lsh-framework 3.1.0 → 3.1.2

package/dist/commands/config.js

@@ -5,11 +5,12 @@
 import { spawn } from 'child_process';
 import { getConfigManager, loadGlobalConfig } from '../lib/config-manager.js';
 import * as fs from 'fs/promises';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Get user's preferred editor
  */
 function getEditor() {
-    return process.env.VISUAL || process.env.EDITOR || 'vi';
+    return process.env[ENV_VARS.VISUAL] || process.env[ENV_VARS.EDITOR] || 'vi';
 }
 /**
  * Open config file in user's editor

package/dist/commands/doctor.js

@@ -8,6 +8,7 @@ import * as path from 'path';
 import { createClient } from '@supabase/supabase-js';
 import { getPlatformPaths, getPlatformInfo } from '../lib/platform-utils.js';
 import { IPFSClientManager } from '../lib/ipfs-client-manager.js';
+import * as os from 'os';
 /**
  * Register doctor commands
  */
@@ -15,6 +16,7 @@ export function registerDoctorCommands(program) {
     program
         .command('doctor')
         .description('Health check and troubleshooting')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('-v, --verbose', 'Show detailed information')
         .option('--json', 'Output results as JSON')
         .action(async (options) => {
@@ -28,12 +30,25 @@ export function registerDoctorCommands(program) {
         }
     });
 }
+/**
+ * Get the base directory for .env files
+ */
+function getBaseDir(globalMode) {
+    return globalMode ? os.homedir() : process.cwd();
+}
 /**
  * Run comprehensive health check
  */
 async function runHealthCheck(options) {
+    const baseDir = getBaseDir(options.global);
     if (!options.json) {
-        console.log(chalk.bold.cyan('\n🏥 LSH Health Check'));
+        if (options.global) {
+            console.log(chalk.bold.cyan('\n🏥 LSH Health Check (Global Workspace)'));
+            console.log(chalk.yellow(`   Location: ${baseDir}`));
+        }
+        else {
+            console.log(chalk.bold.cyan('\n🏥 LSH Health Check'));
+        }
         console.log(chalk.gray('━'.repeat(50)));
         console.log('');
     }
@@ -41,18 +56,20 @@ async function runHealthCheck(options) {
     // Platform check
     checks.push(await checkPlatform(options.verbose));
     // .env file check
-    checks.push(await checkEnvFile(options.verbose));
+    checks.push(await checkEnvFile(options.verbose, baseDir));
     // Encryption key check
-    checks.push(await checkEncryptionKey(options.verbose));
+    checks.push(await checkEncryptionKey(options.verbose, baseDir));
     // Storage backend check
-    const storageChecks = await checkStorageBackend(options.verbose);
+    const storageChecks = await checkStorageBackend(options.verbose, baseDir);
     checks.push(...storageChecks);
-    // Git repository check
-    checks.push(await checkGitRepository(options.verbose));
+    // Git repository check (skip for global mode)
+    if (!options.global) {
+        checks.push(await checkGitRepository(options.verbose));
+    }
     // IPFS client check
     checks.push(await checkIPFSClient(options.verbose));
     // Permissions check
-    checks.push(await checkPermissions(options.verbose));
+    checks.push(await checkPermissions(options.verbose, baseDir));
     // Display results
     if (options.json) {
         console.log(JSON.stringify({ checks, summary: getSummary(checks) }, null, 2));
@@ -86,9 +103,9 @@ async function checkPlatform(verbose) {
 /**
  * Check .env file
  */
-async function checkEnvFile(verbose) {
+async function checkEnvFile(verbose, baseDir) {
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir || process.cwd(), '.env');
         // Read file directly without access check to avoid TOCTOU race condition
         const content = await fs.readFile(envPath, 'utf-8');
         const lines = content.split('\n').filter(l => l.trim() && !l.startsWith('#'));
@@ -111,9 +128,9 @@ async function checkEnvFile(verbose) {
 /**
  * Check encryption key
  */
-async function checkEncryptionKey(verbose) {
+async function checkEncryptionKey(verbose, baseDir) {
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir || process.cwd(), '.env');
         const content = await fs.readFile(envPath, 'utf-8');
         const match = content.match(/^LSH_SECRETS_KEY=(.+)$/m);
         if (!match) {
@@ -163,10 +180,10 @@ async function checkEncryptionKey(verbose) {
 /**
  * Check storage backend configuration
  */
-async function checkStorageBackend(verbose) {
+async function checkStorageBackend(verbose, baseDir) {
     const checks = [];
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir || process.cwd(), '.env');
         const content = await fs.readFile(envPath, 'utf-8');
         const supabaseUrl = content.match(/^SUPABASE_URL=(.+)$/m)?.[1]?.trim();
         const supabaseKey = content.match(/^SUPABASE_ANON_KEY=(.+)$/m)?.[1]?.trim();
@@ -332,7 +349,7 @@ async function checkIPFSClient(verbose) {
 /**
  * Check file permissions
  */
-async function checkPermissions(verbose) {
+async function checkPermissions(verbose, _baseDir) {
     try {
         const paths = getPlatformPaths();
         // Check if we can write to temp directory with secure permissions

package/dist/commands/init.js

@@ -11,6 +11,7 @@ import { createClient } from '@supabase/supabase-js';
 import ora from 'ora';
 import { getPlatformPaths } from '../lib/platform-utils.js';
 import { getGitRepoInfo } from '../lib/git-utils.js';
+import * as os from 'os';
 /**
  * Register init commands
  */
@@ -18,6 +19,7 @@ export function registerInitCommands(program) {
     program
         .command('init')
         .description('Interactive setup wizard (first-time configuration)')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--local', 'Use local-only encryption (no cloud sync)')
         .option('--storacha', 'Use Storacha IPFS network sync (recommended)')
         .option('--supabase', 'Use Supabase cloud storage')
@@ -34,15 +36,30 @@ export function registerInitCommands(program) {
         }
     });
 }
+/**
+ * Get the base directory for .env files
+ */
+function getBaseDir(globalMode) {
+    return globalMode ? os.homedir() : process.cwd();
+}
 /**
  * Run the interactive setup wizard
  */
 async function runSetupWizard(options) {
-    console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Setup Wizard'));
-    console.log(chalk.gray('━'.repeat(50)));
+    const globalMode = options.global ?? false;
+    const baseDir = getBaseDir(globalMode);
+    if (globalMode) {
+        console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Global Setup Wizard'));
+        console.log(chalk.gray('━'.repeat(50)));
+        console.log(chalk.yellow(`\n🌐 Global Mode: Using $HOME (${baseDir})`));
+    }
+    else {
+        console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Setup Wizard'));
+        console.log(chalk.gray('━'.repeat(50)));
+    }
     console.log('');
     // Check if already configured
-    const existingConfig = await checkExistingConfig();
+    const existingConfig = await checkExistingConfig(baseDir);
     if (existingConfig) {
         const { overwrite } = await inquirer.prompt([
             {
@@ -181,16 +198,16 @@ async function runSetupWizard(options) {
         }
     }
     // Save configuration
-    await saveConfiguration(config);
+    await saveConfiguration(config, baseDir, globalMode);
     // Show success message
     showSuccessMessage(config);
 }
 /**
  * Check if LSH is already configured
  */
-async function checkExistingConfig() {
+async function checkExistingConfig(baseDir) {
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir, '.env');
         // Read file directly without access check to avoid TOCTOU race condition
         const content = await fs.readFile(envPath, 'utf-8');
         return content.includes('LSH_SECRETS_KEY') ||
@@ -417,10 +434,10 @@ function generateEncryptionKey() {
 /**
  * Save configuration to .env file
  */
-async function saveConfiguration(config) {
+async function saveConfiguration(config, baseDir, globalMode) {
     const spinner = ora('Saving configuration...').start();
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir, '.env');
         let envContent = '';
         // Try to read existing .env
         try {
@@ -461,8 +478,10 @@ async function saveConfiguration(config) {
         }
         // Write .env file
         await fs.writeFile(envPath, envContent, 'utf-8');
-        // Update .gitignore
-        await updateGitignore();
+        // Update .gitignore (skip for global mode since it's in $HOME)
+        if (!globalMode) {
+            await updateGitignore();
+        }
         spinner.succeed(chalk.green('✅ Configuration saved'));
     }
     catch (error) {

