@shakecodeslikecray/whiterose 0.2.0 → 0.2.3

package/dist/cli/index.js

@@ -6,6 +6,7 @@ import { existsSync, mkdirSync, writeFileSync, readdirSync, readFileSync, statSy
 import { join, isAbsolute, resolve, basename, relative, dirname } from 'path';
 import { execa } from 'execa';
 import { homedir, tmpdir } from 'os';
+import { spawn } from 'child_process';
 import { z } from 'zod';
 import fg3 from 'fast-glob';
 import { createHash } from 'crypto';
@@ -14,6 +15,7 @@ import { render, useApp, useInput, Box, Text } from 'ink';
 import { useState, useEffect } from 'react';
 import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
 import Spinner from 'ink-spinner';
+import * as readline from 'readline';
 
 var providerChecks = [
   {
@@ -583,7 +585,7 @@ var ClaudeCodeProvider = class {
   // Agentic Prompts
   // ─────────────────────────────────────────────────────────────
   buildAgenticAnalysisPrompt(understanding) {
-    return `You are whiterose, an expert bug hunter. Your task is to explore this codebase and find real bugs.
+    return `You are whiterose, an expert bug hunter. Your task is to explore this codebase and find REAL bugs.
 
 CODEBASE CONTEXT:
 - Type: ${understanding.summary.type}
@@ -600,66 +602,78 @@ YOUR TASK:
    - Edge cases (empty arrays, zero values, boundaries)
    - Resource leaks (unclosed connections)
 
+CRITICAL - INLINE VALIDATION:
+Before reporting ANY bug, you MUST try to DISPROVE it:
+1. Check if there's a guard/validation that prevents the issue
+2. Check if the type system guarantees safety
+3. Check if framework behavior handles this case
+4. Check if the code path is actually reachable
+5. Only report the bug if you CANNOT disprove it
+
 PROTOCOL - You MUST output these markers:
-- Before reading each file, output: ${MARKERS.SCANNING}<filepath>
-- When you find a bug, output: ${MARKERS.BUG}<json>
+- When reading a file, output: ${MARKERS.SCANNING}<filepath>
+- When you find a VALIDATED bug, output: ${MARKERS.BUG}<json>
 - When completely done, output: ${MARKERS.COMPLETE}
 - If you encounter an error, output: ${MARKERS.ERROR}<message>
 
-BUG JSON FORMAT:
-${MARKERS.BUG}{"file":"src/api/users.ts","line":42,"title":"Null dereference in getUserById","description":"...","severity":"high","category":"null-reference","evidence":["..."],"suggestedFix":"..."}
+BUG JSON FORMAT (only after validation):
+${MARKERS.BUG}{"file":"src/api/users.ts","line":42,"title":"Null dereference in getUserById","description":"...","severity":"high","category":"null-reference","confidence":"high","evidence":["line of code","why it's reachable"],"validationNotes":"Checked for guards - none found. Type allows null.","suggestedFix":"..."}
+
+SEVERITY GUIDE:
+- critical: Security vulnerabilities, data loss, crashes in production
+- high: Bugs that will definitely cause issues for users
+- medium: Edge cases that may cause issues under certain conditions
+- low: Minor issues, potential improvements
 
 IMPORTANT:
-- Only report bugs you have HIGH confidence in
-- Include exact line numbers
-- Focus on real bugs, not style issues
-- Explore systematically - check API routes, data handling, auth flows
+- Do NOT report style issues or potential improvements
+- Do NOT report bugs you haven't validated
+- Include EXACT line numbers from the files you read
+- Include validation notes explaining why the bug is real
+- Explore systematically - check entry points, API routes, data flows
 
-Now explore this codebase and find bugs. Start by reading the main entry points.`;
+Now explore this codebase and find VALIDATED bugs. Start by reading the main entry points.`;
   }
   buildAgenticUnderstandingPrompt(existingDocsSummary) {
     const docsSection = existingDocsSummary ? `
 
-EXISTING DOCUMENTATION (merge this with your exploration):
+EXISTING DOCUMENTATION:
 ${existingDocsSummary}
 ` : "";
-    return `You are whiterose. Your task is to understand this codebase.
+    return `You are whiterose. Your task is to QUICKLY understand this codebase structure.
 ${docsSection}
-YOUR TASK:
-1. Review the existing documentation above (if any)
-2. Explore the codebase structure to fill in gaps
-3. Read key files (main entry points, config files, core modules)
-4. Build a comprehensive understanding merging docs + code exploration
-5. Identify main features, business rules, and behavioral contracts
+YOUR TASK (be fast, read only key files):
+1. Read package.json or similar config to understand the project type
+2. Read the main entry point (index.ts, main.ts, app.ts, etc.)
