@suronai/cli 0.1.35 → 0.1.36

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@suronai/cli",
-  "version": "0.1.35",
+  "version": "0.1.36",
   "description": "CLI for Suron — suron login, init, whoami, recover",
   "type": "module",
   "bin": {

package/src/commands/encrypt.js

@@ -0,0 +1,88 @@
+import { Command } from "commander";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { encryptDotenv } from "../utils/dotenvx.js";
+import ui from "../utils/colors.js";
+
+export const encryptCommand = new Command("encrypt")
+  .description("Encrypt new plaintext values added to .env (safe to run any time after init)")
+  .action(async () => {
+    const cwd = process.cwd();
+
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+
+    if (!existsSync(join(cwd, ".suron.json"))) {
+      console.error(ui.errBlock(
+        ".suron.json not found",
+        "run suron init first"
+      ));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    if (!existsSync(join(cwd, ".env"))) {
+      console.error(ui.errBlock(".env not found"));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    // ── Scan for plaintext values ─────────────────────────────────────────────
+    const envLines = readFileSync(join(cwd, ".env"), "utf-8").split("\n");
+
+    const plaintextKeys = envLines
+      .filter(line => {
+        const t = line.trim();
+        if (!t || t.startsWith("#") || t.startsWith("#/")) return false;
+        const eq = t.indexOf("=");
+        if (eq === -1) return false;
+        const val = t.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
+        return val.length > 0 && !val.startsWith("encrypted:");
+      })
+      .map(line => line.slice(0, line.indexOf("=")).trim());
+
+    if (plaintextKeys.length === 0) {
+      console.log(ui.step("skip", "all values already encrypted"));
+      console.log(ui.blank());
+      console.log(ui.hr());
+      console.log(ui.blank());
+      console.log(ui.infoBlock("to add secrets  ›  edit .env then run  " + ui.code("suron encrypt")));
+      console.log(ui.blank());
+      process.exit(0);
+    }
+
+    console.log(ui.kv("PENDING", String(plaintextKeys.length) + " value" + (plaintextKeys.length === 1 ? "" : "s")));
+    console.log(ui.blank());
+    for (const k of plaintextKeys) {
+      console.log(ui.INDENT + "   " + ui.slate("·  ") + ui.amber(k));
+    }
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+
+    // ── Encrypt ───────────────────────────────────────────────────────────────
+    process.stdout.write(ui.INDENT + ui.slate("encrypting ···"));
+
+    try {
+      encryptDotenv(cwd);
+    } catch (err) {
+      process.stdout.write("\r" + " ".repeat(40) + "\r");
+      console.error(ui.errBlock(err.message));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    process.stdout.write("\r" + " ".repeat(40) + "\r");
+
+    console.log(ui.step("done", "encrypted  .env"));
+    console.log(ui.step("done", "cleaned    .env  +  .env.keys"));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+    console.log(ui.readyBlock([
+      { label: ".env",      note: "encrypted  ·  safe to commit" },
+      { label: ".env.keys", note: "keep safe  ·  never commit" },
+    ]));
+    console.log(ui.blank());
+  });

package/src/commands/init.js

@@ -4,9 +4,7 @@ import { join, basename, relative } from "path";
 import { execSync } from "child_process";
 import { requireApiUrl, prompt } from "../utils/config.js";
 import { encryptDotenv, readPrivateKey } from "../utils/dotenvx.js";
-import c from "../utils/colors.js";
-
-const HR = "  " + c.dim("─".repeat(55));
+import ui from "../utils/colors.js";
 
 export const initCommand = new Command("init")
   .description("Encrypt .env and register this app with Suron")
@@ -15,74 +13,89 @@ export const initCommand = new Command("init")
     const cwd    = process.cwd();
     const apiUrl = requireApiUrl();
 
-    console.log();
+    console.log(ui.logo());
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
 
     if (existsSync(join(cwd, ".suron.json"))) {
-      console.error("  " + c.red("✗") + "  already initialised — .suron.json exists");
-      console.error("       To restore a lost config: " + c.bold("suron recover") + "\n");
+      console.error(ui.errBlock(
+        "already initialised",
+        "to restore a lost config  ›  suron recover"
+      ));
+      console.log(ui.blank());
       process.exit(1);
     }
 
     if (!existsSync(join(cwd, ".env"))) {
-      console.error("  " + c.red("✗") + "  .env not found");
-      console.error("       Create a .env file with your secrets, then run: suron init\n");
+      console.error(ui.errBlock(
+        ".env not found",
+        "create a .env file with your secrets, then run: suron init"
+      ));
+      console.log(ui.blank());
       process.exit(1);
     }
 
     // ── App name ──────────────────────────────────────────────────────────────
-    // Preserve the folder's original casing as the default suggestion.
     const suggested = sanitiseName(basename(cwd) || "myapp");
     let appName;
 
     if (opts.name) {
       appName = sanitiseName(opts.name);
     } else {
-      const raw = await prompt("  App name " + c.dim("· ") + c.dim("[" + suggested + "] › "));
+      process.stdout.write(ui.promptLine("app name  [" + suggested + "]"));
+      const raw = await prompt("");
       appName = sanitiseName(raw || suggested);
     }
 
     if (!appName) {
-      console.error("  " + c.red("✗") + "  App name is required and must contain at least one letter or digit.");
-      console.error("       Example: suron init --name MyApp\n");
+      console.log(ui.blank());
+      console.error(ui.errBlock(
+        "app name required",
+        "example  ›  suron init --name MyApp"
+      ));
+      console.log(ui.blank());
       process.exit(1);
     }
 
