@treeseed/cli 0.4.12 → 0.5.1

package/dist/cli/operations-registry.js

@@ -540,6 +540,83 @@ const CLI_COMMAND_OVERLAYS = /* @__PURE__ */ new Map([
     executionMode: "handler",
     handlerName: "auth:whoami"
   })],
+  ["secrets:status", command({
+    options: [{ name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }],
+    examples: ["treeseed secrets:status"],
+    help: {
+      longSummary: ["Secrets:status shows whether the local key agent is running, whether the wrapped machine key exists, and whether the in-memory secret session is currently unlocked."],
+      whenToUse: ["Use this before secret-backed local commands when you need to confirm whether the machine key is already unlocked."],
+      beforeYouRun: ["Decide whether you want the human-readable summary or `--json` for automation."],
+      automationNotes: ["This command is read-only and safe for agents to call before deciding whether an unlock step is required."]
+    },
+    executionMode: "handler",
+    handlerName: "secrets:status"
+  })],
+  ["secrets:unlock", command({
+    options: [
+      { name: "fromEnv", flags: "--from-env", description: "Unlock from TREESEED_KEY_PASSPHRASE instead of prompting.", kind: "boolean" },
+      { name: "createIfMissing", flags: "--create-if-missing", description: "Create a wrapped machine key when one does not exist yet.", kind: "boolean" },
+      { name: "allowMigration", flags: "--allow-migration", description: "Allow migration from the legacy plaintext machine-key file.", kind: "boolean" },
+      { name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }
+    ],
+    examples: ["treeseed secrets:unlock", "treeseed secrets:unlock --from-env"],
+    help: {
+      longSummary: ["Secrets:unlock starts or reuses the host-local key agent and unlocks the in-memory machine key from an interactive passphrase prompt or the TREESEED_KEY_PASSPHRASE startup env var."],
+      whenToUse: ["Use this before running local dev, config, deployment, or runner commands that need encrypted local secrets."],
+      beforeYouRun: ["Use a TTY for the interactive prompt path, or set TREESEED_KEY_PASSPHRASE before using `--from-env` in backend startup automation."],
+      automationNotes: ["Backend servers should use `--from-env` only during the explicit startup unlock step, not during arbitrary job execution."]
+    },
+    executionMode: "handler",
+    handlerName: "secrets:unlock"
+  })],
+  ["secrets:lock", command({
+    options: [{ name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }],
+    examples: ["treeseed secrets:lock"],
+    help: {
+      longSummary: ["Secrets:lock clears the in-memory machine key from the host-local key agent."],
+      whenToUse: ["Use this when you want to end the current local secret session before the idle timeout expires."],
+      beforeYouRun: ["No additional setup is required."],
+      automationNotes: ["This command is safe to run in automation when a runner host should explicitly clear local secret access."]
+    },
+    executionMode: "handler",
+    handlerName: "secrets:lock"
+  })],
+  ["secrets:migrate-key", command({
+    options: [{ name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }],
+    examples: ["treeseed secrets:migrate-key"],
+    help: {
+      longSummary: ["Secrets:migrate-key replaces the legacy plaintext machine-key file with the wrapped passphrase-protected format used by the Treeseed key agent."],
+      whenToUse: ["Use this when status or doctor reports that machine-key migration is still required."],
+      beforeYouRun: ["Run this in a TTY so you can create and confirm the new wrapping passphrase."],
+      automationNotes: ["Prefer this as a one-time operator action rather than an unattended automation step."]
+    },
+    executionMode: "handler",
+    handlerName: "secrets:migrate-key"
+  })],
+  ["secrets:rotate-passphrase", command({
+    options: [{ name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }],
+    examples: ["treeseed secrets:rotate-passphrase"],
+    help: {
+      longSummary: ["Secrets:rotate-passphrase re-wraps the existing machine key with a newly entered passphrase without changing the underlying machine key."],
+      whenToUse: ["Use this when the local wrapping passphrase should be changed without re-encrypting the stored secret payloads."],
+      beforeYouRun: ["Unlock the current secret session first, then run this in a TTY so you can enter and confirm the new passphrase."],
+      automationNotes: ["Treat passphrase rotation as an operator-controlled maintenance action, not a normal background job."]
+    },
+    executionMode: "handler",
+    handlerName: "secrets:rotate-passphrase"
+  })],
+  ["secrets:rotate-machine-key", command({
+    options: [{ name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }],
+    examples: ["treeseed secrets:rotate-machine-key"],
+    help: {
+      longSummary: ["Secrets:rotate-machine-key generates a new machine key, re-encrypts stored local secrets, and re-wraps the result with the configured passphrase."],
