);
-    // Nest service commands under lib
     await init_supabase(libCommand);
     await init_daemon(libCommand);
     await init_cron(libCommand);
@@ -596,13 +600,13 @@ function showDetailedHelp() {
     console.log('  self zsh                ZSH compatibility commands');
     console.log('  self zsh-import         Import ZSH configs (aliases, functions, exports)');
     console.log('');
-    console.log('Library Commands (lsh lib <command>):');
-    console.log('  lib api                 API server management');
-    console.log('  lib supabase            Supabase database management');
-    console.log('  lib daemon              Daemon management');
-    console.log('  lib daemon job          Job management');
-    console.log('  lib daemon db           Database integration');
-    console.log('  lib cron                Cron job management');
+    console.log('Service Commands:');
+    console.log('  api                     API server management');
+    console.log('  supabase                Supabase database management');
+    console.log('  daemon                  Daemon management');
+    console.log('  daemon job              Job management');
+    console.log('  daemon db               Database integration');
+    console.log('  cron                    Cron job management');
     console.log('');
     console.log('Examples:');
     console.log('');
@@ -632,13 +636,13 @@ function showDetailedHelp() {
     console.log('    lsh secrets pull                    # Pull secrets from cloud');
     console.log('    lsh secrets list                    # List environments');
     console.log('');
-    console.log('  Library Services:');
-    console.log('    lsh lib daemon start                # Start daemon');
-    console.log('    lsh lib daemon status               # Check daemon status');
-    console.log('    lsh lib daemon job list             # List all jobs');
-    console.log('    lsh lib cron list                   # List cron jobs');
-    console.log('    lsh lib api start                   # Start API server');
-    console.log('    lsh lib api key                     # Generate API key');
+    console.log('  Service Operations:');
+    console.log('    lsh daemon start                    # Start daemon');
+    console.log('    lsh daemon status                   # Check daemon status');
+    console.log('    lsh daemon job list                 # List all jobs');
+    console.log('    lsh cron list                       # List cron jobs');
+    console.log('    lsh api start                       # Start API server');
+    console.log('    lsh api key                         # Generate API key');
     console.log('');
     console.log('Features:');
     console.log('  ✅ POSIX Shell Compliance (85-95%)');

package/dist/lib/job-manager.js

@@ -170,7 +170,6 @@ export class JobManager extends BaseJobManager {
             job.process.kill(signal);
         }
         catch (error) {
-            const err = error;
             this.logger.error(`Failed to kill job ${jobId}`, error);
         }
         // Update status

package/dist/lib/secrets-manager.js

@@ -462,8 +462,8 @@ export class SecretsManager {
             return true;
         }
         catch (error) {
-            const err = error;
-            logger.error(`Failed to save encryption key: ${error.message}`);
+            const _err = error;
+            logger.error(`Failed to save encryption key: ${_err.message}`);
             logger.info('Please set it manually:');
             logger.info(`export LSH_SECRETS_KEY=${key}`);
             return false;
@@ -499,8 +499,8 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 return true;
             }
             catch (error) {
-                const err = error;
-                logger.error(`Failed to create ${envFilePath}: ${error.message}`);
+                const _err = error;
+                logger.error(`Failed to create ${envFilePath}: ${_err.message}`);
                 return false;
             }
         }
@@ -517,8 +517,8 @@ LSH_SECRETS_KEY=${this.encryptionKey}
             return true;
         }
         catch (error) {
-            const err = error;
-            logger.error(`Failed to create ${envFilePath}: ${error.message}`);
+            const _err = error;
+            logger.error(`Failed to create ${envFilePath}: ${_err.message}`);
             return false;
         }
     }

package/dist/lib/zsh-compatibility.js

@@ -330,7 +330,6 @@ export class ZshCompatibility {
     /**
      * Generate completions based on patterns
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async generateCompletions(context, patterns) {
         const completions = [];
         for (const pattern of patterns) {