-    console.log("  App name " + c.dim("·") + " " + c.cyan(appName));
-    console.log(HR);
+    console.log(ui.blank());
+    console.log(ui.kv("APP", appName));
+    console.log(ui.kv("DIR", ui.slate(cwd)));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
 
-    // ── Steps tracker ─────────────────────────────────────────────────────────
+    // ── Steps ─────────────────────────────────────────────────────────────────
     const steps = {
-      encrypt:  { label: "Encrypt",  detail: ".env",          status: "pending" },
-      keys:     { label: "Key",      detail: ".env.keys",     status: "pending" },
-      gitignore:{ label: "Gitignore",detail: ".gitignore",    status: "pending" },
-      register: { label: "Register", detail: appName,         status: "pending" },
-      sdk:      { label: "SDK",      detail: "@suronai/sdk",  status: "pending" },
+      encrypt:   { label: "encrypt   .env",         status: "pending" },
+      keys:      { label: "key       .env.keys",     status: "pending" },
+      gitignore: { label: "gitignore .gitignore",    status: "pending" },
+      register:  { label: "register  " + appName,   status: "pending" },
+      sdk:       { label: "sdk       @suronai/sdk",  status: "pending" },
     };
 
-    function printSteps() {
+    const printSteps = () => {
       for (const s of Object.values(steps)) {
-        const dot = s.status === "done"    ? c.green("●")
-                  : s.status === "skip"    ? c.dim("○")
-                  : s.status === "fail"    ? c.red("●")
-                  :                          c.dim("○");
-        const detail = s.status === "fail" ? c.red(s.detail) : c.dim(s.detail);
-        const label  = s.label.padEnd(11);
-        const dots   = c.dim(".".repeat(Math.max(2, 44 - label.length - s.detail.length)));
-        const note   = s.note ? "  " + c.dim(s.note) : "";
-        console.log("  " + dot + "  " + label + detail + dots + (s.status === "done" ? c.green(" done") : s.status === "skip" ? c.dim(" skip") : s.status === "fail" ? c.red(" fail") : "") + note);
+        console.log(ui.step(s.status, s.label, s.note));
       }
-    }
+    };
 
     // ── Encrypt ───────────────────────────────────────────────────────────────
+    steps.encrypt.status  = "run";
+    steps.keys.status     = "run";
     try {
       encryptDotenv(cwd);
-      steps.encrypt.status  = "done";
-      steps.keys.status     = "done";
+      steps.encrypt.status = "done";
+      steps.keys.status    = "done";
     } catch (err) {
       steps.encrypt.status = "fail";
+      steps.keys.status    = "fail";
       printSteps();
-      console.log(HR);
-      console.error("\n  " + c.red("✗") + "  " + err.message + "\n");
+      console.log(ui.blank());
+      console.log(ui.hr());
+      console.log(ui.blank());
+      console.error(ui.errBlock(err.message));
+      console.log(ui.blank());
       process.exit(1);
     }
 
@@ -92,17 +105,22 @@ export const initCommand = new Command("init")
     } catch (err) {
       steps.keys.status = "fail";
       printSteps();
-      console.log(HR);
-      console.error("\n  " + c.red("✗") + "  " + err.message + "\n");
+      console.log(ui.blank());
+      console.log(ui.hr());
+      console.log(ui.blank());
+      console.error(ui.errBlock(err.message));
+      console.log(ui.blank());
       process.exit(1);
     }
 
     // ── .gitignore ────────────────────────────────────────────────────────────
+    steps.gitignore.status = "run";
     const gitignoreResult = ensureGitignore(cwd);
     steps.gitignore.status = "done";
     steps.gitignore.note   = gitignoreResult;
 
     // ── Register ──────────────────────────────────────────────────────────────
+    steps.register.status = "run";
     let res;
     try {
       res = await fetch(`${apiUrl}/cli/register-app`, {
@@ -113,8 +131,11 @@ export const initCommand = new Command("init")
     } catch (err) {
       steps.register.status = "fail";
       printSteps();
-      console.log(HR);
-      console.error("\n  " + c.red("✗") + `  Could not reach Suron API: ${err.message}\n`);
+      console.log(ui.blank());
+      console.log(ui.hr());
+      console.log(ui.blank());
+      console.error(ui.errBlock(`cannot reach API`, err.message));
+      console.log(ui.blank());
       process.exit(1);
     }
 
@@ -123,14 +144,19 @@ export const initCommand = new Command("init")
       try { body = await res.json(); } catch { /* ignore */ }
       steps.register.status = "fail";
       printSteps();
-      console.log(HR);
+      console.log(ui.blank());
+      console.log(ui.hr());
+      console.log(ui.blank());
       if (res.status === 409) {
         const canonical = body?.existing_name ?? appName;
-        console.error("\n  " + c.red("✗") + `  An app named "${c.cyan(String(canonical))}" is already registered (case-insensitive match).`);
-        console.error("       If you lost .suron.json, run: " + c.bold("suron recover --name " + String(canonical)) + "\n");
+        console.error(ui.errBlock(
+          `"${canonical}" already registered`,
+          `to restore a lost config  ›  suron recover --name ${canonical}`
+        ));
       } else {
-        console.error("\n  " + c.red("✗") + `  ${body?.error ?? `register-app failed (${res.status})`}\n`);
+        console.error(ui.errBlock(body?.error ?? `register failed (${res.status})`));
       }
+      console.log(ui.blank());
       process.exit(1);
     }
 
