lsh-framework 0.8.0 → 0.8.2

package/README.md

@@ -126,7 +126,7 @@ lsh lib secrets pull --env prod     # for production debugging
 | `lsh lib secrets create` | Create new .env file |
 | `lsh lib secrets delete` | Delete .env file (with confirmation) |
 
-See the complete guide: [SECRETS_GUIDE.md](SECRETS_GUIDE.md)
+See the complete guide: [SECRETS_GUIDE.md](docs/features/secrets/SECRETS_GUIDE.md)
 
 ## Installation
 
@@ -536,10 +536,10 @@ lsh lib daemon start
 
 ## Documentation
 
-- **[SECRETS_GUIDE.md](SECRETS_GUIDE.md)** - Complete secrets management guide
-- **[SECRETS_QUICK_REFERENCE.md](SECRETS_QUICK_REFERENCE.md)** - Quick reference for daily use
+- **[SECRETS_GUIDE.md](docs/features/secrets/SECRETS_GUIDE.md)** - Complete secrets management guide
+- **[SECRETS_QUICK_REFERENCE.md](docs/features/secrets/SECRETS_QUICK_REFERENCE.md)** - Quick reference for daily use
 - **[SECRETS_CHEATSHEET.txt](SECRETS_CHEATSHEET.txt)** - Command cheatsheet
-- **[INSTALL.md](INSTALL.md)** - Detailed installation instructions
+- **[INSTALL.md](docs/deployment/INSTALL.md)** - Detailed installation instructions
 - **[CLAUDE.md](CLAUDE.md)** - Developer guide for contributors
 
 ## Architecture

package/dist/lib/git-utils.js

@@ -0,0 +1,186 @@
+/**
+ * Git Utilities
+ * Helper functions for git repository detection and information extraction
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import { createLogger } from './logger.js';
+const logger = createLogger('GitUtils');
+/**
+ * Check if a directory is inside a git repository
+ */
+export function isInGitRepo(dir = process.cwd()) {
+    try {
+        execSync('git rev-parse --is-inside-work-tree', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get git repository root path
+ */
+export function getGitRootPath(dir = process.cwd()) {
+    try {
+        const output = execSync('git rev-parse --show-toplevel', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return output.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Get git remote URL
+ */
+export function getGitRemoteUrl(dir = process.cwd()) {
+    try {
+        const output = execSync('git remote get-url origin', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return output.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Extract repository name from git remote URL or directory name
+ */
+export function extractRepoName(remoteUrl, rootPath) {
+    if (remoteUrl) {
+        // Extract from URL patterns:
+        // git@github.com:user/repo.git -> repo
+        // https://github.com/user/repo.git -> repo
+        const match = remoteUrl.match(/[/:]([\w-]+?)(\.git)?$/);
+        if (match) {
+            return match[1];
+        }
+    }
+    if (rootPath) {
+        // Use directory name as fallback
+        return path.basename(rootPath);
+    }
+    return undefined;
+}
+/**
+ * Get current git branch
+ */
+export function getCurrentBranch(dir = process.cwd()) {
+    try {
+        const output = execSync('git rev-parse --abbrev-ref HEAD', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return output.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Get comprehensive git repository information
+ */
+export function getGitRepoInfo(dir = process.cwd()) {
+    const isGitRepo = isInGitRepo(dir);
+    if (!isGitRepo) {
+        return { isGitRepo: false };
+    }
+    const rootPath = getGitRootPath(dir);
+    const remoteUrl = getGitRemoteUrl(dir);
+    const repoName = extractRepoName(remoteUrl, rootPath);
+    const currentBranch = getCurrentBranch(dir);
+    return {
+        isGitRepo: true,
+        rootPath,
+        repoName,
+        remoteUrl,
+        currentBranch,
+    };
+}
+/**
+ * Check if .env.example exists in the repo
+ */
+export function hasEnvExample(dir = process.cwd()) {
+    const patterns = ['.env.example', '.env.sample', '.env.template'];
+    for (const pattern of patterns) {
+        const filePath = path.join(dir, pattern);
+        if (fs.existsSync(filePath)) {
+            return filePath;
+        }
+    }
+    return undefined;
+}
+/**
+ * Check if .gitignore exists and contains .env
+ */
+export function isEnvIgnored(dir = process.cwd()) {
+    const gitignorePath = path.join(dir, '.gitignore');
