@pugi/cli 0.1.0-beta.9 → 0.1.0-beta.91

package/dist/tui/permissions-picker.js

@@ -0,0 +1,86 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { PERMISSION_MODES, PERMISSION_MODE_GLOSS, } from '../core/permissions/index.js';
+/**
+ * Build the rendered rows from the canonical mode list. We map the
+ * 1-line gloss → row hint so `/permissions` and the picker stay in
+ * sync — a change to `PERMISSION_MODE_GLOSS` shows up here too.
+ */
+const ITEMS = PERMISSION_MODES.map((mode) => ({
+    mode,
+    title: titleCase(mode),
+    hint: PERMISSION_MODE_GLOSS[mode],
+}));
+function titleCase(mode) {
+    return mode.charAt(0).toUpperCase() + mode.slice(1);
+}
+/**
+ * Resolve the initial cursor — prefer the explicit `initialIndex`
+ * (spec / test) when provided, otherwise highlight the row matching
+ * the active mode so the operator opens the picker with their
+ * current selection focused.
+ */
+function resolveInitialIndex(currentMode, override) {
+    if (typeof override === 'number') {
+        return Math.min(Math.max(override, 0), ITEMS.length - 1);
+    }
+    const idx = ITEMS.findIndex((item) => item.mode === currentMode);
+    return idx >= 0 ? idx : 0;
+}
+export function PermissionsPicker(props) {
+    const [index, setIndex] = useState(resolveInitialIndex(props.currentMode, props.initialIndex));
+    useInput((input, key) => {
+        if (key.upArrow || input === 'k') {
+            setIndex((current) => (current === 0 ? ITEMS.length - 1 : current - 1));
+            return;
+        }
+        if (key.downArrow || input === 'j') {
+            setIndex((current) => (current === ITEMS.length - 1 ? 0 : current + 1));
+            return;
+        }
+        if (key.return) {
+            const selected = ITEMS[index];
+            if (selected)
+                props.onSelect(selected.mode);
+            return;
+        }
+        if (key.escape || input === 'q') {
+            props.onCancel();
+            return;
+        }
+        // : number shortcuts mirror the canonical 6-mode order.
+        // Operators coming from the upstream tool reach the same mode with the
+        // same digit (1=default, 2=acceptEdits, …, 6=bypassPermissions).
+        if (input === '1')
+            props.onSelect('default');
+        if (input === '2')
+            props.onSelect('acceptEdits');
+        if (input === '3')
+            props.onSelect('plan');
+        if (input === '4')
+            props.onSelect('auto');
+        if (input === '5')
+            props.onSelect('dontAsk');
+        if (input === '6')
+            props.onSelect('bypassPermissions');
+    });
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 2, paddingY: 1, children: [_jsxs(Box, { children: [_jsx(Text, { bold: true, children: "Permission mode" }), _jsx(Text, { dimColor: true, children: `  (current: ${props.currentMode} — ${props.sourceLabel})` })] }), props.firstRun ? (_jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: "First time? Mode = Ask \u043F\u043E \u0443\u043C\u043E\u043B\u0447\u0430\u043D\u0438\u044E. Use /permissions \u043A change later." }) })) : null, _jsx(Box, { marginTop: 1, flexDirection: "column", children: ITEMS.map((item, itemIndex) => {
+                    const isSelected = itemIndex === index;
+                    const isCurrent = item.mode === props.currentMode;
+                    return (_jsx(PickerRow, { isSelected: isSelected, isCurrent: isCurrent, title: item.title, hint: item.hint }, item.mode));
+                }) }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '↑/↓ select  Enter confirm  Esc cancel' }) })] }));
+}
+function PickerRow({ isSelected, isCurrent, title, hint, }) {
+    // Arrow glyph + padded title so highlighted and dim rows share
+    // column alignment. A trailing ` ●` marks the currently-effective
+    // mode (separate from cursor focus) so an operator instantly sees
+    // which row is "what I have now" vs "what I'm hovering".
+    const indicator = isSelected ? '▸ ' : ' ';
+    // : longest title is `BypassPermissions` (17 chars). Bump the
+    // pad column так the gloss column stays aligned across all 6 rows.
