From 428e9caa55e60598e7e81d7f29bd5d7d60b4d935 Mon Sep 17 00:00:00 2001
From: Jay Surse <jay@cortex.local>
Date: Mon, 22 Dec 2025 21:16:55 +0530
Subject: [PATCH 1/6] feat: add environment variable manager with encryption
 and templates

---
 cortex/cli.py             |  449 ++++++++++++++-
 cortex/env_manager.py     | 1092 +++++++++++++++++++++++++++++++++++++
 docs/ENV_MANAGEMENT.md    |  506 +++++++++++++++++
 examples/env_demo.py      |  431 +++++++++++++++
 requirements.txt          |    3 +
 tests/test_env_manager.py | 1025 ++++++++++++++++++++++++++++++++++
 6 files changed, 3505 insertions(+), 1 deletion(-)
 create mode 100644 cortex/env_manager.py
 create mode 100644 docs/ENV_MANAGEMENT.md
 create mode 100644 examples/env_demo.py
 create mode 100644 tests/test_env_manager.py

diff --git a/cortex/cli.py b/cortex/cli.py
index 996aec2b..735afa31 100644
--- a/cortex/cli.py
+++ b/cortex/cli.py
@@ -9,6 +9,7 @@
 from cortex.branding import VERSION, console, cx_header, cx_print, show_banner
 from cortex.coordinator import InstallationCoordinator, StepStatus
 from cortex.demo import run_demo
+from cortex.env_manager import EnvironmentManager, get_env_manager
 from cortex.installation_history import InstallationHistory, InstallationStatus, InstallationType
 from cortex.llm.interpreter import CommandInterpreter
 from cortex.notification_manager import NotificationManager
@@ -744,6 +745,353 @@ def wizard(self):
         cx_print("Please export your API key in your shell profile.", "info")
         return 0
 
+    def env(self, args: argparse.Namespace) -> int:
+        """Handle environment variable management commands."""
+        import sys
+
+        env_mgr = get_env_manager()
+
+        # Handle subcommand routing
+        action = getattr(args, "env_action", None)
+
+        if not action:
+            self._print_error("Please specify a subcommand (set/get/list/delete/export/import/clear/template)")
+            return 1
+
+        try:
+            if action == "set":
+                return self._env_set(env_mgr, args)
+            elif action == "get":
+                return self._env_get(env_mgr, args)
+            elif action == "list":
+                return self._env_list(env_mgr, args)
+            elif action == "delete":
+                return self._env_delete(env_mgr, args)
+            elif action == "export":
+                return self._env_export(env_mgr, args)
+            elif action == "import":
+                return self._env_import(env_mgr, args)
+            elif action == "clear":
+                return self._env_clear(env_mgr, args)
+            elif action == "template":
+                return self._env_template(env_mgr, args)
+            elif action == "apps":
+                return self._env_list_apps(env_mgr, args)
+            elif action == "load":
+                return self._env_load(env_mgr, args)
+            else:
+                self._print_error(f"Unknown env subcommand: {action}")
+                return 1
+        except Exception as e:
+            self._print_error(f"Environment operation failed: {e}")
+            return 1
+
+    def _env_set(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Set an environment variable."""
+        app = args.app
+        key = args.key
+        value = args.value
+        encrypt = getattr(args, "encrypt", False)
+        var_type = getattr(args, "type", "string") or "string"
+        description = getattr(args, "description", "") or ""
+
+        try:
+            env_mgr.set_variable(
+                app=app,
+                key=key,
+                value=value,
+                encrypt=encrypt,
+                var_type=var_type,
+                description=description,
+            )
+
+            if encrypt:
+                cx_print("🔐 Variable encrypted and stored", "success")
+            else:
+                cx_print("✓ Environment variable set", "success")
+            return 0
+
+        except ValueError as e:
+            self._print_error(str(e))
+            return 1
+        except ImportError as e:
+            self._print_error(str(e))
+            cx_print("Install with: pip install cryptography", "info")
+            return 1
+
+    def _env_get(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Get an environment variable value."""
+        app = args.app
+        key = args.key
+        show_encrypted = getattr(args, "decrypt", False)
+
+        value = env_mgr.get_variable(app, key, decrypt=show_encrypted)
+
+        if value is None:
+            self._print_error(f"Variable '{key}' not found for app '{app}'")
+            return 1
+
+        var_info = env_mgr.get_variable_info(app, key)
+
+        if var_info and var_info.encrypted and not show_encrypted:
+            console.print(f"{key}: [dim][encrypted][/dim]")
+        else:
+            console.print(f"{key}: {value}")
+
+        return 0
+
+    def _env_list(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """List all environment variables for an app."""
+        app = args.app
+        show_encrypted = getattr(args, "decrypt", False)
+
+        variables = env_mgr.list_variables(app)
+
+        if not variables:
+            cx_print(f"No environment variables set for '{app}'", "info")
+            return 0
+
+        cx_header(f"Environment: {app}")
+
+        for var in sorted(variables, key=lambda v: v.key):
+            if var.encrypted:
+                if show_encrypted:
+                    try:
+                        value = env_mgr.encryption.decrypt(var.value)
+                        console.print(f"  {var.key}: {value} [dim](decrypted)[/dim]")
+                    except Exception:
+                        console.print(f"  {var.key}: [red][decryption failed][/red]")
+                else:
+                    console.print(f"  {var.key}: [yellow][encrypted][/yellow]")
+            else:
+                console.print(f"  {var.key}: {var.value}")
+
+            if var.description:
+                console.print(f"    [dim]# {var.description}[/dim]")
+
+        console.print()
+        console.print(f"[dim]Total: {len(variables)} variable(s)[/dim]")
+        return 0
+
+    def _env_delete(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Delete an environment variable."""
+        app = args.app
+        key = args.key
+
+        if env_mgr.delete_variable(app, key):
+            cx_print(f"✓ Deleted '{key}' from '{app}'", "success")
+            return 0
+        else:
+            self._print_error(f"Variable '{key}' not found for app '{app}'")
+            return 1
+
+    def _env_export(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Export environment variables to .env format."""
+        app = args.app
+        include_encrypted = getattr(args, "include_encrypted", False)
+        output_file = getattr(args, "output", None)
+
+        content = env_mgr.export_env(app, include_encrypted=include_encrypted)
+
+        if not content:
+            cx_print(f"No environment variables to export for '{app}'", "info")
+            return 0
+
+        if output_file:
+            try:
+                with open(output_file, "w", encoding="utf-8") as f:
+                    f.write(content)
+                cx_print(f"✓ Exported to {output_file}", "success")
+            except IOError as e:
+                self._print_error(f"Failed to write file: {e}")
+                return 1
+        else:
+            # Print to stdout
+            print(content, end="")
+
+        return 0
+
+    def _env_import(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Import environment variables from .env format."""
+        import sys
+
+        app = args.app
+        input_file = getattr(args, "file", None)
+        encrypt_keys = getattr(args, "encrypt_keys", None)
+
+        try:
+            if input_file:
+                with open(input_file, "r", encoding="utf-8") as f:
+                    content = f.read()
+            elif not sys.stdin.isatty():
+                content = sys.stdin.read()
+            else:
+                self._print_error("No input file specified and stdin is empty")
+                cx_print("Usage: cortex env import <app> <file>", "info")
+                cx_print("   or: cat .env | cortex env import <app>", "info")
+                return 1
+
+            # Parse encrypt-keys argument
+            encrypt_list = []
+            if encrypt_keys:
+                encrypt_list = [k.strip() for k in encrypt_keys.split(",")]
+
+            count, errors = env_mgr.import_env(app, content, encrypt_keys=encrypt_list)
+
+            if errors:
+                for err in errors:
+                    cx_print(f"  ⚠ {err}", "warning")
+
+            if count > 0:
+                cx_print(f"✓ Imported {count} variable(s) to '{app}'", "success")
+            else:
+                cx_print("No variables imported", "info")
+
+            return 0 if not errors else 1
+
+        except FileNotFoundError:
+            self._print_error(f"File not found: {input_file}")
+            return 1
+        except IOError as e:
+            self._print_error(f"Failed to read file: {e}")
+            return 1
+
+    def _env_clear(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Clear all environment variables for an app."""
+        app = args.app
+        force = getattr(args, "force", False)
+
+        # Confirm unless --force is used
+        if not force:
+            confirm = input(f"⚠️  Clear ALL environment variables for '{app}'? (y/n): ")
+            if confirm.lower() != "y":
+                cx_print("Operation cancelled", "info")
+                return 0
+
+        if env_mgr.clear_app(app):
+            cx_print(f"✓ Cleared all variables for '{app}'", "success")
+        else:
+            cx_print(f"No environment data found for '{app}'", "info")
+
+        return 0
+
+    def _env_template(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Handle template subcommands."""
+        template_action = getattr(args, "template_action", None)
+
+        if template_action == "list":
+            return self._env_template_list(env_mgr)
+        elif template_action == "show":
+            return self._env_template_show(env_mgr, args)
+        elif template_action == "apply":
+            return self._env_template_apply(env_mgr, args)
+        else:
+            self._print_error("Please specify: template list, template show <name>, or template apply <name> <app>")
+            return 1
+
+    def _env_template_list(self, env_mgr: EnvironmentManager) -> int:
+        """List available templates."""
+        templates = env_mgr.list_templates()
+
+        cx_header("Available Environment Templates")
+
+        for template in sorted(templates, key=lambda t: t.name):
+            console.print(f"  [green]{template.name}[/green]")
+            console.print(f"    {template.description}")
+            console.print(f"    [dim]{len(template.variables)} variables[/dim]")
+            console.print()
+
+        cx_print("Use 'cortex env template show <name>' for details", "info")
+        return 0
+
+    def _env_template_show(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Show template details."""
+        template_name = args.template_name
+
+        template = env_mgr.get_template(template_name)
+        if not template:
+            self._print_error(f"Template '{template_name}' not found")
+            return 1
+
+        cx_header(f"Template: {template.name}")
+        console.print(f"  {template.description}")
+        console.print()
+
+        console.print("[bold]Variables:[/bold]")
+        for var in template.variables:
+            req = "[red]*[/red]" if var.required else " "
+            default = f" = {var.default}" if var.default else ""
+            console.print(f"  {req} [cyan]{var.name}[/cyan] ({var.var_type}){default}")
+            if var.description:
+                console.print(f"      [dim]{var.description}[/dim]")
+
+        console.print()
+        console.print("[dim]* = required[/dim]")
+        return 0
+
+    def _env_template_apply(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Apply a template to an app."""
+        template_name = args.template_name
+        app = args.app
+
+        # Parse key=value pairs from args
+        values = {}
+        value_args = getattr(args, "values", []) or []
+        for val in value_args:
+            if "=" in val:
+                k, v = val.split("=", 1)
+                values[k] = v
+
+        # Parse encrypt keys
+        encrypt_keys = []
+        encrypt_arg = getattr(args, "encrypt_keys", None)
+        if encrypt_arg:
+            encrypt_keys = [k.strip() for k in encrypt_arg.split(",")]
+
+        result = env_mgr.apply_template(
+            template_name=template_name,
+            app=app,
+            values=values,
+            encrypt_keys=encrypt_keys,
+        )
+
+        if result.valid:
+            cx_print(f"✓ Applied template '{template_name}' to '{app}'", "success")
+            return 0
+        else:
+            self._print_error(f"Failed to apply template '{template_name}'")
+            for err in result.errors:
+                console.print(f"  [red]✗[/red] {err}")
+            return 1
+
+    def _env_list_apps(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """List all apps with stored environments."""
+        apps = env_mgr.list_apps()
+
+        if not apps:
+            cx_print("No applications with stored environments", "info")
+            return 0
+
+        cx_header("Applications with Environments")
+        for app in apps:
+            var_count = len(env_mgr.list_variables(app))
+            console.print(f"  [green]{app}[/green] [dim]({var_count} variables)[/dim]")
+
+        return 0
+
+    def _env_load(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
+        """Load environment variables into current process."""
+        app = args.app
+
+        count = env_mgr.load_to_environ(app)
+
+        if count > 0:
+            cx_print(f"✓ Loaded {count} variable(s) from '{app}' into environment", "success")
+        else:
+            cx_print(f"No variables to load for '{app}'", "info")
+
+        return 0
+
 
 def show_rich_help():
     """Display beautifully formatted help using Rich"""
@@ -767,7 +1115,8 @@ def show_rich_help():
     table.add_row("install <pkg>", "Install software")
     table.add_row("history", "View history")
     table.add_row("rollback <id>", "Undo installation")
-    table.add_row("notify", "Manage desktop notifications")  # Added this line
+    table.add_row("notify", "Manage desktop notifications")
+    table.add_row("env", "Manage environment variables")
     table.add_row("cache stats", "Show LLM cache statistics")
     table.add_row("stack <name>", "Install the stack")
     table.add_row("doctor", "System health check")
@@ -893,6 +1242,102 @@ def main():
     cache_subs = cache_parser.add_subparsers(dest="cache_action", help="Cache actions")
     cache_subs.add_parser("stats", help="Show cache statistics")
 
+    # --- Environment Variable Management Commands ---
+    env_parser = subparsers.add_parser("env", help="Manage environment variables")
+    env_subs = env_parser.add_subparsers(dest="env_action", help="Environment actions")
+
+    # env set <app> <KEY> <VALUE> [--encrypt] [--type TYPE] [--description DESC]
+    env_set_parser = env_subs.add_parser("set", help="Set an environment variable")
+    env_set_parser.add_argument("app", help="Application name")
+    env_set_parser.add_argument("key", help="Variable name")
+    env_set_parser.add_argument("value", help="Variable value")
+    env_set_parser.add_argument(
+        "--encrypt", "-e", action="store_true", help="Encrypt the value"
+    )
+    env_set_parser.add_argument(
+        "--type", "-t", choices=["string", "url", "port", "boolean", "integer", "path"],
+        default="string", help="Variable type for validation"
+    )
+    env_set_parser.add_argument(
+        "--description", "-d", help="Description of the variable"
+    )
+
+    # env get <app> <KEY> [--decrypt]
+    env_get_parser = env_subs.add_parser("get", help="Get an environment variable")
+    env_get_parser.add_argument("app", help="Application name")
+    env_get_parser.add_argument("key", help="Variable name")
+    env_get_parser.add_argument(
+        "--decrypt", action="store_true", help="Decrypt and show encrypted values"
+    )
+
+    # env list <app> [--decrypt]
+    env_list_parser = env_subs.add_parser("list", help="List environment variables")
+    env_list_parser.add_argument("app", help="Application name")
+    env_list_parser.add_argument(
+        "--decrypt", action="store_true", help="Decrypt and show encrypted values"
+    )
+
+    # env delete <app> <KEY>
+    env_delete_parser = env_subs.add_parser("delete", help="Delete an environment variable")
+    env_delete_parser.add_argument("app", help="Application name")
+    env_delete_parser.add_argument("key", help="Variable name")
+
+    # env export <app> [--include-encrypted] [--output FILE]
+    env_export_parser = env_subs.add_parser("export", help="Export variables to .env format")
+    env_export_parser.add_argument("app", help="Application name")
+    env_export_parser.add_argument(
+        "--include-encrypted", action="store_true",
+        help="Include decrypted values of encrypted variables"
+    )
+    env_export_parser.add_argument(
+        "--output", "-o", help="Output file (default: stdout)"
+    )
+
+    # env import <app> [file] [--encrypt-keys KEYS]
+    env_import_parser = env_subs.add_parser("import", help="Import variables from .env format")
+    env_import_parser.add_argument("app", help="Application name")
+    env_import_parser.add_argument("file", nargs="?", help="Input file (default: stdin)")
+    env_import_parser.add_argument(
+        "--encrypt-keys", help="Comma-separated list of keys to encrypt"
+    )
+
+    # env clear <app> [--force]
+    env_clear_parser = env_subs.add_parser("clear", help="Clear all variables for an app")
+    env_clear_parser.add_argument("app", help="Application name")
+    env_clear_parser.add_argument(
+        "--force", "-f", action="store_true", help="Skip confirmation"
+    )
+
+    # env apps - list all apps with environments
+    env_subs.add_parser("apps", help="List all apps with stored environments")
+
+    # env load <app> - load into os.environ
+    env_load_parser = env_subs.add_parser("load", help="Load variables into current environment")
+    env_load_parser.add_argument("app", help="Application name")
+
+    # env template subcommands
+    env_template_parser = env_subs.add_parser("template", help="Manage environment templates")
+    env_template_subs = env_template_parser.add_subparsers(dest="template_action", help="Template actions")
+
+    # env template list
+    env_template_subs.add_parser("list", help="List available templates")
+
+    # env template show <name>
+    env_template_show_parser = env_template_subs.add_parser("show", help="Show template details")
+    env_template_show_parser.add_argument("template_name", help="Template name")
+
+    # env template apply <template> <app> [KEY=VALUE...] [--encrypt-keys KEYS]
+    env_template_apply_parser = env_template_subs.add_parser("apply", help="Apply template to app")
+    env_template_apply_parser.add_argument("template_name", help="Template name")
+    env_template_apply_parser.add_argument("app", help="Application name")
+    env_template_apply_parser.add_argument(
+        "values", nargs="*", help="Variable values as KEY=VALUE pairs"
+    )
+    env_template_apply_parser.add_argument(
+        "--encrypt-keys", help="Comma-separated list of keys to encrypt"
+    )
+    # --------------------------
+
     args = parser.parse_args()
 
