@pugi/cli 0.1.0-beta.5 → 0.1.0-beta.51

package/dist/tui/repl-render.js

@@ -16,14 +16,20 @@
  * a tiny `event:`/`data:`/`id:` parser. This keeps the dependency
  * graph at zero new packages.
  */
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
 import React from 'react';
 import { render } from 'ink';
 import { Repl } from './repl.js';
 import { printPugMascotPreInk } from './repl-splash-mascot.js';
+import { collectWelcomeData } from './welcome-data.js';
+import { ThemeProvider } from '../core/theme/context.js';
+import { resolveTheme } from '../core/theme/state.js';
 import { ReplSession, } from '../core/repl/session.js';
 import { resolveWorkspaceContext } from '../core/repl/workspace-context.js';
 import { SqliteSessionStore } from '../core/repl/store/index.js';
 import { slugForCwd } from '../core/repl/history.js';
+import { loadSettings } from '../core/settings.js';
 import { WorkingSet, buildRepoSkeleton, loadPugiIgnore, PugiWatcher, } from '../core/context/index.js';
 /**
  * Mount the REPL and resolve when the user exits via Ctrl+C × 2 or
@@ -31,12 +37,85 @@ import { WorkingSet, buildRepoSkeleton, loadPugiIgnore, PugiWatcher, } from '../
  * `pugi resume <sessionId>` once that command exists).
  */
 export async function renderRepl(options) {
+    // beta.9 CEO dogfood 2026-05-26: claim stdin raw mode + alt-screen
+    // BEFORE any async bootstrap step so keystrokes typed during the
+    // [launch -> Ink mount] window cannot echo into the terminal in
+    // cooked mode. Previously openLocalStore (SQLite open) +
+    // bootstrapContext (chokidar start) could take hundreds of ms to
+    // multiple seconds on a fresh install / large repo; during that
+    // window stdin stayed in cooked mode and the terminal echoed
+    // every typed character literally onto the screen below the
+    // pre-printed mascot/header. The visible result was the operator's
+    // "ssssss" landing on the rendered status-bar bottom row (CEO
+    // screenshot 2026-05-26: beta.8 REPL bug 2).
+    //
+    // The claim is idempotent with Ink's own raw-mode enable: Ink
+    // ref-counts setRawMode calls, and Node's stdin.setRawMode is
+    // safe to call twice with the same value. The pre-Ink claim acts
+    // as a "raw-mode floor" - whatever Ink does after mount layers on
+    // top, and our finally{} restore drops the floor only after Ink
+    // has cleanly torn down (or never mounted on a bootstrap crash).
+    const bootstrap = claimTerminalForRepl();
+    // beta.13 auto-init wire (CEO dogfood 2026-05-26): scaffold the
+    // `.pugi/` workspace silently on REPL boot so launching `pugi` in a
+    // fresh cwd no longer demands an explicit `pugi init` round-trip.
+    // Idempotent — every helper inside scaffoldPugiWorkspace is a
+    // `*_IfMissing` write, so re-running over an existing workspace is
+    // a no-op. Fail-safe: any FS / perms error never blocks REPL launch.
+    // Operator escape hatch: PUGI_NO_AUTO_INIT=1.
+    //
+    // Beta.13 P2 fix 2026-05-26: gate the scaffold on project-root markers
+    // so launching `pugi` from `$HOME` / `/tmp` / arbitrary dirs does NOT
+    // sprinkle `.pugi/` directories all over the filesystem. The gate
+    // mirrors `isBoundWorkspace` from workspace-context.ts but also
+    // accepts non-JS roots (Cargo / pyproject / go.mod) because the CLI
+    // is language-agnostic and an operator working in a Rust repo deserves
+    // the same auto-init UX as a Node operator. Already-bound `.pugi/`
+    // dirs also opt back in so the scaffold can fill any missing
+    // sub-artifacts the operator deleted.
+    // Leak L22 (2026-05-27): `--bare` (PUGI_BARE=1) ALSO suppresses the
+    // auto-init scaffold. Bare mode is the deterministic "fresh install
+    // anywhere" path — no `.pugi/` writes, no PUGI.md scaffold, no
+    // settings.json seed. The pre-existing PUGI_NO_AUTO_INIT escape
+    // hatch stays — bare mode just unions with it.