+    const padded = title.padEnd(18, ' ');
+    const currentMarker = isCurrent ? ' ●' : ' ';
+    return (_jsxs(Text, { children: [_jsxs(Text, { color: isSelected ? 'cyan' : undefined, bold: isSelected, children: [indicator, padded] }), _jsx(Text, { color: isCurrent ? 'green' : undefined, children: currentMarker }), _jsx(Text, { dimColor: true, children: ` ${hint}` })] }));
+}
+//# sourceMappingURL=permissions-picker.js.map

package/dist/tui/render.js

@@ -2,6 +2,7 @@ import React from 'react';
 import { render } from 'ink';
 import { DeviceFlow } from './device-flow.js';
 import { LoginPicker } from './login-picker.js';
+import { PermissionsPicker } from './permissions-picker.js';
 import { Splash } from './splash.js';
 import { collectSplashData } from './splash-data.js';
 /**
@@ -25,7 +26,7 @@ export async function renderSplash(cliVersion) {
  * Sentinel thrown when the user dismisses the login picker via Esc
  * or `q`. The CLI dispatcher catches it, prints a one-line abort
  * message, and exits 130 (the standard exit code for SIGINT-style
- * user cancellations — matches gh CLI, codex, claude-code).
+ * user cancellations — matches gh CLI and peer CLIs).
  */
 export class LoginCancelledError extends Error {
     constructor() {
@@ -66,6 +67,40 @@ export function renderLoginPicker(apiUrl) {
         }));
     });
 }
+/**
+ * Sentinel thrown when the operator dismisses the permissions picker
+ * via Esc / q. Mirrors `LoginCancelledError` — the host catches and
+ * prints a one-line abort message; no mode flip lands.
+ */
+export class PermissionsPickerCancelledError extends Error {
+    constructor() {
+        super('Permissions picker cancelled');
+        this.name = 'PermissionsPickerCancelledError';
+    }
+}
+export function renderPermissionsPicker(options) {
+    return new Promise((resolveMode, rejectMode) => {
+        let settled = false;
+        const finish = (cb) => {
+            if (settled)
+                return;
+            settled = true;
+            instance.unmount();
+            setImmediate(cb);
+        };
+        const instance = render(React.createElement(PermissionsPicker, {
+            currentMode: options.currentMode,
+            sourceLabel: options.sourceLabel,
+            firstRun: options.firstRun ?? false,
+            onSelect: (mode) => {
+                finish(() => resolveMode(mode));
+            },
+            onCancel: () => {
+                finish(() => rejectMode(new PermissionsPickerCancelledError()));
+            },
+        }));
+    });
+}
 /**
  * Mount `<DeviceFlow />` on a TTY and return a handle the host uses to
  * drive the frame. Mirrors `renderLoginPicker`'s lifecycle: we

package/dist/tui/repl-render.js

@@ -1,29 +1,35 @@
 /**
- * Production REPL mount + transport - Sprint α5.7.
+ * Production REPL mount + transport - Sprint .
  *
  * Owns the Ink mount lifecycle for `<Repl />` and wires the real
  * fetch + SSE transport. The CLI dispatcher in `runtime/cli.ts` calls
  * `renderRepl` on the bare-`pugi` path when stdin / stdout are TTYs.
  *
  * The transport speaks to admin-api:
- *   POST /api/pugi/sessions             → { sessionId }
- *   POST /api/pugi/sessions/:id/brief   → { dispatchId }
- *   POST /api/pugi/sessions/:id/stop    → { stopped }
- *   GET  /api/pugi/sessions/:id/stream  → text/event-stream
+ *  POST /api/pugi/sessions            → { sessionId }
+ *  POST /api/pugi/sessions/:id/brief  → { dispatchId }
+ *  POST /api/pugi/sessions/:id/stop   → { stopped }
+ *  GET /api/pugi/sessions/:id/stream → text/event-stream
  *
  * SSE is parsed client-side from a streaming fetch response - Node 22
  * native fetch returns a WHATWG `ReadableStream` which we feed through
  * a tiny `event:`/`data:`/`id:` parser. This keeps the dependency
  * graph at zero new packages.
