lsh-framework 0.6.0 → 0.8.0

package/README.md

@@ -1,190 +1,452 @@
-# LSH - Enhanced Shell with Job Management
+# LSH - Encrypted Secrets Manager with Automated Rotation
 
-`lsh` is an extensible CLI shell with advanced job management, CI/CD integration, and persistent daemon for reliable job execution. Built with TypeScript, it provides POSIX-compatible shell features with modern enhancements for automation and pipeline orchestration.
+`lsh` is a powerful **encrypted secrets manager** that syncs your `.env` files across all development environments with AES-256 encryption. Built on a robust shell framework with daemon scheduling, it enables **automatic secret rotation**, team collaboration, and seamless multi-environment management.
 
-## Features
+**Never copy .env files again.** Push once, pull anywhere, rotate automatically.
 
-### Core Shell Features
-- **POSIX Shell Compatibility** - Standard shell syntax and builtins
-- **ZSH-Compatible Features** - Extended globbing, parameter expansion, associative arrays
-- **Interactive Terminal UI** - Built with React/Ink for rich terminal experiences
-- **Command History** - Persistent history with search and replay
-- **Tab Completion** - Intelligent completion system
+## Why LSH?
 
-### Job Management
-- **Persistent Job Daemon** - Background daemon for reliable job execution
-- **Cron-Style Scheduling** - Schedule jobs with cron expressions
-- **Job Control** - Start, stop, monitor, and manage background jobs
-- **Job Registry** - Centralized job tracking and persistence
+Traditional secret management tools are either too complex, too expensive, or require vendor lock-in. LSH gives you:
 
-### CI/CD Integration
-- **Webhook Receiver** - GitHub, GitLab, and Jenkins webhook support
-- **Pipeline Orchestration** - Workflow engine for complex pipelines
-- **Build Analytics** - Track build metrics and performance
-- **Cache Management** - Intelligent caching for faster builds
+- **Encrypted sync** across all your machines using Supabase/PostgreSQL
+- **Automatic rotation** with built-in daemon scheduling
+- **Team collaboration** with shared encryption keys
+- **Multi-environment** support (dev/staging/prod)
+- **Self-hosted** - your data, your infrastructure
+- **Free & Open Source** - no per-seat pricing
+
+**Plus, you get a complete shell automation platform as a bonus.**
+
+## Quick Start (30 seconds)
+
+```bash
+# 1. Install
+npm install -g gwicho38-lsh
+
+# 2. Generate encryption key
+lsh lib secrets key
+# Add the output to your .env:
+# LSH_SECRETS_KEY=<your-key>
+
+# 3. Configure Supabase (free tier works!)
+# Add to .env:
+# SUPABASE_URL=https://your-project.supabase.co
+# SUPABASE_ANON_KEY=<your-anon-key>
+
+# 4. Push your secrets
+lsh lib secrets push
+
+# 5. Pull on any other machine
+lsh lib secrets pull
 
-### Security
-- **Command Validation** - Prevents command injection attacks
-- **Environment Variable Validation** - Validates configuration at startup
-- **Webhook Signature Verification** - HMAC verification for webhooks
-- **Secure Defaults** - Fail-safe configuration in production
+# Done! Your secrets are synced.
+```
+
+## Core Features
+
+### 🔐 Secrets Management
+
+- **AES-256 Encryption** - Military-grade encryption for all secrets
+- **Multi-Environment** - Separate configs for dev, staging, and production
+- **Team Sync** - Share encryption keys securely with your team
+- **Masked Viewing** - View secrets safely without exposing full values
+- **Automatic Backup** - Never lose your `.env` files
+- **Version Control** - Track changes to your secrets over time
+
+### 🔄 Automatic Rotation (Unique Feature!)
+
+Use the built-in daemon to automatically rotate secrets on a schedule:
 