@@ -147,6 +173,7 @@ export const initCommand = new Command("init")
     // ── Install SDK ───────────────────────────────────────────────────────────
     const pkgJsonPath = join(cwd, "package.json");
     let isEsm = false;
+    steps.sdk.status = "run";
 
     if (existsSync(pkgJsonPath)) {
       let alreadyInstalled = false;
@@ -175,51 +202,41 @@ export const initCommand = new Command("init")
     }
 
     printSteps();
-    console.log(HR);
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
 
     // ── Patch entry point ─────────────────────────────────────────────────────
     await patchEntryPoint(cwd, isEsm);
 
     // ── Done ──────────────────────────────────────────────────────────────────
-    console.log();
-    console.log("  " + c.dim("◇") + "  .env encrypted        " + c.dim("safe to commit"));
-    console.log("  " + c.dim("◇") + "  .env.keys             " + c.dim("gitignored, keep it safe"));
-    console.log("  " + c.dim("◇") + "  .suron.json           " + c.dim("safe to commit"));
-    console.log("  " + c.dim("◆") + "  " + c.bold("ready"));
-    console.log();
+    console.log(ui.readyBlock([
+      { label: ".env",        note: "encrypted  ·  safe to commit" },
+      { label: ".env.keys",   note: "gitignored  ·  keep safe" },
+      { label: ".suron.json", note: "safe to commit" },
+    ]));
+    console.log(ui.blank());
   });
 
-/**
- * Ensures standard entries are in .gitignore.
- * Creates the file if it doesn't exist.
- * @param {string} cwd
- * @returns {string} short note for the steps display
- */
-const GITIGNORE_ENTRIES = [
-  "node_modules/",
-  "package-lock.json",
-  ".env.keys",
-];
+// ── Helpers ──────────────────────────────────────────────────────────────────
+
+const GITIGNORE_ENTRIES = ["node_modules/", "package-lock.json", ".env.keys"];
 
 function ensureGitignore(cwd) {
   const gitignorePath = join(cwd, ".gitignore");
-
   if (!existsSync(gitignorePath)) {
     writeFileSync(gitignorePath, GITIGNORE_ENTRIES.join("\n") + "\n", "utf-8");
     return "created";
   }
-
   const content  = readFileSync(gitignorePath, "utf-8");
   const existing = new Set(content.split("\n").map(l => l.trim()));
   const missing  = GITIGNORE_ENTRIES.filter(e => !existing.has(e));
-  if (missing.length === 0) return "already set";
-
-  const separator = content.endsWith("\n") ? "" : "\n";
-  writeFileSync(gitignorePath, content + separator + missing.join("\n") + "\n", "utf-8");
+  if (missing.length === 0) return "ok";
+  const sep = content.endsWith("\n") ? "" : "\n";
+  writeFileSync(gitignorePath, content + sep + missing.join("\n") + "\n", "utf-8");
   return "updated";
 }
 
-/** @param {string} cwd @returns {string} */
 function detectPackageManager(cwd) {
   if (existsSync(join(cwd, "pnpm-lock.yaml"))) return "pnpm";
   if (existsSync(join(cwd, "yarn.lock")))       return "yarn";
@@ -227,15 +244,12 @@ function detectPackageManager(cwd) {
   return "npm";
 }
 
-/** @param {string} pm @returns {string} */
 function pmAddCmd(pm) {
   return pm === "npm" ? "install" : "add";
 }
 
 /**
- * Strips everything except letters and digits while preserving the original case.
- * The backend stores names case-sensitively for display but compares lowercase
- * for uniqueness, so "DataHaven" and "datahaven" are the same app.
+ * Strips everything except letters and digits while preserving case.
  * @param {string} name
  * @returns {string}
  */
@@ -259,9 +273,6 @@ async function patchEntryPoint(cwd, isEsm) {
   }
 
   if (!entryPath) {
-    console.log("  " + c.dim("▎"));
-    console.log("  " + c.dim("▎") + "  Add to your app entry point:");
-    console.log("  " + c.dim("▎"));
     printSnippet(isEsm);
     return;
   }
@@ -270,8 +281,6 @@ async function patchEntryPoint(cwd, isEsm) {
   try { src = readFileSync(entryPath, "utf-8"); } catch { return; }
 
   const lines = src.split("\n");
-
-  // Pass 1 — lines containing "dotenv"
   const toReplace   = [];
   const seenIndices = new Set();
 
@@ -295,7 +304,6 @@ async function patchEntryPoint(cwd, isEsm) {
     }
   }
 
-  // Pass 2 — bare config() call (ESM only — import and call are on separate lines)
   if (isEsm) {
     for (let i = 0; i < lines.length; i++) {
       if (seenIndices.has(i)) continue;
@@ -313,9 +321,6 @@ async function patchEntryPoint(cwd, isEsm) {
   }
 
   if (toReplace.length === 0) {
-    console.log("  " + c.dim("▎"));
-    console.log("  " + c.dim("▎") + "  Add to your app entry point:");
-    console.log("  " + c.dim("▎"));
     printSnippet(isEsm);
     return;
   }
@@ -323,46 +328,42 @@ async function patchEntryPoint(cwd, isEsm) {
   const relEntry = relative(cwd, entryPath);
 