+    const { isBareMode } = await import('../core/bare-mode/index.js');
+    if (process.env.PUGI_NO_AUTO_INIT !== '1' &&
+        !isBareMode() &&
+        isProjectRoot(process.cwd())) {
+        try {
+            const { scaffoldPugiWorkspace } = await import('../runtime/cli.js');
+            await scaffoldPugiWorkspace({
+                cwd: process.cwd(),
+                noDefaults: true,
+                log: () => {
+                    /* silent — never leak scaffold progress into the REPL alt-screen */
+                },
+            });
+        }
+        catch (err) {
+            // Fail-safe: read-only FS or perms error never blocks REPL launch.
+            // Beta.13 P2 fix 2026-05-26: bare-catch swallowed the diagnostic;
+            // surface it on stderr under PUGI_DEBUG=1 so operator-triage on
+            // "why isn't .pugi/ being created?" has a starting point without
+            // having to re-instrument the bootstrap.
+            if (process.env.PUGI_DEBUG === '1') {
+                const msg = err instanceof Error ? err.message : String(err);
+                process.stderr.write(`[pugi-debug] auto-init failed: ${msg}\n`);
+            }
+        }
+    }
     const transport = createProductionTransport();
     // Auto-bind the workspace context from process.cwd() so Mira knows
     // which repo the operator launched the CLI in. The resolver is
     // best-effort — any FS error falls back to a basename-only summary,
     // never blocks REPL launch. Wave 4 fix 2026-05-25.
     const workspace = options.workspace ?? resolveWorkspaceContext(process.cwd());
+    // Beta.13 P1 fix 2026-05-26: read `ui.cyberZoo` from
+    // `.pugi/settings.json` so the operator's splash posture flows to
+    // admin-api on session open. Without this, the renderer's `cyberZoo`
+    // parameter (added beta.13) was always defaulted to 'on' regardless
+    // of the operator's actual setting.
+    const cyberZoo = readCyberZooSetting(process.cwd());
     // α6.4: open the local SessionStore for `/resume` persistence. The
     // store lives under `~/.pugi/projects/<slug>/`; failure is fail-safe
     // — we log a one-line warning to stderr and continue with the REPL
@@ -64,6 +143,7 @@ export async function renderRepl(options) {
         cliVersion: options.cliVersion,
         transport,
         workspace,
+        cyberZoo,
         store,
         localSessionId: openedSessionId,
         repoSkeleton: skeleton,
@@ -86,21 +166,14 @@ export async function renderRepl(options) {
     // Kick off the connect; the Repl renders the connecting state until
     // the session pushes `connection: 'on_watch'` from the SSE onOpen.
     void session.start();
-    // α6.14.4 CEO dogfood 2026-05-25 (parity with Claude Code): enter
-    // the terminal's alternate screen buffer so the REPL renders on a
-    // fresh "screen" the operator cannot scroll above. On exit, leave
-    // restores the previous terminal contents - the conversation does
-    // not pollute the operator's shell history. Skipped under --no-tty
-    // and when stdout is not a TTY (pipe/CI), where the escapes would
-    // appear as literal characters.
-    // ORDER MATTERS (beta.2 follow-up): alt-screen enter MUST happen
-    // BEFORE the chafa mascot pre-print. Reversed, the alt-screen clear
-    // wiped the freshly-painted pug and the operator saw nothing.
-    const supportsAltScreen = process.stdout.isTTY === true;
-    if (supportsAltScreen) {
-        process.stdout.write('\x1b[?1049h');
-        process.stdout.write('\x1b[H');
-    }
+    // beta.9: drain any keystrokes that landed in stdin between the
+    // pre-Ink raw-mode claim and now. Without this, the queued bytes
+    // would feed Ink's first useInput tick as a flood of "stale"
+    // characters once the InputBox mounts - the operator would see
+    // their pre-typed input materialise in the prompt as if they had
+    // typed it after the REPL became interactive. Idempotent: no-op
+    // when stdin is not a TTY or no bytes were buffered.