-### API & Integration
-- **RESTful API** - HTTP API for job control and monitoring
-- **JWT Authentication** - Secure API access with token-based auth
-- **ML Pipeline Support** - Integration with machine learning workflows
-- **Database Persistence** - PostgreSQL/Supabase for data storage
+```bash
+# Schedule API key rotation every 30 days
+lsh lib cron add \
+  --name "rotate-api-keys" \
+  --schedule "0 0 1 * *" \
+  --command "./scripts/rotate-keys.sh && lsh lib secrets push"
+
+# Or use interval-based scheduling
+lsh lib cron add \
+  --name "sync-secrets" \
+  --interval 3600 \
+  --command "lsh lib secrets pull && ./scripts/reload-app.sh"
+```
+
+**No other secrets manager has this built-in!** Most require complex integrations with cron or external tools.
+
+### 👥 Team Collaboration
+
+**Setup (One Time):**
+```bash
+# Project lead:
+lsh lib secrets key                    # Generate shared key
+lsh lib secrets push --env prod        # Push team secrets
+# Share LSH_SECRETS_KEY via 1Password
+```
+
+**Team members:**
+```bash
+# 1. Get key from 1Password
+# 2. Add to .env
+echo "LSH_SECRETS_KEY=<shared-key>" > .env
+
+# 3. Pull secrets
+lsh lib secrets pull --env prod
+
+# 4. Start coding!
+npm start
+```
+
+### 🌍 Multi-Environment Workflow
+
+```bash
+# Development
+lsh lib secrets push --env dev
+
+# Staging (different values)
+lsh lib secrets push --file .env.staging --env staging
+
+# Production (super secret)
+lsh lib secrets push --file .env.production --env prod
+
+# Pull whatever you need
+lsh lib secrets pull --env dev      # for local dev
+lsh lib secrets pull --env staging  # for testing
+lsh lib secrets pull --env prod     # for production debugging
+```
+
+## Secrets Commands
+
+| Command | Description |
+|---------|-------------|
+| `lsh lib secrets push` | Upload .env to encrypted cloud storage |
+| `lsh lib secrets pull` | Download .env from cloud storage |
+| `lsh lib secrets list` | List all stored environments |
+| `lsh lib secrets show` | View secrets (masked) |
+| `lsh lib secrets key` | Generate encryption key |
+| `lsh lib secrets create` | Create new .env file |
+| `lsh lib secrets delete` | Delete .env file (with confirmation) |
+
+See the complete guide: [SECRETS_GUIDE.md](SECRETS_GUIDE.md)
 
 ## Installation
 
 ### Prerequisites
-- Node.js 18.0.0 or higher
-- npm 8.0.0 or higher
-- PostgreSQL (optional, for persistence features)
-- Redis (optional, for caching)
-
-### Quick Start
+- Node.js 20.18.0 or higher
+- npm 10.0.0 or higher
+- Supabase account (free tier works) OR PostgreSQL database
 
-**Install from npm:**
+### Install from npm
 
 ```bash
 npm install -g gwicho38-lsh
 ```
 
-**Verify installation:**
+### Verify installation
 
 ```bash
 lsh --version
 lsh self version
 ```
 
-For detailed installation options, see [INSTALL.md](INSTALL.md).
+### Initial Setup
 
-### From Source
+```bash
+# 1. Generate encryption key
+lsh lib secrets key
+
+# 2. Create .env file
+cat > .env <<EOF
+# Supabase (for encrypted storage)
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_ANON_KEY=your-anon-key
+
+# Encryption key (generated above)
+LSH_SECRETS_KEY=your-key-here
+
+# Your application secrets
+DATABASE_URL=postgresql://localhost/mydb
+API_KEY=your-api-key
+EOF
+
+# 3. Push to cloud
+lsh lib secrets push --env dev
+```
+
+## Advanced Features (Bonus!)
+
+Because LSH is built on a complete shell framework, you also get powerful automation capabilities:
+
+### Persistent Daemon
+
+Run jobs reliably in the background:
 
 ```bash
-# Clone the repository
-git clone https://github.com/gwicho38/lsh.git
-cd lsh
+# Start daemon
+lsh lib daemon start
 
-# Install dependencies
-npm install
+# Check status
+lsh lib daemon status
 
-# Build TypeScript
-npm run build
+# Stop daemon
+lsh lib daemon stop
+```
 
-# Link globally (optional)
-npm link
+### Cron-Style Scheduling
+
+Schedule any task with cron expressions:
+
+```bash
+# Daily backup at midnight
+lsh lib cron add --name "backup" \
+  --schedule "0 0 * * *" \
+  --command "./backup.sh"
+
+# Every 6 hours
+lsh lib cron add --name "sync" \
+  --schedule "0 */6 * * *" \
+  --command "lsh lib secrets pull && ./reload.sh"
+
+# List all jobs
+lsh lib cron list
 
-# Run
-lsh
+# Trigger manually
+lsh lib cron trigger backup
 ```
 