   // ── Diff preview ───────────────────────────────────────────────────────────
-  console.log("  " + c.dim("▎"));
-  console.log("  " + c.dim("▎  ") + c.dim(relEntry));
-  console.log("  " + c.dim("▎"));
+  console.log(ui.kv("ENTRY", relEntry, 8));
+  console.log(ui.blank());
 
   for (const { content, replacement } of toReplace) {
-    console.log("  " + c.dim("▎  ") + c.red("⁻") + "  " + c.dim(content.trim()));
+    console.log(ui.diff("remove", content.trim()));
     if (replacement !== null) {
       for (const l of replacement.split("\n")) {
-        console.log("  " + c.dim("▎  ") + c.green("⁺") + "  " + c.cyan(l.trim()));
+        console.log(ui.diff("add", l.trim()));
       }
     } else {
-      console.log("  " + c.dim("▎  ") + c.yellow("?") + "  " + c.dim("(no automatic replacement — update manually)"));
+      console.log(ui.diff("unknown", ""));
     }
-    console.log("  " + c.dim("▎"));
+    console.log(ui.blank());
   }
 
-  const answer = await prompt("  " + c.dim("▎") + "  apply? " + c.dim("[Y/n] › "));
+  process.stdout.write(ui.promptLine("apply patch?  [Y/n]"));
+  const answer = await prompt("");
   const confirmed = answer === "" || /^y(es)?$/i.test(answer);
-  console.log(HR);
+  console.log(ui.blank());
+  console.log(ui.hr());
+  console.log(ui.blank());
 
   if (!confirmed) {
-    console.log();
-    console.log("  " + c.dim("skipped — add manually:"));
-    console.log();
     printSnippet(isEsm);
     return;
   }
 
-  // Apply
   const indexMap = new Map(toReplace.map(r => [r.index, r]));
   const outLines = lines.map((line, i) => {
     const r = indexMap.get(i);
     return (r && r.replacement !== null) ? r.replacement : line;
   });
 
-  // Move await config() to right after last import block (ESM)
   if (isEsm) {
-    const callLineIndex  = outLines.findIndex(l => /^\s*await config\s*\(/.test(l));
+    const callLineIndex   = outLines.findIndex(l => /^\s*await config\s*\(/.test(l));
     const lastImportIndex = outLines.reduce((last, l, i) => l.trimStart().startsWith("import ") ? i : last, -1);
-
     if (callLineIndex !== -1 && callLineIndex > lastImportIndex + 2) {
       const callLine = outLines[callLineIndex];
       outLines.splice(callLineIndex, 1);
@@ -375,20 +376,22 @@ async function patchEntryPoint(cwd, isEsm) {
   try {
     writeFileSync(entryPath, outLines.join("\n"), "utf-8");
   } catch (err) {
-    console.error("  " + c.red("✗") + "  Could not write " + relEntry + ": " + err.message);
+    console.error(ui.errBlock("could not write " + relEntry, err.message));
     printSnippet(isEsm);
   }
 }
 
-/** @param {boolean} isEsm */
 function printSnippet(isEsm) {
+  console.log(ui.infoBlock("add to your entry point:"));
+  console.log(ui.blank());
   if (isEsm) {
-    console.log("  " + c.dim("▎  ") + c.cyan("import") + " { config } from " + c.green("'@suronai/sdk'"));
-    console.log("  " + c.dim("▎  ") + c.cyan("await") + " config()");
+    console.log(ui.INDENT + "   " + ui.amber('import { config } from "@suronai/sdk"'));
+    console.log(ui.INDENT + "   " + ui.amber("await config()"));
   } else {
-    console.log("  " + c.dim("▎  ") + "const { config } = " + c.cyan("require") + "(" + c.green("'@suronai/sdk'") + ")");
-    console.log("  " + c.dim("▎  ") + c.cyan("await") + " config()");
+    console.log(ui.INDENT + "   " + ui.amber('const { config } = require("@suronai/sdk")'));
+    console.log(ui.INDENT + "   " + ui.amber("await config()"));
   }
-  console.log("  " + c.dim("▎"));
-  console.log(HR);
+  console.log(ui.blank());
+  console.log(ui.hr());
+  console.log(ui.blank());
 }

package/src/commands/login.js

@@ -1,56 +1,83 @@
 import { Command } from "commander";
 import { getApiUrl, saveConfig, prompt } from "../utils/config.js";
-import c from "../utils/colors.js";
+import ui from "../utils/colors.js";
 
 export const loginCommand = new Command("login")
   .description("Configure the Suron API URL")
   .action(async () => {
-    console.log("\n" + c.bold("  Suron") + "  —  configure your backend\n");
+    console.log(ui.logo());
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
 
     let apiUrl = getApiUrl();
 
     if (apiUrl) {
-      console.log("  Current URL  " + c.cyan(apiUrl));
-      const change = await prompt("  Change it? (y/N) › ");
+      console.log(ui.kv("ENDPOINT", apiUrl));
+      console.log(ui.blank());
+      process.stdout.write(ui.promptLine("replace?  [y/N]"));
+      const change = await prompt("");
       if (change.toLowerCase() !== "y") {
-        console.log("\n  " + c.green("✓") + "  No changes made.\n");
+        console.log(ui.blank());
+        console.log(ui.okBlock("no changes"));
+        console.log(ui.blank());
         return;
       }
+      console.log(ui.blank());
     }
 