+    if (!fs.existsSync(gitignorePath)) {
+        return false;
+    }
+    try {
+        const content = fs.readFileSync(gitignorePath, 'utf8');
+        const lines = content.split('\n');
+        for (const line of lines) {
+            const trimmed = line.trim();
+            // Check for .env or *.env patterns
+            if (trimmed === '.env' || trimmed === '*.env' || trimmed.includes('.env')) {
+                return true;
+            }
+        }
+        return false;
+    }
+    catch (error) {
+        logger.warn(`Failed to read .gitignore: ${error.message}`);
+        return false;
+    }
+}
+/**
+ * Add .env to .gitignore if not already present
+ */
+export function ensureEnvInGitignore(dir = process.cwd()) {
+    const gitignorePath = path.join(dir, '.gitignore');
+    if (isEnvIgnored(dir)) {
+        return; // Already ignored
+    }
+    try {
+        let content = '';
+        if (fs.existsSync(gitignorePath)) {
+            content = fs.readFileSync(gitignorePath, 'utf8');
+            // Ensure newline at end
+            if (!content.endsWith('\n')) {
+                content += '\n';
+            }
+        }
+        content += '\n# Environment variables (managed by LSH)\n.env\n.env.local\n.env.*.local\n';
+        fs.writeFileSync(gitignorePath, content, 'utf8');
+        logger.info('✅ Added .env to .gitignore');
+    }
+    catch (error) {
+        logger.warn(`Failed to update .gitignore: ${error.message}`);
+    }
+}
+export default {
+    isInGitRepo,
+    getGitRootPath,
+    getGitRemoteUrl,
+    extractRepoName,
+    getCurrentBranch,
+    getGitRepoInfo,
+    hasEnvExample,
+    isEnvIgnored,
+    ensureEnvInGitignore,
+};

package/dist/lib/secrets-manager.js

@@ -7,14 +7,20 @@ import * as path from 'path';
 import * as crypto from 'crypto';
 import DatabasePersistence from './database-persistence.js';
 import { createLogger } from './logger.js';
+import { getGitRepoInfo, hasEnvExample, ensureEnvInGitignore } from './git-utils.js';
 const logger = createLogger('SecretsManager');
 export class SecretsManager {
     persistence;
     encryptionKey;
-    constructor(userId, encryptionKey) {
+    gitInfo;
+    constructor(userId, encryptionKey, detectGit = true) {
         this.persistence = new DatabasePersistence(userId);
         // Use provided key or generate from machine ID + user
         this.encryptionKey = encryptionKey || this.getDefaultEncryptionKey();
+        // Auto-detect git repo context
+        if (detectGit) {
+            this.gitInfo = getGitRepoInfo();
+        }
     }
     /**
      * Get default encryption key from environment or machine
@@ -117,6 +123,11 @@ export class SecretsManager {
         if (!fs.existsSync(envFilePath)) {
             throw new Error(`File not found: ${envFilePath}`);
         }
+        // Validate filename pattern for custom files
+        const filename = path.basename(envFilePath);
+        if (filename !== '.env' && !filename.startsWith('.env.')) {
+            throw new Error(`Invalid filename: ${filename}. Must be '.env' or start with '.env.'`);
+        }
         // Warn if using default key
         if (!process.env.LSH_SECRETS_KEY) {
             logger.warn('⚠️  Warning: No LSH_SECRETS_KEY set. Using machine-specific key.');
@@ -129,9 +140,10 @@ export class SecretsManager {
         const env = this.parseEnvFile(content);
         // Encrypt entire .env content
         const encrypted = this.encrypt(content);
-        // Store in Supabase (using job system for now)
+        // Include filename in job_id for tracking multiple .env files
+        const safeFilename = filename.replace(/[^a-zA-Z0-9._-]/g, '_');
         const secretData = {
-            job_id: `secrets_${environment}_${Date.now()}`,
+            job_id: `secrets_${environment}_${safeFilename}_${Date.now()}`,
             command: 'secrets_sync',
             status: 'completed',
             output: encrypted,
@@ -140,20 +152,31 @@ export class SecretsManager {
             working_directory: process.cwd(),
         };
         await this.persistence.saveJob(secretData);
-        logger.info(`✅ Pushed ${Object.keys(env).length} secrets to Supabase`);
+        logger.info(`✅ Pushed ${Object.keys(env).length} secrets from ${filename} to Supabase`);