-## Quick Start
+### RESTful API
 
-### Interactive Shell
+Control everything via HTTP API:
 
 ```bash
-# Start interactive shell
-lsh
+# Start API server
+LSH_API_KEY=your-key lsh lib api start --port 3030
+
+# Use the API
+curl -H "X-API-Key: your-key" http://localhost:3030/api/jobs
+```
+
+### CI/CD Integration
+
+- **Webhook Receiver** - GitHub, GitLab, Jenkins webhook support
+- **Build Analytics** - Track build metrics and performance
+- **Pipeline Orchestration** - Workflow engine for complex pipelines
+
+### POSIX Shell Features
+
+LSH is also a full POSIX-compatible shell with ZSH enhancements:
+
+- Extended globbing patterns
+- Parameter expansion
+- Associative arrays
+- Command history and tab completion
+- Interactive mode
+
+```bash
+# Use as interactive shell
+lsh -i
 
 # Execute commands
-lsh> ls -la
-lsh> echo "Hello, LSH!"
-lsh> cd /tmp && pwd
+lsh -c "echo 'Hello World'"
+
+# Run scripts
+lsh -s script.sh
 ```
 
-### Daemon Mode
+## Security
+
+### Encryption
+
+- **Algorithm**: AES-256-CBC
+- **Key Management**: User-controlled encryption keys
+- **Storage**: Encrypted at rest in Supabase/PostgreSQL
+- **Transport**: HTTPS for all API calls
+
+### Best Practices
 
+**✅ DO:**
+- Generate unique keys per project
+- Share keys via 1Password/LastPass
+- Use different keys for personal vs team projects
+- Rotate keys periodically
+- Keep backups of your .env files
+
+**❌ DON'T:**
+- Commit `LSH_SECRETS_KEY` to git
+- Share keys in plain text (Slack, email, etc.)
+- Reuse keys across projects
+- Store production secrets in dev environment
+
+### Command Validation
+
+All commands are validated to prevent injection attacks:
+
+```typescript
+import { validateCommand } from './lib/command-validator.js';
+
+// Automatically validates and sanitizes
+const result = await validateCommand(userInput);
+```
+
+### Environment Validation
+
+LSH validates all environment variables at startup and fails fast if:
+- Required secrets are missing or too short
+- Invalid URL formats
+- Dangerous commands enabled in production
+
+## Use Cases
+
+### 1. Multi-Machine Development
+
+**Problem:** You develop on a laptop, desktop, and cloud server. Copying .env files manually is tedious.
+
+**Solution:**
 ```bash
-# Start the persistent daemon
-lsh daemon start
+# Laptop
+lsh lib secrets push --env dev
+
+# Desktop
+lsh lib secrets pull --env dev
 
-# Check daemon status
-lsh daemon status
+# Cloud server
+lsh lib secrets pull --env dev
 
-# Stop the daemon
-lsh daemon stop
+# All synced!
 ```
 
-### Job Management
+### 2. Team Onboarding
+
+**Problem:** New team member needs to set up 5 microservices with different env vars.
 
