@meshxdata/fops 0.0.3 → 0.0.5

package/src/feature-flags.js

@@ -0,0 +1,197 @@
+import fs from "node:fs";
+import path from "node:path";
+import chalk from "chalk";
+import { execa } from "execa";
+import inquirer from "inquirer";
+
+/**
+ * Canonical feature flags — the complete set known to the platform.
+ * Label is a human-readable short description for the toggle UI.
+ */
+const KNOWN_FLAGS = {
+  MX_FF_STORAGE_EXPLORER_ENABLED: "Storage Explorer",
+  MX_FF_USER_MANAGEMENT_ENABLED: "User Management",
+  MX_FF_SETTINGS_PAGE_ENABLED: "Settings Page",
+  MX_FF_ENCRYPTION_STATUS_DISPLAY: "Encryption Status",
+  MX_FF_USER_PAT_ENABLED: "User PAT (Personal Access Tokens)",
+  MX_FF_SENTRY_ENABLED: "Sentry Error Tracking",
+  MX_FF_EXPLORER_ENABLED: "Data Explorer",
+  MX_FF_NEW_PROFILE_ENABLED: "New Profile Page",
+};
+
+/**
+ * Parse docker-compose.yaml for all MX_FF_* entries.
+ * Returns a map: flagName → { value, services: Set<string>, lines: [{ lineNum, original }] }
+ */
+function parseComposeFlags(composePath) {
+  const content = fs.readFileSync(composePath, "utf8");
+  const lines = content.split("\n");
+  const flags = {};
+
+  // Track which service block we're in
+  let currentService = null;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+
+    // Service definition: exactly 2-space indent, ends with colon only
+    const svcMatch = line.match(/^  ([a-z][\w-]+):\s*$/);
+    if (svcMatch) {
+      currentService = svcMatch[1];
+    }
+
+    // Match MX_FF_* in both YAML map and list formats
+    // Map format:  MX_FF_NAME: "value"
+    const mapMatch = line.match(/\b(MX_FF_\w+)\s*:\s*"?(true|false)"?/);
+    // List format:  - MX_FF_NAME=value
+    const listMatch = !mapMatch && line.match(/[-]\s*(MX_FF_\w+)\s*=\s*(true|false)/);
+
+    const match = mapMatch || listMatch;
+    if (match) {
+      const name = match[1];
+      const value = match[2] === "true";
+
+      if (!flags[name]) {
+        flags[name] = { value, services: new Set(), lines: [] };
+      }
+      flags[name].lines.push({ lineNum: i, original: line });
+      if (currentService) flags[name].services.add(currentService);
+      // If any occurrence is true, treat the flag as enabled
+      if (value) flags[name].value = true;
+    }
+  }
+
+  return flags;
+}
+
+/**
+ * Update docker-compose.yaml by flipping flag values on specific lines.
+ */
+function updateComposeFlags(composePath, changes) {
+  const content = fs.readFileSync(composePath, "utf8");
+  const lines = content.split("\n");
+
+  for (const { lineNum, newValue } of changes) {
+    const line = lines[lineNum];
+    lines[lineNum] = line
+      .replace(/(MX_FF_\w+\s*:\s*)"?(true|false)"?/, `$1"${newValue}"`)
+      .replace(/(MX_FF_\w+=)(true|false)/, `$1${newValue}`);
+  }
+
+  fs.writeFileSync(composePath, lines.join("\n"));
+}
+
+/**
+ * Interactive feature flag configuration.
+ * Reads flags from compose, presents toggle UI, applies changes, restarts services.
+ */
+export async function runFeatureFlags(root) {
+  const composePath = path.join(root, "docker-compose.yaml");
+  if (!fs.existsSync(composePath)) {
+    console.log(chalk.red("  No docker-compose.yaml found."));
+    return;
+  }
+
+  console.log(chalk.bold.cyan("\n  Feature Flags\n"));
+
+  // Parse current state from compose
+  const composeFlags = parseComposeFlags(composePath);
+
+  // Build the full flag list: compose flags + canonical flags not yet in compose
+  const allFlags = {};
+  for (const [name, info] of Object.entries(composeFlags)) {
+    allFlags[name] = { ...info, inCompose: true };
+  }
+  for (const name of Object.keys(KNOWN_FLAGS)) {
+    if (!allFlags[name]) {
+      allFlags[name] = { value: false, services: new Set(), lines: [], inCompose: false };
+    }
+  }
+
+  const flagNames = Object.keys(allFlags).sort();
+
+  // Show current state
+  for (const name of flagNames) {
+    const flag = allFlags[name];
+    const label = KNOWN_FLAGS[name] || name;
+    const services = flag.services.size > 0 ? chalk.dim(` (${[...flag.services].join(", ")})`) : "";
+    if (flag.value) {
+      console.log(chalk.green(`  ✓ ${label}`) + services);
+    } else {
+      console.log(chalk.dim(`  · ${label}`) + services);
+    }
+  }
+  console.log("");
+
+  // Checkbox prompt
+  const choices = flagNames.map((name) => ({
+    name: KNOWN_FLAGS[name] || name,
+    value: name,
+    checked: allFlags[name].value,
+  }));
+
+  const { enabled } = await inquirer.prompt([{
+    type: "checkbox",
+    name: "enabled",
+    message: "Toggle feature flags:",
+    choices,
+  }]);
+
+  // Calculate changes
+  const changes = [];
+  const affectedServices = new Set();
+
+  for (const name of flagNames) {
+    const flag = allFlags[name];
+    const newValue = enabled.includes(name);
+
+    if (newValue !== flag.value) {
+      if (flag.inCompose) {
+        for (const line of flag.lines) {
+          changes.push({ lineNum: line.lineNum, newValue: String(newValue) });
+        }
+        for (const svc of flag.services) affectedServices.add(svc);
+      } else if (newValue) {
+        console.log(chalk.yellow(`  ⚠ ${KNOWN_FLAGS[name] || name} not in docker-compose.yaml — add it to service environments to take effect`));
+      }
+    }
+  }
+
+  if (changes.length === 0) {
+    console.log(chalk.dim("\n  No changes.\n"));
+    return;
+  }
+
+  // Apply changes to compose file
+  updateComposeFlags(composePath, changes);
+  console.log(chalk.green(`\n  ✓ Updated ${changes.length} flag value(s) in docker-compose.yaml`));
+
+  if (affectedServices.size === 0) {
+    console.log("");
+    return;
+  }
+
+  // Restart affected services
+  const serviceList = [...affectedServices];
+  console.log(chalk.dim(`  Affected: ${serviceList.join(", ")}`));
+
+  const { restart } = await inquirer.prompt([{
+    type: "confirm",
+    name: "restart",
+    message: `Restart ${serviceList.length} service(s)?`,
+    default: true,
+  }]);
+
+  if (restart) {
+    console.log(chalk.cyan(`\n  ▶ docker compose up -d ${serviceList.join(" ")}\n`));
+    await execa("docker", ["compose", "up", "-d", ...serviceList], {
+      cwd: root,
+      stdio: "inherit",
+      reject: false,
+      timeout: 120_000,
+    });
+    console.log(chalk.green("\n  ✓ Services restarted.\n"));
+  } else {
+    console.log(chalk.dim("\n  Changes saved. Restart manually: docker compose up -d\n"));
+  }
+}