+      whenToUse: ["Use this when the underlying machine key itself must be rotated, such as after a local secret-hygiene event."],
+      beforeYouRun: ["Unlock the current secret session and make sure TREESEED_KEY_PASSPHRASE is set for the non-interactive re-wrap step."],
+      automationNotes: ["This command mutates local encrypted state and should be run intentionally rather than as part of routine startup automation."]
+    },
+    executionMode: "handler",
+    handlerName: "secrets:rotate-machine-key"
+  })],
   ["template", command({
     usage: "treeseed template [list|show|validate] [id]",
     arguments: [
@@ -622,15 +699,27 @@ const CLI_COMMAND_OVERLAYS = /* @__PURE__ */ new Map([
   ["config", command({
     options: [
       { name: "full", flags: "--full", description: "Open the advanced full editor directly in human interactive mode.", kind: "boolean" },
+      { name: "mouse", flags: "--mouse", description: "Opt into mouse capture for the config UI. Keyboard-first terminal behavior remains the default.", kind: "boolean" },
       { name: "environment", flags: "--environment <scope>", description: "Select all environments or limit configuration to local, staging, or prod. Defaults to all.", kind: "enum", repeatable: true, values: ["all", "local", "staging", "prod"] },
       { name: "sync", flags: "--sync <mode>", description: "Sync hosted secrets/variables to GitHub, Cloudflare, Railway, or all providers. Defaults to all.", kind: "enum", values: ["none", "github", "cloudflare", "railway", "all"] },
+      { name: "nonInteractive", flags: "--non-interactive", description: "Apply resolved values without opening the interactive UI. Required for non-TTY automation unless using an operational mode such as --print-env-only.", kind: "boolean" },
+      { name: "installMissingTooling", flags: "--install-missing-tooling", description: "Install missing config verification tooling such as `gh-act` during the run instead of only reporting it.", kind: "boolean" },
       { name: "printEnv", flags: "--print-env", description: "Print resolved environment values before remote initialization.", kind: "boolean" },
       { name: "printEnvOnly", flags: "--print-env-only", description: "Print resolved environment values, check provider connections, and exit without prompting or initializing remote resources.", kind: "boolean" },
       { name: "showSecrets", flags: "--show-secrets", description: "Print full secret values in environment reports instead of masking them.", kind: "boolean" },
       { name: "rotateMachineKey", flags: "--rotate-machine-key", description: "Regenerate the local home machine key and re-encrypt stored Treeseed secrets and remote auth sessions.", kind: "boolean" },
+      { name: "connectMarket", flags: "--connect-market", description: "Pair the current local repo to a Knowledge Coop project and register the hybrid runner connection.", kind: "boolean" },
+      { name: "marketBaseUrl", flags: "--market-base-url <url>", description: "Knowledge Coop control-plane base URL for --connect-market. Defaults to the active remote host.", kind: "string" },
+      { name: "marketTeamId", flags: "--market-team-id <id>", description: "Team ID to record in the local Knowledge Coop pairing metadata.", kind: "string" },
+      { name: "marketTeamSlug", flags: "--market-team-slug <slug>", description: "Team slug to record in the local Knowledge Coop pairing metadata.", kind: "string" },
+      { name: "marketProjectId", flags: "--market-project-id <id>", description: "Project ID to pair with when using --connect-market.", kind: "string" },
+      { name: "marketProjectSlug", flags: "--market-project-slug <slug>", description: "Project slug to record in the local Knowledge Coop pairing metadata.", kind: "string" },
+      { name: "marketProjectApiBaseUrl", flags: "--market-project-api-base-url <url>", description: "Override the project API base URL recorded on the Knowledge Coop project connection.", kind: "string" },
+      { name: "marketAccessToken", flags: "--market-access-token <token>", description: "Explicit Knowledge Coop access token to use for pairing. Prefer an existing remote session when possible.", kind: "string" },
+      { name: "rotateRunnerToken", flags: "--rotate-runner-token", description: "Rotate the project runner credential while pairing the local hybrid repo.", kind: "boolean" },
       { name: "json", flags: "--json", description: "Emit machine-readable JSON instead of human-readable text.", kind: "boolean" }
     ],
-    examples: ["treeseed config", "treeseed config --full", "treeseed config --environment all", "treeseed config --environment local --sync none", "treeseed config --environment staging --print-env-only --show-secrets", "treeseed config --rotate-machine-key"],
+    examples: ["treeseed config", "treeseed config --full --mouse", "treeseed config --environment all", "treeseed config --environment local --sync none", "treeseed config --environment local --sync none --non-interactive", "treeseed config --environment staging --print-env-only --show-secrets", "treeseed config --rotate-machine-key", "treeseed config --connect-market --market-project-id kc_proj_123"],
