xtra-cli 1.0.0

package/dist/commands/run.js

@@ -0,0 +1,215 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const child_process_1 = require("child_process");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const config_1 = require("../lib/config");
+const crypto_1 = require("../lib/crypto");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const dotenv_1 = __importDefault(require("dotenv"));
+exports.runCommand = new commander_1.Command("run")
+    .description("Run a command with injected secrets")
+    .option("-p, --project <projectId>", "Project ID")
+    .option("-e, --env <environment>", "Environment (development, staging, production)", "development")
+    .option("-b, --branch <branchName>", "Branch Name")
+    .option("--shell", "Enable shell mode (needed for npm run, shell built-ins on Windows)", false)
+    .argument("<command>", "Command to run")
+    .argument("[args...]", "Command arguments")
+    .addHelpText("after", `
+Examples:
+  $ xtra run npm start
+  $ xtra run -e production -- npm run build
+  $ xtra run -p proj_123 -b feature-branch -- python script.py
+  $ xtra run --shell "echo $SECRET_KEY"
+`)
+    .action(async (command, args, options) => {
+    // console.log("Run Options:", options);
+    let { project, env, branch, shell: useShell } = options;
+    // Load .xtrarc from CWD first (project-local config), then fall back to global conf store
+    const rc = (0, config_1.getRcConfig)();
+    // Use active branch from config if not specified
+    if (!branch)
+        branch = rc.branch;
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env || rc.env;
+    if (!project)
+        project = rc.project;
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or checkout a branch."));
+        process.exit(1);
+    }
+    const spinner = (0, ora_1.default)(`Fetching secrets for ${env} (branch: ${branch})...`).start();
+    let secrets = null;
+    // ── Local mode override ──────────────────────────────────────────────────
+    // If XTRA_LOCAL_MODE=true or localMode config flag is set,
+    // read from .env.local instead of calling the API.
+    const isLocal = (0, config_1.getConfigValue)("localMode") === true
+        || process.env.XTRA_LOCAL_MODE === "true";
+    if (isLocal) {
+        const localFile = path.resolve(process.cwd(), ".env.local");
+        if (!fs.existsSync(localFile)) {
+            spinner.fail("Local mode is ON but .env.local not found. Run 'xtra local sync' first.");
+            process.exit(1);
+        }
+        const parsed = dotenv_1.default.parse(fs.readFileSync(localFile, "utf8"));
+        secrets = parsed;
+        spinner.succeed(chalk_1.default.yellow(`🔌 Local mode: loaded ${Object.keys(secrets).length} secrets from .env.local`));
+    }
+    else {
+        try {
+            // 1. Fetch Secrets
+            secrets = await api_1.api.getSecrets(project, env, branch);
+            if (!secrets || Object.keys(secrets).length === 0) {
+                spinner.warn(chalk_1.default.yellow("No secrets found for this environment."));
+            }
+            else {
+                spinner.succeed(`Loaded ${Object.keys(secrets).length} secrets (Online).`);
+                // Update manifest
+                try {
+                    const { hash } = require("../lib/crypto");
+                    const { updateManifest } = require("../lib/manifest");
+                    updateManifest(project, env, secrets, hash);
+                }
+                catch (mErr) {
+                    // Manifest update failed
+                }
+                // Cache secrets locally
+                try {
+                    const cacheKey = `cache.${project}.${env}.${branch}`;
+                    const encrypted = (0, crypto_1.encrypt)(JSON.stringify(secrets));
+                    (0, config_1.setConfig)(cacheKey, encrypted);
+                    // console.log(chalk.gray("Secrets cached successfully."));
+                }
+                catch (cacheErr) {
+                    console.error(chalk_1.default.yellow("Warning: Failed to cache secrets."));
+                }
+            }
+        }
+        catch (error) {
+            // Offline fallback
+            const cacheKey = `cache.${project}.${env}.${branch}`;
+            const cachedData = (0, config_1.getConfigValue)(cacheKey);
+            if (cachedData) {
+                try {
+                    const decrypted = (0, crypto_1.decrypt)(cachedData);
+                    secrets = JSON.parse(decrypted);
+                    spinner.warn(chalk_1.default.yellow(`Offline Mode: Loaded ${Object.keys(secrets).length} secrets from cache.`));
+                }
+                catch (decryptErr) {
+                    spinner.fail("Failed to fetch secrets and cache is corrupt.");
