xtra-cli 1.0.0

package/dist/commands/export.js

@@ -0,0 +1,83 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exportCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const sync_1 = require("csv-stringify/sync");
+const config_1 = require("../lib/config");
+exports.exportCommand = new commander_1.Command("export")
+    .description("Export secrets to a file (JSON, Dotenv, CSV)")
+    .option("-p, --project <projectId>", "Project ID")
+    .option("-e, --env <environment>", "Environment (development, staging, production)", "development")
+    .option("-b, --branch <branchName>", "Branch Name")
+    .option("-f, --format <format>", "Output format (json, dotenv, csv)", "json")
+    .option("-o, --output <file>", "Output file path (default: stdout)")
+    .action(async (options) => {
+    let { project, env, branch, format, output } = options;
+    // Use config fallback
+    if (!project)
+        project = (0, config_1.getRcConfig)().project;
+    if (!branch) {
+        branch = (0, config_1.getRcConfig)().branch || "main";
+    }
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run 'xtra project set' first."));
+        process.exit(1);
+    }
+    const spinner = require("ora")(`Fetching secrets for export (${env} @ ${branch})...`).start();
+    try {
+        const secrets = await api_1.api.getSecrets(project, env, branch);
+        spinner.stop();
+        if (!secrets || Object.keys(secrets).length === 0) {
+            console.warn(chalk_1.default.yellow("No secrets found to export."));
+            return;
+        }
+        let content = "";
+        switch (format.toLowerCase()) {
+            case "json":
+                content = JSON.stringify(secrets, null, 2);
+                break;
+            case "dotenv":
+                content = Object.entries(secrets)
+                    .map(([key, value]) => `${key}="${String(value).replace(/"/g, '\\"')}"`)
+                    .join("\n");
+                break;
+            case "csv":
+                const records = Object.entries(secrets).map(([key, value]) => ({ key, value }));
+                content = (0, sync_1.stringify)(records, { header: true });
+                break;
+            default:
+                console.error(chalk_1.default.red(`Error: Unsupported format '${format}'. Use json, dotenv, or csv.`));
+                process.exit(1);
+        }
+        if (output) {
+            const outputPath = path_1.default.resolve(process.cwd(), output);
+            fs_1.default.writeFileSync(outputPath, content, "utf-8");
+            console.log(chalk_1.default.green(`✔ Secrets exported to ${outputPath}`));
+        }
+        else {
+            console.log(content);
+        }
+        // Log Audit
+        try {
+            const { logAudit } = require("../lib/audit");
+            logAudit("SECRET_EXPORT", project, env, { format, destination: output || "stdout", branch });
+        }
+        catch (e) { }
+    }
+    catch (error) {
+        spinner.fail("Export failed.");
+        const safeErr = error?.response?.data?.error || error.message || "Unknown error";
+        console.error(chalk_1.default.red(safeErr));
+        process.exit(1);
+    }
+});

