fuzzi-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1880 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/types/brand.ts
+var BRAND, RISK_COLORS, VERSION, DEFAULT_API_URL;
+var init_brand = __esm({
+  "src/types/brand.ts"() {
+    "use strict";
+    BRAND = {
+      accent: "#4FC3A1",
+      accentDim: "#3A9A7E",
+      text: "#FAFAFA",
+      textSecondary: "#8C8C8C",
+      bg: "#0A0A0A",
+      border: "#2A2A2A"
+    };
+    RISK_COLORS = {
+      LOW: "#22C55E",
+      MEDIUM: "#F59E0B",
+      HIGH: "#EF4444",
+      CRITICAL: "#A855F7"
+    };
+    VERSION = "0.1.0";
+    DEFAULT_API_URL = "https://app.fuzzi.dev/api";
+  }
+});
+
+// src/lib/credentials.ts
+import { mkdir, readFile, writeFile, chmod, unlink } from "fs/promises";
+import { homedir } from "os";
+import { join } from "path";
+function fuzziDir() {
+  return FUZZI_DIR;
+}
+async function ensureDir() {
+  await mkdir(FUZZI_DIR, { recursive: true, mode: 448 });
+}
+function normalizeCredentials(raw) {
+  if (raw.api_key && typeof raw.api_key === "string") {
+    return {
+      api_key: raw.api_key,
+      auth_method: "api_key",
+      key_prefix: raw.key_prefix || raw.api_key.slice(0, 12) + "...",
+      key_expires_at: raw.key_expires_at,
+      email: raw.email,
+      full_name: raw.full_name,
+      saved_at: raw.saved_at || (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (raw.access_token && typeof raw.access_token === "string") {
+    return {
+      api_key: raw.access_token,
+      auth_method: "api_key",
+      key_prefix: raw.access_token.slice(0, 12) + "...",
+      email: raw.email,
+      full_name: raw.full_name,
+      saved_at: raw.saved_at || (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  throw new Error("Invalid credentials file");
+}
+async function loadCredentials() {
+  for (const path of [CREDENTIALS_PATH, LEGACY_CREDENTIALS_PATH]) {
+    try {
+      const raw = await readFile(path, "utf8");
+      const parsed = JSON.parse(raw);
+      if (!parsed || Object.keys(parsed).length === 0) return null;
+      return normalizeCredentials(parsed);
+    } catch {
+    }
+  }
+  return null;
+}
+async function saveCredentials(creds) {
+  await ensureDir();
+  await writeFile(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
+  try {
+    await chmod(CREDENTIALS_PATH, 384);
+  } catch {
+  }
+}
+async function clearCredentials() {
+  for (const path of [CREDENTIALS_PATH, LEGACY_CREDENTIALS_PATH]) {
+    try {
+      await unlink(path);
+    } catch {
+    }
+  }
+}
+function maskApiKey(key) {
+  if (key.length <= 16) return key.slice(0, 8) + "...";
+  return key.slice(0, 12) + "...";
+}
+function isValidApiKeyFormat(key) {
+  return /^fz_live_[A-Za-z0-9_-]{20,}$/.test(key.trim());
+}
+var FUZZI_DIR, CREDENTIALS_PATH, LEGACY_CREDENTIALS_PATH;
+var init_credentials = __esm({
+  "src/lib/credentials.ts"() {
+    "use strict";
+    FUZZI_DIR = join(homedir(), ".fuzzi");
+    CREDENTIALS_PATH = join(FUZZI_DIR, "credentials");
+    LEGACY_CREDENTIALS_PATH = join(FUZZI_DIR, "credentials.json");
+  }
+});
+
+// src/lib/config.ts
+import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2, chmod as chmod2 } from "fs/promises";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+async function ensureDir2() {
+  await mkdir2(fuzziDir(), { recursive: true, mode: 448 });
+}
+async function loadConfig() {
+  for (const path of [CONFIG_PATH, LEGACY_CONFIG_PATH]) {
+    try {
+      const raw = await readFile2(path, "utf8");
+      const parsed = JSON.parse(raw);
+      return {
+        api_url: process.env.FUZZI_API_URL || parsed.api_url || DEFAULT_API_URL,
+        default_env: parsed.default_env,
+        default_format: parsed.default_format,
+        ...parsed
+      };
+    } catch {
+    }
+  }
+  return { api_url: process.env.FUZZI_API_URL || DEFAULT_API_URL };
+}
+async function saveConfig(config) {
+  await ensureDir2();
+  await writeFile2(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 384 });
+  try {
+    await chmod2(CONFIG_PATH, 384);
+  } catch {
+  }
+}
+async function setConfigValue(key, value) {
+  const config = await loadConfig();
+  if (key === "api_url") config.api_url = value;
+  else if (key === "default_env") config.default_env = value;
+  else if (key === "default_format") config.default_format = value;
+  else config[key] = value;
+  await saveConfig(config);
+}
+async function getConfigValue(key) {
+  const config = await loadConfig();
+  return config[key];
+}
+async function listConfigEntries() {
+  const config = await loadConfig();
+  const entries = {};
+  for (const [k, v] of Object.entries(config)) {
+    if (v !== void 0) entries[k] = String(v);
+  }
+  return entries;
+}
+var CONFIG_PATH, LEGACY_CONFIG_PATH;
+var init_config = __esm({
+  "src/lib/config.ts"() {
+    "use strict";
+    init_brand();
+    init_credentials();
+    CONFIG_PATH = join2(homedir2(), ".fuzzi", "config");
+    LEGACY_CONFIG_PATH = join2(homedir2(), ".fuzzi", "config.json");
+  }
+});
+
+// src/lib/logger.ts
+function currentLevel() {
+  if (process.env.FUZZI_DEBUG === "1" || process.env.FUZZI_DEBUG === "true") return "debug";
+  if (process.env.FUZZI_LOG_LEVEL) return process.env.FUZZI_LOG_LEVEL;
+  return "warn";
+}
+function shouldLog(level) {
+  return LEVELS[level] >= LEVELS[currentLevel()];
+}
+function stamp() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function isDebugMode() {
+  return currentLevel() === "debug";
+}
+var LEVELS, log;
+var init_logger = __esm({
+  "src/lib/logger.ts"() {
+    "use strict";
+    LEVELS = { debug: 0, info: 1, warn: 2, error: 3 };
+    log = {
+      debug(...args) {
+        if (shouldLog("debug")) console.error(`[fuzzi ${stamp()}]`, ...args);
+      },
+      info(...args) {
+        if (shouldLog("info")) console.error(`[fuzzi ${stamp()}]`, ...args);
+      },
+      warn(...args) {
+        if (shouldLog("warn")) console.error(`[fuzzi ${stamp()}]`, ...args);
+      },
+      error(...args) {
+        if (shouldLog("error")) console.error(`[fuzzi ${stamp()}]`, ...args);
+      }
+    };
+  }
+});
+
+// src/lib/api-client.ts
+function mapErrorMessage(status, body) {
+  const code = body.code?.toLowerCase();
+  const msg = body.error || body.message || "";
+  if (status === 401) {
+    if (code === "key_revoked" || msg.toLowerCase().includes("revoked")) {
+      return "API key has been revoked. Please log in again.";
+    }
+    if (code === "key_expired" || msg.toLowerCase().includes("expired")) {
+      return "API key has expired. Generate a new one at https://app.fuzzi.dev/settings/api-keys";
+    }
+    return "Invalid API key. Generate a new one at https://app.fuzzi.dev/settings/api-keys";
+  }
+  if (status === 403 && (code === "ssrf" || msg.toLowerCase().includes("private ip"))) {
+    return "This URL is not allowed (private IP address detected). Please scan a public-facing URL.";
+  }
+  if (status === 400 && msg.toLowerCase().includes("url")) {
+    return "Invalid URL. Please provide a valid URL starting with http:// or https://";
+  }
+  if (status === 429) {
+    return msg || "Rate limit exceeded.";
+  }
+  if (msg.toLowerCase().startsWith("scan failed")) {
+    return msg;
+  }
+  if (msg) return msg;
+  return `Request failed with status ${status}`;
+}
+async function getAuthenticatedClient() {
+  const client = await FuzziApiClient.create();
+  if (!client["token"]) {
+    throw new ApiError("Not authenticated. Run: fuzzi auth login", 401, "not_authenticated", void 0, 2);
+  }
+  return client;
+}
+var ApiError, FuzziApiClient;
+var init_api_client = __esm({
+  "src/lib/api-client.ts"() {
+    "use strict";
+    init_config();
+    init_credentials();
+    init_logger();
+    ApiError = class extends Error {
+      constructor(message, status, code, body, exitCode) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.body = body;
+        this.name = "ApiError";
