@supatype/cli 0.1.0-alpha.8 → 0.1.0

package/src/binary-cache.ts

@@ -7,10 +7,13 @@
  *
  * Security model:
  *   1. Download checksums.sha256 + checksums.sha256.minisig from CDN.
- *   2. Verify Ed25519 minisign signature on the checksum file using the
- *      embedded public key (SUPATYPE_RELEASE_PUBLIC_KEY).
+ *   2. Verify the Ed25519 minisign signature on the checksum file using the
+ *      release public key (embedded at publish, overridable via
+ *      SUPATYPE_RELEASE_PUBLIC_KEY).
  *   3. Verify SHA256 of the downloaded binary against the signed checksum.
- *   Both checks are mandatory when SUPATYPE_RELEASE_PUBLIC_KEY is set.
+ *   Verification is mandatory and fails closed: if no public key is configured,
+ *   the download errors out rather than silently degrading to SHA256-only.
+ *   The only escape hatch is the explicit SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1.
  */
 
 import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto"
@@ -23,6 +26,7 @@ import {
   openSync,
   readFileSync,
   readSync,
+  rmdirSync,
   statSync,
   unlinkSync,
   writeFileSync,
@@ -31,6 +35,7 @@ import { chmod } from "node:fs/promises"
 import { homedir } from "node:os"
 import { basename, join, resolve, isAbsolute } from "node:path"
 import type { SupatypeProjectConfig } from "./project-config.js"
+import { loadProjectLink, migrateLegacyLinkFiles } from "./link.js"
 import { releasePublicKey } from "./release-public-key.js"
 
 /**
@@ -81,12 +86,16 @@ export function describeActiveOverrides(config: SupatypeProjectConfig): string[]
 
 /**
  * True when this working tree is associated with a remote Supatype Cloud project:
- * `project.ref`, `.supatype/cloud.json` (schema deploy link), or `.supatype/linked.json` (functions link).
+ * `project.ref` or `.supatype/link.json` (cloud kind).
  */
 export function isLinkedToCloudProject(cwd: string, config: SupatypeProjectConfig): boolean {
   const ref = config.project.ref
   if (typeof ref === "string" && ref.trim() !== "") return true
 
+  migrateLegacyLinkFiles(cwd)
+  const link = loadProjectLink(cwd)
+  if (link?.kind === "cloud" && link.projectRef.trim() !== "") return true
+
   const linkedPath = join(cwd, ".supatype", "linked.json")
   if (existsSync(linkedPath)) {
     try {
@@ -112,7 +121,7 @@ export function isLinkedToCloudProject(cwd: string, config: SupatypeProjectConfi
 
 export type { Component, ComponentVersions } from "./components.js"
 export { BINARY_COMPONENTS } from "./components.js"
-import { BINARY_COMPONENTS, type Component } from "./components.js"
+import { BINARY_COMPONENTS, type Component, type ComponentVersions } from "./components.js"
 
 export interface PlatformId {
   os: "linux" | "darwin" | "windows"
@@ -130,17 +139,6 @@ export function postgresArchiveTag(version: string): string {
   return version.split(".")[0]!
 }
 
-/**
- * Supatype release signing public key (minisign format).
- * Generated with: minisign -G
- * Rotate by: generating a new pair, updating this constant, and updating
- * the MINISIGN_PRIVATE_KEY GitHub Actions secret.
- *
- * ⚠ PLACEHOLDER — replace with actual public key before first release.
- * When empty, minisign verification is skipped with a warning (SHA256 only).
- */
-const SUPATYPE_RELEASE_PUBLIC_KEY = ""
-
 // CDN path templates per component.
 const CDN_PATHS: Record<Component, (version: string, platform: PlatformId) => string> = {
   engine:   (v, p) => `/engine/v${v}/supatype-engine-${p.os}-${p.arch}${p.os === "windows" ? ".exe" : ""}`,
@@ -226,7 +224,7 @@ export async function resolveBinary(
   }
 
   const overridePath = config.overrides?.[component === "postgres" ? "postgres_dir" : component]
-  const version = versionFor(component, config)
+  const version = await resolveVersionFor(component, config)
 
   if (version === VERSION_PIN_LOCAL && !overridePath) {
     const key = component === "postgres" ? "postgres_dir" : component
@@ -335,14 +333,14 @@ export async function download(
 
   console.log(`[supatype] Downloading ${component} v${version} (${platform.os}/${platform.arch})...`)
 