package/dist/commands/generate.js

@@ -0,0 +1,179 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const yaml_1 = __importDefault(require("yaml"));
+const config_1 = require("../lib/config");
+// Helper: Parse .env file into key-value pairs
+function parseEnvFile(content) {
+    const result = {};
+    const lines = content.split(/\r?\n/);
+    for (const line of lines) {
+        const trimmed = line.trim();
+        // Skip empty lines and comments
+        if (!trimmed || trimmed.startsWith('#'))
+            continue;
+        const idx = trimmed.indexOf('=');
+        if (idx === -1)
+            continue;
+        const key = trimmed.substring(0, idx).trim();
+        let value = trimmed.substring(idx + 1).trim();
+        // Remove surrounding quotes if present
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        result[key] = value;
+    }
+    return result;
+}
+// Helper: Merge secrets into existing file content, preserving comments and order
+function mergeEnvContent(existingContent, newSecrets) {
+    const lines = existingContent.split(/\r?\n/);
+    const existingKeys = new Set();
+    const added = [];
+    const updated = [];
+    // First pass: update existing keys
+    const updatedLines = lines.map(line => {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#'))
+            return line;
+        const idx = trimmed.indexOf('=');
+        if (idx === -1)
+            return line;
+        const key = trimmed.substring(0, idx).trim();
+        existingKeys.add(key);
+        if (key in newSecrets) {
+            const oldValue = parseEnvFile(line)[key];
+            if (oldValue !== newSecrets[key]) {
+                updated.push(key);
+            }
+            return `${key}="${newSecrets[key]}"`;
+        }
+        return line;
+    });
+    // Second pass: add new keys
+    for (const [key, value] of Object.entries(newSecrets)) {
+        if (!existingKeys.has(key)) {
+            updatedLines.push(`${key}="${value}"`);
+            added.push(key);
+        }
+    }
+    return { content: updatedLines.join('\n'), added, updated };
+}
+exports.generateCommand = new commander_1.Command("generate")
+    .description("Generate local configuration files from secrets")
+    .option("-p, --project <projectId>", "Project ID")
+    .option("-e, --env <environment>", "Environment (dev, stg, prod)", "dev")
+    .option("-b, --branch <branchName>", "Branch Name")
+    .option("-o, --output <path>", "Output file path (forces complete overwrite)")
+    .option("-f, --format <format>", "Output format (env, json, yaml)", "env")
+    .option("--force", "Skip confirmation prompts", false)
+    .action(async (options) => {
+    let { project, env, branch, output, format, force } = options;
+    // Use config fallback
+    if (!project)
+        project = (0, config_1.getRcConfig)().project;
+    if (!branch) {
+        branch = (0, config_1.getRcConfig)().branch || "main";
+    }
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run 'xtra project set' first."));
+        process.exit(1);
+    }
+    // Determine if we should merge or overwrite
+    const shouldMerge = !output && format === "env";
+    // Determine output filename
+    let outputPath = output;
+    if (!outputPath) {
+        switch (format) {
+            case "json":
+                outputPath = "secrets.json";
+                break;
+            case "yaml":
+                outputPath = "secrets.yaml";
+                break;
+            default:
+                outputPath = ".env";
+                break;
+        }
+    }
+    const fullPath = path_1.default.resolve(process.cwd(), outputPath);
+    const fileExists = fs_1.default.existsSync(fullPath);
+    const spinner = (0, ora_1.default)(`Fetching secrets for ${env} (branch: ${branch})...`).start();
+    try {
+        const secrets = await api_1.api.getSecrets(project, env, branch);
+        if (!secrets || Object.keys(secrets).length === 0) {
+            spinner.warn(chalk_1.default.yellow("No secrets found. File not modified."));
+            return;
+        }
+        let content = "";
+        let added = [];
+        let updated = [];
+        // Handle merge for .env format when no -o flag
+        if (shouldMerge && fileExists) {
+            spinner.text = "Merging with existing .env file...";
+            const existingContent = fs_1.default.readFileSync(fullPath, 'utf-8');
+            const mergeResult = mergeEnvContent(existingContent, secrets);
+            content = mergeResult.content;
+            added = mergeResult.added;
+            updated = mergeResult.updated;
+            if (added.length === 0 && updated.length === 0) {
+                spinner.succeed(chalk_1.default.green("No changes needed - .env is already up to date."));
+                return;
+            }
+        }
+        else {
+            // Full overwrite mode
+            switch (format.toLowerCase()) {
+                case "json":
+                    content = JSON.stringify(secrets, null, 2);
+                    break;
+                case "yaml":
+                    content = yaml_1.default.stringify(secrets);
+                    break;
+                case "env":
+                default:
+                    content = Object.entries(secrets)
+                        .map(([key, value]) => `${key}="${value}"`)
+                        .join("\n");
+                    break;
+            }
+        }
+        // Write file
+        fs_1.default.writeFileSync(fullPath, content, "utf-8");
+        // Update manifest
+        const { hash } = require("../lib/crypto");
+        const { updateManifest } = require("../lib/manifest");
+        updateManifest(project, env, secrets, hash);
+        // Show result
+        if (shouldMerge && fileExists) {
+            spinner.succeed(chalk_1.default.green(`Updated ${outputPath}`));
+            if (added.length > 0) {
+                console.log(chalk_1.default.cyan(`  + Added: ${added.join(', ')}`));
+            }
+            if (updated.length > 0) {
+                console.log(chalk_1.default.yellow(`  ~ Updated: ${updated.join(', ')}`));
+            }
+        }
+        else {
+            spinner.succeed(`Generated ${outputPath} (${Object.keys(secrets).length} secrets)`);
+        }
+    }
+    catch (error) {
+        spinner.fail("Failed to generate file.");
+        console.error(chalk_1.default.red(error.message));
+        process.exit(1);
+    }
+});

