@dotenvx/dotenvx 1.55.1 → 1.57.0

package/CHANGELOG.md

@@ -2,7 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.55.1...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.57.0...main)
+
+## [1.57.0](https://github.com/dotenvx/dotenvx/compare/v1.56.0...v1.57.0) (2026-03-19)
+
+### Changed
+
+* color and formatting changes to outputs ([#754](https://github.com/dotenvx/dotenvx/pull/754))
+
+## [1.56.0](https://github.com/dotenvx/dotenvx/compare/v1.55.1...v1.56.0) (2026-03-19)
+
+### Changed
+
+* `ops off` flag — now respected by `get`, `keypair`, `rotate`, and `encrypt` ([#750](https://github.com/dotenvx/dotenvx/pull/750))
+* `--pp` alias — added as shorthand for `--pretty-print`; toward sunsetting `-pp` ([#750](https://github.com/dotenvx/dotenvx/pull/750))
+
+### Removed
+
+* Remove support for `.env.vault` files ([#750](https://github.com/dotenvx/dotenvx/pull/750))
 
 ## [1.55.1](https://github.com/dotenvx/dotenvx/compare/v1.55.0...v1.55.1) (2026-03-13)
 

package/README.md

@@ -632,7 +632,7 @@ Hello development local
 
 ```sh
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 ```
 
 [![encrypted .env](https://github.com/user-attachments/assets/46dfe1a7-a027-4d80-9207-789eccc325dc)](https://dotenvx.com)
@@ -1562,8 +1562,7 @@ Encrypt the contents of a `.env` file to an encrypted `.env` file.
 $ echo "HELLO=World" > .env
 
 $ dotenvx encrypt
-✔ encrypted (.env)
-✔ key added to .env.keys (DOTENV_PRIVATE_KEY)
+◈ encrypted (.env) + key (.env.keys)
 ⮕  next run [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys
 ⮕  next run [DOTENV_PRIVATE_KEY='122...0b8' dotenvx run -- yourcommand] to test decryption locally
 ```
@@ -1578,8 +1577,7 @@ $ echo "HELLO=World" > .env
 $ echo "HELLO=Production" > .env.production
 
 $ dotenvx encrypt -f .env.production
-✔ encrypted (.env.production)
-✔ key added to .env.keys (DOTENV_PRIVATE_KEY_PRODUCTION)
+◈ encrypted (.env.production) + key (.env.keys)
 ⮕  next run [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys
 ⮕  next run [DOTENV_PRIVATE_KEY='bff...bc4' dotenvx run -- yourcommand] to test decryption locally
 ```
@@ -1594,7 +1592,7 @@ $ mkdir -p apps/app1
 $ echo "HELLO=World" > apps/app1/.env
 
 $ dotenvx encrypt -fk .env.keys -f apps/app1/.env
-✔ encrypted (apps/app1/.env)
+◈ encrypted (apps/app1/.env)
 ```
 
 Put it to use.
@@ -1619,7 +1617,7 @@ Specify the key(s) to encrypt by passing `--key`.
 $ echo "HELLO=World\nHELLO2=Universe" > .env
 
 $ dotenvx encrypt -k HELLO2
-✔ encrypted (.env)
+◈ encrypted (.env)
 ```
 
 Even specify a glob pattern.
@@ -1628,7 +1626,7 @@ Even specify a glob pattern.
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 
 $ dotenvx encrypt -k "HE*"
-✔ encrypted (.env)
+◈ encrypted (.env)
 ```
 
 </details>
@@ -1640,7 +1638,7 @@ Specify the key(s) to NOT encrypt by passing `--exclude-key`.
 $ echo "HELLO=World\nHELLO2=Universe" > .env
 
 $ dotenvx encrypt -ek HELLO
-✔ encrypted (.env)
+◈ encrypted (.env)
 ```
 
 Even specify a glob pattern.
@@ -1649,7 +1647,7 @@ Even specify a glob pattern.
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 
 $ dotenvx encrypt -ek "HO*"
-✔ encrypted (.env)
+◈ encrypted (.env)
 ```
 
