CLI Commands Reference
Setup Commands
`ctx-sync init`
Initialize ctx-sync on a new machine. Generates encryption keys and sets up the sync repository.
BASHctx-sync init
The remote URL should point to a dedicated private repository you created for ctx-sync (e.g. git@github.com:you/dev-context.git), not one of your project repos. See Getting Started for setup steps.
Options:
| Flag | Description |
|---|---|
--restore |
Restore mode — paste an existing private key instead of generating a new one |
--skip-backup |
Skip the key backup prompt (not recommended) |
--remote <url> |
Git remote URL for syncing (SSH or HTTPS) |
--no-interactive |
Skip interactive prompts (use defaults) |
--stdin |
Read private key from stdin (for --restore) |
`ctx-sync init --restore`
Set up ctx-sync on a new machine using an existing private key.
BASHctx-sync init --restore
You will be prompted to paste your private key and provide the Git remote URL.
Project Management
`ctx-sync track`
Track the current project. Auto-detects Git state, .env files, Docker services, and prompts for mental context.
BASHctx-sync track
Options:
| Flag | Description |
|---|---|
--yes |
Skip confirmation prompts (auto-accept defaults) |
--no-interactive |
Non-interactive mode for CI/scripts |
`ctx-sync list`
List all tracked projects.
BASHctx-sync list
`ctx-sync status`
Show the sync status — pending changes, last sync time, and remote state.
BASHctx-sync status
`ctx-sync restore `
Restore a project's full context on the current machine.
BASHctx-sync restore my-app
This displays your mental context, decrypts environment variables, and shows all commands (Docker, services) for explicit approval before execution.
Commands are always shown for review before execution. There is no flag to skip command confirmation. This prevents remote code execution from compromised repos.
Environment Variables
`ctx-sync env import `
Import environment variables from a .env file. All values are encrypted by default.
BASHctx-sync env import .env
Options:
| Flag | Description |
|---|---|
--stdin |
Read from stdin instead of a file |
--allow-plain |
Allow safe-listed keys to be stored unencrypted |
`ctx-sync env add `
Add a single environment variable. Value is entered via hidden interactive prompt — never passed as a CLI argument.
BASHctx-sync env add STRIPE_KEY
Options:
| Flag | Description |
|---|---|
--stdin |
Read value from stdin pipe |
--from-fd N |
Read value from file descriptor N |
Values are never accepted as CLI arguments to prevent exposure in shell history and process lists. Use interactive prompt, stdin, or file descriptor instead.
`ctx-sync env scan`
Scan the current shell environment and select variables to track.
BASHctx-sync env scan my-app
`ctx-sync env list `
List all tracked environment variables for a project. Values are hidden by default.
BASHctx-sync env list my-app
Options:
| Flag | Description |
|---|---|
--show-values |
Show decrypted values (use with caution) |
Syncing
`ctx-sync sync`
Sync context with the remote — pushes local changes and pulls remote updates.
BASHctx-sync sync
`ctx-sync push`
Push local context to the remote.
BASHctx-sync push
`ctx-sync pull`
Pull remote context to the local machine.
BASHctx-sync pull
Mental Context
`ctx-sync note `
Update mental context — current task, blockers, next steps, breadcrumbs, and links.
BASHctx-sync note my-app
Use `ctx-sync note` at the end of each session to capture what you were doing, where you left off, and what you planned to do next. Your future self will thank you.
`ctx-sync show `
Display the full context for a project — Git state, environment variables, Docker services, and mental context.
BASHctx-sync show my-app
Docker
`ctx-sync docker start `
Start tracked Docker services for a project. Commands are shown for confirmation before execution.
BASHctx-sync docker start my-app
`ctx-sync docker stop `
Stop tracked Docker services.
BASHctx-sync docker stop my-app
`ctx-sync docker status`
Show the status of tracked Docker services.
BASHctx-sync docker status
Key Management
`ctx-sync key show`
Display your public key. The private key is never shown.
BASHctx-sync key show
`ctx-sync key rotate`
Rotate your encryption key. Generates a new key pair and re-encrypts all state files.
BASHctx-sync key rotate
What it does:
- Generates a new key pair
- Re-encrypts all state files with the new key
- Rewrites Git history to remove old encrypted blobs
- Force-pushes to remote
After rotation, all other machines must run `ctx-sync key update`. Failure to do so will prevent decryption on those machines.
`ctx-sync key verify`
Verify key file permissions and integrity.
BASHctx-sync key verify
`ctx-sync key update`
Update the private key on this machine after a key rotation on another machine.
BASHctx-sync key update
Team Management
`ctx-sync team add`
Add a team member as a recipient for encrypted state.
BASHctx-sync team add --name "Alice" --key age1alice...
`ctx-sync team remove `
Remove a team member and re-encrypt all shared state.
BASHctx-sync team remove alice
`ctx-sync team list`
List all team members and their public keys.
BASHctx-sync team list
`ctx-sync team revoke `
Immediately revoke a key and re-encrypt all shared secrets.
BASHctx-sync team revoke age1bob...
Configuration
`ctx-sync config safe-list`
View the current safe-list of environment variable keys that may be stored unencrypted.
BASHctx-sync config safe-list
`ctx-sync config safe-list add `
Add a key to the safe-list.
BASHctx-sync config safe-list add MY_SAFE_VAR
`ctx-sync config safe-list remove `
Remove a key from the safe-list.
BASHctx-sync config safe-list remove MY_SAFE_VAR
Security
`ctx-sync audit`
Run a comprehensive security audit of your ctx-sync setup.
BASHctx-sync audit
Checks:
- Key file permissions (must be 600)
- Config directory permissions (must be 700)
- Git remote transport security (SSH or HTTPS only)
- Git history for plaintext leaks
- Repository size
- All state files are encrypted
Make `ctx-sync audit` part of your routine. It catches permission drift, insecure remotes, and accidentally committed plaintext files.