fuzzi-cli 0.1.0 → 0.1.2

package/dist/index.js

@@ -9,7 +9,7 @@ var __export = (target, all) => {
 };
 
 // src/types/brand.ts
-var BRAND, RISK_COLORS, VERSION, DEFAULT_API_URL;
+var BRAND, RISK_COLORS, VERSION, APP_ORIGIN, DEFAULT_API_URL;
 var init_brand = __esm({
   "src/types/brand.ts"() {
     "use strict";
@@ -27,8 +27,9 @@ var init_brand = __esm({
       HIGH: "#EF4444",
       CRITICAL: "#A855F7"
     };
-    VERSION = "0.1.0";
-    DEFAULT_API_URL = "https://app.fuzzi.dev/api";
+    VERSION = "0.1.2";
+    APP_ORIGIN = "https://app.fuzzi.dev";
+    DEFAULT_API_URL = `${APP_ORIGIN}/api`;
   }
 });
 
@@ -396,6 +397,9 @@ function getCapabilities() {
   };
   return cached;
 }
+function resetCapabilities() {
+  cached = null;
+}
 var cached;
 var init_capabilities = __esm({
   "src/terminal/capabilities.ts"() {
@@ -434,7 +438,10 @@ function success(text) {
 function warn(text) {
   return color("#F59E0B", chalk.yellow)(text);
 }
-var accent, accentBold, muted, bold, dim;
+function info(text) {
+  return color(BRAND.accent, chalk.cyan)(text);
+}
+var accent, accentBold, muted, bold, dim, italic;
 var init_theme = __esm({
   "src/terminal/theme.ts"() {
     "use strict";
@@ -445,14 +452,7 @@ var init_theme = __esm({
     muted = color(BRAND.textSecondary, chalk.gray);
     bold = chalk.bold;
     dim = chalk.dim;
-  }
-});
-
-// src/lib/theme.ts
-var init_theme2 = __esm({
-  "src/lib/theme.ts"() {
-    "use strict";
-    init_theme();
+    italic = chalk.italic;
   }
 });
 
@@ -510,33 +510,79 @@ var init_strings = __esm({
   }
 });
 