package/src/plugins/api.js

@@ -42,5 +42,19 @@ export function createPluginApi(pluginId, registry) {
         search: source.search,
       });
     },
+
+    registerAutoRunPattern(pattern) {
+      registry.autoRunPatterns.push({ pluginId, pattern });
+    },
+
+    registerAgent(agent) {
+      registry.agents.push({
+        pluginId,
+        name: agent.name,
+        description: agent.description || "",
+        systemPrompt: agent.systemPrompt,
+        contextMode: agent.contextMode || "full",
+      });
+    },
   };
 }

package/src/plugins/builtins/stack-api.js

@@ -0,0 +1,36 @@
+import http from "node:http";
+
+/**
+ * Built-in Stack API plugin.
+ * Registers a doctor check (health ping) and auto-run patterns for curl commands.
+ */
+export function register(api) {
+  // Doctor check — ping GET /health on localhost:3090
+  api.registerDoctorCheck({
+    name: "Stack API",
+    fn: async (ok, warn) => {
+      try {
+        const body = await new Promise((resolve, reject) => {
+          const req = http.get("http://localhost:3090/health", { timeout: 3000 }, (res) => {
+            let data = "";
+            res.on("data", (chunk) => { data += chunk; });
+            res.on("end", () => {
+              if (res.statusCode === 200) resolve(data);
+              else reject(new Error(`HTTP ${res.statusCode}`));
+            });
+          });
+          req.on("error", reject);
+          req.on("timeout", () => { req.destroy(); reject(new Error("timeout")); });
+        });
+        ok("Stack API", `healthy — ${body.trim().slice(0, 60)}`);
+      } catch {
+        warn("Stack API", "not reachable on localhost:3090");
+      }
+    },
+  });
+
+  // Auto-run: GET curl commands to the stack API execute without confirmation
+  api.registerAutoRunPattern("curl http://localhost:3090/");
+  api.registerAutoRunPattern("curl -s http://localhost:3090/");
+  api.registerAutoRunPattern("curl --silent http://localhost:3090/");
+}