package/dist/commands/history.js

@@ -0,0 +1,77 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rollbackCommand = exports.historyCommand = void 0;
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const api_1 = require("../lib/api");
+const config_1 = require("../lib/config");
+exports.historyCommand = new commander_1.Command("history");
+exports.historyCommand
+    .argument("<key>", "Secret key")
+    .option("-p, --project <id>", "Project ID")
+    .option("-e, --env <environment>", "Environment", "development")
+    .description("View version history of a secret")
+    .action(async (key, options) => {
+    try {
+        let projectId = options.project;
+        if (!projectId) {
+            projectId = (0, config_1.getRcConfig)().project;
+            if (!projectId) {
+                console.error(chalk_1.default.red("Error: Project ID not found. Use -p <id> or run 'xtra project set' first."));
+                process.exit(1);
+            }
+        }
+        const data = await api_1.api.getSecretHistory(projectId, options.env, key);
+        console.log(chalk_1.default.bold(`\nHistory for ${key} (${options.env})`));
+        console.log(chalk_1.default.gray(`Current Version: ${data.currentVersion}\n`));
+        const history = data.history || [];
+        if (history.length === 0) {
+            console.log("No history found.");
+        }
+        else {
+            history.forEach((h) => {
+                const dateStr = new Date(h.updatedAt).toLocaleString();
+                console.log(chalk_1.default.blue(`v${h.version}`) + ` - ${dateStr} by ${h.updatedBy}`);
+                if (h.description)
+                    console.log(chalk_1.default.gray(`  ${h.description}`));
+                console.log("");
+            });
+        }
+    }
+    catch (error) {
+        console.error(chalk_1.default.red("Error fetching history:"), error.message || error);
+    }
+});
+exports.rollbackCommand = new commander_1.Command("rollback");
+exports.rollbackCommand
+    .argument("<key>", "Secret key")
+    .argument("<version>", "Version to rollback to")
+    .option("-p, --project <id>", "Project ID")
+    .option("-e, --env <environment>", "Environment", "development")
+    .description("Rollback a secret to a previous version")
+    .action(async (key, version, options) => {
+    try {
+        let projectId = options.project;
+        if (!projectId) {
+            projectId = (0, config_1.getRcConfig)().project;
+            if (!projectId) {
+                console.error(chalk_1.default.red("Error: Project ID not found. Use -p <id> or run 'xtra project set' first."));
+                process.exit(1);
+            }
+        }
+        console.log(chalk_1.default.yellow(`Rolling back ${key} to v${version}...`));
+        const result = await api_1.api.rollbackSecret(projectId, options.env, key, version);
+        if (result.success) {
+            console.log(chalk_1.default.green(`\nSuccessfully rolled back to v${version} (New current version: v${result.version})`));
+        }
+        else {
+            console.log(chalk_1.default.red("Rollback failed."));
+        }
+    }
+    catch (error) {
+        console.error(chalk_1.default.red("Error rolling back:"), error.message || error);
+    }
+});

package/dist/commands/import.js

@@ -0,0 +1,121 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.importCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const dotenv_1 = __importDefault(require("dotenv"));
+const sync_1 = require("csv-parse/sync");
+const config_1 = require("../lib/config");
+exports.importCommand = new commander_1.Command("import")
+    .description("Import secrets from a file (JSON, Dotenv, CSV)")
+    .argument("<file>", "Path to the file to import")
+    .option("-p, --project <projectId>", "Project ID")
+    .option("-e, --env <environment>", "Environment (development, staging, production)", "development")
+    .option("-b, --branch <branchName>", "Branch Name")