package/dist/commands/self.js

@@ -9,6 +9,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import chalk from 'chalk';
 import { fileURLToPath } from 'url';
+import { ENV_VARS } from '../constants/index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 const selfCommand = new Command('self');
@@ -300,9 +301,9 @@ selfCommand
     console.log();
     // Environment
     console.log(chalk.yellow('Environment:'));
-    console.log('  NODE_ENV:', process.env.NODE_ENV || 'not set');
-    console.log('  HOME:', process.env.HOME || 'not set');
-    console.log('  USER:', process.env.USER || 'not set');
+    console.log('  NODE_ENV:', process.env[ENV_VARS.NODE_ENV] || 'not set');
+    console.log('  HOME:', process.env[ENV_VARS.HOME] || 'not set');
+    console.log('  USER:', process.env[ENV_VARS.USER] || 'not set');
     console.log();
     // Configuration
     const envFile = path.join(process.cwd(), '.env');

package/dist/constants/api.js

@@ -7,7 +7,7 @@ export const ENDPOINTS = {
     // Health and status
     HEALTH: '/health',
     ROOT: '/',
-    // Authentication
+    // Authentication (legacy)
     AUTH: '/api/auth',
     AUTH_REGISTER: '/auth/register',
     AUTH_LOGIN: '/auth/login',
@@ -48,6 +48,39 @@ export const ENDPOINTS = {
     API_ANALYTICS_PREDICTIONS: '/api/analytics/predictions',
     API_ANALYTICS_COSTS: '/api/analytics/costs',
     API_ANALYTICS_BOTTLENECKS: '/api/analytics/bottlenecks',
+    // SaaS API v1 - Authentication
+    API_V1_AUTH_SIGNUP: '/api/v1/auth/signup',
+    API_V1_AUTH_LOGIN: '/api/v1/auth/login',
+    API_V1_AUTH_VERIFY_EMAIL: '/api/v1/auth/verify-email',
+    API_V1_AUTH_RESEND_VERIFICATION: '/api/v1/auth/resend-verification',
+    API_V1_AUTH_REFRESH: '/api/v1/auth/refresh',
+    API_V1_AUTH_ME: '/api/v1/auth/me',
+    // SaaS API v1 - Organizations
+    API_V1_ORGANIZATIONS: '/api/v1/organizations',
+    API_V1_ORGANIZATION: '/api/v1/organizations/:organizationId',
+    API_V1_ORGANIZATION_MEMBERS: '/api/v1/organizations/:organizationId/members',
+    API_V1_ORGANIZATION_TEAMS: '/api/v1/organizations/:organizationId/teams',
+    API_V1_ORGANIZATION_AUDIT: '/api/v1/organizations/:organizationId/audit',
+    API_V1_ORGANIZATION_BILLING_SUBSCRIPTION: '/api/v1/organizations/:organizationId/billing/subscription',
+    API_V1_ORGANIZATION_BILLING_CHECKOUT: '/api/v1/organizations/:organizationId/billing/checkout',
+    // SaaS API v1 - Teams
+    API_V1_TEAM_SECRETS: '/api/v1/teams/:teamId/secrets',
+    API_V1_TEAM_SECRET: '/api/v1/teams/:teamId/secrets/:secretId',
+    API_V1_TEAM_SECRET_RETRIEVE: '/api/v1/teams/:teamId/secrets/:secretId/retrieve',
+    API_V1_TEAM_SECRETS_EXPORT: '/api/v1/teams/:teamId/secrets/export/env',
+    API_V1_TEAM_SECRETS_IMPORT: '/api/v1/teams/:teamId/secrets/import/env',
+    // SaaS API v1 - Webhooks
+    API_V1_WEBHOOKS_STRIPE: '/api/v1/webhooks/stripe',
+    API_V1_BILLING_WEBHOOKS: '/api/v1/billing/webhooks',
+    API_V1_ORGANIZATION_AUDIT_LOGS: '/api/v1/organizations/:organizationId/audit-logs',
+    // API Info/Documentation (patterns)
+    API_V1_ROOT: '/api/v1',
+    API_V1_AUTH_WILDCARD: '/api/v1/auth/*',
+    API_V1_ORGANIZATIONS_WILDCARD: '/api/v1/organizations/*',
+    API_V1_ORG_TEAMS_WILDCARD: '/api/v1/organizations/:id/teams/*',
+    API_V1_TEAMS_SECRETS_WILDCARD: '/api/v1/teams/:id/secrets/*',
+    API_V1_ORG_BILLING_WILDCARD: '/api/v1/organizations/:id/billing/*',
+    API_V1_ORG_AUDIT_LOGS: '/api/v1/organizations/:id/audit-logs',
 };
 export const HTTP_HEADERS = {
     // Standard headers