+3. Skim 2-3 core files to understand the architecture
+4. Output your understanding - don't over-explore
 
 PROTOCOL - You MUST output these markers:
-- Before reading each file, output: ${MARKERS.SCANNING}<filepath>
-- When you have full understanding, output: ${MARKERS.UNDERSTANDING}<json>
-- When completely done, output: ${MARKERS.COMPLETE}
+- When reading a file, output: ${MARKERS.SCANNING}<filepath>
+- When you have understanding, output: ${MARKERS.UNDERSTANDING}<json>
+- When done, output: ${MARKERS.COMPLETE}
 
 UNDERSTANDING JSON FORMAT:
 ${MARKERS.UNDERSTANDING}{
   "summary": {
-    "type": "api|web-app|cli|library|etc",
-    "framework": "next.js|express|react|etc",
+    "type": "api|web-app|cli|library|monorepo",
+    "framework": "next.js|express|react|fastify|none",
     "language": "typescript|javascript",
-    "description": "2-3 sentence description"
+    "description": "1-2 sentence description of what this project does"
   },
   "features": [
-    {"name": "Feature", "description": "What it does", "priority": "critical|high|medium|low", "constraints": ["business rule 1", "invariant 2"], "relatedFiles": ["path/to/file.ts"]}
+    {"name": "Feature Name", "description": "Brief description", "priority": "critical|high|medium|low", "relatedFiles": ["path/to/file.ts"]}
   ],
-  "contracts": [
-    {"function": "functionName", "file": "path/to/file.ts", "inputs": [], "outputs": {}, "invariants": ["must do X before Y"], "sideEffects": [], "throws": []}
-  ]
+  "contracts": []
 }
 
 IMPORTANT:
-- Merge existing documentation with what you discover in the code
-- Focus on business rules and invariants (what MUST be true)
-- Identify critical paths (checkout, auth, payments, etc.)
-- Document behavioral contracts for important functions
+- Be FAST - read 3-5 files max
+- Focus on WHAT the project does, not implementation details
+- Identify the main features/capabilities
+- Don't deep-dive into every file
 
-Now explore this codebase and build understanding.`;
+Now QUICKLY understand this codebase.`;
   }
   buildAdversarialPrompt(bug, fileContent) {
     return `You are a skeptical code reviewer. Try to DISPROVE this bug report.
@@ -688,26 +702,37 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
   // Claude CLI Execution (Agentic Mode)
   // ─────────────────────────────────────────────────────────────
   async runAgenticClaude(prompt, cwd, callbacks) {
+    this.streamBuffer = "";
+    this.fullResponseBuffer = "";
     const claudeCommand = getProviderCommand("claude-code");
-    const args = ["--verbose", "-p", prompt];
-    if (this.unsafeMode) {
-      args.unshift("--dangerously-skip-permissions");
-    }
-    this.currentProcess = execa(
-      claudeCommand,
-      args,
-      {
-        cwd,
-        env: {
-          ...process.env,
-          NO_COLOR: "1"
-        },
-        reject: false
+    const args = [
+      "-p",
+      prompt,
+      "--output-format",
+      "stream-json",
+      "--verbose"
+    ];
+    args.push("--dangerously-skip-permissions");
+    this.currentProcess = spawn(claudeCommand, args, {
+      cwd,
+      env: {
+        ...process.env,
+        NO_COLOR: "1"
+      },
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let lastActivity = Date.now();
+    const heartbeat = setInterval(() => {
+      const elapsed = Math.floor((Date.now() - lastActivity) / 1e3);
+      if (elapsed > 10) {
+        this.reportProgress(`Analyzing... (${elapsed}s since last update)`);
       }
-    );
+    }, 5e3);
     let buffer = "";
     this.currentProcess.stdout?.on("data", (chunk) => {
-      buffer += chunk.toString();
+      lastActivity = Date.now();
+      const text3 = chunk.toString();
+      buffer += text3;
       const lines = buffer.split("\n");
       buffer = lines.pop() || "";
       for (const line of lines) {
@@ -715,17 +740,95 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
       }
     });
     this.currentProcess.stderr?.on("data", (chunk) => {
-      const text4 = chunk.toString().trim();
-      if (text4 && !text4.includes("Loading")) ;
+      lastActivity = Date.now();
+      const text3 = chunk.toString().trim();
+      if (text3) {
+        this.reportProgress(`Claude: ${text3.slice(0, 50)}...`);
+      }
     });
-    await this.currentProcess;
+    await new Promise((resolve5, reject) => {
+      const timeout = setTimeout(() => {