+// src/terminal/width.ts
+import { stdout as stdout2 } from "process";
+function terminalWidth() {
+  resetCapabilities();
+  return Math.max(64, (stdout2.columns ?? 80) - 2);
+}
+function contentWidth() {
+  return terminalWidth() - 4;
+}
+var init_width = __esm({
+  "src/terminal/width.ts"() {
+    "use strict";
+    init_capabilities();
+  }
+});
+
 // src/terminal/layout.ts
 import boxen from "boxen";
 function panel(content, opts = {}) {
+  const width = opts.fullWidth !== false ? terminalWidth() : void 0;
   return boxen(content, {
     title: opts.title ? accentBold(opts.title) : void 0,
     padding: opts.padding ?? 1,
     margin: { top: 0, bottom: opts.marginBottom ?? 1, left: 0, right: 0 },
-    borderStyle: "round",
+    borderStyle: opts.borderStyle ?? "classic",
     borderColor: getCapabilities().trueColor ? BRAND.accent : void 0,
-    titleAlignment: "left"
+    titleAlignment: "left",
+    width
   });
 }
+function centerInColumn(text, colWidth) {
+  return text.split("\n").map((line) => {
+    const plain = line.replace(/\x1b\[[0-9;]*m/g, "");
+    const pad = Math.max(0, Math.floor((colWidth - plain.length) / 2));
+    return " ".repeat(pad) + line;
+  }).join("\n");
+}
+function splitHomePanel(opts) {
+  const total = contentWidth();
+  const leftW = Math.max(28, Math.floor(total * (opts.leftRatio ?? 0.34)));
+  const rightW = total - leftW - 3;
+  const leftLines = opts.left.split("\n");
+  const rightTop = opts.rightTop.split("\n");
+  const rightDiv = dim("\u2500".repeat(Math.max(10, rightW)));
+  const rightBottom = opts.rightBottom.split("\n");
+  const rightLines = [...rightTop, "", rightDiv, "", ...rightBottom];
+  const rows = Math.max(leftLines.length, rightLines.length);
+  const sep = dim("\u2502");
+  const body = [""];
+  for (let i = 0; i < rows; i++) {
+    const l = padEndVisible(leftLines[i] ?? "", leftW);
+    const r = rightLines[i] ?? "";
+    body.push(`${l} ${sep} ${r}`);
+  }
+  body.push("");
+  return panel(body.join("\n"), { title: opts.title, marginBottom: 0, borderStyle: "classic" });
+}
 function columns(left, right, leftWidth) {
-  const width = leftWidth ?? Math.floor(getCapabilities().width * 0.45);
+  const total = contentWidth();
+  const split = leftWidth ?? Math.floor(total * 0.48);
   const leftLines = left.split("\n");
   const rightLines = right.split("\n");
   const rows = Math.max(leftLines.length, rightLines.length);
   const out = [];
   for (let i = 0; i < rows; i++) {
-    const l = padEndVisible(leftLines[i] ?? "", width);
+    const l = padEndVisible(leftLines[i] ?? "", split);
     const r = rightLines[i] ?? "";
     out.push(`${l}  ${r}`);
   }
   return out.join("\n");
 }
 function divider(char = "\u2500", width) {
-  const w = width ?? getCapabilities().width - 4;
+  const w = width ?? contentWidth();
   return dim(char.repeat(Math.max(20, w)));
 }
 function statusBar(parts) {
@@ -554,6 +600,15 @@ var init_layout = __esm({
     init_theme();
     init_capabilities();
     init_strings();
+    init_width();
+  }
+});
+
+// src/lib/theme.ts
+var init_theme2 = __esm({
+  "src/lib/theme.ts"() {
+    "use strict";
+    init_theme();
   }
 });
 