-    const input = await prompt("  Convex deployment URL › ");
+    process.stdout.write(ui.promptLine("convex deployment URL"));
+    const input = await prompt("");
+
     if (!input) {
-      console.error("\n  " + c.red("✗") + "  URL is required.\n");
+      console.log(ui.blank());
+      console.error(ui.errBlock("URL required"));
+      console.log(ui.blank());
       process.exit(1);
     }
-    apiUrl = input.replace(/\/$/, "");
 
-    process.stdout.write("\n  Verifying connection...");
+    apiUrl = input.trim().replace(/\/$/, "");
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+
+    // Verify
+    process.stdout.write(ui.INDENT + ui.slate("verifying ···"));
 
+    let verified = false;
     try {
       const res = await fetch(`${apiUrl}/cli/verify`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({}),
       });
+      verified = res.ok;
       if (!res.ok) {
         const text = await res.text().catch(() => "");
-        process.stdout.write("\r" + " ".repeat(30) + "\r");
-        console.error("  " + c.red("✗") + `  Backend returned ${res.status}: ${text}\n`);
+        process.stdout.write("\r" + " ".repeat(40) + "\r");
+        console.error(ui.errBlock(`backend returned ${res.status}`, text || undefined));
+        console.log(ui.blank());
         process.exit(1);
       }
     } catch {
-      process.stdout.write("\r" + " ".repeat(30) + "\r");
-      console.error("  " + c.red("✗") + `  Could not reach ${c.cyan(apiUrl)}`);
-      console.error("       Is the Convex deployment running?\n");
+      process.stdout.write("\r" + " ".repeat(40) + "\r");
+      console.error(ui.errBlock(
+        `cannot reach ${apiUrl}`,
+        "is the convex deployment running?"
+      ));
+      console.log(ui.blank());
       process.exit(1);
     }
 
-    process.stdout.write("\r" + " ".repeat(30) + "\r");
+    process.stdout.write("\r" + " ".repeat(40) + "\r");
 
     saveConfig({ apiUrl });
 
-    console.log("  " + c.green("✓") + "  Connected");
-    console.log("  " + c.green("✓") + "  Saved to ~/.suron-config");
-    console.log("\n  Next:  cd your-project && " + c.bold("suron init") + "\n");
+    console.log(ui.step("done",  "connection verified"));
+    console.log(ui.step("done",  "saved  ~/.suron-config"));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+    console.log(ui.infoBlock("next  ›  cd your-project  &&  " + ui.code("suron init")));
+    console.log(ui.blank());
   });

package/src/commands/recover.js

@@ -2,7 +2,7 @@ import { Command } from "commander";
 import { existsSync, writeFileSync } from "fs";
 import { join, basename } from "path";
 import { requireApiUrl, prompt } from "../utils/config.js";
-import c from "../utils/colors.js";
+import ui from "../utils/colors.js";
 
 export const recoverCommand = new Command("recover")
   .description("Restore a lost .suron.json by looking up your app name")
@@ -11,38 +11,52 @@ export const recoverCommand = new Command("recover")
     const cwd    = process.cwd();
     const apiUrl = requireApiUrl();
 
-    console.log("\n" + c.bold("  suron recover") + "  —  " + c.dim(cwd) + "\n");
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+    console.log(ui.kv("DIR", ui.slate(cwd)));
+    console.log(ui.blank());
 
     if (existsSync(join(cwd, ".suron.json"))) {
-      console.log("  " + c.yellow("⚠") + "  .suron.json already exists here.");
-      const answer = await prompt("  Overwrite it? [y/N] › ");
+      console.log(ui.infoBlock(".suron.json already exists here"));
+      console.log(ui.blank());
+      process.stdout.write(ui.promptLine("overwrite?  [y/N]"));
+      const answer = await prompt("");
       if (!/^y(es)?$/i.test(answer)) {
-        console.log("  " + c.dim("Cancelled.\n"));
+        console.log(ui.blank());
+        console.log(ui.infoBlock("cancelled"));
+        console.log(ui.blank());
         process.exit(0);
       }
+      console.log(ui.blank());
     }
 
     // ── App name ──────────────────────────────────────────────────────────────
-    // Names are case-insensitive for lookup — "datahaven" finds "DataHaven".
-    // We preserve the input casing here; the backend returns the canonical name.
     let appName;
     if (opts.name) {
-      // Strip non-alphanumeric but preserve case — backend does case-insensitive match.
       appName = opts.name.replace(/[^a-zA-Z0-9]/g, "");
-      console.log("  App name     " + c.cyan(appName));
     } else {
       const suggested = sanitiseName(basename(cwd) || "myapp");
-      const raw = await prompt(`  App name [${c.dim(suggested)}] › `);
+      process.stdout.write(ui.promptLine("app name  [" + suggested + "]"));
+      const raw = await prompt("");
       appName = sanitiseName(raw || suggested);
     }
 
     if (!appName) {
-      console.error("  " + c.red("✗") + "  App name is required and must contain at least one letter or digit.\n");
+      console.log(ui.blank());
+      console.error(ui.errBlock("app name required"));
+      console.log(ui.blank());
       process.exit(1);
     }
 