  */
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
 import React from 'react';
 import { render } from 'ink';
 import { Repl } from './repl.js';
 import { printPugMascotPreInk } from './repl-splash-mascot.js';
+import { collectWelcomeData } from './welcome-data.js';
+import { ThemeProvider } from '../core/theme/context.js';
+import { resolveTheme } from '../core/theme/state.js';
 import { ReplSession, } from '../core/repl/session.js';
 import { resolveWorkspaceContext } from '../core/repl/workspace-context.js';
 import { SqliteSessionStore } from '../core/repl/store/index.js';
 import { slugForCwd } from '../core/repl/history.js';
+import { loadSettings } from '../core/settings.js';
 import { WorkingSet, buildRepoSkeleton, loadPugiIgnore, PugiWatcher, } from '../core/context/index.js';
 /**
  * Mount the REPL and resolve when the user exits via Ctrl+C × 2 or
@@ -31,7 +37,7 @@ import { WorkingSet, buildRepoSkeleton, loadPugiIgnore, PugiWatcher, } from '../
  * `pugi resume <sessionId>` once that command exists).
  */
 export async function renderRepl(options) {
-    // beta.9 CEO dogfood 2026-05-26: claim stdin raw mode + alt-screen
+    // beta.9 CEO dogfood: claim stdin raw mode + alt-screen
     // BEFORE any async bootstrap step so keystrokes typed during the
     // [launch -> Ink mount] window cannot echo into the terminal in
     // cooked mode. Previously openLocalStore (SQLite open) +
@@ -41,7 +47,7 @@ export async function renderRepl(options) {
     // every typed character literally onto the screen below the
     // pre-printed mascot/header. The visible result was the operator's
     // "ssssss" landing on the rendered status-bar bottom row (CEO
-    // screenshot 2026-05-26: beta.8 REPL bug 2).
+    // screenshot: beta.8 REPL bug 2).
     //
     // The claim is idempotent with Ink's own raw-mode enable: Ink
     // ref-counts setRawMode calls, and Node's stdin.setRawMode is
@@ -50,13 +56,67 @@ export async function renderRepl(options) {
     // top, and our finally{} restore drops the floor only after Ink
     // has cleanly torn down (or never mounted on a bootstrap crash).
     const bootstrap = claimTerminalForRepl();
+    // beta.13 auto-init wire (CEO dogfood): scaffold the
+    // `.pugi/` workspace silently on REPL boot so launching `pugi` in a
+    // fresh cwd no longer demands an explicit `pugi init` round-trip.
+    // Idempotent — every helper inside scaffoldPugiWorkspace is a
+    // `*_IfMissing` write, so re-running over an existing workspace is
+    // a no-op. Fail-safe: any FS / perms error never blocks REPL launch.
+    // Operator escape hatch: PUGI_NO_AUTO_INIT=1.
+    //
+    // Beta.13 P2 fix: gate the scaffold on project-root markers
+    // so launching `pugi` from `$HOME` / `/tmp` / arbitrary dirs does NOT
+    // sprinkle `.pugi/` directories all over the filesystem. The gate
+    // mirrors `isBoundWorkspace` from workspace-context.ts but also
+    // accepts non-JS roots (Cargo / pyproject / go.mod) because the CLI
+    // is language-agnostic and an operator working in a Rust repo deserves
+    // the same auto-init UX as a Node operator. Already-bound `.pugi/`
+    // dirs also opt back in so the scaffold can fill any missing
+    // sub-artifacts the operator deleted.
+    // `--bare` (PUGI_BARE=1) ALSO suppresses the
+    // auto-init scaffold. Bare mode is the deterministic "fresh install
+    // anywhere" path — no `.pugi/` writes, no PUGI.md scaffold, no
+    // settings.json seed. The pre-existing PUGI_NO_AUTO_INIT escape
+    // hatch stays — bare mode just unions with it.
+    const { isBareMode } = await import('../core/bare-mode/index.js');
+    if (process.env.PUGI_NO_AUTO_INIT !== '1' &&
+        !isBareMode() &&
+        isProjectRoot(process.cwd())) {
+        try {
+            const { scaffoldPugiWorkspace } = await import('../runtime/cli.js');
+            await scaffoldPugiWorkspace({
+                cwd: process.cwd(),
+                noDefaults: true,
+                log: () => {
+                    /* silent — never leak scaffold progress into the REPL alt-screen */
+                },
+            });
+        }
+        catch (err) {
+            // Fail-safe: read-only FS or perms error never blocks REPL launch.
+            // Beta.13 P2 fix: bare-catch swallowed the diagnostic;
+            // surface it on stderr under PUGI_DEBUG=1 so operator-triage on
+            // "why isn't .pugi/ being created?" has a starting point without
+            // having to re-instrument the bootstrap.
