daemora 1.0.2 → 1.0.4

package/src/safety/Sandbox.js

@@ -2,7 +2,7 @@ import { blockedCommands } from "../config/permissions.js";
 import eventBus from "../core/EventBus.js";
 
 /**
- * Sandbox — command execution safety.
+ * Sandbox - command execution safety.
  *
  * Two modes:
  * 1. Blocklist (default): Block known dangerous commands via regex patterns.

package/src/safety/SecretScanner.js

@@ -1,31 +1,87 @@
 import eventBus from "../core/EventBus.js";
 
 /**
- * Secret Scanner — detects and redacts sensitive data in tool I/O.
+ * Secret Scanner - detects and redacts sensitive data in tool I/O.
  *
- * Scans for: API keys, private keys, passwords, AWS keys, tokens,
- * connection strings, .env contents.
+ * Two complementary layers:
+ *
+ * 1. Pattern-based redaction — regex patterns for known secret formats
+ *    (AWS keys, GitHub tokens, OpenAI keys, JWTs, connection strings, etc.)
+ *
+ * 2. Blind env-var redaction — at startup, collect all process.env values whose
+ *    names look like secrets (contain _KEY, _TOKEN, _SECRET, etc.) and redact
+ *    their exact values from any tool output. This catches custom tokens like
+ *    TELEGRAM_BOT_TOKEN, TWILIO_AUTH_TOKEN, DISCORD_BOT_TOKEN that don't match
+ *    any known format pattern.
  */
 
 const SECRET_PATTERNS = [
-  { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/g },
-  { name: "AWS Secret Key", pattern: /(?:aws_secret_access_key|secret_key)\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
-  { name: "Generic API Key", pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})['"]?/gi },
-  { name: "Generic Secret", pattern: /(?:secret|password|passwd|pwd|token)\s*[:=]\s*['"]?([^\s'"]{8,})['"]?/gi },
-  { name: "Private Key", pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
-  { name: "GitHub Token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g },
-  { name: "Slack Token", pattern: /xox[bprs]-[A-Za-z0-9\-]{10,}/g },
-  { name: "OpenAI Key", pattern: /sk-[A-Za-z0-9]{20,}/g },
-  { name: "Bearer Token", pattern: /Bearer\s+[A-Za-z0-9\-._~+\/]{20,}/g },
-  { name: "Connection String", pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s'"]+/gi },
-  { name: "JWT", pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
+  { name: "AWS Access Key",     pattern: /AKIA[0-9A-Z]{16}/g },
+  { name: "AWS Secret Key",     pattern: /(?:aws_secret_access_key|secret_key)\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
+  { name: "Generic API Key",    pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})['"]?/gi },
+  { name: "Generic Secret",     pattern: /(?:secret|password|passwd|pwd|token)\s*[:=]\s*['"]?([^\s'"]{8,})['"]?/gi },
+  { name: "Private Key",        pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+  { name: "GitHub Token",       pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g },
+  { name: "Slack Token",        pattern: /xox[bprs]-[A-Za-z0-9\-]{10,}/g },
+  { name: "OpenAI Key",         pattern: /sk-[A-Za-z0-9]{20,}/g },
+  { name: "Anthropic Key",      pattern: /sk-ant-[A-Za-z0-9\-_]{20,}/g },
+  { name: "Google AI Key",      pattern: /AIza[A-Za-z0-9\-_]{35}/g },
+  { name: "Telegram Token",     pattern: /\d{8,12}:[A-Za-z0-9_\-]{35}/g },
+  { name: "Twilio SID",         pattern: /AC[a-f0-9]{32}/g },
+  { name: "Bearer Token",       pattern: /Bearer\s+[A-Za-z0-9\-._~+\/]{20,}/g },
+  { name: "Connection String",  pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s'"]+/gi },
+  { name: "JWT",                pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
 ];
 