     notes: ["Does not create branch preview deployments. Use `treeseed switch <branch> --preview` for that."],
     help: {
       workflowPosition: "configure runtime",
@@ -640,10 +729,10 @@ const CLI_COMMAND_OVERLAYS = /* @__PURE__ */ new Map([
       ],
       whenToUse: [
         "Use this during first-run setup, after new required environment variables are introduced, or when provider-backed configuration drift must be repaired.",
-        "Use the startup wizard for onboarding and the full editor when you need complete per-variable control."
+        "Use the startup wizard for onboarding and the full editor when you need complete per-variable control. Terminal-native copy, selection, and paste are the default interaction model."
       ],
       beforeYouRun: [
-        "Decide whether you want human interactive mode or machine-readable `--json` output before invoking the command.",
+        "Decide whether you want human interactive mode, explicit `--non-interactive` application, or machine-readable `--json` output before invoking the command.",
         "Choose the environment scope you care about: all, local, staging, or prod.",
         "If you plan to sync hosted state, make sure GitHub, Cloudflare, and Railway authentication is already configured or be ready to log in first."
       ],
@@ -655,21 +744,29 @@ const CLI_COMMAND_OVERLAYS = /* @__PURE__ */ new Map([
       examples: [
         example("treeseed config", "Run the startup wizard", "Open the newcomer-friendly configuration wizard in human TTY mode."),
         example("treeseed config --full", "Open the advanced editor directly", "Skip the startup wizard and go straight to the full configuration surface."),
+        example("treeseed config --full --mouse", "Opt into mouse capture for the editor", "Keep the keyboard-first defaults unless you explicitly want click and wheel interaction inside the config UI."),
         example("treeseed config --environment local --sync none", "Edit local values without provider sync", "Limit the session to local values and avoid hosted synchronization while iterating locally."),
+        example("treeseed config --environment local --sync none --non-interactive", "Apply deterministic local config in automation", "Use the resolved current and suggested values without opening the interactive UI."),
         example("treeseed config --environment staging --print-env-only --show-secrets", "Inspect a resolved environment report", "Print the resolved staging environment with full secret visibility and exit."),
-        example("treeseed config --rotate-machine-key", "Rotate the local secret encryption key", "Regenerate the machine key and re-encrypt locally stored Treeseed secrets.")
+        example("treeseed config --rotate-machine-key", "Rotate the local secret encryption key", "Regenerate the machine key and re-encrypt locally stored Treeseed secrets."),
+        example("treeseed config --connect-market --market-project-id kc_proj_123", "Pair a hybrid repo to Knowledge Coop", "Register the current local repo as the hybrid runner connection for an existing Knowledge Coop project.")
       ],
       optionDetails: [
         detail("--full", "Enter the advanced editor directly instead of the startup wizard."),
+        detail("--mouse", "Opt into terminal mouse capture for clicking, scrolling, and focus changes inside the config UI."),
         detail("--environment <scope>", "Filter configuration to `all`, `local`, `staging`, or `prod`."),
         detail("--sync <mode>", "Choose which provider surfaces should receive synchronized values after local updates are applied."),
+        detail("--non-interactive", "Apply resolved values without opening the interactive editor. Use this for automation when you do not want `--json` output."),
+        detail("--install-missing-tooling", "Allow config to install missing verification helpers such as the GitHub `gh-act` extension instead of only reporting them."),
         detail("--print-env", "Print the resolved environment values before remote initialization continues."),
         detail("--print-env-only", "Print the environment report and exit without interactive editing or remote initialization."),
-        detail("--rotate-machine-key", "Rotate the local machine key used for encrypted Treeseed secret storage.")
+        detail("--rotate-machine-key", "Rotate the local machine key used for encrypted Treeseed secret storage."),
+        detail("--connect-market", "Pair the current repo to a Knowledge Coop project and store the resulting market connection metadata locally.")
       ],
       automationNotes: [
-        "Use `--json` for non-interactive flows. Human TTY mode is where the startup wizard and full editor appear.",
-        "`--print-env-only` and `--rotate-machine-key` are operational paths that bypass the interactive UI.",
+        "Use `--json` for machine-readable automation, or `--non-interactive` when you want deterministic application without interactive UI.",