     }
     /**
      * Pull .env from Supabase
      */
     async pull(envFilePath = '.env', environment = 'dev', force = false) {
-        logger.info(`Pulling ${environment} secrets from Supabase...`);
-        // Get latest secrets
+        // Validate filename pattern for custom files
+        const filename = path.basename(envFilePath);
+        if (filename !== '.env' && !filename.startsWith('.env.')) {
+            throw new Error(`Invalid filename: ${filename}. Must be '.env' or start with '.env.'`);
+        }
+        logger.info(`Pulling ${filename} (${environment}) from Supabase...`);
+        // Get latest secrets for this specific file
         const jobs = await this.persistence.getActiveJobs();
+        const safeFilename = filename.replace(/[^a-zA-Z0-9._-]/g, '_');
         const secretsJobs = jobs
-            .filter(j => j.command === 'secrets_sync' && j.job_id.includes(environment))
+            .filter(j => {
+            // Match secrets for this environment and filename
+            return j.command === 'secrets_sync' &&
+                j.job_id.includes(environment) &&
+                j.job_id.includes(safeFilename);
+        })
             .sort((a, b) => new Date(b.started_at).getTime() - new Date(a.started_at).getTime());
         if (secretsJobs.length === 0) {
-            throw new Error(`No secrets found for environment: ${environment}`);
+            throw new Error(`No secrets found for file '${filename}' in environment: ${environment}`);
         }
         const latestSecret = secretsJobs[0];
         if (!latestSecret.output) {
@@ -179,13 +202,57 @@ export class SecretsManager {
         const secretsJobs = jobs.filter(j => j.command === 'secrets_sync');
         const envs = new Set();
         for (const job of secretsJobs) {
-            const match = job.job_id.match(/secrets_(.+?)_\d+/);
+            // Updated regex to handle new format with filename
+            const match = job.job_id.match(/secrets_([^_]+)_/);
             if (match) {
                 envs.add(match[1]);
             }
         }
         return Array.from(envs).sort();
     }
+    /**
+     * List all tracked .env files
+     */
+    async listAllFiles() {
+        const jobs = await this.persistence.getActiveJobs();
+        const secretsJobs = jobs.filter(j => j.command === 'secrets_sync');
+        // Group by environment and filename to get latest of each
+        const fileMap = new Map();
+        for (const job of secretsJobs) {
+            // Parse job_id: secrets_${environment}_${safeFilename}_${timestamp}
+            const parts = job.job_id.split('_');
+            if (parts.length >= 3 && parts[0] === 'secrets') {
+                const environment = parts[1];
+                // Handle both old and new format
+                let filename = '.env';
+                if (parts.length >= 4) {
+                    // New format with filename
+                    const timestamp = parts[parts.length - 1];
+                    // Reconstruct filename from middle parts
+                    const filenameParts = parts.slice(2, -1);
+                    if (filenameParts.length > 0) {
+                        // Convert underscores back to dots for the extension
+                        filename = filenameParts.join('_');
+                        // Fix the extension dots that were replaced
+                        filename = filename.replace(/^env_/, '.env.');
+                        if (filename === 'env') {
+                            filename = '.env';
+                        }
+                    }
+                }
+                const key = `${environment}_${filename}`;
+                const existing = fileMap.get(key);
+                if (!existing || new Date(job.completed_at || job.started_at) > new Date(existing.updated)) {
+                    fileMap.set(key, {
+                        filename,
+                        environment,
+                        updated: new Date(job.completed_at || job.started_at).toLocaleString()
+                    });
+                }
+            }
+        }
+        return Array.from(fileMap.values()).sort((a, b) => a.filename.localeCompare(b.filename) || a.environment.localeCompare(b.environment));
