@oculum/cli 1.0.9 → 1.0.11

package/dist/index.js

@@ -40915,8 +40915,8 @@ var {
 } = import_index.default;
 
 // src/commands/scan.ts
-var import_path3 = require("path");
-var import_fs4 = require("fs");
+var import_path4 = require("path");
+var import_fs5 = require("fs");
 init_esm7();
 
 // node_modules/chalk/source/vendor/ansi-styles/index.js
@@ -43313,6 +43313,16 @@ function getApiBaseUrl() {
 function setAuthCredentials(apiKey, email, tier) {
   updateConfig({ apiKey, email, tier });
 }
+function syncAuthFromVerification(verifyResponse) {
+  if (!verifyResponse.valid) return;
+  const config = getConfig();
+  if (!config.apiKey) return;
+  const email = verifyResponse.email || config.email;
+  const tier = verifyResponse.tier || config.tier || "free";
+  if (tier !== config.tier || email !== config.email) {
+    setAuthCredentials(config.apiKey, email, tier);
+  }
+}
 
 // src/utils/api.ts
 var APIError = class extends Error {
@@ -43872,8 +43882,83 @@ function validateConfig(config) {
       validated.watch.clear = config.watch.clear;
     }
   }
+  if (config.profiles && typeof config.profiles === "object") {
+    validated.profiles = config.profiles;
+  }
+  if (typeof config.defaultProfile === "string") {
+    validated.defaultProfile = config.defaultProfile;
+  }
   return validated;
 }
+function getProfileConfig(projectConfig, profileName) {
+  if (!projectConfig) return null;
+  const name = profileName || projectConfig.defaultProfile;
+  if (!name) return null;
+  const profile = projectConfig.profiles?.[name];
+  if (!profile) {
+    if (profileName) {
+      console.warn(source_default.yellow(`Warning: Profile "${profileName}" not found in config`));
+    }
+    return null;
+  }
+  return profile;
+}
+
+// src/utils/history.ts
+var import_fs4 = require("fs");
+var import_path3 = require("path");
+var import_os2 = require("os");
+var import_crypto = require("crypto");
+var CONFIG_DIR2 = (0, import_path3.join)((0, import_os2.homedir)(), ".oculum");
+var HISTORY_FILE = (0, import_path3.join)(CONFIG_DIR2, "history.json");
+var MAX_ENTRIES = 25;
+function ensureConfigDir2() {
+  if (!(0, import_fs4.existsSync)(CONFIG_DIR2)) {
+    (0, import_fs4.mkdirSync)(CONFIG_DIR2, { recursive: true });
+  }
+}
+function readHistoryFile() {
+  try {
+    if (!(0, import_fs4.existsSync)(HISTORY_FILE)) return [];
+    const content = (0, import_fs4.readFileSync)(HISTORY_FILE, "utf-8");
+    const parsed = JSON.parse(content);
+    if (!Array.isArray(parsed)) return [];
+    return parsed;
+  } catch {
+    return [];
+  }
+}
+function writeHistoryFile(entries) {
+  ensureConfigDir2();
+  (0, import_fs4.writeFileSync)(HISTORY_FILE, JSON.stringify(entries, null, 2));
+}
+function listScanHistory() {
+  return readHistoryFile();
+}
+function getScanHistoryEntry(id) {
+  return readHistoryFile().find((e2) => e2.id === id);
+}
+function addScanHistoryEntry(input) {
+  const entry = {
+    id: input.id ?? (0, import_crypto.randomUUID)(),
+    createdAt: input.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+    targetPath: input.targetPath,
+    options: input.options,
+    result: input.result
+  };
+  const current = readHistoryFile();
+  const updated = [entry, ...current].slice(0, MAX_ENTRIES);
+  writeHistoryFile(updated);
+  return entry;
+}
+function deleteScanHistoryEntry(id) {
+  const current = readHistoryFile();
+  const updated = current.filter((e2) => e2.id !== id);
+  writeHistoryFile(updated);
+}
+function clearScanHistory() {
+  writeHistoryFile([]);
+}
 
 // src/commands/scan.ts
 function getChangedFiles(absolutePath, diff) {
@@ -43890,22 +43975,22 @@ function getChangedFiles(absolutePath, diff) {
       args = ["diff", "--name-only", "HEAD"];
     }
     const out = (0, import_child_process.execFileSync)("git", args, { cwd: gitRoot, stdio: ["ignore", "pipe", "ignore"] }).toString();
-    const files = out.split("\n").map((s) => s.trim()).filter(Boolean).map((p2) => (0, import_path3.resolve)(gitRoot, p2)).filter((p2) => p2.startsWith(absolutePath));
+    const files = out.split("\n").map((s) => s.trim()).filter(Boolean).map((p2) => (0, import_path4.resolve)(gitRoot, p2)).filter((p2) => p2.startsWith(absolutePath));
     return files;
   } catch {
     return [];
   }
 }
 function isScannableFile(filePath) {
-  const ext2 = (0, import_path3.extname)(filePath).toLowerCase();
-  const fileName = (0, import_path3.basename)(filePath);
+  const ext2 = (0, import_path4.extname)(filePath).toLowerCase();
+  const fileName = (0, import_path4.basename)(filePath);
   if (import_scanner.SPECIAL_FILES.includes(fileName)) {
     return true;
   }
   return import_scanner.SCANNABLE_EXTENSIONS.includes(ext2);
 }
 function getLanguage(filePath) {
-  const ext2 = (0, import_path3.extname)(filePath).toLowerCase();
+  const ext2 = (0, import_path4.extname)(filePath).toLowerCase();
   const langMap = {
     ".js": "javascript",
     ".jsx": "javascript",
@@ -43930,15 +44015,15 @@ function getLanguage(filePath) {
   return langMap[ext2] || "text";
 }
 async function collectFiles(targetPath) {
-  const absolutePath = (0, import_path3.resolve)(targetPath);
-  const stats = (0, import_fs4.statSync)(absolutePath);
+  const absolutePath = (0, import_path4.resolve)(targetPath);
+  const stats = (0, import_fs5.statSync)(absolutePath);
   const files = [];
   if (stats.isFile()) {
     if (isScannableFile(absolutePath)) {
-      const content = (0, import_fs4.readFileSync)(absolutePath, "utf-8");
+      const content = (0, import_fs5.readFileSync)(absolutePath, "utf-8");
