npm - @shakecodeslikecray/whiterose - Versions diffs - 0.1.0 → 0.2.2 - Mend

@shakecodeslikecray/whiterose 0.1.0 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ import { existsSync, mkdirSync, writeFileSync, readdirSync, readFileSync, statSy
 import { join, isAbsolute, resolve, basename, relative, dirname } from 'path';
 import { execa } from 'execa';
 import { homedir, tmpdir } from 'os';
+import { spawn } from 'child_process';
 import { z } from 'zod';
 import fg3 from 'fast-glob';
 import { createHash } from 'crypto';
@@ -14,6 +15,7 @@ import { render, useApp, useInput, Box, Text } from 'ink';
 import { useState, useEffect } from 'react';
 import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
 import Spinner from 'ink-spinner';
+import * as readline from 'readline';
 var providerChecks = [
   {
@@ -583,7 +585,7 @@ var ClaudeCodeProvider = class {
   // Agentic Prompts
   // ─────────────────────────────────────────────────────────────
   buildAgenticAnalysisPrompt(understanding) {
-    return `You are whiterose, an expert bug hunter. Your task is to explore this codebase and find real bugs.
+    return `You are whiterose, an expert bug hunter. Your task is to explore this codebase and find REAL bugs.
 CODEBASE CONTEXT:
 - Type: ${understanding.summary.type}
@@ -600,66 +602,78 @@ YOUR TASK:
    - Edge cases (empty arrays, zero values, boundaries)
    - Resource leaks (unclosed connections)
+CRITICAL - INLINE VALIDATION:
+Before reporting ANY bug, you MUST try to DISPROVE it:
+1. Check if there's a guard/validation that prevents the issue
+2. Check if the type system guarantees safety
+3. Check if framework behavior handles this case
+4. Check if the code path is actually reachable
+5. Only report the bug if you CANNOT disprove it
 PROTOCOL - You MUST output these markers:
-- Before reading each file, output: ${MARKERS.SCANNING}<filepath>
-- When you find a bug, output: ${MARKERS.BUG}<json>
+- When reading a file, output: ${MARKERS.SCANNING}<filepath>
+- When you find a VALIDATED bug, output: ${MARKERS.BUG}<json>
 - When completely done, output: ${MARKERS.COMPLETE}
 - If you encounter an error, output: ${MARKERS.ERROR}<message>
-BUG JSON FORMAT:
-${MARKERS.BUG}{"file":"src/api/users.ts","line":42,"title":"Null dereference in getUserById","description":"...","severity":"high","category":"null-reference","evidence":["..."],"suggestedFix":"..."}
+BUG JSON FORMAT (only after validation):
+${MARKERS.BUG}{"file":"src/api/users.ts","line":42,"title":"Null dereference in getUserById","description":"...","severity":"high","category":"null-reference","confidence":"high","evidence":["line of code","why it's reachable"],"validationNotes":"Checked for guards - none found. Type allows null.","suggestedFix":"..."}
+SEVERITY GUIDE:
+- critical: Security vulnerabilities, data loss, crashes in production
+- high: Bugs that will definitely cause issues for users
+- medium: Edge cases that may cause issues under certain conditions
+- low: Minor issues, potential improvements
 IMPORTANT:
-- Only report bugs you have HIGH confidence in
-- Include exact line numbers
-- Focus on real bugs, not style issues
-- Explore systematically - check API routes, data handling, auth flows
+- Do NOT report style issues or potential improvements
+- Do NOT report bugs you haven't validated
+- Include EXACT line numbers from the files you read
+- Include validation notes explaining why the bug is real
+- Explore systematically - check entry points, API routes, data flows
-Now explore this codebase and find bugs. Start by reading the main entry points.`;
+Now explore this codebase and find VALIDATED bugs. Start by reading the main entry points.`;
   }
   buildAgenticUnderstandingPrompt(existingDocsSummary) {
     const docsSection = existingDocsSummary ? `
-EXISTING DOCUMENTATION (merge this with your exploration):
+EXISTING DOCUMENTATION:
 ${existingDocsSummary}
 ` : "";
-    return `You are whiterose. Your task is to understand this codebase.
+    return `You are whiterose. Your task is to QUICKLY understand this codebase structure.
 ${docsSection}
-YOUR TASK:
-1. Review the existing documentation above (if any)
-2. Explore the codebase structure to fill in gaps
-3. Read key files (main entry points, config files, core modules)
-4. Build a comprehensive understanding merging docs + code exploration
-5. Identify main features, business rules, and behavioral contracts
+YOUR TASK (be fast, read only key files):
+1. Read package.json or similar config to understand the project type
+2. Read the main entry point (index.ts, main.ts, app.ts, etc.)