package/dist/constants/config.js

@@ -8,14 +8,37 @@ export const ENV_VARS = {
     NODE_ENV: 'NODE_ENV',
     USER: 'USER',
     HOSTNAME: 'HOSTNAME',
+    HOME: 'HOME',
+    SHELL: 'SHELL',
+    EDITOR: 'EDITOR',
+    VISUAL: 'VISUAL',
+    // Platform-specific
+    USERPROFILE: 'USERPROFILE',
+    APPDATA: 'APPDATA',
+    LOCALAPPDATA: 'LOCALAPPDATA',
+    COMSPEC: 'COMSPEC',
     // LSH API configuration
     LSH_API_ENABLED: 'LSH_API_ENABLED',
     LSH_API_PORT: 'LSH_API_PORT',
     LSH_API_KEY: 'LSH_API_KEY',
     LSH_JWT_SECRET: 'LSH_JWT_SECRET',
     LSH_ALLOW_DANGEROUS_COMMANDS: 'LSH_ALLOW_DANGEROUS_COMMANDS',
+    // LSH SaaS API
+    LSH_SAAS_API_PORT: 'LSH_SAAS_API_PORT',
+    LSH_SAAS_API_HOST: 'LSH_SAAS_API_HOST',
+    LSH_CORS_ORIGINS: 'LSH_CORS_ORIGINS',
     // Secrets management
     LSH_SECRETS_KEY: 'LSH_SECRETS_KEY',
+    LSH_MASTER_KEY: 'LSH_MASTER_KEY',
+    // Feature flags
+    LSH_LOCAL_STORAGE_QUIET: 'LSH_LOCAL_STORAGE_QUIET',
+    LSH_V1_COMPAT: 'LSH_V1_COMPAT',
+    LSH_STORACHA_ENABLED: 'LSH_STORACHA_ENABLED',
+    DISABLE_IPFS_SYNC: 'DISABLE_IPFS_SYNC',
+    // Logging
+    LSH_LOG_LEVEL: 'LSH_LOG_LEVEL',
+    LSH_LOG_FORMAT: 'LSH_LOG_FORMAT',
+    NO_COLOR: 'NO_COLOR',
     // Webhooks
     LSH_ENABLE_WEBHOOKS: 'LSH_ENABLE_WEBHOOKS',
     WEBHOOK_PORT: 'WEBHOOK_PORT',
@@ -29,28 +52,65 @@ export const ENV_VARS = {
     REDIS_URL: 'REDIS_URL',
     // Monitoring
     MONITORING_API_PORT: 'MONITORING_API_PORT',
+    // Stripe billing
+    STRIPE_SECRET_KEY: 'STRIPE_SECRET_KEY',
+    STRIPE_WEBHOOK_SECRET: 'STRIPE_WEBHOOK_SECRET',
+    STRIPE_PRICE_PRO_MONTHLY: 'STRIPE_PRICE_PRO_MONTHLY',
+    STRIPE_PRICE_PRO_YEARLY: 'STRIPE_PRICE_PRO_YEARLY',
+    STRIPE_PRICE_ENTERPRISE_MONTHLY: 'STRIPE_PRICE_ENTERPRISE_MONTHLY',
+    STRIPE_PRICE_ENTERPRISE_YEARLY: 'STRIPE_PRICE_ENTERPRISE_YEARLY',
+    // Email (Resend)
+    RESEND_API_KEY: 'RESEND_API_KEY',
+    EMAIL_FROM: 'EMAIL_FROM',
+    BASE_URL: 'BASE_URL',
 };
 export const DEFAULTS = {
     // Version
     VERSION: '0.5.1',
     // Ports
     API_PORT: 3030,
+    SAAS_API_PORT: 3031,
     WEBHOOK_PORT: 3033,
     MONITORING_API_PORT: 3031,
+    MONITORING_PORT: 3000,
+    // Hosts
+    DEFAULT_HOST: '0.0.0.0',
+    DEFAULT_CORS_ORIGINS: ['*'],
     // URLs
     REDIS_URL: 'redis://localhost:6379',
     DATABASE_URL: 'postgresql://localhost:5432/cicd',
-    // Timeouts and intervals
+    STRIPE_API_URL: 'https://api.stripe.com/v1',
+    RESEND_API_URL: 'https://api.resend.com/emails',
+    LSH_APP_URL: 'https://app.lsh.dev',
+    LSH_DOCS_URL: 'https://docs.lsh.dev',
+    KUBO_RELEASES_URL: 'https://api.github.com/repos/ipfs/kubo/releases/latest',
+    // Email defaults
+    DEFAULT_EMAIL_FROM: 'noreply@lsh.dev',
+    // Timeouts and intervals (in milliseconds)
     CHECK_INTERVAL_MS: 2000,
     REQUEST_TIMEOUT_MS: 10000,
+    DAEMON_RESTART_DELAY_MS: 1000,
+    JOB_TIMEOUT_1H_MS: 3600000,
+    JOB_TIMEOUT_5M_MS: 300000,
+    JOB_TIMEOUT_1M_MS: 60000,
+    JOB_TIMEOUT_2H_MS: 7200000,
     // Sizes
     MAX_BUFFER_SIZE_BYTES: 1024 * 1024, // 1MB
     MAX_LOG_SIZE_BYTES: 10 * 1024 * 1024, // 10MB
     MAX_COMMAND_LENGTH: 10000,
+    SOCKET_BUFFER_SIZE: 1024,
+    MAX_EVENTS_LIMIT: 100,
+    // History limits
+    MAX_HISTORY_SIZE: 10000,
+    HISTORY_SAVE_INTERVAL_MS: 30000,
     // Limits
     MAX_COMMAND_CHAINS: 5,
     MAX_PIPE_USAGE: 3,
     // Cache and retention
     REDIS_CACHE_EXPIRY_SECONDS: 3600, // 1 hour
     METRICS_RETENTION_SECONDS: 30 * 24 * 60 * 60, // 30 days
+    // Shell defaults
+    DEFAULT_SHELL_UNIX: '/bin/sh',
+    DEFAULT_SHELL_WIN: 'cmd.exe',
+    DEFAULT_EDITOR: 'vi',
 };

package/dist/constants/database.js

@@ -14,6 +14,27 @@ export const TABLES = {
     SHELL_COMPLETIONS: 'shell_completions',
     // CI/CD tables
     PIPELINE_EVENTS: 'pipeline_events',
+    // SaaS tables - Users and Authentication
+    USERS: 'users',
+    USER_SESSIONS: 'user_sessions',
+    // SaaS tables - Organizations and Teams
+    ORGANIZATIONS: 'organizations',
+    ORGANIZATION_MEMBERS: 'organization_members',
+    TEAMS: 'teams',
+    TEAM_MEMBERS: 'team_members',
+    // SaaS tables - Secrets
+    SECRETS: 'secrets',
+    SECRET_ACCESS_LOGS: 'secret_access_logs',
+    SECRET_VERSIONS: 'secret_versions',
+    // SaaS tables - Audit
+    AUDIT_LOGS: 'audit_logs',
+    // SaaS tables - Billing
+    SUBSCRIPTIONS: 'subscriptions',
+    INVOICES: 'invoices',
+    // SaaS tables - Encryption
+    ENCRYPTION_KEYS: 'encryption_keys',
+    // LSH Secrets (legacy name)
+    LSH_SECRETS: 'lsh_secrets',
     // Trading/ML tables (legacy)
     TRADING_DISCLOSURES: 'trading_disclosures',
     POLITICIANS: 'politicians',

package/dist/constants/errors.js

@@ -77,3 +77,27 @@ export const RISK_LEVELS = {
     MEDIUM: 'medium',
     LOW: 'low',
 };
+/**
+ * API Error Codes
+ *
+ * Standard error codes used across the SaaS API and services.
+ */
+export const ERROR_CODES = {
+    // Authentication errors
+    UNAUTHORIZED: 'UNAUTHORIZED',
+    INVALID_CREDENTIALS: 'INVALID_CREDENTIALS',
+    INVALID_TOKEN: 'INVALID_TOKEN',
+    EMAIL_NOT_VERIFIED: 'EMAIL_NOT_VERIFIED',
+    EMAIL_ALREADY_EXISTS: 'EMAIL_ALREADY_EXISTS',
+    // Authorization errors
+    FORBIDDEN: 'FORBIDDEN',
+    // Validation errors
+    INVALID_INPUT: 'INVALID_INPUT',
+    NOT_FOUND: 'NOT_FOUND',
+    ALREADY_EXISTS: 'ALREADY_EXISTS',
+    // Payment errors
+    PAYMENT_REQUIRED: 'PAYMENT_REQUIRED',
+    TIER_LIMIT_EXCEEDED: 'TIER_LIMIT_EXCEEDED',
+    // Server errors
+    INTERNAL_ERROR: 'INTERNAL_ERROR',
+};

