cpflow 4.1.1 → 5.0.0.rc.0

data/lib/command/base.rb

@@ -40,6 +40,8 @@ module Command
     WITH_INFO_HEADER = true
     # Which validations to run before the command
     VALIDATIONS = %w[config].freeze
+    # Whether or not to run CLI startup checks such as cpln availability and update checks
+    REQUIRES_STARTUP_CHECKS = true
 
     def initialize(config)
       @config = config
@@ -316,6 +318,18 @@ module Command
       }
     end
 
+    def self.staging_branch_option(required: false)
+      {
+        name: :staging_branch,
+        params: {
+          banner: "BRANCH",
+          desc: "Branch that should auto-deploy staging; defaults to main/master",
+          type: :string,
+          required: required
+        }
+      }
+    end
+
     def self.logs_limit_option(required: false)
       {
         name: :limit,

data/lib/command/cleanup_images.rb

@@ -26,7 +26,7 @@ module Command
 
       progress.puts("Images to delete:")
       images_to_delete.each do |image|
-        created = Shell.color((image[:created]).to_s, :red)
+        created = Shell.color(image[:created].to_s, :red)
         reason = Shell.color(image[:reason], :red)
         progress.puts("  - #{image[:name]} (#{created} - #{reason})")
       end

data/lib/command/cleanup_stale_apps.rb

@@ -22,7 +22,7 @@ module Command
 
       progress.puts("Stale apps:")
       stale_apps.each do |app|
-        progress.puts("  - #{app[:name]} (#{Shell.color((app[:date]).to_s, :red)})")
+        progress.puts("  - #{app[:name]} (#{Shell.color(app[:date].to_s, :red)})")
       end
 
       return unless confirm_delete

data/lib/command/copy_image_from_upstream.rb

@@ -5,14 +5,14 @@ module Command
     NAME = "copy-image-from-upstream"
     OPTIONS = [
       app_option(required: true),
-      upstream_token_option(required: true),
+      upstream_token_option,
       image_option
     ].freeze
     DESCRIPTION = "Copies an image (by default the latest) from a source org to the current org"
     LONG_DESCRIPTION = <<~DESC
       - Copies an image (by default the latest) from a source org to the current org
       - The source app must be specified either through the `CPLN_UPSTREAM` env var or `upstream` in the `.controlplane/controlplane.yml` file
-      - Additionally, the token for the source org must be provided through `--upstream-token` or `-t`
+      - The token for the source org must be provided through `--upstream-token`/`-t` or the `CPLN_UPSTREAM_TOKEN` env var
       - A `cpln` profile will be temporarily created to pull the image from the source org
     DESC
     EXAMPLES = <<~EX
@@ -20,6 +20,9 @@ module Command
       # Copies the latest image from the source org to the current org.
       cpflow copy-image-from-upstream -a $APP_NAME --upstream-token $UPSTREAM_TOKEN
 
+      # Equivalent call using an env var (avoids exposing the token via the OS process table).
+      CPLN_UPSTREAM_TOKEN=$UPSTREAM_TOKEN cpflow copy-image-from-upstream -a $APP_NAME
+
       # Copies a specific image from the source org to the current org.
       cpflow copy-image-from-upstream -a $APP_NAME --upstream-token $UPSTREAM_TOKEN --image appimage:123
       ```
@@ -30,7 +33,9 @@ module Command
 
       @upstream = ENV.fetch("CPLN_UPSTREAM", nil) || config[:upstream]
       @upstream_org = ENV.fetch("CPLN_ORG_UPSTREAM", nil) || config.find_app_config(@upstream)&.dig(:cpln_org)
+      @upstream_token = config.options[:upstream_token] || ENV.fetch("CPLN_UPSTREAM_TOKEN", nil)
       ensure_upstream_org!
+      ensure_upstream_token!
 
       create_upstream_profile
       fetch_upstream_image_url
@@ -51,6 +56,12 @@ module Command
             "and CPLN_ORG_UPSTREAM env var is not set."
     end
 
+    def ensure_upstream_token!
+      return if @upstream_token && !@upstream_token.strip.empty?
+
+      raise "Missing upstream token. Pass `--upstream-token`/`-t` or set the `CPLN_UPSTREAM_TOKEN` env var."
+    end
+
     def create_upstream_profile
       step("Creating upstream profile") do
         loop do
@@ -58,7 +69,7 @@ module Command
           break unless cp.profile_exists?(@upstream_profile)
         end
 