+            if (process.env.PUGI_DEBUG === '1') {
+                const msg = err instanceof Error ? err.message : String(err);
+                process.stderr.write(`[pugi-debug] auto-init failed: ${msg}\n`);
+            }
+        }
+    }
     const transport = createProductionTransport();
-    // Auto-bind the workspace context from process.cwd() so Mira knows
+    // Auto-bind the workspace context from process.cwd() so Pugi knows
     // which repo the operator launched the CLI in. The resolver is
     // best-effort — any FS error falls back to a basename-only summary,
-    // never blocks REPL launch. Wave 4 fix 2026-05-25.
+    // never blocks REPL launch. fix.
     const workspace = options.workspace ?? resolveWorkspaceContext(process.cwd());
-    // α6.4: open the local SessionStore for `/resume` persistence. The
+    // Beta.13 P1 fix: read `ui.cyberZoo` from
+    // `.pugi/settings.json` so the operator's splash posture flows to
+    // admin-api on session open. Without this, the renderer's `cyberZoo`
+    // parameter (added beta.13) was always defaulted to 'on' regardless
+    // of the operator's actual setting.
+    const cyberZoo = readCyberZooSetting(process.cwd());
+    // : open the local SessionStore for `/resume` persistence. The
     // store lives under `~/.pugi/projects/<slug>/`; failure is fail-safe
     // — we log a one-line warning to stderr and continue with the REPL
     // in memory-only mode. Lock-busy errors get the friendliest message
@@ -68,7 +128,7 @@ export async function renderRepl(options) {
         workspaceRoot: process.cwd(),
         resumeLocalSessionId: options.resumeLocalSessionId,
     });
-    // α6.5 three-tier context bootstrap. The skeleton + working set
+    // three-tier context bootstrap. The skeleton + working set
     // + watcher are local-first and best-effort: every step is wrapped
     // in try/catch so an unreadable workspace never blocks REPL launch.
     // Opt-out via PUGI_DISABLE_CONTEXT=1 for hermetic test runs.
@@ -83,6 +143,7 @@ export async function renderRepl(options) {
         cliVersion: options.cliVersion,
         transport,
         workspace,
+        cyberZoo,
         store,
         localSessionId: openedSessionId,
         repoSkeleton: skeleton,
@@ -113,7 +174,7 @@ export async function renderRepl(options) {
     // typed it after the REPL became interactive. Idempotent: no-op
     // when stdin is not a TTY or no bytes were buffered.
     drainBufferedStdin(process.stdin);
-    // α6.14.2 wave 5: paint the chafa-baked brand-pug ANSI render to
+    // wave 5: paint the chafa-baked brand-pug ANSI render to
     // stdout BEFORE Ink mounts (but AFTER alt-screen enter). Ink's
     // layout engine would mis-measure the truecolor escape sequences,
     // so the pug must land verbatim. The flag is passed into <Repl />
@@ -123,13 +184,45 @@ export async function renderRepl(options) {
     // (operator opted out via --no-splash), we suppress the pre-print
     // too so the boot stays silent.
     const mascotPrePrinted = options.skipSplash === true ? false : printPugMascotPreInk(process.stdout);
-    const instance = render(React.createElement(Repl, {
+    // resolve the active theme ONCE at mount
+    // and wrap `<Repl />` in `<ThemeProvider>` so every Ink consumer
+    // (`<Header>`, `<DoctorTable>`, `<StyleTable>`, `<ThemeTable>`,
+    // …) picks up the same color tokens. The provider is stable for
+    // the lifetime of the REPL — operator `/theme <name>` writes to
+    // disk + appends a system line, and the next `pugi` launch re-
+    // mounts with the new slug. Re-mounting mid-session would race
+    // against Ink's raw-mode handler so we deliberately keep the
+    // session-lifetime contract instead of polling the config file.
+    const resolvedTheme = resolveTheme({
+        workspaceRoot: process.cwd(),
+        env: process.env,
+    });
+    // CEO P0 #2 : collect welcome banner data BEFORE Ink
+    // mounts so the banner paints on the first frame instead of swapping
+    // in mid-render. The collector swallows every IO error so а missing
+    // CHANGELOG / unreadable credential / malformed settings never
+    // blocks the boot.
