@shakecodeslikecray/whiterose 1.0.8 → 1.0.10

package/dist/cli/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { readFileSync, existsSync, mkdirSync, writeFileSync, rmSync, readdirSync, statSync, mkdtempSync, realpathSync } from 'fs';
-import { join, dirname, isAbsolute, resolve, basename, relative } from 'path';
+import { readFileSync, existsSync, mkdirSync, writeFileSync, rmSync, readdirSync, mkdtempSync, statSync, realpathSync } from 'fs';
+import { join, dirname, relative, isAbsolute, resolve, basename } from 'path';
 import chalk3 from 'chalk';
 import * as readline from 'readline';
 import { Command } from 'commander';
@@ -307,14 +307,24 @@ var ClaudeCodeExecutor = class {
   }
   async runPrompt(prompt, options) {
     const claudeCommand = getProviderCommand("claude-code");
+    if (process.env.WHITEROSE_DEBUG) {
+      console.log("\n[DEBUG] Running Claude Code command:", claudeCommand);
+      console.log("[DEBUG] Prompt length:", prompt.length);
+      console.log("[DEBUG] CWD:", options.cwd);
+      console.log("[DEBUG] First 500 chars of prompt:");
+      console.log(prompt.substring(0, 500));
+    }
     try {
       const { stdout, stderr } = await execa(
         claudeCommand,
         [
           "-p",
           prompt,
-          "--dangerously-skip-permissions"
+          "--dangerously-skip-permissions",
           // Allow file reads without prompts
+          "--output-format",
+          "text"
+          // Ensure non-interactive output
         ],
         {
           cwd: options.cwd,
@@ -323,7 +333,9 @@ var ClaudeCodeExecutor = class {
             ...process.env,
             NO_COLOR: "1"
           },
-          reject: false
+          reject: false,
+          stdin: "ignore"
+          // Prevent waiting for stdin
         }
       );
       if (stderr) {
@@ -340,6 +352,13 @@ var ClaudeCodeExecutor = class {
           throw new Error(`Claude Code error: ${stderr.substring(0, 200)}`);
         }
       }
+      if (process.env.WHITEROSE_DEBUG) {
+        console.log("\n[DEBUG] Claude Code stdout length:", stdout?.length || 0);
+        console.log("[DEBUG] Claude Code stderr:", stderr?.substring(0, 300) || "(none)");
+        console.log("[DEBUG] First 1000 chars of stdout:");
+        console.log(stdout?.substring(0, 1e3) || "(empty)");
+        console.log("[DEBUG] End response\n");
+      }
       return {
         output: stdout || "",
         error: stderr || void 0
@@ -1195,23 +1214,18 @@ ${pass.falsePositiveHints.map((h) => `- ${h}`).join("\n")}
 ${cwePatterns ? `## KNOWN VULNERABILITY PATTERNS
 ${cwePatterns}` : ""}
 
-## CRITICAL RULES
+## REPORTING GUIDELINES
 
-1. **ONLY ${pass.name.toUpperCase()} BUGS** - Ignore all other categories
-2. **MUST HAVE FIX** - No fix = not confirmed = don't report
-3. **TRACE THE DATA** - Follow user input to the vulnerable sink
-4. **CHECK GUARDS** - Verify there's no validation you missed
-5. **BE SPECIFIC** - Exact file, line, and triggering input
-6. **CHECK CONTROL FLOW** - CRITICAL: Verify the buggy line is actually REACHABLE:
-   - Look for early returns: \`if (x.length === 0) return;\` makes later \`x[0]\` SAFE
-   - Look for throws: \`if (!user) throw new Error()\` makes later \`user.name\` SAFE
-   - Look for guard clauses that exit before the buggy line
-   - If a condition causes function exit, code after is UNREACHABLE in that case
-   - Example FALSE POSITIVE: \`if (arr.length === 0) return false; ... arr[0].name\` - the access is SAFE because empty array caused early return
+1. **ONLY ${pass.name.toUpperCase()} ISSUES** - Focus on this category
+2. **REPORT POTENTIAL ISSUES** - If something looks suspicious, report it. Better to flag potential issues than miss real bugs.
+3. **INCLUDE CODE SMELLS** - Report risky patterns even if not immediately exploitable (set kind: "smell")
+4. **TRACE THE DATA** - Follow user input to potentially vulnerable sinks
+5. **BE SPECIFIC** - Include exact file, line number, and what makes it suspicious
+6. **SUGGESTED FIX IS OPTIONAL** - Nice to have but not required. Report the issue even without a fix.
 
 ## REPORTING FORMAT
 
-When you find a CONFIRMED ${pass.name} bug:
+When you find a ${pass.name} issue (bug or code smell):
 
 <json>
 {
@@ -1220,25 +1234,23 @@ When you find a CONFIRMED ${pass.name} bug:
     "file": "src/api/users.ts",
     "line": 42,
     "endLine": 45,
-    "title": "Short description of the bug",
-    "description": "Detailed explanation of why this is a bug and how it can be exploited.",
+    "title": "Short description of the issue",
+    "description": "Explanation of why this is problematic and potential impact.",
+    "kind": "bug|smell",
     "category": "${pass.category}",
     "severity": "critical|high|medium|low",
     "confidence": "high|medium|low",
-    "triggerInput": "Exact input that triggers the bug",
-    "codePath": [
-      {"step": 1, "file": "src/api/users.ts", "line": 38, "code": "const name = req.query.name", "explanation": "User input enters here"},
-      {"step": 2, "file": "src/api/users.ts", "line": 42, "code": "db.execute(query)", "explanation": "Used unsafely here"}
-    ],
     "evidence": [
       "Evidence point 1",
       "Evidence point 2"
     ],
-    "suggestedFix": "const result = await db.query('SELECT * FROM users WHERE name = $1', [req.query.name]);"
+    "suggestedFix": "Optional: how to fix it"
   }
 }
 </json>
 
+Use kind="bug" for confirmed vulnerabilities, kind="smell" for risky patterns that need review.
+
 Progress updates:
 ###SCANNING:path/to/file.ts
 
@@ -1247,9 +1259,13 @@ When done:
 
 ## BEGIN
 
-Start by searching for ${pass.name} patterns using grep. Then read the files and trace the data flow. Report bugs as you confirm them.
+Start by searching for ${pass.name} patterns using grep. Read at least 10-15 files that match the patterns. Report issues as you find them.
 
-REMEMBER: Only ${pass.name.toUpperCase()} bugs. Quality over quantity. Every bug must have an exact fix.`;
+IMPORTANT:
+- Report ANYTHING suspicious - we'll filter false positives later
+- Include code smells and risky patterns, not just confirmed exploits
+- If unsure, report it with confidence="low"
+- Aim for thoroughness - finding 10 potential issues is better than finding 0 confirmed bugs`;
 }
 
 // src/providers/prompts/constants.ts
@@ -2554,31 +2570,46 @@ var CoreScanner = class {
     return jobs;
   }
   buildQuickScanPrompt(context) {
-    const { understanding, staticResults } = context;
+    const { understanding, staticResults, files } = context;
     const staticSignals = staticResults.length > 0 ? `
 Static analysis signals:
 ${staticResults.slice(0, 30).map((r) => `- ${r.file}:${r.line}: ${r.message}`).join("\n")}` : "";
-    return `You are a security auditor. Analyze this ${understanding.summary.type} codebase for bugs.
+    const fileList = files.slice(0, 50).map((f) => `- ${f}`).join("\n");
+    const moreFiles = files.length > 50 ? `
+... and ${files.length - 50} more files` : "";
+    return `You are a security auditor. Analyze this ${understanding.summary.type} codebase for bugs and code smells.
 