+// ── Blind env-var redaction setup ─────────────────────────────────────────────
+// Collect values of env vars whose NAMES suggest they hold secrets.
+// Done once at module load — captures all secrets including ones that don't
+// match any regex pattern above (e.g. DISCORD_BOT_TOKEN, LINE_CHANNEL_SECRET).
+const SENSITIVE_NAME_PATTERN = /(_KEY|_TOKEN|_SECRET|_PASSWORD|_PASS|_PWD|_SID|_AUTH|_PRIVATE|_CREDENTIAL|_API|_WEBHOOK)$/i;
+
+const _sensitiveEnvValues = new Set();
+for (const [envKey, val] of Object.entries(process.env)) {
+  if (val && val.length >= 8 && SENSITIVE_NAME_PATTERN.test(envKey)) {
+    _sensitiveEnvValues.add(val);
+  }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+
 class SecretScanner {
   constructor() {
     this.detectionCount = 0;
   }
 
+  /**
+   * Add new secret values to the blind redaction set at runtime.
+   * Called by AgentLoop when tenant API keys are resolved.
+   * @param {string[]} values
+   */
+  addKnownSecrets(values) {
+    for (const v of values) {
+      if (v && v.length >= 8) _sensitiveEnvValues.add(v);
+    }
+  }
+
+  /**
+   * Blind-redact exact env var values from text.
+   * Handles secrets that don't match any regex pattern.
+   * @param {string} text
+   * @returns {{ redacted: string, count: number }}
+   */
+  _blindRedactEnv(text) {
+    let out = text;
+    let count = 0;
+    for (const val of _sensitiveEnvValues) {
+      if (out.includes(val)) {
+        // Use split+join instead of replaceAll for safety with special regex chars
+        out = out.split(val).join("[REDACTED:ENV_SECRET]");
+        count++;
+      }
+    }
+    return { redacted: out, count };
+  }
+
   /**
    * Scan text for secrets and return findings.
    * @param {string} text - Text to scan
@@ -40,13 +96,11 @@ class SecretScanner {
     let redacted = text;
 
     for (const { name, pattern } of SECRET_PATTERNS) {
-      // Reset regex state
       pattern.lastIndex = 0;
       let match;
 
       while ((match = pattern.exec(text)) !== null) {
         const value = match[0];
-        // Skip very short matches or common false positives
         if (value.length < 8) continue;
 
         secrets.push({
@@ -55,8 +109,7 @@ class SecretScanner {
           position: match.index,
         });
 
-        // Redact in output
-        redacted = redacted.replace(value, `[REDACTED:${name}]`);
+        redacted = redacted.split(value).join(`[REDACTED:${name}]`);
       }
     }
 
@@ -68,24 +121,33 @@ class SecretScanner {
       });
     }
 
-    return {
-      found: secrets.length > 0,
-      secrets,
-      redacted,
-    };
+    return { found: secrets.length > 0, secrets, redacted };
   }
 
   /**
    * Scan and redact tool output before feeding back to agent.
+   * Applies BOTH pattern-based AND blind env-var redaction.
    */
   redactOutput(text) {
+    // Layer 1: pattern-based
     const result = this.scan(text);
-    if (result.found) {
-      console.log(
-        `      [SecretScanner] Redacted ${result.secrets.length} secret(s): ${result.secrets.map((s) => s.type).join(", ")}`
-      );
+    let out = result.redacted;
+
+    // Layer 2: blind env-var values
+    const { redacted: blindRedacted, count: blindCount } = this._blindRedactEnv(out);
+    out = blindRedacted;
+
+    const totalFound = result.secrets.length + blindCount;
+    if (totalFound > 0) {
+      const types = [
+        ...result.secrets.map((s) => s.type),
+        ...(blindCount > 0 ? [`ENV_SECRET(x${blindCount})`] : []),
+      ];
+      console.log(`      [SecretScanner] Redacted ${totalFound} secret(s): ${types.join(", ")}`);
+      this.detectionCount += blindCount;
     }
-    return result.redacted;
+
+    return out;
   }
 
   /**

package/src/safety/SecretVault.js

@@ -5,7 +5,7 @@ import { config } from "../config/default.js";
 import eventBus from "../core/EventBus.js";
 
 /**
- * Secret Vault — encrypted secret storage.
+ * Secret Vault - encrypted secret storage.
  *
  * All API keys, tokens, and credentials are encrypted at rest using
  * AES-256-GCM with a user-provided master passphrase.
@@ -88,7 +88,7 @@ class SecretVault {
   }
 