+        this.exitCode = exitCode;
+      }
+      status;
+      code;
+      body;
+      exitCode;
+    };
+    FuzziApiClient = class _FuzziApiClient {
+      constructor(baseUrl, token) {
+        this.baseUrl = baseUrl;
+        this.token = token;
+      }
+      baseUrl;
+      token;
+      static async create() {
+        const config = await loadConfig();
+        const creds = await loadCredentials();
+        return new _FuzziApiClient(config.api_url.replace(/\/$/, ""), creds?.api_key);
+      }
+      get base() {
+        return this.baseUrl;
+      }
+      setToken(token) {
+        this.token = token;
+      }
+      headers() {
+        const h = { "Content-Type": "application/json", Accept: "application/json" };
+        if (this.token) h.Authorization = `Bearer ${this.token}`;
+        return h;
+      }
+      async request(method, path, body) {
+        const url = `${this.baseUrl}${path.startsWith("/") ? path : `/${path}`}`;
+        log.debug(`${method} ${url}`);
+        let res;
+        try {
+          res = await fetch(url, {
+            method,
+            headers: this.headers(),
+            body: body !== void 0 ? JSON.stringify(body) : void 0
+          });
+        } catch {
+          throw new ApiError(
+            "Could not connect to app.fuzzi.dev. Check your internet connection or try again later.",
+            0,
+            "network_error",
+            void 0,
+            2
+          );
+        }
+        let data;
+        const text = await res.text();
+        try {
+          data = text ? JSON.parse(text) : {};
+        } catch {
+          data = { error: text };
+        }
+        if (!res.ok) {
+          const errBody = data;
+          let message = mapErrorMessage(res.status, errBody);
+          if (res.status === 429) {
+            const retryAfter = res.headers.get("Retry-After");
+            const seconds = retryAfter ? parseInt(retryAfter, 10) : 60;
+            message = `Rate limit exceeded. Retry after ${seconds} seconds.`;
+          }
+          if (res.status >= 500) {
+            message = `Scan failed: ${errBody.error || errBody.message || res.statusText}`;
+          }
+          throw new ApiError(message, res.status, errBody.code, data, 2);
+        }
+        return data;
+      }
+      get(path) {
+        return this.request("GET", path);
+      }
+      post(path, body) {
+        return this.request("POST", path, body);
+      }
+      patch(path, body) {
+        return this.request("PATCH", path, body);
+      }
+      delete(path) {
+        return this.request("DELETE", path);
+      }
+      async validateToken() {
+        try {
+          await this.get("/me");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      async download(path) {
+        const url = `${this.baseUrl}${path.startsWith("/") ? path : `/${path}`}`;
+        let res;
+        try {
+          res = await fetch(url, { headers: this.headers() });
+        } catch {
+          throw new ApiError(
+            "Could not connect to app.fuzzi.dev. Check your internet connection or try again later.",
+            0,
+            "network_error",
+            void 0,
+            2
+          );
+        }
+        if (!res.ok) {
+          const text = await res.text();
+          let errBody = {};
+          try {
+            errBody = JSON.parse(text);
+          } catch {
+            errBody = { error: text };
+          }
+          throw new ApiError(mapErrorMessage(res.status, errBody), res.status, errBody.code, errBody, 2);
+        }
+        const buf = Buffer.from(await res.arrayBuffer());
+        return { data: buf, contentType: res.headers.get("content-type") || "application/octet-stream" };
+      }
+    };
+  }
+});
+
+// src/terminal/capabilities.ts
+import { stdout } from "process";
+function getCapabilities() {
+  if (cached) return cached;
+  const cols = stdout.columns ?? 80;
+  const term = process.env.TERM ?? "";
+  const colorterm = process.env.COLORTERM ?? "";
+  const trueColor = colorterm.includes("truecolor") || colorterm.includes("24bit") || term.includes("truecolor") || !!process.env.FORCE_COLOR && process.env.FORCE_COLOR !== "0";
+  cached = {
+    width: Math.max(60, Math.min(cols, 120)),
+    trueColor,
+    interactive: stdout.isTTY === true
+  };
+  return cached;
+}
+var cached;
+var init_capabilities = __esm({
+  "src/terminal/capabilities.ts"() {
+    "use strict";
+    cached = null;
+  }
+});
+
+// src/terminal/theme.ts
+import chalk from "chalk";
+function color(hex, fallback) {
+  return getCapabilities().trueColor ? chalk.hex(hex) : fallback;
+}
+function riskColor(level) {
+  if (!level) return muted;
+  const key = level.toUpperCase();
+  const hex = RISK_COLORS[key] || BRAND.textSecondary;
+  const fallbacks = {
+    LOW: chalk.green,
+    MEDIUM: chalk.yellow,
+    HIGH: chalk.red,
+    CRITICAL: chalk.magenta
+  };
+  return color(hex, fallbacks[key] ?? chalk.gray).bold;
+}
+function scoreBold(n) {
+  if (n == null) return muted("\u2014");
+  return chalk.bold(String(n));
+}
+function error(text) {
+  return color("#EF4444", chalk.red)(text);
+}
+function success(text) {
+  return color("#22C55E", chalk.green)(text);
+}
+function warn(text) {
+  return color("#F59E0B", chalk.yellow)(text);
+}
+var accent, accentBold, muted, bold, dim;
+var init_theme = __esm({
+  "src/terminal/theme.ts"() {
+    "use strict";
+    init_brand();
+    init_capabilities();
+    accent = color(BRAND.accent, chalk.cyan);
+    accentBold = accent.bold;
+    muted = color(BRAND.textSecondary, chalk.gray);
+    bold = chalk.bold;
+    dim = chalk.dim;
+  }
+});
+
+// src/lib/theme.ts
+var init_theme2 = __esm({
+  "src/lib/theme.ts"() {
+    "use strict";
+    init_theme();
+  }
+});
+
+// src/terminal/table.ts
+import Table from "cli-table3";
+function createTable(headers, rows) {
+  const table = new Table({
+    head: headers.map((h) => muted(h)),
+    style: { head: [], border: [] },
+    chars: BOX_CHARS
+  });
+  for (const row of rows) table.push(row);
+  return table.toString();
+}
+var BOX_CHARS;
+var init_table = __esm({
+  "src/terminal/table.ts"() {
+    "use strict";
+    init_theme();
+    BOX_CHARS = {
+      mid: "\u2500",
+      "left-mid": "\u251C",
+      "mid-mid": "\u253C",
+      "right-mid": "\u2524"
+    };
+  }
+});
+
+// src/terminal/strings.ts
+function truncate(s, max) {
+  if (s.length <= max) return s;
+  return s.slice(0, max - 1) + "\u2026";
+}
+function padEndVisible(s, width) {
+  const plain = s.replace(/\x1b\[[0-9;]*m/g, "");
+  const pad = Math.max(0, width - plain.length);
+  return s + " ".repeat(pad);
+}
+function formatTimestamp(iso) {
+  if (!iso) return "\u2014";
+  const d = new Date(iso);
+  const p = (n) => String(n).padStart(2, "0");
+  return `${d.getFullYear()}-${p(d.getMonth() + 1)}-${p(d.getDate())} ${p(d.getHours())}:${p(d.getMinutes())}:${p(d.getSeconds())}`;
+}
+function hostnameFromUrl(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return url;
+  }
+}
+var init_strings = __esm({
+  "src/terminal/strings.ts"() {
+    "use strict";
+  }
+});
+
+// src/terminal/layout.ts
+import boxen from "boxen";
+function panel(content, opts = {}) {
+  return boxen(content, {
+    title: opts.title ? accentBold(opts.title) : void 0,
+    padding: opts.padding ?? 1,
+    margin: { top: 0, bottom: opts.marginBottom ?? 1, left: 0, right: 0 },
+    borderStyle: "round",
+    borderColor: getCapabilities().trueColor ? BRAND.accent : void 0,
+    titleAlignment: "left"
+  });
+}
+function columns(left, right, leftWidth) {
+  const width = leftWidth ?? Math.floor(getCapabilities().width * 0.45);
+  const leftLines = left.split("\n");
+  const rightLines = right.split("\n");
+  const rows = Math.max(leftLines.length, rightLines.length);
+  const out = [];
+  for (let i = 0; i < rows; i++) {
+    const l = padEndVisible(leftLines[i] ?? "", width);