 Project: ${understanding.summary.description || "Unknown"}
 Framework: ${understanding.summary.framework || "None"}
 Language: ${understanding.summary.language}
-${staticSignals}
-
-Find bugs in these categories:
-1. Injection (SQL, command, XSS)
-2. Auth bypass
-3. Null/undefined dereference
-4. Logic errors
-5. Async/race conditions
-6. Resource leaks
-7. Data validation issues
-8. Secrets exposure
 
-Output ONLY a JSON array:
-[{"file": "path", "line": 42, "title": "Bug title", "description": "Details", "severity": "critical|high|medium|low", "category": "injection|auth-bypass|null-reference|logic-error|async-issue|resource-leak|data-validation|secrets-exposure", "evidence": ["evidence"], "suggestedFix": "fix"}]
+## FILES TO ANALYZE
+Read and analyze these files for security issues:
+${fileList}${moreFiles}
+${staticSignals}
 
-If no bugs, return: []`;
+## INSTRUCTIONS
+1. Read each file listed above
+2. Look for security issues, bugs, and code smells
+3. Report ALL suspicious patterns - false positives will be filtered later
+4. Use kind="smell" for risky patterns, kind="bug" for confirmed issues
+
+## CATEGORIES TO CHECK
+- Injection (SQL, command, XSS) - unsanitized user input
+- Auth bypass - missing auth checks, IDOR
+- Null/undefined dereference - accessing properties on potentially null values
+- Logic errors - wrong conditions, off-by-one, inverted checks
+- Async/race conditions - unhandled promises, race conditions
+- Resource leaks - unclosed handles, missing cleanup
+- Data validation - missing input validation, type coercion issues
+- Secrets exposure - hardcoded keys, leaked credentials
+- Error handling - swallowed errors, missing try/catch
+
+## OUTPUT FORMAT
+Output a JSON array (one object per issue found):
+[{"file": "path", "line": 42, "title": "Issue title", "description": "Details", "kind": "bug|smell", "severity": "critical|high|medium|low", "category": "logic-error", "evidence": ["evidence"]}]
+
+If no issues found after reading all files, return: []`;
   }
   // ─────────────────────────────────────────────────────────────
   // Response Parsing
@@ -2599,6 +2630,23 @@ If no bugs, return: []`;
       } catch {
       }
     }
+    if (bugs.length === 0) {
+      const codeBlockMatches = output.matchAll(/```(?:json)?\s*([\s\S]*?)```/g);
+      for (const match of codeBlockMatches) {
+        try {
+          const parsed = JSON.parse(match[1].trim());
+          const items = Array.isArray(parsed) ? parsed : [parsed];
+          for (const item of items) {
+            const bug = this.parseBugData(item, startIndex + bugs.length, files, passName);
+            if (bug) {
+              bugs.push(bug);
+              this.progress.onBugFound?.(bug);
+            }
+          }
+        } catch {
+        }
+      }
+    }
     if (bugs.length === 0) {
       const arrayMatch = output.match(/\[[\s\S]*\]/);
       if (arrayMatch) {
@@ -2617,6 +2665,20 @@ If no bugs, return: []`;
         }
       }
     }
+    if (bugs.length === 0) {
+      const objectMatches = output.matchAll(/\{[^{}]*"file"[^{}]*"line"[^{}]*\}/g);
+      for (const match of objectMatches) {
+        try {
+          const parsed = JSON.parse(match[0]);
+          const bug = this.parseBugData(parsed, startIndex + bugs.length, files, passName);
+          if (bug) {
+            bugs.push(bug);
+            this.progress.onBugFound?.(bug);
+          }
+        } catch {
+        }
+      }
+    }
     return bugs;
   }
   parseBugData(data, index, files, passName) {
@@ -3039,8 +3101,8 @@ function splitIntoSections(content) {
 function parseListItems(content) {
   const items = [];
   const lines = content.split("\n");
-  for (const line of lines) {
-    const match = line.match(/^[-*]\s+(.+)/);
+  for (const line2 of lines) {
+    const match = line2.match(/^[-*]\s+(.+)/);
     if (match) {
       const item = match[1].trim();
       if (!item.includes("Add your") && !item.includes("Add files") && item !== "") {
@@ -3066,8 +3128,8 @@ function parseFeatureSection(section) {
   const constraintsMatch = section.match(/\*\*Constraints:\*\*\n((?:[-*]\s+[^\n]+\n?)+)/);
   if (constraintsMatch) {
     const constraintLines = constraintsMatch[1].split("\n");
-    for (const line of constraintLines) {
-      const match = line.match(/^[-*]\s+(.+)/);
+    for (const line2 of constraintLines) {
+      const match = line2.match(/^[-*]\s+(.+)/);
       if (match) {
         constraints.push(match[1].trim());
       }
@@ -3207,12 +3269,12 @@ function extractIntentFromDocs(docs) {
   if (docs.readme) {
     const featuresMatch = docs.readme.match(/##\s*Features?\s*\n([\s\S]*?)(?=\n##|\n---|$)/i);
     if (featuresMatch) {
-      const featureLines = featuresMatch[1].split("\n").filter((line) => line.trim().startsWith("-") || line.trim().startsWith("*")).map((line) => line.replace(/^[-*]\s*/, "").trim()).filter((line) => line.length > 0);
+      const featureLines = featuresMatch[1].split("\n").filter((line2) => line2.trim().startsWith("-") || line2.trim().startsWith("*")).map((line2) => line2.replace(/^[-*]\s*/, "").trim()).filter((line2) => line2.length > 0);
       intent.features.push(...featureLines.slice(0, 20));
     }
   }
   if (docs.envExample) {
-    const envLines = docs.envExample.split("\n").filter((line) => line.includes("=") && !line.startsWith("#")).map((line) => line.split("=")[0].trim()).filter((line) => line.length > 0);
+    const envLines = docs.envExample.split("\n").filter((line2) => line2.includes("=") && !line2.startsWith("#")).map((line2) => line2.split("=")[0].trim()).filter((line2) => line2.length > 0);
     intent.envVariables.push(...envLines);
   }
   for (const apiDoc of docs.apiDocs) {
@@ -3222,7 +3284,7 @@ function extractIntentFromDocs(docs) {
     }
   }
   if (docs.contributing) {
-    const conventionLines = docs.contributing.split("\n").filter((line) => line.trim().startsWith("-") || line.trim().startsWith("*")).map((line) => line.replace(/^[-*]\s*/, "").trim()).filter((line) => line.length > 10 && line.length < 200).slice(0, 10);
+    const conventionLines = docs.contributing.split("\n").filter((line2) => line2.trim().startsWith("-") || line2.trim().startsWith("*")).map((line2) => line2.replace(/^[-*]\s*/, "").trim()).filter((line2) => line2.length > 10 && line2.length < 200).slice(0, 10);
     intent.conventions.push(...conventionLines);
   }
   return intent;
@@ -3716,6 +3778,26 @@ z.object({
   lastIncrementalScan: z.string().datetime().optional(),
   fileHashes: z.array(FileHash)
 });
+var SeverityBreakdown = z.object({
+  critical: z.number(),
+  high: z.number(),
+  medium: z.number(),
+  low: z.number(),
+  total: z.number()
+});
+var ScanSummary = z.object({
+  bugs: SeverityBreakdown,
+  smells: SeverityBreakdown,
+  total: z.number()
+});
+var ScanMeta = z.object({
+  repoName: z.string(),
+  provider: z.string(),
+  duration: z.number(),
+  // ms
+  filesScanned: z.number(),
+  linesOfCode: z.number()
+});
 z.object({
   id: z.string(),
   timestamp: z.string().datetime(),
@@ -3724,16 +3806,10 @@ z.object({
   filesChanged: z.number().optional(),
   duration: z.number(),
   // ms
+  linesOfCode: z.number().optional(),
   bugs: z.array(Bug),
-  summary: z.object({
-    critical: z.number(),
-    high: z.number(),
-    medium: z.number(),
-    low: z.number(),
-    total: z.number(),
-    bugs: z.number(),
-    smells: z.number()
-  })
+  summary: ScanSummary,
+  meta: ScanMeta.optional()
 });
 