+    console.log(ui.blank());
+    console.log(ui.kv("LOOKUP", appName));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+
     // ── Look up app ───────────────────────────────────────────────────────────
-    console.log("\n  " + c.dim("Looking up app..."));
+    process.stdout.write(ui.INDENT + ui.slate("querying ···"));
 
     let res;
     try {
@@ -52,44 +66,47 @@ export const recoverCommand = new Command("recover")
         body: JSON.stringify({ name: appName }),
       });
     } catch (err) {
-      console.error("\n  " + c.red("✗") + `  Could not reach Suron API: ${err.message}\n`);
+      process.stdout.write("\r" + " ".repeat(40) + "\r");
+      console.error(ui.errBlock(`cannot reach API`, err.message));
+      console.log(ui.blank());
       process.exit(1);
     }
 
+    process.stdout.write("\r" + " ".repeat(40) + "\r");
+
     if (!res.ok) {
       let body = {};
       try { body = await res.json(); } catch { /* ignore */ }
       if (res.status === 404) {
-        console.error("\n  " + c.red("✗") + `  No app named "${c.cyan(appName)}" found.`);
-        console.error("       Lookup is case-insensitive — check spelling (letters and numbers only).\n");
+        console.error(ui.errBlock(
+          `"${appName}" not found`,
+          "lookup is case-insensitive — check spelling"
+        ));
       } else {
-        console.error("\n  " + c.red("✗") + `  ${body?.error ?? `recover-app failed (${res.status})`}\n`);
+        console.error(ui.errBlock(body?.error ?? `recover failed (${res.status})`));
       }
+      console.log(ui.blank());
       process.exit(1);
     }
 
     const { app_id, name } = await res.json();
 
     // ── Write .suron.json ─────────────────────────────────────────────────────
-    // Use the canonical name returned by the server (original registration casing).
     writeFileSync(
       join(cwd, ".suron.json"),
       JSON.stringify({ app: name, id: app_id, api_url: apiUrl }, null, 2) + "\n",
       "utf-8"
     );
 
-    console.log();
-    console.log("  " + c.green("✓") + "  .suron.json restored");
-    console.log("  " + c.dim("    app:  ") + c.cyan(name));
-    console.log("  " + c.dim("    id:   ") + c.cyan(app_id));
-    console.log();
+    console.log(ui.step("done", ".suron.json written"));
+    console.log(ui.blank());
+    console.log(ui.kv("APP", name));
+    console.log(ui.kv("ID",  app_id));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
   });
 
-/**
- * Strips non-alphanumeric characters while preserving case.
- * @param {string} name
- * @returns {string}
- */
 function sanitiseName(name) {
   return name.replace(/[^a-zA-Z0-9]/g, "");
 }

package/src/commands/whoami.js

@@ -1,13 +1,17 @@
 import { Command } from "commander";
 import { requireApiUrl } from "../utils/config.js";
-import c from "../utils/colors.js";
+import ui from "../utils/colors.js";
 
 export const whoamiCommand = new Command("whoami")
   .description("Show configured Suron API URL")
   .action(() => {
     const apiUrl = requireApiUrl();
-    console.log();
-    console.log("  " + c.bold("API URL")     + "    " + c.cyan(apiUrl));
-    console.log("  " + c.bold("Config file") + "  ~/.suron-config");
-    console.log();
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+    console.log(ui.kv("ENDPOINT",   apiUrl));
+    console.log(ui.kv("CONFIG",     "~/.suron-config"));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
   });

package/src/index.js

@@ -4,6 +4,7 @@ import { Command } from "commander";
 import { createRequire } from "module";
 import { loginCommand }   from "./commands/login.js";
 import { initCommand }    from "./commands/init.js";
+import { encryptCommand } from "./commands/encrypt.js";
 import { whoamiCommand }  from "./commands/whoami.js";
 import { recoverCommand } from "./commands/recover.js";
 
@@ -19,6 +20,7 @@ program
 
 program.addCommand(loginCommand);
 program.addCommand(initCommand);
+program.addCommand(encryptCommand);
 program.addCommand(whoamiCommand);
 program.addCommand(recoverCommand);
 