+    let welcomeData;
+    if (options.skipSplash !== true) {
+        try {
+            welcomeData = collectWelcomeData({
+                cliVersion: options.cliVersion,
+                cwd: process.cwd(),
+            });
+        }
+        catch {
+            welcomeData = undefined;
+        }
+    }
+    const instance = render(React.createElement(ThemeProvider, { slug: resolvedTheme.slug }, React.createElement(Repl, {
         session,
         updateBanner: options.updateBanner ?? null,
         skipSplash: options.skipSplash === true,
         hideToolStream: options.hideToolStream === true,
         mascotPrePrinted,
-    }));
+        welcomeData,
+        autoInitStatus: options.autoInitStatus ?? null,
+    })));
     // Make sure we leave the alt screen on abrupt exits too. Without
     // this the operator's shell stays "frozen" on the Pugi splash.
     process.once('exit', bootstrap.restore);
@@ -242,6 +335,55 @@ export function drainBufferedStdin(stdin = process.stdin) {
         return 0;
     }
 }
+/**
+ * Project-root probe — beta.13 P2 fix.
+ *
+ * Beta.13 auto-init was unconditional and silently created `.pugi/` in
+ * every cwd the REPL was launched from, including `$HOME` and `/tmp`.
+ * Operators who ran `pugi` to ask a quick question outside of any
+ * project ended up with stray `.pugi/` directories polluting their
+ * filesystem. The gate looks for any of six project-root markers
+ * before scaffolding:
+ *
+ *  - `package.json`    — JS / TS workspaces
+ *  - `.git`            — any cloned repo regardless of language
+ *  - `.pugi`           — already-bound Pugi workspace (re-scaffold
+ *                         fills any missing artifacts the operator
+ *                         deleted, idempotent over existing files)
+ *  - `Cargo.toml`      — Rust crates
+ *  - `pyproject.toml`  — Python projects (PEP 518)
+ *  - `go.mod`          — Go modules
+ *
+ * The probe is six cheap `existsSync` calls; the cost is negligible
+ * compared with the alt-screen + Ink mount that follows. Exported so a
+ * future unit spec can lock the contract.
+ */
+export function isProjectRoot(cwd) {
+    // ESM static imports — `require()` is not defined in a `"type": "module"`
+    // bundle and would throw `ReferenceError: require is not defined` the
+    // moment the REPL bootstrap calls this gate. Beta.16 P0 fix.
+    return (existsSync(resolve(cwd, 'package.json')) ||
+        existsSync(resolve(cwd, '.git')) ||
+        existsSync(resolve(cwd, '.pugi')) ||
+        existsSync(resolve(cwd, 'Cargo.toml')) ||
+        existsSync(resolve(cwd, 'pyproject.toml')) ||
+        existsSync(resolve(cwd, 'go.mod')));
+}
+/**
+ * Read the operator's cyber-zoo posture from `.pugi/settings.json`.
+ * Best-effort: when the file is missing / malformed, fall through to
+ * the historical 'on' default so the REPL never refuses to launch on
+ * a settings error. Beta.13 P1 fix.
+ */
+function readCyberZooSetting(cwd) {
+    try {
+        const settings = loadSettings(cwd);
+        return settings.ui?.cyberZoo ?? 'on';
+    }
+    catch {
+        return 'on';
+    }
+}
 /**
  * Open the local SessionStore for the REPL bootstrap. Returns
  * `{ store: null, openedSessionId: undefined }` on any error so the
@@ -279,11 +421,11 @@ async function openLocalStore(input) {
     }
 }
 /**
- * Bootstrap the α6.5 three-tier context primitives:
+ * Bootstrap the three-tier context primitives:
  *
- *   - Tier 0: `RepoSkeleton` (~5KB ASCII tree + meta) for prompt injection.
- *   - Tier 1: `WorkingSet` LRU bounded at 50 entries.
- *   - Filewatch: chokidar started against cwd, ignore-filtered.
+ *  - Tier 0: `RepoSkeleton` (~5KB ASCII tree + meta) for prompt injection.
+ *  - Tier 1: `WorkingSet` LRU bounded at 50 entries.
+ *  - Filewatch: chokidar started against cwd, ignore-filtered.
  *
  * The bootstrap is fail-safe: every primitive is wrapped so the REPL
  * still launches when (e.g.) chokidar refuses to start on a
@@ -331,15 +473,22 @@ async function bootstrapContext(input) {
     return { skeleton, workingSet, watcher };
 }
 /* ------------------------------------------------------------------ */
-/* Production transport                                               */
+/* Production transport                                              */
 /* ------------------------------------------------------------------ */
 export function createProductionTransport() {
     return {
-        async createSession({ apiUrl, apiKey, workspace }) {
+        async createSession({ apiUrl, apiKey, workspace, cyberZoo }) {
             // Forward the workspace bundle in the POST body so admin-api can
-            // surface `<workspace-context>` in Mira's prompt. Older admin-api
+            // surface `<workspace-context>` in Pugi's prompt. Older admin-api
             // builds ignore unknown fields, so this stays forward-compatible.