 // src/core/config.ts
@@ -3792,8 +3868,8 @@ async function runTypeScript(cwd) {
   } catch (error) {
     const output = [error.stdout, error.stderr].filter(Boolean).join("\n");
     const lines = output.split("\n");
-    for (const line of lines) {
-      const match = line.match(/^(.+)\((\d+),(\d+)\):\s+(error|warning)\s+TS(\d+):\s+(.+)$/);
+    for (const line2 of lines) {
+      const match = line2.match(/^(.+)\((\d+),(\d+)\):\s+(error|warning)\s+TS(\d+):\s+(.+)$/);
       if (match) {
         const filePath = normalizeFilePath(match[1], cwd);
         results.push({
@@ -4012,15 +4088,15 @@ function outputMarkdown(result) {
   lines.push("");
   lines.push("## Summary");
   lines.push("");
-  lines.push(`| Severity | Count |`);
-  lines.push(`|----------|-------|`);
-  lines.push(`| Critical | ${result.summary.critical} |`);
-  lines.push(`| High | ${result.summary.high} |`);
-  lines.push(`| Medium | ${result.summary.medium} |`);
-  lines.push(`| Low | ${result.summary.low} |`);
-  lines.push(`| **Verified Bugs** | **${result.summary.bugs}** |`);
-  lines.push(`| **Smells** | **${result.summary.smells}** |`);
-  lines.push(`| **Total Findings** | **${result.summary.total}** |`);
+  lines.push(`| | Bugs | Smells |`);
+  lines.push(`|----------|-------|-------|`);
+  lines.push(`| Critical | ${result.summary.bugs.critical} | ${result.summary.smells.critical} |`);
+  lines.push(`| High | ${result.summary.bugs.high} | ${result.summary.smells.high} |`);
+  lines.push(`| Medium | ${result.summary.bugs.medium} | ${result.summary.smells.medium} |`);
+  lines.push(`| Low | ${result.summary.bugs.low} | ${result.summary.smells.low} |`);
+  lines.push(`| **Total** | **${result.summary.bugs.total}** | **${result.summary.smells.total}** |`);
+  lines.push("");
+  lines.push(`**Total Findings:** ${result.summary.total}`);
   lines.push("");
   lines.push(`- **Scan Type:** ${result.scanType}`);
   lines.push(`- **Files Scanned:** ${result.filesScanned}`);
@@ -4338,18 +4414,19 @@ function outputHumanReadableMarkdown(result) {
   sections.push(`# Bug Report
 
 > Human-readable summary generated by whiterose on ${new Date(result.timestamp).toLocaleDateString()}
-> **${result.summary.bugs} bugs found** in ${result.filesScanned} files
+> **${result.summary.bugs.total} bugs found** in ${result.filesScanned} files
 
 ---
 
 ## Summary
 
-| Severity | Count | Description |
-|----------|-------|-------------|
-| \u{1F534} Critical | ${result.summary.critical} | Requires immediate attention |
-| \u{1F7E0} High | ${result.summary.high} | Should be fixed soon |
-| \u{1F7E1} Medium | ${result.summary.medium} | Fix when convenient |
-| \u26AA Low | ${result.summary.low} | Minor issues |
+| Severity | Bugs | Smells |
+|----------|------|--------|
+| Critical | ${result.summary.bugs.critical} | ${result.summary.smells.critical} |
+| High | ${result.summary.bugs.high} | ${result.summary.smells.high} |
+| Medium | ${result.summary.bugs.medium} | ${result.summary.smells.medium} |
+| Low | ${result.summary.bugs.low} | ${result.summary.smells.low} |
+| **Total** | **${result.summary.bugs.total}** | **${result.summary.smells.total}** |
 