     if not args.command:
@@ -936,6 +1381,8 @@ def main():
                 return cli.cache_stats()
             parser.print_help()
             return 1
+        elif args.command == "env":
+            return cli.env(args)
         else:
             parser.print_help()
             return 1
diff --git a/cortex/env_manager.py b/cortex/env_manager.py
new file mode 100644
index 00000000..86bc72bc
--- /dev/null
+++ b/cortex/env_manager.py
@@ -0,0 +1,1092 @@
+"""
+Environment Variable Manager for Cortex CLI.
+
+Provides first-class environment variable management with:
+- Per-application environment variable storage
+- Encrypted storage for secrets using Fernet encryption
+- Environment templates with validation
+- Integration with services for auto-loading
+
+Storage location: ~/.cortex/environments/<app>.json
+Encryption key: ~/.cortex/.env_key (chmod 600)
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import stat
+import tempfile
+from dataclasses import asdict, dataclass, field
+from enum import Enum
+from pathlib import Path
+from typing import Any, Callable
+
+# Lazy import for cryptography to handle optional dependency
+_fernet_module = None
+
+
+def _get_fernet():
+    """Lazy load Fernet to handle cases where cryptography is not installed."""
+    global _fernet_module
+    if _fernet_module is None:
+        try:
+            from cryptography.fernet import Fernet
+            _fernet_module = Fernet
+        except ImportError:
+            raise ImportError(
+                "cryptography package is required for encryption. "
+                "Install it with: pip install cryptography"
+            )
+    return _fernet_module
+
+
+class VariableType(Enum):
+    """Types of environment variables for validation."""
+    STRING = "string"
+    URL = "url"
+    PORT = "port"
+    BOOLEAN = "boolean"
+    INTEGER = "integer"
+    PATH = "path"
+
+
+@dataclass
+class EnvironmentVariable:
+    """Represents a single environment variable."""
+    key: str
+    value: str
+    encrypted: bool = False
+    description: str = ""
+    var_type: str = "string"
+    
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary for JSON serialization."""
+        return {
+            "key": self.key,
+            "value": self.value,
+            "encrypted": self.encrypted,
+            "description": self.description,
+            "var_type": self.var_type,
+        }
+    
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> EnvironmentVariable:
+        """Create from dictionary."""
+        return cls(
+            key=data["key"],
+            value=data["value"],
+            encrypted=data.get("encrypted", False),
+            description=data.get("description", ""),
+            var_type=data.get("var_type", "string"),
+        )
+
+
+@dataclass
+class TemplateVariable:
+    """Definition of a variable in a template."""
+    name: str
+    required: bool = True
+    default: str | None = None
+    var_type: str = "string"
+    description: str = ""
+    validation_pattern: str | None = None
+
+
+@dataclass
+class EnvironmentTemplate:
+    """Reusable environment template definition."""
+    name: str
+    description: str
+    variables: list[TemplateVariable] = field(default_factory=list)
+    
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary for JSON serialization."""
+        return {
+            "name": self.name,
+            "description": self.description,
+            "variables": [asdict(v) for v in self.variables],
+        }
+    
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> EnvironmentTemplate:
+        """Create from dictionary."""
+        variables = [
+            TemplateVariable(**v) for v in data.get("variables", [])
+        ]
+        return cls(
+            name=data["name"],
+            description=data["description"],
+            variables=variables,
+        )
+
+
+@dataclass
+class ValidationResult:
+    """Result of environment variable validation."""
+    valid: bool
+    errors: list[str] = field(default_factory=list)
+    warnings: list[str] = field(default_factory=list)
+
+
+# Built-in templates
+BUILTIN_TEMPLATES: dict[str, EnvironmentTemplate] = {
+    "nodejs": EnvironmentTemplate(
+        name="nodejs",
+        description="Standard Node.js application environment",
+        variables=[
+            TemplateVariable(
+                name="NODE_ENV",
+                required=True,
+                default="development",
+                var_type="string",
+                description="Node environment (development, production, test)",
+            ),
+            TemplateVariable(
+                name="PORT",
+                required=False,
+                default="3000",
+                var_type="port",
+                description="Application port",
+            ),
+            TemplateVariable(
+                name="LOG_LEVEL",
+                required=False,
+                default="info",
+                var_type="string",
+                description="Logging level",
+            ),
+        ],
+    ),
+    "python": EnvironmentTemplate(
+        name="python",
+        description="Standard Python application environment",
+        variables=[
+            TemplateVariable(
+                name="PYTHONPATH",
+                required=False,
+                var_type="path",
+                description="Python module search path",
+            ),
+            TemplateVariable(
+                name="PYTHONDONTWRITEBYTECODE",
+                required=False,
+                default="1",
+                var_type="boolean",
+                description="Prevent .pyc file generation",
+            ),
+            TemplateVariable(
+                name="PYTHONUNBUFFERED",
+                required=False,
+                default="1",
+                var_type="boolean",
+                description="Force unbuffered stdout/stderr",
+            ),
+            TemplateVariable(
+                name="LOG_LEVEL",
+                required=False,
+                default="INFO",
+                var_type="string",
+                description="Logging level",
+            ),
+        ],
+    ),
+    "django": EnvironmentTemplate(
+        name="django",
+        description="Django web application environment",
+        variables=[
+            TemplateVariable(
+                name="DJANGO_SETTINGS_MODULE",
+                required=True,
+                var_type="string",
+                description="Django settings module path",
+            ),
+            TemplateVariable(
+                name="SECRET_KEY",
+                required=True,
+                var_type="string",
+                description="Django secret key (should be encrypted)",
+            ),
+            TemplateVariable(
+                name="DEBUG",
+                required=False,
+                default="False",
+                var_type="boolean",
+                description="Django debug mode",
+            ),
+            TemplateVariable(
+                name="ALLOWED_HOSTS",
+                required=False,
+                default="localhost,127.0.0.1",
+                var_type="string",
+                description="Comma-separated allowed hosts",
+            ),
+            TemplateVariable(
+                name="DATABASE_URL",
+                required=False,
+                var_type="url",
+                description="Database connection URL",
+            ),
+        ],
+    ),
+    "flask": EnvironmentTemplate(
+        name="flask",
+        description="Flask web application environment",
+        variables=[
+            TemplateVariable(
+                name="FLASK_APP",
+                required=True,
+                var_type="string",
+                description="Flask application module",
+            ),
+            TemplateVariable(
+                name="FLASK_ENV",
+                required=False,
+                default="development",
+                var_type="string",
+                description="Flask environment",
+            ),
+            TemplateVariable(
+                name="FLASK_DEBUG",
+                required=False,
+                default="0",
+                var_type="boolean",
+                description="Flask debug mode",
+            ),
+            TemplateVariable(
+                name="SECRET_KEY",
+                required=True,
+                var_type="string",
+                description="Flask secret key (should be encrypted)",
+            ),
+        ],
+    ),
+    "docker": EnvironmentTemplate(
+        name="docker",
+        description="Docker containerized application environment",
+        variables=[
+            TemplateVariable(
+                name="DOCKER_HOST",
+                required=False,
+                var_type="url",
+                description="Docker daemon socket",
+            ),
+            TemplateVariable(
+                name="COMPOSE_PROJECT_NAME",
+                required=False,
+                var_type="string",
+                description="Docker Compose project name",
+            ),
+            TemplateVariable(
+                name="COMPOSE_FILE",
+                required=False,
+                default="docker-compose.yml",
+                var_type="path",
+                description="Docker Compose file path",
+            ),
+        ],
+    ),
+    "database": EnvironmentTemplate(
+        name="database",
+        description="Database connection environment",
+        variables=[
+            TemplateVariable(
+                name="DATABASE_URL",
+                required=True,
+                var_type="url",
+                description="Database connection URL",
+            ),
+            TemplateVariable(
+                name="DB_HOST",
+                required=False,
+                default="localhost",
+                var_type="string",
+                description="Database host",
+            ),
+            TemplateVariable(
+                name="DB_PORT",
+                required=False,
+                default="5432",
+                var_type="port",
+                description="Database port",
+            ),
+            TemplateVariable(
+                name="DB_NAME",
+                required=False,
+                var_type="string",
+                description="Database name",
+            ),
+            TemplateVariable(
+                name="DB_USER",
+                required=False,
+                var_type="string",
+                description="Database user",
+            ),
+            TemplateVariable(
+                name="DB_PASSWORD",
+                required=False,
+                var_type="string",
+                description="Database password (should be encrypted)",
+            ),
+        ],
+    ),
+    "aws": EnvironmentTemplate(
+        name="aws",
+        description="AWS cloud services environment",
+        variables=[
+            TemplateVariable(
+                name="AWS_ACCESS_KEY_ID",
+                required=True,
+                var_type="string",
+                description="AWS access key ID (should be encrypted)",
+            ),
+            TemplateVariable(
+                name="AWS_SECRET_ACCESS_KEY",
+                required=True,
+                var_type="string",
+                description="AWS secret access key (should be encrypted)",
+            ),
+            TemplateVariable(
+                name="AWS_DEFAULT_REGION",
+                required=False,
+                default="us-east-1",
+                var_type="string",
+                description="AWS default region",
+            ),
+            TemplateVariable(
+                name="AWS_PROFILE",
+                required=False,
+                var_type="string",
+                description="AWS named profile",
+            ),
+        ],
+    ),
+}
+
+
+class EnvironmentValidator:
+    """Validates environment variable values based on type."""
+    
+    # URL pattern: protocol://host[:port][/path]
+    URL_PATTERN = re.compile(
+        r"^[a-zA-Z][a-zA-Z0-9+.-]*://"  # scheme
+        r"[^\s/$.?#]"  # at least one character for host
+        r"[^\s]*$",  # rest of URL
+        re.IGNORECASE
+    )
+    
+    # Port: 1-65535
+    PORT_PATTERN = re.compile(r"^([1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$")
+    
+    # Boolean: common boolean representations
+    BOOLEAN_VALUES = {"true", "false", "1", "0", "yes", "no", "on", "off"}
+    
+    @classmethod
+    def validate(
+        cls,
+        value: str,
+        var_type: str,
+        custom_pattern: str | None = None,
+    ) -> tuple[bool, str | None]:
+        """
+        Validate a value against a type.
+        
+        Returns:
+            Tuple of (is_valid, error_message)
+        """
+        if custom_pattern:
+            try:
+                if not re.match(custom_pattern, value):
+                    return False, f"Value does not match pattern: {custom_pattern}"
+            except re.error as e:
+                return False, f"Invalid validation pattern: {e}"
+        
+        try:
+            vtype = VariableType(var_type)
+        except ValueError:
+            # Unknown type, treat as string (always valid)
+            return True, None
+        
+        if vtype == VariableType.STRING:
+            return True, None
+        
+        elif vtype == VariableType.URL:
+            if not cls.URL_PATTERN.match(value):
+                return False, f"Invalid URL format: {value}"
+            return True, None
+        
+        elif vtype == VariableType.PORT:
+            if not cls.PORT_PATTERN.match(value):
+                return False, f"Invalid port number: {value} (must be 1-65535)"
+            return True, None
+        
+        elif vtype == VariableType.BOOLEAN:
+            if value.lower() not in cls.BOOLEAN_VALUES:
+                return False, f"Invalid boolean value: {value} (use true/false, 1/0, yes/no, on/off)"
+            return True, None
+        
+        elif vtype == VariableType.INTEGER:
+            try:
+                int(value)
+                return True, None
+            except ValueError:
+                return False, f"Invalid integer value: {value}"
+        
+        elif vtype == VariableType.PATH:
+            # Path validation: just check it's not empty
+            if not value.strip():
+                return False, "Path cannot be empty"
+            return True, None
+        
+        return True, None
+
+
+class EncryptionManager:
+    """Manages encryption keys and encrypts/decrypts values."""
+    
+    def __init__(self, key_path: Path | None = None):
+        """
+        Initialize encryption manager.
+        
+        Args:
+            key_path: Path to encryption key file. Defaults to ~/.cortex/.env_key
+        """
+        if key_path is None:
+            key_path = Path.home() / ".cortex" / ".env_key"
+        self.key_path = key_path
+        self._fernet: Any = None
+    
+    def _ensure_key_exists(self) -> bytes:
+        """Ensure encryption key exists, create if needed."""
+        if self.key_path.exists():
+            return self.key_path.read_bytes()
+        
+        # Create new key
+        Fernet = _get_fernet()
+        key = Fernet.generate_key()
+        
+        # Ensure parent directory exists
+        self.key_path.parent.mkdir(parents=True, exist_ok=True)
+        
+        # Write key with secure permissions (atomic write)
+        fd = os.open(
+            str(self.key_path),
+            os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
+            stat.S_IRUSR | stat.S_IWUSR,  # 0600
+        )
+        try:
+            os.write(fd, key)
+        finally:
+            os.close(fd)
+        
+        return key
+    
+    def _get_fernet(self) -> Any:
+        """Get or create Fernet instance."""
+        if self._fernet is None:
+            Fernet = _get_fernet()
+            key = self._ensure_key_exists()
+            self._fernet = Fernet(key)
+        return self._fernet
+    
+    def encrypt(self, value: str) -> str:
+        """
+        Encrypt a value.
+        
+        Args:
+            value: Plaintext value to encrypt
+            
+        Returns:
+            Base64-encoded encrypted value
+        """
+        fernet = self._get_fernet()
+        encrypted = fernet.encrypt(value.encode("utf-8"))
+        return encrypted.decode("utf-8")
+    
+    def decrypt(self, encrypted_value: str) -> str:
+        """
+        Decrypt a value.
+        
+        Args:
+            encrypted_value: Base64-encoded encrypted value
+            
+        Returns:
+            Decrypted plaintext value
+        """
+        fernet = self._get_fernet()
+        decrypted = fernet.decrypt(encrypted_value.encode("utf-8"))
+        return decrypted.decode("utf-8")
+    
+    def is_key_available(self) -> bool:
+        """Check if encryption is available (key exists or can be created)."""
+        try:
+            self._ensure_key_exists()
+            return True
+        except Exception:
+            return False
+
+
+class EnvironmentStorage:
+    """Manages persistent storage of environment variables."""
+    
+    def __init__(self, base_path: Path | None = None):
+        """
+        Initialize storage.
+        
+        Args:
+            base_path: Base directory for environment storage.
+                       Defaults to ~/.cortex/environments
+        """
+        if base_path is None:
+            base_path = Path.home() / ".cortex" / "environments"
+        self.base_path = base_path
+        self.base_path.mkdir(parents=True, exist_ok=True)
+    
+    def _get_app_path(self, app: str) -> Path:
+        """Get the storage path for an application."""
+        # Sanitize app name for filesystem
+        safe_name = re.sub(r"[^\w\-.]", "_", app)
+        return self.base_path / f"{safe_name}.json"
+    
+    def _get_safe_app_name(self, app: str) -> str:
+        """Get a filesystem-safe version of the app name."""
+        return re.sub(r"[^\w\-.]", "_", app)
+    
+    def load(self, app: str) -> dict[str, EnvironmentVariable]:
+        """
+        Load environment variables for an application.
+        
+        Args:
+            app: Application name
+            
+        Returns:
+            Dictionary mapping variable names to EnvironmentVariable objects
+        """
+        app_path = self._get_app_path(app)
+        
+        if not app_path.exists():
+            return {}
+        
+        try:
+            with open(app_path, "r", encoding="utf-8") as f:
+                data = json.load(f)
+            
+            return {
+                var_data["key"]: EnvironmentVariable.from_dict(var_data)
+                for var_data in data.get("variables", [])
+            }
+        except (json.JSONDecodeError, KeyError) as e:
+            raise ValueError(f"Corrupted environment file for {app}: {e}")
+    
+    def save(self, app: str, variables: dict[str, EnvironmentVariable]) -> None:
+        """
+        Save environment variables for an application (atomic write).
+        
+        Args:
+            app: Application name
+            variables: Dictionary of environment variables
+        """
+        app_path = self._get_app_path(app)
+        
+        data = {
+            "app": app,
+            "variables": [var.to_dict() for var in variables.values()],
+        }
+        
+        # Atomic write: write to temp file, then rename
+        self.base_path.mkdir(parents=True, exist_ok=True)
+        
+        # Use safe app name for temp file prefix
+        safe_prefix = self._get_safe_app_name(app)
+        
+        fd, temp_path = tempfile.mkstemp(
+            dir=self.base_path,
+            suffix=".tmp",
+            prefix=f"{safe_prefix}_",
+        )
+        try:
+            with os.fdopen(fd, "w", encoding="utf-8") as f:
+                json.dump(data, f, indent=2)
+            os.replace(temp_path, app_path)
+        except Exception:
+            # Clean up temp file on failure
+            if os.path.exists(temp_path):
+                os.unlink(temp_path)
+            raise
+    
+    def delete_app(self, app: str) -> bool:
+        """
+        Delete all environment data for an application.
+        
+        Args:
+            app: Application name
+            
+        Returns:
+            True if data was deleted, False if app didn't exist
+        """
+        app_path = self._get_app_path(app)
+        
+        if app_path.exists():
+            app_path.unlink()
+            return True
+        return False
+    
+    def list_apps(self) -> list[str]:
+        """
+        List all applications with stored environments.
+        
+        Returns:
+            List of application names
+        """
+        apps = []
+        for path in self.base_path.glob("*.json"):
+            # Extract app name from filename
+            app_name = path.stem
+            apps.append(app_name)
+        return sorted(apps)
+
+
+class EnvironmentManager:
+    """
+    Main environment manager class.
+    
+    Provides high-level API for managing environment variables
+    with encryption, templates, and validation.
+    """
+    
+    def __init__(
+        self,
+        storage: EnvironmentStorage | None = None,
+        encryption: EncryptionManager | None = None,
+    ):
+        """
+        Initialize the environment manager.
+        
+        Args:
+            storage: Custom storage backend (optional)
+            encryption: Custom encryption manager (optional)
+        """
+        self.storage = storage or EnvironmentStorage()
+        self.encryption = encryption or EncryptionManager()
+        self.templates = dict(BUILTIN_TEMPLATES)
+    
+    def set_variable(
+        self,
+        app: str,
+        key: str,
+        value: str,
+        encrypt: bool = False,
+        var_type: str = "string",
+        description: str = "",
+    ) -> EnvironmentVariable:
+        """
+        Set an environment variable for an application.
+        
+        Args:
+            app: Application name
+            key: Variable name
+            value: Variable value
+            encrypt: Whether to encrypt the value
+            var_type: Variable type for validation
+            description: Optional description
+            
+        Returns:
+            The created/updated EnvironmentVariable
+        """
+        # Validate the value if type is specified
+        if var_type != "string":
+            is_valid, error = EnvironmentValidator.validate(value, var_type)
+            if not is_valid:
+                raise ValueError(error)
+        
+        # Load existing variables
+        variables = self.storage.load(app)
+        
+        # Encrypt if requested
+        stored_value = value
+        if encrypt:
+            stored_value = self.encryption.encrypt(value)
+        
+        # Create or update variable
+        env_var = EnvironmentVariable(
+            key=key,
+            value=stored_value,
+            encrypted=encrypt,
+            description=description,
+            var_type=var_type,
+        )
+        
+        variables[key] = env_var
+        self.storage.save(app, variables)
+        
+        return env_var
+    
+    def get_variable(
+        self,
+        app: str,
+        key: str,
+        decrypt: bool = True,
+    ) -> str | None:
+        """
+        Get an environment variable value.
+        
+        Args:
+            app: Application name
+            key: Variable name
+            decrypt: Whether to decrypt encrypted values
+            
+        Returns:
+            Variable value or None if not found
+        """
+        variables = self.storage.load(app)
+        
+        if key not in variables:
+            return None
+        
+        var = variables[key]
+        
+        if var.encrypted and decrypt:
+            return self.encryption.decrypt(var.value)
+        
+        return var.value
+    
+    def get_variable_info(self, app: str, key: str) -> EnvironmentVariable | None:
+        """
+        Get full information about a variable.
+        
+        Args:
+            app: Application name
+            key: Variable name
+            
+        Returns:
+            EnvironmentVariable object or None if not found
+        """
+        variables = self.storage.load(app)
+        return variables.get(key)
+    
+    def list_variables(self, app: str) -> list[EnvironmentVariable]:
+        """
+        List all environment variables for an application.
+        
+        Args:
+            app: Application name
+            
+        Returns:
+            List of EnvironmentVariable objects
+        """
+        variables = self.storage.load(app)
+        return list(variables.values())
+    
+    def delete_variable(self, app: str, key: str) -> bool:
+        """
+        Delete an environment variable.
+        
+        Args:
+            app: Application name
+            key: Variable name
+            
+        Returns:
+            True if variable was deleted, False if not found
+        """
+        variables = self.storage.load(app)
+        
+        if key not in variables:
+            return False
+        
+        del variables[key]
+        self.storage.save(app, variables)
+        return True
+    
+    def clear_app(self, app: str) -> bool:
+        """
+        Clear all environment variables for an application.
+        
+        Args:
+            app: Application name
+            
+        Returns:
+            True if app existed and was cleared
+        """
+        return self.storage.delete_app(app)
+    
+    def list_apps(self) -> list[str]:
+        """
+        List all applications with stored environments.
+        
+        Returns:
+            List of application names
+        """
+        return self.storage.list_apps()
+    
+    def export_env(self, app: str, include_encrypted: bool = False) -> str:
+        """
+        Export environment variables in .env format.
+        
+        Args:
+            app: Application name
+            include_encrypted: Whether to decrypt and include encrypted values
+            
+        Returns:
+            Environment file content as string
+        """
+        variables = self.storage.load(app)
+        lines = []
+        
+        for var in sorted(variables.values(), key=lambda v: v.key):
+            if var.encrypted:
+                if include_encrypted:
+                    value = self.encryption.decrypt(var.value)
+                    lines.append(f"# [encrypted] {var.description}" if var.description else "# [encrypted]")
+                    lines.append(f'{var.key}="{value}"')
+                else:
+                    lines.append(f"# {var.key}=[encrypted - use --include-encrypted to export]")
+            else:
+                if var.description:
+                    lines.append(f"# {var.description}")
+                # Quote values with special characters
+                if any(c in var.value for c in " \t\n'\"$`\\"):
+                    lines.append(f'{var.key}="{var.value}"')
+                else:
+                    lines.append(f"{var.key}={var.value}")
+        
+        return "\n".join(lines) + "\n" if lines else ""
+    
+    def import_env(
+        self,
+        app: str,
+        content: str,
+        encrypt_keys: list[str] | None = None,
+    ) -> tuple[int, list[str]]:
+        """
+        Import environment variables from .env format.
+        
+        Args:
+            app: Application name
+            content: .env file content
+            encrypt_keys: List of keys to encrypt during import
+            
+        Returns:
+            Tuple of (count of imported variables, list of errors)
+        """
+        encrypt_keys = set(encrypt_keys or [])
+        variables = self.storage.load(app)
+        imported = 0
+        errors = []
+        
+        for line_num, line in enumerate(content.splitlines(), start=1):
+            line = line.strip()
+            
+            # Skip empty lines and comments
+            if not line or line.startswith("#"):
+                continue
+            
+            # Parse KEY=value
+            match = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line)
+            if not match:
+                errors.append(f"Line {line_num}: Invalid format")
+                continue
+            
+            key = match.group(1)
+            value = match.group(2)
+            
+            # Handle quoted values
+            if (value.startswith('"') and value.endswith('"')) or \
+               (value.startswith("'") and value.endswith("'")):
+                value = value[1:-1]
+            
+            # Encrypt if key is in encrypt_keys
+            encrypt = key in encrypt_keys
+            
+            if encrypt:
+                value = self.encryption.encrypt(value)
+            
+            variables[key] = EnvironmentVariable(
+                key=key,
+                value=value,
+                encrypted=encrypt,
+            )
+            imported += 1
+        
+        if imported > 0:
+            self.storage.save(app, variables)
+        
+        return imported, errors
+    
+    def load_to_environ(self, app: str) -> int:
+        """
+        Load environment variables into os.environ.
+        
+        Args:
+            app: Application name
+            
+        Returns:
+            Number of variables loaded
+        """
+        variables = self.storage.load(app)
+        loaded = 0
+        
+        for var in variables.values():
+            if var.encrypted:
+                value = self.encryption.decrypt(var.value)
+            else:
+                value = var.value
+            
+            os.environ[var.key] = value
+            loaded += 1
+        
+        return loaded
+    
+    # Template management
+    
+    def list_templates(self) -> list[EnvironmentTemplate]:
+        """
+        List all available templates.
+        
+        Returns:
+            List of EnvironmentTemplate objects
+        """
+        return list(self.templates.values())
+    
+    def get_template(self, name: str) -> EnvironmentTemplate | None:
+        """
+        Get a template by name.
+        
+        Args:
+            name: Template name
+            
+        Returns:
+            EnvironmentTemplate or None if not found
+        """
+        return self.templates.get(name.lower())
+    
+    def apply_template(
+        self,
+        template_name: str,
+        app: str,