package/dist/constants/paths.js

@@ -17,6 +17,9 @@ export const PATHS = {
     DAEMON_JOBS_FILE_TEMPLATE: '/tmp/lsh-daemon-jobs-${USER}.json',
     // Job persistence
     DEFAULT_JOBS_PERSISTENCE_FILE: '/tmp/lsh-jobs.json',
+    // Job registry files
+    JOB_REGISTRY_FILE: '/tmp/lsh-job-registry.json',
+    JOB_LOGS_DIR: '/tmp/lsh-job-logs',
 };
 export const PREFIXES = {
     SESSION_ID: 'lsh_',

package/dist/constants/ui.js

@@ -71,3 +71,83 @@ export const LOG_LEVELS = {
     ERROR: 'ERROR',
     DEBUG: 'DEBUG',
 };
+/**
+ * Emoji prefixes for consistent UI output
+ */
+export const EMOJI = {
+    SUCCESS: '✅',
+    ERROR: '❌',
+    WARNING: '⚠️',
+    INFO: 'ℹ️',
+    TIP: '💡',
+    KEY: '🔑',
+    FILE: '📄',
+    FOLDER: '📁',
+    LIST: '📋',
+    SEARCH: '🔍',
+    LOCATION: '📍',
+    UP: '⬆️',
+    DOWN: '⬇️',
+    CALENDAR: '📅',
+    GEAR: '⚙️',
+};
+/**
+ * Status messages with emoji
+ */
+export const STATUS_MESSAGES = {
+    // Success messages
+    SUCCESS: '✅',
+    SUCCESS_GENERIC: '✅ Success',
+    CONNECTION_SUCCESS: '✅ Connection successful!',
+    CONFIG_SAVED: '✅ Configuration saved',
+    SECRETS_PULLED: '✅ Secrets pulled successfully!',
+    IPFS_INSTALLED: '✅ IPFS client installed',
+    // Error messages
+    ERROR: '❌',
+    ERROR_GENERIC: '❌ Error',
+    CONNECTION_FAILED: '❌ Connection failed',
+    CONFIG_SAVE_FAILED: '❌ Failed to save configuration',
+    PULL_FAILED: '❌ Failed to pull secrets',
+    // Warning messages
+    WARNING: '⚠️',
+    WARNING_GENERIC: '⚠️ Warning',
+    IPFS_NOT_INSTALLED: '⚠️  IPFS client not installed',
+    NOT_GIT_REPO: 'ℹ️  Not in a git repository',
+    // Info messages
+    INFO: 'ℹ️',
+    RECOMMENDATIONS: '💡 Recommendations:',
+    CURRENT_REPO: '📁 Current Repository:',
+};
+/**
+ * Doctor/diagnostic messages
+ */
+export const DOCTOR_MESSAGES = {
+    CHECKING: '🔍 Checking:',
+    ALL_PASSED: '✅ All checks passed!',
+    ISSUES_FOUND: '❌ Issues found',
+    RECOMMENDATIONS: '💡 Recommendations:',
+};
+/**
+ * Init/setup messages
+ */
+export const INIT_MESSAGES = {
+    WELCOME: '🚀 Welcome to LSH Setup',
+    STEP_COMPLETE: '✅ Step complete',
+    SETUP_COMPLETE: '✅ Setup complete!',
+    CONNECTION_TEST_SKIPPED: '⚠️  Connection test skipped. Run "lsh doctor" after setup to verify.',
+};
+/**
+ * Migration messages
+ */
+export const MIGRATION_MESSAGES = {
+    SCANNING: '🔍 Scanning for Firebase references...',
+    MIGRATING: '🔄 Migrating...',
+    COMPLETE: '✅ Migration complete',
+    NO_CHANGES: 'ℹ️  No changes needed',
+};
+/**
+ * Deprecation warnings
+ */
+export const DEPRECATION_WARNINGS = {
+    LIB_COMMANDS: '\x1b[33m⚠️  WARNING: "lsh lib" commands are deprecated as of v1.0.0\x1b[0m',
+};

package/dist/daemon/job-registry.js

@@ -11,6 +11,7 @@ import * as os from 'os';
 import { exec } from 'child_process';
 import { BaseJobManager } from '../lib/base-job-manager.js';
 import MemoryJobStorage from '../lib/job-storage-memory.js';
+import { ENV_VARS } from '../constants/index.js';
 export class JobRegistry extends BaseJobManager {
     config;
     records = new Map(); // jobId -> execution records
@@ -47,7 +48,7 @@ export class JobRegistry extends BaseJobManager {
             outputSize: 0,
             environment: { ...(job.env || {}) },
             workingDirectory: job.cwd || process.cwd(),
-            user: job.user || process.env.USER || 'unknown',
+            user: job.user || process.env[ENV_VARS.USER] || 'unknown',
             hostname: os.hostname(),
             tags: [...(job.tags || [])],
             priority: job.priority || 5,

package/dist/daemon/lshd.js

@@ -14,6 +14,7 @@ import { validateCommand } from '../lib/command-validator.js';
 import { validateEnvironment, printValidationResults } from '../lib/env-validator.js';
 import { createLogger } from '../lib/logger.js';
 import { getPlatformPaths } from '../lib/platform-utils.js';
+import { ENV_VARS, DEFAULTS, ERRORS } from '../constants/index.js';
 const execAsync = promisify(exec);
 export class LSHJobDaemon extends EventEmitter {
     config;
@@ -34,13 +35,13 @@ export class LSHJobDaemon extends EventEmitter {
             logFile: platformPaths.logFile,
             jobsFile: jobsFilePath,
             socketPath: platformPaths.socketPath,
-            checkInterval: 2000, // 2 seconds for better cron accuracy
-            maxLogSize: 10 * 1024 * 1024, // 10MB
+            checkInterval: DEFAULTS.CHECK_INTERVAL_MS,
+            maxLogSize: DEFAULTS.MAX_LOG_SIZE_BYTES,
             autoRestart: true,
-            apiEnabled: process.env.LSH_API_ENABLED === 'true' || false,
-            apiPort: parseInt(process.env.LSH_API_PORT || '3030'),
-            apiKey: process.env.LSH_API_KEY,
-            enableWebhooks: process.env.LSH_ENABLE_WEBHOOKS === 'true',
+            apiEnabled: process.env[ENV_VARS.LSH_API_ENABLED] === 'true' || false,
+            apiPort: parseInt(process.env[ENV_VARS.LSH_API_PORT] || String(DEFAULTS.API_PORT)),
+            apiKey: process.env[ENV_VARS.LSH_API_KEY],
+            enableWebhooks: process.env[ENV_VARS.LSH_ENABLE_WEBHOOKS] === 'true',
             ...config
         };
         this.jobManager = new JobManager(this.config.jobsFile);
@@ -62,9 +63,9 @@ export class LSHJobDaemon extends EventEmitter {
             printValidationResults(envValidation, false);
         }
         // Fail fast in production if validation fails
-        if (!envValidation.isValid && process.env.NODE_ENV === 'production') {
+        if (!envValidation.isValid && process.env[ENV_VARS.NODE_ENV] === 'production') {
             this.log('ERROR', 'Environment validation failed in production');
-            throw new Error('Invalid environment configuration. Check logs for details.');
+            throw new Error(ERRORS.INVALID_ENV_CONFIG);
         }
         // Log warnings even in development
         if (envValidation.warnings.length > 0) {
@@ -124,7 +125,7 @@ export class LSHJobDaemon extends EventEmitter {
      */
     async restart() {
         await this.stop();
-        await new Promise(resolve => setTimeout(resolve, 1000)); // Wait 1 second
+        await new Promise(resolve => setTimeout(resolve, DEFAULTS.DAEMON_RESTART_DELAY_MS));
         await this.start();
     }
     /**
@@ -181,8 +182,8 @@ export class LSHJobDaemon extends EventEmitter {
             }
             // Validate command for security issues
             const validation = validateCommand(job.command, {
-                allowDangerousCommands: process.env.LSH_ALLOW_DANGEROUS_COMMANDS === 'true',
-                maxLength: 10000
+                allowDangerousCommands: process.env[ENV_VARS.LSH_ALLOW_DANGEROUS_COMMANDS] === 'true',
+                maxLength: DEFAULTS.MAX_COMMAND_LENGTH
             });
             if (!validation.isValid) {
                 const errorMsg = `Command validation failed: ${validation.errors.join(', ')}`;
@@ -298,8 +299,7 @@ export class LSHJobDaemon extends EventEmitter {
                 return sanitizedJobs.slice(0, limit);
             }
             // Default limit to prevent oversized responses
-            const defaultLimit = 100;
-            return sanitizedJobs.slice(0, defaultLimit);
+            return sanitizedJobs.slice(0, DEFAULTS.MAX_EVENTS_LIMIT);
         }
         catch (error) {
             this.log('ERROR', `Failed to list jobs: ${error.message}`);
@@ -736,7 +736,6 @@ const cliLogger = createLogger('LSHDaemonCLI');
 const isMainModule = () => {
     try {
         // Use Function constructor to avoid parse-time errors with import.meta
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
         const getImportMetaUrl = new Function('return import.meta.url');
         const metaUrl = getImportMetaUrl();
         return metaUrl === `file://${process.argv[1]}`;
@@ -774,7 +773,7 @@ if (isMainModule()) {
                     schedule: { interval: 0 }, // Run once
                     env: process.env,
                     cwd: process.cwd(),
-                    user: process.env.USER,
+                    user: process.env[ENV_VARS.USER],
                     priority: 5,
                     tags: ['manual'],
                     maxRetries: 0,