-        cp.profile_create(@upstream_profile, config.options[:upstream_token])
+        cp.profile_create(@upstream_profile, @upstream_token)
       end
     end
 

data/lib/command/exists.rb

@@ -9,15 +9,26 @@ module Command
     DESCRIPTION = "Shell-checks if an application (GVC) exists, useful in scripts"
     LONG_DESCRIPTION = <<~DESC
       - Shell-checks if an application (GVC) exists, useful in scripts, e.g.:
+      - Exits 0 when the app exists, 3 when it does not exist, and 64 for other errors.
     DESC
     EXAMPLES = <<~EX
       ```sh
-      if [ cpflow exists -a $APP_NAME ]; ...
+      cpflow exists -a "$APP_NAME"
+      status=$?
+      if [ "$status" -eq 0 ]; then
+        echo "exists"
+      elif [ "$status" -eq 3 ]; then
+        echo "not found"
+      else
+        echo "error: cpflow exists exited $status"
+      fi
       ```
     EX
 
     def call
-      exit(cp.fetch_gvc.nil? ? ExitCode::ERROR_DEFAULT : ExitCode::SUCCESS)
+      exit(cp.fetch_gvc.nil? ? ExitCode::NOT_FOUND : ExitCode::SUCCESS)
+    rescue StandardError => e
+      Shell.abort(e.message)
     end
   end
 end

data/lib/command/generate.rb

@@ -1,32 +1,181 @@
 # frozen_string_literal: true
 
+require "yaml"
+
+require_relative "generator_helpers"
+require_relative "../core/repo_introspection"
+
 module Command
-  class Generator < Thor::Group
+  class Generator < Thor::Group # rubocop:disable Metrics/ClassLength
     include Thor::Actions
+    include GeneratorHelpers
+
+    COMMON_TEMPLATE_FILES = %w[
+      Dockerfile
+      entrypoint.sh
+    ].freeze
+    POSTGRES_TEMPLATE_FILES = %w[
+      controlplane.yml
+      templates/app.yml
+      templates/postgres.yml
+      templates/rails.yml
+      release_script.sh
+    ].freeze
+    SQLITE_TEMPLATE_FILES = %w[
+      controlplane.yml
+      release_script.sh
+      templates/app.yml
+      templates/db.yml
+      templates/rails.yml
+      templates/storage.yml
+    ].freeze
+
+    # Fallback Ruby version when the repo doesn't pin one via `.ruby-version`,
+    # `.tool-versions`, or the `Gemfile`. Keep this on a supported release line
+    # (https://www.ruby-lang.org/en/downloads/branches/).
+    DEFAULT_RUBY_VERSION = "3.3"
 
     def copy_files
-      directory("generator_templates", ".controlplane", verbose: ENV.fetch("HIDE_COMMAND_OUTPUT", nil) != "true")
+      generated_paths = copy_template_files("generator_templates", base_template_files)
+      generated_paths += copy_template_files("generator_templates_sqlite", SQLITE_TEMPLATE_FILES) if sqlite_project?
+      substitute_template_variables(generated_paths)
+      make_shell_scripts_executable(generated_paths)
     end
 