 ---
 `);
@@ -4627,18 +4704,18 @@ function extractFileEffects(filePath, content) {
   let currentFunction = "";
   const functionRegex = /(?:async\s+)?(?:function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?(?:\([^)]*\)|[^=])\s*=>|(\w+)\s*\([^)]*\)\s*(?::\s*[^{]+)?\s*\{)/;
   for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
+    const line2 = lines[i];
     const lineNum = i + 1;
-    const trimmed = line.trim();
+    const trimmed = line2.trim();
     if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) {
       continue;
     }
-    const funcMatch = line.match(functionRegex);
+    const funcMatch = line2.match(functionRegex);
     if (funcMatch) {
       currentFunction = funcMatch[1] || funcMatch[2] || funcMatch[3] || "";
     }
     for (const pattern of patterns) {
-      const match = line.match(pattern.regex);
+      const match = line2.match(pattern.regex);
       if (match) {
         let target = match[1] || "unknown";
         target = target.trim().replace(/['"`,]/g, "");
@@ -4654,8 +4731,8 @@ function extractFileEffects(filePath, content) {
           /cache/
         ];
         for (const pp of pathPatterns) {
-          if (line.match(pp)) {
-            target = line.match(pp)?.[0] || target;
+          if (line2.match(pp)) {
+            target = line2.match(pp)?.[0] || target;
             break;
           }
         }
@@ -4664,7 +4741,7 @@ function extractFileEffects(filePath, content) {
           type: pattern.type,
           target,
           line: lineNum,
-          code: line.trim(),
+          code: line2.trim(),
           functionName: currentFunction
         });
       }
@@ -4949,14 +5026,14 @@ function detectWeakValidation(block) {
   }
   for (let i = 0; i < lines.length; i++) {
     if (reportedLines.has(i)) continue;
-    const line = lines[i];
+    const line2 = lines[i];
     const weakPatterns = [
       { regex: /matchCount\s*>=?\s*\d/, issue: "Accepts content if only a few lines match" },
       { regex: /\.length\s*>\s*\w+\.length\s*\*\s*0\.\d/, issue: "Accepts content based only on length ratio" }
     ];
     const issues = [];
     for (const pattern of weakPatterns) {
-      if (line.match(pattern.regex)) {
+      if (line2.match(pattern.regex)) {
         issues.push(pattern.issue);
       }
     }
@@ -4970,7 +5047,7 @@ function detectWeakValidation(block) {
         line: block.startLine + i,
         evidence: [
           `Function: ${block.functionName}`,
-          `Pattern: ${line.trim()}`,
+          `Pattern: ${line2.trim()}`,
           `Issues: ${issues.join(", ")}`
         ],
         severity: "medium"
@@ -4986,14 +5063,14 @@ function detectPartialFailure(block) {
   let forLoopStart = 0;
   let forLoopItem = "";
   for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const forMatch = line.match(/for\s*\(\s*(?:const|let|var)\s+(\w+)\s+of/);
+    const line2 = lines[i];
+    const forMatch = line2.match(/for\s*\(\s*(?:const|let|var)\s+(\w+)\s+of/);
     if (forMatch) {
       inForLoop = true;
       forLoopStart = i;
       forLoopItem = forMatch[1];
     }
-    if (inForLoop && line.includes("break")) {
+    if (inForLoop && line2.includes("break")) {
       const hasFailureCheck = lines.slice(Math.max(0, i - 3), i + 1).join("\n").includes("!result.success") || lines.slice(Math.max(0, i - 3), i + 1).join("\n").includes("error") || lines.slice(Math.max(0, i - 3), i + 1).join("\n").includes("failed");
       const hasSkippedReport = block.content.includes("skipped") || block.content.includes("remaining") || block.content.includes("not attempted");
       if (hasFailureCheck && !hasSkippedReport) {
@@ -5013,7 +5090,7 @@ function detectPartialFailure(block) {
         });
       }
     }
-    if (inForLoop && line.trim() === "}" && i > forLoopStart + 2) {
+    if (inForLoop && line2.trim() === "}" && i > forLoopStart + 2) {
       inForLoop = false;
     }
   }
@@ -5025,21 +5102,21 @@ function extractFunctions(filePath, content) {
   const funcRegex = /(?:export\s+)?(?:async\s+)?function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*[^=]+)?\s*=>/;
   let currentFunc = null;
   for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
+    const line2 = lines[i];
+    const trimmed = line2.trim();
     if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) {
       continue;
     }
     if (!currentFunc) {
-      const match = line.match(funcRegex);
+      const match = line2.match(funcRegex);
       if (match) {
         const funcName = match[1] || match[2];
         currentFunc = { name: funcName, start: i, braceCount: 0 };
       }
     }
     if (currentFunc) {
-      currentFunc.braceCount += (line.match(/{/g) || []).length;
-      currentFunc.braceCount -= (line.match(/}/g) || []).length;
+      currentFunc.braceCount += (line2.match(/{/g) || []).length;
+      currentFunc.braceCount -= (line2.match(/}/g) || []).length;
       if (currentFunc.braceCount <= 0 && i > currentFunc.start) {
         blocks.push({
           file: filePath,
@@ -5248,10 +5325,146 @@ function makeIntentBug(cwd, contract, reason) {
   };
 }
 