   /**
-   * Lock the vault — clear decrypted secrets from memory.
+   * Lock the vault - clear decrypted secrets from memory.
    */
   lock() {
     this.secrets = null;

package/src/scheduler/Heartbeat.js

@@ -5,7 +5,7 @@ import taskQueue from "../core/TaskQueue.js";
 import eventBus from "../core/EventBus.js";
 
 /**
- * Heartbeat — periodic proactive check.
+ * Heartbeat - periodic proactive check.
  *
  * Reads HEARTBEAT.md for user-defined checks.
  * Every N minutes, creates a task: "Check status per HEARTBEAT.md"
@@ -28,12 +28,12 @@ class Heartbeat {
    */
   start() {
     if (!config.daemonMode) {
-      console.log(`[Heartbeat] Skipped — daemon mode not enabled`);
+      console.log(`[Heartbeat] Skipped - daemon mode not enabled`);
       return;
     }
 
     if (!existsSync(this.heartbeatPath)) {
-      console.log(`[Heartbeat] No HEARTBEAT.md found — heartbeat disabled`);
+      console.log(`[Heartbeat] No HEARTBEAT.md found - heartbeat disabled`);
       return;
     }
 

package/src/scheduler/Scheduler.js

@@ -7,7 +7,7 @@ import taskQueue from "../core/TaskQueue.js";
 import eventBus from "../core/EventBus.js";
 
 /**
- * Scheduler — cron-based task scheduling.
+ * Scheduler - cron-based task scheduling.
  *
  * Schedules stored in data/schedules.json.
  * Each schedule creates a Task when its cron expression triggers.
@@ -22,7 +22,7 @@ class Scheduler {
   }
 
   /**
-   * Start the scheduler — load and activate all schedules.
+   * Start the scheduler - load and activate all schedules.
    */
   start() {
     this.loadSchedules();
@@ -35,12 +35,12 @@ class Scheduler {
 
     this.running = true;
     console.log(
-      `[Scheduler] Started — ${this.schedules.size} schedule(s) loaded`
+      `[Scheduler] Started - ${this.schedules.size} schedule(s) loaded`
     );
   }
 
   /**
-   * Stop the scheduler — cancel all cron jobs.
+   * Stop the scheduler - cancel all cron jobs.
    */
   stop() {
     for (const [id, job] of this.cronJobs) {
@@ -92,7 +92,7 @@ class Scheduler {
   }
 
   /**
-   * Update an existing schedule (patch — only fields provided are changed).
+   * Update an existing schedule (patch - only fields provided are changed).
    * @param {string} id - Schedule ID (full or prefix)
    * @param {object} patch - Fields to update: cronExpression, taskInput, name, enabled
    */
@@ -105,7 +105,7 @@ class Scheduler {
     const schedule = this.schedules.get(fullId);
     if (!schedule) throw new Error(`Schedule not found: ${id}`);
 
-    // Update cron expression — requires restarting the cron job
+    // Update cron expression - requires restarting the cron job
     if (patch.cronExpression && patch.cronExpression !== schedule.cronExpression) {
       if (!cron.validate(patch.cronExpression)) {
         throw new Error(`Invalid cron expression: ${patch.cronExpression}`);

package/src/setup/theme.js

@@ -1,110 +1,215 @@
 import chalk from "chalk";
 