-  // ── Fetch checksums + optional minisig ────────────────────────────────────
-  const expectedChecksum = await withRetry(() =>
-    fetchChecksums(checksumsUrl, minisigUrl, name),
-  )
-
-  // ── Stream-download binary with progress ─────────────────────────────────
   const tmpPath = destPath + ".tmp"
   try {
+    // ── Fetch checksums + optional minisig (retried on transient failures) ───
+    const expectedChecksum = await withRetry(() =>
+      fetchChecksums(checksumsUrl, minisigUrl, name),
+    )
+
+    // ── Stream-download binary with progress (retried on transient failures) ─
     await withRetry(() => streamToFileWithProgress(binaryUrl, tmpPath))
 
     // ── Verify SHA256 ────────────────────────────────────────────────────────
@@ -354,9 +352,17 @@ export async function download(
     if (process.platform !== "win32" && EXECUTABLE_COMPONENTS.has(component)) {
       await chmod(destPath, 0o755)
     }
+  } catch (err) {
+    // Never leave a partial binary or an empty version directory behind: a stale
+    // empty dir makes the next resolve look fine while silently lacking a binary.
+    try { if (existsSync(destPath)) unlinkSync(destPath) } catch { /* ignore */ }
+    try { rmdirSync(dir) } catch { /* dir not empty or already removed */ }
+    throw new Error(
+      `Failed to download ${component} v${version} from ${CDN_BASE}: ${(err as Error).message}`,
+    )
   } finally {
     if (existsSync(tmpPath)) {
-      try { require("node:fs").unlinkSync(tmpPath) } catch { /* ignore */ }
+      try { unlinkSync(tmpPath) } catch { /* ignore */ }
     }
   }
 
@@ -379,24 +385,36 @@ async function fetchChecksums(
   const checksumsText = await csResp.text()
 
   const pubKey = releasePublicKey()
-  if (pubKey) {
-    // Minisign signature is required when a public key is embedded.
-    const sigResp = await fetch(minisigUrl)
-    if (!sigResp.ok) {
-      throw new Error(
-        `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
-          "Cannot verify release integrity. Aborting download.",
+  if (!pubKey) {
+    // Fail closed: a missing public key means we cannot verify authenticity, only
+    // integrity (SHA256). Published builds always embed the key, so this only
+    // happens in source/contributor builds — never silently downgrade.
+    if (process.env["SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS"] === "1") {
+      console.warn(
+        "[supatype] \u26a0  SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 — no minisign public " +
+          "key configured; verifying SHA256 only (authenticity NOT checked).",
       )
+      return extractChecksum(checksumsText, binaryFilename)
     }
-    const sigText = await sigResp.text()
-    verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
-  } else {
-    console.warn(
-      "[supatype] \u26a0  Minisign public key not configured — " +
-        "skipping signature verification (SHA256 only).",
+    throw new Error(
+      "No minisign public key configured — cannot verify release authenticity.\n" +
+        "Published @supatype/cli builds embed the key automatically; if you are building " +
+        "from source, set SUPATYPE_RELEASE_PUBLIC_KEY to the release public key, or set " +
+        "SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 to download with SHA256-only verification (unsafe).",
     )
   }
 
+  // Minisign signature is mandatory when a public key is configured.
+  const sigResp = await fetch(minisigUrl)
+  if (!sigResp.ok) {
+    throw new Error(
+      `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
+        "Cannot verify release integrity. Aborting download.",
+    )
+  }
+  const sigText = await sigResp.text()
+  verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
+
   return extractChecksum(checksumsText, binaryFilename)
 }
 