package/src/utils/colors.js

@@ -1,11 +1,181 @@
-// Minimal ANSI helpers — no deps, works in any Node.js
-export const c = {
-  bold:   (s) => `\x1b[1m${s}\x1b[0m`,
-  dim:    (s) => `\x1b[2m${s}\x1b[0m`,
-  green:  (s) => `\x1b[32m${s}\x1b[0m`,
-  red:    (s) => `\x1b[31m${s}\x1b[0m`,
-  yellow: (s) => `\x1b[33m${s}\x1b[0m`,
-  cyan:   (s) => `\x1b[36m${s}\x1b[0m`,
+/**
+ * SURON — Terminal Design System
+ *
+ * Aesthetic: Dieter Rams × Teenage Engineering
+ * Principle: Less, but better. Every character earns its place.
+ *
+ * Palette:
+ *   Amber      — primary signal, values, focus       #FFB347 → \x1b[38;5;214m
+ *   Warm white — labels, structural text             \x1b[97m
+ *   Slate      — secondary / dim                     \x1b[2m
+ *   Green      — success / done                      \x1b[38;5;71m
+ *   Red        — error / fail                        \x1b[38;5;167m
+ *   No blue. No purple. No cyan.
+ *
+ * Grid: all content lives at a 2-space left indent.
+ * Rule width: 58 chars of content (60 total with indent).
+ */
+
+const ESC = "\x1b[";
+const R   = "\x1b[0m";
+
+// Core palette
+const amber     = (s) => `${ESC}38;5;214m${s}${R}`;
+const warm      = (s) => `${ESC}97m${s}${R}`;
+const slate     = (s) => `${ESC}2m${s}${R}`;
+const green     = (s) => `${ESC}38;5;71m${s}${R}`;
+const red       = (s) => `${ESC}38;5;167m${s}${R}`;
+const bold      = (s) => `${ESC}1m${s}${R}`;
+const italic    = (s) => `${ESC}3m${s}${R}`;
+
+// Semantic aliases
+const value     = amber;   // user-supplied values, app names, URLs
+const label     = slate;   // column headers, static labels
+const ok        = green;   // success states
+const fail      = red;     // error states
+const em        = warm;    // emphasis within a line
+
+// ── Structural primitives ────────────────────────────────────────────────────
+
+const INDENT    = "  ";
+const COL_W     = 58;
+
+/** Horizontal rule — thin, full-width */
+const hr        = () => INDENT + slate("─".repeat(COL_W));
+
+/** Thick rule — section separator */
+const hrThick   = () => INDENT + slate("━".repeat(COL_W));
+
+/** Blank line */
+const blank     = () => "";
+
+/** Section header — sparse, uppercase, no decoration */
+const header    = (text) =>
+  INDENT + bold(warm(text.toUpperCase()));
+
+/**
+ * Key-value row — strict two-column layout
+ * key is left-padded to `keyWidth` (default 14), value is amber
+ * @param {string} key
+ * @param {string} val
+ * @param {number} [keyWidth=14]
+ */
+const kv        = (key, val, keyWidth = 14) =>
+  INDENT + label(key.padEnd(keyWidth)) + value(val);
+
+/**
+ * Status row — used in step lists
+ * States: "pending" | "run" | "done" | "skip" | "fail"
+ * @param {"pending"|"run"|"done"|"skip"|"fail"} state
+ * @param {string} text
+ * @param {string} [note]
+ */
+const STATUS_GLYPHS = {
+  pending: slate("·"),
+  run:     amber("▶"),
+  done:    green("✔"),
+  skip:    slate("○"),
+  fail:    red("✘"),
+};
+const STATUS_LABELS = {
+  pending: slate("···"),
+  run:     amber("RUN"),
+  done:    green("OK "),
+  skip:    slate("SKP"),
+  fail:    red("ERR"),
+};
+
+const step = (state, text, note) => {
+  const glyph  = STATUS_GLYPHS[state] ?? STATUS_GLYPHS.pending;
+  const status = STATUS_LABELS[state] ?? STATUS_LABELS.pending;
+  const body   = state === "fail"   ? red(text)
+               : state === "done"   ? slate(text)
+               : state === "skip"   ? slate(text)
+               : state === "run"    ? warm(text)
+               :                      slate(text);
+  const tail   = note ? "  " + slate(italic(note)) : "";
+  return INDENT + glyph + "  " + status + "  " + body + tail;
+};
+
+/**
+ * Inline prompt indicator — shown before user input
+ * @param {string} question
+ * @returns {string}
+ */
+const promptLine = (question) =>
+  INDENT + amber("▸") + "  " + warm(question) + "  " + slate("›") + " ";
+
+/**
+ * Error block — tight, no wasted space
+ * @param {string} msg
+ * @param {string} [hint]
+ */
+const errBlock = (msg, hint) => {
+  const lines = [INDENT + red("✘") + "  " + red(msg)];
+  if (hint) lines.push(INDENT + "   " + slate(hint));
+  return lines.join("\n");
 };
 
-export default c;
+/**
+ * Success block
+ * @param {string} msg
+ */
+const okBlock  = (msg) =>
+  INDENT + green("✔") + "  " + ok(msg);
+
+/**
+ * Info block (neutral)
+ * @param {string} msg
+ */
+const infoBlock = (msg) =>
+  INDENT + slate("·") + "  " + slate(msg);
+
+/**
+ * Code / path snippet — amber, stencil feel
+ * @param {string} text
+ */
+const code     = (text) =>
+  amber(text);
+
+/**
+ * Diff line — used in entry-point patching
+ * @param {"remove"|"add"|"unknown"} type
+ * @param {string} text
+ */
+const diff = (type, text) => {
+  if (type === "remove")  return INDENT + "   " + red("−") + "  " + slate(text);
+  if (type === "add")     return INDENT + "   " + green("+") + "  " + amber(text);
+  return                         INDENT + "   " + slate("?") + "  " + slate("(manual update required)");
+};
+
+/**
+ * Logo / wordmark — sparse, dot-matrix feel
+ * Only shown once per session (login/init headers).
+ */
+const logo = () => [
+  blank(),
+  INDENT + bold(warm("SURON")) + "  " + slate("·  secrets delivery"),
+].join("\n");
+
+/**
+ * Final "ready" block shown at end of init/encrypt
+ * @param {Array<{label:string, note:string}>} facts
+ */
+const readyBlock = (facts) => {
+  const lines = facts.map(f =>
+    INDENT + green("·") + "  " + label(f.label.padEnd(16)) + slate(f.note)
+  );
+  lines.push(blank());
+  lines.push(INDENT + green("▶") + "  " + bold(ok("READY")));
+  return lines.join("\n");
+};
+
+export default {
+  // palette
+  amber, warm, slate, green, red, bold, italic, value, label, ok, fail, em,
+  // layout
+  hr, hrThick, blank, header, kv, step, promptLine, errBlock, okBlock,
+  infoBlock, code, diff, logo, readyBlock,
+  // constants
+  INDENT, COL_W,
+};

package/src/utils/config.js

@@ -2,7 +2,7 @@ import { homedir } from "os";
 import { join } from "path";
 import { readFileSync, writeFileSync, existsSync } from "fs";
 import readline from "readline";
-import c from "./colors.js";
+import ui from "./colors.js";
 
 const CONFIG_PATH = join(homedir(), ".suron-config");
 