+3. Skim 2-3 core files to understand the architecture
+4. Output your understanding - don't over-explore
 PROTOCOL - You MUST output these markers:
-- Before reading each file, output: ${MARKERS.SCANNING}<filepath>
-- When you have full understanding, output: ${MARKERS.UNDERSTANDING}<json>
-- When completely done, output: ${MARKERS.COMPLETE}
+- When reading a file, output: ${MARKERS.SCANNING}<filepath>
+- When you have understanding, output: ${MARKERS.UNDERSTANDING}<json>
+- When done, output: ${MARKERS.COMPLETE}
 UNDERSTANDING JSON FORMAT:
 ${MARKERS.UNDERSTANDING}{
   "summary": {
-    "type": "api|web-app|cli|library|etc",
-    "framework": "next.js|express|react|etc",
+    "type": "api|web-app|cli|library|monorepo",
+    "framework": "next.js|express|react|fastify|none",
     "language": "typescript|javascript",
-    "description": "2-3 sentence description"
+    "description": "1-2 sentence description of what this project does"
   },
   "features": [
-    {"name": "Feature", "description": "What it does", "priority": "critical|high|medium|low", "constraints": ["business rule 1", "invariant 2"], "relatedFiles": ["path/to/file.ts"]}
+    {"name": "Feature Name", "description": "Brief description", "priority": "critical|high|medium|low", "relatedFiles": ["path/to/file.ts"]}
   ],
-  "contracts": [
-    {"function": "functionName", "file": "path/to/file.ts", "inputs": [], "outputs": {}, "invariants": ["must do X before Y"], "sideEffects": [], "throws": []}
-  ]
+  "contracts": []
 }
 IMPORTANT:
-- Merge existing documentation with what you discover in the code
-- Focus on business rules and invariants (what MUST be true)
-- Identify critical paths (checkout, auth, payments, etc.)
-- Document behavioral contracts for important functions
+- Be FAST - read 3-5 files max
+- Focus on WHAT the project does, not implementation details
+- Identify the main features/capabilities
+- Don't deep-dive into every file
-Now explore this codebase and build understanding.`;
+Now QUICKLY understand this codebase.`;
   }
   buildAdversarialPrompt(bug, fileContent) {
     return `You are a skeptical code reviewer. Try to DISPROVE this bug report.
@@ -688,26 +702,37 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
   // Claude CLI Execution (Agentic Mode)
   // ─────────────────────────────────────────────────────────────
   async runAgenticClaude(prompt, cwd, callbacks) {
+    this.streamBuffer = "";
+    this.fullResponseBuffer = "";
     const claudeCommand = getProviderCommand("claude-code");
-    const args = ["--verbose", "-p", prompt];
-    if (this.unsafeMode) {
-      args.unshift("--dangerously-skip-permissions");
-    }
-    this.currentProcess = execa(
-      claudeCommand,
-      args,
-      {
-        cwd,
-        env: {
-          ...process.env,
-          NO_COLOR: "1"
-        },
-        reject: false
+    const args = [
+      "-p",
+      prompt,
+      "--output-format",
+      "stream-json",
+      "--verbose"
+    ];
+    args.push("--dangerously-skip-permissions");
+    this.currentProcess = spawn(claudeCommand, args, {
+      cwd,
+      env: {
+        ...process.env,
+        NO_COLOR: "1"
+      },
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let lastActivity = Date.now();
+    const heartbeat = setInterval(() => {
+      const elapsed = Math.floor((Date.now() - lastActivity) / 1e3);
+      if (elapsed > 10) {
+        this.reportProgress(`Analyzing... (${elapsed}s since last update)`);
       }
-    );
+    }, 5e3);
     let buffer = "";
     this.currentProcess.stdout?.on("data", (chunk) => {
-      buffer += chunk.toString();
+      lastActivity = Date.now();
+      const text3 = chunk.toString();
+      buffer += text3;
       const lines = buffer.split("\n");
       buffer = lines.pop() || "";
       for (const line of lines) {
@@ -715,17 +740,95 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
       }
     });
     this.currentProcess.stderr?.on("data", (chunk) => {
+      lastActivity = Date.now();
       const text3 = chunk.toString().trim();
-      if (text3 && !text3.includes("Loading")) ;
+      if (text3) {
+        this.reportProgress(`Claude: ${text3.slice(0, 50)}...`);
+      }
+    });
+    await new Promise((resolve5, reject) => {
+      const timeout = setTimeout(() => {
+        this.currentProcess?.kill();
+        reject(new Error("Claude analysis timed out after 5 minutes"));
+      }, 3e5);
+      this.currentProcess?.on("exit", (code) => {
+        clearTimeout(timeout);
+        if (code !== 0 && code !== null) {
+          this.reportProgress(`Claude exited with code ${code}`);
+        }
+        resolve5();
+      });
+      this.currentProcess?.on("error", (err) => {
+        clearTimeout(timeout);
+        reject(err);
+      });
     });
-    await this.currentProcess;
+    clearInterval(heartbeat);
     if (buffer.trim()) {
       this.processAgentOutput(buffer, callbacks);
     }
+    if (this.fullResponseBuffer && callbacks.onUnderstanding) {
+      this.tryExtractUnderstandingJson(this.fullResponseBuffer, callbacks);
+    }
     this.currentProcess = void 0;
   }
   processAgentOutput(line, callbacks) {