+    }
     /**
      * Show secrets (masked)
      */
@@ -267,7 +334,329 @@ export class SecretsManager {
         return status;
     }
     /**
-     * Sync command - check status and suggest actions
+     * Get repo-aware environment namespace
+     * Returns environment name with repo context if in a git repo
+     */
+    getRepoAwareEnvironment(environment) {
+        if (this.gitInfo?.repoName) {
+            return `${this.gitInfo.repoName}_${environment}`;
+        }
+        return environment;
+    }
+    /**
+     * Generate encryption key if not set
+     */
+    async ensureEncryptionKey() {
+        if (process.env.LSH_SECRETS_KEY) {
+            return true; // Key already set
+        }
+        logger.warn('⚠️  No encryption key found. Generating a new key...');
+        const key = crypto.randomBytes(32).toString('hex');
+        // Try to add to .env file
+        const envPath = path.join(process.cwd(), '.env');
+        try {
+            let content = '';
+            if (fs.existsSync(envPath)) {
+                content = fs.readFileSync(envPath, 'utf8');
+                if (!content.endsWith('\n')) {
+                    content += '\n';
+                }
+            }
+            // Check if LSH_SECRETS_KEY already exists (but empty)
+            if (content.includes('LSH_SECRETS_KEY=')) {
+                content = content.replace(/LSH_SECRETS_KEY=.*$/m, `LSH_SECRETS_KEY=${key}`);
+            }
+            else {
+                content += `\n# LSH Secrets Encryption Key (do not commit!)\nLSH_SECRETS_KEY=${key}\n`;
+            }
+            fs.writeFileSync(envPath, content, 'utf8');
+            // Set in current process
+            process.env.LSH_SECRETS_KEY = key;
+            this.encryptionKey = key;
+            logger.info('✅ Generated and saved encryption key to .env');
+            logger.info('💡 Load it now: export LSH_SECRETS_KEY=' + key.substring(0, 8) + '...');
+            return true;
+        }
+        catch (error) {
+            logger.error(`Failed to save encryption key: ${error.message}`);
+            logger.info('Please set it manually:');
+            logger.info(`export LSH_SECRETS_KEY=${key}`);
+            return false;
+        }
+    }
+    /**
+     * Create .env from .env.example if available
+     */
+    async createEnvFromExample(envFilePath) {
+        const examplePath = hasEnvExample(process.cwd());
+        if (!examplePath) {
+            // Create minimal template
+            const template = `# Environment Configuration
+# Generated by LSH Secrets Manager
+
+# Application
+NODE_ENV=development
+
+# Database
+DATABASE_URL=
+
+# API Keys
+API_KEY=
+
+# LSH Secrets Encryption Key (auto-generated)
+LSH_SECRETS_KEY=${this.encryptionKey}
+
+# Add your environment variables below
+`;
+            try {
+                fs.writeFileSync(envFilePath, template, 'utf8');
+                logger.info(`✅ Created ${envFilePath} from template`);
+                return true;
+            }
+            catch (error) {
+                logger.error(`Failed to create ${envFilePath}: ${error.message}`);
+                return false;
+            }
+        }
+        // Copy from example
+        try {
+            const content = fs.readFileSync(examplePath, 'utf8');
+            let newContent = content;
+            // Add encryption key if not present
+            if (!content.includes('LSH_SECRETS_KEY')) {
+                newContent += `\n# LSH Secrets Encryption Key (auto-generated)\nLSH_SECRETS_KEY=${this.encryptionKey}\n`;
+            }
+            fs.writeFileSync(envFilePath, newContent, 'utf8');
+            logger.info(`✅ Created ${envFilePath} from ${path.basename(examplePath)}`);
+            return true;
+        }
+        catch (error) {
+            logger.error(`Failed to create ${envFilePath}: ${error.message}`);
+            return false;
+        }
+    }
+    /**
+     * Generate shell export commands for loading .env file
+     */
+    generateExportCommands(envFilePath) {
+        if (!fs.existsSync(envFilePath)) {
+            return '# No .env file found\n';
+        }
+        const content = fs.readFileSync(envFilePath, 'utf8');