+                    process.exit(1);
+                }
+            }
+            else {
+                spinner.fail("Failed to fetch secrets and no local cache available.");
+                if (error.response) {
+                    if (error.response.status === 404) {
+                        console.error(chalk_1.default.red(`\nError: Project '${project}' not found or you don't have access.`));
+                    }
+                    else if (error.response.status === 401) {
+                        console.error(chalk_1.default.red(`\nError: Unauthorized. Please run 'xtra login' again.`));
+                    }
+                    else {
+                        console.error(chalk_1.default.red(`\nError: ${error.response.data.error || error.message}`));
+                    }
+                }
+                else {
+                    console.error(chalk_1.default.red(`\nError: ${error.message}`));
+                }
+                process.exit(1);
+            }
+        } // end try/catch (cloud mode)
+    } // end else (cloud mode)
+    // Log Audit (Always)
+    try {
+        const { logAudit } = require("../lib/audit");
+        // Only log if we have secrets
+        if (secrets && Object.keys(secrets).length > 0) {
+            logAudit("SECRET_ACCESS", project, env, { method: "run", keys: Object.keys(secrets), branch });
+        }
+    }
+    catch (e) {
+        console.error("Audit Error:", e);
+    }
+    // 2. Prepare Environment
+    const envVars = {
+        ...process.env,
+        ...secrets, // Overwrite local env with injected secrets
+    };
+    // 3. Spawn Child Process — shell: false by default to prevent command injection
+    // When --shell is passed (e.g. for npm run start on Windows), allow shell mode
+    const SHELL_UNSAFE = /[;&|`$<>\\\n]/g;
+    if (!useShell && SHELL_UNSAFE.test(command)) {
+        console.error(chalk_1.default.red("Error: Command contains unsafe characters. Use --shell if intentional."));
+        process.exit(1);
+    }
+    // Production confirmation gate
+    if (env === "production") {
+        const inquirer = require("inquirer");
+        const { confirm } = await inquirer.prompt([{
+                type: "confirm",
+                name: "confirm",
+                message: chalk_1.default.red(`⚠ You are about to run a command in PRODUCTION with ${Object.keys(secrets || {}).length} injected secrets. Continue?`),
+                default: false,
+            }]);
+        if (!confirm) {
+            console.log(chalk_1.default.yellow("Aborted."));
+            return;
+        }
+    }
+    console.log(chalk_1.default.gray(`> ${command} ${args.join(" ")}`));
+    const isWindows = process.platform === "win32";
+    const child = (0, child_process_1.spawn)(command, args, {
+        env: envVars,
+        stdio: "inherit",
+        shell: useShell || isWindows, // Auto-enable shell on Windows for better compatibility (e.g. npm, etc)
+    });
+    child.on("exit", (code) => {
+        process.exit(code ?? 0);
+    });
+    child.on("error", (err) => {
+        console.error(chalk_1.default.red(`Failed to start command: ${err.message}`));
+        process.exit(1);
+    });
+});

package/dist/commands/scan.js

@@ -0,0 +1,127 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanCommand = void 0;
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const child_process_1 = require("child_process");
+exports.scanCommand = new commander_1.Command("scan")
+    .description("Scan project for secrets and configuration leaks")
+    .option("--staged", "Scan only staged files (for pre-commit hooks)", false)
+    .option("--install-hook", "Install the git pre-commit hook")
+    .action(async (options) => {
+    const { staged, installHook } = options;
+    // Install Hook
+    if (installHook) {
+        installGitHook();
+        return;
+    }
+    // Scanning Logic
+    console.log(chalk_1.default.bold("XtraSync Secret Scan"));
+    let issues = 0;
+    // 1. Check .env tracking
+    if (isEnvFileTracked()) {
+        console.error(chalk_1.default.red("CRITICAL: .env file is tracked by git!"));
+        issues++;
+    }
+    else {
+        // console.log(chalk.green("✔ .env file is safe (not tracked)."));
+    }
+    // 2. Scan Files
+    const filesToScan = staged ? getStagedFiles() : getAllFiles();
+    // Pattern: xs_ (Looking for API keys or similar tokens if we had a specific format)
+    // Also naive check for "password", "secret", "key" = "..."
+    const patterns = [
+        { name: "Xtra API Key", regex: /xs_[a-zA-Z0-9]{10,}/ },
+        // Add more patterns here
+    ];
+    filesToScan.forEach(file => {
+        try {
+            // Skip binary or large files?