+    drainBufferedStdin(process.stdin);
     // α6.14.2 wave 5: paint the chafa-baked brand-pug ANSI render to
     // stdout BEFORE Ink mounts (but AFTER alt-screen enter). Ink's
     // layout engine would mis-measure the truecolor escape sequences,
@@ -111,33 +184,55 @@ export async function renderRepl(options) {
     // (operator opted out via --no-splash), we suppress the pre-print
     // too so the boot stays silent.
     const mascotPrePrinted = options.skipSplash === true ? false : printPugMascotPreInk(process.stdout);
-    const instance = render(React.createElement(Repl, {
+    // Leak L30 (2026-05-27): resolve the active theme ONCE at mount
+    // and wrap `<Repl />` in `<ThemeProvider>` so every Ink consumer
+    // (`<Header>`, `<DoctorTable>`, `<StyleTable>`, `<ThemeTable>`,
+    // …) picks up the same color tokens. The provider is stable for
+    // the lifetime of the REPL — operator `/theme <name>` writes to
+    // disk + appends a system line, and the next `pugi` launch re-
+    // mounts with the new slug. Re-mounting mid-session would race
+    // against Ink's raw-mode handler so we deliberately keep the
+    // session-lifetime contract instead of polling the config file.
+    const resolvedTheme = resolveTheme({
+        workspaceRoot: process.cwd(),
+        env: process.env,
+    });
+    // CEO P0 #2 (2026-05-29): collect welcome banner data BEFORE Ink
+    // mounts so the banner paints on the first frame instead of swapping
+    // in mid-render. The collector swallows every IO error so а missing
+    // CHANGELOG / unreadable credential / malformed settings never
+    // blocks the boot.
+    let welcomeData;
+    if (options.skipSplash !== true) {
+        try {
+            welcomeData = collectWelcomeData({
+                cliVersion: options.cliVersion,
+                cwd: process.cwd(),
+            });
+        }
+        catch {
+            welcomeData = undefined;
+        }
+    }
+    const instance = render(React.createElement(ThemeProvider, { slug: resolvedTheme.slug }, React.createElement(Repl, {
         session,
         updateBanner: options.updateBanner ?? null,
         skipSplash: options.skipSplash === true,
         hideToolStream: options.hideToolStream === true,
         mascotPrePrinted,
-    }));
-    const restoreAltScreen = () => {
-        if (supportsAltScreen) {
-            try {
-                process.stdout.write('\x1b[?1049l');
-            }
-            catch {
-                /* shutdown race — terminal already detached */
-            }
-        }
-    };
+        welcomeData,
+        autoInitStatus: options.autoInitStatus ?? null,
+    })));
     // Make sure we leave the alt screen on abrupt exits too. Without
     // this the operator's shell stays "frozen" on the Pugi splash.
-    process.once('exit', restoreAltScreen);
-    process.once('SIGINT', restoreAltScreen);
-    process.once('SIGTERM', restoreAltScreen);
+    process.once('exit', bootstrap.restore);
+    process.once('SIGINT', bootstrap.restore);
+    process.once('SIGTERM', bootstrap.restore);
     try {
         await instance.waitUntilExit();
     }
     finally {
-        restoreAltScreen();
+        bootstrap.restore();
         session.close();
         if (store) {
             try {
@@ -157,6 +252,138 @@ export async function renderRepl(options) {
         }
     }
 }
+export function claimTerminalForRepl(stdin = process.stdin, stdout = process.stdout) {
+    const isStdoutTty = stdout.isTTY === true;
+    const isStdinTty = stdin.isTTY === true && typeof stdin.setRawMode === 'function';
+    let altScreenEntered = false;
+    if (isStdoutTty) {
+        try {
+            stdout.write('\x1b[?1049h');
+            stdout.write('\x1b[H');
+            altScreenEntered = true;
+        }
+        catch {
+            /* terminal already detached */
+        }
+    }
+    let rawModeClaimed = false;
+    if (isStdinTty) {
+        try {
+            stdin.setEncoding('utf8');
+            stdin.setRawMode(true);
+            // Resume so the kernel actually delivers bytes to Node's event
+            // loop. Without resume, raw mode is set but data does not flow
+            // until something else (e.g. Ink) attaches a 'data' listener.
+            stdin.resume();
+            rawModeClaimed = true;
+        }
+        catch {
+            /* raw mode unsupported - the operator's shell still works */
+        }
+    }
+    let restored = false;
+    const restore = () => {
+        if (restored)
+            return;
+        restored = true;
+        if (rawModeClaimed && isStdinTty) {
+            try {
+                stdin.setRawMode(false);
+            }
+            catch {
+                /* terminal already detached */
+            }
+        }
+        if (altScreenEntered) {
+            try {
+                stdout.write('\x1b[?1049l');
+            }
+            catch {
+                /* shutdown race - terminal already detached */
+            }
+        }
+    };
+    return { altScreenEntered, rawModeClaimed, restore };
+}
+/**
+ * Read and discard any bytes buffered in stdin between
+ * `claimTerminalForRepl()` and the Ink mount. Returns the number of
+ * bytes drained so tests can assert the behaviour without intercepting
+ * the side effect.