package/src/plugins/loader.js

@@ -1,10 +1,50 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
+import { fileURLToPath } from "node:url";
 import { createRegistry } from "./registry.js";
 import { validateManifest } from "./manifest.js";
 import { discoverPlugins } from "./discovery.js";
 import { createPluginApi } from "./api.js";
+import { loadBuiltinAgents } from "../agent/agents.js";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+/**
+ * Ensure ~/.fops/plugins/node_modules symlinks to the CLI's node_modules.
+ * This lets global plugins resolve bare imports (chalk, execa, inquirer, etc.)
+ * via Node's upward directory walk.
+ */
+function ensurePluginNodeModules() {
+  const cliNodeModules = path.resolve(__dirname, "../../node_modules");
+  const pluginsDir = path.join(os.homedir(), ".fops", "plugins");
+  const link = path.join(pluginsDir, "node_modules");
+
+  if (!fs.existsSync(cliNodeModules)) return;
+  if (!fs.existsSync(pluginsDir)) return;
+
+  try {
+    const stat = fs.lstatSync(link);
+    // Already a symlink — check it points to the right place
+    if (stat.isSymbolicLink()) {
+      const target = fs.readlinkSync(link);
+      if (path.resolve(pluginsDir, target) === cliNodeModules) return;
+      // Stale symlink — remove and recreate
+      fs.unlinkSync(link);
+    } else {
+      // Not a symlink (somehow a real dir) — leave it alone
+      return;
+    }
+  } catch {
+    // Doesn't exist — create it
+  }
+
+  try {
+    fs.symlinkSync(cliNodeModules, link, "junction");
+  } catch {
+    // Non-fatal — plugins that use only node: builtins still work
+  }
+}
 
 /**
  * Parse SKILL.md frontmatter (lightweight, same logic as skills.js).
@@ -37,12 +77,39 @@ function isPluginEnabled(pluginId) {
   return true;
 }
 
+/**
+ * Load built-in plugins from ./builtins/ directory.
+ * Each module must export a register(api) function.
+ */
+async function loadBuiltinPlugins(registry) {
+  const builtinsDir = path.join(__dirname, "builtins");
+  if (!fs.existsSync(builtinsDir)) return;
+
+  const entries = fs.readdirSync(builtinsDir).filter((f) => f.endsWith(".js"));
+  for (const file of entries) {
+    try {
+      const mod = await import(path.join(builtinsDir, file));
+      const plugin = mod.default || mod;
+      if (typeof plugin.register === "function") {
+        const pluginId = `builtin:${path.basename(file, ".js")}`;
+        const api = createPluginApi(pluginId, registry);
+        await plugin.register(api);
+      }
+    } catch (err) {
+      console.error(`  Built-in plugin "${file}" failed to load: ${err.message}`);
+    }
+  }
+}
+
 /**
  * Load and activate all discovered plugins.
  * Returns a populated PluginRegistry.
  */
 export async function loadPlugins() {
+  ensurePluginNodeModules();
   const registry = createRegistry();
+  loadBuiltinAgents(registry);
+  await loadBuiltinPlugins(registry);
   const candidates = discoverPlugins();
 
   for (const candidate of candidates) {

package/src/plugins/registry.js

@@ -11,5 +11,7 @@ export function createRegistry() {
     hooks: [],         // { pluginId, event, handler, priority }
     skills: [],        // { pluginId, name, description, content }
     knowledgeSources: [], // { pluginId, name, description, search }
+    autoRunPatterns: [], // { pluginId, pattern: string } — commands matching these prefixes auto-execute
+    agents: [],        // { pluginId, name, description, systemPrompt, contextMode }
   };
 }

package/src/project.js

@@ -49,12 +49,31 @@ export function rootDir(cwd = process.cwd()) {
   return null;
 }
 