+        "`--print-env-only`, `--rotate-machine-key`, and `--connect-market` are operational paths that bypass the interactive UI.",
+        "Config reports missing tooling by default. Use `--install-missing-tooling` when you want the command to attempt installation.",
         "Shared versus scoped environment semantics are resolved inside the SDK; the CLI help should be treated as the operator-facing explanation layer."
       ],
       warnings: [
@@ -850,7 +947,25 @@ const CLI_COMMAND_OVERLAYS = /* @__PURE__ */ new Map([
   ["lint", command({ examples: ["treeseed lint"], help: { longSummary: ["Lint runs the project linting and related surface checks for the current tenant."], examples: [example("treeseed lint", "Run lint", "Execute the lint checks for the current project."), example("trsd lint", "Use the short alias", "Run the same lint checks through the shorter entrypoint."), example("treeseed lint && treeseed test:unit", "Lint before unit tests", "Use lint as a first local verification step.")] }, executionMode: "adapter" })],
   ["test", command({ examples: ["treeseed test"], help: { longSummary: ["Test runs the default Treeseed test surface for the current project."], examples: [example("treeseed test", "Run the default test suite", "Execute the standard project test flow."), example("trsd test", "Use the short alias", "Run the same test surface with the shorter entrypoint."), example("treeseed test && treeseed build", "Verify before building", "Run tests before the build step in a local verification loop.")] }, executionMode: "adapter" })],
   ["test:unit", command({ examples: ["treeseed test:unit"], help: { longSummary: ["Test:unit runs workspace unit tests in dependency order."], examples: [example("treeseed test:unit", "Run unit tests", "Execute the package unit test flow."), example("trsd test:unit", "Use the short alias", "Run the same unit tests via the short entrypoint."), example("treeseed test:unit && treeseed check", "Unit tests then validation", "Combine focused tests with broader tenant validation.")] }, executionMode: "adapter" })],
-  ["preflight", command({ examples: ["treeseed preflight"], help: { longSummary: ["Preflight checks local prerequisites and authentication state before heavier workflows run."], examples: [example("treeseed preflight", "Run the preflight checklist", "Inspect local prerequisites and auth readiness."), example("trsd preflight", "Use the short alias", "Run the same readiness check via the short entrypoint."), example("treeseed preflight && treeseed dev", "Validate before starting local runtime", "Confirm readiness before launching the integrated dev surface.")] }, executionMode: "adapter" })],
+  ["preflight", command({
+    options: [
+      { name: "launch", flags: "--launch", description: "Validate managed Knowledge Coop launch prerequisites, provider auth, and required live configuration.", kind: "boolean" }
+    ],
+    examples: ["treeseed preflight", "treeseed preflight --launch"],
+    help: {
+      longSummary: ["Preflight checks local prerequisites and authentication state before heavier workflows run."],
+      examples: [
+        example("treeseed preflight", "Run the preflight checklist", "Inspect local prerequisites and auth readiness."),
+        example("treeseed preflight --launch", "Validate live launch readiness", "Check managed Knowledge Coop launch prerequisites before creating live GitHub, Cloudflare, and Railway resources."),
+        example("trsd preflight", "Use the short alias", "Run the same readiness check via the short entrypoint."),
+        example("treeseed preflight && treeseed dev", "Validate before starting local runtime", "Confirm readiness before launching the integrated dev surface.")
+      ]
+    },
+    executionMode: "adapter",
+    buildAdapterInput: (invocation) => ({
+      launch: invocation.args.launch === true
+    })
+  })],
   ["auth:check", command({ examples: ["treeseed auth:check"], executionMode: "adapter", buildAdapterInput: () => ({ requireAuth: true }) })],
   ["test:e2e", command({ examples: ["treeseed test:e2e"], executionMode: "adapter" })],
   ["test:e2e:local", command({ examples: ["treeseed test:e2e:local"], executionMode: "adapter" })],
@@ -860,7 +975,6 @@ const CLI_COMMAND_OVERLAYS = /* @__PURE__ */ new Map([
   ["test:release:full", command({ examples: ["treeseed test:release:full", "treeseed release:verify"], executionMode: "adapter" })],
   ["release:publish:changed", command({ examples: ["treeseed release:publish:changed"], executionMode: "adapter" })],
   ["astro", command({ examples: ["treeseed astro -- --help"], executionMode: "adapter", buildAdapterInput: PASS_THROUGH_ARGS })],
-  ["sync:devvars", command({ examples: ["treeseed sync:devvars"], executionMode: "adapter" })],
   ["mailpit:up", command({ examples: ["treeseed mailpit:up"], executionMode: "adapter" })],
   ["mailpit:down", command({ examples: ["treeseed mailpit:down"], executionMode: "adapter" })],
   ["mailpit:logs", command({ examples: ["treeseed mailpit:logs"], executionMode: "adapter" })],