+ *
+ * `stdin.read()` is a no-op when no data is buffered, so this is safe
+ * to call whether or not the operator actually typed during bootstrap.
+ * Wrapped in try/catch because a closed / piped stdin will throw on
+ * read in some Node versions.
+ */
+export function drainBufferedStdin(stdin = process.stdin) {
+    if (stdin.isTTY !== true)
+        return 0;
+    try {
+        let bytesDrained = 0;
+        // Loop until read() returns null - readable streams may chunk
+        // buffered bytes across multiple read() calls when the operator
+        // typed faster than the kernel could deliver to Node's loop.
+        for (;;) {
+            const chunk = stdin.read();
+            if (chunk === null)
+                return bytesDrained;
+            bytesDrained += typeof chunk === 'string' ? chunk.length : chunk.byteLength;
+        }
+    }
+    catch {
+        return 0;
+    }
+}
+/**
+ * Project-root probe — beta.13 P2 fix 2026-05-26.
+ *
+ * Beta.13 auto-init was unconditional and silently created `.pugi/` in
+ * every cwd the REPL was launched from, including `$HOME` and `/tmp`.
+ * Operators who ran `pugi` to ask a quick question outside of any
+ * project ended up with stray `.pugi/` directories polluting their
+ * filesystem. The gate looks for any of six project-root markers
+ * before scaffolding:
+ *
+ *   - `package.json`     — JS / TS workspaces
+ *   - `.git`             — any cloned repo regardless of language
+ *   - `.pugi`            — already-bound Pugi workspace (re-scaffold
+ *                          fills any missing artifacts the operator
+ *                          deleted, idempotent over existing files)
+ *   - `Cargo.toml`       — Rust crates
+ *   - `pyproject.toml`   — Python projects (PEP 518)
+ *   - `go.mod`           — Go modules
+ *
+ * The probe is six cheap `existsSync` calls; the cost is negligible
+ * compared with the alt-screen + Ink mount that follows. Exported so a
+ * future unit spec can lock the contract.
+ */
+export function isProjectRoot(cwd) {
+    // ESM static imports — `require()` is not defined in a `"type": "module"`
+    // bundle and would throw `ReferenceError: require is not defined` the
+    // moment the REPL bootstrap calls this gate. Beta.16 P0 fix 2026-05-27.
+    return (existsSync(resolve(cwd, 'package.json')) ||
+        existsSync(resolve(cwd, '.git')) ||
+        existsSync(resolve(cwd, '.pugi')) ||
+        existsSync(resolve(cwd, 'Cargo.toml')) ||
+        existsSync(resolve(cwd, 'pyproject.toml')) ||
+        existsSync(resolve(cwd, 'go.mod')));
+}
+/**
+ * Read the operator's cyber-zoo posture from `.pugi/settings.json`.
+ * Best-effort: when the file is missing / malformed, fall through to
+ * the historical 'on' default so the REPL never refuses to launch on
+ * a settings error. Beta.13 P1 fix 2026-05-26.
+ */
+function readCyberZooSetting(cwd) {
+    try {
+        const settings = loadSettings(cwd);
+        return settings.ui?.cyberZoo ?? 'on';
+    }
+    catch {
+        return 'on';
+    }
+}
 /**
  * Open the local SessionStore for the REPL bootstrap. Returns
  * `{ store: null, openedSessionId: undefined }` on any error so the
@@ -248,13 +475,20 @@ async function bootstrapContext(input) {
 /* ------------------------------------------------------------------ */
 /* Production transport                                               */
 /* ------------------------------------------------------------------ */
-function createProductionTransport() {
+export function createProductionTransport() {
     return {
-        async createSession({ apiUrl, apiKey, workspace }) {
+        async createSession({ apiUrl, apiKey, workspace, cyberZoo }) {
             // Forward the workspace bundle in the POST body so admin-api can
             // surface `<workspace-context>` in Mira's prompt. Older admin-api
             // builds ignore unknown fields, so this stays forward-compatible.
             // Wave 4 fix 2026-05-25.