@@ -420,10 +438,10 @@ async function fetchChecksums(
 const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex")
 
 /**
- * Verify a minisign signature (Ed25519 legacy mode, algorithm bytes "Ed").
- * Throws if verification fails.
+ * Verify a minisign signature. Supports both Ed25519 legacy mode ("Ed", over the
+ * raw file) and prehashed mode ("ED", over BLAKE2b-512(file)). Throws if invalid.
  */
-function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
+export function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
   // Parse public key: [2 algo][8 keyId][32 ed25519 key]
   const pkLines = pubKeyStr.trim().split("\n")
   const pkBytes = Buffer.from(pkLines[pkLines.length - 1]!.trim(), "base64")
@@ -445,14 +463,17 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
   const sigKeyId = sigBytes.subarray(2, 10)
   const signature = sigBytes.subarray(10, 74)
 
-  // Only Ed25519 legacy mode ("Ed" = 0x45, 0x64) is supported.
-  // Hashed mode ("ED") requires BLAKE2b prehashing — not implemented.
-  if (algo[0] !== 0x45 || algo[1] !== 0x64) {
+  // Both Ed25519 modes are supported:
+  //   "Ed" (0x45, 0x64) — legacy: signature is over the raw file bytes.
+  //   "ED" (0x45, 0x44) — prehashed: signature is over BLAKE2b-512(file).
+  // Modern minisign (and our release pipeline) default to prehashed mode.
+  if (algo[0] !== 0x45 || (algo[1] !== 0x64 && algo[1] !== 0x44)) {
     throw new Error(
-      "Unsupported minisign algorithm — only Ed25519 legacy mode supported.\n" +
+      "Unsupported minisign algorithm — expected Ed25519 ('Ed' legacy or 'ED' prehashed).\n" +
         `Got: 0x${algo[0]?.toString(16)}${algo[1]?.toString(16)}`,
     )
   }
+  const prehashed = algo[1] === 0x44
 
   if (!sigKeyId.equals(pkKeyId)) {
     throw new Error(
@@ -464,7 +485,13 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
   const spkiDer = Buffer.concat([ED25519_SPKI_PREFIX, pkEd25519])
   const keyObject = createPublicKey({ key: spkiDer, format: "der", type: "spki" })
 
-  const valid = cryptoVerify(null, fileBytes, keyObject, signature)
+  // Pure Ed25519 (PureEdDSA) verifies over the message directly; for prehashed
+  // minisign the "message" is the BLAKE2b-512 digest of the file.
+  const signedData = prehashed
+    ? createHash("blake2b512").update(fileBytes).digest()
+    : fileBytes
+
+  const valid = cryptoVerify(null, signedData, keyObject, signature)
   if (!valid) {
     throw new Error(
       "Minisign signature verification FAILED — the checksum file may have been tampered with.\n" +
@@ -730,10 +757,30 @@ export function normalisePlatformPath(p: string): string {
   return result
 }
 