+        const lines = content.split('\n');
+        const exports = [];
+        for (const line of lines) {
+            // Skip comments and empty lines
+            if (line.trim().startsWith('#') || !line.trim()) {
+                continue;
+            }
+            // Parse KEY=VALUE
+            const match = line.match(/^([^=]+)=(.*)$/);
+            if (match) {
+                const key = match[1].trim();
+                let value = match[2].trim();
+                // Remove quotes if present (we'll add them back for the export)
+                if ((value.startsWith('"') && value.endsWith('"')) ||
+                    (value.startsWith("'") && value.endsWith("'"))) {
+                    value = value.slice(1, -1);
+                }
+                // Escape special characters for shell
+                const escapedValue = value
+                    .replace(/\\/g, '\\\\')
+                    .replace(/"/g, '\\"')
+                    .replace(/\$/g, '\\$')
+                    .replace(/`/g, '\\`');
+                exports.push(`export ${key}="${escapedValue}"`);
+            }
+        }
+        return exports.join('\n') + '\n';
+    }
+    /**
+     * Smart sync command - automatically set up and synchronize secrets
+     * This is the new enhanced sync that does everything automatically
+     */
+    async smartSync(envFilePath = '.env', environment = 'dev', autoExecute = true, loadMode = false) {
+        // Use repo-aware environment if in git repo
+        const effectiveEnv = this.getRepoAwareEnvironment(environment);
+        const displayEnv = this.gitInfo?.repoName ? `${this.gitInfo.repoName}/${environment}` : environment;
+        // In load mode, redirect output to stderr so stdout only has export commands
+        const out = loadMode ? console.error : console.log;
+        out(`\n🔍 Smart sync for: ${displayEnv}\n`);
+        // Show git repo context if detected
+        if (this.gitInfo?.isGitRepo) {
+            out('📁 Git Repository:');
+            out(`   Repo: ${this.gitInfo.repoName || 'unknown'}`);
+            if (this.gitInfo.currentBranch) {
+                out(`   Branch: ${this.gitInfo.currentBranch}`);
+            }
+            out();
+        }
+        // Step 1: Ensure encryption key exists
+        if (!process.env.LSH_SECRETS_KEY) {
+            logger.info('🔑 No encryption key found...');
+            await this.ensureEncryptionKey();
+            out();
+        }
+        // Step 2: Ensure .gitignore includes .env
+        if (this.gitInfo?.isGitRepo) {
+            ensureEnvInGitignore(process.cwd());
+        }
+        // Step 3: Check current status
+        const status = await this.status(envFilePath, effectiveEnv);
+        out('📊 Current Status:');
+        out(`   Encryption key: ${status.keySet ? '✅' : '❌'}`);
+        out(`   Local ${envFilePath}: ${status.localExists ? `✅ (${status.localKeys} keys)` : '❌'}`);
+        out(`   Cloud storage: ${status.cloudExists ? `✅ (${status.cloudKeys} keys)` : '❌'}`);
+        if (status.cloudExists && status.keyMatches !== undefined) {
+            out(`   Key matches: ${status.keyMatches ? '✅' : '❌'}`);
+        }
+        out();
+        // Step 4: Determine action and execute if auto mode
+        let action = 'in-sync';
+        if (status.cloudExists && status.keyMatches === false) {
+            action = 'key-mismatch';
+            out('⚠️  Encryption key mismatch!');
+            out('   The local key does not match the cloud storage.');
+            out('   Please use the original key or push new secrets with:');
+            out(`   lsh lib secrets push -f ${envFilePath} -e ${environment}`);
+            out();
+            return;
+        }
+        if (!status.localExists && !status.cloudExists) {
+            action = 'create-and-push';
+            out('🆕 No secrets found locally or in cloud');
+            out('   Creating new .env file...');
+            if (autoExecute) {
+                await this.createEnvFromExample(envFilePath);
+                out('   Pushing to cloud...');
+                await this.push(envFilePath, effectiveEnv);
+                out();
+                out('✅ Setup complete! Edit your .env and run sync again to update.');