+            if (!fs_1.default.existsSync(file))
+                return;
+            const content = fs_1.default.readFileSync(file, "utf-8");
+            patterns.forEach(p => {
+                if (p.regex.test(content)) {
+                    console.error(chalk_1.default.red(`[${file}] Potential Secret Detected: ${p.name}`));
+                    issues++;
+                }
+            });
+        }
+        catch (e) {
+            // Ignore (e.g. dir or binary)
+        }
+    });
+    if (issues > 0) {
+        console.error(chalk_1.default.red(`\n✖ Scan failed. found ${issues} issues.`));
+        process.exit(1);
+    }
+    else {
+        console.log(chalk_1.default.green("\n✔ Scan passed. No secrets found."));
+    }
+});
+function installGitHook() {
+    const hookDir = path_1.default.join(process.cwd(), ".git", "hooks");
+    const hookPath = path_1.default.join(hookDir, "pre-commit");
+    if (!fs_1.default.existsSync(hookDir)) {
+        console.error(chalk_1.default.red("Error: .git directory not found. Is this a git repository?"));
+        return;
+    }
+    const hookContent = `#!/bin/sh
+# XtraSync Secret Scan
+echo "Running XtraSync Secret Scan..."
+
+# Check if 'xtra' is globally installed or use local script
+if command -v xtra >/dev/null 2>&1; then
+  xtra scan --staged
+elif [ -f "./node_modules/.bin/xtra" ]; then
+  ./node_modules/.bin/xtra scan --staged
+else
+  # Using the binary directly if running in dev environment (unlikely in prod use case)
+  # For dev testing:
+  if [ -f "./dist/bin/xtra.js" ]; then
+    node ./dist/bin/xtra.js scan --staged
+  else
+    echo "Warning: XtraSync CLI not found. Skipping scan."
+  fi
+fi
+
+# Exit code of scan is passed through
+`;
+    fs_1.default.writeFileSync(hookPath, hookContent, { mode: 0o755 });
+    console.log(chalk_1.default.green("✔ Pre-commit hook installed successfully."));
+}
+function isEnvFileTracked() {
+    try {
+        // git ls-files --error-unmatch .env
+        (0, child_process_1.execSync)("git ls-files --error-unmatch .env", { stdio: "ignore" });
+        return true; // Command succeeded, file is tracked
+    }
+    catch (e) {
+        return false; // Command failed, file not tracked
+    }
+}
+function getStagedFiles() {
+    try {
+        const output = (0, child_process_1.execSync)("git diff --cached --name-only", { encoding: "utf-8" });
+        return output.split("\n").filter(f => f.trim().length > 0);
+    }
+    catch (e) {
+        return [];
+    }
+}
+function getAllFiles() {
+    // Naive implementation for now, or recurse. 
+    // Usually 'git ls-files' is better if generic scan.
+    try {
+        const output = (0, child_process_1.execSync)("git ls-files", { encoding: "utf-8" });
+        return output.split("\n").filter(f => f.trim().length > 0);
+    }
+    catch (e) {
+        return [];
+    }
+}

package/dist/commands/secrets.js

@@ -0,0 +1,305 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const table_1 = require("table");
+const config_1 = require("../lib/config");
+exports.secretsCommand = new commander_1.Command("secrets")
+    .description("Manage secrets (List, Set, Delete)")
+    .option("-p, --project <projectId>", "Project ID")
+    .option("-e, --env <environment>", "Environment (development, staging, production)", "development")
+    .option("-b, --branch <branchName>", "Branch Name");
+// LIST
+exports.secretsCommand
+    .command("list")
+    .description("List all secrets for a project/environment")
+    .option("--show", "Reveal secret values", false)
+    .addHelpText("after", `
+Examples:
+  $ xtra secrets list
+  $ xtra secrets list -e production --show
+`)
+    .action(async (options) => {
+    const parentOpts = exports.secretsCommand.opts();
+    let { project, env, branch } = parentOpts;
+    // Load .xtrarc from CWD (local project config has priority over global conf store)
+    const rc = (0, config_1.getRcConfig)();
+    if (!project)
+        project = rc.project;
+    if (!branch)
+        branch = rc.branch;
+    if (!env || env === "development")
+        env = rc.env; // only override if still at default
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    const { show } = options;
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run `xtra init` first."));
+        process.exit(1);
+    }
+    const spinner = (0, ora_1.default)(`Fetching secrets for ${env} (branch: ${branch})...`).start();
+    try {
+        const secrets = await api_1.api.getSecrets(project, env, branch);
+        spinner.stop();