+            //
+            // Beta.13 P1 fix 2026-05-26: also forward `cyberZoo` so admin-api
+            // can render Mira's `<cyber-zoo>` marker matching the operator's
+            // `.pugi/settings.json::ui.cyberZoo` toggle instead of the
+            // historical 'on' default. Only included on the wire when set
+            // explicitly so a missing setting still survives older admin-api
+            // builds that do not declare the DTO field.
             const body = {};
             if (workspace?.workspaceCwd)
                 body.workspaceCwd = workspace.workspaceCwd;
@@ -262,6 +496,8 @@ function createProductionTransport() {
                 body.workspaceSlug = workspace.workspaceSlug;
             if (workspace?.workspaceSummary)
                 body.workspaceSummary = workspace.workspaceSummary;
+            if (cyberZoo === 'on' || cyberZoo === 'off')
+                body.cyberZoo = cyberZoo;
             const response = await fetch(joinUrl(apiUrl, '/api/pugi/sessions'), {
                 method: 'POST',
                 headers: jsonHeaders(apiKey),
@@ -307,6 +543,31 @@ function createProductionTransport() {
             if (lastEventId) {
                 headers['Last-Event-ID'] = lastEventId;
             }
+            // beta.9 CEO dogfood 2026-05-26: hard timeout on the SSE
+            // handshake so a CDN/proxy that buffers the response (or an
+            // admin-api that accepted the route but never flushed headers)
+            // cannot freeze the REPL in `connecting` forever. The 5s budget
+            // is generous - admin-api routinely responds in <500ms when
+            // healthy - but tight enough that an operator who launched
+            // `pugi` and is staring at the screen will see the status flip
+            // to `reconnecting` instead of an indefinite hang. The
+            // AbortController bound to the fetch aborts the in-flight
+            // request when the timer fires, which surfaces as an
+            // `AbortError` and routes through the existing onError handler
+            // (which calls scheduleReconnect via the session). The timer
+            // is cleared the moment onOpen fires so a slow-but-eventually-
+            // successful handshake still works.
+            const handshakeDeadlineMs = 5_000;
+            const handshakeTimer = setTimeout(() => {
+                controller.abort();
+                // onError is called from the catch block below (the abort
+                // synthesises an AbortError that consumeSseStream / fetch
+                // will throw). No explicit onError call here - we let the
+                // catch path normalise the error message so the operator
+                // sees the consistent "SSE handshake timed out (5s)" prose
+                // through the same plumbing that surfaces every other
+                // transport failure.
+            }, handshakeDeadlineMs);
             void (async () => {
                 try {
                     const response = await fetch(url, {
@@ -320,6 +581,9 @@ function createProductionTransport() {
                     if (!response.body) {
                         throw new Error('SSE response has no body');
                     }
+                    // Handshake survived; cancel the deadline so a slow
+                    // first-event stream does not get aborted later.
+                    clearTimeout(handshakeTimer);
                     onOpen();
                     await consumeSseStream(response.body, onEvent);
                     // Server closed the stream cleanly. Treat as an error so
@@ -329,13 +593,27 @@ function createProductionTransport() {
                     onError(new Error('SSE stream ended'));
                 }
                 catch (error) {
-                    if (controller.signal.aborted)
+                    clearTimeout(handshakeTimer);
+                    if (controller.signal.aborted) {
+                        // Distinguish operator-driven close (session.close())
+                        // from the handshake-deadline abort. The session sets a
+                        // `closed` flag before calling controller.abort(); the
+                        // handshake-deadline abort fires while the session is
+                        // still expecting onOpen. We cannot read session state
+                        // from here, so we surface a single error class with a
+                        // clear message - the session-side onError handler
+                        // already short-circuits when `closed=true`.
+                        onError(new Error(`SSE handshake timed out after ${handshakeDeadlineMs}ms`));
                         return;
+                    }
                     onError(error instanceof Error ? error : new Error(String(error)));
                 }
             })();
             return {
-                close: () => controller.abort(),
+                close: () => {
+                    clearTimeout(handshakeTimer);
+                    controller.abort();
+                },
             };
         },
     };

package/dist/tui/repl-splash-art.js

@@ -3,7 +3,7 @@
  *
  * Hand-crafted at 9 rows × 20 columns to read as a pug at a single
  * glance — references the cyber-zoo hero glyph in
- * `apps/clawhost-web/public/brand/hero-pug.png`: blocky pug face with
+ * `apps/console-web/public/brand/hero-pug.png`: blocky pug face with
  * angular ear flaps on either side of the head, forehead crease,
  * angular cyan eyes (`◉`), smushed snout, undershot jaw, and a small
  * cyan circuit chip (`▐■▌`) on the lower-right cheek.