+            }
+            else {
+                out('💡 Run: lsh lib secrets create && lsh lib secrets push');
+            }
+            out();
+            // Output export commands in load mode
+            if (loadMode && fs.existsSync(envFilePath)) {
+                console.log(this.generateExportCommands(envFilePath));
+            }
+            return;
+        }
+        if (status.localExists && !status.cloudExists) {
+            action = 'push';
+            out('⬆️  Local .env exists but not in cloud');
+            if (autoExecute) {
+                out('   Pushing to cloud...');
+                await this.push(envFilePath, effectiveEnv);
+                out('✅ Secrets pushed to cloud!');
+            }
+            else {
+                out(`💡 Run: lsh lib secrets push -f ${envFilePath} -e ${environment}`);
+            }
+            out();
+            // Output export commands in load mode
+            if (loadMode && fs.existsSync(envFilePath)) {
+                console.log(this.generateExportCommands(envFilePath));
+            }
+            return;
+        }
+        if (!status.localExists && status.cloudExists && status.keyMatches) {
+            action = 'pull';
+            out('⬇️  Cloud secrets available but no local file');
+            if (autoExecute) {
+                out('   Pulling from cloud...');
+                await this.pull(envFilePath, effectiveEnv, false);
+                out('✅ Secrets pulled from cloud!');
+            }
+            else {
+                out(`💡 Run: lsh lib secrets pull -f ${envFilePath} -e ${environment}`);
+            }
+            out();
+            // Output export commands in load mode
+            if (loadMode && fs.existsSync(envFilePath)) {
+                console.log(this.generateExportCommands(envFilePath));
+            }
+            return;
+        }
+        if (status.localExists && status.cloudExists && status.keyMatches) {
+            if (status.localModified && status.cloudModified) {
+                const localNewer = status.localModified > status.cloudModified;
+                const timeDiff = Math.abs(status.localModified.getTime() - status.cloudModified.getTime());
+                const minutesDiff = Math.floor(timeDiff / (1000 * 60));
+                // If difference is less than 1 minute, consider in sync
+                if (minutesDiff < 1) {
+                    out('✅ Local and cloud are in sync!');
+                    out();
+                    if (!loadMode) {
+                        this.showLoadInstructions(envFilePath);
+                    }
+                    else if (fs.existsSync(envFilePath)) {
+                        console.log(this.generateExportCommands(envFilePath));
+                    }
+                    return;
+                }
+                if (localNewer) {
+                    action = 'push';
+                    out('⬆️  Local file is newer than cloud');
+                    out(`   Local: ${status.localModified.toLocaleString()}`);
+                    out(`   Cloud: ${status.cloudModified.toLocaleString()}`);
+                    if (autoExecute) {
+                        out('   Pushing to cloud...');
+                        await this.push(envFilePath, effectiveEnv);
+                        out('✅ Secrets synced to cloud!');
+                    }
+                    else {
+                        out(`💡 Run: lsh lib secrets push -f ${envFilePath} -e ${environment}`);
+                    }
+                }
+                else {
+                    action = 'pull';
+                    out('⬇️  Cloud is newer than local file');
+                    out(`   Local: ${status.localModified.toLocaleString()}`);
+                    out(`   Cloud: ${status.cloudModified.toLocaleString()}`);
+                    if (autoExecute) {
+                        out('   Pulling from cloud (backup created)...');
+                        await this.pull(envFilePath, effectiveEnv, false);
+                        out('✅ Secrets synced from cloud!');
+                    }
+                    else {
+                        out(`💡 Run: lsh lib secrets pull -f ${envFilePath} -e ${environment}`);