       if (content.length <= import_scanner.MAX_FILE_SIZE) {
         files.push({
-          path: (0, import_path3.relative)(process.cwd(), absolutePath),
+          path: (0, import_path4.relative)(process.cwd(), absolutePath),
           content,
           language: getLanguage(absolutePath),
           size: content.length
@@ -44007,8 +44092,8 @@ async function collectFiles(targetPath) {
       "**/.env.*.local",
       "**/**.env"
     ];
-    const gitignorePath = (0, import_path3.join)(absolutePath, ".gitignore");
-    const hasGitignore = (0, import_fs4.existsSync)(gitignorePath);
+    const gitignorePath = (0, import_path4.join)(absolutePath, ".gitignore");
+    const hasGitignore = (0, import_fs5.existsSync)(gitignorePath);
     const globOptions = {
       cwd: absolutePath,
       ignore: ignorePatterns,
@@ -44022,11 +44107,11 @@ async function collectFiles(targetPath) {
     for (const file of foundFiles) {
       const filePath = String(file);
       try {
-        const fileStats = (0, import_fs4.statSync)(filePath);
+        const fileStats = (0, import_fs5.statSync)(filePath);
         if (fileStats.size > import_scanner.MAX_FILE_SIZE) continue;
-        const content = (0, import_fs4.readFileSync)(filePath, "utf-8");
+        const content = (0, import_fs5.readFileSync)(filePath, "utf-8");
         files.push({
-          path: (0, import_path3.relative)(process.cwd(), filePath),
+          path: (0, import_path4.relative)(process.cwd(), filePath),
           content,
           language: getLanguage(filePath),
           size: content.length
@@ -44038,8 +44123,8 @@ async function collectFiles(targetPath) {
   return files;
 }
 async function collectFilesForScan(targetPath, options) {
-  const absolutePath = (0, import_path3.resolve)(targetPath);
-  const stats = (0, import_fs4.statSync)(absolutePath);
+  const absolutePath = (0, import_path4.resolve)(targetPath);
+  const stats = (0, import_fs5.statSync)(absolutePath);
   if (stats.isFile()) {
     return collectFiles(targetPath);
   }
@@ -44048,13 +44133,13 @@ async function collectFilesForScan(targetPath, options) {
     const files = [];
     for (const filePath of changed) {
       try {
-        if (!(0, import_fs4.existsSync)(filePath)) continue;
+        if (!(0, import_fs5.existsSync)(filePath)) continue;
         if (!isScannableFile(filePath)) continue;
-        const fileStats = (0, import_fs4.statSync)(filePath);
+        const fileStats = (0, import_fs5.statSync)(filePath);
         if (fileStats.size > import_scanner.MAX_FILE_SIZE) continue;
-        const content = (0, import_fs4.readFileSync)(filePath, "utf-8");
+        const content = (0, import_fs5.readFileSync)(filePath, "utf-8");
         files.push({
-          path: (0, import_path3.relative)(process.cwd(), filePath),
+          path: (0, import_path4.relative)(process.cwd(), filePath),
           content,
           language: getLanguage(filePath),
           size: content.length
@@ -44068,7 +44153,7 @@ async function collectFilesForScan(targetPath, options) {
 }
 function createEmptyResult(targetPath) {
   return {
-    repoName: (0, import_path3.basename)((0, import_path3.resolve)(targetPath)),
+    repoName: (0, import_path4.basename)((0, import_path4.resolve)(targetPath)),
     repoUrl: "",
     branch: "local",
     filesScanned: 0,
@@ -44192,6 +44277,13 @@ async function runScanOnce(targetPath, options) {
   const config = getConfig();
   const noColor = options.color === false;
   const cancellationToken = (0, import_scanner.createCancellationToken)();
+  if ((options.depth === "validated" || options.depth === "deep") && isAuthenticated()) {
+    try {
+      const verified = await verifyApiKey(config.apiKey);
+      syncAuthFromVerification(verified);
+    } catch {
+    }
+  }
   if ((options.depth === "validated" || options.depth === "deep") && !isAuthenticated()) {
     if (!options.quiet) {
       console.log("");
@@ -44283,7 +44375,7 @@ async function runScanOnce(targetPath, options) {
         options.depth,
         config.apiKey,
         {
-          name: (0, import_path3.basename)((0, import_path3.resolve)(targetPath)),
+          name: (0, import_path4.basename)((0, import_path4.resolve)(targetPath)),
           url: "",
           branch: "local"
         }
@@ -44295,7 +44387,7 @@ async function runScanOnce(targetPath, options) {
       result = await (0, import_scanner.runScan)(
         files,
         {
-          name: (0, import_path3.basename)((0, import_path3.resolve)(targetPath)),
+          name: (0, import_path4.basename)((0, import_path4.resolve)(targetPath)),
           url: "",
           branch: "local"
         },
@@ -44358,32 +44450,33 @@ Results written to ${options.output}`));
 }
 async function runScan(targetPath, cliOptions) {
   const projectConfig = loadProjectConfig(targetPath, cliOptions.quiet);
-  let scanDepth = cliOptions.mode || cliOptions.depth || "cheap";
+  const profileConfig = getProfileConfig(projectConfig, cliOptions.profile);
+  let scanDepth = cliOptions.mode || cliOptions.depth;
   if (scanDepth === "quick") {
     scanDepth = "cheap";
   }
-  const baseOptions = {
-    depth: scanDepth,
-    format: cliOptions.format ?? "terminal",
-    failOn: cliOptions.failOn ?? "high",
+  const options = {
+    depth: scanDepth ?? profileConfig?.depth ?? projectConfig?.depth ?? "cheap",
+    format: cliOptions.format ?? profileConfig?.format ?? projectConfig?.format ?? "terminal",
+    failOn: cliOptions.failOn ?? profileConfig?.failOn ?? projectConfig?.failOn ?? "high",
     color: cliOptions.color,