+        this.currentProcess?.kill();
+        reject(new Error("Claude analysis timed out after 5 minutes"));
+      }, 3e5);
+      this.currentProcess?.on("exit", (code) => {
+        clearTimeout(timeout);
+        if (code !== 0 && code !== null) {
+          this.reportProgress(`Claude exited with code ${code}`);
+        }
+        resolve5();
+      });
+      this.currentProcess?.on("error", (err) => {
+        clearTimeout(timeout);
+        reject(err);
+      });
+    });
+    clearInterval(heartbeat);
     if (buffer.trim()) {
       this.processAgentOutput(buffer, callbacks);
     }
+    if (this.fullResponseBuffer && callbacks.onUnderstanding) {
+      this.tryExtractUnderstandingJson(this.fullResponseBuffer, callbacks);
+    }
     this.currentProcess = void 0;
   }
   processAgentOutput(line, callbacks) {
     const trimmed = line.trim();
+    if (!trimmed) return;
+    try {
+      const event = JSON.parse(trimmed);
+      if (event.type === "system") {
+        this.reportProgress("Claude initialized...");
+      } else if (event.type === "stream_event") {
+        const innerEvent = event.event;
+        if (innerEvent?.type === "content_block_delta") {
+          const text3 = innerEvent.delta?.text;
+          if (text3) {
+            this.processTextContent(text3, callbacks);
+          }
+        } else if (innerEvent?.type === "content_block_start") {
+          if (innerEvent.content_block?.type === "tool_use") {
+            const toolName = innerEvent.content_block.name || "tool";
+            this.reportProgress(`Using ${toolName}...`);
+          }
+        }
+      } else if (event.type === "assistant") {
+        const content = event.message?.content || [];
+        for (const item of content) {
+          if (item.type === "text" && item.text) {
+            this.processTextContent(item.text, callbacks);
+          } else if (item.type === "tool_use") {
+            const toolName = item.name || "tool";
+            const input = item.input || {};
+            if (toolName === "Read" && input.file_path) {
+              callbacks.onScanning?.(input.file_path);
+              this.reportProgress(`Reading: ${input.file_path.split("/").pop()}`);
+            } else if (toolName === "Glob" || toolName === "Grep") {
+              this.reportProgress(`Searching: ${input.pattern || "..."}`);
+            } else {
+              this.reportProgress(`Using ${toolName}...`);
+            }
+          }
+        }
+      } else if (event.type === "user") {
+        if (event.tool_use_result) {
+          const numFiles = event.tool_use_result.numFiles;
+          if (numFiles) {
+            this.reportProgress(`Found ${numFiles} files...`);
+          }
+        }
+      } else if (event.type === "result") {
+        if (event.result) {
+          this.processTextContent(event.result, callbacks);
+          this.tryExtractUnderstandingJson(event.result, callbacks);
+        }
+        callbacks.onComplete?.();
+      } else if (event.type === "error") {
+        callbacks.onError?.(event.error || event.message || "Unknown error");
+      }
+      return;
+    } catch {
+    }
     if (trimmed.startsWith(MARKERS.SCANNING)) {
       const file = trimmed.slice(MARKERS.SCANNING.length).trim();
       callbacks.onScanning?.(file);
@@ -742,6 +845,92 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
       callbacks.onError?.(error);
     }
   }
+  // Accumulated text for marker detection in streaming responses
+  streamBuffer = "";
+  // Full response text for fallback extraction
+  fullResponseBuffer = "";
+  processTextContent(text3, callbacks) {
+    this.streamBuffer += text3;
+    this.fullResponseBuffer += text3;
+    const lines = this.streamBuffer.split("\n");
+    this.streamBuffer = lines.pop() || "";
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith(MARKERS.SCANNING)) {
+        callbacks.onScanning?.(trimmed.slice(MARKERS.SCANNING.length).trim());
+      } else if (trimmed.startsWith(MARKERS.BUG)) {
+        callbacks.onBugFound?.(trimmed.slice(MARKERS.BUG.length).trim());
+      } else if (trimmed.startsWith(MARKERS.UNDERSTANDING)) {
+        callbacks.onUnderstanding?.(trimmed.slice(MARKERS.UNDERSTANDING.length).trim());
+      } else if (trimmed.startsWith(MARKERS.COMPLETE)) {
+        callbacks.onComplete?.();
+      } else if (trimmed.startsWith(MARKERS.ERROR)) {