package/dist/tui/repl-splash-mascot.js

@@ -22,7 +22,7 @@
  *
  * Generation (operator-side, one-shot):
  *   chafa --size 80x40 --symbols=vhalf --colors=full \
- *     apps/clawhost-web/public/brand/hero-pug.png \
+ *     apps/console-web/public/brand/hero-pug.png \
  *     > apps/pugi-cli/assets/pugi-mascot.ansi
  *
  * The output is committed verbatim to the repo and shipped inside the
@@ -48,9 +48,21 @@ import { fileURLToPath } from 'node:url';
  * — two directory hops up from this file. In a local `pnpm dev`
  * checkout the structure is the same (`src/tui/` ⇒ `../../assets/`)
  * because tsx re-resolves the same relative tree.
+ *
+ * CEO P0 #2 (2026-05-29) — banner mascot bake. The prozr2 portrait is
+ * the canonical brand-pug glyph from `apps/console-web/public/brand/
+ * Pugi-prozr2.png`, baked к а 16x8 vhalf truecolor render. We prefer
+ * the prozr2 bake when it ships alongside the CLI (small — ~900 bytes,
+ * shaped for the compact welcome-banner left column) and fall back к
+ * the legacy 40KB `pugi-mascot.ansi` (hero-pug 80x40) when prozr2 is
+ * missing — preserves the splash-mascot install surface for any
+ * tarball that predates the bake.
  */
 export function pugMascotAssetPath() {
     const here = dirname(fileURLToPath(import.meta.url));
+    const prozr2 = resolvePath(here, '..', '..', 'assets', 'pugi-prozr2-mascot.ansi');
+    if (existsSync(prozr2))
+        return prozr2;
     return resolvePath(here, '..', '..', 'assets', 'pugi-mascot.ansi');
 }
 /**
@@ -89,21 +101,33 @@ export function loadPugMascotAnsi() {
         //    icon, clipboard, hyperlinks, color-palette change). Drop them
         //    so a corrupted asset cannot rename the operator's terminal tab
         //    or smuggle a hyperlink into the splash region.
-        // 2. Drop CSI ? <mode> [hl] for mouse-tracking and screen-buffer
-        //    switch modes (1000, 1001, 1002, 1003, 1004, 1005, 1006, 1015,
-        //    1049, 47, 1047, 1048). These would either start swallowing
-        //    mouse input or flip the terminal into the alternate screen.
+        // 2. Drop ALL CSI ? <numbers and semicolons> [lh] (DEC private-mode
+        //    set / reset). The legitimate chafa output for a splash is
+        //    truecolor SGR (`CSI 38;2;R;G;B m`) plus cursor-positioning —
+        //    no private-mode toggle ever appears там legitimately. A
+        //    permissive deny-all pattern covers every disruptive private
+        //    mode in one regex:
+        //      - cursor visibility (25)
+        //      - alt-screen buffer  (47, 1047, 1048, 1049)
+        //      - mouse tracking     (1000, 1001, 1002, 1003, 1004, 1005, 1006, 1015)
+        //      - bracketed paste    (2004)
+        //      - focus reporting    (1004)
+        //      - multi-mode forms   (e.g. `CSI ? 47 ; 1049 h` — legal per
+        //        xterm ctlseqs but missed by the previous single-mode regex)
+        //      - any future private mode a corrupt asset might emit
+        //    Allowlisting the modes the splash needs is impossible because
+        //    the splash needs ZERO of them — chafa renders glyph-by-glyph,
+        //    not via private-mode toggles. A pure deny-all is strictly
+        //    safer than enumerating known-bad modes one-by-one.
         // 3. Drop CSI 6 n (cursor-position report). Would inject a fake
         //    CPR into the operator's stdin stream.
         // 4. Drop CSI [23]J / CSI [23]K (full screen / line clear). A
         //    chafa render uses cursor-positioning per row, not bulk
         //    erases; bulk clears would wipe whatever the operator already
         //    had on screen above the splash.