+**Solution:**
 ```bash
-# Add a scheduled job (runs every day at midnight)
-lsh cron add --name "daily-backup" --schedule "0 0 * * *" --command "backup.sh"
+# New team member (after getting LSH_SECRETS_KEY from 1Password)
+cd ~/projects/service-1 && lsh lib secrets pull --env dev
+cd ~/projects/service-2 && lsh lib secrets pull --env dev
+cd ~/projects/service-3 && lsh lib secrets pull --env dev
+cd ~/projects/service-4 && lsh lib secrets pull --env dev
+cd ~/projects/service-5 && lsh lib secrets pull --env dev
+
+# Done in 30 seconds instead of 30 minutes
+```
 
-# List all jobs
-lsh cron list
+### 3. Automated Secret Rotation
 
-# Trigger a job manually
-lsh cron trigger daily-backup
+**Problem:** Security policy requires API keys to be rotated every 30 days.
 
-# Remove a job
-lsh cron remove daily-backup
+**Solution:**
+```bash
+# Create rotation script
+cat > rotate-keys.sh <<'EOF'
+#!/bin/bash
+# Generate new API key from provider
+NEW_KEY=$(curl -X POST https://api.provider.com/keys/rotate)
+
+# Update .env
+sed -i "s/API_KEY=.*/API_KEY=$NEW_KEY/" .env
+
+# Push to cloud
+lsh lib secrets push --env prod
+
+# Notify team
+echo "API keys rotated at $(date)" | mail -s "Key Rotation" team@company.com
+EOF
+
+# Schedule it
+lsh lib cron add --name "rotate-keys" \
+  --schedule "0 0 1 * *" \
+  --command "./rotate-keys.sh"
 ```
 
-### API Server
+### 4. Multi-Environment Deployment
 
+**Problem:** Managing different configs for dev, staging, and production.
+
+**Solution:**
 ```bash
-# Start API server
-lsh api start --port 3030
+# Push from local dev
+lsh lib secrets push --file .env.development --env dev
+
+# Push staging config
+lsh lib secrets push --file .env.staging --env staging
 
-# With authentication
-LSH_API_KEY=your_secret_key lsh api start
+# Push production config (from secure machine only)
+lsh lib secrets push --file .env.production --env prod
+
+# CI/CD pulls the right one
+# In .github/workflows/deploy.yml:
+- name: Get secrets
+  run: lsh lib secrets pull --env ${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
 ```
 
+## Comparison with Other Tools
+
+| Feature | LSH | dotenv-vault | 1Password | Doppler | HashiCorp Vault |
+|---------|-----|--------------|-----------|---------|-----------------|
+| **Cost** | Free | Free tier | $3-8/mo/user | $5-10/user | Free (complex) |
+| **Encryption** | AES-256 | ✓ | ✓ | ✓ | ✓ |
+| **Self-Hosted** | ✓ (Supabase) | ✗ | ✗ | ✗ | ✓ (complex) |
+| **Auto Rotation** | ✓ Built-in | ✗ | Manual | ✗ | ✓ (complex) |
+| **Team Sync** | ✓ | ✓ | ✓ | ✓ | ✓ |
+| **CLI Native** | ✓ | ✓ | ✓ | ✓ | ✓ |
+| **Setup Time** | 2 min | 5 min | 10 min | 10 min | 30+ min |
+| **Daemon/Cron** | ✓ Built-in | ✗ | ✗ | ✗ | ✗ |
+| **Learning Curve** | Easy | Easy | Medium | Medium | Hard |
+
+**LSH is the only tool that combines:**
+- Simple, fast setup
+- Built-in scheduling for rotation
+- Self-hosted option (no vendor lock-in)
+- Completely free
+
 ## Configuration
 