@@ -648,16 +703,125 @@ init_credentials();
 init_api_client();
 init_credentials();
 init_config();
-init_theme2();
-import { password, input } from "@inquirer/prompts";
+init_theme();
+import { password, input, confirm } from "@inquirer/prompts";
+
+// src/lib/browser-auth.ts
+init_config();
+init_credentials();
+init_api_client();
+init_brand();
+init_logger();
+import { randomBytes } from "crypto";
+import { createServer } from "http";
+import { exec } from "child_process";
+var TIMEOUT_MS = 5 * 60 * 1e3;
+function generateState() {
+  return randomBytes(24).toString("base64url");
+}
+function openBrowser(url) {
+  const platform = process.platform;
+  const cmd = platform === "darwin" ? `open ${JSON.stringify(url)}` : platform === "win32" ? `start "" ${JSON.stringify(url)}` : `xdg-open ${JSON.stringify(url)}`;
+  exec(cmd, (err) => {
+    if (err) log.warn("could not open browser automatically", err.message);
+  });
+}
+function apiOrigin(apiUrl) {
+  return apiUrl.replace(/\/api\/?$/, "") || APP_ORIGIN;
+}
+async function runBrowserLogin() {
+  const config = await loadConfig();
+  const state = generateState();
+  const handoffToken = await new Promise((resolve, reject) => {
+    const server = createServer((req, res) => {
+      try {
+        const addr = server.address();
+        const port = typeof addr === "object" && addr ? addr.port : 0;
+        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+        if (url.pathname !== "/callback") {
+          res.writeHead(404);
+          res.end();
+          return;
+        }
+        const token = url.searchParams.get("token");
+        const returnedState = url.searchParams.get("state");
+        if (!token || returnedState !== state) {
+          res.writeHead(400);
+          res.end("Invalid callback");
+          reject(new ApiError("Invalid sign-in callback.", 400, "invalid_callback", void 0, 2));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;text-align:center;padding:48px">
+          <h1>Signed in to Fuzzi CLI</h1><p>Return to your terminal.</p>
+          <script>setTimeout(()=>window.close(),1200)</script></body></html>`);
+        server.close();
+        resolve(token);
+      } catch (e) {
+        server.close();
+        reject(e);
+      }
+    });
+    const timer = setTimeout(() => {
+      server.close();
+      reject(new ApiError("Sign-in timed out after 5 minutes.", 408, "auth_timeout", void 0, 2));
+    }, TIMEOUT_MS);
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      const port = typeof addr === "object" && addr ? addr.port : 0;
+      const loginUrl = `${apiOrigin(config.api_url)}/cli-auth?state=${encodeURIComponent(state)}&callback_port=${port}`;
+      openBrowser(loginUrl);
+      log.debug("browser auth", loginUrl);
+    });
+    server.on("error", (e) => {
+      clearTimeout(timer);
+      reject(e);
+    });
+  });
+  const client = new FuzziApiClient(config.api_url);
+  const handoff = await client.post("/cli/handoff", {
+    handoff_token: handoffToken,
+    state
+  });
+  if (!handoff.api_key) {
+    throw new ApiError("Sign-in failed: no API key returned.", 500, "handoff_failed", void 0, 2);
+  }
+  client.setToken(handoff.api_key);
+  const profile = await client.get("/me");
+  await saveCredentials({
+    api_key: handoff.api_key,
+    auth_method: "api_key",
+    key_prefix: handoff.prefix || profile.key_prefix || maskApiKey(handoff.api_key),
+    key_expires_at: handoff.expires_at || profile.key_expires_at || void 0,
+    email: profile.email,
+    full_name: profile.full_name || void 0,
+    saved_at: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  const name = profile.full_name || profile.email;
+  return { message: `Signed in as ${name}`, profile };
+}
+
+// src/commands/auth.ts
 async function runAuthLogin(opts = {}) {
+  if (opts.browser || opts.interactive !== false && !opts.apiKey && !opts.apiKeyOnly) {
+    try {
+      const result = await runBrowserLogin();
+      return success(result.message);
+    } catch (e) {
+      if (opts.browser) throw e;
+      if (opts.apiKeyOnly) throw e;
+    }
+  }
+  return runApiKeyLogin(opts);
+}
+async function runApiKeyLogin(opts = {}) {
   const config = await loadConfig();
   const client = new FuzziApiClient(config.api_url);
   let apiKey = opts.apiKey?.trim();
   if (!apiKey) {
     if (opts.interactive === false) {
       throw new ApiError(
-        "No API key provided. Generate one at https://app.fuzzi.dev/settings/api-keys",
+        "No API key provided. Run fuzzi auth login or sign in via browser.",
         401,
         "missing_key",
         void 0,
@@ -909,9 +1073,9 @@ function parseTomlSimple(raw) {
   }
   return config;
 }
-async function loadProjectConfig(cwd5) {
-  const fuzzirc = join3(cwd5, ".fuzzirc");
-  const fuzzitoml = join3(cwd5, "fuzzi.toml");
+async function loadProjectConfig(cwd4) {
+  const fuzzirc = join3(cwd4, ".fuzzirc");
+  const fuzzitoml = join3(cwd4, "fuzzi.toml");
   if (existsSync(fuzzirc)) {
     try {
       const raw = await readFile3(fuzzirc, "utf8");
@@ -1079,8 +1243,8 @@ async function runScanCommand(client, opts) {
   log.debug("creating scan", { url: opts.url, env });
   const created = await withRetry(() => client.post("/scan", body));
   if (!shouldWait) {
-    const output2 = format === "json" ? JSON.stringify(created, null, 2) : [success("Scan started"), muted(`ID: ${created.scan_id}`), muted(created.message)].join("\n");
-    return { output: output2, exitCode: 0 };
+    const output3 = format === "json" ? JSON.stringify(created, null, 2) : [success("Scan started"), muted(`ID: ${created.scan_id}`), muted(created.message)].join("\n");
+    return { output: output3, exitCode: 0 };
   }
   const host = hostnameFromUrl(opts.url);
   const progress = opts.onProgress ? { update: opts.onProgress, stop: () => {
@@ -1189,9 +1353,17 @@ function exitWith(code) {
 function buildProgram() {
   const program = new Command("fuzzi").name("fuzzi").description("Fuzzi security scanner CLI \u2014 interactive shell and scriptable commands").version(VERSION);
   const auth = program.command("auth").description("Authentication");
-  auth.command("login").description("Authenticate with an API key from https://app.fuzzi.dev/settings/api-keys").option("--api-key <key>", "API key (fz_live_...)").action(async (opts) => {
+  auth.command("login").description("Sign in via browser (default) or API key").option("--browser", "Sign in via browser (default when interactive)").option("--api-key <key>", "Paste an API key (fz_live_...)").action(async (opts) => {
     try {
-      console.log(await runAuthLogin({ apiKey: opts.apiKey, interactive: !opts.apiKey }));
+      const useApiKey = !!opts.apiKey;
+      console.log(
+        await runAuthLogin({
+          apiKey: opts.apiKey,
+          interactive: !opts.apiKey,
+          browser: !useApiKey,
+          apiKeyOnly: useApiKey
+        })
+      );
     } catch (e) {
       handleCommandError(e);
     }
@@ -1300,25 +1472,27 @@ function buildProgram() {
   return program;
 }
 