 </details>
@@ -1684,9 +1682,9 @@ Decrypt the contents of an encrypted `.env` file to an unencrypted `.env` file.
 ```sh
 $ echo "HELLO=World" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx decrypt
-✔ decrypted (.env)
+◇ decrypted (.env)
 ```
 
 </details>
@@ -1699,9 +1697,9 @@ $ echo "HELLO=World" > .env
 $ echo "HELLO=Production" > .env.production
 
 $ dotenvx encrypt -f .env.production
-✔ encrypted (.env.production)
+◈ encrypted (.env.production)
 $ dotenvx decrypt -f .env.production
-✔ decrypted (.env.production)
+◇ decrypted (.env.production)
 ```
 
 </details>
@@ -1714,9 +1712,9 @@ $ mkdir -p apps/app1
 $ echo "HELLO=World" > apps/app1/.env
 
 $ dotenvx encrypt -fk .env.keys -f apps/app1/.env
-✔ encrypted (apps/app1/.env)
+◈ encrypted (apps/app1/.env)
 $ dotenvx decrypt -fk .env.keys -f apps/app1/.env
-✔ decrypted (apps/app1/.env)
+◇ decrypted (apps/app1/.env)
 ```
 
 </details>
@@ -1727,9 +1725,9 @@ Decrypt the contents of a specified key inside an encrypted `.env` file.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx decrypt -k HELLO
-✔ decrypted (.env)
+◇ decrypted (.env)
 ```
 
 Even specify a glob pattern.
@@ -1737,9 +1735,9 @@ Even specify a glob pattern.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx decrypt -k "HE*"
-✔ encrypted (.env)
+◇ decrypted (.env)
 ```
 
 </details>
@@ -1750,9 +1748,9 @@ Decrypt the contents inside an encrypted `.env` file except for an excluded key.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx decrypt -ek HOLA
-✔ decrypted (.env)
+◇ decrypted (.env)
 ```
 
 Even specify a glob pattern.
@@ -1760,9 +1758,9 @@ Even specify a glob pattern.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx decrypt -ek "HO*"
-✔ encrypted (.env)
+◇ decrypted (.env)
 ```
 
 </details>
@@ -1933,9 +1931,9 @@ Rotate public/private keys for `.env` file and re-encrypt all encrypted values.
 ```sh
 $ echo "HELLO=World" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx rotate
-✔ rotated (.env)
+⟳ rotated (.env)
 ```
 
 </details>
@@ -1948,9 +1946,9 @@ $ echo "HELLO=World" > .env
 $ echo "HELLO=Production" > .env.production
 
 $ dotenvx encrypt -f .env.production
-✔ encrypted (.env.production)
+◈ encrypted (.env.production)
 $ dotenvx rotate -f .env.production
-✔ rotated (.env.production)
+⟳ rotated (.env.production)
 ```
 
 </details>
@@ -1963,9 +1961,9 @@ $ mkdir -p apps/app1
 $ echo "HELLO=World" > apps/app1/.env
 
 $ dotenvx encrypt -fk .env.keys -f apps/app1/.env
-✔ encrypted (apps/app1/.env)
+◈ encrypted (apps/app1/.env)
 $ dotenvx rotate -fk .env.keys -f apps/app1/.env
-✔ rotated (apps/app1/.env)
+⟳ rotated (apps/app1/.env)
 ```
 
 </details>
@@ -1976,9 +1974,9 @@ Rotate the contents of a specified key inside an encrypted `.env` file.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx rotate -k HELLO
-✔ rotated (.env)
+⟳ rotated (.env)
 ```
 
 Even specify a glob pattern.
@@ -1986,9 +1984,9 @@ Even specify a glob pattern.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx rotate -k "HE*"
-✔ rotated (.env)
+⟳ rotated (.env)
 ```
 