     def self.source_root
       Cpflow.root_path.join("lib")
     end
+
+    private
+
+    def copy_template_files(root_dir, relative_paths)
+      relative_paths.map { |relative_path| copy_template_file(root_dir, relative_path) }
+    end
+
+    def copy_template_file(root_dir, relative_path)
+      destination_path = File.join(".controlplane", relative_path)
+      empty_directory(File.dirname(destination_path), verbose: false)
+      copy_file(
+        File.join(root_dir, relative_path),
+        destination_path,
+        force: true,
+        verbose: ENV.fetch("HIDE_COMMAND_OUTPUT", nil) != "true"
+      )
+      destination_path
+    end
+
+    def base_template_files
+      COMMON_TEMPLATE_FILES + (sqlite_project? ? [] : POSTGRES_TEMPLATE_FILES)
+    end
+
+    def template_variables
+      {
+        "__APP_PREFIX__" => inferred_app_prefix,
+        "__RUBY_VERSION__" => inferred_ruby_version,
+        "__ASSET_PRECOMPILE_HOOK_RUN__" => asset_precompile_hook_run
+      }
+    end
+
+    def inferred_app_prefix
+      RepoIntrospection.inferred_app_prefix(Dir.pwd)
+    end
+
+    def inferred_ruby_version
+      RepoIntrospection.inferred_ruby_version_string(Dir.pwd) || DEFAULT_RUBY_VERSION
+    end
+
+    def sqlite_project?
+      return @sqlite_project if instance_variable_defined?(:@sqlite_project)
+
+      @sqlite_project = sqlite_database_in_production?
+    end
+
+    def asset_precompile_hook_run
+      command = normalized_asset_precompile_hook_command
+      return "" unless command
+      return "" unless single_line_asset_precompile_hook?(command)
+
+      "RUN #{command}\n\n"
+    end
+
+    def single_line_asset_precompile_hook?(command)
+      return true unless command.match?(/[\r\n]/)
+
+      Shell.warn("Skipping asset precompile hook: value must be a single line: #{command.inspect}")
+      false
+    end
+
+    def sqlite_database_in_production?
+      RepoIntrospection.sqlite_database_in_production?(Dir.pwd)
+    end
+
+    def normalized_asset_precompile_hook_command
+      command = shakapacker_precompile_hook || react_on_rails_auto_bundle_hook
+      return unless command
+
+      command.start_with?("rake ") ? "bundle exec #{command}" : command
+    end
+
+    def shakapacker_precompile_hook
+      return unless File.file?("config/shakapacker.yml")
+
+      # Parse rather than regex-match: Shakapacker emits an environment-keyed YAML file
+      # (the hook usually lives under `default:` or `production:`), and folded or quoted
+      # multi-line values would also defeat a single-line regex.
+      config = YAML.safe_load(File.read("config/shakapacker.yml"), aliases: true)
+      hook = extract_shakapacker_precompile_hook(config)
+      hook unless hook.nil? || hook.empty?
+    rescue Psych::SyntaxError
+      nil
+    end
+
+    SHAKAPACKER_HOOK_SCOPES = %w[production default].freeze
+    private_constant :SHAKAPACKER_HOOK_SCOPES
+
+    def extract_shakapacker_precompile_hook(config)
+      return nil unless config.is_a?(Hash)
+
+      scoped = SHAKAPACKER_HOOK_SCOPES.filter_map do |key|
+        section = config[key]
+        section["precompile_hook"] if section.is_a?(Hash) && section["precompile_hook"].is_a?(String)
+      end.first
+      scoped || (config["precompile_hook"] if config["precompile_hook"].is_a?(String))
+    end
+
+    def react_on_rails_auto_bundle_hook
+      return unless react_on_rails_auto_load_bundle?
+
+      "bundle exec rake react_on_rails:generate_packs"
+    end
+
+    def react_on_rails_auto_load_bundle?
+      return false unless File.file?("config/initializers/react_on_rails.rb")
+
+      File.readlines("config/initializers/react_on_rails.rb")
+          .reject { |line| line.lstrip.start_with?("#") }
+          .any? { |line| line.match?(/config\.auto_load_bundle\s*=\s*true\b/) }
+    end
   end
 
   class Generate < Base
     NAME = "generate"
     DESCRIPTION = "Creates base Control Plane config and template files"
     LONG_DESCRIPTION = <<~DESC
-      Creates base Control Plane config and template files
+      Creates base Control Plane config and template files for a Rails project:
+      - infers the app prefix from the current directory and wires staging, review, and production entries
+      - infers the Docker base Ruby version from `.ruby-version`, `.tool-versions`, or the app's `Gemfile`
+      - preserves repo-defined asset precompile hooks, including React on Rails auto bundle generation
+      - detects SQLite in `config/database.yml` and generates persistent `db` and `storage` volume templates instead of the default Postgres workload
     DESC
     EXAMPLES = <<~EX
       ```sh
-      # Creates .controlplane directory with Control Plane config and other templates
+      # Creates .controlplane directory with Control Plane config and starter templates
       cpflow generate
       ```
     EX
     WITH_INFO_HEADER = false
     VALIDATIONS = [].freeze
+    REQUIRES_STARTUP_CHECKS = false
 
     def call
       if controlplane_directory_exists?