package/dist/cli/registry.d.ts

@@ -22,6 +22,12 @@ export declare const COMMAND_HANDLERS: {
     readonly 'auth:login': import("./operations-types.js").TreeseedCommandHandler;
     readonly 'auth:logout': import("./operations-types.js").TreeseedCommandHandler;
     readonly 'auth:whoami': import("./operations-types.js").TreeseedCommandHandler;
+    readonly 'secrets:status': import("./operations-types.js").TreeseedCommandHandler;
+    readonly 'secrets:unlock': import("./operations-types.js").TreeseedCommandHandler;
+    readonly 'secrets:lock': import("./operations-types.js").TreeseedCommandHandler;
+    readonly 'secrets:migrate-key': import("./operations-types.js").TreeseedCommandHandler;
+    readonly 'secrets:rotate-passphrase': import("./operations-types.js").TreeseedCommandHandler;
+    readonly 'secrets:rotate-machine-key': import("./operations-types.js").TreeseedCommandHandler;
 };
 export declare const TRESEED_COMMAND_SPECS: TreeseedCommandSpec[];
 export declare function findCommandSpec(name: string | null | undefined): import("./operations-types.js").TreeseedOperationSpec | null;

package/dist/cli/registry.js

@@ -18,6 +18,14 @@ import { handleSync } from "./handlers/sync.js";
 import { handleAuthLogin } from "./handlers/auth-login.js";
 import { handleAuthLogout } from "./handlers/auth-logout.js";
 import { handleAuthWhoAmI } from "./handlers/auth-whoami.js";
+import {
+  handleSecretsLock,
+  handleSecretsMigrateKey,
+  handleSecretsRotateMachineKey,
+  handleSecretsRotatePassphrase,
+  handleSecretsStatus,
+  handleSecretsUnlock
+} from "./handlers/secrets.js";
 import { handleTasks } from "./handlers/tasks.js";
 import { handleSwitch } from "./handlers/switch.js";
 import { handleStage } from "./handlers/stage.js";
@@ -46,7 +54,13 @@ const COMMAND_HANDLERS = {
   export: handleExport,
   "auth:login": handleAuthLogin,
   "auth:logout": handleAuthLogout,
-  "auth:whoami": handleAuthWhoAmI
+  "auth:whoami": handleAuthWhoAmI,
+  "secrets:status": handleSecretsStatus,
+  "secrets:unlock": handleSecretsUnlock,
+  "secrets:lock": handleSecretsLock,
+  "secrets:migrate-key": handleSecretsMigrateKey,
+  "secrets:rotate-passphrase": handleSecretsRotatePassphrase,
+  "secrets:rotate-machine-key": handleSecretsRotateMachineKey
 };
 const TRESEED_COMMAND_SPECS = TRESEED_OPERATION_SPECS;
 function findCommandSpec(name) {