-    quiet: cliOptions.quiet,
+    quiet: cliOptions.quiet ?? profileConfig?.quiet ?? projectConfig?.quiet,
     verbose: cliOptions.verbose,
     incremental: cliOptions.incremental,
     diff: cliOptions.diff,
-    output: cliOptions.output
-  };
-  const options = {
-    ...baseOptions,
-    depth: baseOptions.depth ?? projectConfig?.depth ?? "cheap",
-    format: baseOptions.format ?? projectConfig?.format ?? "terminal",
-    failOn: baseOptions.failOn ?? projectConfig?.failOn ?? "high",
-    quiet: baseOptions.quiet ?? projectConfig?.quiet,
-    verbose: baseOptions.verbose,
-    output: baseOptions.output ?? projectConfig?.output
+    output: cliOptions.output ?? profileConfig?.output ?? projectConfig?.output,
+    profile: cliOptions.profile
   };
   try {
-    const { output, exitCode } = await runScanOnce(targetPath, options);
+    const { result, output, exitCode } = await runScanOnce(targetPath, options);
+    try {
+      addScanHistoryEntry({
+        targetPath,
+        options: { depth: options.depth, format: options.format, failOn: options.failOn },
+        result
+      });
+    } catch {
+    }
     console.log(output);
     if (exitCode !== 0) {
       process.exit(exitCode);
@@ -44394,7 +44487,7 @@ async function runScan(targetPath, cliOptions) {
     process.exit(1);
   }
 }
-var scanCommand = new Command("scan").description("Scan a directory or file for security vulnerabilities").argument("[path]", "path to scan", ".").option("-d, --depth <depth>", "scan depth: cheap (free), validated, deep", "cheap").option("-m, --mode <mode>", "alias for --depth (quick, validated, deep)").option("-f, --format <format>", "output format: terminal, json, sarif, markdown", "terminal").option("--fail-on <severity>", "exit with error code if findings at severity", "high").option("--no-color", "disable colored output").option("-q, --quiet", "minimal output for CI (suppress spinners and decorations)").option("-v, --verbose", "show detailed scanner logs (debug mode)").option("-o, --output <file>", "write output to file").option("--incremental", "only scan changed files (requires git)").option("--diff <ref>", "diff against branch/commit for incremental scan").addHelpText("after", `
+var scanCommand = new Command("scan").description("Scan a directory or file for security vulnerabilities").argument("[path]", "path to scan", ".").option("-d, --depth <depth>", "scan depth: cheap (free), validated, deep").option("-m, --mode <mode>", "alias for --depth (quick, validated, deep)").option("-f, --format <format>", "output format: terminal, json, sarif, markdown").option("--fail-on <severity>", "exit with error code if findings at severity").option("--no-color", "disable colored output").option("-q, --quiet", "minimal output for CI (suppress spinners and decorations)").option("-v, --verbose", "show detailed scanner logs (debug mode)").option("-o, --output <file>", "write output to file").option("-p, --profile <name>", "use named profile from oculum.config.json").option("--incremental", "only scan changed files (requires git)").option("--diff <ref>", "diff against branch/commit for incremental scan").addHelpText("after", `
 Scan Modes:
   cheap       Free      Fast pattern matching, runs locally
                         Best for: Quick checks, CI/CD pipelines
@@ -44419,9 +44512,14 @@ Configuration:
   {
     "depth": "validated",
     "failOn": "high",
-    "ignore": ["**/test/**"]
+    "profiles": {
+      "ci": { "depth": "validated", "quiet": true, "format": "sarif" },
+      "strict": { "depth": "validated", "failOn": "medium" }
+    }
   }
 
+  Use profiles: oculum scan . --profile ci
+
 More Help:
   $ oculum help scan-modes             Detailed mode comparison
   $ oculum help ci-setup               CI/CD integration examples
@@ -44551,7 +44649,10 @@ async function status() {
   spinner.succeed("  Authenticated");
   console.log("");
   const email = result.email || config.email || "unknown";
-  const tier = result.tier || config.tier || "free";
+  const tier = result.tier || "free";
+  if (tier !== config.tier || email !== config.email) {
+    setAuthCredentials(config.apiKey, email, tier);
+  }
   const tierBadge = tier === "pro" ? source_default.bgBlue.white(" PRO ") : tier === "enterprise" ? source_default.bgMagenta.white(" ENTERPRISE ") : source_default.bgGray.white(" FREE ");
   console.log(source_default.dim("  Email: ") + source_default.white(email));
   console.log(source_default.dim("  Plan:  ") + tierBadge);
@@ -44595,11 +44696,12 @@ var statusCommand = new Command("status").description("Show current authenticati
 var upgradeCommand = new Command("upgrade").description("Upgrade your subscription").action(upgrade);
 
 // src/commands/watch.ts
-var import_path4 = require("path");
-var import_fs7 = require("fs");
+var import_path5 = require("path");
+var import_fs8 = require("fs");
+var readline = __toESM(require("readline"));
 
 // ../../node_modules/chokidar/esm/index.js
-var import_fs6 = require("fs");
+var import_fs7 = require("fs");
 var import_promises4 = require("fs/promises");
 var import_events = require("events");
 var sysPath2 = __toESM(require("path"), 1);
@@ -44824,10 +44926,10 @@ function readdirp(root, options = {}) {
 }
 
 // ../../node_modules/chokidar/esm/handler.js
-var import_fs5 = require("fs");
+var import_fs6 = require("fs");
 var import_promises3 = require("fs/promises");
 var sysPath = __toESM(require("path"), 1);
-var import_os2 = require("os");
+var import_os3 = require("os");
 var STR_DATA = "data";
 var STR_END = "end";
 var STR_CLOSE = "close";