     const trimmed = line.trim();
+    if (!trimmed) return;
+    try {
+      const event = JSON.parse(trimmed);
+      if (event.type === "system") {
+        this.reportProgress("Claude initialized...");
+      } else if (event.type === "stream_event") {
+        const innerEvent = event.event;
+        if (innerEvent?.type === "content_block_delta") {
+          const text3 = innerEvent.delta?.text;
+          if (text3) {
+            this.processTextContent(text3, callbacks);
+          }
+        } else if (innerEvent?.type === "content_block_start") {
+          if (innerEvent.content_block?.type === "tool_use") {
+            const toolName = innerEvent.content_block.name || "tool";
+            this.reportProgress(`Using ${toolName}...`);
+          }
+        }
+      } else if (event.type === "assistant") {
+        const content = event.message?.content || [];
+        for (const item of content) {
+          if (item.type === "text" && item.text) {
+            this.processTextContent(item.text, callbacks);
+          } else if (item.type === "tool_use") {
+            const toolName = item.name || "tool";
+            const input = item.input || {};
+            if (toolName === "Read" && input.file_path) {
+              callbacks.onScanning?.(input.file_path);
+              this.reportProgress(`Reading: ${input.file_path.split("/").pop()}`);
+            } else if (toolName === "Glob" || toolName === "Grep") {
+              this.reportProgress(`Searching: ${input.pattern || "..."}`);
+            } else {
+              this.reportProgress(`Using ${toolName}...`);
+            }
+          }
+        }
+      } else if (event.type === "user") {
+        if (event.tool_use_result) {
+          const numFiles = event.tool_use_result.numFiles;
+          if (numFiles) {
+            this.reportProgress(`Found ${numFiles} files...`);
+          }
+        }
+      } else if (event.type === "result") {
+        if (event.result) {
+          this.processTextContent(event.result, callbacks);
+          this.tryExtractUnderstandingJson(event.result, callbacks);
+        }
+        callbacks.onComplete?.();
+      } else if (event.type === "error") {
+        callbacks.onError?.(event.error || event.message || "Unknown error");
+      }
+      return;
+    } catch {
+    }
     if (trimmed.startsWith(MARKERS.SCANNING)) {
       const file = trimmed.slice(MARKERS.SCANNING.length).trim();
       callbacks.onScanning?.(file);
@@ -742,6 +845,77 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
       callbacks.onError?.(error);
     }
   }
+  // Accumulated text for marker detection in streaming responses
+  streamBuffer = "";
+  // Full response text for fallback extraction
+  fullResponseBuffer = "";
+  processTextContent(text3, callbacks) {
+    this.streamBuffer += text3;
+    this.fullResponseBuffer += text3;
+    const lines = this.streamBuffer.split("\n");
+    this.streamBuffer = lines.pop() || "";
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith(MARKERS.SCANNING)) {
+        callbacks.onScanning?.(trimmed.slice(MARKERS.SCANNING.length).trim());
+      } else if (trimmed.startsWith(MARKERS.BUG)) {
+        callbacks.onBugFound?.(trimmed.slice(MARKERS.BUG.length).trim());
+      } else if (trimmed.startsWith(MARKERS.UNDERSTANDING)) {
+        callbacks.onUnderstanding?.(trimmed.slice(MARKERS.UNDERSTANDING.length).trim());
+      } else if (trimmed.startsWith(MARKERS.COMPLETE)) {
+        callbacks.onComplete?.();
+      } else if (trimmed.startsWith(MARKERS.ERROR)) {
+        callbacks.onError?.(trimmed.slice(MARKERS.ERROR.length).trim());
+      }
+    }
+  }
+  // Try to extract understanding JSON from text without markers
+  tryExtractUnderstandingJson(text3, callbacks) {
+    const codeBlockMatch = text3.match(/```(?:json)?\s*([\s\S]*?)```/);
+    if (codeBlockMatch) {
+      const jsonStr = codeBlockMatch[1].trim();
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.summary && (parsed.summary.type || parsed.summary.language)) {
+          callbacks.onUnderstanding?.(jsonStr);
+          return;
+        }
+      } catch {
+      }
+    }
+    const candidates = [];
+    let depth = 0;
+    let start = -1;
+    for (let i = 0; i < text3.length; i++) {
+      const char = text3[i];
+      if (char === "{") {
+        if (depth === 0) {
+          start = i;
+        }
+        depth++;
+      } else if (char === "}") {
+        depth--;
+        if (depth === 0 && start !== -1) {
+          const candidate = text3.slice(start, i + 1);
+          if (candidate.includes('"summary"') && candidate.includes('"type"')) {
+            candidates.push(candidate);
+          }
+          start = -1;
+        }
+      }
+    }
+    candidates.sort((a, b) => b.length - a.length);
+    for (const jsonStr of candidates) {
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.summary && (parsed.summary.type || parsed.summary.language)) {
+          callbacks.onUnderstanding?.(jsonStr);
+          return;
+        }
+      } catch {
+      }
+    }
+  }
   // Simple non-agentic mode for short prompts (adversarial validation)