package/dist/pipeline/mcli-bridge.js

@@ -170,10 +170,11 @@ export class MCLIBridge extends EventEmitter {
                 await this.jobTracker.completeExecution(execution.id, result, metrics, artifacts);
                 break;
             case 'failed':
-            case 'error':
+            case 'error': {
                 const errorObj = error;
                 await this.jobTracker.failExecution(execution.id, errorObj?.message || 'Job failed in MCLI', error);
                 break;
+            }
             case 'cancelled':
                 await this.jobTracker.updateJobStatus(pipelineJobId, JobStatus.CANCELLED);
                 break;

package/dist/services/lib/lib.js

@@ -68,7 +68,7 @@ async function _makeCommand(commander) {
 export async function init_lib(program) {
     const lib = program
         .command("lib")
-        .description("LSH library and service commands");
+        .description("⚠️  DEPRECATED: Use top-level commands instead (daemon, cron, api, supabase)");
     // Load and register dynamic commands
     const commands = await loadCommands();
     for (const commandName of Object.keys(commands)) {
@@ -80,6 +80,16 @@ export async function init_lib(program) {
             .description("commandName")
             .usage(`${commandName} used as follows:`);
     }
+    // Show deprecation warning when 'lib' is used
+    lib.hook('preAction', (_thisCommand, _actionCommand) => {
+        console.warn('\x1b[33m⚠️  WARNING: "lsh lib" commands are deprecated as of v1.0.0\x1b[0m');
+        console.warn('\x1b[33m   Use top-level commands instead:\x1b[0m');
+        console.warn('\x1b[33m   - lsh daemon (instead of lsh lib daemon)\x1b[0m');
+        console.warn('\x1b[33m   - lsh cron (instead of lsh lib cron)\x1b[0m');
+        console.warn('\x1b[33m   - lsh api (instead of lsh lib api)\x1b[0m');
+        console.warn('\x1b[33m   - lsh supabase (instead of lsh lib supabase)\x1b[0m');
+        console.warn('');
+    });
     // Optional: Enhance the 'lib' command group with additional descriptions and error handling
     lib
         .showHelpAfterError("Command not recognized, here's some help.")