+                    }
+                }
+                out();
+                if (!loadMode) {
+                    this.showLoadInstructions(envFilePath);
+                }
+                else if (fs.existsSync(envFilePath)) {
+                    console.log(this.generateExportCommands(envFilePath));
+                }
+                return;
+            }
+        }
+        // Default: everything is in sync
+        out('✅ Secrets are synchronized!');
+        out();
+        if (!loadMode) {
+            this.showLoadInstructions(envFilePath);
+        }
+        else if (fs.existsSync(envFilePath)) {
+            console.log(this.generateExportCommands(envFilePath));
+        }
+    }
+    /**
+     * Show instructions for loading secrets
+     */
+    showLoadInstructions(envFilePath) {
+        console.log('📝 To load secrets in your current shell:');
+        console.log(`   export $(cat ${envFilePath} | grep -v '^#' | xargs)`);
+        console.log();
+        console.log('   Or for safer loading (preserves quotes):');
+        console.log(`   set -a; source ${envFilePath}; set +a`);
+        console.log();
+    }
+    /**
+     * Sync command - check status and suggest actions (legacy, kept for compatibility)
      */
     async sync(envFilePath = '.env', environment = 'dev') {
         console.log(`\n🔍 Checking secrets status for environment: ${environment}\n`);

package/dist/services/secrets/secrets.js

@@ -48,9 +48,24 @@ export async function init_secrets(program) {
         .command('list [environment]')
         .alias('ls')
         .description('List all stored environments or show secrets for specific environment')
-        .action(async (environment) => {
+        .option('--all-files', 'List all tracked .env files across environments')
+        .action(async (environment, options) => {
         try {
             const manager = new SecretsManager();
+            // If --all-files flag is set, list all tracked files
+            if (options.allFiles) {
+                const files = await manager.listAllFiles();
+                if (files.length === 0) {
+                    console.log('No .env files found. Push your first file with: lsh secrets push --file <filename>');
+                    return;
+                }
+                console.log('\n📦 Tracked .env files:\n');
+                for (const file of files) {
+                    console.log(`  • ${file.filename} (${file.environment}) - Last updated: ${file.updated}`);
+                }
+                console.log();
+                return;
+            }
             // If environment specified, show secrets for that environment
             if (environment) {
                 await manager.show(environment);
@@ -154,19 +169,29 @@ API_KEY=
             process.exit(1);
         }
     });
-    // Sync command - check status and suggest actions
+    // Sync command - automatically set up and synchronize secrets
     secretsCmd
         .command('sync')
-        .description('Check secrets sync status and show recommended actions')
+        .description('Automatically set up and synchronize secrets (smart mode)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('--dry-run', 'Show what would be done without executing')
+        .option('--legacy', 'Use legacy sync mode (suggestions only)')
+        .option('--load', 'Output eval-able export commands for loading secrets')
         .action(async (options) => {
         try {
             const manager = new SecretsManager();
-            await manager.sync(options.file, options.env);
+            if (options.legacy) {
+                // Use legacy sync (suggestions only)
+                await manager.sync(options.file, options.env);
+            }
+            else {
+                // Use new smart sync (auto-execute)
+                await manager.smartSync(options.file, options.env, !options.dryRun, options.load);
+            }
         }
         catch (error) {
-            console.error('❌ Failed to check sync status:', error.message);
+            console.error('❌ Failed to sync:', error.message);
             process.exit(1);
         }
     });
@@ -187,6 +212,95 @@ API_KEY=