 ### Environment Variables
 
-Copy `.env.example` to `.env` and configure:
+Copy `.env.example` to `.env`:
 
 ```bash
-# Core Configuration
-NODE_ENV=development                    # Environment mode
-LSH_API_ENABLED=true                    # Enable API server
-LSH_API_PORT=3030                       # API server port
-
-# Security (REQUIRED in production)
-LSH_API_KEY=<generate-32-char-key>      # API authentication key
-LSH_JWT_SECRET=<generate-32-char-secret> # JWT signing secret
-LSH_ALLOW_DANGEROUS_COMMANDS=false      # Allow risky commands (use with caution)
-
-# Webhooks
-LSH_ENABLE_WEBHOOKS=true                # Enable webhook receiver
-WEBHOOK_PORT=3033                       # Webhook receiver port
-GITHUB_WEBHOOK_SECRET=<your-secret>     # GitHub webhook secret
-GITLAB_WEBHOOK_SECRET=<your-secret>     # GitLab webhook secret
-JENKINS_WEBHOOK_SECRET=<your-secret>    # Jenkins webhook secret
-
-# Database (Optional)
-DATABASE_URL=postgresql://localhost:5432/cicd
+# Secrets Management (Required)
 SUPABASE_URL=https://your-project.supabase.co
 SUPABASE_ANON_KEY=<your-anon-key>
+LSH_SECRETS_KEY=<generate-with-lsh-lib-secrets-key>
+
+# Optional: Advanced Features
+
+# API Server
+LSH_API_ENABLED=true
+LSH_API_PORT=3030
+LSH_API_KEY=<generate-32-char-key>
+LSH_JWT_SECRET=<generate-32-char-secret>
+
+# Webhooks (for CI/CD integration)
+LSH_ENABLE_WEBHOOKS=true
+WEBHOOK_PORT=3033
+GITHUB_WEBHOOK_SECRET=<your-secret>
+GITLAB_WEBHOOK_SECRET=<your-secret>
+
+# Database (alternative to Supabase)
+DATABASE_URL=postgresql://localhost:5432/lsh
 
-# Caching (Optional)
+# Caching
 REDIS_URL=redis://localhost:6379
 
-# Monitoring
-MONITORING_API_PORT=3031                # Monitoring API port
+# Security
+LSH_ALLOW_DANGEROUS_COMMANDS=false  # Keep false in production
 ```
 
-### Security Best Practices
+### Generate Secrets
 
-**🔒 Production Deployment:**
-
-1. **Always set secrets** - API keys and JWT secrets are mandatory in production
-2. **Generate strong keys** - Use `openssl rand -hex 32` for secrets
-3. **Enable webhook verification** - Set webhook secrets when using webhooks
-4. **Review dangerous commands** - Keep `LSH_ALLOW_DANGEROUS_COMMANDS=false`
-5. **Use environment variables** - Never commit `.env` to version control
+```bash
+# Encryption key for secrets
+lsh lib secrets key
 
-**Environment Validation:**
+# API key for HTTP API
+openssl rand -hex 32
 
-LSH validates environment variables at startup and fails fast in production if:
-- Required secrets are missing or too short
-- Invalid URL formats
-- Dangerous commands enabled in production
+# JWT secret
+openssl rand -hex 32
+```
 
 ## Development
 
@@ -194,206 +456,192 @@ LSH validates environment variables at startup and fails fast in production if:
 # Build TypeScript
 npm run build
 
-# Watch mode for development
+# Watch mode
 npm run watch
 
-# Type checking only
+# Type checking
 npm run typecheck
 ```
 
 ### Testing
 
 ```bash
-# Run all tests
+# Run tests
 npm test
 
-# Run tests with coverage
+# With coverage
 npm run test:coverage
 
-# Run integration tests
-npm run test:integration
-
-# Lint code
+# Lint
 npm run lint
 
-# Auto-fix lint issues
+# Auto-fix
 npm run lint:fix
 ```
 
-**Current Test Coverage:** ~1.5% (baseline established, actively improving)
-
-**Well-tested modules:**
-- `command-validator.ts` - 100% coverage
-- `env-validator.ts` - 74% coverage
-
-### Electron App
+### From Source
 