+        values: dict[str, str] | None = None,
+        encrypt_keys: list[str] | None = None,
+    ) -> ValidationResult:
+        """
+        Apply a template to an application.
+        
+        Args:
+            template_name: Name of template to apply
+            app: Application name
+            values: Values for template variables
+            encrypt_keys: Keys to encrypt
+            
+        Returns:
+            ValidationResult with any errors/warnings
+        """
+        template = self.get_template(template_name)
+        if not template:
+            return ValidationResult(
+                valid=False,
+                errors=[f"Template '{template_name}' not found"],
+            )
+        
+        values = values or {}
+        encrypt_keys = set(encrypt_keys or [])
+        errors = []
+        warnings = []
+        
+        variables = self.storage.load(app)
+        
+        for tvar in template.variables:
+            if tvar.name in values:
+                # Use provided value
+                value = values[tvar.name]
+            elif tvar.default is not None:
+                # Use default
+                value = tvar.default
+            elif tvar.required:
+                errors.append(f"Required variable '{tvar.name}' not provided")
+                continue
+            else:
+                # Optional with no default - skip
+                continue
+            
+            # Validate value
+            is_valid, error = EnvironmentValidator.validate(
+                value,
+                tvar.var_type,
+                tvar.validation_pattern,
+            )
+            
+            if not is_valid:
+                errors.append(f"{tvar.name}: {error}")
+                continue
+            
+            # Check if should encrypt
+            encrypt = tvar.name in encrypt_keys
+            
+            stored_value = value
+            if encrypt:
+                stored_value = self.encryption.encrypt(value)
+            
+            variables[tvar.name] = EnvironmentVariable(
+                key=tvar.name,
+                value=stored_value,
+                encrypted=encrypt,
+                description=tvar.description,
+                var_type=tvar.var_type,
+            )
+        
+        if not errors:
+            self.storage.save(app, variables)
+        
+        return ValidationResult(
+            valid=len(errors) == 0,
+            errors=errors,
+            warnings=warnings,
+        )
+    
+    def validate_app(
+        self,
+        app: str,
+        template_name: str | None = None,
+    ) -> ValidationResult:
+        """
+        Validate environment variables for an application.
+        
+        Args:
+            app: Application name
+            template_name: Optional template to validate against
+            
+        Returns:
+            ValidationResult with any errors/warnings
+        """
+        variables = self.storage.load(app)
+        errors = []
+        warnings = []
+        
+        # Validate all variable types
+        for var in variables.values():
+            is_valid, error = EnvironmentValidator.validate(
+                var.value if not var.encrypted else "placeholder",
+                var.var_type,
+            )
+            if not is_valid and not var.encrypted:
+                errors.append(f"{var.key}: {error}")
+        
+        # If template specified, check required variables
+        if template_name:
+            template = self.get_template(template_name)
+            if not template:
+                errors.append(f"Template '{template_name}' not found")
+            else:
+                for tvar in template.variables:
+                    if tvar.required and tvar.name not in variables:
+                        errors.append(f"Required variable '{tvar.name}' missing")
+        
+        return ValidationResult(
+            valid=len(errors) == 0,
+            errors=errors,
+            warnings=warnings,
+        )
+
+
+def get_env_manager() -> EnvironmentManager:
+    """Get the default environment manager instance."""
+    return EnvironmentManager()
diff --git a/docs/ENV_MANAGEMENT.md b/docs/ENV_MANAGEMENT.md
new file mode 100644
index 00000000..37249f13
--- /dev/null
+++ b/docs/ENV_MANAGEMENT.md
@@ -0,0 +1,506 @@
+# Environment Variable Management
+
+Cortex provides first-class environment variable management with encryption, templates, validation, and seamless integration with your services.
+
+## Overview
+
+The `cortex env` command group allows you to:
+
+- **Store** environment variables per application
+- **Encrypt** sensitive values at rest
+- **Template** common configurations (Node.js, Python, Django, etc.)
+- **Validate** variable formats (URLs, ports, booleans, etc.)
+- **Export/Import** environment files
+- **Load** variables into running services
+
+## Quick Start
+
+```bash
+# Set a simple variable
+cortex env set myapp DATABASE_URL "postgres://localhost/db"
+✓ Environment variable set
+
+# Set an encrypted secret
+cortex env set myapp API_KEY "secret123" --encrypt
+🔐 Variable encrypted and stored
+
+# List all variables for an app
+cortex env list myapp
+```
+
+## Storage
+
+### Location
+
+Environment variables are stored in JSON files under:
+
+```
+~/.cortex/environments/<app>.json
+```
+
+Each application has its own file, ensuring complete isolation between apps.
+
+### File Format
+
+```json
+{
+  "app": "myapp",
+  "variables": [
+    {
+      "key": "DATABASE_URL",
+      "value": "postgres://localhost/db",
+      "encrypted": false,
+      "description": "Database connection URL",
+      "var_type": "url"
+    },
+    {
+      "key": "API_KEY",
+      "value": "gAAAAABk...encrypted_blob...",
+      "encrypted": true,
+      "description": "External API key",
+      "var_type": "string"
+    }
+  ]
+}
+```
+
+## Commands Reference
+
+### Set a Variable
+
+```bash
+cortex env set <app> <KEY> <VALUE> [options]
+```
+
+**Options:**
+- `--encrypt, -e` - Encrypt the value before storing
+- `--type, -t` - Variable type for validation (string, url, port, boolean, integer, path)
+- `--description, -d` - Description of the variable
+
+**Examples:**
+
+```bash
+# Basic variable
+cortex env set myapp NODE_ENV production
+
+# Encrypted secret
+cortex env set myapp SECRET_KEY "super-secret" --encrypt
+
+# With validation
+cortex env set myapp PORT 3000 --type port
+
+# With description
+cortex env set myapp LOG_LEVEL debug -d "Application logging level"
+```
+
+### Get a Variable
+
+```bash
+cortex env get <app> <KEY> [--decrypt]
+```
+
+**Options:**
+- `--decrypt` - Decrypt and show encrypted values
+
+**Examples:**
+
+```bash
+# Get a plain variable
+cortex env get myapp DATABASE_URL
+DATABASE_URL: postgres://localhost/db
+
+# Get encrypted variable (shows [encrypted] by default)
+cortex env get myapp API_KEY
+API_KEY: [encrypted]
+
+# Decrypt and show
+cortex env get myapp API_KEY --decrypt
+API_KEY: secret123
+```
+
+### List Variables
+
+```bash
+cortex env list <app> [--decrypt]
+```
+
+**Examples:**
+
+```bash
+cortex env list myapp
+# Output:
+# Environment: myapp
+#   DATABASE_URL: postgres://localhost/db
+#   API_KEY: [encrypted]
+#   NODE_ENV: production
+```
+
+### Delete a Variable
+
+```bash
+cortex env delete <app> <KEY>
+```
+
+### Export Variables
+
+Export environment variables in `.env` format:
+
+```bash
+cortex env export <app> [--include-encrypted] [--output FILE]
+```
+
+**Options:**
+- `--include-encrypted` - Decrypt and include encrypted values
+- `--output, -o` - Write to file instead of stdout
+
+**Examples:**
+
+```bash
+# Export to stdout
+cortex env export myapp
+
+# Export to file
+cortex env export myapp -o .env
+
+# Include decrypted secrets (use with caution!)
+cortex env export myapp --include-encrypted > .env
+```
+
+### Import Variables
+
+Import from `.env` format:
+
+```bash
+cortex env import <app> [file] [--encrypt-keys KEYS]
+```
+
+**Options:**
+- `--encrypt-keys` - Comma-separated list of keys to encrypt during import
+
+**Examples:**
+
+```bash
+# Import from file
+cortex env import myapp .env
+
+# Import from stdin
+cat .env | cortex env import myapp
+
+# Import with selective encryption
+cortex env import myapp .env --encrypt-keys "API_KEY,SECRET_KEY,DB_PASSWORD"
+```
+
+### Clear All Variables
+
+```bash
+cortex env clear <app> [--force]
+```
+
+**Options:**
+- `--force, -f` - Skip confirmation prompt
+
+### List Applications
+
+```bash
+cortex env apps
+```
+
+Shows all applications with stored environments.
+
+### Load into Environment
+
+Load variables into the current process's environment:
+
+```bash
+cortex env load <app>
+```
+
+This sets all variables in `os.environ`, decrypting encrypted values automatically.
+
+## Templates
+
+Templates provide pre-defined environment configurations for common frameworks.
+
+### List Available Templates
+
+```bash
+cortex env template list
+```
+
+**Built-in Templates:**
+
+| Template   | Description                        |
+|------------|-----------------------------------|
+| `nodejs`   | Standard Node.js application      |
+| `python`   | Python application                |
+| `django`   | Django web application            |
+| `flask`    | Flask web application             |
+| `docker`   | Docker containerized application  |
+| `database` | Database connection               |
+| `aws`      | AWS cloud services                |
+
+### Show Template Details
+
+```bash
+cortex env template show <template>
+```
+
+**Example:**
+
+```bash
+cortex env template show django
+# Output:
+# Template: django
+#   Django web application environment
+#
+# Variables:
+#   * DJANGO_SETTINGS_MODULE (string)
+#       Django settings module path
+#   * SECRET_KEY (string)
+#       Django secret key (should be encrypted)
+#     DEBUG (boolean) = False
+#       Django debug mode
+#     ALLOWED_HOSTS (string) = localhost,127.0.0.1
+#       Comma-separated allowed hosts
+#     DATABASE_URL (url)
+#       Database connection URL
+#
+# * = required
+```
+
+### Apply a Template
+
+```bash
+cortex env template apply <template> <app> [KEY=VALUE...] [--encrypt-keys KEYS]
+```
+
+**Examples:**
+
+```bash
+# Apply with defaults
+cortex env template apply nodejs myapp
+
+# Apply with custom values
+cortex env template apply django myapp \
+  DJANGO_SETTINGS_MODULE=myapp.settings \
+  SECRET_KEY=my-secret-key \
+  --encrypt-keys SECRET_KEY
+
+# Override defaults
+cortex env template apply nodejs myapp NODE_ENV=production PORT=8080
+```
+
+## Encryption
+
+### How It Works
+
+Cortex uses [Fernet symmetric encryption](https://cryptography.io/en/latest/fernet/) (AES-128-CBC with HMAC) from the `cryptography` library.
+
+**Key Storage:**
+- Encryption key is stored at `~/.cortex/.env_key`
+- File permissions are set to `600` (owner read/write only)
+- Key is automatically generated on first use
+
+### Security Considerations
+
+1. **Key Protection**: The encryption key must be protected. Anyone with access to `~/.cortex/.env_key` can decrypt all secrets.
+
+2. **Backup**: If you lose the key file, encrypted values cannot be recovered. Consider backing up the key securely.
+
+3. **Don't Commit**: Never commit `~/.cortex/` to version control.
+
+4. **Export Caution**: Using `--include-encrypted` exposes secrets in plaintext.
+
+### Rotating Keys
+
+To rotate the encryption key:
+
+```bash
+# 1. Export all apps with decrypted values
+for app in $(cortex env apps | grep -oP '^\s+\K\w+'); do
+  cortex env export $app --include-encrypted > /tmp/${app}.env
+done
+
+# 2. Remove old key
+rm ~/.cortex/.env_key
+
+# 3. Re-import with new encryption
+for app in $(cortex env apps | grep -oP '^\s+\K\w+'); do
+  cortex env import $app /tmp/${app}.env --encrypt-keys "API_KEY,SECRET_KEY,PASSWORD"
+done
+
+# 4. Securely delete temp files
+shred -u /tmp/*.env
+```
+
+## Validation
+
+Variables can be validated against common types:
+
+| Type      | Description                          | Example Values                    |
+|-----------|--------------------------------------|-----------------------------------|
+| `string`  | Any string (no validation)           | `hello`, `anything`               |
+| `url`     | Valid URL with scheme                | `https://example.com`, `redis://localhost:6379` |
+| `port`    | Port number (1-65535)                | `80`, `3000`, `8080`              |
+| `boolean` | Boolean value                        | `true`, `false`, `1`, `0`, `yes`, `no` |
+| `integer` | Integer number                       | `0`, `100`, `-5`                  |
+| `path`    | File system path                     | `/usr/local/bin`, `./config`      |
+
+**Example:**
+
+```bash
+# This succeeds
+cortex env set myapp PORT 3000 --type port
+
+# This fails with validation error
+cortex env set myapp PORT 99999 --type port
+Error: Invalid port number: 99999 (must be 1-65535)
+```
+
+## Integration with Services
+
+### Loading at Service Start
+
+Use `cortex env load` before starting your service:
+
+```bash
+# In your service startup script
+cortex env load myapp && python app.py
+```
+
+### Python Integration
+
+```python
+from cortex.env_manager import get_env_manager
+
+# Load environment for your app
+env_mgr = get_env_manager()
+env_mgr.load_to_environ("myapp")
+
+# Now use os.environ normally
+import os
+database_url = os.environ.get("DATABASE_URL")
+```
+
+### Shell Script Integration
+
+```bash
+#!/bin/bash
+# Load environment and run command
+cortex env load myapp
+exec "$@"
+```
+
+### Docker Integration
+
+```dockerfile
+# Install cortex in your image
+RUN pip install cortex-linux
+
+# Load env at runtime (requires mounted ~/.cortex)
+ENTRYPOINT ["sh", "-c", "cortex env load myapp && exec \"$@\"", "--"]
+CMD ["python", "app.py"]
+```
+
+## Best Practices
+
+1. **Use Templates**: Start with a template and customize rather than creating from scratch.
+
+2. **Encrypt Secrets**: Always use `--encrypt` for passwords, API keys, and sensitive data.
+
+3. **Type Validation**: Use `--type` to catch configuration errors early.
+
+4. **Document Variables**: Use `--description` to explain what each variable does.
+
+5. **App Naming**: Use consistent, descriptive app names (e.g., `myapp-prod`, `myapp-dev`).
+
+6. **Export Regularly**: Keep `.env` exports (without secrets) in version control as documentation.
+
+7. **Audit Access**: Regularly review who has access to `~/.cortex/` on shared systems.
+
+## Troubleshooting
+
+### "cryptography package is required"
+
+Install the cryptography library:
+
+```bash
+pip install cryptography
+```
+
+### "Variable not found"
+
+Check that:
+1. The app name is spelled correctly
+2. The variable was set successfully
+3. You're not confusing app names
+
+```bash
+# List all apps
+cortex env apps
+
+# List variables for specific app
+cortex env list myapp
+```
+
+### "Invalid port/URL/boolean"
+
+The value doesn't match the expected format. Check the validation rules above.
+
+### "Decryption failed"
+
+This usually means:
+1. The encryption key (`~/.cortex/.env_key`) was changed or deleted
+2. The encrypted value was corrupted
+3. The value was encrypted with a different key
+
+### Permission Denied
+
+Check permissions on:
+- `~/.cortex/` directory
+- `~/.cortex/.env_key` file (should be 600)
+- `~/.cortex/environments/` directory
+
+```bash
+chmod 700 ~/.cortex
+chmod 600 ~/.cortex/.env_key
+chmod 700 ~/.cortex/environments
+```
+
+## API Reference
+
+For programmatic access, use the `EnvironmentManager` class:
+
+```python
+from cortex.env_manager import EnvironmentManager, get_env_manager
+
+# Get default manager
+env_mgr = get_env_manager()
+
+# Or create custom instance
+from cortex.env_manager import EnvironmentStorage, EncryptionManager
+env_mgr = EnvironmentManager(
+    storage=EnvironmentStorage(base_path="/custom/path"),
+    encryption=EncryptionManager(key_path="/custom/key"),
+)
+
+# Set variables
+env_mgr.set_variable("myapp", "KEY", "value", encrypt=True)
+
+# Get variables
+value = env_mgr.get_variable("myapp", "KEY", decrypt=True)
+
+# List variables
+for var in env_mgr.list_variables("myapp"):
+    print(f"{var.key}: {var.value if not var.encrypted else '[encrypted]'}")
+
+# Apply templates
+result = env_mgr.apply_template("nodejs", "myapp", values={"PORT": "8080"})
+
+# Export/Import
+content = env_mgr.export_env("myapp", include_encrypted=True)
+count, errors = env_mgr.import_env("myapp", content)
+
+# Load to os.environ
+env_mgr.load_to_environ("myapp")
+```
diff --git a/examples/env_demo.py b/examples/env_demo.py
new file mode 100644
index 00000000..1a1b07f2
--- /dev/null
+++ b/examples/env_demo.py
@@ -0,0 +1,431 @@
+#!/usr/bin/env python3
+"""
+Environment Variable Manager Demo
+
+This script demonstrates the environment variable management features
+of Cortex, including:
+
+- Setting and getting variables
+- Encrypting sensitive values
+- Using templates
+- Importing and exporting
+- Variable validation
+
+Run this script to see the env manager in action:
+    python examples/env_demo.py
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+import tempfile
+from pathlib import Path
+
+# Add parent directory to path for imports
+sys.path.insert(0, str(Path(__file__).parent.parent))
+
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from cortex.env_manager import (
+    EnvironmentManager,
+    EnvironmentStorage,
+    EncryptionManager,
+    get_env_manager,
+)
+
+console = Console()
+
+
+def demo_header(title: str) -> None:
+    """Print a demo section header."""
+    console.print()
+    console.print(Panel(f"[bold cyan]{title}[/bold cyan]", expand=False))
+    console.print()
+
+
+def demo_basic_operations(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate basic set/get/list/delete operations."""
+    demo_header("1. Basic Operations")
+
+    app = "demo-app"
+
+    # Set variables
+    console.print("[bold]Setting variables...[/bold]")
+    env_mgr.set_variable(app, "DATABASE_URL", "postgres://localhost:5432/mydb")
+    console.print("  ✓ Set DATABASE_URL")
+
+    env_mgr.set_variable(app, "REDIS_URL", "redis://localhost:6379")
+    console.print("  ✓ Set REDIS_URL")
+
+    env_mgr.set_variable(app, "LOG_LEVEL", "debug", description="Application logging level")
+    console.print("  ✓ Set LOG_LEVEL with description")
+
+    console.print()
+
+    # Get a variable
+    console.print("[bold]Getting a variable...[/bold]")
+    value = env_mgr.get_variable(app, "DATABASE_URL")
+    console.print(f"  DATABASE_URL = {value}")
+
+    console.print()
+
+    # List all variables
+    console.print("[bold]Listing all variables...[/bold]")
+    variables = env_mgr.list_variables(app)
+
+    table = Table(show_header=True, header_style="bold")
+    table.add_column("Key")
+    table.add_column("Value")
+    table.add_column("Description")
+
+    for var in sorted(variables, key=lambda v: v.key):
+        table.add_row(
+            var.key,
+            var.value[:50] + "..." if len(var.value) > 50 else var.value,
+            var.description or "-",
+        )
+
+    console.print(table)
+
+    console.print()
+
+    # Delete a variable
+    console.print("[bold]Deleting REDIS_URL...[/bold]")
+    env_mgr.delete_variable(app, "REDIS_URL")
+    console.print("  ✓ Deleted REDIS_URL")
+
+    # Verify deletion
+    remaining = env_mgr.list_variables(app)
+    console.print(f"  Remaining variables: {len(remaining)}")
+
+
+def demo_encryption(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate encryption features."""
+    demo_header("2. Encryption")
+
+    app = "demo-app"
+
+    # Set encrypted variables
+    console.print("[bold]Setting encrypted variables...[/bold]")
+
+    env_mgr.set_variable(
+        app,
+        "API_KEY",
+        "sk-secret-api-key-12345",
+        encrypt=True,
+        description="External API key",
+    )
+    console.print("  🔐 Set API_KEY (encrypted)")
+
+    env_mgr.set_variable(
+        app,
+        "JWT_SECRET",
+        "super-secret-jwt-signing-key",
+        encrypt=True,
+    )
+    console.print("  🔐 Set JWT_SECRET (encrypted)")
+
+    console.print()
+
+    # Show how encrypted values appear
+    console.print("[bold]Viewing encrypted variables...[/bold]")
+
+    api_key_info = env_mgr.get_variable_info(app, "API_KEY")
+    console.print(f"  API_KEY encrypted: {api_key_info.encrypted}")
+    console.print(f"  API_KEY stored value: {api_key_info.value[:40]}...")
+
+    console.print()
+
+    # Decrypt and show
+    console.print("[bold]Decrypting variables...[/bold]")
+    decrypted = env_mgr.get_variable(app, "API_KEY", decrypt=True)
+    console.print(f"  API_KEY decrypted: {decrypted}")
+
+    console.print()
+
+    # Show in list (encrypted placeholder)
+    console.print("[bold]Variables in list view:[/bold]")
+    for var in env_mgr.list_variables(app):
+        if var.encrypted:
+            console.print(f"  {var.key}: [yellow][encrypted][/yellow]")
+        else:
+            console.print(f"  {var.key}: {var.value}")
+
+
+def demo_validation(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate variable validation."""
+    demo_header("3. Validation")
+
+    app = "demo-validation"
+
+    console.print("[bold]Setting validated variables...[/bold]")
+
+    # Valid port
+    try:
+        env_mgr.set_variable(app, "PORT", "3000", var_type="port")
+        console.print("  ✓ PORT=3000 (valid port)")
+    except ValueError as e:
+        console.print(f"  ✗ PORT: {e}")
+
+    # Valid URL
+    try:
+        env_mgr.set_variable(app, "API_URL", "https://api.example.com", var_type="url")
+        console.print("  ✓ API_URL=https://api.example.com (valid URL)")
+    except ValueError as e:
+        console.print(f"  ✗ API_URL: {e}")
+
+    # Valid boolean
+    try:
+        env_mgr.set_variable(app, "DEBUG", "true", var_type="boolean")
+        console.print("  ✓ DEBUG=true (valid boolean)")
+    except ValueError as e:
+        console.print(f"  ✗ DEBUG: {e}")
+
+    console.print()
+    console.print("[bold]Testing invalid values...[/bold]")
+
+    # Invalid port
+    try:
+        env_mgr.set_variable(app, "BAD_PORT", "99999", var_type="port")
+        console.print("  ✓ BAD_PORT accepted")
+    except ValueError as e:
+        console.print(f"  ✗ BAD_PORT=99999: [red]{e}[/red]")
+
+    # Invalid URL
+    try:
+        env_mgr.set_variable(app, "BAD_URL", "not-a-url", var_type="url")
+        console.print("  ✓ BAD_URL accepted")
+    except ValueError as e:
+        console.print(f"  ✗ BAD_URL=not-a-url: [red]{e}[/red]")
+
+    # Invalid boolean
+    try:
+        env_mgr.set_variable(app, "BAD_BOOL", "maybe", var_type="boolean")
+        console.print("  ✓ BAD_BOOL accepted")
+    except ValueError as e:
+        console.print(f"  ✗ BAD_BOOL=maybe: [red]{e}[/red]")
+
+
+def demo_templates(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate template functionality."""
+    demo_header("4. Templates")
+
+    # List available templates
+    console.print("[bold]Available templates:[/bold]")
+    templates = env_mgr.list_templates()
+
+    for template in sorted(templates, key=lambda t: t.name):
+        console.print(f"  • [green]{template.name}[/green]: {template.description}")
+
+    console.print()
+
+    # Show template details
+    console.print("[bold]Django template details:[/bold]")
+    django = env_mgr.get_template("django")
+    if django:
+        for var in django.variables:
+            req = "[red]*[/red]" if var.required else " "
+            default = f" = {var.default}" if var.default else ""
+            console.print(f"  {req} {var.name} ({var.var_type}){default}")
+
+    console.print()
+
+    # Apply a template
+    console.print("[bold]Applying Node.js template to 'my-node-app'...[/bold]")
+    result = env_mgr.apply_template(
+        "nodejs",
+        "my-node-app",
+        values={
+            "NODE_ENV": "production",
+            "PORT": "8080",
+        },
+    )
+
+    if result.valid:
+        console.print("  ✓ Template applied successfully")
+        console.print()
+        console.print("  [bold]Variables set:[/bold]")
+        for var in env_mgr.list_variables("my-node-app"):
+            console.print(f"    {var.key} = {var.value}")
+    else:
+        console.print("  ✗ Template failed:")
+        for error in result.errors:
+            console.print(f"    - {error}")
+
+
+def demo_export_import(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate export and import functionality."""
+    demo_header("5. Export & Import")
+
+    app = "export-demo"
+
+    # Set up some variables
+    env_mgr.set_variable(app, "DATABASE_URL", "postgres://localhost/db")
+    env_mgr.set_variable(app, "CACHE_URL", "redis://localhost:6379")
+    env_mgr.set_variable(app, "SECRET", "my-secret", encrypt=True)
+
+    console.print("[bold]Exporting to .env format...[/bold]")
+
+    # Export without encrypted
+    content = env_mgr.export_env(app, include_encrypted=False)
+    console.print()
+    console.print("[dim]--- .env content (without secrets) ---[/dim]")
+    console.print(content)
+    console.print("[dim]--- end ---[/dim]")
+
+    console.print()
+
+    # Export with encrypted
+    content_with_secrets = env_mgr.export_env(app, include_encrypted=True)
+    console.print("[bold]Exporting with decrypted secrets...[/bold]")
+    console.print()
+    console.print("[dim]--- .env content (with secrets) ---[/dim]")
+    console.print(content_with_secrets)
+    console.print("[dim]--- end ---[/dim]")
+
+    console.print()
+
+    # Import demonstration
+    console.print("[bold]Importing from .env format...[/bold]")
+
+    import_content = """
+# Production configuration
+NODE_ENV=production
+PORT=3000
+DEBUG=false
+API_ENDPOINT=https://api.example.com
+"""
+
+    count, errors = env_mgr.import_env("import-demo", import_content)
+    console.print(f"  ✓ Imported {count} variables")
+
+    if errors:
+        console.print("  Warnings:")
+        for error in errors:
+            console.print(f"    - {error}")
+
+    console.print()
+    console.print("  Imported variables:")
+    for var in env_mgr.list_variables("import-demo"):
+        console.print(f"    {var.key} = {var.value}")
+
+
+def demo_app_isolation(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate application isolation."""
+    demo_header("6. Application Isolation")
+
+    console.print("[bold]Setting same key in different apps...[/bold]")
+
+    env_mgr.set_variable("app-1", "DATABASE_URL", "postgres://db1.example.com/app1")
+    env_mgr.set_variable("app-2", "DATABASE_URL", "postgres://db2.example.com/app2")
+    env_mgr.set_variable("app-3", "DATABASE_URL", "mysql://db3.example.com/app3")
+
+    console.print()
+    console.print("[bold]Values are isolated per app:[/bold]")
+
+    for app in ["app-1", "app-2", "app-3"]:
+        value = env_mgr.get_variable(app, "DATABASE_URL")
+        console.print(f"  {app}: {value}")
+
+    console.print()
+    console.print("[bold]Listing all apps with environments:[/bold]")
+    apps = env_mgr.list_apps()
+    for app in apps:
+        var_count = len(env_mgr.list_variables(app))
+        console.print(f"  • {app} ({var_count} variables)")
+
+
+def demo_load_to_environ(env_mgr: EnvironmentManager) -> None:
+    """Demonstrate loading variables into os.environ."""
+    demo_header("7. Loading into os.environ")
+
+    app = "environ-demo"
+
+    # Clean up any existing test vars
+    test_keys = ["DEMO_VAR_1", "DEMO_VAR_2", "DEMO_SECRET"]
+    for key in test_keys:
+        if key in os.environ:
+            del os.environ[key]
+
+    # Set some variables
+    env_mgr.set_variable(app, "DEMO_VAR_1", "value1")
+    env_mgr.set_variable(app, "DEMO_VAR_2", "value2")
+    env_mgr.set_variable(app, "DEMO_SECRET", "secret-value", encrypt=True)
+
+    console.print("[bold]Before loading:[/bold]")
+    for key in test_keys:
+        console.print(f"  os.environ.get('{key}'): {os.environ.get(key)}")
+
+    console.print()
+    console.print("[bold]Loading environment...[/bold]")
+    count = env_mgr.load_to_environ(app)
+    console.print(f"  ✓ Loaded {count} variables into os.environ")
+
+    console.print()
+    console.print("[bold]After loading:[/bold]")
+    for key in test_keys:
+        value = os.environ.get(key)
+        console.print(f"  os.environ.get('{key}'): {value}")
+
+    # Clean up
+    for key in test_keys:
+        if key in os.environ:
+            del os.environ[key]
+
+
+def main() -> None:
+    """Run all demos."""
+    console.print()
+    console.print(
+        Panel(
+            "[bold magenta]Cortex Environment Variable Manager Demo[/bold magenta]\n\n"
+            "This demo showcases the environment management features.",
+            expand=False,
+        )
+    )
+
+    # Use a temporary directory for the demo
+    with tempfile.TemporaryDirectory() as tmpdir:
+        tmppath = Path(tmpdir)
+
+        # Create environment manager with temporary storage
+        storage = EnvironmentStorage(base_path=tmppath / "environments")
+        encryption = EncryptionManager(key_path=tmppath / ".env_key")
+        env_mgr = EnvironmentManager(storage=storage, encryption=encryption)
+
+        console.print()
+        console.print(f"[dim]Using temporary storage: {tmpdir}[/dim]")
+
+        # Run demos
+        demo_basic_operations(env_mgr)
+        demo_encryption(env_mgr)
+        demo_validation(env_mgr)
+        demo_templates(env_mgr)
+        demo_export_import(env_mgr)
+        demo_app_isolation(env_mgr)
+        demo_load_to_environ(env_mgr)
+
+        # Summary
+        demo_header("Demo Complete!")
+
+        console.print("[bold]To use in your own projects:[/bold]")
+        console.print()
+        console.print("  # CLI usage")
+        console.print("  [green]cortex env set myapp DATABASE_URL postgres://localhost/db[/green]")
+        console.print("  [green]cortex env set myapp API_KEY secret123 --encrypt[/green]")
+        console.print("  [green]cortex env list myapp[/green]")
+        console.print()
+        console.print("  # Python usage")
+        console.print("  [cyan]from cortex.env_manager import get_env_manager[/cyan]")
+        console.print("  [cyan]env_mgr = get_env_manager()[/cyan]")
+        console.print("  [cyan]env_mgr.set_variable('myapp', 'KEY', 'value')[/cyan]")
+        console.print()
+        console.print("See [bold]docs/ENV_MANAGEMENT.md[/bold] for full documentation.")
+        console.print()
+
+
+if __name__ == "__main__":
+    main()
diff --git a/requirements.txt b/requirements.txt
index 724ed2b3..ad5338f3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,6 +11,9 @@ PyYAML>=6.0.0
 # Environment variable loading from .env files
 python-dotenv>=1.0.0
 