@@ -44838,7 +44940,7 @@ var isWindows = pl === "win32";
 var isMacos = pl === "darwin";
 var isLinux = pl === "linux";
 var isFreeBSD = pl === "freebsd";
-var isIBMi = (0, import_os2.type)() === "OS400";
+var isIBMi = (0, import_os3.type)() === "OS400";
 var EVENTS = {
   ALL: "all",
   READY: "ready",
@@ -45162,7 +45264,7 @@ function createFsWatchInstance(path2, options, listener, errHandler, emitRaw) {
     }
   };
   try {
-    return (0, import_fs5.watch)(path2, {
+    return (0, import_fs6.watch)(path2, {
       persistent: options.persistent
     }, handleEvent);
   } catch (error) {
@@ -45245,7 +45347,7 @@ var setFsWatchFileListener = (path2, fullPath, options, handlers) => {
   let cont = FsWatchFileInstances.get(fullPath);
   const copts = cont && cont.options;
   if (copts && (copts.persistent < options.persistent || copts.interval > options.interval)) {
-    (0, import_fs5.unwatchFile)(fullPath);
+    (0, import_fs6.unwatchFile)(fullPath);
     cont = void 0;
   }
   if (cont) {
@@ -45256,7 +45358,7 @@ var setFsWatchFileListener = (path2, fullPath, options, handlers) => {
       listeners: listener,
       rawEmitters: rawEmitter,
       options,
-      watcher: (0, import_fs5.watchFile)(fullPath, options, (curr, prev) => {
+      watcher: (0, import_fs6.watchFile)(fullPath, options, (curr, prev) => {
         foreach(cont.rawEmitters, (rawEmitter2) => {
           rawEmitter2(EV.CHANGE, fullPath, { curr, prev });
         });
@@ -45273,7 +45375,7 @@ var setFsWatchFileListener = (path2, fullPath, options, handlers) => {
     delFromSet(cont, KEY_RAW, rawEmitter);
     if (isEmptySet(cont.listeners)) {
       FsWatchFileInstances.delete(fullPath);
-      (0, import_fs5.unwatchFile)(fullPath);
+      (0, import_fs6.unwatchFile)(fullPath);
       cont.options = cont.watcher = void 0;
       Object.freeze(cont);
     }
@@ -46116,7 +46218,7 @@ var FSWatcher = class extends import_events.EventEmitter {
     const now = /* @__PURE__ */ new Date();
     const writes = this._pendingWrites;
     function awaitWriteFinishFn(prevStat) {
-      (0, import_fs6.stat)(fullPath, (err, curStat) => {
+      (0, import_fs7.stat)(fullPath, (err, curStat) => {
         if (err || !writes.has(path2)) {
           if (err && err.code !== "ENOENT")
             awfEmit(err);
@@ -46293,13 +46395,13 @@ var esm_default = { watch, FSWatcher };
 var import_scanner2 = __toESM(require_dist());
 var import_formatters2 = __toESM(require_formatters());
 function isScannableFile2(filePath) {
-  const ext2 = (0, import_path4.extname)(filePath).toLowerCase();
-  const fileName = (0, import_path4.basename)(filePath);
+  const ext2 = (0, import_path5.extname)(filePath).toLowerCase();
+  const fileName = (0, import_path5.basename)(filePath);
   if (import_scanner2.SPECIAL_FILES.includes(fileName)) return true;
   return import_scanner2.SCANNABLE_EXTENSIONS.includes(ext2);
 }
 function getLanguage2(filePath) {
-  const ext2 = (0, import_path4.extname)(filePath).toLowerCase();
+  const ext2 = (0, import_path5.extname)(filePath).toLowerCase();
   const langMap = {
     ".js": "javascript",
     ".jsx": "javascript",
@@ -46318,11 +46420,11 @@ function getLanguage2(filePath) {
 }
 function readScanFile(filePath) {
   try {
-    const stats = (0, import_fs7.statSync)(filePath);
+    const stats = (0, import_fs8.statSync)(filePath);
     if (stats.size > import_scanner2.MAX_FILE_SIZE) return null;
-    const content = (0, import_fs7.readFileSync)(filePath, "utf-8");
+    const content = (0, import_fs8.readFileSync)(filePath, "utf-8");
     return {
-      path: (0, import_path4.relative)(process.cwd(), filePath),
+      path: (0, import_path5.relative)(process.cwd(), filePath),
       content,
       language: getLanguage2(filePath),
       size: content.length
@@ -46339,7 +46441,7 @@ function debounce(fn, delay) {
   };
 }
 async function watch2(targetPath, options) {
-  const absolutePath = (0, import_path4.resolve)(targetPath);
+  const absolutePath = (0, import_path5.resolve)(targetPath);
   const config = getConfig();
   if ((options.depth === "validated" || options.depth === "deep") && !isAuthenticated()) {
     if (!options.quiet) {
@@ -46349,31 +46451,40 @@ async function watch2(targetPath, options) {
     }
     options.depth = "cheap";
   }
-  if (!options.quiet) {
+  const changedFiles = /* @__PURE__ */ new Set();
+  let isPaused = false;
+  let scanCount = 0;
+  let totalIssues = 0;
+  const showBanner = () => {
+    if (options.quiet) return;
     console.log("");
     console.log(source_default.bold("  \u{1F441}\uFE0F  Oculum Watch Mode"));
-    console.log(source_default.dim("  " + "\u2500".repeat(38)));
+    console.log(source_default.dim("  " + "\u2500".repeat(50)));
     console.log("");
     console.log(source_default.dim("  Watching: ") + source_default.white(absolutePath));
     console.log(source_default.dim("  Depth:    ") + source_default.white(options.depth === "cheap" ? "Quick (pattern matching)" : options.depth));
-    console.log(source_default.dim("  Debounce: ") + source_default.white(`${options.debounce}ms`));
+    console.log(source_default.dim("  Status:   ") + (isPaused ? source_default.yellow("Paused") : source_default.green("Active")));
+    if (scanCount > 0) {
+      console.log(source_default.dim("  Scans:    ") + source_default.white(`${scanCount} (${totalIssues} issues found)`));
+    }
     console.log("");
-    console.log(source_default.dim("  Press ") + source_default.white("Ctrl+C") + source_default.dim(" to stop watching"));