+    const r = rightLines[i] ?? "";
+    out.push(`${l}  ${r}`);
+  }
+  return out.join("\n");
+}
+function divider(char = "\u2500", width) {
+  const w = width ?? getCapabilities().width - 4;
+  return dim(char.repeat(Math.max(20, w)));
+}
+function statusBar(parts) {
+  return dim(parts.filter(Boolean).join("  \xB7  "));
+}
+function keyValue(rows, indent = 2) {
+  const pad = " ".repeat(indent);
+  const maxKey = Math.max(...rows.map(([k]) => k.length), 4);
+  return rows.map(([k, v]) => `${pad}${muted(k.padEnd(maxKey))}  ${v}`).join("\n");
+}
+var init_layout = __esm({
+  "src/terminal/layout.ts"() {
+    "use strict";
+    init_brand();
+    init_theme();
+    init_capabilities();
+    init_strings();
+  }
+});
+
+// src/commands/report.ts
+var report_exports = {};
+__export(report_exports, {
+  runReportCommand: () => runReportCommand
+});
+import { writeFile as writeFile3 } from "fs/promises";
+async function runReportCommand(client, scanId, format, outputPath) {
+  const { data, contentType } = await client.download(`/scan/${scanId}/report?format=${format}`);
+  const ext = format === "pdf" ? "pdf" : format === "csv" ? "csv" : "json";
+  const path = outputPath || `fuzzi-report-${scanId.slice(0, 8)}.${ext}`;
+  await writeFile3(path, data);
+  return `Report saved to ${path} (${contentType})`;
+}
+var init_report = __esm({
+  "src/commands/report.ts"() {
+    "use strict";
+  }
+});
+
+// src/commands/whatif.ts
+var whatif_exports = {};
+__export(whatif_exports, {
+  runWhatIfCommand: () => runWhatIfCommand
+});
+async function runWhatIfCommand(scanId, overrides, format = "table") {
+  const client = await getAuthenticatedClient();
+  const data = await client.post("/whatif", { scan_id: scanId, overrides });
+  if (format === "json") return JSON.stringify(data, null, 2);
+  return [
+    `Original:  ${riskColor(data.original.risk_level)(data.original.risk_level)} (${scoreBold(data.original.overall_score)})`,
+    `Simulated: ${riskColor(data.simulated.risk_level)(data.simulated.risk_level)} (${scoreBold(data.simulated.overall_score)})`,
+    `Delta:     ${data.overall_score_delta > 0 ? "+" : ""}${data.overall_score_delta}`,
+    data.summary
+  ].join("\n");
+}
+var init_whatif = __esm({
+  "src/commands/whatif.ts"() {
+    "use strict";
+    init_api_client();
+    init_theme2();
+  }
+});
+
+// src/commands/compare.ts
+var compare_exports = {};
+__export(compare_exports, {
+  runCompareCommand: () => runCompareCommand
+});
+async function runCompareCommand(scanA, scanB, format = "table") {
+  const client = await getAuthenticatedClient();
+  const data = await client.post("/compare", {
+    scan_a_id: scanA,
+    scan_b_id: scanB
+  });
+  if (format === "json") return JSON.stringify(data, null, 2);
+  const summary = [
+    `Scan A  ${data.scan_a.target_url}`,
+    `        ${riskColor(data.scan_a.risk_level || "")(data.scan_a.risk_level || "\u2014")}  ${scoreBold(data.scan_a.overall_score)}`,
+    `Scan B  ${data.scan_b.target_url}`,
+    `        ${riskColor(data.scan_b.risk_level || "")(data.scan_b.risk_level || "\u2014")}  ${scoreBold(data.scan_b.overall_score)}`,
+    `Delta   ${data.score_delta > 0 ? "+" : ""}${data.score_delta}`,
+    data.summary
+  ].join("\n");
+  let body = panel(summary, { title: "Compare" });
+  if (data.factor_changes?.length) {
+    const rows = data.factor_changes.map((f) => [f.name.replace(/_/g, " "), String(f.delta)]);
+    body += "\n\n" + createTable(["Factor", "Delta"], rows);
+  }
+  return body;
+}
+var init_compare = __esm({
+  "src/commands/compare.ts"() {
+    "use strict";
+    init_table();
+    init_theme();
+    init_layout();
+    init_api_client();
+  }
+});
+
+// src/cli/program.ts
+init_brand();
+init_api_client();
+import { Command } from "commander";
+import { cwd as cwd2 } from "process";
+
+// src/commands/auth.ts
+init_credentials();
+init_api_client();
+init_credentials();
+init_config();
+init_theme2();
+import { password, input } from "@inquirer/prompts";
+async function runAuthLogin(opts = {}) {
+  const config = await loadConfig();
+  const client = new FuzziApiClient(config.api_url);
+  let apiKey = opts.apiKey?.trim();
+  if (!apiKey) {
+    if (opts.interactive === false) {
+      throw new ApiError(
+        "No API key provided. Generate one at https://app.fuzzi.dev/settings/api-keys",
+        401,
+        "missing_key",
+        void 0,
+        2
+      );
+    }
+    apiKey = await password({
+      message: "Paste your API key (fz_live_...):",
+      mask: "\u2022",
+      validate: (v) => {
+        if (!v.trim()) return "API key is required";
+        if (!isValidApiKeyFormat(v)) return "Key must start with fz_live_";
+        return true;
+      }
+    });
+  }
+  apiKey = apiKey.trim();
+  if (!isValidApiKeyFormat(apiKey)) {
+    throw new ApiError(
+      "Invalid API key format. Generate a new one at https://app.fuzzi.dev/settings/api-keys",
+      401,
+      "invalid_key_format",
+      void 0,
+      2
+    );
+  }
+  client.setToken(apiKey);
+  const valid = await client.validateToken();
+  if (!valid) {
+    throw new ApiError(
+      "Invalid API key. Generate a new one at https://app.fuzzi.dev/settings/api-keys",
+      401,
+      "invalid_token",
+      void 0,
+      2
+    );
+  }
+  const profile = await client.get("/me");
+  await saveCredentials({
+    api_key: apiKey,
+    auth_method: "api_key",
+    key_prefix: profile.key_prefix || maskApiKey(apiKey),
+    key_expires_at: profile.key_expires_at || void 0,
+    email: profile.email,
+    full_name: profile.full_name || void 0,
+    saved_at: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  const name = profile.full_name || profile.email;
+  return success(`Authenticated as ${name}`);
+}
+async function runAuthLogout() {
+  await clearCredentials();
+  return muted("You are now logged out.");
+}
+async function promptNewKeyName() {
+  return input({
+    message: "Key name:",
+    validate: (v) => v.trim().length > 0 ? true : "Name is required"
+  });
+}
+
+// src/lib/output.ts
+init_theme();
+init_table();
+init_strings();
+init_layout();
+function formatScanDate(scan) {
+  return formatTimestamp("created_at" in scan ? scan.created_at : void 0);
+}
+function renderScanResult(scan, format) {
+  if (format === "json") return JSON.stringify(buildScanJson(scan), null, 2);
+  if (format === "markdown") return renderScanMarkdown(scan);
+  return renderScanTable(scan);
+}
+function buildScanJson(scan) {
+  const fr = scan.fuzzy_result;
+  return {
+    scan: {
+      id: scan.id,
+      target_url: scan.target_url,
+      status: scan.status,
+      risk_level: fr?.risk_level ?? null,
+      risk_score: fr?.risk_score ?? null,
+      overall_score: fr?.overall_score ?? null
+    },
+    factors: scan.factors ?? [],
+    recommendations: scan.recommendations ?? []
+  };
+}
+function levelIndicator(level) {
+  if (level === "LOW") return muted("ok");
+  return warn("!");
+}
+function renderScanTable(scan) {
+  const fr = scan.fuzzy_result;
+  const rc = riskColor(fr?.risk_level);
+  const lines = [];
+  lines.push(panel([
+    bold(scan.target_url),
+    fr ? `${rc("Risk")} ${rc(fr.risk_level)}   ${muted("Score")} ${scoreBold(fr.overall_score)}/100` : "",
+    `${muted("Date")}  ${formatScanDate(scan)}`,
+    scan.status === "completed_inconclusive" ? warn("Inconclusive \u2014 indicative only") : ""
+  ].filter(Boolean).join("\n"), { title: "Scan result" }));
+  if (scan.factors?.length) {
+    const rows = [...scan.factors].sort((a, b) => a.score_100 - b.score_100).map((f) => {
+      const inc = f.details?.inconclusive;
+      return [
+        f.name.replace(/_/g, " "),
+        inc ? muted("\u2014") : `${f.score_100}/100`,
+        inc ? muted("n/a") : `${riskColor(f.linguistic_value)(f.linguistic_value)} ${levelIndicator(f.linguistic_value)}`
+      ];
+    });