+    .option("-f, --format <format>", "Input format (json, dotenv, csv). Auto-detected if omitted.")
+    .option("--prefix <prefix>", "Add prefix to all imported keys")
+    .option("--overwrite", "Overwrite existing secrets (default: merged, but API usually upserts)", true)
+    .action(async (file, options) => {
+    let { project, env, branch, format, prefix } = options;
+    // Use config fallback
+    if (!project)
+        project = (0, config_1.getRcConfig)().project;
+    if (!branch) {
+        branch = (0, config_1.getRcConfig)().branch || "main";
+    }
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run 'xtra project set' first."));
+        process.exit(1);
+    }
+    const filePath = path_1.default.resolve(process.cwd(), file);
+    if (!fs_1.default.existsSync(filePath)) {
+        console.error(chalk_1.default.red(`Error: File not found: ${filePath}`));
+        process.exit(1);
+    }
+    let detectedFormat = format;
+    if (!detectedFormat) {
+        const ext = path_1.default.extname(filePath).toLowerCase();
+        if (ext === ".json")
+            detectedFormat = "json";
+        else if (ext === ".env")
+            detectedFormat = "dotenv";
+        else if (ext === ".csv")
+            detectedFormat = "csv";
+        else {
+            console.error(chalk_1.default.red("Error: Could not detect format. Please specify -f <format>"));
+            process.exit(1);
+        }
+    }
+    const spinner = require("ora")(`Reading ${detectedFormat} file...`).start();
+    const fileContent = fs_1.default.readFileSync(filePath, "utf-8");
+    let secrets = {};
+    try {
+        switch (detectedFormat.toLowerCase()) {
+            case "json":
+                secrets = JSON.parse(fileContent);
+                break;
+            case "dotenv":
+                secrets = dotenv_1.default.parse(fileContent);
+                break;
+            case "csv":
+                const records = (0, sync_1.parse)(fileContent, {
+                    columns: true,
+                    skip_empty_lines: true
+                });
+                // Expect header: key, value or Key, Value
+                records.forEach((record) => {
+                    // Try case-insensitive key lookup
+                    const key = record.key || record.Key || record.KEY;
+                    const value = record.value || record.Value || record.VALUE;
+                    if (key) {
+                        secrets[key] = value || "";
+                    }
+                });
+                break;
+            default:
+                spinner.fail(`Unsupported format: ${detectedFormat}`);
+                process.exit(1);
+        }
+        if (Object.keys(secrets).length === 0) {
+            spinner.fail("No valid secrets found in file.");
+            return;
+        }
+        // Apply prefix
+        if (prefix) {
+            const prefixedSecrets = {};
+            Object.entries(secrets).forEach(([key, value]) => {
+                prefixedSecrets[`${prefix}${key}`] = value;
+            });
+            secrets = prefixedSecrets;
+        }
+        // Upload
+        spinner.text = `Importing ${Object.keys(secrets).length} secrets to ${env} (branch: ${branch})...`;
+        await api_1.api.setSecrets(project, env, secrets, undefined, branch);
+        spinner.succeed(`Successfully imported ${Object.keys(secrets).length} secrets.`);
+        // Log Audit
+        try {
+            const { logAudit } = require("../lib/audit");
+            logAudit("SECRET_IMPORT", project, env, {
+                file: path_1.default.basename(filePath),
+                format: detectedFormat,
+                count: Object.keys(secrets).length,
+                branch: branch
+            });
+        }
+        catch (e) { }
+    }
+    catch (error) {
+        spinner.fail("Import failed.");
+        console.error(chalk_1.default.red(error.message));
+        process.exit(1);
+    }
+});