   async runSimpleClaude(prompt, cwd) {
     const claudeCommand = getProviderCommand("claude-code");
@@ -1734,35 +1908,44 @@ async function initCommand(options) {
     process.exit(1);
   }
   p3.intro(chalk.red("whiterose") + chalk.dim(" - initialization"));
-  const providerSpinner = p3.spinner();
-  providerSpinner.start("Detecting available LLM providers...");
-  const availableProviders = await detectProvider();
-  if (availableProviders.length === 0) {
-    providerSpinner.stop("No LLM providers detected");
-    p3.log.error("whiterose requires an LLM provider to function.");
-    p3.log.info("Supported providers: claude-code, aider, codex, opencode");
-    p3.log.info("Install one and ensure it's configured, then run init again.");
-    process.exit(1);
-  }
-  providerSpinner.stop(`Detected providers: ${availableProviders.join(", ")}`);
   let selectedProvider;
-  if (options.skipQuestions) {
-    selectedProvider = availableProviders[0];
-    p3.log.info(`Using ${selectedProvider} as your LLM provider.`);
+  if (options.skipProviderDetection && options.provider) {
+    selectedProvider = options.provider;
   } else {
-    const providerChoice = await p3.select({
-      message: "Which LLM provider should whiterose use?",
-      options: availableProviders.map((prov) => ({
-        value: prov,
-        label: prov,
-        hint: prov === "claude-code" ? "recommended" : void 0
-      }))
-    });
-    if (p3.isCancel(providerChoice)) {
-      p3.cancel("Initialization cancelled.");
-      process.exit(0);
+    const providerSpinner = p3.spinner();
+    providerSpinner.start("Detecting available LLM providers...");
+    const availableProviders = await detectProvider();
+    if (availableProviders.length === 0) {
+      providerSpinner.stop("No LLM providers detected");
+      p3.log.error("whiterose requires an LLM provider to function.");
+      p3.log.info("Supported providers: claude-code, aider, codex, opencode");
+      p3.log.info("Install one and ensure it's configured, then run init again.");
+      process.exit(1);
+    }
+    providerSpinner.stop(`Detected providers: ${availableProviders.join(", ")}`);
+    const passedProvider = options.provider;
+    const isPassedProviderAvailable = availableProviders.includes(passedProvider);
+    if (isPassedProviderAvailable) {
+      selectedProvider = passedProvider;
+      p3.log.info(`Using ${selectedProvider} as your LLM provider.`);
+    } else if (options.skipQuestions) {
+      selectedProvider = availableProviders[0];
+      p3.log.info(`Using ${selectedProvider} as your LLM provider.`);
+    } else {
+      const providerChoice = await p3.select({
+        message: "Which LLM provider should whiterose use?",
+        options: availableProviders.map((prov) => ({
+          value: prov,
+          label: prov,
+          hint: prov === "claude-code" ? "recommended" : void 0
+        }))
+      });
+      if (p3.isCancel(providerChoice)) {
+        p3.cancel("Initialization cancelled.");
+        process.exit(0);
+      }
+      selectedProvider = providerChoice;
     }
-    selectedProvider = providerChoice;
   }
   const verifySpinner = p3.spinner();
   verifySpinner.start("Verifying provider CLI works...");
@@ -1820,10 +2003,6 @@ async function initCommand(options) {
   let understanding;
   try {
     const provider = await getProvider(selectedProvider);
-    if (options.unsafe && "setUnsafeMode" in provider) {
-      provider.setUnsafeMode(true);
-      p3.log.warn("Running in unsafe mode (--unsafe). LLM permission prompts are bypassed.");
-    }
     if ("setProgressCallback" in provider) {
       provider.setProgressCallback((message) => {
         understandingSpinner.message(message);
@@ -2330,10 +2509,10 @@ async function scanCommand(paths, options) {
   if (options.full || paths.length > 0) {
     scanType = "full";
     if (!isQuiet) {
-      const spinner5 = p3.spinner();
-      spinner5.start("Scanning files...");
+      const spinner6 = p3.spinner();
+      spinner6.start("Scanning files...");
       filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
-      spinner5.stop(`Found ${filesToScan.length} files to scan`);
+      spinner6.stop(`Found ${filesToScan.length} files to scan`);
     } else {
       filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
     }
@@ -2364,14 +2543,6 @@ async function scanCommand(paths, options) {
   }
   const providerName = options.provider || config.provider;
   const provider = await getProvider(providerName);
-  if (options.unsafe) {
-    if ("setUnsafeMode" in provider) {
-      provider.setUnsafeMode(true);
-      if (!isQuiet) {
-        p3.log.warn("Running in unsafe mode (--unsafe). LLM permission prompts are bypassed.");
-      }
-    }
-  }
   let bugs;
   if (!isQuiet) {
     const llmSpinner = p3.spinner();
@@ -2408,47 +2579,6 @@ async function scanCommand(paths, options) {
       staticAnalysisResults: staticResults
     });
   }
-  if (options.adversarial && bugs.length > 0) {
-    if (!isQuiet) {
-      const advSpinner = p3.spinner();
-      advSpinner.start("Running adversarial validation...");
-      const validatedBugs = [];