package/dist/daemon/saas-api-server.js

@@ -7,6 +7,8 @@ import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { setupSaaSApiRoutes } from './saas-api-routes.js';
 import { getErrorMessage } from '../lib/saas-types.js';
+import { ENV_VARS, DEFAULTS } from '../constants/index.js';
+import { ERROR_CODES } from '../constants/errors.js';
 /**
  * SaaS API Server
  */
@@ -16,11 +18,11 @@ export class SaaSApiServer {
     server;
     constructor(config) {
         this.config = {
-            port: config?.port || parseInt(process.env.LSH_SAAS_API_PORT || '3031'),
-            host: config?.host || process.env.LSH_SAAS_API_HOST || '0.0.0.0',
-            corsOrigins: config?.corsOrigins || (process.env.LSH_CORS_ORIGINS?.split(',') || ['*']),
+            port: config?.port || parseInt(process.env[ENV_VARS.LSH_SAAS_API_PORT] || String(DEFAULTS.SAAS_API_PORT)),
+            host: config?.host || process.env[ENV_VARS.LSH_SAAS_API_HOST] || DEFAULTS.DEFAULT_HOST,
+            corsOrigins: config?.corsOrigins || (process.env[ENV_VARS.LSH_CORS_ORIGINS]?.split(',') || [...DEFAULTS.DEFAULT_CORS_ORIGINS]),
             rateLimitWindowMs: config?.rateLimitWindowMs || 15 * 60 * 1000, // 15 minutes
-            rateLimitMax: config?.rateLimitMax || 100, // Max 100 requests per windowMs
+            rateLimitMax: config?.rateLimitMax || DEFAULTS.MAX_EVENTS_LIMIT, // Max 100 requests per windowMs
         };
         this.app = express();
         this.setupMiddleware();
@@ -113,7 +115,7 @@ export class SaaSApiServer {
             res.status(404).json({
                 success: false,
                 error: {
-                    code: 'NOT_FOUND',
+                    code: ERROR_CODES.NOT_FOUND,
                     message: `Endpoint ${req.method} ${req.path} not found`,
                 },
             });
@@ -127,9 +129,9 @@ export class SaaSApiServer {
         const errorHandler = (err, _req, res, _next) => {
             console.error('API Error:', err);
             // Don't leak error details in production
-            const isDev = process.env.NODE_ENV !== 'production';
+            const isDev = process.env[ENV_VARS.NODE_ENV] !== 'production';
             const statusCode = err.status || 500;
-            const errorCode = err.code || 'INTERNAL_ERROR';
+            const errorCode = err.code || ERROR_CODES.INTERNAL_ERROR;
             res.status(statusCode).json({
                 success: false,
                 error: {

package/dist/lib/base-job-manager.js

@@ -11,6 +11,7 @@
  */
 import { EventEmitter } from 'events';
 import { createLogger } from './logger.js';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Abstract base class for job managers
  */
@@ -54,7 +55,7 @@ export class BaseJobManager extends EventEmitter {
             createdAt: new Date(),
             env: spec.env,
             cwd: spec.cwd || process.cwd(),
-            user: spec.user || process.env.USER,
+            user: spec.user || process.env[ENV_VARS.USER],
             schedule: spec.schedule,
             tags: spec.tags || [],
             description: spec.description,

package/dist/lib/daemon-client.js

@@ -8,6 +8,7 @@ import { EventEmitter } from 'events';
 import DatabasePersistence from './database-persistence.js';
 import { createLogger } from './logger.js';
 import { getPlatformPaths } from './platform-utils.js';
+import { ENV_VARS } from '../constants/index.js';
 export class DaemonClient extends EventEmitter {
     socketPath;
     socket;
@@ -253,7 +254,7 @@ export class DaemonClient extends EventEmitter {
             schedule: jobSpec.schedule,
             env: jobSpec.environment || {},
             cwd: jobSpec.workingDirectory || process.cwd(),
-            user: jobSpec.user || process.env.USER,
+            user: jobSpec.user || process.env[ENV_VARS.USER],
             priority: jobSpec.priority || 0,
             tags: jobSpec.tags || [],
             enabled: jobSpec.enabled !== false,

package/dist/lib/database-persistence.js

@@ -5,6 +5,7 @@
 import { supabaseClient, isSupabaseConfigured } from './supabase-client.js';
 import * as os from 'os';
 import { LocalStorageAdapter } from './local-storage-adapter.js';
+import { ENV_VARS } from '../constants/index.js';
 export class DatabasePersistence {
     client;
     localStorage;
@@ -16,7 +17,7 @@ export class DatabasePersistence {
         if (this.useLocalStorage) {
             // Using local storage is normal when Supabase is not configured
             // Only show this message once per session to avoid noise
-            if (!process.env.LSH_LOCAL_STORAGE_QUIET) {
+            if (!process.env[ENV_VARS.LSH_LOCAL_STORAGE_QUIET]) {
                 console.log('ℹ️  Using local storage (Supabase not configured)');
             }
             this.localStorage = new LocalStorageAdapter(userId);