+    console.log(source_default.dim("  Keyboard: ") + source_default.white("[r]") + source_default.dim(" rescan  ") + source_default.white("[c]") + source_default.dim(" clear  ") + source_default.white("[p]") + source_default.dim(" pause  ") + source_default.white("[q]") + source_default.dim(" quit"));
+    console.log(source_default.dim("  " + "\u2500".repeat(50)));
     console.log("");
-  }
-  const changedFiles = /* @__PURE__ */ new Set();
+  };
+  showBanner();
   let isScanning = false;
   const runScanOnChanges = debounce(async () => {
-    if (isScanning || changedFiles.size === 0) return;
+    if (isScanning || changedFiles.size === 0 || isPaused) return;
     isScanning = true;
     const filesToScan = Array.from(changedFiles);
     changedFiles.clear();
     if (options.clearOnScan && !options.quiet) {
       console.clear();
+      showBanner();
     }
     if (!options.quiet) {
       const fileText = filesToScan.length === 1 ? "file" : "files";
-      console.log("");
       console.log(source_default.cyan(`  \u27F3 [${(/* @__PURE__ */ new Date()).toLocaleTimeString()}] Scanning ${filesToScan.length} changed ${fileText}...`));
     }
     const scanFiles = [];
@@ -46383,7 +46494,7 @@ async function watch2(targetPath, options) {
     }
     if (scanFiles.length === 0) {
       if (!options.quiet) {
-        console.log(source_default.dim("No scannable files found."));
+        console.log(source_default.dim("    No scannable files found."));
       }
       isScanning = false;
       return;
@@ -46392,24 +46503,36 @@ async function watch2(targetPath, options) {
       const result = await (0, import_scanner2.runScan)(
         scanFiles,
         {
-          name: (0, import_path4.basename)(absolutePath),
+          name: (0, import_path5.basename)(absolutePath),
           url: "",
           branch: "watch"
         },
         {
           enableAI: options.depth !== "cheap" && isAuthenticated(),
           scanDepth: options.depth,
-          scanMode: "incremental"
+          scanMode: "incremental",
+          quiet: true
+          // Suppress internal scanner logs
         }
       );
+      scanCount++;
+      totalIssues += result.vulnerabilities.length;
+      try {
+        addScanHistoryEntry({
+          targetPath: absolutePath,
+          options: { depth: options.depth, format: "terminal", failOn: "high" },
+          result
+        });
+      } catch {
+      }
       if (result.vulnerabilities.length === 0) {
         if (!options.quiet) {
-          console.log(source_default.green("  \u2713 No issues found"));
+          console.log(source_default.green("    \u2713 No issues found"));
         }
       } else {
         const issueCount = result.vulnerabilities.length;
         const issueText = issueCount === 1 ? "issue" : "issues";
-        console.log(source_default.yellow(`  \u26A0 Found ${issueCount} ${issueText}:`));
+        console.log(source_default.yellow(`    \u26A0 Found ${issueCount} ${issueText}:`));
         console.log((0, import_formatters2.formatTerminalOutput)(result, {
           maxFindingsPerGroup: 5
         }));
@@ -46420,6 +46543,47 @@ async function watch2(targetPath, options) {
     }
     isScanning = false;
   }, options.debounce);
+  const triggerFullRescan = async () => {
+    if (isScanning) return;
+    if (!options.quiet) {
+      console.log(source_default.cyan(`
+  \u27F3 [${(/* @__PURE__ */ new Date()).toLocaleTimeString()}] Triggering full rescan...`));
+    }
+    const { glob: glob3 } = await Promise.resolve().then(() => (init_esm7(), esm_exports));
+    const patterns2 = [
+      "**/*.js",
+      "**/*.jsx",
+      "**/*.ts",
+      "**/*.tsx",
+      "**/*.py",
+      "**/*.go",
+      "**/*.java",
+      "**/*.rb",
+      "**/*.php",
+      "**/*.cs",
+      "**/package.json"
+    ];
+    const ignorePatterns2 = [
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/.git/**",
+      "**/vendor/**",
+      "**/__pycache__/**"
+    ];
+    const allFiles2 = await glob3(patterns2, {
+      cwd: absolutePath,
+      ignore: ignorePatterns2,
+      nodir: true,
+      absolute: true
+    });
+    changedFiles.clear();
+    for (const filePath of allFiles2) {
+      changedFiles.add(filePath);
+    }
+    isScanning = false;
+    runScanOnChanges();
+  };
   const watcher = esm_default.watch(absolutePath, {
     ignored: [
       "**/node_modules/**",
@@ -46439,17 +46603,17 @@ async function watch2(targetPath, options) {
   });
   watcher.on("change", (filePath) => {
     if (!isScannableFile2(filePath)) return;
-    changedFiles.add((0, import_path4.resolve)(filePath));
+    changedFiles.add((0, import_path5.resolve)(filePath));
     if (!options.quiet) {
-      console.log(source_default.dim(`Changed: ${(0, import_path4.relative)(process.cwd(), filePath)}`));
+      console.log(source_default.dim(`Changed: ${(0, import_path5.relative)(process.cwd(), filePath)}`));
     }
     runScanOnChanges();
   });
   watcher.on("add", (filePath) => {
     if (!isScannableFile2(filePath)) return;
-    changedFiles.add((0, import_path4.resolve)(filePath));
+    changedFiles.add((0, import_path5.resolve)(filePath));
     if (!options.quiet) {
-      console.log(source_default.dim(`Added: ${(0, import_path4.relative)(process.cwd(), filePath)}`));
+      console.log(source_default.dim(`Added: ${(0, import_path5.relative)(process.cwd(), filePath)}`));
     }
     runScanOnChanges();
   });
@@ -46457,13 +46621,47 @@ async function watch2(targetPath, options) {
     const enhanced = enhanceError(error);
     console.error(formatError(enhanced));
   });