 /**
- * Daemora CLI Theme — professional color palette and symbols.
- * No emojis. Clean Unicode symbols only.
+ * Daemora CLI Theme
+ * Color palette matches the UI exactly:
+ *   Cyan   #00d9ff  — primary brand / headings / CTAs
+ *   Teal   #4ECDC4  — secondary / commands / accents
+ *   Red    #ff4458  — danger / features (matches logo horns)
+ *   Green  #00ff88  — success / security / live badges
+ *   Amber  #ffaa00  — warning / scheduling / [NEW] badges
+ *   Muted  #64748b  — slate-500 body text
+ *   Dim    #94a3b8  — slate-400 captions
  */
-
-const P = {
-  brand:   "#7C6AFF",
-  accent:  "#4ECDC4",
-  success: "#2ECC71",
-  warning: "#F1C40F",
-  error:   "#E74C3C",
-  muted:   "#7F8C8D",
-  info:    "#3498DB",
-  dim:     "#555E68",
+export const P = {
+  cyan:    "#00d9ff",
+  teal:    "#4ECDC4",
+  red:     "#ff4458",
+  green:   "#00ff88",
+  amber:   "#ffaa00",
+  muted:   "#64748b",
+  dim:     "#94a3b8",
+  border:  "#1f1f2e",
+  // semantic aliases
+  get brand()   { return this.cyan; },
+  get accent()  { return this.teal; },
+  get success() { return this.green; },
+  get warning() { return this.amber; },
+  get error()   { return this.red; },
 };
 
 export const t = {
-  brand:   (s) => chalk.hex(P.brand)(s),
-  accent:  (s) => chalk.hex(P.accent)(s),
-  success: (s) => chalk.hex(P.success)(s),
-  warning: (s) => chalk.hex(P.warning)(s),
-  error:   (s) => chalk.hex(P.error)(s),
+  brand:   (s) => chalk.hex(P.cyan)(s),
+  accent:  (s) => chalk.hex(P.teal)(s),
+  success: (s) => chalk.hex(P.green)(s),
+  warning: (s) => chalk.hex(P.amber)(s),
+  error:   (s) => chalk.hex(P.red)(s),
   muted:   (s) => chalk.hex(P.muted)(s),
-  info:    (s) => chalk.hex(P.info)(s),
   dim:     (s) => chalk.hex(P.dim)(s),
   bold:    (s) => chalk.bold(s),
-  h:       (s) => chalk.bold.hex(P.brand)(s),
-  cmd:     (s) => chalk.hex(P.accent)(s),
+  h:       (s) => chalk.bold.hex(P.cyan)(s),
+  h2:      (s) => chalk.bold.hex(P.teal)(s),
+  cmd:     (s) => chalk.hex(P.teal)(s),
+  new:     (s) => chalk.hex(P.amber)(s),
 };
 
 export const S = {
-  check:   chalk.hex(P.success)("\u2714"),
-  cross:   chalk.hex(P.error)("\u2718"),
-  arrow:   chalk.hex(P.brand)("\u25B8"),
-  dot:     chalk.hex(P.muted)("\u00B7"),
-  bar:     chalk.hex(P.dim)("\u2502"),
-  dash:    chalk.hex(P.dim)("\u2500"),
-  diamond: chalk.hex(P.brand)("\u25C6"),
-  shield:  chalk.hex(P.success)("\u25C8"),
-  lock:    chalk.hex(P.warning)("\u25A3"),
-  gear:    chalk.hex(P.muted)("\u25CB"),
-  bolt:    chalk.hex(P.warning)("\u25CF"),
+  check:   chalk.hex(P.green)("✔"),
+  cross:   chalk.hex(P.red)("✘"),
+  arrow:   chalk.hex(P.cyan)("▸"),
+  dot:     chalk.hex(P.muted)("·"),
+  bar:     chalk.hex(P.muted)("│"),
+  dash:    chalk.hex(P.border)("─"),
+  diamond: chalk.hex(P.cyan)("◆"),
+  shield:  chalk.hex(P.green)("◈"),
+  lock:    chalk.hex(P.amber)("▣"),
+  gear:    chalk.hex(P.muted)("○"),
+  bolt:    chalk.hex(P.cyan)("●"),
+  eye:     chalk.hex(P.red)("◉"),
+  star:    chalk.hex(P.amber)("★"),
 };
 