+        if (!secrets || Object.keys(secrets).length === 0) {
+            console.log(chalk_1.default.yellow("No secrets found."));
+            return;
+        }
+        if (show) {
+            console.log(chalk_1.default.red("⚠ Warning: Secret values will be visible in your terminal and shell history!"));
+        }
+        const data = [
+            [chalk_1.default.bold("Key"), chalk_1.default.bold("Value"), chalk_1.default.bold("Env")]
+        ];
+        Object.entries(secrets).forEach(([key, value]) => {
+            data.push([
+                key,
+                show ? value : "********",
+                env
+            ]);
+        });
+        console.log((0, table_1.table)(data));
+        // Audit Log
+        try {
+            const { logAudit } = await Promise.resolve().then(() => __importStar(require("../lib/audit")));
+            logAudit("SECRET_LIST", project, env, { branch, count: Object.keys(secrets).length });
+        }
+        catch (e) { }
+    }
+    catch (error) {
+        spinner.fail("Failed to fetch secrets");
+        console.error(chalk_1.default.red(error.message));
+    }
+});
+// SET
+exports.secretsCommand
+    .command("set")
+    .description("Set one or more secrets (KEY=VALUE)")
+    .argument("<secrets...>", "Secrets to set (format: KEY=VALUE)")
+    .option("-f, --force", "Force update (overwrite remote changes without warning)", false)
+    .addHelpText("after", `
+Examples:
+  $ xtra secrets set API_KEY=xyz
+  $ xtra secrets set DB_USER=admin DB_PASS=secret -e staging
+`)
+    .action(async (args, options) => {
+    const parentOpts = exports.secretsCommand.opts();
+    let { project, env, branch } = parentOpts;
+    // Use active branch from config if not specified
+    if (!branch) {
+        branch = (0, config_1.getConfigValue)("branch") || "main";
+    }
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    if (!project) {
+        project = (0, config_1.getConfigValue)("project");
+    }
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run 'xtra project set' first."));
+        process.exit(1);
+    }
+    // Parse key=value pairs
+    const payload = {};
+    args.forEach((arg) => {
+        const idx = arg.indexOf("=");
+        if (idx === -1) {
+            console.warn(chalk_1.default.yellow(`Skipping invalid format: ${arg} (expected KEY=VALUE)`));
+            return;
+        }
+        const key = arg.substring(0, idx);
+        const value = arg.substring(idx + 1);
+        payload[key] = value;
+    });
+    if (Object.keys(payload).length === 0) {
+        console.error(chalk_1.default.red("No valid secrets provided."));
+        return;
+    }
+    // 🔒 Production gate: require explicit confirmation before writing to production
+    if (env === "production" && !options.force) {
+        const inquirer = require("inquirer");
+        const { confirm } = await inquirer.prompt([{
+                type: "confirm",
+                name: "confirm",
+                message: chalk_1.default.red(`⚠  You are about to SET ${Object.keys(payload).length} secret(s) in PRODUCTION. Are you sure?`),
+                default: false,
+            }]);
+        if (!confirm) {
+            console.log(chalk_1.default.yellow("Aborted."));
+            return;
+        }
+    }
+    const spinner = (0, ora_1.default)(`Setting ${Object.keys(payload).length} secrets for ${env} (branch: ${branch})...`);
+    if (options.force) {
+        spinner.start();
+    }
+    try {
+        let expectedVersions = undefined;
+        if (!options.force) {
+            // Fetch current versions for optimistic locking
+            spinner.text = "Fetching current versions...";
+            spinner.start();
+            try {
+                const remoteSecrets = await api_1.api.getSecretVersions(project, env, branch);
+                expectedVersions = {};
+                spinner.stop();
+                // Populate expected versions for keys we are updating
+                Object.keys(payload).forEach(key => {
+                    if (remoteSecrets[key]) {
+                        expectedVersions[key] = remoteSecrets[key].version;
+                    }
+                });
+            }
+            catch (verErr) {
+                spinner.warn(chalk_1.default.yellow("Could not fetch remote versions. Conflict detection disabled."));
+            }
+        }
+        spinner.start(`Updating secrets...`);
+        await api_1.api.setSecrets(project, env, payload, expectedVersions, branch);
+        spinner.succeed("Secrets updated successfully.");
+        // Log Audit