+// src/cli/components/progress.ts
+function formatDuration(ms) {
+  const seconds = Math.floor(ms / 1e3);
+  const hours = Math.floor(seconds / 3600);
+  const mins = Math.floor(seconds % 3600 / 60);
+  const secs = seconds % 60;
+  if (hours > 0) {
+    return mins > 0 ? `${hours}h ${mins}m` : `${hours}h`;
+  }
+  if (mins > 0) {
+    return secs > 0 ? `${mins}m ${secs}s` : `${mins}m`;
+  }
+  return `${secs}s`;
+}
+
+// src/cli/components/card.ts
+var BOX = {
+  topLeft: "\u250C",
+  topRight: "\u2510",
+  bottomLeft: "\u2514",
+  bottomRight: "\u2518",
+  horizontal: "\u2500",
+  vertical: "\u2502",
+  teeRight: "\u251C",
+  teeLeft: "\u2524"
+};
+function line(char, width) {
+  return char.repeat(width);
+}
+function padRight(str, width) {
+  const stripped = str.replace(/\u001b\[\d+(;\d+)*m/g, "");
+  const padding = Math.max(0, width - stripped.length);
+  return str + " ".repeat(padding);
+}
+function row(content, width) {
+  return BOX.vertical + "  " + padRight(content, width - 4) + "  " + BOX.vertical;
+}
+function divider(width) {
+  return BOX.teeRight + line(BOX.horizontal, width) + BOX.teeLeft;
+}
+function topBorder(width) {
+  return BOX.topLeft + line(BOX.horizontal, width) + BOX.topRight;
+}
+function bottomBorder(width) {
+  return BOX.bottomLeft + line(BOX.horizontal, width) + BOX.bottomRight;
+}
+function severityDot(severity) {
+  const colors = {
+    critical: chalk3.red,
+    high: chalk3.yellow,
+    medium: chalk3.blue,
+    low: chalk3.dim
+  };
+  return colors[severity]("\u25CF");
+}
+function formatNumber(n) {
+  return String(n).padStart(3);
+}
+function renderScanCard(data) {
+  const width = 61;
+  const lines = [];
+  lines.push(topBorder(width));
+  lines.push(row(chalk3.bold.red("WHITEROSE SCAN COMPLETE"), width));
+  lines.push(divider(width));
+  const locFormatted = data.meta.linesOfCode.toLocaleString();
+  lines.push(row(`${chalk3.dim("Repository")}    ${data.meta.repoName}`, width));
+  lines.push(row(`${chalk3.dim("Provider")}      ${data.meta.provider}`, width));
+  lines.push(row(`${chalk3.dim("Duration")}      ${formatDuration(data.meta.duration)}`, width));
+  lines.push(row(`${chalk3.dim("Files")}         ${data.meta.filesScanned} files | ${locFormatted} LoC`, width));
+  lines.push(divider(width));
+  lines.push(row(`${chalk3.bold("BUGS")}                          ${chalk3.bold("SMELLS")}`, width));
+  const severities = ["critical", "high", "medium", "low"];
+  for (const sev of severities) {
+    const bugLine = `${severityDot(sev)} ${sev.charAt(0).toUpperCase() + sev.slice(1).padEnd(8)} ${formatNumber(data.bugs[sev])}`;
+    const smellLine = `${severityDot(sev)} ${sev.charAt(0).toUpperCase() + sev.slice(1).padEnd(8)} ${formatNumber(data.smells[sev])}`;
+    lines.push(row(`${bugLine}               ${smellLine}`, width));
+  }
+  lines.push(row(`${chalk3.dim("\u2500".repeat(13))}                 ${chalk3.dim("\u2500".repeat(13))}`, width));
+  const bugTotal = `Total        ${formatNumber(data.bugs.total)}`;
+  const smellTotal = `Total        ${formatNumber(data.smells.total)}`;
+  lines.push(row(`${chalk3.bold(bugTotal)}               ${chalk3.bold(smellTotal)}`, width));
+  lines.push(divider(width));
+  lines.push(row(`${chalk3.dim("Reports:")} ${chalk3.cyan(data.reportPath)}`, width));
+  if (data.bugs.total > 0 || data.smells.total > 0) {
+    lines.push(row(`${chalk3.dim("Run:")} ${chalk3.cyan("whiterose fix")}`, width));
+  }
+  lines.push(bottomBorder(width));
+  return lines.join("\n");
+}
+function renderStatusCard(repoName, provider, totalBugs, totalSmells, lastScanDate) {
+  const width = 45;
+  const lines = [];
+  lines.push(topBorder(width));
+  lines.push(row(chalk3.bold.red("WHITEROSE STATUS"), width));
+  lines.push(divider(width));
+  lines.push(row(`${chalk3.dim("Repository")}  ${repoName}`, width));
+  lines.push(row(`${chalk3.dim("Provider")}    ${provider}`, width));
+  if (lastScanDate) {
+    lines.push(row(`${chalk3.dim("Last scan")}   ${lastScanDate}`, width));
+  }
+  lines.push(divider(width));
+  lines.push(row(`${chalk3.bold("Open bugs:")}   ${totalBugs}`, width));
+  lines.push(row(`${chalk3.bold("Open smells:")} ${totalSmells}`, width));
+  lines.push(bottomBorder(width));
+  return lines.join("\n");
+}
+
 // src/cli/commands/scan.ts
+function getRepoName(cwd) {
+  try {
+    const gitConfigPath = join(cwd, ".git", "config");
+    if (existsSync(gitConfigPath)) {
+      const config = readFileSync(gitConfigPath, "utf-8");
+      const match = config.match(/url\s*=\s*.*[/:]([^/]+?)(?:\.git)?$/m);
+      if (match) return match[1];
+    }
+  } catch {
+  }
+  return basename(cwd);
+}
+async function countLinesOfCode(cwd, files) {
+  let total = 0;
+  for (const file of files.slice(0, 500)) {
+    try {
+      const content = readFileSync(join(cwd, file), "utf-8");
+      const lines = content.split("\n").filter((line2) => {
+        const trimmed = line2.trim();
+        return trimmed.length > 0 && !trimmed.startsWith("//") && !trimmed.startsWith("/*") && !trimmed.startsWith("*");
+      });
+      total += lines.length;
+    } catch {
+    }
+  }
+  return total;
+}
 async function scanCommand(paths, options) {
+  const scanStartTime = Date.now();
   const cwd = process.cwd();
   const whiterosePath = join(cwd, ".whiterose");
+  const repoName = getRepoName(cwd);
   const isQuickScan = options.quick || options.ci;
   const isQuiet = options.json || options.sarif || options.ci;
   if (!isQuickScan && !existsSync(whiterosePath)) {
@@ -5264,8 +5477,10 @@ async function scanCommand(paths, options) {
     process.exit(1);
   }
   if (!isQuiet) {
-    const scanMode = isQuickScan ? "quick scan (pre-commit)" : "thorough scan";
-    p3.intro(chalk3.red("whiterose") + chalk3.dim(` - ${scanMode}`));
+    const scanMode = isQuickScan ? "quick" : "full";
+    console.log();
+    console.log(chalk3.red.bold("whiterose") + chalk3.dim(` v1.0.9 | ${scanMode} scan`));
+    console.log();
   }
   let config;
   let understanding;
@@ -5311,12 +5526,19 @@ async function scanCommand(paths, options) {
   if (options.full || paths.length > 0) {
     scanType = "full";
     if (!isQuiet) {
-      const spinner6 = p3.spinner();
-      spinner6.start("Scanning files...");
-      filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
-      spinner6.stop(`Found ${filesToScan.length} files to scan`);
+      console.log(chalk3.dim("\u2502") + " Discovering files...");
+    }
+    if (paths.length > 0) {
+      filesToScan = await fg3(paths, {
+        cwd,
+        ignore: ["node_modules/**", "dist/**", "build/**", ".next/**"],
+        absolute: false
+      });
     } else {
-      filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
+      filesToScan = await scanCodebase(cwd, config);
+    }
+    if (!isQuiet) {
+      console.log(chalk3.dim("\u2502") + ` Found ${chalk3.cyan(filesToScan.length)} files`);
     }
   } else {
     if (!config) {
@@ -5342,12 +5564,11 @@ async function scanCommand(paths, options) {
   }
   let staticResults;
   if (!isQuiet) {
-    const staticSpinner = p3.spinner();
-    staticSpinner.start("Running static analysis (tsc, eslint)...");
-    staticResults = await runStaticAnalysis(cwd, filesToScan, config);
-    staticSpinner.stop(`Static analysis: ${staticResults.length} signals found`);
-  } else {
-    staticResults = await runStaticAnalysis(cwd, filesToScan, config);