@@ -49,7 +49,9 @@ export function getApiUrl() {
 export function requireApiUrl() {
   const url = getApiUrl();
   if (!url) {
-    console.error(c.red("  error:") + " not configured. Run: suron login");
+    console.error(ui.blank());
+    console.error(ui.errBlock("not configured", "run: suron login"));
+    console.error(ui.blank());
     process.exit(1);
   }
   return url;

package/src/utils/dotenvx.js

@@ -1,25 +1,73 @@
 import { execSync } from "child_process";
-import { existsSync, readFileSync } from "fs";
+import { existsSync, readFileSync, writeFileSync } from "fs";
 import { join } from "path";
 
 /**
- * Encrypts .env in-place using dotenvx.
- * On success: .env is encrypted, .env.keys contains the private key.
- * If dotenvx exits 0 but .env.keys doesn't exist, the file was already
- * encrypted — readPrivateKey() will throw a clear error explaining that.
+ * Strips the dotenvx banner comment block from a string of file content.
+ *
+ * dotenvx injects a block like this into both .env and .env.keys on every
+ * encrypt call:
+ *
+ *   #/------------------!DOTENV_PRIVATE_KEYS!---...
+ *   #/ private decryption keys. DO NOT commit ...
+ *   #/     [how it works](https://dotenvx.com/encryption)
+ *   #/           backup with: `dotenvx ops backup`
+ *   #/----------------------------------------------------------/
+ *
+ * These lines all start with "#/" which regular user comments never do
+ * (user comments use a plain "#" prefix), so this is a safe, targeted strip.
+ *
+ * @param {string} content  Raw file content
+ * @returns {string}        Content with all #/ banner lines removed
+ */
+export function stripDotenvxComments(content) {
+  return content
+    .split("\n")
+    .filter(line => !line.startsWith("#/"))
+    .join("\n")
+    .replace(/\n{3,}/g, "\n\n")  // collapse excess blank lines left behind
+    .trimStart();
+}
+
+/**
+ * Strips dotenvx banner comments from .env and .env.keys in-place.
+ * Called automatically by encryptDotenv() after every encrypt run,
+ * but exported so callers can run it standalone if needed.
+ * @param {string} cwd
+ */
+export function cleanDotenvComments(cwd) {
+  for (const filename of [".env", ".env.keys"]) {
+    const filePath = join(cwd, filename);
+    if (!existsSync(filePath)) continue;
+    const raw = readFileSync(filePath, "utf-8");
+    const cleaned = stripDotenvxComments(raw);
+    if (cleaned !== raw) writeFileSync(filePath, cleaned, "utf-8");
+  }
+}
+
+/**
+ * Encrypts .env in-place using dotenvx, then strips the injected banner
+ * comments from both .env and .env.keys automatically.
+ *
+ * Idempotent — dotenvx only encrypts new plaintext values and leaves
+ * already-encrypted values untouched, reusing the existing keypair.
+ * Safe to call on first init AND any time new values are added to .env.
+ *
  * @param {string} cwd
  */
 export function encryptDotenv(cwd) {
   if (!existsSync(join(cwd, ".env"))) {
     throw new Error(`.env not found in ${cwd}`);
   }
+
   // Strip all dotenvx keypair vars from the child environment.
-  // If dotenvx sees DOTENV_PRIVATE_KEY *or* DOTENV_PUBLIC_KEY already set
-  // it reuses that keypair and skips writing .env.keys entirely, which
-  // breaks readPrivateKey() immediately after.
+  // If dotenvx sees DOTENV_PRIVATE_KEY or DOTENV_PUBLIC_KEY already set
+  // it may skip writing .env.keys, breaking readPrivateKey() on first run.
   const env = { ...process.env };
   for (const k of Object.keys(env)) {
-    if (k.startsWith("DOTENV_PRIVATE_KEY") || k.startsWith("DOTENV_PUBLIC_KEY")) delete env[k];
+    if (k.startsWith("DOTENV_PRIVATE_KEY") || k.startsWith("DOTENV_PUBLIC_KEY")) {
+      delete env[k];
+    }
   }
 
   try {
@@ -35,6 +83,9 @@ export function encryptDotenv(cwd) {
     if (stdout) process.stdout.write(stdout);
     throw new Error(`dotenvx encrypt failed: ${stderr || err}`);
   }
+
+  // Always strip the banner dotenvx injects on every encrypt call.
+  cleanDotenvComments(cwd);
 }
 
 /**
@@ -57,5 +108,3 @@ export function readPrivateKey(cwd) {
   }
   return match[1].trim();
 }
-
-