+        try {
+            const { logAudit } = require("../lib/audit");
+            logAudit("SECRET_UPDATE", project, env, { keys: Object.keys(payload), branch });
+        }
+        catch (e) { }
+    }
+    catch (error) {
+        spinner.stop();
+        if (error.response && error.response.status === 409) {
+            // Conflict Detected
+            const conflicts = error.response.data.conflicts || [];
+            console.log(chalk_1.default.red("\n⚠ Conflict Detected! The following secrets have changed remotely:\n"));
+            const conflictTable = [[chalk_1.default.bold("Key"), chalk_1.default.bold("Remote Version"), chalk_1.default.bold("Remote Value")]];
+            conflicts.forEach((c) => {
+                conflictTable.push([c.key, c.actual, c.remoteValue]);
+            });
+            console.log((0, table_1.table)(conflictTable));
+            const inquirer = require("inquirer");
+            const { confirm } = await inquirer.prompt([{
+                    type: "confirm",
+                    name: "confirm",
+                    message: "Do you want to overwrite these changes exactly as you specified?",
+                    default: false
+                }]);
+            if (confirm) {
+                const retrySpinner = (0, ora_1.default)("Overwriting secrets...").start();
+                try {
+                    // Start retry with Force (no expectedVersions)
+                    await api_1.api.setSecrets(project, env, payload, undefined, branch);
+                    retrySpinner.succeed("Secrets overwritten successfully.");
+                    // Log Audit Force
+                    try {
+                        const { logAudit } = require("../lib/audit");
+                        logAudit("SECRET_UPDATE_FORCE", project, env, { keys: Object.keys(payload), branch });
+                    }
+                    catch (e) { }
+                }
+                catch (retryErr) {
+                    retrySpinner.fail("Failed to overwrite secrets.");
+                    console.error(chalk_1.default.red(retryErr.message));
+                }
+            }
+            else {
+                console.log(chalk_1.default.yellow("Update cancelled."));
+            }
+            return; // Handled
+        }
+        if (spinner.isSpinning)
+            spinner.fail("Failed to update secrets");
+        if (error.response && error.response.data && error.response.data.error) {
+            console.error(chalk_1.default.red(`Server Error: ${error.response.data.error}`));
+        }
+        else {
+            console.error(chalk_1.default.red(error.message));
+        }
+    }
+});
+// LINK
+exports.secretsCommand
+    .command("link")
+    .description("Link a secret to another secret (Reference)")
+    .argument("<key>", "Key of the secret to create (e.g. DB_URL)")
+    .requiredOption("--source <source>", "Source path (format: project/env/key)")
+    .addHelpText("after", `
+Examples:
+  $ xtra secrets link SHARED_DB_URL --source shared-proj/production/DB_URL
+`)
+    .action(async (key, options) => {
+    const parentOpts = exports.secretsCommand.opts();
+    let { project, env } = parentOpts;
+    // Normalize Env
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    const { source } = options;
+    if (!project) {
+        project = (0, config_1.getConfigValue)("project");
+    }
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run 'xtra project set' first."));
+        process.exit(1);
+    }
+    // Parse Source: "proj-123/prod/DATABASE_URL"
+    const parts = source.split("/");
+    if (parts.length !== 3) {
+        console.error(chalk_1.default.red("Error: Source must be in format 'projectId/env/key'"));
+        return;
+    }
+    const [sourceProjectId, sourceEnv, sourceKey] = parts;
+    const spinner = (0, ora_1.default)(`Linking ${key} to ${source}...`).start();
+    try {
+        await api_1.api.linkSecret(project, env, key, sourceProjectId, sourceEnv, sourceKey);
+        spinner.succeed(chalk_1.default.green(`Secret '${key}' successfully linked to '${sourceKey}'`));
+        // Audit log
+        try {
+            const { logAudit } = require("../lib/audit");
+            logAudit("SECRET_LINKED", project, env, { key, source });
+        }
+        catch (e) { }
+    }
+    catch (error) {
+        spinner.fail("Failed to link secret");
+        const safeErr = error?.response?.data?.error || error.message || "Unknown error";
+        console.error(chalk_1.default.red(`Server Error: ${safeErr}`));
+    }
+});