+// ─── Gradient helpers ──────────────────────────────────────────────────────
+
+/** Interpolate a single hex colour component */
+function lerp(a, b, t) { return Math.round(a + (b - a) * t); }
+
+/**
+ * Render a string with a left→right cyan→teal gradient.
+ * One chalk call per visible character — fast enough for a one-shot banner.
+ */
+function gradientLine(line) {
+  const [cyR, cyG, cyB] = [0x00, 0xd9, 0xff]; // #00d9ff
+  const [tlR, tlG, tlB] = [0x4e, 0xcd, 0xc4]; // #4ECDC4
+  let out = "";
+  const len = line.length;
+  for (let i = 0; i < len; i++) {
+    const frac = len > 1 ? i / (len - 1) : 0;
+    out += chalk.rgb(
+      lerp(cyR, tlR, frac),
+      lerp(cyG, tlG, frac),
+      lerp(cyB, tlB, frac),
+    )(line[i]);
+  }
+  return out;
+}
+
+// ─── Banner ────────────────────────────────────────────────────────────────
+
+/**
+ * DAEMORA ASCII art — figlet "Doom" font.
+ * Width: ~65 chars — fits a standard 80-col terminal.
+ */
+const DAEMORA_ART = [
+  "██████╗  █████╗ ███████╗███╗   ███╗ ██████╗ ██████╗  █████╗ ",
+  "██╔══██╗██╔══██╗██╔════╝████╗ ████║██╔═══██╗██╔══██╗██╔══██╗",
+  "██║  ██║███████║█████╗  ██╔████╔██║██║   ██║██████╔╝███████║",
+  "██║  ██║██╔══██║██╔══╝  ██║╚██╔╝██║██║   ██║██╔══██╗██╔══██║",
+  "██████╔╝██║  ██║███████╗██║ ╚═╝ ██║╚██████╔╝██║  ██║██║  ██║",
+  "╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝",
+];
+
+/** Logo mark — small demon eye motif drawn with ASCII */
+function logoMark() {
+  return [
+    chalk.hex(P.red)("    ▲               ▲"),
+    chalk.hex(P.red)("   ▲ ▲             ▲ ▲"),
+    chalk.hex(P.dim)("  ╔═══════════════════╗"),
+    chalk.hex(P.dim)("  ║") +
+      chalk.hex(P.muted)("  ") +
+      chalk.hex(P.red)("◤▬▬▬▬◥") +
+      chalk.hex(P.muted)("   ") +
+      chalk.hex(P.red)("◤▬▬▬▬◥") +
+      chalk.hex(P.muted)("  ") +
+      chalk.hex(P.dim)("║"),
+    chalk.hex(P.dim)("  ║") +
+      chalk.hex(P.muted)("    ") +
+      chalk.hex(P.red)("◉") +
+      chalk.hex(P.muted)("         ") +
+      chalk.hex(P.red)("◉") +
+      chalk.hex(P.muted)("    ") +
+      chalk.hex(P.dim)("║"),
+    chalk.hex(P.dim)("  ╚═══════════════════╝"),
+    chalk.hex(P.cyan)("    ◦               ◦"),
+  ].join("\n");
+}
+
 export function banner() {
-  const w = 56;
-  const line = chalk.hex(P.brand)("\u2501".repeat(w));
-  const dimLine = chalk.hex(P.dim)("\u2500".repeat(w));
-  console.log("");
-  console.log(line);
+  const w = 67;
+  const topLine = chalk.hex(P.cyan)("━".repeat(w));
+  const botLine = chalk.hex(P.teal)("─".repeat(w));
+
+  console.log("\n" + topLine);
   console.log("");
-  console.log(chalk.bold.hex(P.brand)(
-    "      \u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588"
-  ));
-  console.log(chalk.bold.hex(P.brand)(
-    "      \u2588\u2588   \u2588\u2588 \u2588\u2588       \u2588\u2588       \u2588\u2588 \u2588\u2588"
-  ));
-  console.log(chalk.bold.hex(P.brand)(
-    "      \u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588\u2588 \u2588\u2588  \u2588\u2588\u2588\u2588\u2588"
-  ));
-  console.log(chalk.bold.hex(P.brand)(
-    "      \u2588\u2588   \u2588\u2588 \u2588\u2588       \u2588\u2588   \u2588\u2588 \u2588\u2588      \u2588\u2588"
-  ));
-  console.log(chalk.bold.hex(P.brand)(
-    "      \u2588\u2588   \u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588"
-  ));
+
+  // Gradient DAEMORA lettering
+  for (const line of DAEMORA_ART) {
+    console.log("  " + gradientLine(line));
+  }
+
   console.log("");
-  console.log(chalk.hex(P.muted)("           Your 24/7 AI Digital Worker"));
-  console.log(dimLine);
+  console.log(
+    "  " +
+    chalk.hex(P.muted)("           ") +
+    chalk.hex(P.cyan)("◉") +
+    chalk.hex(P.dim)("       Your 24/7 AI Agent       ") +
+    chalk.hex(P.red)("◉"),
+  );
+  console.log(botLine);
   console.log("");
 }
 