+    console.log(chalk3.dim("\u2502") + " Running static analysis (tsc, eslint)...");
+  }
+  staticResults = await runStaticAnalysis(cwd, filesToScan, config);
+  if (!isQuiet) {
+    console.log(chalk3.dim("\u2502") + ` Static analysis: ${chalk3.cyan(staticResults.length)} signals`);
   }
   const providerName = options.provider || config?.provider || "claude-code";
   const executor = getExecutor(providerName);
@@ -5359,13 +5580,12 @@ async function scanCommand(paths, options) {
   }
   let bugs;
   if (!isQuiet) {
-    const llmSpinner = p3.spinner();
-    const analysisStartTime = Date.now();
-    llmSpinner.start(`Analyzing with ${providerName}...`);
+    console.log(chalk3.dim("\u2502"));
+    console.log(chalk3.cyan("\u2550\u2550\u2550 Analyzing with " + providerName + " \u2550\u2550\u2550"));
+    console.log();
     const scanner = new CoreScanner(executor, {}, {
       onProgress: (message) => {
         if (message.trim()) {
-          llmSpinner.stop("");
           if (message.includes("\u2550\u2550\u2550\u2550")) {
             console.log(chalk3.cyan(message));
           } else if (message.includes("\u2713")) {
@@ -5377,13 +5597,11 @@ async function scanCommand(paths, options) {
           } else {
             console.log(chalk3.dim(message));
           }
-          llmSpinner.start("Scanning...");
         }
       },
       onBugFound: (bug) => {
-        llmSpinner.stop("");
-        console.log(chalk3.magenta(`  \u2605 Found: ${bug.title} (${bug.severity})`));
-        llmSpinner.start("Scanning...");
+        const severityColor = bug.severity === "critical" ? chalk3.red : bug.severity === "high" ? chalk3.yellow : bug.severity === "medium" ? chalk3.blue : chalk3.dim;
+        console.log(chalk3.magenta("\u2605") + ` ${severityColor("[" + bug.severity + "]")} ${bug.title}`);
       }
     });
     try {
@@ -5402,11 +5620,11 @@ async function scanCommand(paths, options) {
           config
         });
       }
-      const totalTime = Math.floor((Date.now() - analysisStartTime) / 1e3);
-      llmSpinner.stop(`Found ${bugs.length} potential bugs (${totalTime}s)`);
+      console.log();
+      console.log(chalk3.dim("\u2502") + ` Found ${chalk3.cyan(bugs.length)} potential bugs`);
       if (scanner.hasPassErrors()) {
         const errors = scanner.getPassErrors();
-        p3.log.warn(`${errors.length} analysis pass(es) failed:`);
+        console.log(chalk3.yellow("\u26A0") + ` ${errors.length} analysis pass(es) failed:`);
         for (const err of errors.slice(0, 5)) {
           console.log(chalk3.yellow(`  - ${err.passName}: ${err.error}`));
         }
@@ -5415,8 +5633,8 @@ async function scanCommand(paths, options) {
         }
       }
     } catch (error) {
-      llmSpinner.stop("Analysis failed");
-      p3.log.error(String(error));
+      console.log(chalk3.red("\u2717") + " Analysis failed");
+      console.error(String(error));
       process.exit(1);
     }
   } else {
@@ -5449,61 +5667,53 @@ async function scanCommand(paths, options) {
   }
   if (!isQuickScan) {
     if (!isQuiet) {
-      const crossFileSpinner = p3.spinner();
-      crossFileSpinner.start("Running cross-file analysis...");
-      try {
-        const crossFileBugs = await analyzeCrossFile(cwd);
-        if (crossFileBugs.length > 0) {
-          bugs.push(...crossFileBugs);
-          crossFileSpinner.stop(`Cross-file analysis: ${crossFileBugs.length} issues found`);
-        } else {
-          crossFileSpinner.stop("Cross-file analysis: no issues");
-        }
-      } catch {
-        crossFileSpinner.stop("Cross-file analysis: skipped");
-      }
-    } else {
-      try {
-        const crossFileBugs = await analyzeCrossFile(cwd);
+      console.log(chalk3.dim("\u2502") + " Running cross-file analysis...");
+    }
+    try {
+      const crossFileBugs = await analyzeCrossFile(cwd);
+      if (crossFileBugs.length > 0) {
         bugs.push(...crossFileBugs);
-      } catch (err) {
-        if (options.ci) {
-          console.error(JSON.stringify({
-            error: "Cross-file analysis failed",
-            message: err instanceof Error ? err.message : String(err)
-          }));
-          process.exit(1);
+        if (!isQuiet) {
+          console.log(chalk3.dim("\u2502") + ` Cross-file: ${chalk3.cyan(crossFileBugs.length)} issues`);
         }
+      } else if (!isQuiet) {
+        console.log(chalk3.dim("\u2502") + " Cross-file: no issues");
+      }
+    } catch (err) {
+      if (!isQuiet) {
+        console.log(chalk3.dim("\u2502") + chalk3.dim(" Cross-file: skipped"));
+      } else if (options.ci) {
+        console.error(JSON.stringify({
+          error: "Cross-file analysis failed",
+          message: err instanceof Error ? err.message : String(err)
+        }));
+        process.exit(1);
       }
     }
   }
   if (!isQuickScan) {
     if (!isQuiet) {
-      const contractSpinner = p3.spinner();
-      contractSpinner.start("Running contract analysis...");
-      try {
-        const contractBugs = await analyzeContracts(cwd);
-        if (contractBugs.length > 0) {
-          bugs.push(...contractBugs);
-          contractSpinner.stop(`Contract analysis: ${contractBugs.length} issues found`);
-        } else {
-          contractSpinner.stop("Contract analysis: no issues");
-        }
-      } catch {
-        contractSpinner.stop("Contract analysis: skipped");
-      }
-    } else {
-      try {
-        const contractBugs = await analyzeContracts(cwd);
+      console.log(chalk3.dim("\u2502") + " Running contract analysis...");
+    }
+    try {
+      const contractBugs = await analyzeContracts(cwd);
+      if (contractBugs.length > 0) {
         bugs.push(...contractBugs);
-      } catch (err) {
-        if (options.ci) {
-          console.error(JSON.stringify({
-            error: "Contract analysis failed",
-            message: err instanceof Error ? err.message : String(err)
-          }));
-          process.exit(1);
+        if (!isQuiet) {
+          console.log(chalk3.dim("\u2502") + ` Contract: ${chalk3.cyan(contractBugs.length)} issues`);
         }
+      } else if (!isQuiet) {
+        console.log(chalk3.dim("\u2502") + " Contract: no issues");
+      }
+    } catch (err) {
+      if (!isQuiet) {
+        console.log(chalk3.dim("\u2502") + chalk3.dim(" Contract: skipped"));
+      } else if (options.ci) {
+        console.error(JSON.stringify({
+          error: "Contract analysis failed",
+          message: err instanceof Error ? err.message : String(err)
+        }));
+        process.exit(1);
       }
     }
   }
@@ -5543,25 +5753,45 @@ async function scanCommand(paths, options) {
     );
   }
   const allBugs = mergeResult.bugs;
+  const linesOfCode = await countLinesOfCode(cwd, filesToScan);
+  const scanDuration = Date.now() - scanStartTime;
+  const bugItems = allBugs.filter((b) => b.kind === "bug");
+  const smellItems = allBugs.filter((b) => b.kind === "smell");
+  const summary = {
+    bugs: {
+      critical: bugItems.filter((b) => b.severity === "critical").length,
+      high: bugItems.filter((b) => b.severity === "high").length,
+      medium: bugItems.filter((b) => b.severity === "medium").length,
+      low: bugItems.filter((b) => b.severity === "low").length,
+      total: bugItems.length
+    },
+    smells: {
+      critical: smellItems.filter((b) => b.severity === "critical").length,