+    lines.push("", createTable(["Dimension", "Score", "Level"], rows));
+  }
+  if (scan.recommendations?.length) {
+    lines.push("", accent("Findings"));
+    scan.recommendations.forEach((r, i) => {
+      lines.push(`  ${muted(String(i + 1).padStart(2))}  ${riskColor(r.severity.toUpperCase())(`[${r.severity.toUpperCase()}]`)}  ${r.title}`);
+    });
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function renderScanMarkdown(scan) {
+  const fr = scan.fuzzy_result;
+  const host = hostnameFromUrl(scan.target_url);
+  const lines = [`## Fuzzi Security Scan: ${host}`, ""];
+  if (fr) lines.push(`**Risk Level:** ${fr.risk_level} (${fr.overall_score}/100)`, "");
+  if (scan.factors?.length) {
+    lines.push("| Dimension | Score | Level |", "|-----------|-------|-------|");
+    for (const f of scan.factors) {
+      lines.push(`| ${f.name.replace(/_/g, " ")} | ${f.score_100}/100 | ${f.linguistic_value} |`);
+    }
+    lines.push("");
+  }
+  if (scan.recommendations?.length) {
+    lines.push("### Findings");
+    scan.recommendations.forEach((r, i) => {
+      lines.push(`${i + 1}. [${r.severity.toUpperCase()}] ${r.title}`);
+    });
+  }
+  return lines.join("\n");
+}
+function renderScansList(scans, format) {
+  if (format === "json") return JSON.stringify(scans, null, 2);
+  if (format === "markdown") {
+    if (!scans.length) return "No scans found.";
+    const lines = ["| URL | Status | Risk | Score | Date |", "|-----|--------|------|-------|------|"];
+    for (const s of scans) {
+      lines.push(`| ${s.target_url} | ${s.status} | ${s.risk_level || "\u2014"} | ${s.overall_score ?? "\u2014"} | ${formatScanDate(s)} |`);
+    }
+    return lines.join("\n");
+  }
+  if (!scans.length) return muted("No scans found.");
+  const rows = scans.map((s) => [
+    truncate(s.target_url, 40),
+    s.status === "completed_inconclusive" ? warn("inconcl.") : s.status,
+    s.risk_level ? riskColor(s.risk_level)(s.risk_level) : muted("\u2014"),
+    s.overall_score != null ? scoreBold(s.overall_score) : muted("\u2014"),
+    muted(formatScanDate(s))
+  ]);
+  return createTable(["URL", "Status", "Risk", "Score", "Date"], rows);
+}
+
+// src/commands/scan.ts
+init_api_client();
+init_config();
+init_theme();
+
+// src/lib/errors.ts
+init_api_client();
+function formatApiError(err) {
+  if (err instanceof ApiError) {
+    return err.message;
+  }
+  if (err instanceof Error) {
+    if (err.message.includes("fetch failed") || err.message.includes("ECONNREFUSED")) {
+      return "Could not connect to app.fuzzi.dev. Check your internet connection or try again later.";
+    }
+    return `An error occurred: ${err.message}. Please report this at https://github.com/fuzzi-cli/fuzzi-cli/issues`;
+  }
+  return `An error occurred: ${String(err)}. Please report this at https://github.com/fuzzi-cli/fuzzi-cli/issues`;
+}
+function getExitCode(err) {
+  if (err instanceof ApiError && err.exitCode !== void 0) {
+    return err.exitCode;
+  }
+  return 2;
+}
+function validateUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+      return "Invalid URL. Please provide a valid URL starting with http:// or https://";
+    }
+    return null;
+  } catch {
+    return "Invalid URL. Please provide a valid URL starting with http:// or https://";
+  }
+}
+
+// src/lib/risk.ts
+var RISK_ORDER = {
+  LOW: 0,
+  MEDIUM: 1,
+  HIGH: 2,
+  CRITICAL: 3
+};
+function normalizeRiskLevel(level) {
+  if (!level) return null;
+  const upper = level.toUpperCase();
+  return upper in RISK_ORDER ? upper : null;
+}
+function riskMeetsThreshold(actual, threshold) {
+  const a = normalizeRiskLevel(actual);
+  const t = normalizeRiskLevel(threshold);
+  if (!a || !t) return false;
+  return RISK_ORDER[a] >= RISK_ORDER[t];
+}
+
+// src/lib/project-config.ts
+import { readFile as readFile3 } from "fs/promises";
+import { join as join3 } from "path";
+import { existsSync } from "fs";
+function parseTomlSimple(raw) {
+  const config = { scan: {}, output: {} };
+  let section = "";
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const sectionMatch = trimmed.match(/^\[([^\]]+)\]$/);
+    if (sectionMatch) {
+      section = sectionMatch[1];
+      continue;
+    }
+    const kv = trimmed.match(/^(\w+)\s*=\s*"?([^"]+)"?$/);
+    if (!kv) continue;
+    const [, key, value] = kv;
+    if (section === "scan" || section === "scan.scan") {
+      config.scan ??= {};
+      if (key === "url") config.scan.url = value;
+      else if (key === "environment") config.scan.environment = value;
+      else if (key === "fail_on") config.scan.fail_on = value;
+      else if (key === "title") config.scan.title = value;
+    } else if (section === "output") {
+      config.output ??= {};
+      if (key === "format") config.output.format = value;
+    }
+  }
+  return config;
+}
+async function loadProjectConfig(cwd5) {
+  const fuzzirc = join3(cwd5, ".fuzzirc");
+  const fuzzitoml = join3(cwd5, "fuzzi.toml");
+  if (existsSync(fuzzirc)) {
+    try {
+      const raw = await readFile3(fuzzirc, "utf8");
+      return JSON.parse(raw);
+    } catch {
+      return null;
+    }
+  }
+  if (existsSync(fuzzitoml)) {
+    try {
+      const raw = await readFile3(fuzzitoml, "utf8");
+      return parseTomlSimple(raw);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+
+// src/terminal/progress.ts
+init_theme();
+init_capabilities();
+import ora from "ora";
+function createProgress(label, stream = false) {
+  if (!getCapabilities().interactive) {
+    return {
+      update: () => {
+      },
+      succeed: () => {
+      },
+      fail: () => {
+      },
+      stop: () => {
+      }
+    };
+  }
+  if (stream) {
+    let last = "";
+    return {
+      update(message) {
+        if (last) process.stdout.write("\r\x1B[K");
+        last = message;
+        process.stdout.write(muted(message));
+      },
+      succeed(message) {
+        if (last) process.stdout.write("\r\x1B[K");
+        if (message) process.stdout.write(muted(message) + "\n");
+        last = "";
+      },
+      fail(message) {
+        if (last) process.stdout.write("\r\x1B[K");
+        if (message) process.stdout.write(muted(message) + "\n");
+        last = "";
+      },
+      stop() {
+        if (last) process.stdout.write("\r\x1B[K");
+        last = "";
+      }
+    };
+  }
+  let spinner = ora({ text: label, color: "cyan", discardStdin: false }).start();
+  return {
+    update(message) {
+      if (spinner) spinner.text = message;
+    },
+    succeed(message) {
+      if (spinner) {
+        spinner.succeed(message);
+        spinner = null;
+      }
+    },
+    fail(message) {
+      if (spinner) {
+        spinner.fail(message);
+        spinner = null;
+      }
+    },
+    stop() {
+      if (spinner) {
+        spinner.stop();
+        spinner = null;
+      }
+    }
+  };
+}
+
+// src/commands/scan.ts
+init_strings();
+
+// src/lib/retry.ts
+init_logger();
+async function withRetry(fn, opts = {}) {
+  const max = opts.maxAttempts ?? 3;
+  const base = opts.baseDelayMs ?? 500;
+  const retryOn = opts.retryOn ?? ((e) => {
+    const err = e;
+    return err.status === 429 || err.status === 502 || err.status === 503;
+  });
+  let last;
+  for (let attempt = 1; attempt <= max; attempt++) {
+    try {
+      return await fn();
+    } catch (e) {
+      last = e;
+      if (attempt >= max || !retryOn(e)) throw e;
+      const delay = base * Math.pow(2, attempt - 1);
+      log.debug(`retry ${attempt}/${max} in ${delay}ms`);
+      await new Promise((r) => setTimeout(r, delay));
+    }
+  }
+  throw last;
+}
+
+// src/commands/scan.ts
+init_logger();
+import { cwd } from "process";
+var TERMINAL_STATUSES = /* @__PURE__ */ new Set(["completed", "completed_inconclusive", "failed"]);
+var POLL_INTERVAL_MS = 3e3;
+async function pollScan(client, scanId, onTick, maxWaitMs = 3e5) {
+  const start = Date.now();
+  let last = "pending";