package/dist/lib/ipfs-secrets-storage.js

@@ -8,6 +8,7 @@ import * as os from 'os';
 import * as crypto from 'crypto';
 import { createLogger } from './logger.js';
 import { getStorachaClient } from './storacha-client.js';
+import { ENV_VARS } from '../constants/index.js';
 const logger = createLogger('IPFSSecretsStorage');
 /**
  * IPFS Secrets Storage
@@ -25,7 +26,7 @@ export class IPFSSecretsStorage {
     metadataPath;
     metadata;
     constructor() {
-        const homeDir = process.env.HOME || os.homedir();
+        const homeDir = process.env[ENV_VARS.HOME] || os.homedir();
         const lshDir = path.join(homeDir, '.lsh');
         this.cacheDir = path.join(lshDir, 'secrets-cache');
         this.metadataPath = path.join(lshDir, 'secrets-metadata.json');

package/dist/lib/ipfs-sync-logger.js

@@ -7,6 +7,7 @@ import * as path from 'path';
 import * as os from 'os';
 import * as crypto from 'crypto';
 import { getGitRepoInfo } from './git-utils.js';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * IPFS Sync Logger
  *
@@ -36,7 +37,7 @@ export class IPFSSyncLogger {
      * Check if IPFS sync is enabled
      */
     isEnabled() {
-        return process.env.DISABLE_IPFS_SYNC !== 'true';
+        return process.env[ENV_VARS.DISABLE_IPFS_SYNC] !== 'true';
     }
     /**
      * Record a sync operation to IPFS
@@ -195,7 +196,7 @@ export class IPFSSyncLogger {
      * Get encryption key fingerprint
      */
     getKeyFingerprint() {
-        const key = process.env.LSH_SECRETS_KEY || 'default';
+        const key = process.env[ENV_VARS.LSH_SECRETS_KEY] || 'default';
         return `sha256:${crypto.createHash('sha256').update(key).digest('hex').substring(0, 16)}`;
     }
     /**

package/dist/lib/logger.js

@@ -3,6 +3,7 @@
  * Centralized logging utility with support for different log levels,
  * structured logging, and environment-based configuration.
  */
+import { ENV_VARS } from '../constants/index.js';
 export var LogLevel;
 (function (LogLevel) {
     LogLevel[LogLevel["DEBUG"] = 0] = "DEBUG";
@@ -41,7 +42,7 @@ const colors = {
  * Get log level from environment variable
  */
 function getLogLevelFromEnv() {
-    const level = process.env.LSH_LOG_LEVEL?.toUpperCase();
+    const level = process.env[ENV_VARS.LSH_LOG_LEVEL]?.toUpperCase();
     switch (level) {
         case 'DEBUG':
             return LogLevel.DEBUG;
@@ -54,7 +55,7 @@ function getLogLevelFromEnv() {
         case 'NONE':
             return LogLevel.NONE;
         default:
-            return process.env.NODE_ENV === 'production' ? LogLevel.INFO : LogLevel.DEBUG;
+            return process.env[ENV_VARS.NODE_ENV] === 'production' ? LogLevel.INFO : LogLevel.DEBUG;
     }
 }
 /**
@@ -66,8 +67,8 @@ export class Logger {
         this.config = {
             level: config?.level ?? getLogLevelFromEnv(),
             enableTimestamp: config?.enableTimestamp ?? true,
-            enableColors: config?.enableColors ?? (!process.env.NO_COLOR && process.stdout.isTTY),
-            enableJSON: config?.enableJSON ?? (process.env.LSH_LOG_FORMAT === 'json'),
+            enableColors: config?.enableColors ?? (!process.env[ENV_VARS.NO_COLOR] && process.stdout.isTTY),
+            enableJSON: config?.enableJSON ?? (process.env[ENV_VARS.LSH_LOG_FORMAT] === 'json'),
             context: config?.context,
         };
     }

package/dist/lib/lsh-config.js

@@ -10,6 +10,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import { logger } from './logger.js';
+import { ENV_VARS } from '../constants/index.js';
 export class LshConfigManager {
     configPath;
     config;
@@ -66,7 +67,7 @@ export class LshConfigManager {
             return this.config.keys[repoName].key;
         }
         // Fall back to environment variables
-        const envKey = process.env.LSH_SECRETS_KEY || process.env.LSH_MASTER_KEY;
+        const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY] || process.env[ENV_VARS.LSH_MASTER_KEY];
         if (envKey) {
             logger.debug(`Using encryption key from environment for ${repoName}`);
             return envKey;

package/dist/lib/lshrc-init.js

@@ -6,13 +6,14 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import { fileURLToPath } from 'url';
+import { ENV_VARS } from '../constants/index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export class LshrcManager {
     lshrcPath;
     constructor(lshrcPath) {
-        // Use process.env.HOME if set (for testability), fallback to os.homedir()
-        const homeDir = process.env.HOME || os.homedir();
+        // Use process.env[ENV_VARS.HOME] if set (for testability), fallback to os.homedir()
+        const homeDir = process.env[ENV_VARS.HOME] || os.homedir();
         this.lshrcPath = lshrcPath || path.join(homeDir, '.lshrc');
     }
     /**

package/dist/lib/platform-utils.js

@@ -4,6 +4,7 @@
  */
 import * as path from 'path';
 import * as os from 'os';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Get platform-specific paths
  * Handles differences between Windows, macOS, and Linux
@@ -31,7 +32,7 @@ export function getPlatformPaths(appName = 'lsh') {
     // Linux: ~/.config/lsh
     let configDir;
     if (isWindows) {
-        configDir = path.join(process.env.APPDATA || path.join(homeDir, 'AppData', 'Roaming'), appName);
+        configDir = path.join(process.env[ENV_VARS.APPDATA] || path.join(homeDir, 'AppData', 'Roaming'), appName);
     }
     else if (isMac) {
         configDir = path.join(homeDir, 'Library', 'Application Support', appName);
@@ -45,7 +46,7 @@ export function getPlatformPaths(appName = 'lsh') {
     // Linux: ~/.local/share/lsh
     let dataDir;
     if (isWindows) {
-        dataDir = path.join(process.env.LOCALAPPDATA || path.join(homeDir, 'AppData', 'Local'), appName);
+        dataDir = path.join(process.env[ENV_VARS.LOCALAPPDATA] || path.join(homeDir, 'AppData', 'Local'), appName);
     }
     else if (isMac) {
         dataDir = path.join(homeDir, 'Library', 'Application Support', appName);
@@ -134,9 +135,9 @@ export async function ensureDir(dirPath) {
  */
 export function getDefaultShell() {
     if (isWindows()) {
-        return process.env.COMSPEC || 'cmd.exe';
+        return process.env[ENV_VARS.COMSPEC] || 'cmd.exe';
     }
-    return process.env.SHELL || '/bin/sh';
+    return process.env[ENV_VARS.SHELL] || '/bin/sh';
 }
 /**
  * Get path separator for current platform