 </details>
@@ -1999,9 +1997,9 @@ Rotate the encrypted contents inside an encrypted `.env` file except for an excl
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx rotate -ek HOLA
-✔ rotated (.env)
+⟳ rotated (.env)
 ```
 
 Even specify a glob pattern.
@@ -2009,9 +2007,9 @@ Even specify a glob pattern.
 ```sh
 $ echo "HELLO=World\nHOLA=Mundo" > .env
 $ dotenvx encrypt
-✔ encrypted (.env)
+◈ encrypted (.env)
 $ dotenvx rotate -ek "HO*"
-✔ rotated (.env)
+⟳ rotated (.env)
 ```
 
 </details>
@@ -2126,7 +2124,7 @@ In one command, generate a `.env.example` file from your current `.env` file con
 $ echo "HELLO=World" > .env
 
 $ dotenvx ext genexample
-✔ updated .env.example (1)
+▣ generated (.env.example)
 ```
 
 ```ini
@@ -2144,7 +2142,7 @@ $ echo "HELLO=World" > .env
 $ echo "DB_HOST=example.com" > .env.production
 
 $ dotenvx ext genexample -f .env -f .env.production
-✔ updated .env.example (2)
+▣ generated (.env.example)
 ```
 
 ```ini
@@ -2164,7 +2162,7 @@ $ mkdir -p apps/backend
 $ echo "HELLO=Backend" > apps/backend/.env
 
 $ dotenvx ext genexample apps/backend
-✔ updated .env.example (1)
+▣ generated (.env.example)
 ```
 
 ```ini
@@ -2179,7 +2177,7 @@ Gitignore your `.env` files.
 
 ```sh
 $ dotenvx ext gitignore
-✔ ignored .env* (.gitignore)
+▣ ignored .env* (.gitignore)
 ```
 
 </details>
@@ -2189,7 +2187,7 @@ Gitignore specific pattern(s) of `.env` files.
 
 ```sh
 $ dotenvx ext gitignore --pattern .env.keys
-✔ ignored .env.keys (.gitignore)
+▣ ignored .env.keys (.gitignore)
 ```
 
 </details>
@@ -2623,7 +2621,7 @@ Log in.
 $ dotenvx-ops login
 press Enter to open [https://ops.dotenvx.com/login/device] and enter code [D9C1-03BC]... (Y/n)
 ⠹ waiting on browser authorization
-✔ logged in [username] to this device and activated token [dxo_6kjPifI…]
+◈ logged in [username] to this device and activated token [dxo_6kjPifI…]
 ```
 
 </details>
@@ -2633,7 +2631,7 @@ Log out.
 
 ```sh
 $ dotenvx ops logout
-✔ logged out [username] from this device and revoked token [dxo_5ZrwRXV…]
+◈ logged out [username] from this device and revoked token [dxo_5ZrwRXV…]
 ```
 
 </details>

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.55.1",
+  "version": "1.57.0",
   "name": "@dotenvx/dotenvx",
   "description": "a secure dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -35,8 +35,8 @@
   "scripts": {
     "standard": "standard",
     "standard:fix": "standard --fix",
-    "test": "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
-    "test-coverage": "tap run --show-full-coverage --timeout=60000",
+    "test": "tap run --test-env=DOTENVX_OPS_OFF=true --allow-empty-coverage --disable-coverage --timeout=60000",
+    "test-coverage": "tap run --test-env=DOTENVX_OPS_OFF=true --show-full-coverage --timeout=60000",
     "testshell": "bash shellspec",
     "prerelease": "npm test && npm run testshell",
     "release": "standard-version"

package/src/cli/actions/decrypt.js

@@ -70,9 +70,9 @@ function decrypt () {
       }
 
       if (changedFilepaths.length > 0) {
-        logger.success(`✔ decrypted (${changedFilepaths.join(',')})`)
+        logger.success(`◇ decrypted (${changedFilepaths.join(',')})`)
       } else if (unchangedFilepaths.length > 0) {
-        logger.info(`no changes (${unchangedFilepaths})`)
+        logger.info(`○ no changes (${unchangedFilepaths})`)
       } else {
         // do nothing - scenario when no .env files found
       }