 ```bash
-# Run as desktop application
-npm run electron
-
-# Development mode
-npm run electron-dev
-
-# Access dashboards
-npm run dashboard
+git clone https://github.com/gwicho38/lsh.git
+cd lsh
+npm install
+npm run build
+npm link
+lsh --version
 ```
 
-## Architecture
-
-### Core Components
+## Troubleshooting
 
-- **`src/lib/shell-executor.ts`** - Main shell command executor
-- **`src/lib/job-manager.ts`** - Job lifecycle management
-- **`src/daemon/lshd.ts`** - Persistent background daemon
-- **`src/daemon/api-server.ts`** - RESTful API server
-- **`src/cicd/webhook-receiver.ts`** - CI/CD webhook integration
+### "No secrets found"
 
-### Data Flow
+```bash
+# Check stored environments
+lsh lib secrets list
 
-```
-User Command → Parser → AST → Executor → Output
-                                ↓
-                          Job Manager
-                                ↓
-                          Daemon (persistent)
-                                ↓
-                          Database/Redis
+# Push if missing
+lsh lib secrets push --env dev
 ```
 
-### Security Architecture
+### "Decryption failed"
 
-```
-API Request → JWT Validation → Command Validation → Execution
-Webhook → HMAC Verification → Event Processing → Job Trigger
-Daemon Startup → Env Validation → Fail Fast if Invalid
-```
+```bash
+# Wrong encryption key!
+# Make sure LSH_SECRETS_KEY matches the one used to encrypt
 
-## API Reference
+# Generate new key and re-push
+lsh lib secrets key
+lsh lib secrets push
+```
 
-### Authentication
+### "Supabase not configured"
 
 ```bash
-# Include API key in header
-curl -H "X-API-Key: your_api_key" http://localhost:3030/api/status
+# Add to .env:
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_ANON_KEY=your-anon-key
 ```
 
-### Endpoints
-
-**Job Management:**
-- `GET /api/jobs` - List all jobs
-- `POST /api/jobs` - Create a new job
-- `GET /api/jobs/:id` - Get job details
-- `POST /api/jobs/:id/trigger` - Trigger job execution
-- `DELETE /api/jobs/:id` - Remove a job
-
-**Daemon Control:**
-- `GET /api/status` - Daemon status
-- `GET /api/metrics` - System metrics
-
-**Webhooks:**
-- `POST /webhooks/github` - GitHub webhook endpoint
-- `POST /webhooks/gitlab` - GitLab webhook endpoint
-- `POST /webhooks/jenkins` - Jenkins webhook endpoint
-
-## Troubleshooting
-
-### Common Issues
+### Daemon won't start
 
-**Daemon won't start:**
 ```bash
 # Check if already running
 ps aux | grep lshd
 
-# Check PID file
-cat /tmp/lsh-job-daemon-$USER.pid
-
 # Remove stale PID file
 rm /tmp/lsh-job-daemon-$USER.pid
+
+# Restart
+lsh lib daemon start
 ```
 
-**Tests failing:**
-```bash
-# Clear Jest cache
-npm test -- --clearCache
+## Documentation
+
+- **[SECRETS_GUIDE.md](SECRETS_GUIDE.md)** - Complete secrets management guide
+- **[SECRETS_QUICK_REFERENCE.md](SECRETS_QUICK_REFERENCE.md)** - Quick reference for daily use
+- **[SECRETS_CHEATSHEET.txt](SECRETS_CHEATSHEET.txt)** - Command cheatsheet
+- **[INSTALL.md](INSTALL.md)** - Detailed installation instructions
+- **[CLAUDE.md](CLAUDE.md)** - Developer guide for contributors
+
+## Architecture
 
-# Check Node version
-node --version  # Should be 18+
+### Secrets Flow
+
+```
+Local .env → Encrypt (AES-256) → Supabase/PostgreSQL
+                                       ↓
+                                  Pull on any machine
+                                       ↓
+                            Decrypt → Local .env
 ```
 
-**Environment validation errors:**
-```bash
-# Check your .env file matches .env.example
-cp .env.example .env
-# Edit .env with your values
+### Rotation Flow
 
-# Generate secrets
-openssl rand -hex 32
+```
+Cron Schedule → Daemon → Rotation Script → Update .env → Push to cloud
+                                                              ↓
+                                                    Notify team/reload apps
 ```
 