-// src/cli/bootstrap.ts
-init_credentials();
-init_api_client();
-import { cwd as cwd4 } from "process";
-
 // src/shell/prompt-loop.ts
 import * as readline from "readline/promises";
 import { stdin as input3, stdout as output } from "process";
 
+// src/shell/home-screen.ts
+import { homedir as homedir3 } from "os";
+
 // src/shell/ascii-mark.ts
 function renderFuzziMark() {
   return [
-    "       \u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E",
-    "      \u2571   \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2572",
-    "     \u2502    \u2502 FUZZI \u2502    \u2502",
-    "     \u2502    \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518    \u2502",
-    "     \u2502       \u2593\u2593\u2593       \u2502",
-    "      \u2572               \u2571",
-    "       \u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256F"
+    "      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588",
+    "    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588",
+    "    \u2588\u2588          \u2588\u2588",
+    "    \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588",
+    "    \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588",
+    "    \u2588\u2588   \u2588\u2588\u2588\u2588   \u2588\u2588",
+    "    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588",
+    "      \u2588\u2588      \u2588\u2588",
+    "      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588",
+    "        \u2588\u2588  \u2588\u2588",
+    "        \u2588\u2588  \u2588\u2588"
   ].join("\n");
 }
 
@@ -1326,6 +1500,7 @@ function renderFuzziMark() {
 init_brand();
 init_theme();
 init_layout();
+init_width();
 
 // src/lib/assets.ts
 import { readFile as readFile4 } from "fs/promises";
@@ -1352,33 +1527,119 @@ async function readAsset(name) {
 }
 