+  while (Date.now() - start < maxWaitMs) {
+    const detail = await withRetry(() => client.get(`/scan/${scanId}`));
+    last = detail.status;
+    onTick?.(Math.floor((Date.now() - start) / 1e3), last);
+    if (TERMINAL_STATUSES.has(detail.status)) {
+      if (detail.status === "failed") {
+        throw new ApiError(
+          `Scan failed: ${detail.inconclusive_message || detail.inconclusive_reason || "unknown error"}`,
+          500,
+          "scan_failed",
+          detail,
+          2
+        );
+      }
+      return detail;
+    }
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+  }
+  throw new ApiError(`Scan timed out after ${maxWaitMs / 1e3}s (last status: ${last})`, 408, "scan_timeout", void 0, 2);
+}
+function resolveFormat(format, projectFormat) {
+  return format || projectFormat || "table";
+}
+function computeExitCode(scan, opts) {
+  const fr = scan.fuzzy_result;
+  if (!fr) return 0;
+  if (opts.failThreshold != null && fr.risk_score >= opts.failThreshold) return 1;
+  if (opts.failOn && riskMeetsThreshold(fr.risk_level, opts.failOn)) return 1;
+  return 0;
+}
+async function runScanCommand(client, opts) {
+  const urlError = validateUrl(opts.url);
+  if (urlError) throw new ApiError(urlError, 400, "invalid_url", void 0, 2);
+  const projectConfig = await loadProjectConfig(cwd());
+  const config = await loadConfig();
+  const format = resolveFormat(opts.format, projectConfig?.output?.format || config.default_format);
+  const env = opts.environment || projectConfig?.scan?.environment || config.default_env || "production";
+  const failOn = opts.failOn || projectConfig?.scan?.fail_on;
+  const shouldWait = opts.noWait ? false : opts.wait !== false;
+  const body = { url: opts.url, environment: env };
+  if (opts.title || projectConfig?.scan?.title) {
+    body.title = opts.title || projectConfig?.scan?.title || "";
+  }
+  log.debug("creating scan", { url: opts.url, env });
+  const created = await withRetry(() => client.post("/scan", body));
+  if (!shouldWait) {
+    const output2 = format === "json" ? JSON.stringify(created, null, 2) : [success("Scan started"), muted(`ID: ${created.scan_id}`), muted(created.message)].join("\n");
+    return { output: output2, exitCode: 0 };
+  }
+  const host = hostnameFromUrl(opts.url);
+  const progress = opts.onProgress ? { update: opts.onProgress, stop: () => {
+  }, succeed: () => {
+  }, fail: () => {
+  } } : createProgress(`Scanning ${host}...`, opts.streamProgress);
+  const detail = await pollScan(client, created.scan_id, (sec, status) => {
+    progress.update(`Scanning ${host}... (${sec}s)  ${muted(status)}`);
+  });
+  progress.succeed(`Scan complete \u2014 ${host}`);
+  const exitCode = computeExitCode(detail, { ...opts, failOn });
+  return { output: renderScanResult(detail, format), exitCode, scan: detail };
+}
+
+// src/commands/scans.ts
+async function runScansListCommand(client, format = "table", filters) {
+  const params = new URLSearchParams({ page: "1", page_size: String(filters?.limit || 20) });
+  if (filters?.status) params.set("status", filters.status);
+  if (filters?.riskLevel) params.set("risk_level", filters.riskLevel);
+  const data = await client.get(
+    `/scans?${params.toString()}`
+  );
+  return renderScansList(data.results || [], format);
+}
+async function runScanGetCommand(client, scanId, format = "table") {
+  const detail = await client.get(`/scan/${scanId}`);
+  return renderScanResult(detail, format);
+}
+
+// src/commands/status.ts
+init_config();
+init_credentials();
+init_layout();
+init_theme();
+function daysUntil(dateStr) {
+  const diff = new Date(dateStr).getTime() - Date.now();
+  return Math.max(0, Math.ceil(diff / (1e3 * 60 * 60 * 24)));
+}
+async function runRateLimitStatus(client) {
+  try {
+    const data = await client.get("/rate-limit");
+    if (data.limit != null) {
+      return `${data.remaining ?? "?"}/${data.limit} remaining`;
+    }
+  } catch {
+  }
+  return null;
+}
+async function runStatusCommand(client) {
+  const creds = await loadCredentials();
+  const profile = await client.get("/me");
+  const keyExpiry = creds?.key_expires_at || profile.key_expires_at;
+  const config = await loadConfig();
+  const rate = await runRateLimitStatus(client);
+  const rows = [
+    ["Name", profile.full_name || profile.email.split("@")[0]],
+    ["Email", profile.email],
+    ["Organization", profile.organization || muted("\u2014")],
+    ["Role", profile.role],
+    ["Auth", `API Key (${creds ? maskApiKey(creds.api_key) : "\u2014"})`]
+  ];
+  if (keyExpiry) {
+    const days = daysUntil(keyExpiry);
+    rows.push(["Key expires", `${keyExpiry.slice(0, 10)} (${days}d remaining)`]);
+  } else {
+    rows.push(["Key expires", muted("No expiry")]);
+  }
+  rows.push(["API", config.api_url]);
+  if (rate) rows.push(["Rate limit", rate]);
+  return [panel(keyValue(rows), { title: "Account" }), "", divider(), muted("Use /keys to manage API keys")].join("\n");
+}
+
+// src/commands/config.ts
+init_config();
+init_theme2();
+async function runConfigList() {
+  const entries = await listConfigEntries();
+  const lines = Object.entries(entries).map(([k, v]) => `  ${k} = ${v}`);
+  return lines.length ? [accent("Config (~/.fuzzi/config)"), ...lines].join("\n") : muted("No config set.");
+}
+async function runConfigGet(key) {
+  if (!key) return runConfigList();
+  const value = await getConfigValue(key);
+  if (value === void 0) return muted(`Config key not set: ${key}`);
+  return value;
+}
+async function runConfigSet(key, value) {
+  const allowed = ["api_url", "default_env", "default_format"];
+  if (!allowed.includes(key)) {
+    return muted(`Unknown config key: ${key}. Supported: ${allowed.join(", ")}`);
+  }
+  await setConfigValue(key, value);
+  return accent("Config updated.");
+}
+
+// src/cli/exit.ts
+function handleCommandError(e) {
+  console.error(formatApiError(e));
+  process.exit(getExitCode(e));
+}
+function exitWith(code) {
+  process.exit(code);
+}
+
+// src/cli/program.ts
+function buildProgram() {
+  const program = new Command("fuzzi").name("fuzzi").description("Fuzzi security scanner CLI \u2014 interactive shell and scriptable commands").version(VERSION);
+  const auth = program.command("auth").description("Authentication");
+  auth.command("login").description("Authenticate with an API key from https://app.fuzzi.dev/settings/api-keys").option("--api-key <key>", "API key (fz_live_...)").action(async (opts) => {
+    try {
+      console.log(await runAuthLogin({ apiKey: opts.apiKey, interactive: !opts.apiKey }));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  auth.command("logout").description("Clear stored credentials").action(async () => {
+    console.log(await runAuthLogout());
+  });
+  auth.command("status").description("Show auth status").action(async () => {
+    try {
+      const client = await getAuthenticatedClient();
+      console.log(await runStatusCommand(client));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  program.command("scan [url]").description("Scan a URL (waits for completion by default)").option("-t, --title <title>", "Scan title").option("-e, --env <env>", "production|staging|development").option("-w, --wait", "Poll until scan completes (default)").option("--no-wait", "Return immediately with scan ID").option("-f, --format <format>", "table|json|markdown", "table").option("--fail-on <level>", "Exit 1 if risk >= level (low|medium|high|critical)").option("--fail-threshold <n>", "Exit 1 if risk_score >= threshold (0.0-1.0)", parseFloat).action(async (urlArg, opts) => {
+    try {
+      const project = await loadProjectConfig(cwd2());
+      const url = urlArg || project?.scan?.url;
+      if (!url) {
+        console.error("Usage: fuzzi scan <url>");
+        exitWith(2);
+      }
+      const client = await getAuthenticatedClient();
+      const result = await runScanCommand(client, {