package/dist/commands/init.js

@@ -0,0 +1,205 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCommand = void 0;
+/**
+ * init.ts — Bootstrap a new project with .xtrarc and recommended structure
+ */
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const inquirer_1 = __importDefault(require("inquirer"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const config_1 = require("../lib/config");
+const RC_FILE = ".xtrarc";
+exports.initCommand = new commander_1.Command("init")
+    .description("Bootstrap a new project — creates .xtrarc and recommended structure")
+    .option("--project <id>", "Project ID (skip prompt)")
+    .option("--env <env>", "Default environment", "development")
+    .option("--branch <branch>", "Default branch", "main")
+    .option("-y, --yes", "Accept all defaults without prompting", false)
+    .action(async (options) => {
+    const cwd = process.cwd();
+    const rcPath = path.join(cwd, RC_FILE);
+    console.log(chalk_1.default.bold("\n🚀 xtra init — setting up your project\n"));
+    // Warn if already initialized
+    if (fs.existsSync(rcPath)) {
+        const { overwrite } = await inquirer_1.default.prompt([{
+                type: "confirm",
+                name: "overwrite",
+                message: chalk_1.default.yellow(`.xtrarc already exists. Overwrite it?`),
+                default: false,
+            }]);
+        if (!overwrite) {
+            console.log(chalk_1.default.gray("Aborted."));
+            return;
+        }
+    }
+    let { project, env, branch } = options;
+    // Interactive prompts if not --yes
+    if (!options.yes) {
+        // ── API Projects Fetch ─────────────────────────────────────────────
+        const { getAuthToken } = await Promise.resolve().then(() => __importStar(require("../lib/config")));
+        const token = getAuthToken();
+        const ora = (await Promise.resolve().then(() => __importStar(require("ora")))).default;
+        let remoteProjects = [];
+        if (!token) {
+            console.log(chalk_1.default.yellow("  ℹ  Not logged in — project list unavailable. Run `xtra login` first."));
+            console.log(chalk_1.default.yellow("     You can still enter a Project ID manually below.\n"));
+        }
+        else {
+            const apiSpinner = ora("Fetching your projects...").start();
+            try {
+                const { api } = await Promise.resolve().then(() => __importStar(require("../lib/api")));
+                const result = await api.getProjects();
+                // API might return { projects: [...] } or directly an array
+                remoteProjects = Array.isArray(result) ? result : result.projects ?? [];
+                if (remoteProjects.length === 0) {
+                    apiSpinner.warn(chalk_1.default.yellow("No projects found in your workspace. Create one at xtra-security.vercel.app first."));
+                }
+                else {
+                    apiSpinner.succeed(`Found ${remoteProjects.length} project${remoteProjects.length > 1 ? "s" : ""}`);
+                }
+            }
+            catch (err) {
+                const reason = err?.response?.status === 401
+                    ? "session expired — run `xtra login` again"
+                    : err?.response?.data?.error || err?.message || "network error";
+                apiSpinner.warn(chalk_1.default.yellow(`Could not fetch projects (${reason}). Enter the Project ID manually.`));
+            }
+        }
+        const fallbackProject = project || (0, config_1.getConfigValue)("project") || "";
+        const { project: selectedProject } = await inquirer_1.default.prompt([
+            {
+                type: remoteProjects.length > 0 ? "list" : "input",
+                name: "project",
+                message: remoteProjects.length > 0 ? "Select a project:" : "Project ID:",
+                choices: remoteProjects.length > 0
+                    ? remoteProjects.map(p => ({ name: `${p.name} (${p.id})`, value: p.id }))
+                    : undefined,
+                default: fallbackProject,
+                validate: (v) => v.trim() ? true : "Project ID is required",
+            }
+        ]);
+        project = selectedProject.trim();
+        // Fetch branches for selected project
+        let remoteBranches = [];
+        const branchSpinner = ora("Fetching branches...").start();
+        try {
+            const { api } = await Promise.resolve().then(() => __importStar(require("../lib/api")));
+            remoteBranches = await api.getBranches(project);
+            branchSpinner.stop();
+        }
+        catch (err) {
+            branchSpinner.warn(chalk_1.default.yellow("Could not fetch branches."));
+        }
+        const answers = await inquirer_1.default.prompt([
+            {
+                type: "list",
+                name: "env",
+                message: "Default environment:",
+                choices: ["development", "staging", "production"],
+                default: env || "development",
+            },
+            {
+                type: remoteBranches.length > 0 ? "list" : "input",
+                name: "branch",
+                message: remoteBranches.length > 0 ? "Default branch:" : "Default branch name:",
+                choices: remoteBranches.length > 0
+                    ? remoteBranches.map(b => ({ name: b.name, value: b.name }))
+                    : undefined,
+                default: branch || (remoteBranches.length > 0 ? remoteBranches[0].name : "main"),
+            },
+            {
+                type: "confirm",
+                name: "addGitignore",
+                message: "Add .xtrarc to .gitignore? (recommended)",
+                default: true,
+            },
+        ]);
+        env = answers.env;
+        branch = answers.branch;
+        // Add to .gitignore
+        if (answers.addGitignore) {
+            const gitignorePath = path.join(cwd, ".gitignore");
+            let existing = "";
+            try {
+                existing = fs.readFileSync(gitignorePath, "utf8");
+            }
+            catch (_) { }
+            if (!existing.includes(".xtrarc")) {
+                fs.appendFileSync(gitignorePath, "\n# XtraSecurity config\n.xtrarc\n");
+                console.log(chalk_1.default.gray("  ✔ Added .xtrarc to .gitignore"));
+            }
+        }
+    }
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required."));
+        process.exit(1);
+    }
+    // Write .xtrarc
+    const rc = {
+        project,
+        env,
+        branch,
+        apiUrl: process.env.XTRA_API_URL || "https://xtra-security.vercel.app/api",
+        createdAt: new Date().toISOString(),
+    };
+    fs.writeFileSync(rcPath, JSON.stringify(rc, null, 2), "utf8");
+    // ── Sync global conf store so `xtra run` / `xtra secrets` pick up the new values ──
+    (0, config_1.setConfig)("project", project);
+    (0, config_1.setConfig)("env", env);
+    (0, config_1.setConfig)("branch", branch);
+    // Summary
+    console.log(chalk_1.default.gray(`     Branch   : ${chalk_1.default.white(branch)}`));
+    console.log();
+    // ── Audit Log (Local Chain) ─────────────────────────────────────────
+    try {
+        const { logAudit } = await Promise.resolve().then(() => __importStar(require("../lib/audit")));
+        logAudit("PROJECT_INIT", project, env, { branch, rcPath });
+    }
+    catch (e) {
+        // Non-fatal if audit fails
+    }
+    console.log(chalk_1.default.bold("  Next steps:"));
+    console.log(chalk_1.default.gray("    xtra login                   # authenticate"));
+    console.log(chalk_1.default.gray("    xtra secrets list            # view secrets"));
+    console.log(chalk_1.default.gray("    xtra run node app.js         # inject and run"));
+    console.log(chalk_1.default.gray("    xtra doctor                  # verify everything works"));
+    console.log();
+});