package/dist/cli/repair.js

@@ -1,4 +1,4 @@
-import { copyFileSync, existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
 import {
   createDefaultTreeseedMachineConfig,
@@ -8,7 +8,7 @@ import {
   loadDeployState,
   loadTreeseedMachineConfig,
   resolveTreeseedMachineEnvironmentValues,
-  writeTreeseedLocalEnvironmentFiles,
+  warnDeprecatedTreeseedLocalEnvFiles,
   writeTreeseedMachineConfig,
   createPersistentDeployTarget,
   ensureGeneratedWranglerConfig
@@ -17,11 +17,9 @@ function applyTreeseedSafeRepairs(tenantRoot) {
   const actions = [];
   ensureTreeseedGitignoreEntries(tenantRoot);
   actions.push({ id: "gitignore", detail: "Ensured Treeseed gitignore entries are present." });
-  const envLocalPath = resolve(tenantRoot, ".env.local");
-  const envLocalExamplePath = resolve(tenantRoot, ".env.local.example");
-  if (!existsSync(envLocalPath) && existsSync(envLocalExamplePath)) {
-    copyFileSync(envLocalExamplePath, envLocalPath);
-    actions.push({ id: "env-local", detail: "Created .env.local from .env.local.example." });
+  const deprecatedFiles = warnDeprecatedTreeseedLocalEnvFiles(tenantRoot);
+  if (deprecatedFiles.length > 0) {
+    actions.push({ id: "deprecated-local-env", detail: "Detected deprecated .env.local/.dev.vars files that Treeseed now ignores." });
   }
   const deployConfig = loadCliDeployConfig(tenantRoot);
   const { configPath } = getTreeseedMachineConfigPaths(tenantRoot);
@@ -38,8 +36,6 @@ function applyTreeseedSafeRepairs(tenantRoot) {
   actions.push({ id: "machine-key", detail: "Ensured the Treeseed machine key exists." });
   const machineConfig = loadTreeseedMachineConfig(tenantRoot);
   writeTreeseedMachineConfig(tenantRoot, machineConfig);
-  writeTreeseedLocalEnvironmentFiles(tenantRoot);
-  actions.push({ id: "local-env", detail: "Regenerated .env.local and .dev.vars from the current machine config." });
   const stateRoot = resolve(tenantRoot, ".treeseed", "state", "environments");
   if (existsSync(stateRoot)) {
     for (const scope of ["local", "staging", "prod"]) {

package/dist/cli/ui/framework.d.ts

@@ -53,6 +53,7 @@ export declare function scrollOffsetByDelta(state: ScrollRegionState, delta: num
 export declare function scrollOffsetByPage(state: ScrollRegionState, pages: number): number;
 export declare function ensureVisible(index: number, offset: number, viewportSize: number): number;
 export declare function truncateLine(value: string, width: number): string;
+export declare function formatSecretMaskedValue(value: string): string;
 export declare function wrapText(value: string, width: number): string[];
 export declare function containsPoint(rect: UiRect, x: number, y: number): boolean;
 export declare function findClickableRegion(regions: UiClickRegion[], x: number, y: number): UiClickRegion | null;
@@ -120,6 +121,7 @@ type TextInputFieldProps = {
     secret?: boolean;
     placeholder?: string;
     cursorPosition?: number;
+    helperText?: string;
 };
 export declare function TextInputField(props: TextInputFieldProps): any;
 type TextAreaFieldProps = {