package/dist/lib/saas-auth.js

@@ -6,6 +6,7 @@ import { randomBytes } from 'crypto';
 import bcrypt from 'bcrypt';
 import jwt from 'jsonwebtoken';
 import { getSupabaseClient } from './supabase-client.js';
+import { ENV_VARS } from '../constants/index.js';
 const BCRYPT_ROUNDS = 12;
 const TOKEN_EXPIRY = 7 * 24 * 60 * 60; // 7 days in seconds
 const REFRESH_TOKEN_EXPIRY = 30 * 24 * 60 * 60; // 30 days
@@ -32,7 +33,7 @@ export async function verifyPassword(password, hash) {
  * Generate JWT access token
  */
 export function generateAccessToken(userId, email) {
-    const secret = process.env.LSH_JWT_SECRET;
+    const secret = process.env[ENV_VARS.LSH_JWT_SECRET];
     if (!secret) {
         throw new Error('LSH_JWT_SECRET is not set');
     }
@@ -50,7 +51,7 @@ export function generateAccessToken(userId, email) {
  * Generate JWT refresh token
  */
 export function generateRefreshToken(userId) {
-    const secret = process.env.LSH_JWT_SECRET;
+    const secret = process.env[ENV_VARS.LSH_JWT_SECRET];
     if (!secret) {
         throw new Error('LSH_JWT_SECRET is not set');
     }
@@ -67,7 +68,7 @@ export function generateRefreshToken(userId) {
  * Verify and decode JWT token
  */
 export function verifyToken(token) {
-    const secret = process.env.LSH_JWT_SECRET;
+    const secret = process.env[ENV_VARS.LSH_JWT_SECRET];
     if (!secret) {
         throw new Error('LSH_JWT_SECRET is not set');
     }

package/dist/lib/saas-billing.js

@@ -4,22 +4,23 @@
  */
 import { getSupabaseClient } from './supabase-client.js';
 import { auditLogger } from './saas-audit.js';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Stripe Pricing IDs (set via environment variables)
  */
 export const STRIPE_PRICE_IDS = {
-    pro_monthly: process.env.STRIPE_PRICE_PRO_MONTHLY || '',
-    pro_yearly: process.env.STRIPE_PRICE_PRO_YEARLY || '',
-    enterprise_monthly: process.env.STRIPE_PRICE_ENTERPRISE_MONTHLY || '',
-    enterprise_yearly: process.env.STRIPE_PRICE_ENTERPRISE_YEARLY || '',
+    pro_monthly: process.env[ENV_VARS.STRIPE_PRICE_PRO_MONTHLY] || '',
+    pro_yearly: process.env[ENV_VARS.STRIPE_PRICE_PRO_YEARLY] || '',
+    enterprise_monthly: process.env[ENV_VARS.STRIPE_PRICE_ENTERPRISE_MONTHLY] || '',
+    enterprise_yearly: process.env[ENV_VARS.STRIPE_PRICE_ENTERPRISE_YEARLY] || '',
 };
 /**
  * Billing Service
  */
 export class BillingService {
     supabase = getSupabaseClient();
-    stripeSecretKey = process.env.STRIPE_SECRET_KEY || '';
-    stripeWebhookSecret = process.env.STRIPE_WEBHOOK_SECRET || '';
+    stripeSecretKey = process.env[ENV_VARS.STRIPE_SECRET_KEY] || '';
+    stripeWebhookSecret = process.env[ENV_VARS.STRIPE_WEBHOOK_SECRET] || '';
     stripeApiUrl = 'https://api.stripe.com/v1';
     /**
      * Create Stripe customer

package/dist/lib/saas-email.js

@@ -2,6 +2,7 @@
  * LSH SaaS Email Service
  * Email sending using Resend API
  */
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Email Service
  */
@@ -10,10 +11,10 @@ export class EmailService {
     resendApiUrl = 'https://api.resend.com/emails';
     constructor(config) {
         this.config = {
-            apiKey: config?.apiKey || process.env.RESEND_API_KEY || '',
-            fromEmail: config?.fromEmail || process.env.EMAIL_FROM || 'noreply@lsh.dev',
+            apiKey: config?.apiKey || process.env[ENV_VARS.RESEND_API_KEY] || '',
+            fromEmail: config?.fromEmail || process.env[ENV_VARS.EMAIL_FROM] || 'noreply@lsh.dev',
             fromName: config?.fromName || 'LSH Secrets Manager',
-            baseUrl: config?.baseUrl || process.env.BASE_URL || 'https://app.lsh.dev',
+            baseUrl: config?.baseUrl || process.env[ENV_VARS.BASE_URL] || 'https://app.lsh.dev',
         };
         if (!this.config.apiKey) {
             console.warn('RESEND_API_KEY not set - emails will not be sent');

package/dist/lib/saas-encryption.js

@@ -4,6 +4,7 @@
  */
 import { randomBytes, createCipheriv, createDecipheriv, createHash, pbkdf2Sync } from 'crypto';
 import { getSupabaseClient } from './supabase-client.js';
+import { ENV_VARS } from '../constants/index.js';
 const ALGORITHM = 'aes-256-cbc';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16; // 128 bits
@@ -14,7 +15,7 @@ const PBKDF2_ITERATIONS = 100000;
  * This key is used to encrypt/decrypt team encryption keys
  */
 function getMasterKey() {
-    const masterKeyHex = process.env.LSH_MASTER_KEY || process.env.LSH_SECRETS_KEY;
+    const masterKeyHex = process.env[ENV_VARS.LSH_MASTER_KEY] || process.env[ENV_VARS.LSH_SECRETS_KEY];
     if (!masterKeyHex) {
         throw new Error('LSH_MASTER_KEY or LSH_SECRETS_KEY environment variable must be set for encryption');
     }