             process.exit(1);
         }
     });
+    // Get a specific secret value
+    secretsCmd
+        .command('get <key>')
+        .description('Get a specific secret value from .env file')
+        .option('-f, --file <path>', 'Path to .env file', '.env')
+        .action(async (key, options) => {
+        try {
+            const envPath = path.resolve(options.file);
+            if (!fs.existsSync(envPath)) {
+                console.error(`❌ File not found: ${envPath}`);
+                process.exit(1);
+            }
+            const content = fs.readFileSync(envPath, 'utf8');
+            const lines = content.split('\n');
+            for (const line of lines) {
+                if (line.trim().startsWith('#') || !line.trim())
+                    continue;
+                const match = line.match(/^([^=]+)=(.*)$/);
+                if (match && match[1].trim() === key) {
+                    let value = match[2].trim();
+                    // Remove quotes if present
+                    if ((value.startsWith('"') && value.endsWith('"')) ||
+                        (value.startsWith("'") && value.endsWith("'"))) {
+                        value = value.slice(1, -1);
+                    }
+                    console.log(value);
+                    return;
+                }
+            }
+            console.error(`❌ Key '${key}' not found in ${options.file}`);
+            process.exit(1);
+        }
+        catch (error) {
+            console.error('❌ Failed to get secret:', error.message);
+            process.exit(1);
+        }
+    });
+    // Set a specific secret value
+    secretsCmd
+        .command('set <key> <value>')
+        .description('Set a specific secret value in .env file')
+        .option('-f, --file <path>', 'Path to .env file', '.env')
+        .action(async (key, value, options) => {
+        try {
+            const envPath = path.resolve(options.file);
+            // Validate key format
+            if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+                console.error(`❌ Invalid key format: ${key}. Must be a valid environment variable name.`);
+                process.exit(1);
+            }
+            let content = '';
+            let found = false;
+            if (fs.existsSync(envPath)) {
+                content = fs.readFileSync(envPath, 'utf8');
+                const lines = content.split('\n');
+                const newLines = [];
+                for (const line of lines) {
+                    if (line.trim().startsWith('#') || !line.trim()) {
+                        newLines.push(line);
+                        continue;
+                    }
+                    const match = line.match(/^([^=]+)=(.*)$/);
+                    if (match && match[1].trim() === key) {
+                        // Quote values with spaces or special characters
+                        const needsQuotes = /[\s#]/.test(value);
+                        const quotedValue = needsQuotes ? `"${value}"` : value;
+                        newLines.push(`${key}=${quotedValue}`);
+                        found = true;
+                    }
+                    else {
+                        newLines.push(line);
+                    }
+                }
+                content = newLines.join('\n');
+            }
+            // If key wasn't found, append it
+            if (!found) {
+                const needsQuotes = /[\s#]/.test(value);
+                const quotedValue = needsQuotes ? `"${value}"` : value;
+                content = content.trimRight() + `\n${key}=${quotedValue}\n`;
+            }
+            fs.writeFileSync(envPath, content, 'utf8');
+            console.log(`✅ Set ${key} in ${options.file}`);
+        }
+        catch (error) {
+            console.error('❌ Failed to set secret:', error.message);
+            process.exit(1);
+        }
+    });
     // Delete .env file with confirmation
     secretsCmd
         .command('delete')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Encrypted secrets manager with automatic rotation, team sync, and multi-environment support. Built on a powerful shell with daemon scheduling and CI/CD integration.",
   "main": "dist/app.js",
   "bin": {