+# Encryption for environment variable secrets
+cryptography>=41.0.0
+
 # Terminal UI
 rich>=13.0.0
 
diff --git a/tests/test_env_manager.py b/tests/test_env_manager.py
new file mode 100644
index 00000000..b31a6d08
--- /dev/null
+++ b/tests/test_env_manager.py
@@ -0,0 +1,1025 @@
+"""
+Comprehensive unit tests for cortex/env_manager.py - Environment Variable Manager
+
+Tests cover:
+- Environment variable storage and retrieval
+- Per-application isolation
+- Encryption and decryption of secrets
+- Environment templates and validation
+- Import/export functionality
+- Edge cases and error handling
+
+Target: >80% code coverage
+"""
+
+import json
+import os
+import stat
+import tempfile
+from pathlib import Path
+from unittest.mock import MagicMock, patch, mock_open
+
+import pytest
+
+from cortex.env_manager import (
+    EnvironmentManager,
+    EnvironmentStorage,
+    EnvironmentVariable,
+    EnvironmentValidator,
+    EncryptionManager,
+    EnvironmentTemplate,
+    TemplateVariable,
+    ValidationResult,
+    VariableType,
+    BUILTIN_TEMPLATES,
+    get_env_manager,
+)
+
+
+# =============================================================================
+# Fixtures
+# =============================================================================
+
+
+@pytest.fixture
+def temp_dir():
+    """Create a temporary directory for tests."""
+    with tempfile.TemporaryDirectory() as tmpdir:
+        yield Path(tmpdir)
+
+
+@pytest.fixture
+def storage(temp_dir):
+    """Create a storage instance with temporary directory."""
+    return EnvironmentStorage(base_path=temp_dir / "environments")
+
+
+@pytest.fixture
+def encryption_manager(temp_dir):
+    """Create an encryption manager with temporary key path."""
+    return EncryptionManager(key_path=temp_dir / ".env_key")
+
+
+@pytest.fixture
+def env_manager(temp_dir):
+    """Create a full environment manager with temporary paths."""
+    storage = EnvironmentStorage(base_path=temp_dir / "environments")
+    encryption = EncryptionManager(key_path=temp_dir / ".env_key")
+    return EnvironmentManager(storage=storage, encryption=encryption)
+
+
+# =============================================================================
+# EnvironmentVariable Tests
+# =============================================================================
+
+
+class TestEnvironmentVariable:
+    """Tests for EnvironmentVariable dataclass."""
+
+    def test_create_basic_variable(self):
+        """Test creating a basic environment variable."""
+        var = EnvironmentVariable(key="DATABASE_URL", value="postgres://localhost/db")
+        assert var.key == "DATABASE_URL"
+        assert var.value == "postgres://localhost/db"
+        assert var.encrypted is False
+        assert var.description == ""
+        assert var.var_type == "string"
+
+    def test_create_encrypted_variable(self):
+        """Test creating an encrypted variable."""
+        var = EnvironmentVariable(
+            key="API_KEY",
+            value="encrypted_value_here",
+            encrypted=True,
+            description="API key for external service",
+            var_type="string",
+        )
+        assert var.encrypted is True
+        assert var.description == "API key for external service"
+
+    def test_to_dict(self):
+        """Test serialization to dictionary."""
+        var = EnvironmentVariable(
+            key="PORT",
+            value="3000",
+            encrypted=False,
+            description="Server port",
+            var_type="port",
+        )
+        data = var.to_dict()
+
+        assert data["key"] == "PORT"
+        assert data["value"] == "3000"
+        assert data["encrypted"] is False
+        assert data["description"] == "Server port"
+        assert data["var_type"] == "port"
+
+    def test_from_dict(self):
+        """Test deserialization from dictionary."""
+        data = {
+            "key": "NODE_ENV",
+            "value": "production",
+            "encrypted": False,
+            "description": "Node environment",
+            "var_type": "string",
+        }
+        var = EnvironmentVariable.from_dict(data)
+
+        assert var.key == "NODE_ENV"
+        assert var.value == "production"
+        assert var.encrypted is False
+
+    def test_from_dict_minimal(self):
+        """Test deserialization with minimal data (defaults)."""
+        data = {"key": "SIMPLE", "value": "test"}
+        var = EnvironmentVariable.from_dict(data)
+
+        assert var.key == "SIMPLE"
+        assert var.encrypted is False
+        assert var.description == ""
+        assert var.var_type == "string"
+
+
+# =============================================================================
+# EnvironmentValidator Tests
+# =============================================================================
+
+
+class TestEnvironmentValidator:
+    """Tests for environment variable validation."""
+
+    def test_validate_string_always_valid(self):
+        """String type should accept any value."""
+        is_valid, error = EnvironmentValidator.validate("anything", "string")
+        assert is_valid is True
+        assert error is None
+
+    def test_validate_valid_url(self):
+        """Test valid URL validation."""
+        valid_urls = [
+            "http://localhost",
+            "https://example.com",
+            "postgres://user:pass@localhost:5432/db",
+            "redis://localhost:6379",
+            "ftp://files.example.com/path",
+        ]
+        for url in valid_urls:
+            is_valid, error = EnvironmentValidator.validate(url, "url")
+            assert is_valid is True, f"URL should be valid: {url}"
+
+    def test_validate_invalid_url(self):
+        """Test invalid URL validation."""
+        invalid_urls = [
+            "not-a-url",
+            "localhost:3000",
+            "//missing-scheme.com",
+        ]
+        for url in invalid_urls:
+            is_valid, error = EnvironmentValidator.validate(url, "url")
+            assert is_valid is False, f"URL should be invalid: {url}"
+            assert "Invalid URL" in error
+
+    def test_validate_valid_port(self):
+        """Test valid port numbers."""
+        valid_ports = ["1", "80", "443", "3000", "8080", "65535"]
+        for port in valid_ports:
+            is_valid, error = EnvironmentValidator.validate(port, "port")
+            assert is_valid is True, f"Port should be valid: {port}"
+
+    def test_validate_invalid_port(self):
+        """Test invalid port numbers."""
+        invalid_ports = ["0", "-1", "65536", "abc", "3000.5"]
+        for port in invalid_ports:
+            is_valid, error = EnvironmentValidator.validate(port, "port")
+            assert is_valid is False, f"Port should be invalid: {port}"
+            assert "Invalid port" in error
+
+    def test_validate_valid_boolean(self):
+        """Test valid boolean values."""
+        valid_booleans = ["true", "false", "True", "FALSE", "1", "0", "yes", "no", "on", "off"]
+        for val in valid_booleans:
+            is_valid, error = EnvironmentValidator.validate(val, "boolean")
+            assert is_valid is True, f"Boolean should be valid: {val}"
+
+    def test_validate_invalid_boolean(self):
+        """Test invalid boolean values."""
+        is_valid, error = EnvironmentValidator.validate("maybe", "boolean")
+        assert is_valid is False
+        assert "Invalid boolean" in error
+
+    def test_validate_valid_integer(self):
+        """Test valid integer values."""
+        valid_integers = ["0", "1", "-5", "12345", "999999999"]
+        for val in valid_integers:
+            is_valid, error = EnvironmentValidator.validate(val, "integer")
+            assert is_valid is True, f"Integer should be valid: {val}"
+
+    def test_validate_invalid_integer(self):
+        """Test invalid integer values."""
+        is_valid, error = EnvironmentValidator.validate("3.14", "integer")
+        assert is_valid is False
+        assert "Invalid integer" in error
+
+    def test_validate_path(self):
+        """Test path validation."""
+        is_valid, error = EnvironmentValidator.validate("/usr/local/bin", "path")
+        assert is_valid is True
+
+        is_valid, error = EnvironmentValidator.validate("", "path")
+        assert is_valid is False
+        assert "cannot be empty" in error
+
+    def test_validate_unknown_type(self):
+        """Unknown types should be treated as strings (always valid)."""
+        is_valid, error = EnvironmentValidator.validate("anything", "unknown_type")
+        assert is_valid is True
+
+    def test_validate_custom_pattern(self):
+        """Test custom regex pattern validation."""
+        # Valid pattern match
+        is_valid, error = EnvironmentValidator.validate(
+            "ABC123", "string", custom_pattern=r"^[A-Z0-9]+$"
+        )
+        assert is_valid is True
+
+        # Invalid pattern match
+        is_valid, error = EnvironmentValidator.validate(
+            "abc", "string", custom_pattern=r"^[A-Z]+$"
+        )
+        assert is_valid is False
+        assert "does not match pattern" in error
+
+    def test_validate_invalid_custom_pattern(self):
+        """Test handling of invalid regex patterns."""
+        is_valid, error = EnvironmentValidator.validate(
+            "test", "string", custom_pattern=r"[invalid"
+        )
+        assert is_valid is False
+        assert "Invalid validation pattern" in error
+
+
+# =============================================================================
+# EncryptionManager Tests
+# =============================================================================
+
+
+class TestEncryptionManager:
+    """Tests for encryption functionality."""
+
+    def test_create_encryption_manager(self, temp_dir):
+        """Test creating an encryption manager."""
+        key_path = temp_dir / ".env_key"
+        manager = EncryptionManager(key_path=key_path)
+        assert manager.key_path == key_path
+
+    def test_encrypt_and_decrypt(self, encryption_manager):
+        """Test encrypting and decrypting a value."""
+        original = "my-secret-value"
+        encrypted = encryption_manager.encrypt(original)
+
+        # Encrypted value should be different from original
+        assert encrypted != original
+        assert len(encrypted) > len(original)  # Fernet adds overhead
+
+        # Should be able to decrypt back to original
+        decrypted = encryption_manager.decrypt(encrypted)
+        assert decrypted == original
+
+    def test_key_file_created_with_secure_permissions(self, temp_dir):
+        """Test that key file is created with chmod 600."""
+        key_path = temp_dir / ".env_key"
+        manager = EncryptionManager(key_path=key_path)
+
+        # Trigger key creation
+        manager.encrypt("test")
+
+        # Check file exists and has correct permissions
+        assert key_path.exists()
+        mode = stat.S_IMODE(key_path.stat().st_mode)
+        assert mode == 0o600, f"Expected 0600, got {oct(mode)}"
+
+    def test_key_persistence(self, temp_dir):
+        """Test that encryption key persists across instances."""
+        key_path = temp_dir / ".env_key"
+
+        # First manager creates key and encrypts
+        manager1 = EncryptionManager(key_path=key_path)
+        encrypted = manager1.encrypt("persistent-secret")
+
+        # Second manager should use same key
+        manager2 = EncryptionManager(key_path=key_path)
+        decrypted = manager2.decrypt(encrypted)
+
+        assert decrypted == "persistent-secret"
+
+    def test_is_key_available(self, encryption_manager):
+        """Test key availability check."""
+        assert encryption_manager.is_key_available() is True
+
+    def test_encrypt_empty_string(self, encryption_manager):
+        """Test encrypting an empty string."""
+        encrypted = encryption_manager.encrypt("")
+        decrypted = encryption_manager.decrypt(encrypted)
+        assert decrypted == ""
+
+    def test_encrypt_unicode(self, encryption_manager):
+        """Test encrypting unicode characters."""
+        original = "héllo wörld 🔐 密码"
+        encrypted = encryption_manager.encrypt(original)
+        decrypted = encryption_manager.decrypt(encrypted)
+        assert decrypted == original
+
+
+# =============================================================================
+# EnvironmentStorage Tests
+# =============================================================================
+
+
+class TestEnvironmentStorage:
+    """Tests for environment storage functionality."""
+
+    def test_create_storage(self, temp_dir):
+        """Test creating storage creates directories."""
+        base_path = temp_dir / "environments"
+        storage = EnvironmentStorage(base_path=base_path)
+        assert base_path.exists()
+
+    def test_save_and_load(self, storage):
+        """Test saving and loading variables."""
+        variables = {
+            "DB_URL": EnvironmentVariable(key="DB_URL", value="postgres://localhost/db"),
+            "PORT": EnvironmentVariable(key="PORT", value="3000", var_type="port"),
+        }
+
+        storage.save("myapp", variables)
+        loaded = storage.load("myapp")
+
+        assert len(loaded) == 2
+        assert loaded["DB_URL"].value == "postgres://localhost/db"
+        assert loaded["PORT"].var_type == "port"
+
+    def test_load_nonexistent_app(self, storage):
+        """Test loading non-existent app returns empty dict."""
+        result = storage.load("nonexistent")
+        assert result == {}
+
+    def test_app_isolation(self, storage):
+        """Test that apps are isolated from each other."""
+        storage.save("app1", {"KEY": EnvironmentVariable(key="KEY", value="value1")})
+        storage.save("app2", {"KEY": EnvironmentVariable(key="KEY", value="value2")})
+
+        app1_vars = storage.load("app1")
+        app2_vars = storage.load("app2")
+
+        assert app1_vars["KEY"].value == "value1"
+        assert app2_vars["KEY"].value == "value2"
+
+    def test_delete_app(self, storage):
+        """Test deleting an application's data."""
+        storage.save("to_delete", {"KEY": EnvironmentVariable(key="KEY", value="val")})
+
+        assert storage.delete_app("to_delete") is True
+        assert storage.load("to_delete") == {}
+
+    def test_delete_nonexistent_app(self, storage):
+        """Test deleting non-existent app returns False."""
+        assert storage.delete_app("nonexistent") is False
+
+    def test_list_apps(self, storage):
+        """Test listing all apps with stored environments."""
+        storage.save("app1", {"K": EnvironmentVariable(key="K", value="v")})
+        storage.save("app2", {"K": EnvironmentVariable(key="K", value="v")})
+        storage.save("app3", {"K": EnvironmentVariable(key="K", value="v")})
+
+        apps = storage.list_apps()
+        assert set(apps) == {"app1", "app2", "app3"}
+
+    def test_list_apps_empty(self, storage):
+        """Test listing apps when none exist."""
+        apps = storage.list_apps()
+        assert apps == []
+
+    def test_safe_app_name(self, storage):
+        """Test that app names are sanitized for filesystem."""
+        # Names with special characters should be sanitized
+        storage.save("my/app:name", {"K": EnvironmentVariable(key="K", value="v")})
+
+        apps = storage.list_apps()
+        assert len(apps) == 1
+        # The app should be accessible
+        loaded = storage.load("my/app:name")
+        assert "K" in loaded
+
+    def test_atomic_write(self, storage, temp_dir):
+        """Test that writes are atomic (no partial files on failure)."""
+        # First, write some valid data
+        storage.save("test_app", {"KEY": EnvironmentVariable(key="KEY", value="original")})
+
+        # Verify original data exists
+        loaded = storage.load("test_app")
+        assert loaded["KEY"].value == "original"
+
+
+# =============================================================================
+# EnvironmentManager Tests
+# =============================================================================
+
+
+class TestEnvironmentManager:
+    """Tests for the main EnvironmentManager class."""
+
+    def test_set_and_get_variable(self, env_manager):
+        """Test setting and getting a variable."""
+        env_manager.set_variable("myapp", "DATABASE_URL", "postgres://localhost/db")
+
+        value = env_manager.get_variable("myapp", "DATABASE_URL")
+        assert value == "postgres://localhost/db"
+
+    def test_set_encrypted_variable(self, env_manager):
+        """Test setting an encrypted variable."""
+        env_manager.set_variable("myapp", "API_KEY", "secret123", encrypt=True)
+
+        # Get with decryption
+        value = env_manager.get_variable("myapp", "API_KEY", decrypt=True)
+        assert value == "secret123"
+
+        # Get without decryption should return encrypted blob
+        var_info = env_manager.get_variable_info("myapp", "API_KEY")
+        assert var_info.encrypted is True
+        assert var_info.value != "secret123"
+
+    def test_get_nonexistent_variable(self, env_manager):
+        """Test getting a non-existent variable returns None."""
+        value = env_manager.get_variable("myapp", "NONEXISTENT")
+        assert value is None
+
+    def test_list_variables(self, env_manager):
+        """Test listing all variables for an app."""
+        env_manager.set_variable("myapp", "VAR1", "value1")
+        env_manager.set_variable("myapp", "VAR2", "value2")
+        env_manager.set_variable("myapp", "VAR3", "value3")
+
+        variables = env_manager.list_variables("myapp")
+        assert len(variables) == 3
+
+        keys = {v.key for v in variables}
+        assert keys == {"VAR1", "VAR2", "VAR3"}
+
+    def test_delete_variable(self, env_manager):
+        """Test deleting a variable."""
+        env_manager.set_variable("myapp", "TO_DELETE", "value")
+
+        assert env_manager.delete_variable("myapp", "TO_DELETE") is True
+        assert env_manager.get_variable("myapp", "TO_DELETE") is None
+
+    def test_delete_nonexistent_variable(self, env_manager):
+        """Test deleting non-existent variable returns False."""
+        result = env_manager.delete_variable("myapp", "NONEXISTENT")
+        assert result is False
+
+    def test_clear_app(self, env_manager):
+        """Test clearing all variables for an app."""
+        env_manager.set_variable("myapp", "VAR1", "value1")
+        env_manager.set_variable("myapp", "VAR2", "value2")
+
+        assert env_manager.clear_app("myapp") is True
+        assert env_manager.list_variables("myapp") == []
+
+    def test_list_apps(self, env_manager):
+        """Test listing all apps."""
+        env_manager.set_variable("app1", "K", "v")
+        env_manager.set_variable("app2", "K", "v")
+
+        apps = env_manager.list_apps()
+        assert set(apps) == {"app1", "app2"}
+
+    def test_set_variable_with_type_validation(self, env_manager):
+        """Test that variable values are validated against type."""
+        # Valid port
+        env_manager.set_variable("myapp", "PORT", "3000", var_type="port")
+        assert env_manager.get_variable("myapp", "PORT") == "3000"
+
+        # Invalid port should raise
+        with pytest.raises(ValueError) as exc_info:
+            env_manager.set_variable("myapp", "BAD_PORT", "99999", var_type="port")
+        assert "Invalid port" in str(exc_info.value)
+
+    def test_export_env(self, env_manager):
+        """Test exporting to .env format."""
+        env_manager.set_variable("myapp", "DATABASE_URL", "postgres://localhost/db")
+        env_manager.set_variable("myapp", "PORT", "3000")
+
+        content = env_manager.export_env("myapp")
+
+        assert "DATABASE_URL=" in content
+        assert "PORT=3000" in content
+
+    def test_export_env_with_encrypted(self, env_manager):
+        """Test exporting with encrypted variables."""
+        env_manager.set_variable("myapp", "PUBLIC_KEY", "public_value")
+        env_manager.set_variable("myapp", "SECRET_KEY", "secret_value", encrypt=True)
+
+        # Without include_encrypted
+        content = env_manager.export_env("myapp", include_encrypted=False)
+        assert "PUBLIC_KEY=public_value" in content
+        assert "secret_value" not in content
+        assert "[encrypted" in content.lower()
+
+        # With include_encrypted
+        content_with = env_manager.export_env("myapp", include_encrypted=True)
+        assert "SECRET_KEY=" in content_with
+        assert "secret_value" in content_with
+
+    def test_import_env(self, env_manager):
+        """Test importing from .env format."""
+        content = """
+# Database configuration
+DATABASE_URL=postgres://localhost/db
+PORT=3000
+NODE_ENV=production
+"""
+        count, errors = env_manager.import_env("myapp", content)
+
+        assert count == 3
+        assert errors == []
+        assert env_manager.get_variable("myapp", "DATABASE_URL") == "postgres://localhost/db"
+        assert env_manager.get_variable("myapp", "PORT") == "3000"
+        assert env_manager.get_variable("myapp", "NODE_ENV") == "production"
+
+    def test_import_env_with_quotes(self, env_manager):
+        """Test importing values with quotes."""
+        content = '''
+DOUBLE_QUOTED="hello world"
+SINGLE_QUOTED='another value'
+NO_QUOTES=simple
+'''
+        count, errors = env_manager.import_env("myapp", content)
+
+        assert count == 3
+        assert env_manager.get_variable("myapp", "DOUBLE_QUOTED") == "hello world"
+        assert env_manager.get_variable("myapp", "SINGLE_QUOTED") == "another value"
+        assert env_manager.get_variable("myapp", "NO_QUOTES") == "simple"
+
+    def test_import_env_with_encryption(self, env_manager):
+        """Test importing with selective encryption."""
+        content = """
+PUBLIC_VAR=public_value
+SECRET_VAR=secret_value
+"""
+        count, errors = env_manager.import_env(
+            "myapp", content, encrypt_keys=["SECRET_VAR"]
+        )
+
+        assert count == 2
+
+        # PUBLIC_VAR should not be encrypted
+        public_info = env_manager.get_variable_info("myapp", "PUBLIC_VAR")
+        assert public_info.encrypted is False
+
+        # SECRET_VAR should be encrypted
+        secret_info = env_manager.get_variable_info("myapp", "SECRET_VAR")
+        assert secret_info.encrypted is True
+        assert env_manager.get_variable("myapp", "SECRET_VAR", decrypt=True) == "secret_value"
+
+    def test_import_env_invalid_lines(self, env_manager):
+        """Test importing with invalid lines."""
+        content = """
+VALID=value
+invalid line without equals
+ALSO_VALID=another
+"""
+        count, errors = env_manager.import_env("myapp", content)
+
+        assert count == 2
+        assert len(errors) == 1
+        assert "Line 3" in errors[0]
+
+    def test_load_to_environ(self, env_manager):
+        """Test loading variables into os.environ."""
+        env_manager.set_variable("myapp", "TEST_VAR_1", "value1")
+        env_manager.set_variable("myapp", "TEST_VAR_2", "value2")
+        env_manager.set_variable("myapp", "TEST_VAR_SECRET", "secret", encrypt=True)
+
+        # Clean up any existing test vars
+        for key in ["TEST_VAR_1", "TEST_VAR_2", "TEST_VAR_SECRET"]:
+            if key in os.environ:
+                del os.environ[key]
+
+        count = env_manager.load_to_environ("myapp")
+
+        assert count == 3
+        assert os.environ.get("TEST_VAR_1") == "value1"
+        assert os.environ.get("TEST_VAR_2") == "value2"
+        assert os.environ.get("TEST_VAR_SECRET") == "secret"  # Decrypted
+
+        # Clean up
+        for key in ["TEST_VAR_1", "TEST_VAR_2", "TEST_VAR_SECRET"]:
+            if key in os.environ:
+                del os.environ[key]
+
+
+# =============================================================================
+# Template Tests
+# =============================================================================
+
+
+class TestEnvironmentTemplates:
+    """Tests for environment templates."""
+
+    def test_builtin_templates_exist(self):
+        """Test that built-in templates are defined."""
+        assert "nodejs" in BUILTIN_TEMPLATES
+        assert "python" in BUILTIN_TEMPLATES
+        assert "django" in BUILTIN_TEMPLATES
+        assert "flask" in BUILTIN_TEMPLATES
+        assert "docker" in BUILTIN_TEMPLATES
+        assert "database" in BUILTIN_TEMPLATES
+        assert "aws" in BUILTIN_TEMPLATES
+
+    def test_list_templates(self, env_manager):
+        """Test listing available templates."""
+        templates = env_manager.list_templates()
+
+        assert len(templates) >= 7  # At least the built-in ones
+        names = {t.name for t in templates}
+        assert "nodejs" in names
+        assert "python" in names
+
+    def test_get_template(self, env_manager):
+        """Test getting a template by name."""
+        template = env_manager.get_template("nodejs")
+
+        assert template is not None
+        assert template.name == "nodejs"
+        assert "Node" in template.description
+
+        # Should have expected variables
+        var_names = {v.name for v in template.variables}
+        assert "NODE_ENV" in var_names
+        assert "PORT" in var_names
+
+    def test_get_nonexistent_template(self, env_manager):
+        """Test getting a non-existent template returns None."""
+        result = env_manager.get_template("nonexistent")
+        assert result is None
+
+    def test_apply_template_with_defaults(self, env_manager):
+        """Test applying a template using default values."""
+        result = env_manager.apply_template("nodejs", "myapp")
+
+        assert result.valid is True
+        assert result.errors == []
+
+        # Check defaults were applied
+        assert env_manager.get_variable("myapp", "NODE_ENV") == "development"
+        assert env_manager.get_variable("myapp", "PORT") == "3000"
+
+    def test_apply_template_with_custom_values(self, env_manager):
+        """Test applying a template with custom values."""
+        result = env_manager.apply_template(
+            "nodejs",
+            "myapp",
+            values={
+                "NODE_ENV": "production",
+                "PORT": "8080",
+            },
+        )
+
+        assert result.valid is True
+        assert env_manager.get_variable("myapp", "NODE_ENV") == "production"
+        assert env_manager.get_variable("myapp", "PORT") == "8080"
+
+    def test_apply_template_missing_required(self, env_manager):
+        """Test applying a template with missing required variables."""
+        result = env_manager.apply_template(
+            "django",
+            "myapp",
+            values={},  # Missing DJANGO_SETTINGS_MODULE and SECRET_KEY
+        )
+
+        assert result.valid is False
+        assert any("DJANGO_SETTINGS_MODULE" in e for e in result.errors)
+        assert any("SECRET_KEY" in e for e in result.errors)
+
+    def test_apply_template_invalid_value(self, env_manager):
+        """Test applying a template with invalid values."""
+        result = env_manager.apply_template(
+            "nodejs",
+            "myapp",
+            values={
+                "PORT": "not-a-port",
+            },
+        )
+
+        assert result.valid is False
+        assert any("PORT" in e for e in result.errors)
+
+    def test_apply_template_with_encryption(self, env_manager):
+        """Test applying a template with some values encrypted."""
+        result = env_manager.apply_template(
+            "django",
+            "myapp",
+            values={
+                "DJANGO_SETTINGS_MODULE": "myapp.settings",
+                "SECRET_KEY": "my-secret-key",
+            },
+            encrypt_keys=["SECRET_KEY"],
+        )
+
+        assert result.valid is True
+
+        # SECRET_KEY should be encrypted
+        var_info = env_manager.get_variable_info("myapp", "SECRET_KEY")
+        assert var_info.encrypted is True
+
+    def test_apply_nonexistent_template(self, env_manager):
+        """Test applying a non-existent template."""
+        result = env_manager.apply_template("nonexistent", "myapp")
+
+        assert result.valid is False
+        assert any("not found" in e for e in result.errors)
+
+    def test_validate_app_valid(self, env_manager):
+        """Test validating an app with valid variables."""
+        env_manager.set_variable("myapp", "PORT", "3000", var_type="port")
+        env_manager.set_variable("myapp", "DEBUG", "true", var_type="boolean")
+
+        result = env_manager.validate_app("myapp")
+
+        assert result.valid is True
+        assert result.errors == []
+
+    def test_validate_app_against_template(self, env_manager):
+        """Test validating an app against a template."""
+        # Set some variables but miss required ones
+        env_manager.set_variable("myapp", "NODE_ENV", "production")
+
+        result = env_manager.validate_app("myapp", template_name="django")
+
+        assert result.valid is False
+        assert any("DJANGO_SETTINGS_MODULE" in e for e in result.errors)
+
+
+# =============================================================================
+# Template Dataclass Tests
+# =============================================================================
+
+
+class TestTemplateDataclasses:
+    """Tests for template-related dataclasses."""
+
+    def test_template_variable_creation(self):
+        """Test creating a TemplateVariable."""
+        var = TemplateVariable(
+            name="DATABASE_URL",
+            required=True,
+            default=None,
+            var_type="url",
+            description="Database connection URL",
+        )
+
+        assert var.name == "DATABASE_URL"
+        assert var.required is True
+        assert var.default is None
+        assert var.var_type == "url"
+
+    def test_template_to_dict(self):
+        """Test converting template to dictionary."""
+        template = EnvironmentTemplate(
+            name="test",
+            description="Test template",
+            variables=[
+                TemplateVariable(name="VAR1", required=True),
+                TemplateVariable(name="VAR2", required=False, default="default"),
+            ],
+        )
+
+        data = template.to_dict()
+
+        assert data["name"] == "test"
+        assert data["description"] == "Test template"
+        assert len(data["variables"]) == 2
+
+    def test_template_from_dict(self):
+        """Test creating template from dictionary."""
+        data = {
+            "name": "custom",
+            "description": "Custom template",
+            "variables": [
+                {"name": "CUSTOM_VAR", "required": True, "var_type": "string"},
+            ],
+        }
+
+        template = EnvironmentTemplate.from_dict(data)
+
+        assert template.name == "custom"
+        assert len(template.variables) == 1
+        assert template.variables[0].name == "CUSTOM_VAR"
+
+
+# =============================================================================
+# ValidationResult Tests
+# =============================================================================
+
+
+class TestValidationResult:
+    """Tests for ValidationResult dataclass."""
+
+    def test_valid_result(self):
+        """Test creating a valid result."""
+        result = ValidationResult(valid=True)
+        assert result.valid is True
+        assert result.errors == []
+        assert result.warnings == []
+
+    def test_invalid_result_with_errors(self):
+        """Test creating an invalid result with errors."""
+        result = ValidationResult(
+            valid=False,
+            errors=["Error 1", "Error 2"],
+            warnings=["Warning 1"],
+        )
+        assert result.valid is False
+        assert len(result.errors) == 2
+        assert len(result.warnings) == 1
+
+
+# =============================================================================
+# get_env_manager Tests
+# =============================================================================
+
+
+class TestGetEnvManager:
+    """Tests for the get_env_manager factory function."""
+
+    def test_get_env_manager_returns_instance(self):
+        """Test that get_env_manager returns an EnvironmentManager instance."""
+        manager = get_env_manager()
+        assert isinstance(manager, EnvironmentManager)
+
+    def test_get_env_manager_uses_default_paths(self):
+        """Test that default manager uses expected paths."""
+        manager = get_env_manager()
+
+        # Should use ~/.cortex/environments
+        expected_base = Path.home() / ".cortex" / "environments"
+        assert manager.storage.base_path == expected_base
+
+        # Should use ~/.cortex/.env_key
+        expected_key = Path.home() / ".cortex" / ".env_key"
+        assert manager.encryption.key_path == expected_key
+
+
+# =============================================================================
+# Edge Cases and Error Handling
+# =============================================================================
+
+
+class TestEdgeCases:
+    """Tests for edge cases and error handling."""
+
+    def test_empty_app_name(self, env_manager):
+        """Test handling of empty app name."""
+        # Should still work (empty string is valid)
+        env_manager.set_variable("", "KEY", "value")
+        assert env_manager.get_variable("", "KEY") == "value"
+
+    def test_special_characters_in_value(self, env_manager):
+        """Test handling of special characters in values."""
+        special_value = "value with $pecial ch@rs & 'quotes' \"double\" and=equals"
+        env_manager.set_variable("myapp", "SPECIAL", special_value)
+
+        retrieved = env_manager.get_variable("myapp", "SPECIAL")
+        assert retrieved == special_value
+
+    def test_multiline_value(self, env_manager):
+        """Test handling of multiline values."""
+        multiline = "line1\nline2\nline3"
+        env_manager.set_variable("myapp", "MULTILINE", multiline)
+
+        retrieved = env_manager.get_variable("myapp", "MULTILINE")
+        assert retrieved == multiline
+
+    def test_unicode_in_value(self, env_manager):
+        """Test handling of unicode characters."""
+        unicode_value = "日本語 中文 한국어 🎉"
+        env_manager.set_variable("myapp", "UNICODE", unicode_value)
+
+        retrieved = env_manager.get_variable("myapp", "UNICODE")
+        assert retrieved == unicode_value
+
+    def test_very_long_value(self, env_manager):
+        """Test handling of very long values."""
+        long_value = "x" * 100000  # 100KB
+        env_manager.set_variable("myapp", "LONG", long_value)
+
+        retrieved = env_manager.get_variable("myapp", "LONG")
+        assert retrieved == long_value
+
+    def test_concurrent_writes_same_app(self, env_manager):
+        """Test that multiple writes to same app don't lose data."""
+        # Write multiple variables rapidly
+        for i in range(10):
+            env_manager.set_variable("myapp", f"VAR_{i}", f"value_{i}")
+
+        # All should be present
+        for i in range(10):
+            assert env_manager.get_variable("myapp", f"VAR_{i}") == f"value_{i}"
+
+    def test_overwrite_variable(self, env_manager):
+        """Test overwriting an existing variable."""
+        env_manager.set_variable("myapp", "KEY", "original")
+        env_manager.set_variable("myapp", "KEY", "updated")
+
+        assert env_manager.get_variable("myapp", "KEY") == "updated"
+
+    def test_overwrite_plain_with_encrypted(self, env_manager):
+        """Test overwriting a plain variable with encrypted one."""
+        env_manager.set_variable("myapp", "KEY", "plain_value", encrypt=False)
+        env_manager.set_variable("myapp", "KEY", "secret_value", encrypt=True)
+
+        var_info = env_manager.get_variable_info("myapp", "KEY")
+        assert var_info.encrypted is True
+        assert env_manager.get_variable("myapp", "KEY", decrypt=True) == "secret_value"
+
+
+# =============================================================================
+# Integration Tests
+# =============================================================================
+
+
+class TestIntegration:
+    """Integration tests combining multiple features."""
+
+    def test_full_workflow(self, env_manager):
+        """Test a complete workflow: set, list, export, import, delete."""
+        # Set some variables
+        env_manager.set_variable("myapp", "DATABASE_URL", "postgres://localhost/db")
+        env_manager.set_variable("myapp", "API_KEY", "secret123", encrypt=True)
+        env_manager.set_variable("myapp", "DEBUG", "false")
+
+        # List variables
+        variables = env_manager.list_variables("myapp")
+        assert len(variables) == 3
+
+        # Export
+        content = env_manager.export_env("myapp", include_encrypted=True)
+        assert "DATABASE_URL=" in content
+        assert "API_KEY=" in content
+        assert "secret123" in content
+
+        # Clear and reimport
+        env_manager.clear_app("myapp")
+        assert env_manager.list_variables("myapp") == []
+
+        # Import (without encryption this time)
+        count, errors = env_manager.import_env("myapp", content)
+        assert count >= 2  # At least DATABASE_URL and DEBUG
+
+        # Verify
+        assert env_manager.get_variable("myapp", "DATABASE_URL") == "postgres://localhost/db"
+
+    def test_template_then_customize(self, env_manager):
+        """Test applying a template then customizing values."""
+        # Apply template
+        result = env_manager.apply_template(
+            "nodejs",
+            "myapp",
+            values={"NODE_ENV": "development"},
+        )
+        assert result.valid is True
+
+        # Customize
+        env_manager.set_variable("myapp", "NODE_ENV", "production")
+        env_manager.set_variable("myapp", "CUSTOM_VAR", "custom_value")
+
+        # Verify
+        assert env_manager.get_variable("myapp", "NODE_ENV") == "production"
+        assert env_manager.get_variable("myapp", "CUSTOM_VAR") == "custom_value"
+        assert env_manager.get_variable("myapp", "PORT") == "3000"  # From template
+
+    def test_multiple_apps_isolation(self, env_manager):
+        """Test that multiple apps remain fully isolated."""
+        # Set same key with different values in different apps
+        env_manager.set_variable("app1", "DATABASE_URL", "postgres://host1/db1")
+        env_manager.set_variable("app2", "DATABASE_URL", "postgres://host2/db2")
+        env_manager.set_variable("app3", "DATABASE_URL", "postgres://host3/db3")
+
+        # Apply different templates
+        env_manager.apply_template("nodejs", "app1", values={"NODE_ENV": "dev"})
+        env_manager.apply_template("python", "app2")
+
+        # Verify isolation
+        assert env_manager.get_variable("app1", "DATABASE_URL") == "postgres://host1/db1"
+        assert env_manager.get_variable("app2", "DATABASE_URL") == "postgres://host2/db2"
+        assert env_manager.get_variable("app3", "DATABASE_URL") == "postgres://host3/db3"
+
+        # app1 has NODE_ENV, app2 has PYTHONUNBUFFERED, app3 has neither
+        assert env_manager.get_variable("app1", "NODE_ENV") == "dev"
+        assert env_manager.get_variable("app2", "PYTHONUNBUFFERED") == "1"
+        assert env_manager.get_variable("app3", "NODE_ENV") is None
+
+        # Clearing one app doesn't affect others
+        env_manager.clear_app("app2")
+        assert env_manager.get_variable("app1", "DATABASE_URL") == "postgres://host1/db1"
+        assert env_manager.get_variable("app3", "DATABASE_URL") == "postgres://host3/db3"