-      for (const bug of bugs) {
-        const result2 = await provider.adversarialValidate(bug, {
-          files: filesToScan,
-          understanding,
-          config,
-          staticAnalysisResults: staticResults
-        });
-        if (result2.survived) {
-          validatedBugs.push({
-            ...bug,
-            confidence: result2.adjustedConfidence || bug.confidence
-          });
-        }
-      }
-      const filtered = bugs.length - validatedBugs.length;
-      advSpinner.stop(`Adversarial validation: ${filtered} false positives filtered`);
-      bugs = validatedBugs;
-    } else {
-      const validatedBugs = [];
-      for (const bug of bugs) {
-        const result2 = await provider.adversarialValidate(bug, {
-          files: filesToScan,
-          understanding,
-          config,
-          staticAnalysisResults: staticResults
-        });
-        if (result2.survived) {
-          validatedBugs.push({
-            ...bug,
-            confidence: result2.adjustedConfidence || bug.confidence
-          });
-        }
-      }
-      bugs = validatedBugs;
-    }
-  }
   const minConfidence = options.minConfidence;
   const confidenceOrder = { high: 3, medium: 2, low: 1 };
   bugs = bugs.filter((bug) => confidenceOrder[bug.confidence.overall] >= confidenceOrder[minConfidence]);
@@ -2481,14 +2611,23 @@ async function scanCommand(paths, options) {
   } else if (options.sarif) {
     console.log(JSON.stringify(outputSarif(result), null, 2));
   } else {
-    if (config.output.sarif) {
-      const sarifPath = join(whiterosePath, "reports", `${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.sarif`);
-      writeFileSync(sarifPath, JSON.stringify(outputSarif(result), null, 2));
-    }
-    if (config.output.markdown) {
-      const markdown = outputMarkdown(result);
-      writeFileSync(join(cwd, config.output.markdownPath), markdown);
+    const outputDir = join(cwd, "whiterose-output");
+    const reportsDir = join(whiterosePath, "reports");
+    const { mkdirSync: mkdirSync2 } = await import('fs');
+    try {
+      mkdirSync2(outputDir, { recursive: true });
+      mkdirSync2(reportsDir, { recursive: true });
+    } catch {
     }
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+    const markdown = outputMarkdown(result);
+    const mdPath = join(outputDir, "bugs.md");
+    writeFileSync(mdPath, markdown);
+    const sarifPath = join(outputDir, "bugs.sarif");
+    writeFileSync(sarifPath, JSON.stringify(outputSarif(result), null, 2));
+    const jsonPath = join(outputDir, "bugs.json");
+    writeFileSync(jsonPath, JSON.stringify(result, null, 2));
+    writeFileSync(join(reportsDir, `${timestamp}.sarif`), JSON.stringify(outputSarif(result), null, 2));
     console.log();
     p3.log.message(chalk.bold("Scan Results"));
     console.log();
@@ -2499,6 +2638,11 @@ async function scanCommand(paths, options) {
     console.log();
     console.log(`  ${chalk.bold("Total:")} ${result.summary.total} bugs found`);
     console.log();
+    p3.log.success("Reports saved:");
+    console.log(`  ${chalk.dim("\u251C")} ${chalk.cyan(mdPath)}`);
+    console.log(`  ${chalk.dim("\u251C")} ${chalk.cyan(sarifPath)}`);
+    console.log(`  ${chalk.dim("\u2514")} ${chalk.cyan(jsonPath)}`);
+    console.log();
     if (result.summary.total > 0) {
       p3.log.info(`Run ${chalk.cyan("whiterose fix")} to fix bugs interactively.`);
     }
@@ -3360,12 +3504,12 @@ function generateDiff(original, fixed, filename) {
   return diff.join("\n");
 }
 async function startFixTUI(bugs, config, options) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve5) => {
     const handleFix = async (bug) => {
       await applyFix(bug, config, options);
     };
     const handleExit = () => {
-      resolve3();
+      resolve5();
     };
     const { unmount, waitUntilExit } = render(
       /* @__PURE__ */ jsx(
@@ -3380,7 +3524,7 @@ async function startFixTUI(bugs, config, options) {
       )
     );
     waitUntilExit().then(() => {
-      resolve3();
+      resolve5();
     });
   });
 }
@@ -3702,21 +3846,21 @@ async function fixSingleBug(bug, config, options) {
     console.log();
   }
   if (!options.dryRun) {
-    const confirm3 = await p3.confirm({
+    const confirm4 = await p3.confirm({
       message: "Apply this fix?",
       initialValue: true
     });
-    if (p3.isCancel(confirm3) || !confirm3) {
+    if (p3.isCancel(confirm4) || !confirm4) {
       p3.cancel("Fix cancelled.");
       process.exit(0);
     }
   }
-  const spinner5 = p3.spinner();
-  spinner5.start(options.dryRun ? "Generating fix preview..." : "Applying fix...");
+  const spinner6 = p3.spinner();
+  spinner6.start(options.dryRun ? "Generating fix preview..." : "Applying fix...");
   try {
     const result = await applyFix(bug, config, options);
     if (result.success) {
-      spinner5.stop(options.dryRun ? "Fix preview generated" : "Fix applied");
+      spinner6.stop(options.dryRun ? "Fix preview generated" : "Fix applied");
       if (result.diff) {
         console.log();
         console.log(chalk.dim("  Changes:"));
@@ -3736,12 +3880,12 @@ async function fixSingleBug(bug, config, options) {