-            // Wave 4 fix 2026-05-25.
+            // fix.
+            //
+            // Beta.13 P1 fix: also forward `cyberZoo` so admin-api
+            // can render Pugi's `<cyber-zoo>` marker matching the operator's
+            // `.pugi/settings.json::ui.cyberZoo` toggle instead of the
+            // historical 'on' default. Only included on the wire when set
+            // explicitly so a missing setting still survives older admin-api
+            // builds that do not declare the DTO field.
             const body = {};
             if (workspace?.workspaceCwd)
                 body.workspaceCwd = workspace.workspaceCwd;
@@ -347,6 +496,8 @@ export function createProductionTransport() {
                 body.workspaceSlug = workspace.workspaceSlug;
             if (workspace?.workspaceSummary)
                 body.workspaceSummary = workspace.workspaceSummary;
+            if (cyberZoo === 'on' || cyberZoo === 'off')
+                body.cyberZoo = cyberZoo;
             const response = await fetch(joinUrl(apiUrl, '/api/pugi/sessions'), {
                 method: 'POST',
                 headers: jsonHeaders(apiKey),
@@ -392,7 +543,7 @@ export function createProductionTransport() {
             if (lastEventId) {
                 headers['Last-Event-ID'] = lastEventId;
             }
-            // beta.9 CEO dogfood 2026-05-26: hard timeout on the SSE
+            // beta.9 CEO dogfood: hard timeout on the SSE
             // handshake so a CDN/proxy that buffers the response (or an
             // admin-api that accepted the route but never flushed headers)
             // cannot freeze the REPL in `connecting` forever. The 5s budget
@@ -468,7 +619,7 @@ export function createProductionTransport() {
     };
 }
 /* ------------------------------------------------------------------ */
-/* SSE parser                                                         */
+/* SSE parser                                                        */
 /* ------------------------------------------------------------------ */
 /**
  * Minimal SSE parser. Reads a UTF-8 stream of `id:` / `event:` / `data:`
@@ -532,7 +683,7 @@ async function consumeSseStream(body, onEvent) {
     }
 }
 /* ------------------------------------------------------------------ */
-/* Small helpers                                                      */
+/* Small helpers                                                     */
 /* ------------------------------------------------------------------ */
 function jsonHeaders(apiKey) {
     return {

package/dist/tui/repl-splash-art.js

@@ -1,9 +1,9 @@
 /**
- * ASCII pug mascot for the REPL boot splash (α6.14 wave 3).
+ * ASCII pug mascot for the REPL boot splash .
  *
  * Hand-crafted at 9 rows × 20 columns to read as a pug at a single
  * glance — references the cyber-zoo hero glyph in
- * `apps/clawhost-web/public/brand/hero-pug.png`: blocky pug face with
+ * `apps/console-web/public/brand/hero-pug.png`: blocky pug face with
  * angular ear flaps on either side of the head, forehead crease,
  * angular cyan eyes (`◉`), smushed snout, undershot jaw, and a small
  * cyan circuit chip (`▐■▌`) on the lower-right cheek.
@@ -15,30 +15,30 @@
  * columns cyan (#3DA9FC, brandbook §05).
  *
  * Convention:
- *   - PUG_MASCOT[i]            = one row of the silhouette
- *   - PUG_MASCOT_CYAN_MASK[i]  = parallel boolean array, true => that
- *                                column renders cyan instead of gray
+ *  - PUG_MASCOT[i]           = one row of the silhouette
+ *  - PUG_MASCOT_CYAN_MASK[i] = parallel boolean array, true => that
+ *                               column renders cyan instead of gray
  *
  * Both arrays MUST stay the same length and each mask row MUST be the
  * same length as the corresponding art row. A unit test enforces this.