-  process.on("SIGINT", () => {
+  const cleanup = () => {
     if (!options.quiet) {
-      console.log(source_default.dim("\n\nStopping watch mode..."));
+      console.log(source_default.dim("\n\n  Stopping watch mode..."));
+      if (scanCount > 0) {
+        console.log(source_default.dim(`  Completed ${scanCount} scans, found ${totalIssues} total issues.`));
+      }
+      console.log("");
+    }
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(false);
     }
     watcher.close();
     process.exit(0);
-  });
+  };
+  if (process.stdin.isTTY && !options.quiet) {
+    readline.emitKeypressEvents(process.stdin);
+    process.stdin.setRawMode(true);
+    process.stdin.on("keypress", (ch, key) => {
+      if (!key) return;
+      if (key.name === "r") {
+        triggerFullRescan();
+      } else if (key.name === "c") {
+        console.clear();
+        showBanner();
+      } else if (key.name === "p") {
+        isPaused = !isPaused;
+        if (isPaused) {
+          console.log(source_default.yellow("\n  \u23F8  Watch paused. Press [p] to resume.\n"));
+        } else {
+          console.log(source_default.green("\n  \u25B6  Watch resumed.\n"));
+          if (changedFiles.size > 0) {
+            runScanOnChanges();
+          }
+        }
+      } else if (key.name === "q" || key.ctrl && key.name === "c") {
+        cleanup();
+      }
+    });
+  } else {
+    process.on("SIGINT", cleanup);
+  }
   if (!options.quiet) {
     console.log(source_default.dim("Performing initial scan..."));
   }
@@ -46507,9 +46705,15 @@ Examples:
   $ oculum watch . --clear      # Clear console between scans
   $ oculum watch . --debounce 1000  # Wait 1s after changes
 
+Keyboard Controls:
+  [r]  Rescan all files
+  [c]  Clear console
+  [p]  Pause/resume watching
+  [q]  Quit watch mode
+
 Tips:
   \u2022 Watch mode uses 'cheap' depth by default for fast feedback
-  \u2022 Press Ctrl+C to stop watching
+  \u2022 Scans are recorded to history (view with: oculum history)
   \u2022 Combine with oculum.config.json for project-specific settings
 `).action((path2, cliOptions) => {
   const projectConfig = loadProjectConfig(path2, cliOptions.quiet);
@@ -47132,59 +47336,6 @@ var Y2 = ({ indicator: t = "dots" } = {}) => {
 // src/commands/ui.ts
 var import_fs11 = require("fs");
 
-// src/utils/history.ts
-var import_fs8 = require("fs");
-var import_path5 = require("path");
-var import_os3 = require("os");
-var import_crypto = require("crypto");
-var CONFIG_DIR2 = (0, import_path5.join)((0, import_os3.homedir)(), ".oculum");
-var HISTORY_FILE = (0, import_path5.join)(CONFIG_DIR2, "history.json");
-var MAX_ENTRIES = 25;
-function ensureConfigDir2() {
-  if (!(0, import_fs8.existsSync)(CONFIG_DIR2)) {
-    (0, import_fs8.mkdirSync)(CONFIG_DIR2, { recursive: true });
-  }
-}
-function readHistoryFile() {
-  try {
-    if (!(0, import_fs8.existsSync)(HISTORY_FILE)) return [];
-    const content = (0, import_fs8.readFileSync)(HISTORY_FILE, "utf-8");
-    const parsed = JSON.parse(content);
-    if (!Array.isArray(parsed)) return [];
-    return parsed;
-  } catch {
-    return [];
-  }
-}
-function writeHistoryFile(entries) {
-  ensureConfigDir2();
-  (0, import_fs8.writeFileSync)(HISTORY_FILE, JSON.stringify(entries, null, 2));
-}
-function listScanHistory() {
-  return readHistoryFile();
-}
-function addScanHistoryEntry(input) {
-  const entry = {
-    id: input.id ?? (0, import_crypto.randomUUID)(),
-    createdAt: input.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
-    targetPath: input.targetPath,
-    options: input.options,
-    result: input.result
-  };
-  const current = readHistoryFile();
-  const updated = [entry, ...current].slice(0, MAX_ENTRIES);
-  writeHistoryFile(updated);
-  return entry;
-}
-function deleteScanHistoryEntry(id) {
-  const current = readHistoryFile();
-  const updated = current.filter((e2) => e2.id !== id);
-  writeHistoryFile(updated);
-}
-function clearScanHistory() {
-  writeHistoryFile([]);
-}
-
 // src/utils/first-run.ts
 var import_fs9 = require("fs");
 var import_path6 = require("path");
@@ -48138,6 +48289,9 @@ async function runAuthFlow() {
         const verified = await verifyApiKey(config.apiKey);
         if (verified.valid && verified.tier) {
           currentTier = verified.tier;
+          if (currentTier !== config.tier || verified.email && verified.email !== config.email) {
+            setAuthCredentials(config.apiKey, verified.email || config.email, currentTier);
+          }
         }
       } catch {
       }
@@ -48167,9 +48321,14 @@ async function runAuthFlow() {
           s.stop("Stored credentials are invalid or expired.");
           continue;
         }
+        const email = verified.email || getConfig().email || "unknown";
+        const tier = verified.tier || "free";
+        if (tier !== getConfig().tier || email !== getConfig().email) {
+          setAuthCredentials(getConfig().apiKey, email, tier);
+        }
         s.stop("Authenticated");
-        M2.info(`Email: ${verified.email || getConfig().email || "unknown"}`);
-        M2.info(`Tier: ${verified.tier || getConfig().tier || "unknown"}`);
+        M2.info(`Email: ${email}`);
+        M2.info(`Tier: ${tier}`);
       } catch (err) {
         s.stop("Verification failed");
         M2.error(String(err));
@@ -48921,6 +49080,200 @@ function showTroubleshooting() {
   console.log(source_default.white("  - Get support: ") + source_default.cyan("support@oculum.dev\n"));
 }
 
+// src/commands/history.ts
+function formatDate3(isoString) {
+  const date = new Date(isoString);