+      high: smellItems.filter((b) => b.severity === "high").length,
+      medium: smellItems.filter((b) => b.severity === "medium").length,
+      low: smellItems.filter((b) => b.severity === "low").length,
+      total: smellItems.length
+    },
+    total: allBugs.length
+  };
+  const meta = {
+    repoName,
+    provider: providerName,
+    duration: scanDuration,
+    filesScanned: filesToScan.length,
+    linesOfCode
+  };
   const result = {
     id: `scan-${Date.now()}`,
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     scanType,
     filesScanned: filesToScan.length,
     filesChanged: scanType === "incremental" ? filesToScan.length : void 0,
-    duration: 0,
-    // TODO: track actual duration
+    duration: scanDuration,
+    linesOfCode,
     bugs: allBugs,
-    // Use accumulated bugs (union across all scans)
-    summary: {
-      critical: allBugs.filter((b) => b.kind === "bug" && b.severity === "critical").length,
-      high: allBugs.filter((b) => b.kind === "bug" && b.severity === "high").length,
-      medium: allBugs.filter((b) => b.kind === "bug" && b.severity === "medium").length,
-      low: allBugs.filter((b) => b.kind === "bug" && b.severity === "low").length,
-      total: allBugs.length,
-      bugs: allBugs.filter((b) => b.kind === "bug").length,
-      smells: allBugs.filter((b) => b.kind === "smell").length
-    }
+    summary,
+    meta
   };
   if (pendingHashState) {
     try {
@@ -5571,12 +5801,12 @@ async function scanCommand(paths, options) {
   }
   if (options.json || options.ci && !options.sarif) {
     console.log(JSON.stringify(result, null, 2));
-    if (options.ci && result.summary.bugs > 0) {
+    if (options.ci && result.summary.bugs.total > 0) {
       process.exit(1);
     }
   } else if (options.sarif) {
     console.log(JSON.stringify(outputSarif(result), null, 2));
-    if (options.ci && result.summary.bugs > 0) {
+    if (options.ci && result.summary.bugs.total > 0) {
       process.exit(1);
     }
   } else {
@@ -5599,32 +5829,24 @@ async function scanCommand(paths, options) {
     writeFileSync(sarifPath, JSON.stringify(outputSarif(result), null, 2));
     const jsonPath = join(outputDir, "bugs.json");
     writeFileSync(jsonPath, JSON.stringify(result, null, 2));
+    const lastScanPath = join(whiterosePath, "last-scan.json");
+    writeFileSync(lastScanPath, JSON.stringify(result, null, 2));
     writeFileSync(join(reportsDir, `${timestamp}.sarif`), JSON.stringify(outputSarif(result), null, 2));
     console.log();
-    p3.log.message(chalk3.bold("Scan Results"));
-    console.log();
-    console.log(`  ${chalk3.red("\u25CF")} Critical: ${result.summary.critical}`);
-    console.log(`  ${chalk3.yellow("\u25CF")} High: ${result.summary.high}`);
-    console.log(`  ${chalk3.blue("\u25CF")} Medium: ${result.summary.medium}`);
-    console.log(`  ${chalk3.dim("\u25CF")} Low: ${result.summary.low}`);
-    console.log();
-    if (newBugsThisScan > 0) {
-      console.log(`  ${chalk3.green("+")} New this scan: ${newBugsThisScan}`);
-    }
-    console.log(
-      `  ${chalk3.bold("Total findings:")} ${result.summary.total} (bugs: ${result.summary.bugs}, smells: ${result.summary.smells})`
-    );
+    const cardData = {
+      meta,
+      bugs: summary.bugs,
+      smells: summary.smells,
+      reportPath: "./" + relative(cwd, humanPath)
+    };
+    console.log(renderScanCard(cardData));
     console.log();
-    p3.log.success("Reports saved:");
-    console.log(`  ${chalk3.dim("\u251C")} ${chalk3.cyan(humanPath)} ${chalk3.dim("(tester-friendly)")}`);
-    console.log(`  ${chalk3.dim("\u251C")} ${chalk3.cyan(mdPath)} ${chalk3.dim("(technical)")}`);
-    console.log(`  ${chalk3.dim("\u251C")} ${chalk3.cyan(sarifPath)}`);
-    console.log(`  ${chalk3.dim("\u2514")} ${chalk3.cyan(jsonPath)}`);
+    console.log(chalk3.dim("Reports:"));
+    console.log(`  ${chalk3.dim("\u251C")} ${chalk3.cyan("./" + relative(cwd, humanPath))} ${chalk3.dim("(tester-friendly)")}`);
+    console.log(`  ${chalk3.dim("\u251C")} ${chalk3.cyan("./" + relative(cwd, mdPath))} ${chalk3.dim("(technical)")}`);
+    console.log(`  ${chalk3.dim("\u251C")} ${chalk3.cyan("./" + relative(cwd, sarifPath))}`);
+    console.log(`  ${chalk3.dim("\u2514")} ${chalk3.cyan("./" + relative(cwd, jsonPath))}`);
     console.log();
-    if (result.summary.total > 0) {
-      p3.log.info(`Run ${chalk3.cyan("whiterose fix")} to fix bugs interactively.`);
-    }
-    p3.outro(chalk3.green("Scan complete"));
   }
 }
 var Dashboard = ({ bugs, onSelectCategory }) => {
@@ -6655,8 +6877,8 @@ async function runAgenticFix(bug, config, projectDir, onProgress) {
           lineBuffer += text2;
           const lines = lineBuffer.split("\n");
           lineBuffer = lines.pop() || "";
-          for (const line of lines) {
-            const trimmed = line.trim();
+          for (const line2 of lines) {
+            const trimmed = line2.trim();
             if (trimmed) {
               try {
                 const event = JSON.parse(trimmed);
@@ -7042,7 +7264,7 @@ function loadBugsFromSarif(sarifPath) {
     const rawFile = r.locations?.[0]?.physicalLocation?.artifactLocation?.uri;
     const file = typeof rawFile === "string" ? rawFile : "unknown";
     const rawLine = r.locations?.[0]?.physicalLocation?.region?.startLine;
-    const line = typeof rawLine === "number" && Number.isFinite(rawLine) ? Math.floor(rawLine) : 0;
+    const line2 = typeof rawLine === "number" && Number.isFinite(rawLine) ? Math.floor(rawLine) : 0;
     const rawEndLine = r.locations?.[0]?.physicalLocation?.region?.endLine;
     const endLine = typeof rawEndLine === "number" && Number.isFinite(rawEndLine) ? Math.floor(rawEndLine) : void 0;
     const rawId = r.ruleId;
@@ -7055,7 +7277,7 @@ function loadBugsFromSarif(sarifPath) {
       title: sanitizeSarifText(String(rawTitle), "title"),
       description: sanitizeSarifText(String(rawDescription), "description"),
       file,
-      line,
+      line: line2,
       endLine,
       kind: validatedKind.success ? validatedKind.data : "bug",
       severity: mapSarifLevel(r.level),
@@ -7337,13 +7559,13 @@ async function fixSingleBug(bug, config, options, cwd) {
       if (result.diff) {
         console.log();
         console.log(chalk3.dim("  Changes:"));
-        for (const line of result.diff.split("\n")) {
-          if (line.startsWith("+")) {
-            console.log(chalk3.green(`  ${line}`));
-          } else if (line.startsWith("-")) {
-            console.log(chalk3.red(`  ${line}`));
+        for (const line2 of result.diff.split("\n")) {
+          if (line2.startsWith("+")) {
+            console.log(chalk3.green(`  ${line2}`));
+          } else if (line2.startsWith("-")) {
+            console.log(chalk3.red(`  ${line2}`));
           } else {
-            console.log(chalk3.dim(`  ${line}`));
+            console.log(chalk3.dim(`  ${line2}`));
           }
         }
         console.log();
@@ -7427,6 +7649,18 @@ async function refreshCommand(_options) {
   }
   p3.outro(chalk3.green("Refresh complete!"));
 }
+function getRepoName2(cwd) {
+  try {
+    const gitConfigPath = join(cwd, ".git", "config");
+    if (existsSync(gitConfigPath)) {
+      const config = readFileSync(gitConfigPath, "utf-8");
+      const match = config.match(/url\s*=\s*.*[/:]([^/]+?)(?:\.git)?$/m);
+      if (match) return match[1];