+export function pinnedVersion(component: Component, config: SupatypeProjectConfig): string | undefined {
+  const version = config.versions?.[component]
+  if (typeof version !== "string") return undefined
+  const trimmed = version.trim()
+  return trimmed === "" ? undefined : trimmed
+}
+
+/** Pinned version from config, or latest from CDN when unset. */
+export async function resolveVersionFor(
+  component: Component,
+  config: SupatypeProjectConfig,
+): Promise<string> {
+  const pinned = pinnedVersion(component, config)
+  if (pinned) return pinned
+  return fetchLatestVersion(component)
+}
+
+/** @deprecated Prefer {@link pinnedVersion} or {@link resolveVersionFor}. */
 export function versionFor(component: Component, config: SupatypeProjectConfig): string {
-  const version = config.versions[component]
-  if (typeof version !== "string" || version.trim() === "") {
-    throw new Error(`[supatype] versions.${component} must be set in supatype.config.ts`)
+  const version = pinnedVersion(component, config)
+  if (!version) {
+    throw new Error(
+      `[supatype] versions.${component} is not pinned in supatype.config.ts (omit versions to use latest)`,
+    )
   }
   return version
 }
@@ -780,7 +827,10 @@ export async function fetchAllLatestVersions(): Promise<Record<Component, string
  * Verify all cached binaries for the current platform (used by integration CI).
  * Throws if any cached component is missing or fails format checks.
  */
-export function verifyCachedBinaries(versions: SupatypeProjectConfig["versions"]): void {
+export function verifyCachedBinaries(versions: Partial<ComponentVersions> | undefined): void {
+  if (!versions) {
+    throw new Error("[supatype] verifyCachedBinaries requires pinned versions")
+  }
   const platform = currentPlatform()
   for (const component of BINARY_COMPONENTS) {
     const version = versions[component]
@@ -798,15 +848,15 @@ export function verifyCachedBinaries(versions: SupatypeProjectConfig["versions"]
 }
 
 export async function downloadAll(
-  versions: SupatypeProjectConfig["versions"],
+  versions: Partial<ComponentVersions> | undefined,
   graceful = false,
 ): Promise<void> {
   const platform = currentPlatform()
   const components: Component[] = [...BINARY_COMPONENTS]
-  const fakeConfig = { versions } as SupatypeProjectConfig
+  const latest = await fetchAllLatestVersions()
 
   for (const component of components) {
-    const version = versionFor(component, fakeConfig)
+    const version = versions?.[component] ?? latest[component]
     if (version === VERSION_PIN_LOCAL) continue
     try {
       await download(component, version, platform)

package/src/cli.ts

@@ -7,11 +7,15 @@ import { registerPg } from "./commands/pg.js"
 import { registerPush } from "./commands/push.js"
 import { registerDiff } from "./commands/diff.js"
 import { registerPull } from "./commands/pull.js"
+import { registerDoctor } from "./commands/doctor.js"
+import { registerIntrospect } from "./commands/introspect.js"
+import { registerAdopt } from "./commands/adopt.js"
 import { registerGenerate } from "./commands/generate.js"
 import { registerMigrate } from "./commands/migrate.js"
 import { registerSeed } from "./commands/seed.js"
 import { registerKeys } from "./commands/keys.js"
 import { registerApp } from "./commands/app.js"
+import { registerAdd } from "./commands/add.js"
 import { registerSelfHost } from "./commands/self-host.js"
 import { registerCloud } from "./commands/cloud.js"
 import { registerEngine } from "./commands/engine.js"
@@ -25,8 +29,9 @@ import { registerPlugins } from "./commands/plugins.js"
 import { registerTypes } from "./commands/types.js"
 import { registerMigrateFromV1 } from "./commands/migrate-from-v1.js"
 import { registerSelfUpdate } from "./commands/self-update.js"
+import { reportCliFatal } from "./ui/fatal.js"
 
-export function run(): void {
+export async function run(): Promise<void> {
   const program = new Command()
     .name("supatype")
     .description("Supatype — schema-first Postgres API")
@@ -41,11 +46,15 @@ export function run(): void {
   registerPush(program)
   registerDiff(program)
   registerPull(program)
+  registerDoctor(program)
+  registerIntrospect(program)
+  registerAdopt(program)
   registerGenerate(program)
   registerMigrate(program)
   registerSeed(program)
   registerKeys(program)
   registerApp(program)
+  registerAdd(program)
   registerSelfHost(program)
   registerCloud(program)
   registerEngine(program)
@@ -59,5 +68,10 @@ export function run(): void {
   registerTypes(program)
   registerMigrateFromV1(program)
 