package/dist/lib/secrets-manager.js

@@ -9,6 +9,7 @@ import { createLogger, LogLevel } from './logger.js';
 import { getGitRepoInfo, hasEnvExample, ensureEnvInGitignore } from './git-utils.js';
 import { IPFSSyncLogger } from './ipfs-sync-logger.js';
 import { IPFSSecretsStorage } from './ipfs-secrets-storage.js';
+import { ENV_VARS } from '../constants/index.js';
 const logger = createLogger('SecretsManager');
 export class SecretsManager {
     storage;
@@ -18,7 +19,7 @@ export class SecretsManager {
     homeDir;
     constructor(userIdOrOptions, encryptionKey, detectGit) {
         this.storage = new IPFSSecretsStorage();
-        this.homeDir = process.env.HOME || process.env.USERPROFILE || '';
+        this.homeDir = process.env[ENV_VARS.HOME] || process.env[ENV_VARS.USERPROFILE] || '';
         // Handle both legacy and new constructor signatures
         let options;
         if (typeof userIdOrOptions === 'object') {
@@ -73,12 +74,13 @@ export class SecretsManager {
      */
     getDefaultEncryptionKey() {
         // Check for explicit key
-        if (process.env.LSH_SECRETS_KEY) {
-            return process.env.LSH_SECRETS_KEY;
+        const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
+        if (envKey) {
+            return envKey;
         }
         // Generate from machine ID and user
-        const machineId = process.env.HOSTNAME || 'localhost';
-        const user = process.env.USER || 'unknown';
+        const machineId = process.env[ENV_VARS.HOSTNAME] || 'localhost';
+        const user = process.env[ENV_VARS.USER] || 'unknown';
         const seed = `${machineId}-${user}-lsh-secrets`;
         // Create deterministic key
         return crypto.createHash('sha256').update(seed).digest('hex');
@@ -242,7 +244,7 @@ export class SecretsManager {
         // Get the effective environment name (repo-aware)
         const effectiveEnv = this.getRepoAwareEnvironment(environment);
         // Warn if using default key
-        if (!process.env.LSH_SECRETS_KEY) {
+        if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
             logger.warn('⚠️  Warning: No LSH_SECRETS_KEY set. Using machine-specific key.');
             logger.warn('   To share secrets across machines, generate a key with: lsh key');
             logger.warn('   Then add LSH_SECRETS_KEY=<key> to your .env on all machines');
@@ -428,7 +430,7 @@ export class SecretsManager {
             cloudExists: false,
             cloudKeys: 0,
             cloudModified: undefined,
-            keySet: !!process.env.LSH_SECRETS_KEY,
+            keySet: !!process.env[ENV_VARS.LSH_SECRETS_KEY],
             keyMatches: undefined,
             suggestions: [],
         };
@@ -476,7 +478,7 @@ export class SecretsManager {
             return 'dev';
         }
         // Check for v1 compatibility mode
-        if (process.env.LSH_V1_COMPAT === 'true') {
+        if (process.env[ENV_VARS.LSH_V1_COMPAT] === 'true') {
             return 'dev'; // v1.x behavior
         }
         // v2.0 behavior: use repo name as default in git repos
@@ -516,7 +518,7 @@ export class SecretsManager {
      * Generate encryption key if not set
      */
     async ensureEncryptionKey() {
-        if (process.env.LSH_SECRETS_KEY) {
+        if (process.env[ENV_VARS.LSH_SECRETS_KEY]) {
             return true; // Key already set
         }
         logger.warn('⚠️  No encryption key found. Generating a new key...');
@@ -540,7 +542,7 @@ export class SecretsManager {
             }
             fs.writeFileSync(envPath, content, 'utf8');
             // Set in current process
-            process.env.LSH_SECRETS_KEY = key;
+            process.env[ENV_VARS.LSH_SECRETS_KEY] = key;
             this.encryptionKey = key;
             logger.info('✅ Generated and saved encryption key to .env');
             logger.info('💡 Load it now: export LSH_SECRETS_KEY=' + key.substring(0, 8) + '...');
@@ -677,7 +679,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 out();
             }
             // Step 1: Ensure encryption key exists
-            if (!process.env.LSH_SECRETS_KEY) {
+            if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
                 logger.info('🔑 No encryption key found...');
                 await this.ensureEncryptionKey();
                 out();

package/dist/lib/storacha-client.js

@@ -7,6 +7,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { homedir } from 'os';
 import { logger } from './logger.js';
+import { ENV_VARS } from '../constants/index.js';
 export class StorachaClient {
     client = null;
     configPath;
@@ -35,7 +36,7 @@ export class StorachaClient {
             logger.warn('Failed to load Storacha config, using defaults');
         }
         // Default to enabled unless explicitly disabled
-        const envDisabled = process.env.LSH_STORACHA_ENABLED === 'false';
+        const envDisabled = process.env[ENV_VARS.LSH_STORACHA_ENABLED] === 'false';
         return {
             enabled: !envDisabled,
         };
@@ -57,7 +58,7 @@ export class StorachaClient {
      */
     isEnabled() {
         // Explicitly disabled via env var
-        if (process.env.LSH_STORACHA_ENABLED === 'false') {
+        if (process.env[ENV_VARS.LSH_STORACHA_ENABLED] === 'false') {
             return false;
         }
         // Use config setting (defaults to true)

package/dist/lib/supabase-client.js

@@ -3,13 +3,14 @@
  * Provides database connectivity for LSH features
  */
 import { createClient } from '@supabase/supabase-js';
+import { ENV_VARS } from '../constants/index.js';
 export class SupabaseClient {
     client;
     config;
     constructor(config) {
-        const url = config?.url || process.env.SUPABASE_URL;
-        const anonKey = config?.anonKey || process.env.SUPABASE_ANON_KEY;
-        const databaseUrl = config?.databaseUrl || process.env.DATABASE_URL;
+        const url = config?.url || process.env[ENV_VARS.SUPABASE_URL];
+        const anonKey = config?.anonKey || process.env[ENV_VARS.SUPABASE_ANON_KEY];
+        const databaseUrl = config?.databaseUrl || process.env[ENV_VARS.DATABASE_URL];
         if (!url || !anonKey) {
             throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
         }
@@ -76,7 +77,7 @@ function getDefaultClient() {
  * Check if Supabase is configured and available
  */
 export function isSupabaseConfigured() {
-    return !!(process.env.SUPABASE_URL && process.env.SUPABASE_ANON_KEY);
+    return !!(process.env[ENV_VARS.SUPABASE_URL] && process.env[ENV_VARS.SUPABASE_ANON_KEY]);
 }
 export const supabaseClient = {
     getClient() {
@@ -114,8 +115,8 @@ export const supabaseClient = {
  * @throws {Error} If SUPABASE_URL or SUPABASE_ANON_KEY are not set
  */
 export function getSupabaseClient() {
-    const url = process.env.SUPABASE_URL;
-    const key = process.env.SUPABASE_ANON_KEY;
+    const url = process.env[ENV_VARS.SUPABASE_URL];
+    const key = process.env[ENV_VARS.SUPABASE_ANON_KEY];
     if (!url || !key) {
         throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
     }

package/dist/services/secrets/secrets.js

@@ -7,6 +7,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as readline from 'readline';
 import { getGitRepoInfo } from '../../lib/git-utils.js';
+import { ENV_VARS } from '../../constants/index.js';
 export async function init_secrets(program) {
     // Push secrets to cloud
     program
@@ -222,10 +223,12 @@ export async function init_secrets(program) {
         .command('create')
         .description('Create a new .env file')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('-t, --template', 'Create with common template variables')
         .action(async (options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             // Check if file already exists
             if (fs.existsSync(envPath)) {
                 console.log(`❌ File already exists: ${envPath}`);
@@ -882,6 +885,7 @@ API_KEY=
     program
         .command('clear')
         .description('Clear local metadata and cache to resolve stuck registries')
+        .option('-g, --global', 'Use global workspace ($HOME) - default behavior')
         .option('--repo <name>', 'Clear metadata for specific repo only')
         .option('--cache', 'Also clear local encrypted secrets cache')
         .option('--storacha', 'Also delete old Storacha uploads (registries and secrets)')
@@ -889,7 +893,7 @@ API_KEY=
         .option('-y, --yes', 'Skip confirmation prompts')
         .action(async (options) => {
         try {
-            const lshDir = path.join(process.env.HOME || process.env.USERPROFILE || '', '.lsh');
+            const lshDir = path.join(process.env[ENV_VARS.HOME] || process.env[ENV_VARS.USERPROFILE] || '', '.lsh');
             const metadataPath = path.join(lshDir, 'secrets-metadata.json');
             const cacheDir = path.join(lshDir, 'secrets-cache');
             // Determine what we're clearing

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {
@@ -17,7 +17,7 @@
   "scripts": {
     "build": "tsc",
     "watch": "tsc --watch",
-    "test": "node --experimental-vm-modules ./node_modules/.bin/jest",
+    "test": "node --experimental-vm-modules ./node_modules/.bin/jest --runInBand",
     "test:ci": "node --experimental-vm-modules ./node_modules/.bin/jest --runInBand",
     "test:coverage": "node --experimental-vm-modules ./node_modules/.bin/jest --coverage --runInBand",
     "clean": "rm -rf ./build; rm -rf ./bin; rm -rf ./dist",