From 2d6f42cc1db9009e79ac2c6d7d8b0817786a425c Mon Sep 17 00:00:00 2001
From: Jay Surse <jay@cortex.local>
Date: Mon, 22 Dec 2025 21:38:35 +0530
Subject: [PATCH 2/6] fix: resolve ruff lint errors and PEP8 issues

---
 cortex/cli.py                                |  58 ++--
 cortex/coordinator.py                        |   4 +-
 cortex/doctor.py                             |   2 +-
 cortex/env_manager.py                        | 322 ++++++++++---------
 cortex/hardware_detection.py                 |   4 +-
 cortex/installation_history.py               |   2 +-
 cortex/installation_verifier.py              |   3 +-
 cortex/kernel_features/accelerator_limits.py |   2 +-
 cortex/kernel_features/kv_cache_manager.py   |   2 +-
 cortex/kernel_features/model_lifecycle.py    |   2 +-
 cortex/llm_router.py                         |  13 +-
 cortex/logging_system.py                     |   4 +-
 cortex/progress_indicators.py                |   2 +-
 cortex/progress_tracker.py                   |   4 +-
 cortex/transaction_history.py                |   2 +-
 docs/ENV_MANAGEMENT.md                       |   2 +-
 examples/env_demo.py                         |   3 +-
 examples/parallel_llm_demo.py                |  18 +-
 examples/progress_demo.py                    |   3 +-
 examples/standalone_demo.py                  |   2 +-
 requirements.txt                             |   2 +-
 src/intent/llm_agent.py                      |   3 -
 src/intent/planner.py                        |   2 -
 test_parallel_llm.py                         |  29 +-
 tests/test_cli.py                            |   1 -
 tests/test_coordinator.py                    |   4 -
 tests/test_env_manager.py                    |  27 +-
 tests/test_interpreter.py                    |   1 -
 tests/test_llm_router.py                     |  12 +-
 tests/test_logging_system.py                 |   1 +
 tests/unit/test_progress_tracker.py          |   2 +-
 31 files changed, 273 insertions(+), 265 deletions(-)

diff --git a/cortex/cli.py b/cortex/cli.py
index 735afa31..0641ac4b 100644
--- a/cortex/cli.py
+++ b/cortex/cli.py
@@ -463,7 +463,7 @@ def parallel_log_callback(message: str, level: str = "info"):
 
                 coordinator = InstallationCoordinator(
                     commands=commands,
-                    descriptions=[f"Step {i+1}" for i in range(len(commands))],
+                    descriptions=[f"Step {i + 1}" for i in range(len(commands))],
                     timeout=300,
                     stop_on_error=True,
                     progress_callback=progress_callback,
@@ -592,7 +592,7 @@ def history(self, limit: int = 20, status: str | None = None, show_id: str | Non
                     date = r.timestamp[:19].replace("T", " ")
                     packages = ", ".join(r.packages[:2])
                     if len(r.packages) > 2:
-                        packages += f" +{len(r.packages)-2}"
+                        packages += f" +{len(r.packages) - 2}"
 
                     print(
                         f"{r.id:<18} {date:<20} {r.operation_type.value:<12} {packages:<30} {r.status.value:<15}"
@@ -755,7 +755,9 @@ def env(self, args: argparse.Namespace) -> int:
         action = getattr(args, "env_action", None)
 
         if not action:
-            self._print_error("Please specify a subcommand (set/get/list/delete/export/import/clear/template)")
+            self._print_error(
+                "Please specify a subcommand (set/get/list/delete/export/import/clear/template)"
+            )
             return 1
 
         try:
@@ -857,9 +859,9 @@ def _env_list(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> in
             if var.encrypted:
                 if show_encrypted:
                     try:
-                        value = env_mgr.encryption.decrypt(var.value)
+                        value = env_mgr.get_variable(app, var.key, decrypt=True)
                         console.print(f"  {var.key}: {value} [dim](decrypted)[/dim]")
-                    except Exception:
+                    except ValueError:
                         console.print(f"  {var.key}: [red][decryption failed][/red]")
                 else:
                     console.print(f"  {var.key}: [yellow][encrypted][/yellow]")
@@ -902,7 +904,7 @@ def _env_export(self, env_mgr: EnvironmentManager, args: argparse.Namespace) ->
                 with open(output_file, "w", encoding="utf-8") as f:
                     f.write(content)
                 cx_print(f"✓ Exported to {output_file}", "success")
-            except IOError as e:
+            except OSError as e:
                 self._print_error(f"Failed to write file: {e}")
                 return 1
         else:
@@ -921,7 +923,7 @@ def _env_import(self, env_mgr: EnvironmentManager, args: argparse.Namespace) ->
 
         try:
             if input_file:
-                with open(input_file, "r", encoding="utf-8") as f:
+                with open(input_file, encoding="utf-8") as f:
                     content = f.read()
             elif not sys.stdin.isatty():
                 content = sys.stdin.read()
@@ -952,7 +954,7 @@ def _env_import(self, env_mgr: EnvironmentManager, args: argparse.Namespace) ->
         except FileNotFoundError:
             self._print_error(f"File not found: {input_file}")
             return 1
-        except IOError as e:
+        except OSError as e:
             self._print_error(f"Failed to read file: {e}")
             return 1
 