package/src/cli/actions/encrypt.js

@@ -4,7 +4,7 @@ const { logger } = require('./../../shared/logger')
 const Encrypt = require('./../../lib/services/encrypt')
 
 const catchAndLog = require('../../lib/helpers/catchAndLog')
-const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
+const localDisplayPath = require('../../lib/helpers/localDisplayPath')
 
 function encrypt () {
   const options = this.opts()
@@ -53,26 +53,22 @@ function encrypt () {
       }
 
       if (changedFilepaths.length > 0) {
-        logger.success(`✔ encrypted (${changedFilepaths.join(',')})`)
+        const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
+        let msg = `◈ encrypted (${changedFilepaths.join(',')})`
+        if (keyAddedEnv) {
+          const envKeysFilepath = localDisplayPath(keyAddedEnv.envKeysFilepath)
+          msg += ` + key (${envKeysFilepath})`
+        }
+        logger.success(msg)
       } else if (unchangedFilepaths.length > 0) {
-        logger.info(`no changes (${unchangedFilepaths})`)
+        logger.info(`○ no changes (${unchangedFilepaths})`)
       } else {
         // do nothing - scenario when no .env files found
       }
 
       for (const processedEnv of processedEnvs) {
         if (processedEnv.privateKeyAdded) {
-          // Ops hook point (first-time key created for this env file):
-          // gate with `opsOn` and an Ops-installed check before calling your
-          // Ops service (for example: backup/register processedEnv.privateKey).
-          logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
-          // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
-
-          if (!isIgnoringDotenvKeys()) {
-            logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')
-          }
-
-          logger.help(`⮕  next run: [${processedEnv.privateKeyName}='${processedEnv.privateKey}' dotenvx run -- yourcommand] to test decryption locally`)
+          // intentionally quiet: success line already communicates key creation
         }
       }
     } catch (error) {

package/src/cli/actions/ext/genexample.js

@@ -1,4 +1,5 @@
 const fsx = require('./../../../lib/helpers/fsx')
+const path = require('path')
 const main = require('./../../../lib/main')
 const { logger } = require('./../../../shared/logger')
 
@@ -21,9 +22,9 @@ function genexample (directory) {
     fsx.writeFileX(exampleFilepath, envExampleFile)
 
     if (addedKeys.length > 0) {
-      logger.success(`updated .env.example (${addedKeys.length})`)
+      logger.success(`▣ generated (${path.basename(exampleFilepath)})`)
     } else {
-      logger.info('no changes (.env.example)')
+      logger.info('○ no changes (.env.example)')
     }
   } catch (error) {
     logger.error(error.message)

package/src/cli/actions/ext/gitignore.js

@@ -34,9 +34,9 @@ class Generic {
     })
 
     if (changedPatterns.length > 0) {
-      logger.success(`✔ ignored ${this.patterns} (${this.filename})`)
+      logger.success(`▣ ignored ${this.patterns} (${this.filename})`)
     } else {
-      logger.info(`no changes (${this.filename})`)
+      logger.info(`○ no changes (${this.filename})`)
     }
   }
 }

package/src/cli/actions/get.js

@@ -12,6 +12,7 @@ function get (key) {
 
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
+  const prettyPrint = options.prettyPrint || options.pp
 
   const ignore = options.ignore || []
 
@@ -24,7 +25,8 @@ function get (key) {
   }
 
   try {
-    const { parsed, errors } = new Get(key, envs, options.overload, process.env.DOTENV_KEY, options.all, options.envKeysFile).run()
+    const opsOn = options.opsOff !== true
+    const { parsed, errors } = new Get(key, envs, options.overload, options.all, options.envKeysFile, opsOn).run()
 
     for (const error of errors || []) {
       if (options.strict) throw error // throw immediately if strict
@@ -65,7 +67,7 @@ function get (key) {
         console.log(inline)
       } else {
         let space = 0
-        if (options.prettyPrint) {
+        if (prettyPrint) {
           space = 2
         }
 

package/src/cli/actions/keypair.js

@@ -9,8 +9,9 @@ function keypair (key) {
 
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
+  const prettyPrint = options.prettyPrint || options.pp
 