-**Lint errors:**
-```bash
-# Auto-fix what's possible
-npm run lint:fix
+### Security Architecture
 
-# Check specific file
-npx eslint src/your-file.ts
+```
+API Request → JWT Validation → Command Validation → Execution
+Webhook → HMAC Verification → Event Processing → Job Trigger
+Daemon Startup → Env Validation → Fail Fast if Invalid
+Secrets → AES-256 Encryption → Encrypted Storage
 ```
 
-## Contributing
+## API Reference
 
-Contributions are welcome! Please:
+### Secrets API
 
-1. **Fork the repository**
-2. **Create a feature branch** - `git checkout -b feature/your-feature`
-3. **Make your changes**
-4. **Add tests** - Ensure tests pass with `npm test`
-5. **Lint your code** - Run `npm run lint:fix`
-6. **Commit your changes** - Follow conventional commit format
-7. **Push to your fork** - `git push origin feature/your-feature`
-8. **Create a Pull Request**
+All secrets commands are available programmatically:
 
-### Code Style
+```typescript
+import SecretsManager from 'lsh-framework/dist/lib/secrets-manager.js';
 
-- Use TypeScript with proper types (avoid `any`)
-- Prefix unused variables with `_` (e.g., `_unusedVar`)
-- Add tests for new features
-- Follow existing code structure
-- Update documentation for user-facing changes
+const manager = new SecretsManager();
 
-### Running in Development
+// Push secrets
+await manager.push('.env', 'production');
 
-```bash
-# Terminal 1: Watch TypeScript compilation
-npm run watch
+// Pull secrets
+await manager.pull('.env', 'production');
 
-# Terminal 2: Run tests in watch mode
-npm test -- --watch
+// List environments
+const envs = await manager.listEnvironments();
 
-# Terminal 3: Run the shell
-node dist/cli.js
+// Show secrets (masked)
+await manager.show('production');
 ```
 
-## License
+### REST API
 
-ISC
+See API endpoints documentation in the Advanced Features section.
 
-## Project Status
+## Roadmap
 
-**Active Development** - This project is under active development. Features and APIs may change.
+- [ ] CLI command shortcuts (`lsh push` instead of `lsh lib secrets push`)
+- [ ] Built-in secret rotation templates (AWS, GCP, Azure)
+- [ ] Web dashboard for team secret management
+- [ ] Audit logging for secret access
+- [ ] Integration with cloud secret managers (AWS Secrets Manager, etc.)
+- [ ] Automatic secret expiration warnings
+- [ ] Git hooks for secret validation
 
-**Current Focus:**
-- Improving test coverage (target: 70%)
-- Reducing lint errors
-- Adding comprehensive documentation
-- Refactoring large modules
+## Contributing
 
-## Credits
+Contributions welcome! Please:
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/your-feature`
+3. Make your changes
+4. Add tests: `npm test`
+5. Lint: `npm run lint:fix`
+6. Commit and push
+7. Create a Pull Request
 
-- [awesome-micro-npm](https://github.com/parro-it/awesome-micro-npm-packages)
+## License
+
+MIT
 
 ## Support
 
-For issues, questions, or contributions:
 - **Issues**: https://github.com/gwicho38/lsh/issues
 - **Discussions**: https://github.com/gwicho38/lsh/discussions
+- **Documentation**: See docs/ folder
+
+## Credits
+
+Built with:
+- TypeScript for type safety
+- Supabase for encrypted storage
+- Node.js crypto for AES-256 encryption
+- Commander.js for CLI framework
+- React/Ink for terminal UI
+
+---
+
+**Made with ❤️ for developers tired of copying .env files**
+
+**Stop copying. Start syncing. Automate rotation.**