-  program.parse()
+  try {
+    await program.parseAsync(process.argv)
+  } catch (err) {
+    reportCliFatal(err)
+    process.exit(1)
+  }
 }

package/src/commands/add.ts

@@ -0,0 +1,97 @@
+import type { Command } from "commander"
+import * as p from "@clack/prompts"
+import { loadConfig } from "../config.js"
+import { selfHostTlsEnabled } from "../project-config.js"
+import { updateServerConfigInProject } from "../app-config.js"
+import { ensureNotCancelled, printLogo } from "../ui/prompts.js"
+import { file, error, info, plain } from "../ui/messages.js"
+import { nextSteps } from "../ui/next-steps.js"
+
+export function registerAdd(program: Command): void {
+  const addCmd = program
+    .command("add")
+    .description("Add capabilities to an existing project")
+
+  addCmd
+    .command("domain [domain]")
+    .description("Add a custom domain with automatic HTTPS (self-host)")
+    .option("--email <email>", "Email for Let's Encrypt TLS certificates")
+    .action(async (domainArg: string | undefined, opts: { email?: string }) => {
+      await addDomain(domainArg, opts.email)
+    })
+}
+
+async function promptDomain(initial?: string): Promise<string> {
+  const trimmed = initial?.trim()
+  if (trimmed) return trimmed
+  return ensureNotCancelled(
+    await p.text({
+      message: "Please provide domain:",
+      placeholder: "demo.supatype.com",
+      validate: (v) => ((v ?? "").trim().length === 0 ? "Domain is required" : undefined),
+    }),
+  ).trim()
+}
+
+async function promptEmail(initial?: string): Promise<string> {
+  const trimmed = initial?.trim()
+  if (trimmed) return trimmed
+  return ensureNotCancelled(
+    await p.text({
+      message: "Please provide email for TLS",
+      placeholder: "hello@supatype.com",
+      validate: (v) => ((v ?? "").trim().length === 0 ? "Email is required" : undefined),
+    }),
+  ).trim()
+}
+
+async function addDomain(domainArg?: string, emailArg?: string): Promise<void> {
+  const cwd = process.cwd()
+  const interactive = !domainArg?.trim() || !emailArg?.trim()
+
+  if (interactive) {
+    printLogo()
+    p.intro("Add a custom domain")
+  }
+
+  const domain = await promptDomain(domainArg)
+  const email = await promptEmail(emailArg)
+
+  try {
+    const configPath = updateServerConfigInProject(cwd, { domain, tlsEmail: email })
+    if (interactive) {
+      p.outro(`Updated ${configPath}`)
+    } else {
+      file("updated", configPath)
+    }
+    printDomainNextSteps(cwd, domain)
+  } catch (err) {
+    error((err as Error).message)
+    process.exit(1)
+  }
+}
+
+function printDomainNextSteps(cwd: string, domain: string): void {
+  let tlsActive = true
+  try {
+    tlsActive = selfHostTlsEnabled(loadConfig(cwd))
+  } catch {
+    // config re-load is best-effort for the warning below
+  }
+
+  info(`Domain set to ${domain} with automatic HTTPS.`)
+  if (!tlsActive) {
+    plain(
+      "\nNote: a supatype.local.config.ts override (server.mode=dev) is suppressing HTTPS locally.\n" +
+        "That file is gitignored, so HTTPS still activates on your production server.",
+    )
+  }
+  nextSteps("Go live:", [
+    `Point DNS: an A record for ${domain} -> your server's public IP`,
+    "Open ports 80 and 443 on the server firewall",
+    "supatype self-host compose up -d   # Kong provisions HTTPS automatically",
+    `Platform URL: https://${domain}`,
+  ])
+  plain("  App, REST, Auth, Storage, Realtime, Functions, and Studio — one HTTPS domain.")
+  plain("  Certificates persist in the valkey-data volume.\n")
+}

package/src/commands/admin.ts

@@ -4,12 +4,14 @@
 // {ref}_auth.users table. Used for initial setup and ongoing admin management.
 