-  const results = main.keypair(options.envFile, key, options.envKeysFile)
+  const results = main.keypair(options.envFile, key, options.envKeysFile, options.opsOff)
 
   if (typeof results === 'object' && results !== null) {
     // inline shell format - env $(dotenvx keypair --format=shell) your-command
@@ -25,7 +26,7 @@ function keypair (key) {
     // json format
     } else {
       let space = 0
-      if (options.prettyPrint) {
+      if (prettyPrint) {
         space = 2
       }
 

package/src/cli/actions/rotate.js

@@ -4,24 +4,27 @@ const { logger } = require('./../../shared/logger')
 const Rotate = require('./../../lib/services/rotate')
 
 const catchAndLog = require('../../lib/helpers/catchAndLog')
-const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
+const localDisplayPath = require('../../lib/helpers/localDisplayPath')
 
 function rotate () {
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
   const envs = this.envs
+  const opsOn = options.opsOff !== true
 
   // stdout - should not have a try so that exit codes can surface to stdout
   if (options.stdout) {
     const {
       processedEnvs
-    } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile).run()
+    } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
     for (const processedEnv of processedEnvs) {
       console.log(processedEnv.envSrc)
-      console.log('')
-      console.log(processedEnv.envKeysSrc)
+      if (processedEnv.privateKeyAdded) {
+        console.log('')
+        console.log(processedEnv.envKeysSrc)
+      }
     }
     process.exit(0) // exit early
   } else {
@@ -30,7 +33,7 @@ function rotate () {
         processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile).run()
+      } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
       for (const processedEnv of processedEnvs) {
         logger.verbose(`rotating ${processedEnv.envFilepath} (${processedEnv.filepath})`)
@@ -46,7 +49,9 @@ function rotate () {
           }
         } else if (processedEnv.changed) {
           fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
-          fsx.writeFileX(processedEnv.envKeysFilepath, processedEnv.envKeysSrc)
+          if (processedEnv.privateKeyAdded) {
+            fsx.writeFileX(processedEnv.envKeysFilepath, processedEnv.envKeysSrc)
+          }
 
           logger.verbose(`rotated ${processedEnv.envFilepath} (${processedEnv.filepath})`)
         } else {
@@ -55,25 +60,18 @@ function rotate () {
       }
 
       if (changedFilepaths.length > 0) {
-        logger.success(`✔ rotated (${changedFilepaths.join(',')})`)
+        const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
+        let msg = `⟳ rotated (${changedFilepaths.join(',')})`
+        if (keyAddedEnv) {
+          const envKeysFilepath = localDisplayPath(keyAddedEnv.envKeysFilepath)
+          msg += ` + key (${envKeysFilepath})`
+        }
+        logger.success(msg)
       } else if (unchangedFilepaths.length > 0) {
-        logger.info(`no changes (${unchangedFilepaths})`)
+        logger.info(`○ no changes (${unchangedFilepaths})`)
       } else {
         // do nothing - scenario when no .env files found
       }
-
-      for (const processedEnv of processedEnvs) {
-        if (processedEnv.privateKeyAdded) {
-          logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
-          // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
-
-          if (!isIgnoringDotenvKeys()) {
-            logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')
-          }
-
-          logger.help(`⮕  next run: [${processedEnv.privateKeyName}='${processedEnv.privateKey}' dotenvx get] to test decryption locally`)
-        }
-      }
     } catch (error) {
       catchAndLog(error)
       process.exit(1)

package/src/cli/actions/run.js

@@ -5,7 +5,6 @@ const executeCommand = require('./../../lib/helpers/executeCommand')
 const Run = require('./../../lib/services/run')
 
 const conventions = require('./../../lib/helpers/conventions')
-const DeprecationNotice = require('./../../lib/helpers/deprecationNotice')
 
 async function run () {
   const commandArgs = this.args
@@ -41,26 +40,14 @@ async function run () {
       envs = this.envs
     }
 