+        url,
+        wait: opts.wait,
+        noWait: opts.noWait,
+        format: opts.format,
+        environment: opts.env,
+        title: opts.title,
+        failOn: opts.failOn,
+        failThreshold: opts.failThreshold
+      });
+      console.log(result.output);
+      exitWith(result.exitCode);
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  const scans = program.command("scans").description("Browse scans");
+  scans.command("list").description("List recent scans").option("--status <status>", "pending|running|completed|failed").option("--risk-level <level>", "low|medium|high|critical").option("--limit <n>", "Max results", "20").option("-f, --format <format>", "table|json|markdown", "table").action(async (opts) => {
+    try {
+      const client = await getAuthenticatedClient();
+      console.log(
+        await runScansListCommand(client, opts.format, {
+          status: opts.status,
+          riskLevel: opts.riskLevel,
+          limit: parseInt(opts.limit, 10)
+        })
+      );
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  scans.command("get <scan-id>").description("Get scan details").option("-f, --format <format>", "table|json|markdown", "table").action(async (scanId, opts) => {
+    try {
+      const client = await getAuthenticatedClient();
+      console.log(await runScanGetCommand(client, scanId, opts.format));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  program.command("report <scan-id>").description("Download a scan report").requiredOption("--format <format>", "pdf|csv|json").option("-o, --output <path>", "Output file path").action(async (scanId, opts) => {
+    try {
+      const { runReportCommand: runReportCommand2 } = await Promise.resolve().then(() => (init_report(), report_exports));
+      const client = await getAuthenticatedClient();
+      console.log(await runReportCommand2(client, scanId, opts.format, opts.output));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  program.command("whatif <scan-id>").description("Simulate factor overrides").option("--set <pair>", "dimension=value (repeatable)", (v, prev) => [...prev, v], []).option("-f, --format <format>", "table|json", "table").action(async (scanId, opts) => {
+    try {
+      const { runWhatIfCommand: runWhatIfCommand2 } = await Promise.resolve().then(() => (init_whatif(), whatif_exports));
+      const overrides = {};
+      for (const pair of opts.set) {
+        const [k, val] = pair.split("=");
+        if (k && val) overrides[k] = parseFloat(val);
+      }
+      console.log(await runWhatIfCommand2(scanId, overrides, opts.format));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  program.command("compare <scan-a> <scan-b>").description("Compare two scans").option("-f, --format <format>", "table|json", "table").action(async (scanA, scanB, opts) => {
+    try {
+      const { runCompareCommand: runCompareCommand2 } = await Promise.resolve().then(() => (init_compare(), compare_exports));
+      console.log(await runCompareCommand2(scanA, scanB, opts.format));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  const config = program.command("config").description("CLI configuration (~/.fuzzi/config)");
+  config.command("list").action(async () => console.log(await runConfigList()));
+  config.command("get [key]").action(async (key) => console.log(await runConfigGet(key)));
+  config.command("set <key> <value>").action(async (key, value) => console.log(await runConfigSet(key, value)));
+  program.command("status").description("Show account status").action(async () => {
+    try {
+      const client = await getAuthenticatedClient();
+      console.log(await runStatusCommand(client));
+    } catch (e) {
+      handleCommandError(e);
+    }
+  });
+  return program;
+}
+
+// src/cli/bootstrap.ts
+init_credentials();
+init_api_client();
+import { cwd as cwd4 } from "process";
+
+// src/shell/prompt-loop.ts
+import * as readline from "readline/promises";
+import { stdin as input3, stdout as output } from "process";
+
+// src/shell/ascii-mark.ts
+function renderFuzziMark() {
+  return [
+    "       \u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E",
+    "      \u2571   \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2572",
+    "     \u2502    \u2502 FUZZI \u2502    \u2502",
+    "     \u2502    \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518    \u2502",
+    "     \u2502       \u2593\u2593\u2593       \u2502",
+    "      \u2572               \u2571",
+    "       \u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256F"
+  ].join("\n");
+}
+
+// src/shell/home-screen.ts
+init_brand();
+init_theme();
+init_layout();
+
+// src/lib/assets.ts
+import { readFile as readFile4 } from "fs/promises";
+import { dirname, join as join4 } from "path";
+import { fileURLToPath } from "url";
+import { existsSync as existsSync2 } from "fs";
+function assetsDir() {
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    join4(here, "..", "assets"),
+    // dist/lib → dist/../assets = package/assets
+    join4(here, "..", "..", "assets"),
+    // src/lib → package/assets
+    join4(here, "assets")
+    // bundled flat fallback
+  ];
+  for (const p of candidates) {
+    if (existsSync2(join4(p, "changelog.json"))) return p;
+  }
+  return candidates[0];
+}
+async function readAsset(name) {
+  return readFile4(join4(assetsDir(), name), "utf8");
+}
+
+// src/shell/home-screen.ts
+async function fetchHomeData(profile, cwd5) {
+  let changelog = [];
+  try {
+    changelog = JSON.parse(await readAsset("changelog.json"));
+  } catch {
+    changelog = [];
+  }
+  return { profile, cwd: cwd5, changelog };
+}
+function renderHomeScreen(data) {
+  const name = data.profile?.full_name || data.profile?.email?.split("@")[0] || "there";
+  const org = data.profile?.organization?.trim();
+  const welcome = data.profile ? accentBold(`Welcome back, ${name}!`) : muted("Welcome to Fuzzi");
+  const mark = accent(renderFuzziMark());
+  const connected = data.profile ? statusBar([accent("Connected"), org ?? null].filter(Boolean)) : muted("Not connected");
+  const headerBody = ["", welcome, "", mark, "", connected, muted(data.cwd), ""].join("\n");
+  const latest = data.changelog[0];
+  const whatsNew = latest ? [...latest.highlights.slice(0, 2).map((h) => muted(`\xB7 ${h}`)), muted("/changelog for more")].join("\n") : muted("Stay tuned for updates");
+  const quickActions = [
+    accent("/scan") + muted(" <url>") + muted("  scan a target"),
+    accent("/scans") + muted("       browse history"),
+    accent("/status") + muted("      account info"),
+    accent("/palette") + muted("     search commands"),
+    accent("/help") + muted("        all commands")
+  ].join("\n");
+  const panels = panel(columns(quickActions, whatsNew, 38), { title: "Quick actions" });
+  return panel(headerBody, { title: `Fuzzi CLI v${VERSION}`, marginBottom: 0 }) + "\n" + panels;
+}
+function renderChangelog(entries) {
+  if (!entries.length) return muted("No changelog entries.");
+  return entries.map((e) => {
+    const lines = [
+      accentBold(`v${e.version}`) + muted(` \u2014 ${e.date}`),
+      ...e.highlights.map((h) => muted(`  \xB7 ${h}`))
+    ];
+    return lines.join("\n");
+  }).join("\n\n");
+}
+
+// src/shell/slash-commands.ts
+init_api_client();
+import { confirm, input as input2 } from "@inquirer/prompts";
+
+// src/commands/keys.ts
+init_table();
+init_theme();
+
+// src/terminal/empty-state.ts
+init_theme();
+function emptyState(title, hint, action) {
+  const lines = ["", muted(title), muted(hint)];
+  if (action) lines.push("", accent(action));
+  return lines.join("\n");
+}
+
+// src/terminal/interactive.ts
+init_theme();
+import { select, search } from "@inquirer/prompts";
+async function pickFromList(message, items) {
+  if (!items.length) return null;
+  try {
+    return await select({ message, choices: items });