+/**
+ * Check whether the Foundation project is fully initialised.
+ * Returns null when ready, or a short reason string when not.
+ */
+export function checkInitState(root) {
+  if (!root) return "no project root";
+  if (!fs.existsSync(path.join(root, ".env"))) return "missing .env";
+  // Check that at least one submodule dir has content
+  const markers = ["foundation-backend", "foundation-frontend", "foundation-storage-engine"];
+  const empty = markers.filter((d) => {
+    const dir = path.join(root, d);
+    if (!fs.existsSync(dir)) return true;
+    try { return fs.readdirSync(dir).length === 0; } catch { return true; }
+  });
+  if (empty.length === markers.length) return "submodules not cloned";
+  return null;
+}
+
 export function requireRoot(program) {
   const r = rootDir();
   if (!r) {
     console.error(
-      chalk.red("Not a Foundation project (no docker-compose + Makefile). Run from foundation-compose or set FOUNDATION_ROOT.")
+      chalk.red("Not a Foundation project (no docker-compose + Makefile).")
     );
+    console.error(chalk.dim("  Run `fops init` to set up, or set FOUNDATION_ROOT."));
     program.error({ exitCode: 1 });
   }
   return r;

package/src/setup/aws.js

@@ -1,7 +1,6 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import readline from "node:readline";
 import chalk from "chalk";
 import { execa } from "execa";
 import inquirer from "inquirer";
@@ -32,8 +31,8 @@ export function saveFopsConfig(config) {
  */
 export async function promptAwsSsoConfig() {
   console.log(chalk.cyan("\n  AWS SSO Configuration\n"));
-  console.log(chalk.gray("  We'll set up an AWS CLI profile for ECR image pulls."));
-  console.log(chalk.gray("  You can find these values in your AWS SSO portal.\n"));
+  console.log(chalk.dim("  We'll set up an AWS CLI profile for ECR image pulls."));
+  console.log(chalk.dim("  You can find these values in your AWS SSO portal.\n"));
 
   const answers = await inquirer.prompt([
     {
@@ -138,20 +137,6 @@ export function detectAwsSsoProfiles() {
   return profiles;
 }
 
-/**
- * Simple readline prompt helper.
- */
-function ask(question, defaultVal) {
-  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-  const suffix = defaultVal ? chalk.gray(` (${defaultVal})`) : "";
-  return new Promise((resolve) => {
-    rl.question(`  ${question}${suffix}: `, (answer) => {
-      rl.close();
-      resolve(answer.trim() || defaultVal || "");
-    });
-  });
-}
-
 /**
  * Check if ~/.aws/config has an sso-session block with sso_start_url.
  * If not, prompt user for the values and write them.
@@ -164,40 +149,37 @@ export async function ensureSsoConfig() {
   if (/sso_start_url\s*=/.test(content)) return; // already configured
 
   console.log(chalk.cyan("\n  AWS SSO is not configured. Let's set it up.\n"));
-  console.log(chalk.gray("  You can find these values in your AWS SSO portal.\n"));
-
-  const sessionName = await ask("SSO session name", "meshx");
-  const startUrl = await ask("SSO start URL");
-  const ssoRegion = await ask("SSO region", "us-east-1");
-  const accountId = await ask("AWS account ID");
-  const roleName = await ask("SSO role name", "AdministratorAccess");
-  const region = await ask("Default region", ssoRegion);
-  const profileName = await ask("Profile name", "dev");
-
-  if (!startUrl || !accountId) {
-    throw new Error("SSO start URL and account ID are required");
-  }
+  console.log(chalk.dim("  You can find these values in your AWS SSO portal.\n"));
+
+  const answers = await inquirer.prompt([
+    { type: "input", name: "sessionName", message: "SSO session name:", default: "me-central-1" },
+    { type: "input", name: "startUrl", message: "SSO start URL:", validate: (v) => v?.trim() ? true : "Required." },
+    { type: "input", name: "ssoRegion", message: "SSO region:", default: "us-east-1" },
+    { type: "input", name: "accountId", message: "AWS account ID:", validate: (v) => /^\d{12}$/.test(v?.trim()) ? true : "Must be 12 digits." },
+    { type: "input", name: "roleName", message: "SSO role name:", default: "AdministratorAccess" },
+    { type: "input", name: "profileName", message: "Profile name:", default: "dev" },
+    { type: "input", name: "region", message: "Default region:", default: (a) => a.ssoRegion },
+  ]);
 