@@ -986,7 +988,9 @@ def _env_template(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -
         elif template_action == "apply":
             return self._env_template_apply(env_mgr, args)
         else:
-            self._print_error("Please specify: template list, template show <name>, or template apply <name> <app>")
+            self._print_error(
+                "Please specify: template list, template show <name>, or template apply <name> <app>"
+            )
             return 1
 
     def _env_template_list(self, env_mgr: EnvironmentManager) -> int:
@@ -1251,16 +1255,15 @@ def main():
     env_set_parser.add_argument("app", help="Application name")
     env_set_parser.add_argument("key", help="Variable name")
     env_set_parser.add_argument("value", help="Variable value")
+    env_set_parser.add_argument("--encrypt", "-e", action="store_true", help="Encrypt the value")
     env_set_parser.add_argument(
-        "--encrypt", "-e", action="store_true", help="Encrypt the value"
-    )
-    env_set_parser.add_argument(
-        "--type", "-t", choices=["string", "url", "port", "boolean", "integer", "path"],
-        default="string", help="Variable type for validation"
-    )
-    env_set_parser.add_argument(
-        "--description", "-d", help="Description of the variable"
+        "--type",
+        "-t",
+        choices=["string", "url", "port", "boolean", "integer", "path"],
+        default="string",
+        help="Variable type for validation",
     )
+    env_set_parser.add_argument("--description", "-d", help="Description of the variable")
 
     # env get <app> <KEY> [--decrypt]
     env_get_parser = env_subs.add_parser("get", help="Get an environment variable")
@@ -1286,27 +1289,22 @@ def main():
     env_export_parser = env_subs.add_parser("export", help="Export variables to .env format")
     env_export_parser.add_argument("app", help="Application name")
     env_export_parser.add_argument(
-        "--include-encrypted", action="store_true",
-        help="Include decrypted values of encrypted variables"
-    )
-    env_export_parser.add_argument(
-        "--output", "-o", help="Output file (default: stdout)"
+        "--include-encrypted",
+        action="store_true",
+        help="Include decrypted values of encrypted variables",
     )
+    env_export_parser.add_argument("--output", "-o", help="Output file (default: stdout)")
 
     # env import <app> [file] [--encrypt-keys KEYS]
     env_import_parser = env_subs.add_parser("import", help="Import variables from .env format")
     env_import_parser.add_argument("app", help="Application name")
     env_import_parser.add_argument("file", nargs="?", help="Input file (default: stdin)")
-    env_import_parser.add_argument(
-        "--encrypt-keys", help="Comma-separated list of keys to encrypt"
-    )
+    env_import_parser.add_argument("--encrypt-keys", help="Comma-separated list of keys to encrypt")
 
     # env clear <app> [--force]
     env_clear_parser = env_subs.add_parser("clear", help="Clear all variables for an app")
     env_clear_parser.add_argument("app", help="Application name")
-    env_clear_parser.add_argument(
-        "--force", "-f", action="store_true", help="Skip confirmation"
-    )
+    env_clear_parser.add_argument("--force", "-f", action="store_true", help="Skip confirmation")
 
     # env apps - list all apps with environments
     env_subs.add_parser("apps", help="List all apps with stored environments")
@@ -1317,7 +1315,9 @@ def main():
 
     # env template subcommands
     env_template_parser = env_subs.add_parser("template", help="Manage environment templates")
-    env_template_subs = env_template_parser.add_subparsers(dest="template_action", help="Template actions")
+    env_template_subs = env_template_parser.add_subparsers(
+        dest="template_action", help="Template actions"
+    )
 
     # env template list
     env_template_subs.add_parser("list", help="List available templates")
diff --git a/cortex/coordinator.py b/cortex/coordinator.py
index 549ca4c7..ac19bf80 100644
--- a/cortex/coordinator.py
+++ b/cortex/coordinator.py
@@ -73,7 +73,7 @@ def __init__(
 
         self.steps = [
             InstallationStep(
-                command=cmd, description=descriptions[i] if descriptions else f"Step {i+1}"
+                command=cmd, description=descriptions[i] if descriptions else f"Step {i + 1}"
             )
             for i, cmd in enumerate(commands)
         ]
@@ -250,7 +250,7 @@ def execute(self) -> InstallationResult:
                         self._rollback()
 
                     total_duration = time.time() - start_time
-                    self._log(f"Installation failed at step {i+1}")
+                    self._log(f"Installation failed at step {i + 1}")
 
                     return InstallationResult(
                         success=False,
diff --git a/cortex/doctor.py b/cortex/doctor.py
index 057bed87..0c1251c6 100644
--- a/cortex/doctor.py
+++ b/cortex/doctor.py
@@ -315,7 +315,7 @@ def _check_api_keys(self) -> None:
             self._print_check(
                 "WARN",
                 "No API keys configured (required for cloud models)",
-                "Configure API key: export ANTHROPIC_API_KEY=sk-... " "or run 'cortex wizard'",
+                "Configure API key: export ANTHROPIC_API_KEY=sk-... or run 'cortex wizard'",
             )
 
     def _check_disk_space(self) -> None:
diff --git a/cortex/env_manager.py b/cortex/env_manager.py
index 86bc72bc..44e023d0 100644
--- a/cortex/env_manager.py
+++ b/cortex/env_manager.py
@@ -21,7 +21,7 @@
 from dataclasses import asdict, dataclass, field
 from enum import Enum
 from pathlib import Path
-from typing import Any, Callable
+from typing import Any
 
 # Lazy import for cryptography to handle optional dependency
 _fernet_module = None
@@ -33,6 +33,7 @@ def _get_fernet():
     if _fernet_module is None:
         try:
             from cryptography.fernet import Fernet
+
             _fernet_module = Fernet
         except ImportError:
             raise ImportError(
@@ -44,6 +45,7 @@ def _get_fernet():
 
 class VariableType(Enum):
     """Types of environment variables for validation."""
+
     STRING = "string"
     URL = "url"
     PORT = "port"
@@ -55,12 +57,13 @@ class VariableType(Enum):
 @dataclass
 class EnvironmentVariable:
     """Represents a single environment variable."""
+
     key: str
     value: str
     encrypted: bool = False
     description: str = ""
     var_type: str = "string"
-    
+
     def to_dict(self) -> dict[str, Any]:
         """Convert to dictionary for JSON serialization."""
         return {
@@ -70,7 +73,7 @@ def to_dict(self) -> dict[str, Any]:
             "description": self.description,
             "var_type": self.var_type,
         }
-    
+
     @classmethod
     def from_dict(cls, data: dict[str, Any]) -> EnvironmentVariable:
         """Create from dictionary."""
@@ -86,6 +89,7 @@ def from_dict(cls, data: dict[str, Any]) -> EnvironmentVariable:
 @dataclass
 class TemplateVariable:
     """Definition of a variable in a template."""
+
     name: str
     required: bool = True
     default: str | None = None
@@ -97,10 +101,11 @@ class TemplateVariable:
 @dataclass
 class EnvironmentTemplate:
     """Reusable environment template definition."""
+
     name: str
     description: str
     variables: list[TemplateVariable] = field(default_factory=list)
-    
+
     def to_dict(self) -> dict[str, Any]:
         """Convert to dictionary for JSON serialization."""
         return {
@@ -108,13 +113,11 @@ def to_dict(self) -> dict[str, Any]:
             "description": self.description,
             "variables": [asdict(v) for v in self.variables],
         }
-    
+
     @classmethod
     def from_dict(cls, data: dict[str, Any]) -> EnvironmentTemplate:
         """Create from dictionary."""
-        variables = [
-            TemplateVariable(**v) for v in data.get("variables", [])
-        ]
+        variables = [TemplateVariable(**v) for v in data.get("variables", [])]
         return cls(
             name=data["name"],
             description=data["description"],
@@ -125,6 +128,7 @@ def from_dict(cls, data: dict[str, Any]) -> EnvironmentTemplate:
 @dataclass
 class ValidationResult:
     """Result of environment variable validation."""
+
     valid: bool
     errors: list[str] = field(default_factory=list)
     warnings: list[str] = field(default_factory=list)
@@ -367,21 +371,23 @@ class ValidationResult:
 
 class EnvironmentValidator:
     """Validates environment variable values based on type."""
-    
+
     # URL pattern: protocol://host[:port][/path]
     URL_PATTERN = re.compile(
         r"^[a-zA-Z][a-zA-Z0-9+.-]*://"  # scheme
         r"[^\s/$.?#]"  # at least one character for host
         r"[^\s]*$",  # rest of URL
-        re.IGNORECASE
+        re.IGNORECASE,
     )
-    
+
     # Port: 1-65535
-    PORT_PATTERN = re.compile(r"^([1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$")
-    
+    PORT_PATTERN = re.compile(
+        r"^([1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$"
+    )
+
     # Boolean: common boolean representations
     BOOLEAN_VALUES = {"true", "false", "1", "0", "yes", "no", "on", "off"}
-    
+
     @classmethod
     def validate(
         cls,
@@ -391,7 +397,7 @@ def validate(
     ) -> tuple[bool, str | None]:
         """
         Validate a value against a type.
-        
+
         Returns:
             Tuple of (is_valid, error_message)
         """
@@ -401,54 +407,57 @@ def validate(
                     return False, f"Value does not match pattern: {custom_pattern}"
             except re.error as e:
                 return False, f"Invalid validation pattern: {e}"
-        
+
         try:
             vtype = VariableType(var_type)
         except ValueError:
             # Unknown type, treat as string (always valid)
             return True, None
-        
+
         if vtype == VariableType.STRING:
             return True, None
-        
+
         elif vtype == VariableType.URL:
             if not cls.URL_PATTERN.match(value):
                 return False, f"Invalid URL format: {value}"
             return True, None
-        
+
         elif vtype == VariableType.PORT:
             if not cls.PORT_PATTERN.match(value):
                 return False, f"Invalid port number: {value} (must be 1-65535)"
             return True, None
-        
+
         elif vtype == VariableType.BOOLEAN:
             if value.lower() not in cls.BOOLEAN_VALUES:
-                return False, f"Invalid boolean value: {value} (use true/false, 1/0, yes/no, on/off)"
+                return (
+                    False,
+                    f"Invalid boolean value: {value} (use true/false, 1/0, yes/no, on/off)",
+                )
             return True, None
-        
+
         elif vtype == VariableType.INTEGER:
             try:
                 int(value)
                 return True, None
             except ValueError:
                 return False, f"Invalid integer value: {value}"
-        
+
         elif vtype == VariableType.PATH:
             # Path validation: just check it's not empty
             if not value.strip():
                 return False, "Path cannot be empty"
             return True, None
-        
+
         return True, None
 
 
 class EncryptionManager:
     """Manages encryption keys and encrypts/decrypts values."""
-    
+
     def __init__(self, key_path: Path | None = None):
         """
         Initialize encryption manager.
-        
+
         Args:
             key_path: Path to encryption key file. Defaults to ~/.cortex/.env_key
         """
@@ -456,19 +465,19 @@ def __init__(self, key_path: Path | None = None):
             key_path = Path.home() / ".cortex" / ".env_key"
         self.key_path = key_path
         self._fernet: Any = None
-    
+
     def _ensure_key_exists(self) -> bytes:
         """Ensure encryption key exists, create if needed."""
         if self.key_path.exists():
             return self.key_path.read_bytes()
-        
+
         # Create new key
         Fernet = _get_fernet()
         key = Fernet.generate_key()
-        
+
         # Ensure parent directory exists
         self.key_path.parent.mkdir(parents=True, exist_ok=True)
-        
+
         # Write key with secure permissions (atomic write)
         fd = os.open(
             str(self.key_path),
@@ -479,9 +488,9 @@ def _ensure_key_exists(self) -> bytes:
             os.write(fd, key)
         finally:
             os.close(fd)
-        
+
         return key
-    
+
     def _get_fernet(self) -> Any:
         """Get or create Fernet instance."""
         if self._fernet is None:
@@ -489,35 +498,41 @@ def _get_fernet(self) -> Any:
             key = self._ensure_key_exists()
             self._fernet = Fernet(key)
         return self._fernet
-    
+
     def encrypt(self, value: str) -> str:
         """
         Encrypt a value.
-        
+
         Args:
             value: Plaintext value to encrypt
-            
+
         Returns:
             Base64-encoded encrypted value
         """
         fernet = self._get_fernet()
         encrypted = fernet.encrypt(value.encode("utf-8"))
         return encrypted.decode("utf-8")
-    
+
     def decrypt(self, encrypted_value: str) -> str:
         """
         Decrypt a value.
-        
+
         Args:
             encrypted_value: Base64-encoded encrypted value
-            
+
         Returns:
             Decrypted plaintext value
+
+        Raises:
+            ValueError: If decryption fails (invalid key, corrupted data, etc.)
         """
-        fernet = self._get_fernet()
-        decrypted = fernet.decrypt(encrypted_value.encode("utf-8"))
-        return decrypted.decode("utf-8")
-    
+        try:
+            fernet = self._get_fernet()
+            decrypted = fernet.decrypt(encrypted_value.encode("utf-8"))
+            return decrypted.decode("utf-8")
+        except Exception as e:
+            raise ValueError(f"Decryption failed: {e}") from e
+
     def is_key_available(self) -> bool:
         """Check if encryption is available (key exists or can be created)."""
         try:
@@ -529,11 +544,11 @@ def is_key_available(self) -> bool:
 