data/lib/command/generate_github_actions.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require "json"
+require "pathname"
+
+require_relative "generator_helpers"
+
+module Command
+  class GithubActionsGenerator < Thor::Group
+    include Thor::Actions
+    include GeneratorHelpers
+
+    argument :staging_branch, type: :string, required: false
+
+    def copy_files
+      relative_paths = generated_files
+      copy_template_files(relative_paths)
+      substitute_template_variables(relative_paths)
+      make_shell_scripts_executable(relative_paths)
+    end
+
+    def self.source_root
+      Cpflow.root_path.join("lib")
+    end
+
+    private
+
+    def copy_template_files(relative_paths)
+      relative_paths.each do |relative_path|
+        empty_directory(File.dirname(relative_path), verbose: false)
+        copy_file(
+          File.join("github_flow_templates", relative_path),
+          relative_path,
+          force: true,
+          verbose: ENV.fetch("HIDE_COMMAND_OUTPUT", nil) != "true"
+        )
+      end
+    end
+
+    def template_variables
+      {
+        "__CPFLOW_VERSION__" => ::Cpflow::VERSION,
+        "__STAGING_BRANCH_FILTER__" => staging_branch_filter,
+        "__STAGING_APP_BRANCH_EXPRESSION__" => staging_app_branch_expression
+      }
+    end
+
+    def generated_files
+      # Keep file discovery centralized on the command class so existence checks and
+      # Thor's template copy list cannot drift.
+      GenerateGithubActions.generated_files
+    end
+
+    def staging_branch_filter
+      branches = staging_branch ? [staging_branch] : %w[main master]
+      # JSON string literals are valid YAML flow-sequence scalars, so this keeps
+      # the generated branch list readable while still escaping branch names.
+      branches.map(&:to_json).join(", ")
+    end
+
+    def staging_app_branch_expression
+      return "${{ vars.STAGING_APP_BRANCH }}" unless staging_branch
+
+      # `valid_staging_branch?` excludes quotes, so this single-quoted GitHub
+      # expression literal cannot be broken by the generated branch name.
+      "${{ vars.STAGING_APP_BRANCH || '#{staging_branch}' }}"
+    end
+  end
+
+  class GenerateGithubActions < Base
+    NAME = "generate-github-actions"
+    OPTIONS = [staging_branch_option].freeze
+    DESCRIPTION = "Creates GitHub Actions templates for review apps, staging deploys, and production promotion"
+    LONG_DESCRIPTION = <<~DESC
+      Creates GitHub Actions templates for a Heroku Flow style Control Plane pipeline:
+      - on-demand review apps for pull requests
+      - automatic staging deploys from your main branch
+      - manual promotion from staging to production
+      - nightly cleanup and PR help workflows
+
+      Pass `--staging-branch BRANCH` when staging should auto-deploy from a branch
+      other than `main` or `master`; the generator will bake that branch into the
+      GitHub Actions push trigger and use it as the default STAGING_APP_BRANCH.
+    DESC
+    EXAMPLES = <<~EX
+      ```sh
+      # Creates .github/actions and .github/workflows files for the Control Plane flow
+      cpflow generate-github-actions
+
+      # Creates the flow with staging deploys triggered from develop
+      cpflow generate-github-actions --staging-branch develop
+      ```
+    EX
+    WITH_INFO_HEADER = false
+    VALIDATIONS = [].freeze
+    REQUIRES_STARTUP_CHECKS = false
+
+    # Resolve template root from __dir__ rather than Cpflow.root_path because this file is
+    # loaded before `module Cpflow` finishes defining its class methods.
+    TEMPLATE_ROOT = Pathname.new(File.expand_path("../github_flow_templates", __dir__))
+
+    def self.generated_files
+      ensure_template_root!
+
+      Dir.glob(TEMPLATE_ROOT.join("**", "*").to_s, File::FNM_DOTMATCH)
+         .select { |path| File.file?(path) }
+         .map { |path| Pathname.new(path).relative_path_from(TEMPLATE_ROOT).to_s }
+         .sort
+         .freeze
+    end
+
+    def self.ensure_template_root!
+      raise "cpflow template directory not found: #{TEMPLATE_ROOT}" unless TEMPLATE_ROOT.directory?
+    end
+
+    def call
+      self.class.ensure_template_root!
+      branch = staging_branch
+
+      if (existing = existing_files).any?
+        files = existing.map { |path| "- #{path}" }.join("\n")
+        Shell.warn("The following files already exist:\n#{files}\n\n" \
+                   "Remove or rename them before running `cpflow #{NAME}` again.")
+        return
+      end
+
+      GithubActionsGenerator.start([branch].compact)
+    end
+
+    private
+
+    def existing_files
+      @existing_files ||= self.class.generated_files.select { |path| File.exist?(path) }
+    end
+
+    def staging_branch
+      branch = config.options[:staging_branch].to_s.strip
+      return nil if branch.empty?
+
+      unless valid_staging_branch?(branch)
+        Shell.abort(
+          "Invalid --staging-branch value: #{branch.inspect}. " \
+          "Use a valid git branch name containing only alphanumerics, dots, slashes, underscores, hyphens, and @."
+        )
+      end
+
+      branch
+    end
+
+    def valid_staging_branch?(branch)
+      return false unless branch.match?(%r{\A[a-zA-Z0-9._/@-]+\z})
+
+      valid_git_branch_shape?(branch) && valid_git_branch_components?(branch)
+    end
+
+    def valid_git_branch_shape?(branch)
+      return false if branch.start_with?("-", "/", ".")
+      return false if branch.end_with?("/", ".")
+      return false if branch.include?("@{")
+
+      !branch.include?("..")
+    end
+
+    def valid_git_branch_components?(branch)
+      branch.split("/").none? do |component|
+        component.empty? || component.start_with?(".") || component.end_with?(".lock")
+      end
+    end
+  end
+end