package/dist/services/secrets/secrets.js

@@ -351,52 +351,31 @@ API_KEY=
             process.exit(1);
         }
     });
-    // Set a specific secret value
+    // Set a specific secret value or batch upsert from stdin
     program
-        .command('set <key> <value>')
-        .description('Set a specific secret value in .env file')
+        .command('set [key] [value]')
+        .description('Set a specific secret value in .env file, or batch upsert from stdin (KEY=VALUE format)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('--stdin', 'Read KEY=VALUE pairs from stdin (one per line)')
         .action(async (key, value, options) => {
         try {
             const envPath = path.resolve(options.file);
-            // Validate key format
-            if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
-                console.error(`❌ Invalid key format: ${key}. Must be a valid environment variable name.`);
-                process.exit(1);
+            // Check if we should read from stdin
+            const isStdin = options.stdin || (!key && !value);
+            if (isStdin) {
+                // Batch mode: read from stdin
+                await batchSetSecrets(envPath);
             }
-            let content = '';
-            let found = false;
-            if (fs.existsSync(envPath)) {
-                content = fs.readFileSync(envPath, 'utf8');
-                const lines = content.split('\n');
-                const newLines = [];
-                for (const line of lines) {
-                    if (line.trim().startsWith('#') || !line.trim()) {
-                        newLines.push(line);
-                        continue;
-                    }
-                    const match = line.match(/^([^=]+)=(.*)$/);
-                    if (match && match[1].trim() === key) {
-                        // Quote values with spaces or special characters
-                        const needsQuotes = /[\s#]/.test(value);
-                        const quotedValue = needsQuotes ? `"${value}"` : value;
-                        newLines.push(`${key}=${quotedValue}`);
-                        found = true;
-                    }
-                    else {
-                        newLines.push(line);
-                    }
+            else {
+                // Single mode: set one key-value pair
+                if (!key || value === undefined) {
+                    console.error('❌ Usage: lsh set <key> <value>');
+                    console.error('   Or pipe input: printenv | lsh set');
+                    console.error('   Or use stdin: lsh set --stdin < file.env');
+                    process.exit(1);
                 }
-                content = newLines.join('\n');
-            }
-            // If key wasn't found, append it
-            if (!found) {
-                const needsQuotes = /[\s#]/.test(value);
-                const quotedValue = needsQuotes ? `"${value}"` : value;
-                content = content.trimRight() + `\n${key}=${quotedValue}\n`;
+                await setSingleSecret(envPath, key, value);
             }
-            fs.writeFileSync(envPath, content, 'utf8');
-            console.log(`✅ Set ${key} in ${options.file}`);
         }
         catch (error) {
             const err = error;
@@ -404,6 +383,199 @@ API_KEY=
             process.exit(1);
         }
     });
+    /**
+     * Set a single secret value
+     */
+    async function setSingleSecret(envPath, key, value) {
+        // Validate key format
+        if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+            console.error(`❌ Invalid key format: ${key}. Must be a valid environment variable name.`);
+            process.exit(1);
+        }
+        let content = '';
+        let found = false;
+        if (fs.existsSync(envPath)) {
+            content = fs.readFileSync(envPath, 'utf8');
+            const lines = content.split('\n');
+            const newLines = [];
+            for (const line of lines) {
+                if (line.trim().startsWith('#') || !line.trim()) {
+                    newLines.push(line);
+                    continue;
+                }
+                const match = line.match(/^([^=]+)=(.*)$/);
+                if (match && match[1].trim() === key) {
+                    // Quote values with spaces or special characters
+                    const needsQuotes = /[\s#]/.test(value);
+                    const quotedValue = needsQuotes ? `"${value}"` : value;
+                    newLines.push(`${key}=${quotedValue}`);
+                    found = true;
+                }
+                else {
+                    newLines.push(line);
+                }
+            }
+            content = newLines.join('\n');
+        }
+        // If key wasn't found, append it
+        if (!found) {
+            const needsQuotes = /[\s#]/.test(value);
+            const quotedValue = needsQuotes ? `"${value}"` : value;
+            content = content.trimRight() + `\n${key}=${quotedValue}\n`;
+        }
+        fs.writeFileSync(envPath, content, 'utf8');
+        console.log(`✅ Set ${key}`);
+    }
+    /**
+     * Batch upsert secrets from stdin
+     */
+    async function batchSetSecrets(envPath) {
+        return new Promise((resolve, reject) => {
+            let inputData = '';
+            const stdin = process.stdin;
+            // Check if stdin is a TTY (interactive terminal)
+            if (stdin.isTTY) {
+                console.error('❌ No input provided. Please pipe data or use --stdin flag.');
+                console.error('');
+                console.error('Examples:');
+                console.error('  printenv | lsh set');
+                console.error('  lsh set --stdin < .env.backup');
+                console.error('  echo "API_KEY=secret123" | lsh set');
+                process.exit(1);
+            }
+            stdin.setEncoding('utf8');
+            stdin.on('data', (chunk) => {
+                inputData += chunk;
+            });
+            stdin.on('end', () => {
+                try {
+                    const lines = inputData.split('\n').filter(line => line.trim());
+                    if (lines.length === 0) {
+                        console.error('❌ No valid KEY=VALUE pairs found in input');
+                        process.exit(1);
+                    }
+                    // Read existing .env file
+                    let content = '';