-    new DeprecationNotice().dotenvKey() // DEPRECATION NOTICE
-
     const {
       processedEnvs,
       readableStrings,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, options.overload, process.env.DOTENV_KEY, process.env, options.envKeysFile, opsOn).run()
-
-    if (opsOn) {
-      // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
-      // try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
-    }
+    } = new Run(envs, options.overload, process.env, options.envKeysFile, opsOn).run()
 
     for (const processedEnv of processedEnvs) {
-      if (processedEnv.type === 'envVaultFile') {
-        logger.verbose(`loading env from encrypted ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-        logger.debug(`decrypting encrypted env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-      }
-
       if (processedEnv.type === 'envFile') {
         logger.verbose(`loading env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
       }

package/src/cli/actions/set.js

@@ -4,7 +4,7 @@ const { logger } = require('./../../shared/logger')
 const Sets = require('./../../lib/services/sets')
 
 const catchAndLog = require('../../lib/helpers/catchAndLog')
-const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
+const localDisplayPath = require('../../lib/helpers/localDisplayPath')
 
 function set (key, value) {
   logger.debug(`key: ${key}`)
@@ -22,12 +22,13 @@ function set (key, value) {
   try {
     const envs = this.envs
     const envKeysFilepath = options.envKeysFile
+    const opsOn = options.opsOff !== true
 
     const {
       processedEnvs,
       changedFilepaths,
       unchangedFilepaths
-    } = new Sets(key, value, envs, encrypt, envKeysFilepath).run()
+    } = new Sets(key, value, envs, encrypt, envKeysFilepath, opsOn).run()
 
     let withEncryption = ''
 
@@ -56,26 +57,25 @@ function set (key, value) {
       }
     }
 
+    const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
+    const keyAddedSuffix = keyAddedEnv ? ` + key (${localDisplayPath(keyAddedEnv.envKeysFilepath)})` : ''
+
     if (changedFilepaths.length > 0) {
-      logger.success(`✔ set ${key}${withEncryption} (${changedFilepaths.join(',')})`)
+      if (encrypt) {
+        logger.success(`◈ encrypted ${key} (${changedFilepaths.join(',')})${keyAddedSuffix}`)
+      } else {
+        logger.success(`◇ set ${key} (${changedFilepaths.join(',')})`)
+      }
+    } else if (encrypt && keyAddedEnv) {
+      const keyAddedEnvFilepath = keyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
+      logger.success(`◈ encrypted ${key} (${keyAddedEnvFilepath})${keyAddedSuffix}`)
     } else if (unchangedFilepaths.length > 0) {
-      logger.info(`no changes (${unchangedFilepaths})`)
+      logger.info(`○ no changes (${unchangedFilepaths})`)
     } else {
       // do nothing
     }
 
-    for (const processedEnv of processedEnvs) {
-      if (processedEnv.privateKeyAdded) {
-        logger.success(`✔ key added to ${processedEnv.envKeysFilepath} (${processedEnv.privateKeyName})`)
-        // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
-
-        if (!isIgnoringDotenvKeys()) {
-          logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')
-        }
-
-        logger.help(`⮕  next run: [${processedEnv.privateKeyName}='${processedEnv.privateKey}' dotenvx get ${key}] to test decryption locally`)
-      }
-    }
+    // intentionally quiet: success line communicates key creation
   } catch (error) {
     catchAndLog(error)
     process.exit(1)

package/src/cli/commands/ext.js

@@ -10,9 +10,6 @@ ext
   .description('🔌 extensions')
   .allowUnknownOption()
 
-// list known extensions here you want to display
-ext.addHelpText('after', '  vault                             🔐 manage .env.vault files')
-
 ext
   .argument('[command]', 'dynamic ext command')
   .argument('[args...]', 'dynamic ext command arguments')