+        callbacks.onError?.(trimmed.slice(MARKERS.ERROR.length).trim());
+      }
+    }
+  }
+  // Try to extract understanding JSON from text without markers
+  tryExtractUnderstandingJson(text3, callbacks) {
+    const codeBlockMatch = text3.match(/```(?:json)?\s*([\s\S]*?)```/);
+    if (codeBlockMatch) {
+      const jsonStr = codeBlockMatch[1].trim();
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.summary && (parsed.summary.type || parsed.summary.language)) {
+          callbacks.onUnderstanding?.(jsonStr);
+          return;
+        }
+      } catch {
+      }
+    }
+    const candidates = [];
+    let depth = 0;
+    let start = -1;
+    let inString = false;
+    let escapeNext = false;
+    for (let i = 0; i < text3.length; i++) {
+      const char = text3[i];
+      if (escapeNext) {
+        escapeNext = false;
+        continue;
+      }
+      if (char === "\\" && inString) {
+        escapeNext = true;
+        continue;
+      }
+      if (char === '"' && !escapeNext) {
+        inString = !inString;
+        continue;
+      }
+      if (inString) continue;
+      if (char === "{") {
+        if (depth === 0) {
+          start = i;
+        }
+        depth++;
+      } else if (char === "}") {
+        depth--;
+        if (depth === 0 && start !== -1) {
+          const candidate = text3.slice(start, i + 1);
+          if (candidate.includes('"summary"') && candidate.includes('"type"')) {
+            candidates.push(candidate);
+          }
+          start = -1;
+        }
+      }
+    }
+    candidates.sort((a, b) => b.length - a.length);
+    for (const jsonStr of candidates) {
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.summary && (parsed.summary.type || parsed.summary.language)) {
+          callbacks.onUnderstanding?.(jsonStr);
+          return;
+        }
+      } catch {
+      }
+    }
+  }
   // Simple non-agentic mode for short prompts (adversarial validation)
   async runSimpleClaude(prompt, cwd) {
     const claudeCommand = getProviderCommand("claude-code");
@@ -903,18 +1092,63 @@ Set "survived": true if you CANNOT disprove it (it's a real bug).`;
   // ─────────────────────────────────────────────────────────────
   // Utilities
   // ─────────────────────────────────────────────────────────────
-  extractJson(text4) {
-    const codeBlockMatch = text4.match(/```(?:json)?\s*([\s\S]*?)```/);
+  extractJson(text3) {
+    const codeBlockMatch = text3.match(/```(?:json)?\s*([\s\S]*?)```/);
     if (codeBlockMatch) {
       return codeBlockMatch[1].trim();
     }
-    const arrayMatch = text4.match(/\[[\s\S]*\]/);
-    if (arrayMatch) {
-      return arrayMatch[0];
+    return this.findBalancedJson(text3);
+  }
+  // Find the first balanced JSON object or array in text
+  findBalancedJson(text3) {
+    const objectStart = text3.indexOf("{");
+    const arrayStart = text3.indexOf("[");
+    let start = -1;
+    let openChar = "{";
+    let closeChar = "}";
+    if (objectStart === -1 && arrayStart === -1) {
+      return null;
+    } else if (objectStart === -1) {
+      start = arrayStart;
+      openChar = "[";
+      closeChar = "]";
+    } else if (arrayStart === -1) {
+      start = objectStart;
+    } else {
+      if (arrayStart < objectStart) {
+        start = arrayStart;
+        openChar = "[";
+        closeChar = "]";
+      } else {
+        start = objectStart;
+      }
     }
-    const objectMatch = text4.match(/\{[\s\S]*\}/);
-    if (objectMatch) {
-      return objectMatch[0];
+    let depth = 0;
+    let inString = false;
+    let escapeNext = false;
+    for (let i = start; i < text3.length; i++) {
+      const char = text3[i];
+      if (escapeNext) {
+        escapeNext = false;
+        continue;
+      }
+      if (char === "\\" && inString) {
+        escapeNext = true;
+        continue;
+      }
+      if (char === '"' && !escapeNext) {
+        inString = !inString;
+        continue;
+      }
+      if (inString) continue;
+      if (char === openChar) {
+        depth++;
+      } else if (char === closeChar) {
+        depth--;
+        if (depth === 0) {
+          return text3.slice(start, i + 1);
+        }
+      }
     }
     return null;
   }
@@ -1266,12 +1500,12 @@ Output JSON ONLY describing:
   // ─────────────────────────────────────────────────────────────
   // Utilities