  */
 /* eslint-disable no-irregular-whitespace */
 export const PUG_MASCOT = [
-    '   ▄▀▀▀▄▄▄▀▀▀▄    ',
-    '  █▄▄       ▄▄█   ',
-    '  █  ▀▄▄▄▄▄▀  █   ',
-    '  █  ◉     ◉  █   ',
-    '   ▀▄  ▀█▀  ▄▀    ',
-    '     █▀▀▀▀▀█      ',
-    '     █▒▒▒▒▒█ ▐■▌  ',
-    '      ▀▄▄▄▀       ',
-    '        ▀         ',
+    '  ▄▀▀▀▄▄▄▀▀▀▄   ',
+    ' █▄▄      ▄▄█  ',
+    ' █ ▀▄▄▄▄▄▀ █  ',
+    ' █ ◉    ◉ █  ',
+    '  ▀▄ ▀█▀ ▄▀   ',
+    '    █▀▀▀▀▀█     ',
+    '    █▒▒▒▒▒█ ▐■▌ ',
+    '     ▀▄▄▄▀      ',
+    '       ▀        ',
 ];
 /**
  * Cyan accents are derived from the source characters so the art file
  * stays the single source of truth. Two glyph classes get colored:
- *   - `◉`     -> the two cyan eyes on row 3
- *   - `▐■▌`   -> the cyan chip cluster on row 6 (right cheek)
+ *  - `◉`    -> the two cyan eyes on row 3
+ *  - `▐■▌`  -> the cyan chip cluster on row 6 (right cheek)
  *
  * Everything else renders gray. The derivation runs at module load,
  * which keeps the mask trivially auditable from the source array.

package/dist/tui/repl-splash-mascot.js

@@ -1,14 +1,14 @@
 /**
- * Chafa-validated brand-pug ANSI loader (α6.14.4 wave 6, mascot regen).
+ * Chafa-validated brand-pug ANSI loader .
  *
- * CEO dogfood 2026-05-25 (first pass, α6.14.2 wave 5): the hand-crafted
+ * CEO dogfood (first pass, wave 5): the hand-crafted
  * 9-row ASCII pug in `repl-splash-art.ts` reads as "точно не похожа" —
  * too abstract to carry the brand at boot. This module loads a pre-baked
  * truecolor ANSI render of the canonical hero-pug PNG (cyber-zoo pug
  * face with cyan eyes + circuit + chip) so the splash matches the brand
  * glyph the operator already sees on pugi.io.
  *
- * CEO dogfood 2026-05-25 (α6.14.4): the first chafa bake at 32x16 still
+ * CEO dogfood : the first chafa bake at 32x16 still
  * read as "monitor on stand", not pug — too few rows to resolve the
  * snout / eyes / wrinkles. The vertical resolution was the bottleneck:
  * 16 char rows ≈ 16 pixel rows with the block symbol set. The fresh
@@ -21,9 +21,9 @@
  * gates at 100KB so we stay well under cap.
  *
  * Generation (operator-side, one-shot):
- *   chafa --size 80x40 --symbols=vhalf --colors=full \
- *     apps/clawhost-web/public/brand/hero-pug.png \
- *     > apps/pugi-cli/assets/pugi-mascot.ansi
+ *  chafa --size 80x40 --symbols=vhalf --colors=full \
+ *    apps/console-web/public/brand/hero-pug.png \
+ *    > apps/pugi-cli/assets/pugi-mascot.ansi
  *
  * The output is committed verbatim to the repo and shipped inside the
  * `@pugi/cli` npm tarball under `assets/pugi-mascot.ansi` (the
@@ -33,7 +33,7 @@
  * corruption, dev cwd drift), the splash falls back to the hand-crafted
  * `PUG_MASCOT` art so the boot never crashes.
  *
- * The pre-Ink write convention mirrors the Claude Code Chrome plugin
+ * The pre-Ink write convention mirrors the the upstream tool Chrome plugin
  * splash pattern: raw bytes go to `process.stdout` BEFORE the Ink
  * render mount, so the terminal interprets the truecolor escapes
  * directly instead of Ink trying to layout-engine over them.
@@ -48,9 +48,21 @@ import { fileURLToPath } from 'node:url';
  * — two directory hops up from this file. In a local `pnpm dev`
  * checkout the structure is the same (`src/tui/` ⇒ `../../assets/`)
  * because tsx re-resolves the same relative tree.
+ *
+ * CEO P0 #2 — banner mascot bake. The prozr2 portrait is
+ * the canonical brand-pug glyph from `apps/console-web/public/brand/
+ * Pugi-prozr2.png`, baked к а 16x8 vhalf truecolor render. We prefer
+ * the prozr2 bake when it ships alongside the CLI (small — ~900 bytes,
+ * shaped for the compact welcome-banner left column) and fall back к
+ * the legacy 40KB `pugi-mascot.ansi` (hero-pug 80x40) when prozr2 is
+ * missing — preserves the splash-mascot install surface for any
+ * tarball that predates the bake.