 // src/shell/home-screen.ts
-async function fetchHomeData(profile, cwd5) {
+async function fetchHomeData(profile, cwd4) {
   let changelog = [];
   try {
     changelog = JSON.parse(await readAsset("changelog.json"));
   } catch {
     changelog = [];
   }
-  return { profile, cwd: cwd5, changelog };
+  return { profile, cwd: cwd4, changelog };
 }
-function renderHomeScreen(data) {
+function isHomeDir(dir) {
+  return dir === homedir3() || dir === homedir3().replace(/\/$/, "");
+}
+function renderLeftColumn(data) {
+  const colW = Math.max(28, Math.floor(contentWidth() * 0.34));
   const name = data.profile?.full_name || data.profile?.email?.split("@")[0] || "there";
   const org = data.profile?.organization?.trim();
-  const welcome = data.profile ? accentBold(`Welcome back, ${name}!`) : muted("Welcome to Fuzzi");
-  const mark = accent(renderFuzziMark());
-  const connected = data.profile ? statusBar([accent("Connected"), org ?? null].filter(Boolean)) : muted("Not connected");
-  const headerBody = ["", welcome, "", mark, "", connected, muted(data.cwd), ""].join("\n");
+  const mark = centerInColumn(accent(renderFuzziMark()), colW);
+  const lines = [];
+  if (data.profile) {
+    lines.push(
+      accentBold(`Welcome back ${name}!`),
+      "",
+      mark,
+      "",
+      [accent("\u25CF Connected"), muted("\xB7"), info("API Key auth"), org ? muted("\xB7 " + org) : ""].filter(Boolean).join(" "),
+      muted(data.profile.email),
+      data.profile.role ? muted(`Role: ${data.profile.role}`) : "",
+      "",
+      muted(data.cwd),
+      "",
+      accent("/scan") + muted(" <url>   scan a target"),
+      accent("/scans") + muted("        browse history"),
+      accent("/status") + muted("       account info"),
+      accent("/keys") + muted("         manage keys"),
+      accent("/palette") + muted("      find commands")
+    );
+  } else {
+    lines.push(
+      accentBold("Welcome to Fuzzi!"),
+      "",
+      mark,
+      "",
+      muted("Not connected"),
+      info("Press Enter to sign in"),
+      "",
+      muted(data.cwd),
+      "",
+      accent("/auth") + muted("      browser sign-in"),
+      accent("/auth-key") + muted("  paste API key"),
+      accent("/scan") + muted(" <url>  after login"),
+      accent("/help") + muted("       all commands")
+    );
+  }
+  return lines.filter((l) => l !== "").join("\n");
+}
+function renderTipsColumn(data) {
+  const lines = [
+    accentBold("Tips for getting started"),
+    "",
+    `Run ${accent("/scan")}${muted(" <url>")} to scan a site for security risks`,
+    `Run ${accent("/palette")} to search every available command`,
+    `Run ${accent("/help")} for the full command reference`,
+    ""
+  ];
+  if (!data.profile) {
+    lines.push(
+      muted("Note: You launched without credentials."),
+      muted("Press Enter at the prompt to open your browser,"),
+      muted("or use /auth-key to paste an API key."),
+      ""
+    );
+  } else if (isHomeDir(data.cwd)) {
+    lines.push(
+      muted("Note: You launched fuzzi in your home directory."),
+      muted("cd into a project folder first for better context,"),
+      muted("or pass URLs directly: /scan https://example.com"),
+      ""
+    );
+  } else {
+    lines.push(
+      muted("Note: Add a .fuzzirc in this directory to set default"),
+      muted("scan URL, environment, and output format for the team."),
+      ""
+    );
+  }
+  lines.push(
+    muted("CI usage: "),
+    muted("fuzzi scan <url> --fail-on critical --format json")
+  );
+  return lines.join("\n");
+}
+function renderWhatsNewColumn(data) {
   const latest = data.changelog[0];
-  const whatsNew = latest ? [...latest.highlights.slice(0, 2).map((h) => muted(`\xB7 ${h}`)), muted("/changelog for more")].join("\n") : muted("Stay tuned for updates");
-  const quickActions = [
-    accent("/scan") + muted(" <url>") + muted("  scan a target"),
-    accent("/scans") + muted("       browse history"),
-    accent("/status") + muted("      account info"),
-    accent("/palette") + muted("     search commands"),
-    accent("/help") + muted("        all commands")
-  ].join("\n");
-  const panels = panel(columns(quickActions, whatsNew, 38), { title: "Quick actions" });
-  return panel(headerBody, { title: `Fuzzi CLI v${VERSION}`, marginBottom: 0 }) + "\n" + panels;
+  const lines = [accentBold("What's new"), ""];
+  if (latest) {
+    for (const h of latest.highlights.slice(0, 4)) {
+      lines.push(muted(h));
+    }
+    lines.push("");
+    lines.push(italic(muted("/changelog for more")));
+  } else {
+    lines.push(muted("Stay tuned for updates."));
+  }
+  return lines.join("\n");
+}
+function renderHomeScreen(data) {
+  return splitHomePanel({
+    title: `Fuzzi CLI v${VERSION}`,
+    left: renderLeftColumn(data),
+    rightTop: renderTipsColumn(data),
+    rightBottom: renderWhatsNewColumn(data),
+    leftRatio: 0.36
+  });
 }
 function renderChangelog(entries) {
   if (!entries.length) return muted("No changelog entries.");
@@ -1393,7 +1654,7 @@ function renderChangelog(entries) {
 