   // ─────────────────────────────────────────────────────────────
-  extractJson(text4) {
-    const codeBlockMatch = text4.match(/```(?:json)?\s*([\s\S]*?)```/);
+  extractJson(text3) {
+    const codeBlockMatch = text3.match(/```(?:json)?\s*([\s\S]*?)```/);
     if (codeBlockMatch) return codeBlockMatch[1].trim();
-    const arrayMatch = text4.match(/\[[\s\S]*\]/);
+    const arrayMatch = text3.match(/\[[\s\S]*\]/);
     if (arrayMatch) return arrayMatch[0];
-    const objectMatch = text4.match(/\{[\s\S]*\}/);
+    const objectMatch = text3.match(/\{[\s\S]*\}/);
     if (objectMatch) return objectMatch[0];
     return null;
   }
@@ -1734,35 +1968,44 @@ async function initCommand(options) {
     process.exit(1);
   }
   p3.intro(chalk.red("whiterose") + chalk.dim(" - initialization"));
-  const providerSpinner = p3.spinner();
-  providerSpinner.start("Detecting available LLM providers...");
-  const availableProviders = await detectProvider();
-  if (availableProviders.length === 0) {
-    providerSpinner.stop("No LLM providers detected");
-    p3.log.error("whiterose requires an LLM provider to function.");
-    p3.log.info("Supported providers: claude-code, aider, codex, opencode");
-    p3.log.info("Install one and ensure it's configured, then run init again.");
-    process.exit(1);
-  }
-  providerSpinner.stop(`Detected providers: ${availableProviders.join(", ")}`);
   let selectedProvider;
-  if (options.skipQuestions) {
-    selectedProvider = availableProviders[0];
-    p3.log.info(`Using ${selectedProvider} as your LLM provider.`);
+  if (options.skipProviderDetection && options.provider) {
+    selectedProvider = options.provider;
   } else {
-    const providerChoice = await p3.select({
-      message: "Which LLM provider should whiterose use?",
-      options: availableProviders.map((prov) => ({
-        value: prov,
-        label: prov,
-        hint: prov === "claude-code" ? "recommended" : void 0
-      }))
-    });
-    if (p3.isCancel(providerChoice)) {
-      p3.cancel("Initialization cancelled.");
-      process.exit(0);
+    const providerSpinner = p3.spinner();
+    providerSpinner.start("Detecting available LLM providers...");
+    const availableProviders = await detectProvider();
+    if (availableProviders.length === 0) {
+      providerSpinner.stop("No LLM providers detected");
+      p3.log.error("whiterose requires an LLM provider to function.");
+      p3.log.info("Supported providers: claude-code, aider, codex, opencode");
+      p3.log.info("Install one and ensure it's configured, then run init again.");
+      process.exit(1);
+    }
+    providerSpinner.stop(`Detected providers: ${availableProviders.join(", ")}`);
+    const passedProvider = options.provider;
+    const isPassedProviderAvailable = availableProviders.includes(passedProvider);
+    if (isPassedProviderAvailable) {
+      selectedProvider = passedProvider;
+      p3.log.info(`Using ${selectedProvider} as your LLM provider.`);
+    } else if (options.skipQuestions) {
+      selectedProvider = availableProviders[0];
+      p3.log.info(`Using ${selectedProvider} as your LLM provider.`);
+    } else {
+      const providerChoice = await p3.select({
+        message: "Which LLM provider should whiterose use?",
+        options: availableProviders.map((prov) => ({
+          value: prov,
+          label: prov,
+          hint: prov === "claude-code" ? "recommended" : void 0
+        }))
+      });
+      if (p3.isCancel(providerChoice)) {
+        p3.cancel("Initialization cancelled.");
+        process.exit(0);
+      }
+      selectedProvider = providerChoice;
     }
-    selectedProvider = providerChoice;
   }
   const verifySpinner = p3.spinner();
   verifySpinner.start("Verifying provider CLI works...");
@@ -1820,10 +2063,6 @@ async function initCommand(options) {
   let understanding;
   try {
     const provider = await getProvider(selectedProvider);
-    if (options.unsafe && "setUnsafeMode" in provider) {
-      provider.setUnsafeMode(true);
-      p3.log.warn("Running in unsafe mode (--unsafe). LLM permission prompts are bypassed.");
-    }
     if ("setProgressCallback" in provider) {
       provider.setProgressCallback((message) => {
         understandingSpinner.message(message);
@@ -2364,14 +2603,6 @@ async function scanCommand(paths, options) {
   }
   const providerName = options.provider || config.provider;