+  return date.toLocaleString("en-US", {
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit"
+  });
+}
+function truncate(str, maxLen) {
+  if (str.length <= maxLen) return str;
+  return str.slice(0, maxLen - 2) + "..";
+}
+function getStatusBadge(entry) {
+  const { severityCounts } = entry.result;
+  if (severityCounts.critical > 0 || severityCounts.high > 0) {
+    return source_default.red("FAIL");
+  }
+  return source_default.green("PASS");
+}
+function getTotalIssues(entry) {
+  const { severityCounts } = entry.result;
+  return severityCounts.critical + severityCounts.high + severityCounts.medium + severityCounts.low + severityCounts.info;
+}
+function showHistoryList() {
+  const entries = listScanHistory();
+  if (entries.length === 0) {
+    console.log(source_default.dim("\nNo scan history found."));
+    console.log(source_default.dim("Run a scan with: oculum scan .\n"));
+    return;
+  }
+  console.log(source_default.bold("\nRecent Scans"));
+  console.log(source_default.dim("\u2500".repeat(70)));
+  console.log();
+  console.log(
+    source_default.dim("  ID        ") + source_default.dim("Date              ") + source_default.dim("Path                    ") + source_default.dim("Issues  ") + source_default.dim("Status")
+  );
+  console.log(source_default.dim("  " + "\u2500".repeat(66)));
+  for (const entry of entries) {
+    const id = entry.id.slice(0, 8);
+    const date = formatDate3(entry.createdAt);
+    const path2 = truncate(entry.targetPath, 22);
+    const issues = getTotalIssues(entry);
+    const status2 = getStatusBadge(entry);
+    console.log(
+      `  ${source_default.cyan(id)}  ${source_default.white(date.padEnd(16))}  ${source_default.dim(path2.padEnd(22))}  ${String(issues).padEnd(6)}  ` + status2
+    );
+  }
+  console.log();
+  console.log(source_default.dim("\u2500".repeat(70)));
+  console.log(source_default.dim("Run 'oculum history show <id>' for details"));
+  console.log(source_default.dim("Run 'oculum history clear' to clear all history\n"));
+}
+function showScanDetails(id) {
+  const entry = getScanHistoryEntry(id);
+  if (!entry) {
+    const entries = listScanHistory();
+    const partial = entries.find((e2) => e2.id.startsWith(id));
+    if (partial) {
+      showScanDetailsForEntry(partial);
+      return;
+    }
+    console.log(source_default.red(`
+Scan not found: ${id}`));
+    console.log(source_default.dim("Run 'oculum history' to see available scans\n"));
+    return;
+  }
+  showScanDetailsForEntry(entry);
+}
+function showScanDetailsForEntry(entry) {
+  const { result, options, targetPath, createdAt, id } = entry;
+  const { severityCounts, vulnerabilities, filesScanned, scanDuration } = result;
+  console.log(source_default.bold("\nScan Details"));
+  console.log(source_default.dim("\u2500".repeat(50)));
+  console.log();
+  console.log(source_default.white("  ID:       ") + source_default.cyan(id.slice(0, 8)));
+  console.log(source_default.white("  Date:     ") + formatDate3(createdAt));
+  console.log(source_default.white("  Path:     ") + targetPath);
+  console.log(source_default.white("  Depth:    ") + options.depth);
+  console.log(source_default.white("  Files:    ") + filesScanned);
+  console.log(source_default.white("  Duration: ") + `${(scanDuration / 1e3).toFixed(1)}s`);
+  console.log();
+  console.log(source_default.bold("  Findings"));
+  console.log(source_default.dim("  " + "\u2500".repeat(30)));
+  const severities = [
+    { name: "Critical", count: severityCounts.critical, color: source_default.red },
+    { name: "High", count: severityCounts.high, color: source_default.yellow },
+    { name: "Medium", count: severityCounts.medium, color: source_default.magenta },
+    { name: "Low", count: severityCounts.low, color: source_default.blue },
+    { name: "Info", count: severityCounts.info, color: source_default.gray }
+  ];
+  for (const { name, count, color } of severities) {
+    if (count > 0) {
+      console.log(`  ${color(name.padEnd(10))} ${count}`);
+    }
+  }
+  const total = getTotalIssues(entry);
+  if (total === 0) {
+    console.log(source_default.green("  No issues found"));
+  }
+  if (vulnerabilities.length > 0) {
+    console.log();
+    console.log(source_default.bold("  Top Findings"));
+    console.log(source_default.dim("  " + "\u2500".repeat(30)));
+    const topFindings = vulnerabilities.slice(0, 5);
+    for (const finding of topFindings) {
+      const severityColor = finding.severity === "critical" ? source_default.red : finding.severity === "high" ? source_default.yellow : finding.severity === "medium" ? source_default.magenta : finding.severity === "low" ? source_default.blue : source_default.gray;
+      console.log(
+        `  ${severityColor(finding.severity.toUpperCase().padEnd(8))} ` + source_default.white(truncate(finding.title, 40))
+      );
+      console.log(source_default.dim(`           ${finding.filePath}:${finding.lineNumber}`));
+    }
+    if (vulnerabilities.length > 5) {
+      console.log(source_default.dim(`  ... and ${vulnerabilities.length - 5} more`));
+    }
+  }
+  console.log();
+  console.log(source_default.dim("\u2500".repeat(50)));
+  console.log(source_default.dim(`Run 'oculum history delete ${id.slice(0, 8)}' to remove this scan
+`));
+}
+function clearHistory() {
+  const entries = listScanHistory();
+  if (entries.length === 0) {
+    console.log(source_default.dim("\nNo history to clear.\n"));
+    return;
+  }
+  clearScanHistory();
+  console.log(source_default.green(`
+Cleared ${entries.length} scan entries.