 // src/shell/slash-commands.ts
 init_api_client();
-import { confirm, input as input2 } from "@inquirer/prompts";
+import { confirm as confirm2, input as input2 } from "@inquirer/prompts";
 
 // src/commands/keys.ts
 init_table();
@@ -1422,9 +1683,9 @@ async function searchPalette(message, choices) {
   try {
     return await search({
       message,
-      source: async (input4) => {
-        if (!input4) return choices;
-        const q = input4.toLowerCase();
+      source: async (input5) => {
+        if (!input5) return choices;
+        const q = input5.toLowerCase();
         return choices.filter((c) => c.value.includes(q) || c.description?.includes(q));
       }
     });
@@ -1482,13 +1743,14 @@ var SLASH_COMMANDS = [
   { name: "/palette", description: "Open command palette", aliases: ["/commands"] },
   { name: "/changelog", description: "View release notes" },
   { name: "/help", description: "Show all commands" },
-  { name: "/auth", description: "Log in with API key", aliases: ["/login"] },
+  { name: "/auth", description: "Sign in via browser", aliases: ["/login"] },
+  { name: "/auth-key", description: "Paste an API key instead", usage: "/auth-key" },
   { name: "/clear", description: "Clear screen and refresh home" },
   { name: "/history", description: "Show recent commands" },
   { name: "/exit", description: "Exit the shell", aliases: ["/quit"] }
 ];
-function findCommand(input4) {
-  const cmd = input4.trim().split(/\s/)[0].toLowerCase();
+function findCommand(input5) {
+  const cmd = input5.trim().split(/\s/)[0].toLowerCase();
   return SLASH_COMMANDS.find(
     (c) => c.name === cmd || c.aliases?.some((a) => a === cmd)
   );
@@ -1569,14 +1831,59 @@ function successBox(message) {
 
