Update enroll single-shot

enroll single-shot.-.md

@@ -9,7 +9,14 @@ This is the convenience "do the whole thing" mode: it collects a harvest bundle
 ## Synopsis
 
 ```bash
-enroll single-shot   --harvest <DIR>   --out <DIR|FILE>   [--fqdn <HOST>]   [--dangerous]   [--sops <GPG_FPR...>]   [--jinjaturtle | --no-jinjaturtle]   [--remote-host <HOST> [--remote-user <USER>] [--remote-port <PORT>] [--no-sudo]]
+enroll single-shot   \
+  --harvest <DIR>   \
+  --out <DIR|FILE>   \
+  [--fqdn <HOST>]   \
+  [--dangerous]   \
+  [--sops <GPG_FPR...>]   \
+  [--jinjaturtle | --no-jinjaturtle]   \
+  [--remote-host <HOST>]  [--remote-user <USER>]  [--remote-port <PORT>]  [--no-sudo]]
 ```
 
 ---
@@ -67,7 +74,7 @@ Disables "likely secret" safety checks, potentially collecting:
 - API tokens
 - other credentials
 
-Strongly consider using `--sops` when you enable `--dangerous`.
+**NOTE**: Strongly consider using `--sops` when you enable `--dangerous`.
 
 ### `--sops <GPG_FINGERPRINT...>`
 Enable SOPS "encrypt at rest" mode for single-shot.
@@ -79,7 +86,7 @@ In single-shot, `--sops` affects **both** phases:
 
 Requires `sops` available on `PATH`.
 
-> If you want plaintext harvest but encrypted manifest (or the other way around), use `enroll harvest` and `enroll manifest` separately instead of single-shot.
+**NOTE**: If you want plaintext harvest but encrypted manifest (or the other way around), use `enroll harvest` and `enroll manifest` separately instead of `enroll single-shot`.
 
 ### JinjaTurtle integration
 
@@ -104,7 +111,7 @@ SSH username (default: local `$USER`).
 SSH port (default: `22`).
 
 #### `--no-sudo`
-Don’t use sudo on the remote host (may result in partial harvest).
+Don't use sudo on the remote host (may result in partial harvest).
 
 ---