       }
       p3.outro(chalk.green("Fix complete!"));
     } else {
-      spinner5.stop("Fix failed");
+      spinner6.stop("Fix failed");
       p3.log.error(result.error || "Unknown error");
       process.exit(1);
     }
   } catch (error) {
-    spinner5.stop("Fix failed");
+    spinner6.stop("Fix failed");
     p3.log.error(error.message);
     process.exit(1);
   }
@@ -3922,6 +4066,160 @@ async function reportCommand(options) {
     p3.log.success(`Report written to ${options.output}`);
   }
 }
+function getPathCompletions(partial) {
+  try {
+    if (!partial) partial = ".";
+    const resolved = resolve(partial);
+    let dir;
+    let prefix;
+    if (partial.endsWith("/") || existsSync(resolved) && statSync(resolved).isDirectory()) {
+      dir = resolved;
+      prefix = "";
+    } else {
+      dir = dirname(resolved);
+      prefix = basename(partial);
+    }
+    if (!existsSync(dir)) {
+      return [];
+    }
+    const entries = readdirSync(dir, { withFileTypes: true });
+    const matches = entries.filter((entry) => entry.isDirectory()).filter((entry) => entry.name.toLowerCase().startsWith(prefix.toLowerCase())).filter((entry) => !entry.name.startsWith(".") || prefix.startsWith(".")).map((entry) => {
+      if (partial.endsWith("/") || prefix === "") {
+        return partial + entry.name + "/";
+      }
+      const base = partial.slice(0, partial.length - prefix.length);
+      return base + entry.name + "/";
+    }).sort();
+    return matches;
+  } catch {
+    return [];
+  }
+}
+function longestCommonPrefix(strings) {
+  if (strings.length === 0) return "";
+  if (strings.length === 1) return strings[0];
+  let prefix = strings[0];
+  for (let i = 1; i < strings.length; i++) {
+    while (!strings[i].startsWith(prefix)) {
+      prefix = prefix.slice(0, -1);
+      if (prefix === "") return "";
+    }
+  }
+  return prefix;
+}
+function pathInput(options) {
+  return new Promise((resolvePromise) => {
+    const { message, defaultValue = "", validate } = options;
+    const promptText = chalk.cyan("\u25C6") + " " + chalk.bold(message);
+    const hint = defaultValue ? chalk.dim(` (default: ${defaultValue})`) : "";
+    const tabHint = chalk.dim(" [Tab to autocomplete]");
+    process.stdout.write(promptText + hint + tabHint + "\n");
+    process.stdout.write(chalk.cyan("\u2502") + " ");
+    let input = "";
+    let cursorPos = 0;
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(true);
+    }
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+    const redrawLine = () => {
+      readline.clearLine(process.stdout, 0);
+      readline.cursorTo(process.stdout, 0);
+      process.stdout.write(chalk.cyan("\u2502") + " " + input);
+      readline.cursorTo(process.stdout, 2 + cursorPos);
+    };
+    const cleanup = () => {
+      if (process.stdin.isTTY) {
+        process.stdin.setRawMode(false);
+      }
+      process.stdin.pause();
+      process.stdin.removeAllListeners("data");
+    };
+    const finish = (result) => {
+      cleanup();
+      console.log();
+      resolvePromise(result);
+    };
+    process.stdin.on("data", (key) => {
+      const code = key.charCodeAt(0);
+      if (code === 3) {
+        console.log();
+        finish(null);
+        return;
+      }
+      if (code === 13) {
+        const finalPath = input.trim() || defaultValue;
+        if (validate) {
+          const error = validate(finalPath);
+          if (error) {
+            console.log();
+            process.stdout.write(chalk.red("\u2502") + " " + chalk.red(error) + "\n");
+            process.stdout.write(chalk.cyan("\u2502") + " " + input);
+            return;
+          }
+        }
+        finish(finalPath);
+        return;
+      }
+      if (code === 9) {
+        const completions = getPathCompletions(input || ".");
+        if (completions.length === 1) {
+          input = completions[0];
+          cursorPos = input.length;
+          redrawLine();
+        } else if (completions.length > 1) {
+          const common = longestCommonPrefix(completions);
+          if (common.length > input.length) {
+            input = common;
+            cursorPos = input.length;
+            redrawLine();
+          } else {
+            console.log();
+            const maxShow = 10;
+            const shown = completions.slice(0, maxShow);
+            process.stdout.write(chalk.dim("\u2502 ") + shown.map((c) => chalk.cyan(basename(c.slice(0, -1)))).join("  "));
+            if (completions.length > maxShow) {
+              process.stdout.write(chalk.dim(` ... +${completions.length - maxShow} more`));
+            }
+            console.log();
+            process.stdout.write(chalk.cyan("\u2502") + " " + input);
+          }
+        }
+        return;
+      }
+      if (code === 127 || code === 8) {
+        if (cursorPos > 0) {
+          input = input.slice(0, cursorPos - 1) + input.slice(cursorPos);
+          cursorPos--;
+          redrawLine();
+        }
+        return;
+      }
+      if (key === "\x1B[D") {
+        if (cursorPos > 0) {
+          cursorPos--;
+          redrawLine();
+        }
+        return;