   // Ensure ~/.aws directory exists
   const awsDir = path.join(os.homedir(), ".aws");
   if (!fs.existsSync(awsDir)) fs.mkdirSync(awsDir, { mode: 0o700 });
 
-  const block = `
-[sso-session ${sessionName}]
-sso_start_url = ${startUrl}
-sso_region = ${ssoRegion}
+  const block = `[sso-session ${answers.sessionName.trim()}]
+sso_start_url = ${answers.startUrl.trim()}
+sso_region = ${answers.ssoRegion.trim()}
 sso_registration_scopes = sso:account:access
 
-[profile ${profileName}]
-sso_session = ${sessionName}
-sso_account_id = ${accountId}
-sso_role_name = ${roleName}
-region = ${region}
+[profile ${answers.profileName.trim()}]
+sso_session = ${answers.sessionName.trim()}
+sso_account_id = ${answers.accountId.trim()}
+sso_role_name = ${answers.roleName.trim()}
+region = ${answers.region.trim()}
 output = json
 `;
 
-  fs.appendFileSync(configPath, block);
-  console.log(chalk.green(`\n  ✓ Written to ~/.aws/config (profile: ${profileName})`));
+  fs.writeFileSync(configPath, block);
+  console.log(chalk.green(`\n  ✓ Written to ~/.aws/config (profile: ${answers.profileName.trim()})`));
 }
 
 /**
@@ -212,7 +194,7 @@ export async function fixAwsSso() {
   }
 
   const profile = profiles[0];
-  console.log(chalk.gray(`  Using AWS profile: ${profile.name}`));
+  console.log(chalk.dim(`  Using AWS profile: ${profile.name}`));
   console.log(chalk.cyan(`  ▶ aws sso login --profile ${profile.name}`));
 
   // Open /dev/tty directly so SSO login gets a real terminal even when
@@ -220,13 +202,44 @@ export async function fixAwsSso() {
   let ttyFd;
   try { ttyFd = fs.openSync("/dev/tty", "r"); } catch { ttyFd = null; }
 
-  await execa("aws", ["sso", "login", "--profile", profile.name], {
+  const { exitCode } = await execa("aws", ["sso", "login", "--profile", profile.name], {
     stdio: [ttyFd ?? "inherit", "inherit", "inherit"],
     reject: false,
     timeout: 120_000,
   });
 
   if (ttyFd !== null) fs.closeSync(ttyFd);
+
+  if (exitCode !== 0) {
+    // SSO login failed — likely bad config. Remove it and re-run setup.
+    console.log(chalk.yellow("  SSO login failed — re-running setup with new values...\n"));
+    const configPath = path.join(os.homedir(), ".aws", "config");
+    if (fs.existsSync(configPath)) fs.unlinkSync(configPath);
+    await ensureSsoConfig();
+
+    const retryProfiles = detectAwsSsoProfiles();
+    if (retryProfiles.length === 0) {
+      throw new Error("No SSO profiles found after config — check ~/.aws/config");
+    }
+
+    const retryProfile = retryProfiles[0];
+    console.log(chalk.cyan(`  ▶ aws sso login --profile ${retryProfile.name}`));
+
+    let retryTtyFd;
+    try { retryTtyFd = fs.openSync("/dev/tty", "r"); } catch { retryTtyFd = null; }
+
+    const { exitCode: retryCode } = await execa("aws", ["sso", "login", "--profile", retryProfile.name], {
+      stdio: [retryTtyFd ?? "inherit", "inherit", "inherit"],
+      reject: false,
+      timeout: 120_000,
+    });
+
+    if (retryTtyFd !== null) fs.closeSync(retryTtyFd);
+
+    if (retryCode !== 0) {
+      throw new Error("SSO login failed. Check your SSO start URL and region in ~/.aws/config");
+    }
+  }
 }
 