 import type { Command } from "commander"
-import { createInterface } from "node:readline"
 import { randomBytes, scrypt } from "node:crypto"
 import { promisify } from "node:util"
 import { loadConfig } from "../config.js"
 import { connectionString } from "../project-config.js"
 import { signJwt } from "../jwt.js"
+import { confirm as uiConfirm } from "../ui/confirm.js"
+import { error, info, plain } from "../ui/messages.js"
+import { promptText } from "../ui/prompts.js"
 
 const scryptAsync = promisify(scrypt)
 
@@ -36,22 +38,22 @@ export function registerAdmin(program: Command): void {
         const config = loadConfig(cwd)
         const connection = opts.connection ?? connectionString(config)
 
-        const email = opts.email ?? (await prompt("Admin email: "))
+        const email = opts.email ?? (await promptText("Admin email"))
         if (!email || !email.includes("@")) {
-          console.error("A valid email address is required.")
+          error("A valid email address is required.")
           process.exit(1)
         }
 
         const password =
-          opts.password ?? (await prompt("Admin password (min 8 chars): "))
+          opts.password ?? (await promptText("Admin password (min 8 chars)"))
         if (!password || password.length < 8) {
-          console.error("Password must be at least 8 characters.")
+          error("Password must be at least 8 characters.")
           process.exit(1)
         }
 
         const role = opts.role
 
-        console.log(`\nCreating admin user: ${email} (role: ${role})...`)
+        info(`Creating admin user: ${email} (role: ${role})...`)
 
         // We use pg directly to insert into the auth.users table
         const pg = await importPg()
@@ -88,12 +90,8 @@ export function registerAdmin(program: Command): void {
           )
 
           if (existing.rows.length > 0) {
-            console.error(
-              `\nUser with email "${email}" already exists.`,
-            )
-            console.log(
-              `To update their role, use: supatype admin set-role --email ${email} --role ${role}`,
-            )
+            error(`User with email "${email}" already exists.`)
+            info(`To update their role, use: supatype admin set-role --email ${email} --role ${role}`)
             process.exit(1)
           }
 
@@ -119,17 +117,15 @@ export function registerAdmin(program: Command): void {
 
           const user = result.rows[0] as { id: string; email: string }
 
-          console.log(`\nAdmin user created successfully.`)
-          console.log(`  ID:    ${user.id}`)
-          console.log(`  Email: ${user.email}`)
-          console.log(`  Role:  ${role}`)
-          console.log(
-            `\nThis user can now log in to the admin panel at /admin\n`,
-          )
+          info("Admin user created successfully.")
+          plain(`  ID:    ${user.id}`)
+          plain(`  Email: ${user.email}`)
+          plain(`  Role:  ${role}`)
+          info("This user can now log in to the admin panel at /admin")
         } catch (err) {
           const message =
             err instanceof Error ? err.message : "Unknown error"
-          console.error(`\nFailed to create admin user: ${message}`)
+          error(`Failed to create admin user: ${message}`)
           process.exit(1)
         } finally {
           await pool.end()
@@ -163,7 +159,7 @@ export function registerAdmin(program: Command): void {
           )
 
           if (result.rows.length === 0) {
-            console.error(`\nNo user found with email "${opts.email}".`)
+            error(`No user found with email "${opts.email}".`)
             process.exit(1)
           }
 
@@ -173,14 +169,14 @@ export function registerAdmin(program: Command): void {
             raw_app_meta_data: Record<string, unknown>
           }
 
-          console.log(`\nRole updated successfully.`)
-          console.log(`  ID:    ${user.id}`)
-          console.log(`  Email: ${user.email}`)
-          console.log(`  Role:  ${opts.role}\n`)
+          info("Role updated successfully.")
+          plain(`  ID:    ${user.id}`)
+          plain(`  Email: ${user.email}`)
+          plain(`  Role:  ${opts.role}`)
         } catch (err) {
           const message =
             err instanceof Error ? err.message : "Unknown error"
-          console.error(`\nFailed to update role: ${message}`)
+          error(`Failed to update role: ${message}`)
           process.exit(1)
         } finally {
           await pool.end()
@@ -210,17 +206,15 @@ export function registerAdmin(program: Command): void {
         )
 
         if (result.rows.length === 0) {
-          console.log("\nNo admin users found.")
-          console.log(
-            "Create one with: supatype admin create-user --email admin@example.com --role admin\n",
-          )
+          info("No admin users found.")
+          info("Create one with: supatype admin create-user --email admin@example.com --role admin")
           return
         }
 