+      }
+      if (key === "\x1B[C") {
+        if (cursorPos < input.length) {
+          cursorPos++;
+          redrawLine();
+        }
+        return;
+      }
+      if (key.startsWith("\x1B")) {
+        return;
+      }
+      if (code >= 32 && code < 127) {
+        input = input.slice(0, cursorPos) + key + input.slice(cursorPos);
+        cursorPos++;
+        redrawLine();
+      }
+    });
+  });
+}
 // src/cli/index.ts
 var BANNER = `
@@ -3935,94 +4233,132 @@ ${chalk.red(" \u255A\u2550\u2550\u255D\u255A\u2550\u2550\u255D \u255A\u2550\u255
 ${chalk.dim(`  "I've been staring at your code for a long time."`)}
 `;
 var program = new Command();
-program.name("whiterose").description("AI-powered bug hunter that uses your existing LLM subscription").version("0.1.0").hook("preAction", () => {
+program.name("whiterose").description("AI-powered bug hunter that uses your existing LLM subscription").version("0.2.2").hook("preAction", () => {
   const args = process.argv.slice(2);
   if (!args.includes("--help") && !args.includes("-h") && args.length > 0) {
     console.log(BANNER);
   }
 });
-program.command("init").description("Initialize whiterose for this project (scans codebase, asks questions, generates config)").option("-p, --provider <provider>", "LLM provider to use", "claude-code").option("--skip-questions", "Skip interactive questions, use defaults").option("--force", "Overwrite existing .whiterose directory").option("--unsafe", "Bypass LLM permission prompts (use with caution)").action(initCommand);
-program.command("scan [paths...]").description("Scan for bugs in the codebase").option("-f, --full", "Force full scan (ignore cache)").option("--json", "Output as JSON only").option("--sarif", "Output as SARIF only").option("-p, --provider <provider>", "Override LLM provider").option("-c, --category <categories...>", "Filter by bug categories").option("--min-confidence <level>", "Minimum confidence level to report", "low").option("--no-adversarial", "Skip adversarial validation (faster, less accurate)").option("--unsafe", "Bypass LLM permission prompts (use with caution)").action(scanCommand);
-program.command("fix [bugId]").description("Fix bugs interactively or by ID").option("--dry-run", "Show proposed fixes without applying").option("--branch <name>", "Create fixes in a new branch").option("--sarif <path>", "Load bugs from an external SARIF file").option("--github <url>", "Load bug from a GitHub issue URL").option("--describe", "Manually describe a bug to fix").action(fixCommand);
+program.command("init").description("Initialize whiterose for this project (scans codebase, asks questions, generates config)").option("-p, --provider <provider>", "LLM provider to use", "claude-code").option("--skip-questions", "Skip interactive questions, use defaults").option("--force", "Overwrite existing .whiterose directory").action(initCommand);
+program.command("scan [paths...]").description("Scan for bugs in the codebase (includes inline validation)").option("-f, --full", "Force full scan (ignore cache)").option("--json", "Output as JSON only").option("--sarif", "Output as SARIF only").option("-p, --provider <provider>", "Override LLM provider").option("-c, --category <categories...>", "Filter by bug categories").option("--min-confidence <level>", "Minimum confidence level to report", "low").action(scanCommand);
+program.command("fix [bugId]").description("Fix bugs interactively or by ID").option("--dry-run", "Show proposed fixes without applying").option("--branch <name>", "Create fixes in a new branch").option("--sarif <path>", "Load bugs from an external SARIF file").option("--github <url>", "Load bug from a GitHub issue URL").option("--describe", "Manually describe a bug to fix").option("--unsafe", "Skip all permission prompts (full trust mode)").action(fixCommand);
 program.command("refresh").description("Rebuild codebase understanding from scratch").option("--keep-config", "Keep existing config, only regenerate understanding").action(refreshCommand);
 program.command("status").description("Show whiterose status (cache, last scan, provider)").action(statusCommand);
 program.command("report").description("Generate BUGS.md from last scan").option("-o, --output <path>", "Output path", "BUGS.md").option("--format <format>", "Output format (markdown, sarif, json)", "markdown").action(reportCommand);
-async function showInteractiveMenu() {
+async function showInteractiveWizard() {
   console.log(BANNER);
+  p3.intro(chalk.red("whiterose") + chalk.dim(" - AI Bug Hunter"));
   const cwd = process.cwd();
-  const whiterosePath = join(cwd, ".whiterose");
+  const defaultPath = cwd;
+  const repoPath = await pathInput({
+    message: "Repository path",
+    defaultValue: defaultPath,
+    validate: (value) => {
+      const path = value || defaultPath;
+      if (!existsSync(path)) {
+        return "Directory does not exist";
+      }
+      return void 0;
+    }
+  });
+  if (repoPath === null) {
+    p3.cancel("Cancelled.");
+    process.exit(0);
+  }
+  const targetPath = resolve(repoPath || defaultPath);
+  const projectName = basename(targetPath);