 // src/shell/slash-commands.ts
 init_strings();
+function normalizeInput(line) {
+  let t = line.trim();
+  if (!t || t.startsWith("/")) return t;
+  if (t.toLowerCase().startsWith("fuzzi ")) t = t.slice(6).trim();
+  const lower = t.toLowerCase();
+  const aliases = {
+    "auth login": "/auth",
+    auth: "/auth",
+    login: "/auth",
+    "auth-key": "/auth-key",
+    logout: "/exit",
+    help: "/help",
+    exit: "/exit",
+    quit: "/exit",
+    clear: "/clear",
+    changelog: "/changelog",
+    status: "/status",
+    scans: "/scans",
+    keys: "/keys",
+    palette: "/palette"
+  };
+  if (aliases[lower]) return aliases[lower];
+  if (lower.startsWith("scan ")) return `/scan ${t.slice(5).trim()}`;
+  if (lower.startsWith("config set ")) {
+    const parts = t.slice(11).trim().split(/\s+/);
+    if (parts.length >= 2) return `/config ${parts[0]}=${parts.slice(1).join(" ")}`;
+  }
+  if (lower.startsWith("config ")) return `/config ${t.slice(7).trim().replace(/\s+/, "=")}`;
+  if (!t.includes(" ") && t.includes(".")) return `/scan ${t}`;
+  return t;
+}
+function normalizeScanUrl(url) {
+  const u = url.trim();
+  if (!/^https?:\/\//i.test(u)) return `https://${u}`;
+  return u;
+}
 async function dispatchSlashCommand(line, ctx) {
   const trimmed = line.trim();
   if (!trimmed) return {};
   if (trimmed === "/exit" || trimmed === "/quit") return { exit: true };
   const [cmd, ...rest] = trimmed.split(/\s+/);
   const arg = rest.join(" ").trim();
-  const def = findCommand(cmd);
-  if (!def && cmd.startsWith("/")) {
+  if (!cmd.startsWith("/")) {
+    ctx.sink.write(
+      errorBox(
+        `Not a shell command: ${trimmed}`,
+        `Use slash commands here \u2014 e.g. ${accent("/auth")} not "fuzzi auth login"
+${accent("/help")} lists everything`
+      )
+    );
+    return {};
+  }
+  if (!findCommand(cmd) && cmd.startsWith("/")) {
     ctx.sink.write(errorBox(`Unknown command: ${cmd}`, "Type /help or /palette"));
     return {};
   }
@@ -1606,9 +1913,10 @@ async function dispatchSlashCommand(line, ctx) {
         const client = await getAuthenticatedClient();
         const progress = createStreamProgress(ctx.sink);
         const result = await runScanCommand(client, {
-          url: arg,
+          url: normalizeScanUrl(arg),
           wait: true,
-          onProgress: progress.update
+          onProgress: progress.update,
+          streamProgress: true
         });
         progress.stop();
         ctx.sink.write(result.output);
@@ -1674,7 +1982,12 @@ ${muted("Rate limit")}  ${rate}` : status);
       }
       case "/login":
       case "/auth": {
-        ctx.sink.write(await runAuthLogin({ interactive: true }));
+        ctx.sink.write(await runAuthLogin({ interactive: true, browser: true }));
+        const client = await getAuthenticatedClient();
+        return { profile: await client.get("/me"), redraw: true };
+      }
+      case "/auth-key": {
+        ctx.sink.write(await runApiKeyLogin({ interactive: true }));
         const client = await getAuthenticatedClient();
         return { profile: await client.get("/me"), redraw: true };
       }
@@ -1737,7 +2050,7 @@ async function runKeysInteractive(ctx) {
   if (action.toLowerCase() === "r") {
     const keyId = await pickKeyForRevoke(client);
     if (!keyId) return;
-    const ok = await confirm({ message: "Revoke this API key?", default: false }).catch(() => false);
+    const ok = await confirm2({ message: "Revoke this API key?", default: false }).catch(() => false);
     if (ok) ctx.sink.write(successBox(await runKeyRevoke(client, keyId)));
   } else if (action.toLowerCase() === "n") {
     const name = await promptNewKeyName();
@@ -1775,15 +2088,16 @@ async function runPromptLoop(initialProfile) {
   const workDir = cwd3();
   const history = await loadHistory();
   const refresh = async () => {
-    if (getCapabilities().interactive) console.clear();
+    if (getCapabilities().interactive) {
+      process.stdout.write("\x1B[2J\x1B[H");
+    }
     const data = await fetchHomeData(profile, workDir);
     console.log(renderHomeScreen(data));
-    const bar = statusBar([
+    console.log(statusBar([
       profile ? muted(profile.email) : muted("guest"),
       dim(workDir),
       isDebugMode() ? muted("debug") : null
-    ].filter(Boolean));
-    console.log(bar);
+    ].filter(Boolean)));
     console.log("");
   };
   await refresh();
@@ -1809,7 +2123,8 @@ async function runPromptLoop(initialProfile) {
       error: (text) => console.error(text),
       clearLine: () => process.stdout.write("\r\x1B[K")
     };
-    const result = await dispatchSlashCommand(line, {
+    const normalized = normalizeInput(line);
+    const result = await dispatchSlashCommand(normalized, {
       cwd: workDir,
       profile,
       sink,
@@ -1826,22 +2141,16 @@ async function runPromptLoop(initialProfile) {
   }
 }
 