+  } catch {
+    return null;
+  }
+}
+async function searchPalette(message, choices) {
+  try {
+    return await search({
+      message,
+      source: async (input4) => {
+        if (!input4) return choices;
+        const q = input4.toLowerCase();
+        return choices.filter((c) => c.value.includes(q) || c.description?.includes(q));
+      }
+    });
+  } catch {
+    return null;
+  }
+}
+function formatChoice(name, description) {
+  return `${accent(name)}${muted(" \u2014 " + description)}`;
+}
+
+// src/commands/keys.ts
+async function runKeysListCommand(client) {
+  const data = await client.get("/keys");
+  const keys = data.results || [];
+  if (!keys.length) {
+    return emptyState("No API keys", "Create one at app.fuzzi.dev/settings/api-keys", "[n] new key in this view");
+  }
+  const rows = keys.map((k) => [
+    k.name,
+    k.prefix,
+    k.scopes?.join(", ") || muted("\u2014"),
+    k.revoked ? muted("Revoked") : k.active ? success("Active") : muted("Inactive"),
+    k.last_used_at ? new Date(k.last_used_at).toLocaleDateString() : muted("Never")
+  ]);
+  return createTable(["Name", "Prefix", "Scopes", "Status", "Last Used"], rows);
+}
+async function runKeyRevoke(client, keyId) {
+  await client.delete(`/keys/${keyId}`);
+  return "API key revoked.";
+}
+async function pickKeyForRevoke(client) {
+  const data = await client.get("/keys");
+  const active = (data.results || []).filter((k) => !k.revoked && k.active);
+  return pickFromList(
+    "Select a key to revoke",
+    active.map((k) => ({ name: `${k.name} (${k.prefix})`, value: k.id }))
+  );
+}
+
+// src/shell/help-screen.ts
+init_layout();
+init_theme();
+
+// src/shell/registry.ts
+var SLASH_COMMANDS = [
+  { name: "/scan", description: "Run a security scan on a URL", usage: "/scan <url>", requiresAuth: true },
+  { name: "/scans", description: "Browse recent scans", requiresAuth: true },
+  { name: "/status", description: "Show auth status and rate limits", requiresAuth: true },
+  { name: "/keys", description: "Manage API keys", requiresAuth: true },
+  { name: "/config", description: "Set CLI configuration", usage: "/config key=value" },
+  { name: "/compare", description: "Compare two scans", usage: "/compare <id-a> <id-b>", requiresAuth: true },
+  { name: "/whatif", description: "Simulate factor overrides", usage: "/whatif <id>", requiresAuth: true },
+  { name: "/report", description: "Download scan report", usage: "/report <id>", requiresAuth: true },
+  { name: "/palette", description: "Open command palette", aliases: ["/commands"] },
+  { name: "/changelog", description: "View release notes" },
+  { name: "/help", description: "Show all commands" },
+  { name: "/auth", description: "Log in with API key", aliases: ["/login"] },
+  { name: "/clear", description: "Clear screen and refresh home" },
+  { name: "/history", description: "Show recent commands" },
+  { name: "/exit", description: "Exit the shell", aliases: ["/quit"] }
+];
+function findCommand(input4) {
+  const cmd = input4.trim().split(/\s/)[0].toLowerCase();
+  return SLASH_COMMANDS.find(
+    (c) => c.name === cmd || c.aliases?.some((a) => a === cmd)
+  );
+}
+
+// src/shell/help-screen.ts
+function renderHelpScreen() {
+  const visible = SLASH_COMMANDS.filter((c) => !c.hidden);
+  const left = visible.slice(0, Math.ceil(visible.length / 2)).map((c) => `${accent(c.name.padEnd(12))} ${muted(c.description)}`).join("\n");
+  const right = visible.slice(Math.ceil(visible.length / 2)).map((c) => `${accent(c.name.padEnd(12))} ${muted(c.description)}`).join("\n");
+  const script = [
+    muted("Scriptable commands"),
+    `  fuzzi scan <url> [--format json|markdown] [--fail-on critical]`,
+    `  fuzzi scans list | get <id>  \xB7  fuzzi auth login | status`,
+    `  fuzzi config set default_env staging`
+  ].join("\n");
+  return [
+    panel(columns(left, right), { title: "Commands" }),
+    "",
+    script,
+    "",
+    divider(),
+    dim("Tips: Tab to complete  \xB7  /palette to search  \xB7  Ctrl+C to exit")
+  ].join("\n");
+}
+function renderHistoryScreen(entries) {
+  if (!entries.length) return muted("No command history yet.");
+  const body = entries.slice(-15).reverse().map((e, i) => `${dim(String(i + 1).padStart(2))}  ${e}`).join("\n");
+  return panel(body, { title: "Recent commands" });
+}
+
+// src/shell/command-palette.ts
+async function openCommandPalette() {
+  const choices = SLASH_COMMANDS.filter((c) => !c.hidden).map((c) => ({
+    name: formatChoice(c.name, c.description),
+    value: c.name,
+    description: c.usage
+  }));
+  return searchPalette("Command palette", choices);
+}
+
+// src/shell/session.ts
+init_credentials();
+import { mkdir as mkdir3, readFile as readFile5, writeFile as writeFile4, appendFile } from "fs/promises";
+import { join as join5 } from "path";
+var HISTORY_PATH = join5(fuzziDir(), "history");
+var MAX_ENTRIES = 200;
+async function loadHistory() {
+  try {
+    const raw = await readFile5(HISTORY_PATH, "utf8");
+    return raw.split("\n").filter(Boolean).slice(-MAX_ENTRIES);
+  } catch {
+    return [];
+  }
+}
+async function appendHistory(line) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith("#")) return;
+  await mkdir3(fuzziDir(), { recursive: true, mode: 448 });
+  await appendFile(HISTORY_PATH, trimmed + "\n", "utf8");
+}
+
+// src/shell/slash-commands.ts
+init_theme();
+
+// src/terminal/banner.ts
+init_layout();
+init_theme();
+function errorBox(message, hint) {
+  const body = hint ? `${message}
+
+${hint}` : message;
+  return panel(body, { title: "Error" });
+}
+function successBox(message) {
+  return panel(success(message), { title: "Done" });
+}
+
+// src/shell/slash-commands.ts
+init_strings();
+async function dispatchSlashCommand(line, ctx) {
+  const trimmed = line.trim();
+  if (!trimmed) return {};
+  if (trimmed === "/exit" || trimmed === "/quit") return { exit: true };
+  const [cmd, ...rest] = trimmed.split(/\s+/);
+  const arg = rest.join(" ").trim();
+  const def = findCommand(cmd);
+  if (!def && cmd.startsWith("/")) {
+    ctx.sink.write(errorBox(`Unknown command: ${cmd}`, "Type /help or /palette"));
+    return {};
+  }
+  try {
+    switch (cmd.toLowerCase()) {
+      case "/help":
+        ctx.sink.write(renderHelpScreen());
+        break;
+      case "/palette":
+      case "/commands": {
+        const picked = await openCommandPalette();
+        if (picked) return dispatchSlashCommand(picked, ctx);
+        break;
+      }
+      case "/clear":
+        return { redraw: true };
+      case "/history": {
+        const hist = await loadHistory();
+        ctx.sink.write(renderHistoryScreen(hist));
+        break;
+      }
+      case "/scan": {
+        if (!arg) {
+          ctx.sink.write(error("Usage: /scan <url>"));
+          break;
+        }
+        const client = await getAuthenticatedClient();
+        const progress = createStreamProgress(ctx.sink);
+        const result = await runScanCommand(client, {
+          url: arg,
+          wait: true,
+          onProgress: progress.update
+        });
+        progress.stop();
+        ctx.sink.write(result.output);
+        break;
+      }
+      case "/status": {
+        const client = await getAuthenticatedClient();
+        const status = await runStatusCommand(client);
+        const rate = await runRateLimitStatus(client);
+        ctx.sink.write(rate ? `${status}
+
+${muted("Rate limit")}  ${rate}` : status);
+        break;
+      }
+      case "/scans":
+        await runScansInteractive(ctx);
+        break;
+      case "/keys":
+        await runKeysInteractive(ctx);
+        break;
+      case "/config": {
+        if (!arg.includes("=")) {
+          ctx.sink.write(error("Usage: /config key=value"));
+          break;
+        }
+        const [k, ...vParts] = arg.split("=");
+        ctx.sink.write(await runConfigSet(k.trim(), vParts.join("=").trim()));