  */
 export function pugMascotAssetPath() {
     const here = dirname(fileURLToPath(import.meta.url));
+    const prozr2 = resolvePath(here, '..', '..', 'assets', 'pugi-prozr2-mascot.ansi');
+    if (existsSync(prozr2))
+        return prozr2;
     return resolvePath(here, '..', '..', 'assets', 'pugi-mascot.ansi');
 }
 /**
@@ -83,27 +95,39 @@ export function loadPugMascotAnsi() {
         if (!raw || raw.length === 0)
             return null;
         // 1. Drop OSC sequences. Two terminator forms:
-        //      ESC ] ... BEL          (0x1b 0x5d ... 0x07)
-        //      ESC ] ... ESC \        (0x1b 0x5d ... 0x1b 0x5c, the ST form)
-        //    A truecolor splash never needs OSC (those are for window title,
-        //    icon, clipboard, hyperlinks, color-palette change). Drop them
-        //    so a corrupted asset cannot rename the operator's terminal tab
-        //    or smuggle a hyperlink into the splash region.
-        // 2. Drop CSI ? <mode> [hl] for mouse-tracking and screen-buffer
-        //    switch modes (1000, 1001, 1002, 1003, 1004, 1005, 1006, 1015,
-        //    1049, 47, 1047, 1048). These would either start swallowing
-        //    mouse input or flip the terminal into the alternate screen.
+        //     ESC ] ... BEL         (0x1b 0x5d ... 0x07)
+        //     ESC ] ... ESC \       (0x1b 0x5d ... 0x1b 0x5c, the ST form)
+        //   A truecolor splash never needs OSC (those are for window title,
+        //   icon, clipboard, hyperlinks, color-palette change). Drop them
+        //   so a corrupted asset cannot rename the operator's terminal tab
+        //   or smuggle a hyperlink into the splash region.
+        // 2. Drop ALL CSI ? <numbers and semicolons> [lh] (DEC private-mode
+        //   set / reset). The legitimate chafa output for a splash is
+        //   truecolor SGR (`CSI 38;2;R;G;B m`) plus cursor-positioning —
+        //   no private-mode toggle ever appears там legitimately. A
+        //   permissive deny-all pattern covers every disruptive private
+        //   mode in one regex:
+        //     - cursor visibility (25)
+        //     - alt-screen buffer (47, 1047, 1048, 1049)
+        //     - mouse tracking    (1000, 1001, 1002, 1003, 1004, 1005, 1006, 1015)
+        //     - bracketed paste   (2004)
+        //     - focus reporting   (1004)
+        //     - multi-mode forms  (e.g. `CSI ? 47 ; 1049 h` — legal per
+        //       xterm ctlseqs but missed by the previous single-mode regex)
+        //     - any future private mode a corrupt asset might emit
+        //   Allowlisting the modes the splash needs is impossible because
+        //   the splash needs ZERO of them — chafa renders glyph-by-glyph,
+        //   not via private-mode toggles. A pure deny-all is strictly
+        //   safer than enumerating known-bad modes one-by-one.
         // 3. Drop CSI 6 n (cursor-position report). Would inject a fake
-        //    CPR into the operator's stdin stream.
+        //   CPR into the operator's stdin stream.
         // 4. Drop CSI [23]J / CSI [23]K (full screen / line clear). A
-        //    chafa render uses cursor-positioning per row, not bulk
-        //    erases; bulk clears would wipe whatever the operator already
-        //    had on screen above the splash.
-        // The cursor-hide/show wrappers (CSI ? 25 [lh]) are handled by
-        // the same CSI-?-mode pattern as the mouse / alt-screen modes.
+        //   chafa render uses cursor-positioning per row, not bulk
+        //   erases; bulk clears would wipe whatever the operator already
+        //   had on screen above the splash.
         const stripped = raw
             .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '')
-            .replace(/\x1b\[\?(?:25|47|1000|1001|1002|1003|1004|1005|1006|1015|1047|1048|1049)[lh]/g, '')
+            .replace(/\x1b\[\?[0-9;]+[lh]/g, '')
             .replace(/\x1b\[6n/g, '')
             .replace(/\x1b\[[23]?[JK]/g, '');
         if (stripped.trim().length === 0)