 class EnvironmentStorage:
     """Manages persistent storage of environment variables."""
-    
+
     def __init__(self, base_path: Path | None = None):
         """
         Initialize storage.
-        
+
         Args:
             base_path: Base directory for environment storage.
                        Defaults to ~/.cortex/environments
@@ -542,64 +557,64 @@ def __init__(self, base_path: Path | None = None):
             base_path = Path.home() / ".cortex" / "environments"
         self.base_path = base_path
         self.base_path.mkdir(parents=True, exist_ok=True)
-    
+
     def _get_app_path(self, app: str) -> Path:
         """Get the storage path for an application."""
         # Sanitize app name for filesystem
         safe_name = re.sub(r"[^\w\-.]", "_", app)
         return self.base_path / f"{safe_name}.json"
-    
+
     def _get_safe_app_name(self, app: str) -> str:
         """Get a filesystem-safe version of the app name."""
         return re.sub(r"[^\w\-.]", "_", app)
-    
+
     def load(self, app: str) -> dict[str, EnvironmentVariable]:
         """
         Load environment variables for an application.
-        
+
         Args:
             app: Application name
-            
+
         Returns:
             Dictionary mapping variable names to EnvironmentVariable objects
         """
         app_path = self._get_app_path(app)
-        
+
         if not app_path.exists():
             return {}
-        
+
         try:
-            with open(app_path, "r", encoding="utf-8") as f:
+            with open(app_path, encoding="utf-8") as f:
                 data = json.load(f)
-            
+
             return {
                 var_data["key"]: EnvironmentVariable.from_dict(var_data)
                 for var_data in data.get("variables", [])
             }
         except (json.JSONDecodeError, KeyError) as e:
             raise ValueError(f"Corrupted environment file for {app}: {e}")
-    
+
     def save(self, app: str, variables: dict[str, EnvironmentVariable]) -> None:
         """
         Save environment variables for an application (atomic write).
-        
+
         Args:
             app: Application name
             variables: Dictionary of environment variables
         """
         app_path = self._get_app_path(app)
-        
+
         data = {
             "app": app,
             "variables": [var.to_dict() for var in variables.values()],
         }
-        
+
         # Atomic write: write to temp file, then rename
         self.base_path.mkdir(parents=True, exist_ok=True)
-        
+
         # Use safe app name for temp file prefix
         safe_prefix = self._get_safe_app_name(app)
-        
+
         fd, temp_path = tempfile.mkstemp(
             dir=self.base_path,
             suffix=".tmp",
@@ -614,28 +629,28 @@ def save(self, app: str, variables: dict[str, EnvironmentVariable]) -> None:
             if os.path.exists(temp_path):
                 os.unlink(temp_path)
             raise
-    
+
     def delete_app(self, app: str) -> bool:
         """
         Delete all environment data for an application.
-        
+
         Args:
             app: Application name
-            
+
         Returns:
             True if data was deleted, False if app didn't exist
         """
         app_path = self._get_app_path(app)
-        
+
         if app_path.exists():
             app_path.unlink()
             return True
         return False
-    
+
     def list_apps(self) -> list[str]:
         """
         List all applications with stored environments.
-        
+
         Returns:
             List of application names
         """
@@ -650,11 +665,11 @@ def list_apps(self) -> list[str]:
 class EnvironmentManager:
     """
     Main environment manager class.
-    
+
     Provides high-level API for managing environment variables
     with encryption, templates, and validation.
     """
-    
+
     def __init__(
         self,
         storage: EnvironmentStorage | None = None,
@@ -662,7 +677,7 @@ def __init__(
     ):
         """
         Initialize the environment manager.
-        
+
         Args:
             storage: Custom storage backend (optional)
             encryption: Custom encryption manager (optional)
@@ -670,7 +685,7 @@ def __init__(
         self.storage = storage or EnvironmentStorage()
         self.encryption = encryption or EncryptionManager()
         self.templates = dict(BUILTIN_TEMPLATES)
-    
+
     def set_variable(
         self,
         app: str,
@@ -682,7 +697,7 @@ def set_variable(
     ) -> EnvironmentVariable:
         """
         Set an environment variable for an application.
-        
+
         Args:
             app: Application name
             key: Variable name
@@ -690,7 +705,7 @@ def set_variable(
             encrypt: Whether to encrypt the value
             var_type: Variable type for validation
             description: Optional description
-            
+
         Returns:
             The created/updated EnvironmentVariable
         """
@@ -699,15 +714,15 @@ def set_variable(
             is_valid, error = EnvironmentValidator.validate(value, var_type)
             if not is_valid:
                 raise ValueError(error)
-        
+
         # Load existing variables
         variables = self.storage.load(app)
-        
+
         # Encrypt if requested
         stored_value = value
         if encrypt:
             stored_value = self.encryption.encrypt(value)
-        
+
         # Create or update variable
         env_var = EnvironmentVariable(
             key=key,
@@ -716,12 +731,12 @@ def set_variable(
             description=description,
             var_type=var_type,
         )
-        
+
         variables[key] = env_var
         self.storage.save(app, variables)
-        
+
         return env_var
-    
+
     def get_variable(
         self,
         app: str,
@@ -730,114 +745,116 @@ def get_variable(
     ) -> str | None:
         """
         Get an environment variable value.
-        
+
         Args:
             app: Application name
             key: Variable name
             decrypt: Whether to decrypt encrypted values
-            
+
         Returns:
             Variable value or None if not found
         """
         variables = self.storage.load(app)
-        
+
         if key not in variables:
             return None
-        
+
         var = variables[key]
-        
+
         if var.encrypted and decrypt:
             return self.encryption.decrypt(var.value)
-        
+
         return var.value
-    
+
     def get_variable_info(self, app: str, key: str) -> EnvironmentVariable | None:
         """
         Get full information about a variable.
-        
+
         Args:
             app: Application name
             key: Variable name
-            
+
         Returns:
             EnvironmentVariable object or None if not found
         """
         variables = self.storage.load(app)
         return variables.get(key)
-    
+
     def list_variables(self, app: str) -> list[EnvironmentVariable]:
         """
         List all environment variables for an application.
-        
+
         Args:
             app: Application name
-            
+
         Returns:
             List of EnvironmentVariable objects
         """
         variables = self.storage.load(app)
         return list(variables.values())
-    
+
     def delete_variable(self, app: str, key: str) -> bool:
         """
         Delete an environment variable.
-        
+
         Args:
             app: Application name
             key: Variable name
-            
+
         Returns:
             True if variable was deleted, False if not found
         """
         variables = self.storage.load(app)
-        
+
         if key not in variables:
             return False
-        
+
         del variables[key]
         self.storage.save(app, variables)
         return True
-    
+
     def clear_app(self, app: str) -> bool:
         """
         Clear all environment variables for an application.
-        
+
         Args:
             app: Application name
-            
+
         Returns:
             True if app existed and was cleared
         """
         return self.storage.delete_app(app)
-    
+
     def list_apps(self) -> list[str]:
         """
         List all applications with stored environments.
-        
+
         Returns:
             List of application names
         """
         return self.storage.list_apps()
-    
+
     def export_env(self, app: str, include_encrypted: bool = False) -> str:
         """
         Export environment variables in .env format.
-        
+
         Args:
             app: Application name
             include_encrypted: Whether to decrypt and include encrypted values
-            
+
         Returns:
             Environment file content as string
         """
         variables = self.storage.load(app)
         lines = []
-        
+
         for var in sorted(variables.values(), key=lambda v: v.key):
             if var.encrypted:
                 if include_encrypted:
                     value = self.encryption.decrypt(var.value)
-                    lines.append(f"# [encrypted] {var.description}" if var.description else "# [encrypted]")
+                    lines.append(
+                        f"# [encrypted] {var.description}" if var.description else "# [encrypted]"
+                    )
                     lines.append(f'{var.key}="{value}"')
                 else:
                     lines.append(f"# {var.key}=[encrypted - use --include-encrypted to export]")
@@ -849,9 +866,9 @@ def export_env(self, app: str, include_encrypted: bool = False) -> str:
                     lines.append(f'{var.key}="{var.value}"')
                 else:
                     lines.append(f"{var.key}={var.value}")
-        
+
         return "\n".join(lines) + "\n" if lines else ""
-    
+
     def import_env(
         self,
         app: str,
@@ -860,12 +877,12 @@ def import_env(
     ) -> tuple[int, list[str]]:
         """
         Import environment variables from .env format.
-        
+
         Args:
             app: Application name
             content: .env file content
             encrypt_keys: List of keys to encrypt during import
-            
+
         Returns:
             Tuple of (count of imported variables, list of errors)
         """
@@ -873,93 +890,94 @@ def import_env(
         variables = self.storage.load(app)
         imported = 0
         errors = []
-        
+
         for line_num, line in enumerate(content.splitlines(), start=1):
             line = line.strip()
-            
+
             # Skip empty lines and comments
             if not line or line.startswith("#"):
                 continue
-            
+
             # Parse KEY=value
-            match = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line)
+            match = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
             if not match:
                 errors.append(f"Line {line_num}: Invalid format")
                 continue
-            
+
             key = match.group(1)
             value = match.group(2)
-            
+
             # Handle quoted values
-            if (value.startswith('"') and value.endswith('"')) or \
-               (value.startswith("'") and value.endswith("'")):
+            if (value.startswith('"') and value.endswith('"')) or (
+                value.startswith("'") and value.endswith("'")
+            ):
                 value = value[1:-1]
-            
+
             # Encrypt if key is in encrypt_keys
             encrypt = key in encrypt_keys
-            
+
             if encrypt:
                 value = self.encryption.encrypt(value)
-            
+
             variables[key] = EnvironmentVariable(
                 key=key,
                 value=value,
                 encrypted=encrypt,
             )
             imported += 1
-        
+
         if imported > 0:
             self.storage.save(app, variables)
-        
+
         return imported, errors
-    
+
     def load_to_environ(self, app: str) -> int:
         """
         Load environment variables into os.environ.
-        
+
         Args:
             app: Application name
-            
+
         Returns:
             Number of variables loaded
         """
         variables = self.storage.load(app)
         loaded = 0
-        
+
         for var in variables.values():
             if var.encrypted:
                 value = self.encryption.decrypt(var.value)
             else:
                 value = var.value
-            
+
             os.environ[var.key] = value
             loaded += 1
-        
+
         return loaded
-    
+
     # Template management
-    
+
     def list_templates(self) -> list[EnvironmentTemplate]:
         """
         List all available templates.
-        
+
         Returns:
             List of EnvironmentTemplate objects
         """
         return list(self.templates.values())
-    
+
     def get_template(self, name: str) -> EnvironmentTemplate | None:
         """
         Get a template by name.
-        
+
         Args:
             name: Template name
-            
+
         Returns:
             EnvironmentTemplate or None if not found
         """
         return self.templates.get(name.lower())
-    
+
     def apply_template(
         self,
         template_name: str,
@@ -969,13 +987,13 @@ def apply_template(
     ) -> ValidationResult:
         """
         Apply a template to an application.
-        
+
         Args:
             template_name: Name of template to apply
             app: Application name
             values: Values for template variables
             encrypt_keys: Keys to encrypt
-            
+
         Returns:
             ValidationResult with any errors/warnings
         """
@@ -985,14 +1003,14 @@ def apply_template(
                 valid=False,
                 errors=[f"Template '{template_name}' not found"],
             )
-        
+
         values = values or {}
         encrypt_keys = set(encrypt_keys or [])
         errors = []
         warnings = []
-        
+
         variables = self.storage.load(app)
-        
+
         for tvar in template.variables:
             if tvar.name in values:
                 # Use provided value
@@ -1006,25 +1024,25 @@ def apply_template(
             else:
                 # Optional with no default - skip
                 continue
-            
+
             # Validate value
             is_valid, error = EnvironmentValidator.validate(
                 value,
                 tvar.var_type,
                 tvar.validation_pattern,
             )
-            
+
             if not is_valid:
                 errors.append(f"{tvar.name}: {error}")
                 continue
-            
+
             # Check if should encrypt
             encrypt = tvar.name in encrypt_keys
-            
+
             stored_value = value
             if encrypt:
                 stored_value = self.encryption.encrypt(value)
-            
+
             variables[tvar.name] = EnvironmentVariable(
                 key=tvar.name,
                 value=stored_value,
@@ -1032,16 +1050,16 @@ def apply_template(
                 description=tvar.description,
                 var_type=tvar.var_type,
             )
-        
+
         if not errors:
             self.storage.save(app, variables)
-        
+
         return ValidationResult(
             valid=len(errors) == 0,
             errors=errors,
             warnings=warnings,
         )
-    
+
     def validate_app(
         self,
         app: str,
@@ -1049,18 +1067,18 @@ def validate_app(
     ) -> ValidationResult:
         """
         Validate environment variables for an application.
-        
+
         Args:
             app: Application name
             template_name: Optional template to validate against
-            
+
         Returns:
             ValidationResult with any errors/warnings
         """
         variables = self.storage.load(app)
         errors = []
         warnings = []
-        
+
         # Validate all variable types
         for var in variables.values():
             is_valid, error = EnvironmentValidator.validate(
@@ -1069,7 +1087,7 @@ def validate_app(
             )
             if not is_valid and not var.encrypted:
                 errors.append(f"{var.key}: {error}")
-        
+
         # If template specified, check required variables
         if template_name:
             template = self.get_template(template_name)
@@ -1079,7 +1097,7 @@ def validate_app(
                 for tvar in template.variables:
                     if tvar.required and tvar.name not in variables:
                         errors.append(f"Required variable '{tvar.name}' missing")
-        
+
         return ValidationResult(
             valid=len(errors) == 0,
             errors=errors,
diff --git a/cortex/hardware_detection.py b/cortex/hardware_detection.py
index a61eb0e4..fc8fc166 100644
--- a/cortex/hardware_detection.py
+++ b/cortex/hardware_detection.py
@@ -686,7 +686,7 @@ def get_cpu_cores() -> int:
     print("\n⚡ Quick Detection:")
     start = time.time()
     quick = detector.detect_quick()
-    print(f"  Time: {(time.time() - start)*1000:.0f}ms")
+    print(f"  Time: {(time.time() - start) * 1000:.0f}ms")
     print(f"  CPU Cores: {quick['cpu_cores']}")
     print(f"  RAM: {quick['ram_gb']} GB")
     print(f"  NVIDIA GPU: {quick['has_nvidia']}")
@@ -696,7 +696,7 @@ def get_cpu_cores() -> int:
     print("\n🔍 Full Detection:")
     start = time.time()
     info = detector.detect()
-    print(f"  Time: {(time.time() - start)*1000:.0f}ms")
+    print(f"  Time: {(time.time() - start) * 1000:.0f}ms")
 
     print("\n📋 System:")
     print(f"  Hostname: {info.hostname}")
diff --git a/cortex/installation_history.py b/cortex/installation_history.py
index 1c3289a4..131222ea 100644
--- a/cortex/installation_history.py
+++ b/cortex/installation_history.py
@@ -690,7 +690,7 @@ def cleanup_old_records(self, days: int = 90):
                 date = r.timestamp[:19].replace("T", " ")
                 packages = ", ".join(r.packages[:2])
                 if len(r.packages) > 2:
-                    packages += f" +{len(r.packages)-2}"
+                    packages += f" +{len(r.packages) - 2}"
 
                 print(
                     f"{r.id:<18} {date:<20} {r.operation_type.value:<12} {packages:<30} {r.status.value:<15}"
diff --git a/cortex/installation_verifier.py b/cortex/installation_verifier.py
index 706728fe..c4a4a7c5 100644
--- a/cortex/installation_verifier.py
+++ b/cortex/installation_verifier.py
@@ -309,8 +309,7 @@ def verify_package(
         elif passed_tests > 0:
             status = VerificationStatus.PARTIAL
             message = (
-                f"⚠️ {package_name} partially verified "
-                f"({passed_tests}/{total_tests} tests passed)"
+                f"⚠️ {package_name} partially verified ({passed_tests}/{total_tests} tests passed)"
             )
         else:
             status = VerificationStatus.UNKNOWN
diff --git a/cortex/kernel_features/accelerator_limits.py b/cortex/kernel_features/accelerator_limits.py
index 47a6f370..bb6ab443 100644
--- a/cortex/kernel_features/accelerator_limits.py
+++ b/cortex/kernel_features/accelerator_limits.py
@@ -98,7 +98,7 @@ def status(self):
         for p in profiles:
             gpus = ",".join(map(str, p.gpu_ids)) or "-"
             print(
-                f"{p.name:<20} {p.preset:<12} {p.cpu_quota/100:.0f}{'':<5} {p.memory_max/1e9:.0f}G{'':<5} {gpus:<10}"
+                f"{p.name:<20} {p.preset:<12} {p.cpu_quota / 100:.0f}{'':<5} {p.memory_max / 1e9:.0f}G{'':<5} {gpus:<10}"
             )
 
 
diff --git a/cortex/kernel_features/kv_cache_manager.py b/cortex/kernel_features/kv_cache_manager.py
index 3d7f7610..bd56a2d6 100644
--- a/cortex/kernel_features/kv_cache_manager.py
+++ b/cortex/kernel_features/kv_cache_manager.py
@@ -131,7 +131,7 @@ def status(self, name: str = None):
         for item in pools:
             if item:
                 cfg = item[0] if isinstance(item, tuple) else item
-                print(f"{cfg.name:<20} {cfg.size_bytes/1e9:.1f}G{'':<6} {cfg.policy:<10}")
+                print(f"{cfg.name:<20} {cfg.size_bytes / 1e9:.1f}G{'':<6} {cfg.policy:<10}")
 
 
 def main():
diff --git a/cortex/kernel_features/model_lifecycle.py b/cortex/kernel_features/model_lifecycle.py
index 4f215640..d0460b7f 100644
--- a/cortex/kernel_features/model_lifecycle.py
+++ b/cortex/kernel_features/model_lifecycle.py
@@ -94,7 +94,7 @@ def generate(self, config: ModelConfig) -> str:
 [Service]
 Type=simple
 ExecStart={cmd}
-Environment=CUDA_VISIBLE_DEVICES={','.join(map(str, config.gpu_ids))}
+Environment=CUDA_VISIBLE_DEVICES={",".join(map(str, config.gpu_ids))}
 CPUQuota={int(config.cpu_limit * 100)}%
 MemoryMax={config.memory_limit}
 Restart={config.restart_policy}
diff --git a/cortex/llm_router.py b/cortex/llm_router.py
index d43f9eaa..f3612646 100644
--- a/cortex/llm_router.py
+++ b/cortex/llm_router.py
@@ -759,7 +759,10 @@ async def query_multiple_packages(
             {
                 "messages": [
                     {"role": "system", "content": default_system},
-                    {"role": "user", "content": f"What are the installation requirements for {pkg}?"},
+                    {
+                        "role": "user",
+                        "content": f"What are the installation requirements for {pkg}?",
+                    },
                 ],
                 "task_type": TaskType.DEPENDENCY_RESOLUTION,
             }
@@ -798,8 +801,7 @@ async def diagnose_errors_parallel(
             print(f"{error}: {diagnosis.content}")
     """
     system_prompt = (
-        "You are a Linux system debugging expert. "
-        "Analyze error messages and provide solutions."
+        "You are a Linux system debugging expert. Analyze error messages and provide solutions."
     )
     if context:
         system_prompt += f"\n\nSystem context: {context}"
@@ -857,7 +859,10 @@ async def check_hardware_configs_parallel(
             {
                 "messages": [
                     {"role": "system", "content": system_prompt},
-                    {"role": "user", "content": f"Check configuration requirements for {component}"},
+                    {
+                        "role": "user",
+                        "content": f"Check configuration requirements for {component}",
+                    },
                 ],
                 "task_type": TaskType.CONFIGURATION,
             }
diff --git a/cortex/logging_system.py b/cortex/logging_system.py
index 2503a7a3..1994188d 100644
--- a/cortex/logging_system.py
+++ b/cortex/logging_system.py
@@ -179,7 +179,9 @@ def _setup_error_handler(self):
         error_file = self.log_dir / f"{self.name}.error.log"
 
         error_handler = RotatingFileHandler(
-            error_file, maxBytes=5 * 1024 * 1024, backupCount=3  # 5MB
+            error_file,
+            maxBytes=5 * 1024 * 1024,
+            backupCount=3,  # 5MB
         )
         error_handler.setLevel(logging.ERROR)
 
diff --git a/cortex/progress_indicators.py b/cortex/progress_indicators.py
index a16ba1d4..1ce1e2b4 100644
--- a/cortex/progress_indicators.py
+++ b/cortex/progress_indicators.py
@@ -291,7 +291,7 @@ def progress_bar(
             for i, item in enumerate(items):
                 pct = (i + 1) / total * 100
                 bar = "█" * int(pct / 5) + "░" * (20 - int(pct / 5))
-                sys.stdout.write(f"\r{description}: [{bar}] {i+1}/{total}")
+                sys.stdout.write(f"\r{description}: [{bar}] {i + 1}/{total}")
                 sys.stdout.flush()
                 yield item
             print()  # Newline after completion
diff --git a/cortex/progress_tracker.py b/cortex/progress_tracker.py
index 4ce0f915..e7add13d 100644
--- a/cortex/progress_tracker.py
+++ b/cortex/progress_tracker.py
@@ -582,7 +582,9 @@ async def live_progress(self):
         # Add tasks for each stage
         for i, stage in enumerate(self.stages):
             task_id = self.progress_obj.add_task(
-                stage.name, total=100, visible=(i == 0)  # Only show first stage initially
+                stage.name,
+                total=100,
+                visible=(i == 0),  # Only show first stage initially
             )
             self.task_ids[i] = task_id
 
diff --git a/cortex/transaction_history.py b/cortex/transaction_history.py
index 790ac6e2..77ebe107 100644
--- a/cortex/transaction_history.py
+++ b/cortex/transaction_history.py
@@ -354,7 +354,7 @@ def _assess_rollback_safety(self, transaction: Transaction):
             if any(crit in pkg for crit in critical_packages):
                 transaction.is_rollback_safe = False
                 transaction.rollback_warning = (
-                    f"Rolling back {pkg} may affect system stability. " "Proceed with caution."
+                    f"Rolling back {pkg} may affect system stability. Proceed with caution."
                 )
                 break
 
diff --git a/docs/ENV_MANAGEMENT.md b/docs/ENV_MANAGEMENT.md
index 37249f13..6a1b8c61 100644
--- a/docs/ENV_MANAGEMENT.md
+++ b/docs/ENV_MANAGEMENT.md
@@ -34,7 +34,7 @@ cortex env list myapp
 
 Environment variables are stored in JSON files under:
 