   const provider = await getProvider(providerName);
-  if (options.unsafe) {
-    if ("setUnsafeMode" in provider) {
-      provider.setUnsafeMode(true);
-      if (!isQuiet) {
-        p3.log.warn("Running in unsafe mode (--unsafe). LLM permission prompts are bypassed.");
-      }
-    }
-  }
   let bugs;
   if (!isQuiet) {
     const llmSpinner = p3.spinner();
@@ -2408,47 +2639,6 @@ async function scanCommand(paths, options) {
       staticAnalysisResults: staticResults
     });
   }
-  if (options.adversarial && bugs.length > 0) {
-    if (!isQuiet) {
-      const advSpinner = p3.spinner();
-      advSpinner.start("Running adversarial validation...");
-      const validatedBugs = [];
-      for (const bug of bugs) {
-        const result2 = await provider.adversarialValidate(bug, {
-          files: filesToScan,
-          understanding,
-          config,
-          staticAnalysisResults: staticResults
-        });
-        if (result2.survived) {
-          validatedBugs.push({
-            ...bug,
-            confidence: result2.adjustedConfidence || bug.confidence
-          });
-        }
-      }
-      const filtered = bugs.length - validatedBugs.length;
-      advSpinner.stop(`Adversarial validation: ${filtered} false positives filtered`);
-      bugs = validatedBugs;
-    } else {
-      const validatedBugs = [];
-      for (const bug of bugs) {
-        const result2 = await provider.adversarialValidate(bug, {
-          files: filesToScan,
-          understanding,
-          config,
-          staticAnalysisResults: staticResults
-        });
-        if (result2.survived) {
-          validatedBugs.push({
-            ...bug,
-            confidence: result2.adjustedConfidence || bug.confidence
-          });
-        }
-      }
-      bugs = validatedBugs;
-    }
-  }
   const minConfidence = options.minConfidence;
   const confidenceOrder = { high: 3, medium: 2, low: 1 };
   bugs = bugs.filter((bug) => confidenceOrder[bug.confidence.overall] >= confidenceOrder[minConfidence]);
@@ -3374,12 +3564,12 @@ function generateDiff(original, fixed, filename) {
   return diff.join("\n");
 }
 async function startFixTUI(bugs, config, options) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve5) => {
     const handleFix = async (bug) => {
       await applyFix(bug, config, options);
     };
     const handleExit = () => {
-      resolve4();
+      resolve5();
     };
     const { unmount, waitUntilExit } = render(
       /* @__PURE__ */ jsx(
@@ -3394,7 +3584,7 @@ async function startFixTUI(bugs, config, options) {
       )
     );
     waitUntilExit().then(() => {
-      resolve4();
+      resolve5();
     });
   });
 }
@@ -3936,6 +4126,160 @@ async function reportCommand(options) {
     p3.log.success(`Report written to ${options.output}`);
   }
 }
+function getPathCompletions(partial) {
+  try {
+    if (!partial) partial = ".";
+    const resolved = resolve(partial);
+    let dir;
+    let prefix;
+    if (partial.endsWith("/") || existsSync(resolved) && statSync(resolved).isDirectory()) {
+      dir = resolved;
+      prefix = "";
+    } else {
+      dir = dirname(resolved);
+      prefix = basename(partial);
+    }
+    if (!existsSync(dir)) {
+      return [];
+    }
+    const entries = readdirSync(dir, { withFileTypes: true });
+    const matches = entries.filter((entry) => entry.isDirectory()).filter((entry) => entry.name.toLowerCase().startsWith(prefix.toLowerCase())).filter((entry) => !entry.name.startsWith(".") || prefix.startsWith(".")).map((entry) => {
+      if (partial.endsWith("/") || prefix === "") {
+        return partial + entry.name + "/";
+      }
+      const base = partial.slice(0, partial.length - prefix.length);
+      return base + entry.name + "/";
+    }).sort();
+    return matches;
+  } catch {
+    return [];
+  }
+}
+function longestCommonPrefix(strings) {
+  if (strings.length === 0) return "";
+  if (strings.length === 1) return strings[0];
+  let prefix = strings[0];
+  for (let i = 1; i < strings.length; i++) {
+    while (!strings[i].startsWith(prefix)) {
+      prefix = prefix.slice(0, -1);
+      if (prefix === "") return "";
+    }
+  }
+  return prefix;
+}
+function pathInput(options) {
+  return new Promise((resolvePromise) => {
+    const { message, defaultValue = "", validate } = options;
+    const promptText = chalk.cyan("\u25C6") + " " + chalk.bold(message);