+// ─── Step header (progress bar) ────────────────────────────────────────────
+
 export function stepHeader(current, total, title) {
-  const filled = Math.round((current / total) * 20);
-  const empty = 20 - filled;
-  const bar = chalk.hex(P.brand)("\u2588".repeat(filled)) + chalk.hex(P.dim)("\u2591".repeat(empty));
-  const label = chalk.hex(P.dim)(`[${current}/${total}]`);
-  console.log(`\n  ${bar}  ${label}  ${chalk.bold(title)}\n`);
+  const filled = Math.round((current / total) * 22);
+  const empty  = 22 - filled;
+  const bar =
+    chalk.hex(P.cyan)("█".repeat(filled)) +
+    chalk.hex(P.border)("░".repeat(empty));
+  const label = chalk.hex(P.muted)(`[${current}/${total}]`);
+  const w = 67;
+  const line = chalk.hex(P.border)("─".repeat(w));
+  console.log(`\n${line}`);
+  console.log(`  ${bar}  ${label}  ${chalk.bold.hex(P.teal)(title)}`);
+  console.log(`${line}\n`);
 }
 
+// ─── Key/value row ─────────────────────────────────────────────────────────
+
 export function kv(key, value) {
   console.log(`  ${S.bar}  ${t.muted(key)}  ${value}`);
 }
 
+// ─── Summary table ─────────────────────────────────────────────────────────
+
 export function summaryTable(title, rows) {
   const maxKey = Math.max(...rows.map(([k]) => k.length), 10);
-  const w = maxKey + 30;
-  const line = chalk.hex(P.dim)("\u2500".repeat(w));
-  console.log(`\n  ${t.h(title)}`);
-  console.log(`  ${line}`);
+  const w = maxKey + 34;
+  const topLine = chalk.hex(P.cyan)("━".repeat(w));
+  const rowLine = chalk.hex(P.border)("─".repeat(w));
+  console.log(`\n  ${chalk.bold.hex(P.cyan)(title)}`);
+  console.log(`  ${topLine}`);
   for (const [key, val] of rows) {
     const k = t.muted(key.padEnd(maxKey));
     console.log(`  ${S.bar}  ${k}  ${val}`);
   }
-  console.log(`  ${line}`);
+  console.log(`  ${rowLine}`);
 }
 
+// ─── Complete banner ────────────────────────────────────────────────────────
+
 export function completeBanner(lines) {
-  const w = 56;
-  const line = chalk.hex(P.success)("\u2501".repeat(w));
+  const w = 67;
+  const line = chalk.hex(P.green)("━".repeat(w));
   console.log(`\n${line}`);
-  console.log(`  ${S.check}  ${chalk.bold.hex(P.success)("Setup Complete")}`);
+  console.log(`  ${S.check}  ${chalk.bold.hex(P.green)("Setup Complete")}`);
+  console.log(`  ${chalk.hex(P.dim)("─".repeat(w - 2))}`);
   console.log("");
   for (const l of lines) {
     console.log(`  ${l}`);
   }
   console.log(`${line}\n`);
 }
+
+// ─── Section header (for info commands) ────────────────────────────────────
+
+export function sectionHeader(title, subtitle = "") {
+  const w = 67;
+  const topLine = chalk.hex(P.cyan)("━".repeat(w));
+  const botLine = chalk.hex(P.border)("─".repeat(w));
+  console.log(`\n${topLine}`);
+  const sub = subtitle ? `  ${chalk.hex(P.muted)(subtitle)}` : "";
+  console.log(`  ${chalk.bold.hex(P.cyan)(title)}${sub}`);
+  console.log(`${botLine}`);
+}