-```
+```text
 ~/.cortex/environments/<app>.json
 ```
 
diff --git a/examples/env_demo.py b/examples/env_demo.py
index 1a1b07f2..33b5e637 100644
--- a/examples/env_demo.py
+++ b/examples/env_demo.py
@@ -30,10 +30,9 @@
 from rich.table import Table
 
 from cortex.env_manager import (
+    EncryptionManager,
     EnvironmentManager,
     EnvironmentStorage,
-    EncryptionManager,
-    get_env_manager,
 )
 
 console = Console()
diff --git a/examples/parallel_llm_demo.py b/examples/parallel_llm_demo.py
index ffaf59f9..d1930d2e 100644
--- a/examples/parallel_llm_demo.py
+++ b/examples/parallel_llm_demo.py
@@ -12,6 +12,7 @@
 
 import asyncio
 import time
+
 from cortex.llm_router import (
     LLMRouter,
     TaskType,
@@ -35,14 +36,12 @@ async def demo_multi_package_queries():
     print(f"\nQuerying {len(packages)} packages in parallel...")
     start_time = time.time()
 
-    responses = await query_multiple_packages(
-        router, packages, max_concurrent=5
-    )
+    responses = await query_multiple_packages(router, packages, max_concurrent=5)
 
     elapsed = time.time() - start_time
 
     print(f"\n✅ Completed in {elapsed:.2f} seconds")
-    print(f"   Average time per package: {elapsed/len(packages):.2f}s\n")
+    print(f"   Average time per package: {elapsed / len(packages):.2f}s\n")
 
     for pkg, response in responses.items():
         print(f"📦 {pkg}:")
@@ -82,7 +81,7 @@ async def demo_parallel_error_diagnosis():
     elapsed = time.time() - start_time
 
     print(f"\n✅ Completed in {elapsed:.2f} seconds")
-    print(f"   Average time per error: {elapsed/len(errors):.2f}s\n")
+    print(f"   Average time per error: {elapsed / len(errors):.2f}s\n")
 
     for error, diagnosis in zip(errors, diagnoses):
         print(f"🔍 Error: {error[:60]}...")
@@ -116,7 +115,7 @@ async def demo_hardware_config_checks():
     elapsed = time.time() - start_time
 
     print(f"\n✅ Completed in {elapsed:.2f} seconds")
-    print(f"   Average time per component: {elapsed/len(components):.2f}s\n")
+    print(f"   Average time per component: {elapsed / len(components):.2f}s\n")
 
     for component, config in configs.items():
         print(f"🖥️  {component}:")
@@ -162,7 +161,7 @@ async def demo_batch_completion():
     elapsed = time.time() - start_time
 
     print(f"\n✅ Completed in {elapsed:.2f} seconds")
-    print(f"   Average time per request: {elapsed/len(requests):.2f}s\n")
+    print(f"   Average time per request: {elapsed / len(requests):.2f}s\n")
 
     task_names = ["Chat", "System Op", "Error Debug", "Code Gen"]
     for i, (task_name, response) in enumerate(zip(task_names, responses)):
@@ -211,7 +210,9 @@ async def demo_sequential_vs_parallel():
 
     speedup = elapsed_seq / elapsed_par if elapsed_par > 0 else 1.0
     print(f"\n⚡ Speedup: {speedup:.2f}x")
-    print(f"   Time saved: {elapsed_seq - elapsed_par:.2f}s ({((elapsed_seq - elapsed_par)/elapsed_seq*100):.1f}%)")
+    print(
+        f"   Time saved: {elapsed_seq - elapsed_par:.2f}s ({((elapsed_seq - elapsed_par) / elapsed_seq * 100):.1f}%)"
+    )
 
 
 async def main():
@@ -251,4 +252,3 @@ async def main():
 
 if __name__ == "__main__":
     asyncio.run(main())
-
diff --git a/examples/progress_demo.py b/examples/progress_demo.py
index 08e85e8c..637a0c22 100644
--- a/examples/progress_demo.py
+++ b/examples/progress_demo.py
@@ -185,7 +185,8 @@ async def main():
     print("\n\n[Demo 2] Multiple Package Installation")
     print("-" * 60)
     tracker2 = ProgressTracker(
-        "Installing Development Tools", enable_notifications=False  # Disable notifications for demo
+        "Installing Development Tools",
+        enable_notifications=False,  # Disable notifications for demo
     )
     await run_with_progress(tracker2, demo_multi_package_installation)
 
diff --git a/examples/standalone_demo.py b/examples/standalone_demo.py
index 1ce2c077..2269cb34 100644
--- a/examples/standalone_demo.py
+++ b/examples/standalone_demo.py
@@ -101,7 +101,7 @@ async def demo_cancelled_operation(tracker: ProgressTracker):
 
     stages = []
     for i in range(10):
-        idx = tracker.add_stage(f"Processing step {i+1}")
+        idx = tracker.add_stage(f"Processing step {i + 1}")
         stages.append(idx)
 
     for idx in stages:
diff --git a/requirements.txt b/requirements.txt
index ad5338f3..166a777e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,7 +12,7 @@ PyYAML>=6.0.0
 python-dotenv>=1.0.0
 
 # Encryption for environment variable secrets
-cryptography>=41.0.0
+cryptography>=42.0.0
 
 # Terminal UI
 rich>=13.0.0
diff --git a/src/intent/llm_agent.py b/src/intent/llm_agent.py
index 195a42f0..8c6c215a 100644
--- a/src/intent/llm_agent.py
+++ b/src/intent/llm_agent.py
@@ -25,7 +25,6 @@ class LLMIntentAgent:
     """
 
     def __init__(self, api_key: str | None = None, model: str = "claude-3-5-sonnet-20240620"):
-
         # LLM is enabled ONLY if SDK + API key is available
         if Anthropic is None or api_key is None:
             self.llm = None
@@ -91,7 +90,6 @@ def process(self, text: str):
     # LLM enhancement of intents
     # ----------------------------------------------
     def enhance_intents_with_llm(self, text: str, intents: list[Intent]) -> list[Intent]:
-
         prompt = f"""
 You are an installation-intent expert. Convert the user request into structured intents.
 
@@ -139,7 +137,6 @@ def enhance_intents_with_llm(self, text: str, intents: list[Intent]) -> list[Int
     # LLM optimization suggestions
     # ----------------------------------------------
     def suggest_optimizations(self, text: str) -> list[str]:
-
         prompt = f"""
 User request: "{text}"
 
diff --git a/src/intent/planner.py b/src/intent/planner.py
index 37ca704d..1d67637c 100644
--- a/src/intent/planner.py
+++ b/src/intent/planner.py
@@ -4,7 +4,6 @@
 
 
 class InstallationPlanner:
-
     GPU_PACKAGES = ["cuda", "cudnn", "pytorch", "tensorflow"]
 
     def build_plan(self, intents: list[Intent]) -> list[str]:
@@ -19,7 +18,6 @@ def build_plan(self, intents: list[Intent]) -> list[str]:
         # 2. Add installation steps based on intent order
         for intent in intents:
             if intent.action == "install" and intent.target not in installed:
-
                 if intent.target == "cuda":
                     plan.append("Install CUDA 12.3 + drivers")
 
diff --git a/test_parallel_llm.py b/test_parallel_llm.py
index 41b62142..f154f2b8 100755
--- a/test_parallel_llm.py
+++ b/test_parallel_llm.py
@@ -48,7 +48,7 @@ async def test_async_completion():
         )
         elapsed = time.time() - start
 
-        print(f"✅ Async completion successful!")
+        print("✅ Async completion successful!")
         print(f"   Provider: {response.provider.value}")
         print(f"   Latency: {elapsed:.2f}s")
         print(f"   Response: {response.content[:100]}")
@@ -95,9 +95,9 @@ async def test_batch_processing():
         responses = await router.complete_batch(requests, max_concurrent=3)
         elapsed = time.time() - start
 
-        print(f"✅ Batch processing successful!")
+        print("✅ Batch processing successful!")
         print(f"   Total time: {elapsed:.2f}s")
-        print(f"   Average per request: {elapsed/len(requests):.2f}s")
+        print(f"   Average per request: {elapsed / len(requests):.2f}s")
 
         for i, response in enumerate(responses, 1):
             if response.model == "error":
@@ -109,6 +109,7 @@ async def test_batch_processing():
     except Exception as e:
         print(f"❌ Batch processing failed: {e}")
         import traceback
+
         traceback.print_exc()
         return False
 
@@ -142,7 +143,7 @@ async def test_rate_limiting():
         responses = await router.complete_batch(requests, max_concurrent=2)
         elapsed = time.time() - start
 
-        print(f"✅ Rate limiting working!")
+        print("✅ Rate limiting working!")
         print(f"   Total time: {elapsed:.2f}s")
         print(f"   Semaphore value: {router._rate_limit_semaphore._value}")
         return True
@@ -169,9 +170,7 @@ async def test_helper_functions():
     try:
         print("\n4a. Testing query_multiple_packages...")
         packages = ["nginx", "postgresql"]
-        responses = await query_multiple_packages(
-            router, packages, max_concurrent=2
-        )
+        responses = await query_multiple_packages(router, packages, max_concurrent=2)
         print(f"   ✅ Queried {len(responses)} packages")
         results.append(True)
     except Exception as e:
@@ -182,9 +181,7 @@ async def test_helper_functions():
     try:
         print("\n4b. Testing diagnose_errors_parallel...")
         errors = ["Test error 1", "Test error 2"]
-        diagnoses = await diagnose_errors_parallel(
-            router, errors, max_concurrent=2
-        )
+        diagnoses = await diagnose_errors_parallel(router, errors, max_concurrent=2)
         print(f"   ✅ Diagnosed {len(diagnoses)} errors")
         results.append(True)
     except Exception as e:
@@ -195,9 +192,7 @@ async def test_helper_functions():
     try:
         print("\n4c. Testing check_hardware_configs_parallel...")
         components = ["nvidia_gpu", "intel_cpu"]
-        configs = await check_hardware_configs_parallel(
-            router, components, max_concurrent=2
-        )
+        configs = await check_hardware_configs_parallel(router, components, max_concurrent=2)
         print(f"   ✅ Checked {len(configs)} components")
         results.append(True)
     except Exception as e:
@@ -233,8 +228,9 @@ async def test_performance_comparison():
         print("Simulating sequential execution...")
         start_seq = time.time()
         for req in requests:
-            await router.acomplete(**{k: v for k, v in req.items() if k != "task_type"}, 
-                                 task_type=req["task_type"])
+            await router.acomplete(
+                **{k: v for k, v in req.items() if k != "task_type"}, task_type=req["task_type"]
+            )
         elapsed_seq = time.time() - start_seq
 
         # Parallel execution
@@ -244,7 +240,7 @@ async def test_performance_comparison():
         elapsed_par = time.time() - start_par
 
         speedup = elapsed_seq / elapsed_par if elapsed_par > 0 else 1.0
-        print(f"\n✅ Performance comparison:")
+        print("\n✅ Performance comparison:")
         print(f"   Sequential: {elapsed_seq:.2f}s")
         print(f"   Parallel: {elapsed_par:.2f}s")
         print(f"   Speedup: {speedup:.2f}x")
@@ -316,4 +312,3 @@ async def main():
 if __name__ == "__main__":
     success = asyncio.run(main())
     sys.exit(0 if success else 1)
-
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 8b658bf9..047f9a46 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -9,7 +9,6 @@
 
 
 class TestCortexCLI(unittest.TestCase):
-
     def setUp(self):
         self.cli = CortexCLI()
 
diff --git a/tests/test_coordinator.py b/tests/test_coordinator.py
index 8d9d80b1..a0ad03d4 100644
--- a/tests/test_coordinator.py
+++ b/tests/test_coordinator.py
@@ -16,7 +16,6 @@
 
 
 class TestInstallationStep(unittest.TestCase):
-
     def test_step_creation(self):
         step = InstallationStep(command="echo test", description="Test step")
         self.assertEqual(step.command, "echo test")
@@ -33,7 +32,6 @@ def test_step_duration(self):
 
 
 class TestInstallationCoordinator(unittest.TestCase):
-
     def test_initialization(self):
         commands = ["echo 1", "echo 2"]
         coordinator = InstallationCoordinator(commands)
@@ -320,7 +318,6 @@ def test_step_timing(self, mock_run):
 
 
 class TestInstallDocker(unittest.TestCase):
-
     @patch("subprocess.run")
     def test_install_docker_success(self, mock_run):
         mock_result = Mock()
@@ -349,7 +346,6 @@ def test_install_docker_failure(self, mock_run):
 
 
 class TestInstallationPlans(unittest.TestCase):
-
     def test_example_cuda_install_plan_structure(self):
         plan = example_cuda_install_plan()
 
diff --git a/tests/test_env_manager.py b/tests/test_env_manager.py
index b31a6d08..fe23c064 100644
--- a/tests/test_env_manager.py
+++ b/tests/test_env_manager.py
@@ -17,25 +17,24 @@
 import stat
 import tempfile
 from pathlib import Path
-from unittest.mock import MagicMock, patch, mock_open
+from unittest.mock import MagicMock, mock_open, patch
 
 import pytest
 
 from cortex.env_manager import (
+    BUILTIN_TEMPLATES,
+    EncryptionManager,
     EnvironmentManager,
     EnvironmentStorage,
-    EnvironmentVariable,
-    EnvironmentValidator,
-    EncryptionManager,
     EnvironmentTemplate,
+    EnvironmentValidator,
+    EnvironmentVariable,
     TemplateVariable,
     ValidationResult,
     VariableType,
-    BUILTIN_TEMPLATES,
     get_env_manager,
 )
 
-
 # =============================================================================
 # Fixtures
 # =============================================================================
@@ -243,9 +242,7 @@ def test_validate_custom_pattern(self):
         assert is_valid is True
 
         # Invalid pattern match
-        is_valid, error = EnvironmentValidator.validate(
-            "abc", "string", custom_pattern=r"^[A-Z]+$"
-        )
+        is_valid, error = EnvironmentValidator.validate("abc", "string", custom_pattern=r"^[A-Z]+$")
         assert is_valid is False
         assert "does not match pattern" in error
 
@@ -548,11 +545,11 @@ def test_import_env(self, env_manager):
 
     def test_import_env_with_quotes(self, env_manager):
         """Test importing values with quotes."""
-        content = '''
+        content = """
 DOUBLE_QUOTED="hello world"
 SINGLE_QUOTED='another value'
 NO_QUOTES=simple
-'''
+"""
         count, errors = env_manager.import_env("myapp", content)
 
         assert count == 3
@@ -566,9 +563,7 @@ def test_import_env_with_encryption(self, env_manager):
 PUBLIC_VAR=public_value
 SECRET_VAR=secret_value
 """
-        count, errors = env_manager.import_env(
-            "myapp", content, encrypt_keys=["SECRET_VAR"]
-        )
+        count, errors = env_manager.import_env("myapp", content, encrypt_keys=["SECRET_VAR"])
 
         assert count == 2
 
@@ -916,8 +911,8 @@ def test_very_long_value(self, env_manager):
         retrieved = env_manager.get_variable("myapp", "LONG")
         assert retrieved == long_value
 
-    def test_concurrent_writes_same_app(self, env_manager):
-        """Test that multiple writes to same app don't lose data."""
+    def test_rapid_sequential_writes_same_app(self, env_manager):
+        """Test that multiple rapid sequential writes to same app don't lose data."""
         # Write multiple variables rapidly
         for i in range(10):
             env_manager.set_variable("myapp", f"VAR_{i}", f"value_{i}")
diff --git a/tests/test_interpreter.py b/tests/test_interpreter.py
index 3ff9b5d5..af49cb4f 100644
--- a/tests/test_interpreter.py
+++ b/tests/test_interpreter.py
@@ -10,7 +10,6 @@
 
 
 class TestCommandInterpreter(unittest.TestCase):
-
     def setUp(self):
         self.api_key = "test-api-key"
 
diff --git a/tests/test_llm_router.py b/tests/test_llm_router.py
index e240c7ce..31f2c0eb 100644
--- a/tests/test_llm_router.py
+++ b/tests/test_llm_router.py
@@ -92,7 +92,9 @@ class TestFallbackBehavior(unittest.TestCase):
     def test_fallback_to_kimi_when_claude_unavailable(self):
         """Should fallback to Kimi K2 if Claude unavailable."""
         router = LLMRouter(
-            claude_api_key=None, kimi_api_key="test-kimi-key", enable_fallback=True  # No Claude
+            claude_api_key=None,
+            kimi_api_key="test-kimi-key",
+            enable_fallback=True,  # No Claude
         )
 
         # User chat normally goes to Claude, should fallback to Kimi
@@ -103,7 +105,9 @@ def test_fallback_to_kimi_when_claude_unavailable(self):
     def test_fallback_to_claude_when_kimi_unavailable(self):
         """Should fallback to Claude if Kimi K2 unavailable."""
         router = LLMRouter(
-            claude_api_key="test-claude-key", kimi_api_key=None, enable_fallback=True  # No Kimi
+            claude_api_key="test-claude-key",
+            kimi_api_key=None,
+            enable_fallback=True,  # No Kimi
         )
 
         # System ops normally go to Kimi, should fallback to Claude
@@ -707,9 +711,7 @@ def test_check_hardware_configs_parallel(self, mock_async_openai):
 
         async def run_test():
             components = ["nvidia_gpu", "intel_cpu"]
-            configs = await check_hardware_configs_parallel(
-                router, components, max_concurrent=2
-            )
+            configs = await check_hardware_configs_parallel(router, components, max_concurrent=2)
             self.assertEqual(len(configs), 2)
             self.assertIn("nvidia_gpu", configs)
             self.assertIn("intel_cpu", configs)
diff --git a/tests/test_logging_system.py b/tests/test_logging_system.py
index 30de2740..50d2dd84 100644
--- a/tests/test_logging_system.py
+++ b/tests/test_logging_system.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 """Unit tests for Cortex Logging System"""
+
 import json
 import os
 import sys
diff --git a/tests/unit/test_progress_tracker.py b/tests/unit/test_progress_tracker.py
index b010c7d1..e560900f 100644
--- a/tests/unit/test_progress_tracker.py
+++ b/tests/unit/test_progress_tracker.py
@@ -488,7 +488,7 @@ def test_time_estimation_accuracy(self):
 
         # Add 3 stages
         for i in range(3):
-            idx = tracker.add_stage(f"Stage {i+1}")
+            idx = tracker.add_stage(f"Stage {i + 1}")
 
         # Complete first stage in 0.2s
         tracker.start_stage(0)

From 6f39fa826613de7f7a7b5d310c6b577b3413d674 Mon Sep 17 00:00:00 2001
From: Jay Surse <jay@cortex.local>
Date: Mon, 22 Dec 2025 21:48:25 +0530
Subject: [PATCH 3/6] test: replace insecure ftp URL with secure protocol

---
 tests/test_env_manager.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_env_manager.py b/tests/test_env_manager.py
index fe23c064..ac424967 100644
--- a/tests/test_env_manager.py
+++ b/tests/test_env_manager.py
@@ -160,7 +160,7 @@ def test_validate_valid_url(self):
             "https://example.com",
             "postgres://user:pass@localhost:5432/db",
             "redis://localhost:6379",
-            "ftp://files.example.com/path",
+            "sftp://files.example.com/path",
         ]
         for url in valid_urls:
             is_valid, error = EnvironmentValidator.validate(url, "url")

From 3a61150c48a5001fc43da44aa542a3a6fa1fc207 Mon Sep 17 00:00:00 2001
From: Jay Surse <jay@cortex.local>
Date: Tue, 23 Dec 2025 11:36:57 +0530
Subject: [PATCH 4/6] fix: sort imports in dependency_check.py (I001)

---
 cortex/dependency_check.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cortex/dependency_check.py b/cortex/dependency_check.py
index c78cc138..49a25bb3 100644
--- a/cortex/dependency_check.py
+++ b/cortex/dependency_check.py
@@ -2,9 +2,11 @@
 Dependency Check Module for Cortex Linux
 Verifies all required dependencies are installed before the main application runs.
 """
+
 import sys
 from typing import NamedTuple
 
+
 class DependencyStatus(NamedTuple):
     name: str
     installed: bool

From d035c664be8e123b3b9c053625a2a057c24cba63 Mon Sep 17 00:00:00 2001
From: Jay Surse <jay@cortex.local>
Date: Tue, 23 Dec 2025 12:00:09 +0530
Subject: [PATCH 5/6] refactor(cli): improve exception handling per reviewer
 feedback

- Replace broad Exception blocks with specific exceptions (ValueError, OSError, ImportError)
- Add verbose traceback printing for unexpected exceptions
- Only suggest pip install cryptography when ImportError mentions it
- Return success (0) for partial imports with warnings
- Remove unused sys import in env() method
---
 cortex/cli.py | 83 ++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 72 insertions(+), 11 deletions(-)

diff --git a/cortex/cli.py b/cortex/cli.py
index f7023212..03a0e36f 100644
--- a/cortex/cli.py
+++ b/cortex/cli.py
@@ -456,13 +456,23 @@ def parallel_log_callback(message: str, level: str = "info"):
                             print(f"   View details: cortex history show {install_id}")
                         return 1
 
-                    except Exception as e:
+                    except (ValueError, OSError) as e:
                         if install_id:
                             history.update_installation(
                                 install_id, InstallationStatus.FAILED, str(e)
                             )
                         self._print_error(f"Parallel execution failed: {str(e)}")
                         return 1
+                    except Exception as e:
+                        if install_id:
+                            history.update_installation(
+                                install_id, InstallationStatus.FAILED, str(e)
+                            )
+                        self._print_error(f"Unexpected parallel execution error: {str(e)}")
+                        if self.verbose:
+                            import traceback
+                            traceback.print_exc()
+                        return 1
 
                 coordinator = InstallationCoordinator(
                     commands=commands,
@@ -519,10 +529,18 @@ def parallel_log_callback(message: str, level: str = "info"):
                 history.update_installation(install_id, InstallationStatus.FAILED, str(e))
             self._print_error(f"API call failed: {str(e)}")
             return 1
+        except OSError as e:
+            if install_id:
+                history.update_installation(install_id, InstallationStatus.FAILED, str(e))
+            self._print_error(f"System error: {str(e)}")
+            return 1
         except Exception as e:
             if install_id:
                 history.update_installation(install_id, InstallationStatus.FAILED, str(e))
             self._print_error(f"Unexpected error: {str(e)}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
             return 1
 
     def cache_stats(self) -> int:
@@ -539,9 +557,15 @@ def cache_stats(self) -> int:
             cx_print(f"Hit rate: {hit_rate}", "info")
             cx_print(f"Saved calls (approx): {stats.hits}", "info")
             return 0
-        except Exception as e:
+        except (ImportError, OSError) as e:
             self._print_error(f"Unable to read cache stats: {e}")
             return 1
+        except Exception as e:
+            self._print_error(f"Unexpected error reading cache stats: {e}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
+            return 1
 
     def history(self, limit: int = 20, status: str | None = None, show_id: str | None = None):
         """Show installation history"""
@@ -602,9 +626,15 @@ def history(self, limit: int = 20, status: str | None = None, show_id: str | Non
                     )
 
                 return 0
-        except Exception as e:
+        except (ValueError, OSError) as e:
             self._print_error(f"Failed to retrieve history: {str(e)}")
             return 1
+        except Exception as e:
+            self._print_error(f"Unexpected error retrieving history: {str(e)}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
+            return 1
 
     def rollback(self, install_id: str, dry_run: bool = False):
         """Rollback an installation"""
@@ -623,9 +653,15 @@ def rollback(self, install_id: str, dry_run: bool = False):
             else:
                 self._print_error(message)
                 return 1
-        except Exception as e:
+        except (ValueError, OSError) as e:
             self._print_error(f"Rollback failed: {str(e)}")
             return 1
+        except Exception as e:
+            self._print_error(f"Unexpected rollback error: {str(e)}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
+            return 1
 
     def _get_prefs_manager(self):
         """Lazy initialize preferences manager"""
@@ -652,9 +688,15 @@ def check_pref(self, key: str | None = None):
                 print_all_preferences(manager)
                 return 0
 
-        except Exception as e:
+        except (ValueError, OSError) as e:
             self._print_error(f"Failed to read preferences: {str(e)}")
             return 1
+        except Exception as e:
+            self._print_error(f"Unexpected error reading preferences: {str(e)}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
+            return 1
 
     def edit_pref(self, action: str, key: str | None = None, value: str | None = None):
         """Edit user preferences (add/set, delete/remove, list)"""
@@ -701,9 +743,15 @@ def edit_pref(self, action: str, key: str | None = None, value: str | None = Non
                 self._print_error(f"Unknown action: {action}")
                 return 1
 
-        except Exception as e:
+        except (ValueError, OSError) as e:
             self._print_error(f"Failed to edit preferences: {str(e)}")
             return 1
+        except Exception as e:
+            self._print_error(f"Unexpected error editing preferences: {str(e)}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
+            return 1
 
     def status(self):
         """Show system status including security features"""
@@ -750,8 +798,6 @@ def wizard(self):
 
     def env(self, args: argparse.Namespace) -> int:
         """Handle environment variable management commands."""
-        import sys
-
         env_mgr = get_env_manager()
 
         # Handle subcommand routing
@@ -787,9 +833,15 @@ def env(self, args: argparse.Namespace) -> int:
             else:
                 self._print_error(f"Unknown env subcommand: {action}")
                 return 1
-        except Exception as e:
+        except (ValueError, OSError) as e:
             self._print_error(f"Environment operation failed: {e}")
             return 1
+        except Exception as e:
+            self._print_error(f"Unexpected error: {e}")
+            if self.verbose:
+                import traceback
+                traceback.print_exc()
+            return 1
 
     def _env_set(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
         """Set an environment variable."""
@@ -821,7 +873,8 @@ def _env_set(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int
             return 1
         except ImportError as e:
             self._print_error(str(e))
-            cx_print("Install with: pip install cryptography", "info")
+            if "cryptography" in str(e).lower():
+                cx_print("Install with: pip install cryptography", "info")
             return 1
 
     def _env_get(self, env_mgr: EnvironmentManager, args: argparse.Namespace) -> int:
@@ -952,7 +1005,8 @@ def _env_import(self, env_mgr: EnvironmentManager, args: argparse.Namespace) ->
             else:
                 cx_print("No variables imported", "info")
 
-            return 0 if not errors else 1
+            # Return success (0) even with partial errors - some vars imported successfully
+            return 0
 
         except FileNotFoundError:
             self._print_error(f"File not found: {input_file}")
@@ -1392,8 +1446,15 @@ def main():
     except KeyboardInterrupt:
         print("\n❌ Operation cancelled", file=sys.stderr)
         return 130
+    except (ValueError, ImportError, OSError) as e:
+        print(f"❌ Error: {e}", file=sys.stderr)
+        return 1
     except Exception as e:
         print(f"❌ Unexpected error: {e}", file=sys.stderr)
+        # Print traceback if verbose mode was requested
+        if "--verbose" in sys.argv or "-v" in sys.argv:
+            import traceback
+            traceback.print_exc()
         return 1
 
 

From 4005fbdd3c12c354ee31a9123ae7fd63d3b01495 Mon Sep 17 00:00:00 2001
From: Jay Surse <jay@cortex.local>
Date: Tue, 23 Dec 2025 12:06:56 +0530
Subject: [PATCH 6/6] style: format cli.py with black

---
 cortex/cli.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cortex/cli.py b/cortex/cli.py
index 03a0e36f..2d954d5c 100644
--- a/cortex/cli.py
+++ b/cortex/cli.py
@@ -471,6 +471,7 @@ def parallel_log_callback(message: str, level: str = "info"):
                         self._print_error(f"Unexpected parallel execution error: {str(e)}")
                         if self.verbose:
                             import traceback
+
                             traceback.print_exc()
                         return 1
 
@@ -540,6 +541,7 @@ def parallel_log_callback(message: str, level: str = "info"):
             self._print_error(f"Unexpected error: {str(e)}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -564,6 +566,7 @@ def cache_stats(self) -> int:
             self._print_error(f"Unexpected error reading cache stats: {e}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -633,6 +636,7 @@ def history(self, limit: int = 20, status: str | None = None, show_id: str | Non
             self._print_error(f"Unexpected error retrieving history: {str(e)}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -660,6 +664,7 @@ def rollback(self, install_id: str, dry_run: bool = False):
             self._print_error(f"Unexpected rollback error: {str(e)}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -695,6 +700,7 @@ def check_pref(self, key: str | None = None):
             self._print_error(f"Unexpected error reading preferences: {str(e)}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -750,6 +756,7 @@ def edit_pref(self, action: str, key: str | None = None, value: str | None = Non
             self._print_error(f"Unexpected error editing preferences: {str(e)}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -840,6 +847,7 @@ def env(self, args: argparse.Namespace) -> int:
             self._print_error(f"Unexpected error: {e}")
             if self.verbose:
                 import traceback
+
                 traceback.print_exc()
             return 1
 
@@ -1454,6 +1462,7 @@ def main():
         # Print traceback if verbose mode was requested
         if "--verbose" in sys.argv or "-v" in sys.argv:
             import traceback
+
             traceback.print_exc()
         return 1