+  const whiterosePath = join(targetPath, ".whiterose");
   const isInitialized = existsSync(whiterosePath);
-  if (isInitialized) {
-    console.log(chalk.dim(`  Project: ${chalk.white(cwd.split("/").pop())}`));
-    console.log(chalk.dim(`  Status: ${chalk.green("initialized")}`));
+  const detectSpinner = p3.spinner();
+  detectSpinner.start("Detecting LLM providers...");
+  const availableProviders = await detectProvider();
+  detectSpinner.stop(`Found ${availableProviders.length} provider(s)`);
+  if (availableProviders.length === 0) {
+    p3.log.error("No LLM providers detected on your system.");
     console.log();
-  } else {
-    console.log(chalk.dim(`  Project: ${chalk.white(cwd.split("/").pop())}`));
-    console.log(chalk.dim(`  Status: ${chalk.yellow("not initialized")}`));
+    console.log(chalk.dim("  Supported providers:"));
+    console.log(chalk.dim("  - claude-code: ") + chalk.cyan("npm install -g @anthropic-ai/claude-code"));
+    console.log(chalk.dim("  - aider: ") + chalk.cyan("pip install aider-chat"));
     console.log();
+    p3.outro(chalk.red("Install a provider and try again."));
+    process.exit(1);
+  }
+  let selectedProvider;
+  if (availableProviders.length === 1) {
+    selectedProvider = availableProviders[0];
+    p3.log.info(`Using ${chalk.cyan(selectedProvider)} (only available provider)`);
+  } else {
+    const providerChoice = await p3.select({
+      message: "Select LLM provider",
+      options: availableProviders.map((provider) => ({
+        value: provider,
+        label: provider,
+        hint: provider === "claude-code" ? "recommended" : void 0
+      }))
+    });
+    if (p3.isCancel(providerChoice)) {
+      p3.cancel("Cancelled.");
+      process.exit(0);
+    }
+    selectedProvider = providerChoice;
   }
-  const menuOptions = [];
   if (!isInitialized) {
-    menuOptions.push({
-      value: "init",
-      label: "Initialize",
-      hint: "set up whiterose for this project"
+    p3.log.warn(`Project "${projectName}" is not initialized.`);
+    const shouldInit = await p3.confirm({
+      message: "Initialize whiterose for this project?",
+      initialValue: true
     });
+    if (p3.isCancel(shouldInit) || !shouldInit) {
+      p3.cancel("Cannot scan without initialization.");
+      process.exit(0);
+    }
+    process.chdir(targetPath);
+    await initCommand({
+      provider: selectedProvider,
+      skipQuestions: false,
+      force: false,
+      // Read-only operations auto-approve, unsafe only matters for fix
+      skipProviderDetection: true
+      // Already verified in wizard
+    });
+    console.log();
   } else {
-    menuOptions.push(
-      { value: "scan", label: "Scan", hint: "find bugs in the codebase" },
-      { value: "fix", label: "Fix", hint: "fix bugs interactively" },
-      { value: "status", label: "Status", hint: "show current status" },
-      { value: "report", label: "Report", hint: "generate bug report" },
-      { value: "refresh", label: "Refresh", hint: "rebuild codebase understanding" }
-    );
+    process.chdir(targetPath);
   }
-  menuOptions.push({ value: "help", label: "Help", hint: "show all commands" });
-  menuOptions.push({ value: "exit", label: "Exit" });
-  const choice = await p3.select({
-    message: "What would you like to do?",
-    options: menuOptions
+  const scanDepth = await p3.select({
+    message: "Scan depth",
+    options: [
+      {
+        value: "quick",
+        label: "Quick scan",
+        hint: "faster, incremental changes only"
+      },
+      {
+        value: "deep",
+        label: "Deep scan",
+        hint: "thorough, full codebase analysis (recommended)"
+      }
+    ],
+    initialValue: "deep"
   });
-  if (p3.isCancel(choice) || choice === "exit") {
-    p3.outro(chalk.dim("Goodbye."));
+  if (p3.isCancel(scanDepth)) {
+    p3.cancel("Cancelled.");
     process.exit(0);
   }
   console.log();
-  switch (choice) {
-    case "init":
-      await initCommand({ provider: "claude-code", skipQuestions: false, force: false, unsafe: false });
-      break;
-    case "scan":
-      await scanCommand([], {
-        full: false,
-        json: false,
-        sarif: false,
-        provider: void 0,
-        category: void 0,
-        minConfidence: "low",
-        adversarial: true,
-        unsafe: false
-      });
-      break;
-    case "fix":
-      await fixCommand(void 0, { dryRun: false });
-      break;
-    case "status":
-      await statusCommand();
-      break;
-    case "report":
-      await reportCommand({ output: "BUGS.md", format: "markdown" });
-      break;
-    case "refresh":
-      await refreshCommand();
-      break;
-    case "help":
-      program.help();
-      break;
-  }
+  p3.log.step("Starting scan...");
+  console.log();
+  await scanCommand([], {
+    full: scanDepth === "deep",
+    json: false,
+    sarif: false,
+    provider: selectedProvider,
+    category: void 0,
+    minConfidence: "low"
+  });
 }
 if (process.argv.length === 2) {
-  showInteractiveMenu().catch((error) => {
+  showInteractiveWizard().catch((error) => {
     console.error(chalk.red("Error:"), error.message);
     process.exit(1);
   });