 /**
@@ -358,8 +371,8 @@ export async function checkEcrRepos(dir, awsConfig) {
     const missing = neededRepos.filter((r) => !existingRepos.includes(r));
     if (missing.length > 0) {
       console.log(chalk.yellow("\n⚠ These ECR repos are referenced but don't exist (will need local build):"));
-      for (const r of missing) console.log(chalk.gray(`  ✗ ${r}`));
-      console.log(chalk.gray("  These services will be built from source instead.\n"));
+      for (const r of missing) console.log(chalk.dim(`  ✗ ${r}`));
+      console.log(chalk.dim("  These services will be built from source instead.\n"));
     } else {
       console.log(chalk.green("All required ECR repos exist."));
     }

package/src/setup/setup.js

@@ -24,7 +24,7 @@ export function runSetup(dir, opts = {}) {
         fs.copyFileSync(envExample, envPath);
         console.log(chalk.green("Created .env from .env.example. Edit .env with your settings."));
       } else if (fs.existsSync(envPath)) {
-        console.log(chalk.gray(".env already exists."));
+        console.log(chalk.dim(".env already exists."));
       }
     }
     if (netrcCheck) {
@@ -33,25 +33,26 @@ export function runSetup(dir, opts = {}) {
       const hasGitHub = hasNetrc && fs.readFileSync(netrcPath, "utf8").includes("machine github.com");
       if (!hasGitHub) {
         console.log(chalk.yellow("⚠ GitHub: ensure ~/.netrc has credentials for github.com (needed for submodules)."));
-        console.log(chalk.gray("  See README: Configure GitHub Authentication"));
+        console.log(chalk.dim("  See README: Configure GitHub Authentication"));
       }
     }
     if (submodules) {
       console.log(chalk.blue(`Initializing git submodules (checking out ${CLONE_BRANCH})...`));
       try {
-        await execa("git", ["submodule", "update", "--init", "--remote", "--recursive"], { cwd: dir, stdio: "inherit" });
+        await execa("git", ["submodule", "update", "--init", "--force", "--remote", "--recursive"], { cwd: dir, stdio: "inherit" });
         // Check out the target branch on each submodule
         await execa("git", ["submodule", "foreach", `git fetch origin && git checkout origin/${CLONE_BRANCH} 2>/dev/null || git checkout origin/main`], { cwd: dir, stdio: "inherit" });
         console.log(chalk.green(`Submodules initialized — on ${CLONE_BRANCH} (falling back to main).`));
       } catch {
-        console.log(chalk.yellow(`⚠ Some submodules had issues. Attempting to check out ${CLONE_BRANCH} individually...`));
+        console.log(chalk.yellow(`⚠ Some submodules had issues. Attempting to recover individually...`));
         try {
-          await execa("git", ["submodule", "init"], { cwd: dir, stdio: "inherit" });
+          await execa("git", ["submodule", "absorbgitdirs"], { cwd: dir, stdio: "inherit" });
+          await execa("git", ["submodule", "update", "--init", "--force", "--recursive"], { cwd: dir, stdio: "inherit" });
           await execa("git", ["submodule", "foreach", `git fetch origin && git checkout origin/${CLONE_BRANCH} 2>/dev/null || git checkout origin/main`], { cwd: dir, stdio: "inherit" });
           console.log(chalk.green("Submodules recovered."));
         } catch {
           console.log(chalk.yellow("Some submodules still failed. Fix manually with:"));
-          console.log(chalk.gray(`  cd ${dir} && git submodule foreach 'git checkout ${CLONE_BRANCH} || git checkout main && git pull'`));
+          console.log(chalk.dim(`  cd ${dir} && git submodule foreach 'git checkout ${CLONE_BRANCH} || git checkout main && git pull'`));
         }
       }
     }
@@ -101,7 +102,7 @@ export function runSetup(dir, opts = {}) {
           else fs.writeFileSync(awsConfigPath, ssoConfig, { mode: 0o600 });
           console.log(chalk.green(`  Created AWS profile '${awsConfig.profileName}' in ~/.aws/config`));
         } else {
-          console.log(chalk.gray("  Skipping AWS setup. Private ECR images won't be available."));
+          console.log(chalk.dim("  Skipping AWS setup. Private ECR images won't be available."));
           console.log(chalk.blue("Downloading public container images..."));
           try {
             await make(dir, "download");
@@ -157,8 +158,8 @@ export function runSetup(dir, opts = {}) {
         await make(dir, "download");
       } catch {
         console.log(chalk.yellow("\n⚠ Some images failed to download. Public images are fine."));
-        console.log(chalk.gray(`  For private ECR images, ensure: aws sso login --profile ${awsConfig.profileName}`));
-        console.log(chalk.gray("  Then re-run: fops init --download\n"));
+        console.log(chalk.dim(`  For private ECR images, ensure: aws sso login --profile ${awsConfig.profileName}`));
+        console.log(chalk.dim("  Then re-run: fops init --download\n"));
       }
     }
     console.log(chalk.green("Setup complete. Run: fops up"));