package/dist/cli/ui/framework.js

@@ -48,6 +48,25 @@ function truncateLine(value, width) {
   }
   return `${value.slice(0, Math.max(0, width - 1))}\u2026`;
 }
+function formatSecretMaskedValue(value) {
+  if (!value) {
+    return "(unset)";
+  }
+  const normalized = value.replace(/\r\n/g, "\n").replace(/\r/g, "\n").replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/g, "").replace(/\n+/g, " ").trim();
+  if (!normalized) {
+    return "(unset)";
+  }
+  if (normalized.length === 1) {
+    return `${normalized} [1]`;
+  }
+  const maxRevealedTotal = Math.max(2, Math.floor(normalized.length * 0.25));
+  const revealPerSide = Math.min(3, Math.max(1, Math.floor(maxRevealedTotal / 2)));
+  const leading = normalized.slice(0, revealPerSide);
+  const trailing = normalized.slice(Math.max(revealPerSide, normalized.length - revealPerSide));
+  const maskedCount = Math.max(0, normalized.length - leading.length - trailing.length);
+  const maskedMiddle = "*".repeat(maskedCount);
+  return `${leading}${maskedMiddle}${trailing} [${normalized.length}]`;
+}
 function wrapText(value, width) {
   if (width <= 0) {
     return [""];
@@ -186,29 +205,40 @@ function FieldCard(props) {
     ))
   );
 }
-function TextInputField(props) {
-  const height = props.height ?? 4;
+function renderTextInputContent(props) {
   const safeCursor = Math.max(0, Math.min(props.cursorPosition ?? props.value.length, props.value.length));
-  const visibleValue = props.secret && props.value ? "\u2022".repeat(props.value.length) : props.value;
-  const placeholder = props.placeholder ?? "(empty)";
-  let inputLine = visibleValue;
-  if (props.focused) {
-    const beforeCursor = visibleValue.slice(0, safeCursor);
-    const afterCursor = visibleValue.slice(safeCursor);
-    inputLine = `${beforeCursor}\u2588${afterCursor}`;
-  } else if (!inputLine) {
-    inputLine = placeholder;
+  const placeholder = props.placeholder ?? "";
+  const contentWidth = Math.max(1, props.width - 2);
+  if (!props.focused && !props.value) {
+    return React.createElement(Text, { color: "gray" }, truncateLine(placeholder || " ".repeat(contentWidth), contentWidth));
   }
-  return React.createElement(FieldCard, {
-    width: props.width,
-    height,
-    title: props.label,
-    focused: props.focused,
-    lines: [
-      inputLine || "\u2588",
-      props.value.length > 0 ? "Type a replacement value or leave this as-is." : placeholder
-    ]
-  });
+  const visibleValue = props.secret && props.value.length > 0 ? formatSecretMaskedValue(props.value) : props.value;
+  if (!props.focused) {
+    return React.createElement(Text, null, truncateLine(visibleValue || placeholder, contentWidth));
+  }
+  const preservedPrefix = visibleValue.slice(0, safeCursor);
+  const visiblePrefix = preservedPrefix.slice(Math.max(0, preservedPrefix.length - Math.max(0, contentWidth - 1)));
+  const cursorCell = visibleValue[safeCursor] ?? " ";
+  const padding = " ".repeat(Math.max(0, contentWidth - visiblePrefix.length - 1));
+  return React.createElement(
+    Text,
+    null,
+    visiblePrefix,
+    React.createElement(Text, { color: "black", backgroundColor: "cyan" }, cursorCell),
+    padding
+  );
+}
+function TextInputField(props) {
+  const height = props.height ?? 4;
+  const placeholder = props.placeholder ?? "";
+  const helperText = props.helperText ?? (props.value.length > 0 ? props.secret ? "Secret value captured. Paste or type a replacement, or leave this as-is." : "Type a replacement value or leave this as-is." : placeholder);
+  return React.createElement(
+    Box,
+    { flexDirection: "column", width: props.width, height, borderStyle: "round", borderColor: props.focused ? "cyan" : "blue", overflow: "hidden" },
+    React.createElement(Text, { color: "blue", bold: true }, truncateLine(props.label, props.width - 2)),
+    renderTextInputContent(props),
+    React.createElement(Text, { color: "gray" }, truncateLine(helperText || " ", props.width - 2))
+  );
 }
 function TextAreaField(props) {
   return React.createElement(FieldCard, {
@@ -216,7 +246,7 @@ function TextAreaField(props) {
     height: props.height,
     title: props.label,
     focused: props.focused,
-    lines: wrapText(props.value || "(empty)", Math.max(1, props.width - 2))
+    lines: wrapText(props.value || "Value is unset.", Math.max(1, props.width - 2))
   });
 }
 function ActionButton(props) {
@@ -286,6 +316,7 @@ export {
   ensureVisible,
   findClickableRegion,
   findScrollRegion,
+  formatSecretMaskedValue,
   popNavigationEntry,
   pushNavigationEntry,
   routeWheelDeltaToScrollRegion,

package/dist/cli/ui/mouse.d.ts

@@ -8,4 +8,6 @@ export type TerminalMouseEvent = {
     ctrl: boolean;
 };
 export declare function parseTerminalMouseInput(input: string): TerminalMouseEvent[];
-export declare function useTerminalMouse(onEvent: (event: TerminalMouseEvent) => void): void;
+export declare function useTerminalMouse(onEvent: (event: TerminalMouseEvent) => void, options?: {
+    enabled?: boolean;
+}): void;