+        break;
+      }
+      case "/changelog": {
+        const raw = await readAsset("changelog.json");
+        ctx.sink.write(renderChangelog(JSON.parse(raw)));
+        break;
+      }
+      case "/compare": {
+        const [a, b] = arg.split(/\s+/);
+        if (!a || !b) {
+          ctx.sink.write(error("Usage: /compare <scan-a> <scan-b>"));
+          break;
+        }
+        const { runCompareCommand: runCompareCommand2 } = await Promise.resolve().then(() => (init_compare(), compare_exports));
+        ctx.sink.write(await runCompareCommand2(a, b, "table"));
+        break;
+      }
+      case "/whatif": {
+        if (!arg) {
+          ctx.sink.write(error("Usage: /whatif <scan-id>"));
+          break;
+        }
+        const { runWhatIfCommand: runWhatIfCommand2 } = await Promise.resolve().then(() => (init_whatif(), whatif_exports));
+        ctx.sink.write(await runWhatIfCommand2(arg, {}, "table"));
+        break;
+      }
+      case "/report": {
+        if (!arg) {
+          ctx.sink.write(error("Usage: /report <scan-id>"));
+          break;
+        }
+        const { runReportCommand: runReportCommand2 } = await Promise.resolve().then(() => (init_report(), report_exports));
+        const client = await getAuthenticatedClient();
+        ctx.sink.write(await runReportCommand2(client, arg, "json"));
+        break;
+      }
+      case "/login":
+      case "/auth": {
+        ctx.sink.write(await runAuthLogin({ interactive: true }));
+        const client = await getAuthenticatedClient();
+        return { profile: await client.get("/me"), redraw: true };
+      }
+      default:
+        ctx.sink.write(errorBox(`Unknown command: ${cmd}`, "Type /help"));
+    }
+  } catch (e) {
+    ctx.sink.error(formatApiError(e));
+  }
+  return {};
+}
+function createStreamProgress(sink) {
+  let last = "";
+  return {
+    update(msg) {
+      if (last) sink.clearLine?.();
+      last = msg;
+      process.stdout.write(muted(msg));
+    },
+    stop() {
+      if (last) sink.clearLine?.();
+      last = "";
+    }
+  };
+}
+async function runScansInteractive(ctx) {
+  const client = await getAuthenticatedClient();
+  while (true) {
+    const list = await runScansListCommand(client, "table", { limit: 20 });
+    const data = await client.get("/scans?page=1&page_size=20");
+    const scans = data.results || [];
+    if (!scans.length) {
+      ctx.sink.write(emptyState("No scans yet", "Run /scan <url> to create your first scan", "/scan https://example.com"));
+      return;
+    }
+    ctx.sink.write(list);
+    ctx.sink.write("");
+    const scanId = await pickFromList(
+      "Select a scan (Esc to go back)",
+      scans.map((s) => ({
+        name: `${truncate(s.target_url, 32)}  ${s.risk_level ?? s.status}  ${s.overall_score ?? "\u2014"}  ${formatTimestamp(s.created_at)}`,
+        value: s.id
+      }))
+    );
+    if (!scanId) return;
+    const detail = await client.get(`/scan/${scanId}`);
+    ctx.sink.write(renderScanResult(detail, "table"));
+    const cont = await input2({
+      message: muted("Enter = back to list  \xB7  q = exit"),
+      default: ""
+    }).catch(() => "q");
+    if (cont.toLowerCase() === "q") return;
+  }
+}
+async function runKeysInteractive(ctx) {
+  const client = await getAuthenticatedClient();
+  ctx.sink.write(await runKeysListCommand(client));
+  ctx.sink.write(muted("\nActions: [r] revoke  [n] new key  [Enter] back"));
+  const action = await input2({ message: "Action", default: "" }).catch(() => "");
+  if (action.toLowerCase() === "r") {
+    const keyId = await pickKeyForRevoke(client);
+    if (!keyId) return;
+    const ok = await confirm({ message: "Revoke this API key?", default: false }).catch(() => false);
+    if (ok) ctx.sink.write(successBox(await runKeyRevoke(client, keyId)));
+  } else if (action.toLowerCase() === "n") {
+    const name = await promptNewKeyName();
+    const created = await client.post("/keys", { name });
+    ctx.sink.write(success(`Created: ${created.name} (${created.prefix})`));
+    ctx.sink.write(accent("Save this key \u2014 it won't be shown again:"));
+    ctx.sink.write(created.key);
+  }
+}
+
+// src/shell/prompt-loop.ts
+init_theme();
+import { cwd as cwd3 } from "process";
+
+// src/shell/completer.ts
+function buildCompleter(commands, history) {
+  const names = commands.map((c) => c.name);
+  return (line) => {
+    const trimmed = line.trimStart();
+    if (!trimmed.startsWith("/")) {
+      if (trimmed === "") return [[...names, ...history.slice(-20).reverse()], line];
+      return [[], line];
+    }
+    const hits = names.filter((n) => n.startsWith(trimmed.split(/\s/)[0]));
+    return [hits.length ? hits : names, line];
+  };
+}
+
+// src/shell/prompt-loop.ts
+init_capabilities();
+init_layout();
+init_logger();
+async function runPromptLoop(initialProfile) {
+  let profile = initialProfile;
+  const workDir = cwd3();
+  const history = await loadHistory();
+  const refresh = async () => {
+    if (getCapabilities().interactive) console.clear();
+    const data = await fetchHomeData(profile, workDir);
+    console.log(renderHomeScreen(data));
+    const bar = statusBar([
+      profile ? muted(profile.email) : muted("guest"),
+      dim(workDir),
+      isDebugMode() ? muted("debug") : null
+    ].filter(Boolean));
+    console.log(bar);
+    console.log("");
+  };
+  await refresh();
+  const rl = readline.createInterface({
+    input: input3,
+    output,
+    terminal: true,
+    completer: buildCompleter(SLASH_COMMANDS, history),
+    historySize: 300
+  });
+  rl.on("SIGINT", () => {
+    console.log(muted("\nGoodbye!"));
+    rl.close();
+    process.exit(0);
+  });
+  const prompt = () => process.stdout.write(accent("\u203A "));
+  prompt();
+  for await (const line of rl) {
+    await appendHistory(line);
+    history.push(line.trim());
+    const sink = {
+      write: (text) => console.log(text),
+      error: (text) => console.error(text),
+      clearLine: () => process.stdout.write("\r\x1B[K")
+    };
+    const result = await dispatchSlashCommand(line, {
+      cwd: workDir,
+      profile,
+      sink,
+      refresh
+    });
+    if (result.profile) profile = result.profile;
+    if (result.exit) {
+      console.log(muted("Goodbye!"));
+      rl.close();
+      break;
+    }
+    if (result.redraw) await refresh();
+    prompt();
+  }
+}
+
+// src/shell/onboarding.ts
+init_theme();
+function renderOnboarding() {
+  return [
+    muted("Authenticate to run scans and browse results."),
+    "",
+    `  1. Generate an API key at ${accent("app.fuzzi.dev/settings/api-keys")}`,
+    `  2. Run ${accent("/auth")} or ${accent("fuzzi auth login")}`,
+    `  3. Scan a URL with ${accent("/scan https://example.com")}`,
+    "",
+    muted("Type /help for all commands  \xB7  /palette to search")
+  ].join("\n");
+}
+
+// src/cli/bootstrap.ts
+init_layout();
+init_logger();
+async function tryGetProfile() {
+  try {
+    const creds = await loadCredentials();
+    if (!creds?.api_key) return null;
+    const client = await getAuthenticatedClient();
+    return await client.get("/me");
+  } catch (e) {
+    log.debug("profile bootstrap failed", e);
+    return null;
+  }
+}
+async function runInteractiveMode() {
+  const profile = await tryGetProfile();
+  const workDir = cwd4();
+  const data = await fetchHomeData(profile, workDir);
+  console.log(renderHomeScreen(data));
+  if (!profile) {
+    console.log(panel(renderOnboarding(), { title: "Get started" }));
+  }
+  await runPromptLoop(profile);
+}
+
+// src/index.ts
+async function main(argv) {
+  if (argv.length <= 2) {
+    await runInteractiveMode();
+    return;
+  }
+  await buildProgram().parseAsync(argv);
+}
+main(process.argv).catch((e) => {
+  console.error(formatApiError(e));
+  process.exit(getExitCode(e));
+});
+//# sourceMappingURL=index.js.map