+    const hint = defaultValue ? chalk.dim(` (default: ${defaultValue})`) : "";
+    const tabHint = chalk.dim(" [Tab to autocomplete]");
+    process.stdout.write(promptText + hint + tabHint + "\n");
+    process.stdout.write(chalk.cyan("\u2502") + " ");
+    let input = "";
+    let cursorPos = 0;
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(true);
+    }
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+    const redrawLine = () => {
+      readline.clearLine(process.stdout, 0);
+      readline.cursorTo(process.stdout, 0);
+      process.stdout.write(chalk.cyan("\u2502") + " " + input);
+      readline.cursorTo(process.stdout, 2 + cursorPos);
+    };
+    const cleanup = () => {
+      if (process.stdin.isTTY) {
+        process.stdin.setRawMode(false);
+      }
+      process.stdin.pause();
+      process.stdin.removeAllListeners("data");
+    };
+    const finish = (result) => {
+      cleanup();
+      console.log();
+      resolvePromise(result);
+    };
+    process.stdin.on("data", (key) => {
+      const code = key.charCodeAt(0);
+      if (code === 3) {
+        console.log();
+        finish(null);
+        return;
+      }
+      if (code === 13) {
+        const finalPath = input.trim() || defaultValue;
+        if (validate) {
+          const error = validate(finalPath);
+          if (error) {
+            console.log();
+            process.stdout.write(chalk.red("\u2502") + " " + chalk.red(error) + "\n");
+            process.stdout.write(chalk.cyan("\u2502") + " " + input);
+            return;
+          }
+        }
+        finish(finalPath);
+        return;
+      }
+      if (code === 9) {
+        const completions = getPathCompletions(input || ".");
+        if (completions.length === 1) {
+          input = completions[0];
+          cursorPos = input.length;
+          redrawLine();
+        } else if (completions.length > 1) {
+          const common = longestCommonPrefix(completions);
+          if (common.length > input.length) {
+            input = common;
+            cursorPos = input.length;
+            redrawLine();
+          } else {
+            console.log();
+            const maxShow = 10;
+            const shown = completions.slice(0, maxShow);
+            process.stdout.write(chalk.dim("\u2502 ") + shown.map((c) => chalk.cyan(basename(c.slice(0, -1)))).join("  "));
+            if (completions.length > maxShow) {
+              process.stdout.write(chalk.dim(` ... +${completions.length - maxShow} more`));
+            }
+            console.log();
+            process.stdout.write(chalk.cyan("\u2502") + " " + input);
+          }
+        }
+        return;
+      }
+      if (code === 127 || code === 8) {
+        if (cursorPos > 0) {
+          input = input.slice(0, cursorPos - 1) + input.slice(cursorPos);
+          cursorPos--;
+          redrawLine();
+        }
+        return;
+      }
+      if (key === "\x1B[D") {
+        if (cursorPos > 0) {
+          cursorPos--;
+          redrawLine();
+        }
+        return;
+      }
+      if (key === "\x1B[C") {
+        if (cursorPos < input.length) {
+          cursorPos++;
+          redrawLine();
+        }
+        return;
+      }
+      if (key.startsWith("\x1B")) {
+        return;
+      }
+      if (code >= 32 && code < 127) {
+        input = input.slice(0, cursorPos) + key + input.slice(cursorPos);
+        cursorPos++;
+        redrawLine();
+      }
+    });
+  });
+}
 
 // src/cli/index.ts
 var BANNER = `
@@ -3949,15 +4293,15 @@ ${chalk.red(" \u255A\u2550\u2550\u255D\u255A\u2550\u2550\u255D \u255A\u2550\u255
 ${chalk.dim(`  "I've been staring at your code for a long time."`)}
 `;
 var program = new Command();
-program.name("whiterose").description("AI-powered bug hunter that uses your existing LLM subscription").version("0.2.0").hook("preAction", () => {
+program.name("whiterose").description("AI-powered bug hunter that uses your existing LLM subscription").version("0.2.3").hook("preAction", () => {
   const args = process.argv.slice(2);
   if (!args.includes("--help") && !args.includes("-h") && args.length > 0) {
     console.log(BANNER);
   }
 });
-program.command("init").description("Initialize whiterose for this project (scans codebase, asks questions, generates config)").option("-p, --provider <provider>", "LLM provider to use", "claude-code").option("--skip-questions", "Skip interactive questions, use defaults").option("--force", "Overwrite existing .whiterose directory").option("--unsafe", "Bypass LLM permission prompts (use with caution)").action(initCommand);