-        // The cursor-hide/show wrappers (CSI ? 25 [lh]) are handled by
-        // the same CSI-?-mode pattern as the mouse / alt-screen modes.
         const stripped = raw
             .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '')
-            .replace(/\x1b\[\?(?:25|47|1000|1001|1002|1003|1004|1005|1006|1015|1047|1048|1049)[lh]/g, '')
+            .replace(/\x1b\[\?[0-9;]+[lh]/g, '')
             .replace(/\x1b\[6n/g, '')
             .replace(/\x1b\[[23]?[JK]/g, '');
         if (stripped.trim().length === 0)

package/dist/tui/repl-splash.js

@@ -67,7 +67,7 @@ export function ReplSplash(props) {
     // pugs. The header card still renders inline so wordmark + status
     // rows stay attached to the splash flow.
     const showHandCraftedMascot = props.mascotPrePrinted !== true;
-    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsxs(Box, { flexDirection: "row", children: [showHandCraftedMascot ? _jsx(MascotColumn, {}) : null, _jsxs(Box, { flexDirection: "column", marginLeft: showHandCraftedMascot ? 2 : 0, marginTop: 1, children: [_jsxs(Box, { children: [_jsx(Text, { bold: true, children: "Pugi" }), _jsx(Text, { bold: true, color: "cyan", children: ".io" }), _jsx(Text, { dimColor: true, children: `  v${props.cliVersion}` })] }), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(HeaderRow, { label: "Plan", value: props.plan ?? PLACEHOLDER }), _jsx(HeaderRow, { label: "Model", value: props.model ?? PLACEHOLDER }), _jsx(HeaderRow, { label: "Tenant", value: props.tenant ?? PLACEHOLDER }), _jsx(HeaderRow, { label: "Workspace", value: props.workspaceLabel })] })] })] }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '─'.repeat(40) }) }), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(Text, { dimColor: true, children: "Tips for getting started:" }), _jsx(TipRow, { index: 1, text: "Type a brief, the workforce dispatches" }), _jsx(TipRow, { index: 2, text: "/help for slash commands, /web <url> to pull a page" }), _jsx(TipRow, { index: 3, text: "/skills install <name> for Anthropic / OpenClaw skills" })] })] }));
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsxs(Box, { flexDirection: "row", children: [showHandCraftedMascot ? _jsx(MascotColumn, {}) : null, _jsxs(Box, { flexDirection: "column", marginLeft: showHandCraftedMascot ? 2 : 0, marginTop: 1, children: [_jsxs(Box, { children: [_jsx(Text, { bold: true, children: "Pugi" }), _jsx(Text, { bold: true, color: "#3da9fc", children: ".io" }), _jsx(Text, { dimColor: true, children: `  v${props.cliVersion}` })] }), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(HeaderRow, { label: "Plan", value: props.plan ?? PLACEHOLDER }), _jsx(HeaderRow, { label: "Model", value: props.model ?? PLACEHOLDER }), _jsx(HeaderRow, { label: "Tenant", value: props.tenant ?? PLACEHOLDER }), _jsx(HeaderRow, { label: "Workspace", value: props.workspaceLabel })] })] })] }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '─'.repeat(40) }) }), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(Text, { dimColor: true, children: "Tips for getting started:" }), _jsx(TipRow, { index: 1, text: "Type a brief, the workforce dispatches" }), _jsx(TipRow, { index: 2, text: "/help for slash commands, /web <url> to pull a page" }), _jsx(TipRow, { index: 3, text: "/skills install <name> for Anthropic / OpenClaw skills" })] })] }));
 }
 /**
  * Renders the multi-line ASCII pug. Each row is split into colored
@@ -105,7 +105,7 @@ function MascotRow({ row, mask, }) {
     if (buffer.length > 0) {
         runs.push({ text: buffer, cyan: bufferCyan });
     }
-    return (_jsx(Text, { children: runs.map((run, runIndex) => run.cyan ? (_jsx(Text, { color: "cyan", children: run.text }, runIndex)) : (_jsx(Text, { color: "gray", children: run.text }, runIndex))) }));
+    return (_jsx(Text, { children: runs.map((run, runIndex) => run.cyan ? (_jsx(Text, { color: "#3da9fc", children: run.text }, runIndex)) : (_jsx(Text, { color: "gray", children: run.text }, runIndex))) }));
 }
 function HeaderRow({ label, value }) {
     const padded = `${label}:`.padEnd(11, ' ');