package/dist/cli/ui/mouse.js

@@ -41,7 +41,7 @@ function parseTerminalMouseInput(input) {
   }
   return events;
 }
-function useTerminalMouse(onEvent) {
+function useTerminalMouse(onEvent, options = {}) {
   const { stdin } = useStdin();
   const { stdout } = useStdout();
   const handlerRef = React.useRef(onEvent);
@@ -49,7 +49,7 @@ function useTerminalMouse(onEvent) {
     handlerRef.current = onEvent;
   }, [onEvent]);
   React.useEffect(() => {
-    if (!stdin || !stdout || !process.stdin.isTTY || !process.stdout.isTTY) {
+    if (options.enabled === false || !stdin || !stdout || !process.stdin.isTTY || !process.stdout.isTTY) {
       return;
     }
     stdout.write("\x1B[?1000h\x1B[?1006h");
@@ -64,7 +64,7 @@ function useTerminalMouse(onEvent) {
       stdin.off("data", handleData);
       stdout.write("\x1B[?1000l\x1B[?1006l");
     };
-  }, [stdin, stdout]);
+  }, [options.enabled, stdin, stdout]);
 }
 export {
   parseTerminalMouseInput,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@treeseed/cli",
-  "version": "0.4.12",
+  "version": "0.5.1",
   "description": "Operator-facing Treeseed CLI package.",
   "license": "AGPL-3.0-only",
   "repository": {
@@ -20,7 +20,8 @@
   "types": "./dist/index.d.ts",
   "files": [
     "README.md",
-    "dist"
+    "dist",
+    "scripts/verify-driver.mjs"
   ],
   "publishConfig": {
     "access": "public"
@@ -34,16 +35,16 @@
     "build:dist": "node ./scripts/run-ts.mjs ./scripts/build-dist.ts",
     "prepack": "npm run build:dist",
     "verify:direct": "npm run release:verify",
-    "verify:local": "node --input-type=module -e \"process.env.TREESEED_VERIFY_DRIVER='direct'; await import('@treeseed/sdk/scripts/verify-driver')\"",
-    "verify:action": "node --input-type=module -e \"process.env.TREESEED_VERIFY_DRIVER='act'; await import('@treeseed/sdk/scripts/verify-driver')\"",
-    "verify": "node --input-type=module -e \"await import('@treeseed/sdk/scripts/verify-driver')\"",
+    "verify:local": "node --input-type=module -e \"process.env.TREESEED_VERIFY_DRIVER='direct'; await import('./scripts/verify-driver.mjs')\"",
+    "verify:action": "node --input-type=module -e \"process.env.TREESEED_VERIFY_DRIVER='act'; await import('./scripts/verify-driver.mjs')\"",
+    "verify": "node --input-type=module -e \"await import('./scripts/verify-driver.mjs')\"",
     "release:setup": "npm run setup:ci",
     "release:check-tag": "node ./scripts/run-ts.mjs ./scripts/assert-release-tag-version.ts",
     "release:verify": "node ./scripts/run-ts.mjs ./scripts/release-verify.ts",
     "release:publish": "node ./scripts/run-ts.mjs ./scripts/publish-package.ts"
   },
   "dependencies": {
-    "@treeseed/sdk": "^0.4.13",
+    "@treeseed/sdk": "^0.5.3",
     "ink": "^7.0.0",
     "react": "^19.2.5"
   },

package/scripts/verify-driver.mjs

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process';
+
+function runDirectVerify() {
+	const result = spawnSync('npm', ['run', 'verify:direct'], {
+		cwd: process.cwd(),
+		env: process.env,
+		stdio: 'inherit',
+	});
+	process.exit(result.status ?? 1);
+}
+
+const entrypointCheckOnly = process.env.TREESEED_VERIFY_ENTRYPOINT_CHECK === 'true';
+
+try {
+	await import('@treeseed/sdk/scripts/verify-driver');
+	if (entrypointCheckOnly) {
+		process.exit(0);
+	}
+} catch (error) {
+	if (error && typeof error === 'object' && 'code' in error && error.code === 'ERR_MODULE_NOT_FOUND') {
+		if (entrypointCheckOnly) {
+			process.stderr.write('Treeseed cli verify: @treeseed/sdk is required for verify entrypoint resolution.\n');
+			process.exit(1);
+		}
+		if (process.env.TREESEED_VERIFY_DRIVER === 'act') {
+			process.stderr.write('Treeseed cli verify: `act` mode requires @treeseed/sdk to be installed.\n');
+			process.exit(1);
+		}
+		runDirectVerify();
+	}
+	throw error;
+}