data/lib/command/generator_helpers.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Command
+  module GeneratorHelpers
+    private
+
+    def substitute_template_variables(file_paths, replacements = template_variables)
+      Array(file_paths).each do |path|
+        next unless File.file?(path)
+
+        contents = File.read(path)
+        updated_contents = replacements.reduce(contents) do |memo, (placeholder, value)|
+          # Block form avoids regex-style back-reference interpretation (\1, \&, \\) in `value`.
+          memo.gsub(placeholder) { value }
+        end
+
+        next if updated_contents == contents
+
+        File.write(path, updated_contents)
+      end
+    end
+
+    def make_shell_scripts_executable(file_paths)
+      Array(file_paths).each do |path|
+        next unless File.file?(path) && File.extname(path) == ".sh"
+
+        FileUtils.chmod(0o755, path)
+      end
+    end
+  end
+end

data/lib/command/github_flow_readiness.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Command
+  class GithubFlowReadiness < Base
+    NAME = "github-flow-readiness"
+    DESCRIPTION = "Checks whether the current repo is ready for the Control Plane GitHub flow rollout"
+    LONG_DESCRIPTION = <<~DESC
+      Checks the current repository for common rollout blockers before adding the Control Plane GitHub flow:
+      - Rails runtime scaffold present
+      - modern Ruby and Bundler toolchain
+      - installable exact-pinned direct gem and npm package versions
+      - production Dockerfile presence and SQLite production hints
+    DESC
+    EXAMPLES = <<~EX
+      ```sh
+      # Checks the current repo for common rollout blockers
+      cpflow github-flow-readiness
+      ```
+    EX
+    WITH_INFO_HEADER = false
+    VALIDATIONS = [].freeze
+    REQUIRES_STARTUP_CHECKS = false
+
+    def call
+      service = GithubFlowReadinessService.new
+
+      service.results.each do |result|
+        Shell.info("[#{result.status.to_s.upcase}] #{result.message}")
+      end
+
+      Shell.info("")
+      Shell.info(service.summary)
+
+      exit(ExitCode::ERROR_DEFAULT) if service.blockers?
+    end
+  end
+end

data/lib/command/ps_wait.rb

@@ -11,6 +11,7 @@ module Command
     DESCRIPTION = "Waits for workloads in app to be ready after re-deployment"
     LONG_DESCRIPTION = <<~DESC
       - Waits for workloads in app to be ready after re-deployment
+      - Use Unix timeout command to set a maximum wait time (e.g., `timeout 300 cpflow ps:wait ...`)
     DESC
     EXAMPLES = <<~EX
       ```sh
@@ -18,7 +19,10 @@ module Command
       cpflow ps:wait -a $APP_NAME
 