+                    const existingKeys = new Map();
+                    if (fs.existsSync(envPath)) {
+                        content = fs.readFileSync(envPath, 'utf8');
+                        const existingLines = content.split('\n');
+                        for (const line of existingLines) {
+                            if (line.trim().startsWith('#') || !line.trim())
+                                continue;
+                            const match = line.match(/^([^=]+)=(.*)$/);
+                            if (match) {
+                                existingKeys.set(match[1].trim(), line);
+                            }
+                        }
+                    }
+                    const updates = [];
+                    const errors = [];
+                    const newKeys = new Map();
+                    // Parse input lines
+                    for (const line of lines) {
+                        const trimmed = line.trim();
+                        // Skip comments and empty lines
+                        if (trimmed.startsWith('#') || !trimmed)
+                            continue;
+                        // Parse KEY=VALUE format
+                        const match = trimmed.match(/^([^=]+)=(.*)$/);
+                        if (!match) {
+                            errors.push(`Invalid format: ${trimmed}`);
+                            continue;
+                        }
+                        const key = match[1].trim();
+                        let value = match[2].trim();
+                        // Validate key format
+                        if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+                            errors.push(`Invalid key format: ${key}`);
+                            continue;
+                        }
+                        // Remove surrounding quotes if present
+                        if ((value.startsWith('"') && value.endsWith('"')) ||
+                            (value.startsWith("'") && value.endsWith("'"))) {
+                            value = value.slice(1, -1);
+                        }
+                        // Track if this is an update or addition
+                        const action = existingKeys.has(key) ? 'updated' : 'added';
+                        updates.push({ key, value, action });
+                        newKeys.set(key, value);
+                    }
+                    // Build new content
+                    const newLines = [];
+                    let hasContent = false;
+                    if (fs.existsSync(envPath)) {
+                        const existingLines = content.split('\n');
+                        for (const line of existingLines) {
+                            if (line.trim().startsWith('#') || !line.trim()) {
+                                newLines.push(line);
+                                continue;
+                            }
+                            const match = line.match(/^([^=]+)=(.*)$/);
+                            if (match) {
+                                const key = match[1].trim();
+                                if (newKeys.has(key)) {
+                                    // Update existing key
+                                    const value = newKeys.get(key);
+                                    const needsQuotes = /[\s#]/.test(value);
+                                    const quotedValue = needsQuotes ? `"${value}"` : value;
+                                    newLines.push(`${key}=${quotedValue}`);
+                                    newKeys.delete(key); // Mark as processed
+                                    hasContent = true;
+                                }
+                                else {
+                                    // Keep existing line
+                                    newLines.push(line);
+                                    hasContent = true;
+                                }
+                            }
+                            else {
+                                newLines.push(line);
+                            }
+                        }
+                    }
+                    // Add new keys that weren't in the existing file
+                    for (const [key, value] of newKeys.entries()) {
+                        const needsQuotes = /[\s#]/.test(value);
+                        const quotedValue = needsQuotes ? `"${value}"` : value;
+                        if (hasContent) {
+                            newLines.push(`${key}=${quotedValue}`);
+                        }
+                        else {
+                            newLines.push(`${key}=${quotedValue}`);
+                            hasContent = true;
+                        }
+                    }
+                    // Write updated content
+                    let finalContent = newLines.join('\n');
+                    if (hasContent && !finalContent.endsWith('\n')) {
+                        finalContent += '\n';
+                    }
+                    fs.writeFileSync(envPath, finalContent, 'utf8');
+                    // Report results
+                    const added = updates.filter(u => u.action === 'added').length;
+                    const updated = updates.filter(u => u.action === 'updated').length;
+                    console.log(`✅ Batch upsert complete:`);
+                    if (added > 0)
+                        console.log(`   Added: ${added} key(s)`);
+                    if (updated > 0)
+                        console.log(`   Updated: ${updated} key(s)`);
+                    if (errors.length > 0) {
+                        console.log('');
+                        console.log('⚠️  Skipped invalid entries:');
+                        errors.forEach(err => console.log(`   ${err}`));
+                    }
+                    resolve();
+                }
+                catch (error) {
+                    reject(error);
+                }
+            });
+            stdin.on('error', (error) => {
+                reject(error);
+            });
+        });
+    }
     // Delete .env file with confirmation
     program
         .command('delete')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "0.10.2",
+  "version": "1.1.0",
   "description": "Encrypted secrets manager with automatic rotation, team sync, and multi-environment support. Built on a powerful shell with daemon scheduling and CI/CD integration.",
   "main": "dist/app.js",
   "bin": {