-program.command("scan [paths...]").description("Scan for bugs in the codebase").option("-f, --full", "Force full scan (ignore cache)").option("--json", "Output as JSON only").option("--sarif", "Output as SARIF only").option("-p, --provider <provider>", "Override LLM provider").option("-c, --category <categories...>", "Filter by bug categories").option("--min-confidence <level>", "Minimum confidence level to report", "low").option("--no-adversarial", "Skip adversarial validation (faster, less accurate)").option("--unsafe", "Bypass LLM permission prompts (use with caution)").action(scanCommand);
-program.command("fix [bugId]").description("Fix bugs interactively or by ID").option("--dry-run", "Show proposed fixes without applying").option("--branch <name>", "Create fixes in a new branch").option("--sarif <path>", "Load bugs from an external SARIF file").option("--github <url>", "Load bug from a GitHub issue URL").option("--describe", "Manually describe a bug to fix").action(fixCommand);
+program.command("init").description("Initialize whiterose for this project (scans codebase, asks questions, generates config)").option("-p, --provider <provider>", "LLM provider to use", "claude-code").option("--skip-questions", "Skip interactive questions, use defaults").option("--force", "Overwrite existing .whiterose directory").action(initCommand);
+program.command("scan [paths...]").description("Scan for bugs in the codebase (includes inline validation)").option("-f, --full", "Force full scan (ignore cache)").option("--json", "Output as JSON only").option("--sarif", "Output as SARIF only").option("-p, --provider <provider>", "Override LLM provider").option("-c, --category <categories...>", "Filter by bug categories").option("--min-confidence <level>", "Minimum confidence level to report", "low").action(scanCommand);
+program.command("fix [bugId]").description("Fix bugs interactively or by ID").option("--dry-run", "Show proposed fixes without applying").option("--branch <name>", "Create fixes in a new branch").option("--sarif <path>", "Load bugs from an external SARIF file").option("--github <url>", "Load bug from a GitHub issue URL").option("--describe", "Manually describe a bug to fix").option("--unsafe", "Skip all permission prompts (full trust mode)").action(fixCommand);
 program.command("refresh").description("Rebuild codebase understanding from scratch").option("--keep-config", "Keep existing config, only regenerate understanding").action(refreshCommand);
 program.command("status").description("Show whiterose status (cache, last scan, provider)").action(statusCommand);
 program.command("report").description("Generate BUGS.md from last scan").option("-o, --output <path>", "Output path", "BUGS.md").option("--format <format>", "Output format (markdown, sarif, json)", "markdown").action(reportCommand);
@@ -3966,10 +4310,9 @@ async function showInteractiveWizard() {
   p3.intro(chalk.red("whiterose") + chalk.dim(" - AI Bug Hunter"));
   const cwd = process.cwd();
   const defaultPath = cwd;
-  const repoPath = await p3.text({
+  const repoPath = await pathInput({
     message: "Repository path",
-    placeholder: defaultPath,
-    initialValue: defaultPath,
+    defaultValue: defaultPath,
     validate: (value) => {
       const path = value || defaultPath;
       if (!existsSync(path)) {
@@ -3978,7 +4321,7 @@ async function showInteractiveWizard() {
       return void 0;
     }
   });
-  if (p3.isCancel(repoPath)) {
+  if (repoPath === null) {
     p3.cancel("Cancelled.");
     process.exit(0);
   }
@@ -4034,7 +4377,9 @@ async function showInteractiveWizard() {
       provider: selectedProvider,
       skipQuestions: false,
       force: false,
-      unsafe: false
+      // Read-only operations auto-approve, unsafe only matters for fix
+      skipProviderDetection: true
+      // Already verified in wizard
     });
     console.log();
   } else {
@@ -4069,9 +4414,7 @@ async function showInteractiveWizard() {
     sarif: false,
     provider: selectedProvider,
     category: void 0,
-    minConfidence: "low",
-    adversarial: true,
-    unsafe: false
+    minConfidence: "low"
   });
 }
 if (process.argv.length === 2) {