       # Waits for a specific workload in app.
-      cpflow ps:swait -a $APP_NAME -w $WORKLOAD_NAME
+      cpflow ps:wait -a $APP_NAME -w $WORKLOAD_NAME
+
+      # Waits for all workloads with a 5-minute timeout.
+      timeout 300 cpflow ps:wait -a $APP_NAME
       ```
     EX
 

data/lib/command/run.rb

@@ -48,7 +48,7 @@ module Command
       - By default, the job is stopped if it takes longer than 6 hours to finish
         (can be configured though `runner_job_timeout` in `controlplane.yml`)
     DESC
-    EXAMPLES = <<~EX
+    EXAMPLES = <<~EX.freeze
       ```sh
       # Opens shell (bash by default).
       cpflow run -a $APP_NAME
@@ -97,7 +97,7 @@ module Command
 
     attr_reader :interactive, :detached, :location, :original_workload, :runner_workload,
                 :default_image, :default_cpu, :default_memory, :job_timeout, :job_history_limit,
-                :container, :expected_deployed_version, :job, :replica, :command
+                :container, :job, :replica, :command
 
     def call # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
       @interactive = config.options[:interactive] || interactive_command?
@@ -126,10 +126,7 @@ module Command
       end
 
       create_runner_workload if cp.fetch_workload(runner_workload).nil?
-      wait_for_runner_workload_deploy
       update_runner_workload
-      wait_for_runner_workload_update if expected_deployed_version
-
       start_job
       wait_for_replica_for_job
 
@@ -191,7 +188,7 @@ module Command
         }
 
         # Create runner workload
-        cp.apply_hash("kind" => "workload", "name" => runner_workload, "spec" => spec)
+        cp.apply_hash({ "kind" => "workload", "name" => runner_workload, "spec" => spec }, wait: true)
       end
     end
 
@@ -242,21 +239,7 @@ module Command
       return unless should_update
 
       step("Updating runner workload '#{runner_workload}'") do
-        # Update runner workload
-        @expected_deployed_version = (cp.cron_workload_deployed_version(runner_workload) || 0) + 1
-        cp.apply_hash("kind" => "workload", "name" => runner_workload, "spec" => spec)
-      end
-    end
-
-    def wait_for_runner_workload_deploy
-      step("Waiting for runner workload '#{runner_workload}' to be deployed", retry_on_failure: true) do
-        !cp.cron_workload_deployed_version(runner_workload).nil?
-      end
-    end
-
-    def wait_for_runner_workload_update
-      step("Waiting for runner workload '#{runner_workload}' to be updated", retry_on_failure: true) do
-        (cp.cron_workload_deployed_version(runner_workload) || 0) >= expected_deployed_version
+        cp.apply_hash({ "kind" => "workload", "name" => runner_workload, "spec" => spec }, wait: true)
       end
     end
 

data/lib/command/terraform/generate.rb

@@ -14,6 +14,7 @@ module Command
         - Generates terraform configuration files based on `controlplane.yml` and `templates/` config
       DESC
       WITH_INFO_HEADER = false
+      REQUIRES_STARTUP_CHECKS = false
 
       def call
         Array(config.app || config.apps.keys).each do |app|

data/lib/command/version.rb

@@ -10,6 +10,7 @@ module Command
     DESC
     WITH_INFO_HEADER = false
     VALIDATIONS = [].freeze
+    REQUIRES_STARTUP_CHECKS = false
 
     def call
       puts Cpflow::VERSION

data/lib/constants/exit_code.rb

@@ -2,6 +2,7 @@
 
 module ExitCode
   SUCCESS = 0
+  NOT_FOUND = 3
   ERROR_DEFAULT = 64
   INTERRUPT = 130
 end

data/lib/core/config.rb

@@ -25,7 +25,7 @@ class Config # rubocop:disable Metrics/ClassLength
     return unless trace_mode
 
     ControlplaneApiDirect.trace = trace_mode
-    Shell.warn("Trace mode is enabled, this will print sensitive information to the console.")
+    Shell.warn("Trace mode is enabled. Sensitive data is redacted, but please review output before sharing.")
   end
 
   def org