-// src/shell/onboarding.ts
+// src/shell/auth-gate.ts
+init_layout();
 init_theme();
-function renderOnboarding() {
-  return [
-    muted("Authenticate to run scans and browse results."),
-    "",
-    `  1. Generate an API key at ${accent("app.fuzzi.dev/settings/api-keys")}`,
-    `  2. Run ${accent("/auth")} or ${accent("fuzzi auth login")}`,
-    `  3. Scan a URL with ${accent("/scan https://example.com")}`,
-    "",
-    muted("Type /help for all commands  \xB7  /palette to search")
-  ].join("\n");
-}
+init_width();
+import * as readline2 from "readline";
+import { stdin as input4, stdout as output2 } from "process";
 
-// src/cli/bootstrap.ts
-init_layout();
+// src/cli/profile.ts
+init_credentials();
+init_api_client();
 init_logger();
 async function tryGetProfile() {
   try {
@@ -1854,13 +2163,83 @@ async function tryGetProfile() {
     return null;
   }
 }
+
+// src/shell/auth-gate.ts
+init_brand();
+function renderAuthGate() {
+  const colW = Math.max(28, Math.floor(contentWidth() * 0.36));
+  const mark = centerInColumn(accent(renderFuzziMark()), colW);
+  const left = [
+    accentBold("Welcome to Fuzzi!"),
+    "",
+    mark,
+    "",
+    muted("Not connected"),
+    info("Sign in to run scans"),
+    "",
+    accent("/auth-key") + muted("  paste API key"),
+    accent("/help") + muted("       commands")
+  ].join("\n");
+  const rightTop = [
+    accentBold("Sign in to continue"),
+    "",
+    info("Press Enter to open your browser"),
+    muted("and authorize the CLI."),
+    "",
+    muted("A local server receives the callback"),
+    muted("from app.fuzzi.dev automatically.")
+  ].join("\n");
+  const rightBottom = [
+    accentBold("Other options"),
+    "",
+    muted("Paste an API key with /auth-key"),
+    muted("from Settings \u2192 API Keys on the web."),
+    "",
+    italic(muted("docs: app.fuzzi.dev/settings/api-keys"))
+  ].join("\n");
+  return splitHomePanel({
+    title: `Fuzzi CLI v${VERSION}`,
+    left,
+    rightTop,
+    rightBottom,
+    leftRatio: 0.36
+  });
+}
+function waitForEnter() {
+  return new Promise((resolve) => {
+    const rl = readline2.createInterface({ input: input4, output: output2, terminal: true });
+    output2.write(accent("\n  \u203A Press Enter to open browser... "));
+    rl.once("line", () => {
+      rl.close();
+      resolve();
+    });
+  });
+}
+async function runAuthGate() {
+  const existing = await tryGetProfile();
+  if (existing) return existing;
+  if (!output2.isTTY) return null;
+  console.log(renderAuthGate());
+  await waitForEnter();
+  const progress = createProgress("Opening browser...");
+  try {
+    const result = await runBrowserLogin();
+    progress.succeed("Signed in");
+    console.log(accent(result.message));
+    return result.profile;
+  } catch (e) {
+    progress.fail("Sign-in failed");
+    console.log(muted(formatApiError(e)));
+    console.log(muted("Use /auth-key to paste an API key, or /auth to retry."));
+    return null;
+  }
+}
+
+// src/cli/bootstrap.ts
 async function runInteractiveMode() {
-  const profile = await tryGetProfile();
-  const workDir = cwd4();
-  const data = await fetchHomeData(profile, workDir);
-  console.log(renderHomeScreen(data));
+  let profile = await tryGetProfile();
   if (!profile) {
-    console.log(panel(renderOnboarding(), { title: "Get started" }));
+    profile = await runAuthGate();
   }
   await runPromptLoop(profile);
 }