+    }
+  } catch {
+  }
+  return basename(cwd);
+}
 async function statusCommand() {
   const cwd = process.cwd();
   const whiterosePath = join(cwd, ".whiterose");
@@ -7435,67 +7669,75 @@ async function statusCommand() {
     p3.log.info('Run "whiterose init" first.');
     process.exit(1);
   }
-  p3.intro(chalk3.red("whiterose") + chalk3.dim(" - status"));
+  console.log();
+  console.log(chalk3.red.bold("whiterose") + chalk3.dim(" status"));
+  console.log();
   const config = await loadConfig(cwd);
-  const understanding = await loadUnderstanding(cwd);
-  const availableProviders = await detectProvider();
+  const repoName = getRepoName2(cwd);
+  const lastScanPath = join(whiterosePath, "last-scan.json");
+  let lastScan = null;
+  if (existsSync(lastScanPath)) {
+    try {
+      lastScan = JSON.parse(readFileSync(lastScanPath, "utf-8"));
+    } catch {
+    }
+  }
+  if (lastScan && lastScan.meta) {
+    const cardData = {
+      meta: lastScan.meta,
+      bugs: lastScan.summary.bugs,
+      smells: lastScan.summary.smells,
+      reportPath: "./whiterose-output/bugs-human.md"
+    };
+    console.log(renderScanCard(cardData));
+    console.log();
+    console.log(chalk3.dim(`Last scan: ${new Date(lastScan.timestamp).toLocaleString()}`));
+  } else {
+    const bugStats2 = getAccumulatedBugsStats(cwd);
+    const totalBugs = bugStats2.bySeverity ? Object.values(bugStats2.bySeverity).reduce((a, b) => a + b, 0) : 0;
+    console.log(renderStatusCard(
+      repoName,
+      config.provider,
+      totalBugs,
+      0,
+      // No smell tracking in accumulated bugs
+      bugStats2.lastUpdated ? new Date(bugStats2.lastUpdated).toLocaleDateString() : void 0
+    ));
+  }
   console.log();
-  console.log(chalk3.bold("  Configuration"));
-  console.log(`  ${chalk3.dim("Provider:")} ${config.provider}`);
-  console.log(`  ${chalk3.dim("Available:")} ${availableProviders.join(", ") || "none"}`);
+  const availableProviders = await detectProvider();
+  console.log(chalk3.dim("Configuration"));
+  console.log(`  Provider:  ${config.provider}`);
+  console.log(`  Available: ${availableProviders.join(", ") || "none"}`);
   console.log();
+  const understanding = await loadUnderstanding(cwd);
   if (understanding) {
-    console.log(chalk3.bold("  Codebase Understanding"));
-    console.log(`  ${chalk3.dim("Type:")} ${understanding.summary.type}`);
-    console.log(`  ${chalk3.dim("Framework:")} ${understanding.summary.framework || "none"}`);
-    console.log(`  ${chalk3.dim("Files:")} ${understanding.structure.totalFiles}`);
-    console.log(`  ${chalk3.dim("Features:")} ${understanding.features.length}`);
-    console.log(`  ${chalk3.dim("Contracts:")} ${understanding.contracts.length}`);
-    console.log(`  ${chalk3.dim("Generated:")} ${understanding.generatedAt}`);
+    console.log(chalk3.dim("Codebase"));
+    console.log(`  Type:      ${understanding.summary.type}`);
+    console.log(`  Framework: ${understanding.summary.framework || "none"}`);
+    console.log(`  Files:     ${understanding.structure.totalFiles}`);
+    console.log(`  Features:  ${understanding.features.length}`);
+    console.log(`  Contracts: ${understanding.contracts.length}`);
     console.log();
   }
   const hashesPath = join(whiterosePath, "cache", "file-hashes.json");
   if (existsSync(hashesPath)) {
     try {
       const hashes = JSON.parse(readFileSync(hashesPath, "utf-8"));
-      console.log(chalk3.bold("  Cache"));
-      console.log(`  ${chalk3.dim("Files tracked:")} ${hashes.fileHashes?.length || 0}`);
-      console.log(`  ${chalk3.dim("Last full scan:")} ${hashes.lastFullScan || "never"}`);
+      console.log(chalk3.dim("Cache"));
+      console.log(`  Files tracked: ${hashes.fileHashes?.length || 0}`);
+      console.log(`  Last full:     ${hashes.lastFullScan ? new Date(hashes.lastFullScan).toLocaleDateString() : "never"}`);
       console.log();
     } catch {
     }
   }
   const bugStats = getAccumulatedBugsStats(cwd);
   if (bugStats.total > 0) {
-    console.log(chalk3.bold("  Accumulated Bugs"));
-    console.log(`  ${chalk3.dim("Total:")} ${bugStats.total}`);
-    if (Object.keys(bugStats.bySeverity).length > 0) {
-      for (const [severity, count] of Object.entries(bugStats.bySeverity)) {
-        const color = severity === "critical" ? "red" : severity === "high" ? "yellow" : severity === "medium" ? "blue" : "dim";
-        console.log(`    ${chalk3[color]("\u25CF")} ${severity}: ${count}`);
-      }
-    }
-    console.log(`  ${chalk3.dim("Last updated:")} ${new Date(bugStats.lastUpdated).toLocaleString()}`);
-    console.log();
-  }
-  const reportsDir = join(whiterosePath, "reports");
-  if (existsSync(reportsDir)) {
-    const reports = readdirSync(reportsDir).filter((f) => f.endsWith(".sarif"));
-    if (reports.length > 0) {
-      const latestReport = reports.sort().reverse()[0];
-      const reportPath = join(reportsDir, latestReport);
-      const stats = statSync(reportPath);
-      console.log(chalk3.bold("  Last Scan"));
-      console.log(`  ${chalk3.dim("Report:")} ${latestReport}`);
-      console.log(`  ${chalk3.dim("Date:")} ${stats.mtime.toISOString()}`);
-      console.log();
-    }
-  }
-  if (bugStats.total > 0) {
-    p3.outro(chalk3.dim('Run "whiterose fix" to fix bugs, or "whiterose clear" to reset'));
+    console.log(chalk3.dim('Run "whiterose fix" to fix bugs, or "whiterose clear" to reset'));
   } else {
-    p3.outro(chalk3.dim('Run "whiterose scan" to scan for bugs'));
+    console.log(chalk3.dim('Run "whiterose scan" to scan for bugs'));
   }
+  console.log();
 }
 async function reportCommand(options) {
   const cwd = process.cwd();
@@ -7538,6 +7780,8 @@ async function reportCommand(options) {
     createdAt: (/* @__PURE__ */ new Date()).toISOString(),
     status: "open"
   })) || [];
+  const bugItems = bugs.filter((b) => b.kind === "bug");
+  const smellItems = bugs.filter((b) => b.kind === "smell");
   const result = {
     id: "report",
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
@@ -7546,13 +7790,21 @@ async function reportCommand(options) {
     duration: 0,
     bugs,
     summary: {
-      critical: bugs.filter((b) => b.kind === "bug" && b.severity === "critical").length,
-      high: bugs.filter((b) => b.kind === "bug" && b.severity === "high").length,
-      medium: bugs.filter((b) => b.kind === "bug" && b.severity === "medium").length,
-      low: bugs.filter((b) => b.kind === "bug" && b.severity === "low").length,
-      total: bugs.length,
-      bugs: bugs.filter((b) => b.kind === "bug").length,
-      smells: bugs.filter((b) => b.kind === "smell").length
+      bugs: {
+        critical: bugItems.filter((b) => b.severity === "critical").length,
+        high: bugItems.filter((b) => b.severity === "high").length,
+        medium: bugItems.filter((b) => b.severity === "medium").length,
+        low: bugItems.filter((b) => b.severity === "low").length,
+        total: bugItems.length
+      },
+      smells: {
+        critical: smellItems.filter((b) => b.severity === "critical").length,
+        high: smellItems.filter((b) => b.severity === "high").length,
+        medium: smellItems.filter((b) => b.severity === "medium").length,
+        low: smellItems.filter((b) => b.severity === "low").length,
+        total: smellItems.length
+      },
+      total: bugs.length
     }
   };
   let output;