+`));
+}
+function deleteEntry(id) {
+  const entry = getScanHistoryEntry(id);
+  if (!entry) {
+    const entries = listScanHistory();
+    const partial = entries.find((e2) => e2.id.startsWith(id));
+    if (partial) {
+      deleteScanHistoryEntry(partial.id);
+      console.log(source_default.green(`
+Deleted scan ${partial.id.slice(0, 8)}
+`));
+      return;
+    }
+    console.log(source_default.red(`
+Scan not found: ${id}
+`));
+    return;
+  }
+  deleteScanHistoryEntry(entry.id);
+  console.log(source_default.green(`
+Deleted scan ${entry.id.slice(0, 8)}
+`));
+}
+var historyCommand = new Command("history").description("View and manage scan history").argument("[subcommand]", "show, clear, or delete").argument("[id]", "scan ID for show/delete").action((subcommand, id) => {
+  if (!subcommand) {
+    showHistoryList();
+    return;
+  }
+  switch (subcommand) {
+    case "show":
+      if (!id) {
+        console.log(source_default.red("\nPlease provide a scan ID"));
+        console.log(source_default.dim("Usage: oculum history show <id>\n"));
+        return;
+      }
+      showScanDetails(id);
+      break;
+    case "clear":
+      clearHistory();
+      break;
+    case "delete":
+      if (!id) {
+        console.log(source_default.red("\nPlease provide a scan ID"));
+        console.log(source_default.dim("Usage: oculum history delete <id>\n"));
+        return;
+      }
+      deleteEntry(id);
+      break;
+    default:
+      showScanDetails(subcommand);
+  }
+}).addHelpText("after", `
+Examples:
+  $ oculum history              List recent scans
+  $ oculum history show abc123  View scan details
+  $ oculum history abc123       Quick access (same as show)
+  $ oculum history delete abc   Delete a scan by ID
+  $ oculum history clear        Clear all history
+
+Note: History stores up to 25 recent scans locally.
+`);
+
 // src/utils/ci-detect.ts
 var CI_ENV_VARS = [
   "CI",
@@ -48982,7 +49335,7 @@ function shouldRunUI() {
   return isOcAlias || isUICommand;
 }
 var program2 = new Command();
-program2.name("oculum").description("AI-native security scanner for detecting vulnerabilities in LLM-generated code").version("1.0.8").addHelpText("after", `
+program2.name("oculum").description("AI-native security scanner for detecting vulnerabilities in LLM-generated code").version("1.0.9").addHelpText("after", `
 Quick Start:
   $ oculum scan .          Scan current directory (free)
   $ oculum ui              Interactive mode with guided setup
@@ -48991,6 +49344,7 @@ Quick Start:
 Common Commands:
   scan [path]              Scan files for security vulnerabilities
   watch [path]             Watch files and scan on changes
+  history                  View and manage scan history
   ui                       Interactive terminal UI
   login                    Authenticate with Oculum
   status                   Check authentication status
@@ -49013,6 +49367,7 @@ program2.addCommand(usageCommand);
 program2.addCommand(watchCommand);
 program2.addCommand(uiCommand);
 program2.addCommand(helpCommand);
+program2.addCommand(historyCommand);
 async function main2() {
   const interactive = isInteractiveTerminal();
   if (interactive && shouldRunUI()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oculum/cli",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "AI-native security scanner CLI for detecting vulnerabilities in AI-generated code, BYOK patterns, and modern web applications",
   "main": "dist/index.js",
   "bin": {
@@ -19,7 +19,7 @@
     "url": "https://github.com/flexipie/oculum/issues"
   },
   "scripts": {
-    "build": "esbuild src/index.ts --bundle --platform=node --target=node18 --outfile=dist/index.js --banner:js=\"#!/usr/bin/env node\" --define:process.env.OCULUM_API_URL='undefined' --define:VERSION='\"1.0.8\"'",
+    "build": "esbuild src/index.ts --bundle --platform=node --target=node18 --outfile=dist/index.js --banner:js=\"#!/usr/bin/env node\" --define:process.env.OCULUM_API_URL='undefined' --define:VERSION='\"1.0.9\"'",
     "dev": "npm run build -- --watch",
     "test": "echo \"No tests configured yet\"",
     "lint": "eslint src/"