-        console.log(
+        plain(
           "\n  ID                                     Email                          Role         Created",
         )
-        console.log("  " + "-".repeat(100))
+        plain("  " + "-".repeat(100))
         for (const row of result.rows) {
           const r = row as {
             id: string
@@ -229,15 +223,15 @@ export function registerAdmin(program: Command): void {
             created_at: string
           }
           const date = new Date(r.created_at).toISOString().slice(0, 10)
-          console.log(
+          plain(
             `  ${r.id}  ${r.email.padEnd(30)} ${r.role.padEnd(12)} ${date}`,
           )
         }
-        console.log()
+        plain()
       } catch (err) {
         const message =
           err instanceof Error ? err.message : "Unknown error"
-        console.error(`\nFailed to list admin users: ${message}`)
+        error(`Failed to list admin users: ${message}`)
         process.exit(1)
       } finally {
         await pool.end()
@@ -278,30 +272,22 @@ export async function promptFirstAdminUser(
     if (count > 0) return
 
     // No admin users — prompt to create one
-    console.log("\n  No admin users found for the admin panel.")
-    const createAdmin = await confirm(
-      "  Create an admin user now? [y/N] ",
-    )
+    info("No admin users found for the admin panel.")
+    const createAdmin = await uiConfirm("Create an admin user now?")
     if (!createAdmin) {
-      console.log(
-        "  Skipped. You can create one later with: supatype admin create-user\n",
-      )
+      info("Skipped. You can create one later with: supatype admin create-user")
       return
     }
 
-    const email = await prompt("  Admin email: ")
+    const email = await promptText("Admin email")
     if (!email || !email.includes("@")) {
-      console.log("  Invalid email. Skipping admin user creation.\n")
+      info("Invalid email. Skipping admin user creation.")
       return
     }
 
-    const password = await prompt(
-      "  Admin password (min 8 chars): ",
-    )
+    const password = await promptText("Admin password (min 8 chars)")
     if (!password || password.length < 8) {
-      console.log(
-        "  Password too short. Skipping admin user creation.\n",
-      )
+      info("Password too short. Skipping admin user creation.")
       return
     }
 
@@ -325,8 +311,8 @@ export async function promptFirstAdminUser(
       [email.toLowerCase(), passwordHash, appMetadata],
     )
 
-    console.log(`\n  Admin user "${email}" created (role: admin).`)
-    console.log(`  Log in at /admin after starting the dev server.\n`)
+    info(`Admin user "${email}" created (role: admin).`)
+    info("Log in at /admin after starting the dev server.")
   } catch {
     // Non-fatal — if auth schema doesn't exist yet, skip silently
   } finally {
@@ -340,9 +326,7 @@ async function importPg(): Promise<typeof import("pg")> {
   try {
     return await import("pg")
   } catch {
-    console.error(
-      "pg package is required for admin commands. Install it with: pnpm add pg",
-    )
+    error("pg package is required for admin commands. Install it with: pnpm add pg")
     process.exit(1)
   }
 }
@@ -352,21 +336,3 @@ async function hashPassword(password: string): Promise<string> {
   const derived = (await scryptAsync(password, salt, 64)) as Buffer
   return `${salt}:${derived.toString("hex")}`
 }
-
-function prompt(question: string): Promise<string> {
-  const rl = createInterface({
-    input: process.stdin,
-    output: process.stdout,
-  })
-  return new Promise((resolve) => {
-    rl.question(question, (answer) => {
-      rl.close()
-      resolve(answer.trim())
-    })
-  })
-}
-
-async function confirm(question: string): Promise<boolean> {
-  const answer = await prompt(question)
-  return answer.toLowerCase() === "y"
-}