fuzzi-cli 0.1.4 → 0.1.6

package/dist/index.js

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __esm = (fn, res) => function __init() {
@@ -35,7 +36,7 @@ var init_brand = __esm({
       HIGH: BRAND.danger,
       CRITICAL: BRAND.critical
     };
-    VERSION = "0.1.4";
+    VERSION = "0.1.6";
     APP_ORIGIN = "https://fuzzi-ten.vercel.app";
     DEFAULT_API_URL = `${APP_ORIGIN}/api`;
     SETTINGS_API_KEYS_URL = `${APP_ORIGIN}/settings/api-keys`;
@@ -52,7 +53,10 @@ function fuzziDir() {
   return FUZZI_DIR;
 }
 async function ensureDir() {
-  await mkdir(FUZZI_DIR, { recursive: true, mode: 448 });
+  await mkdir(FUZZI_DIR, {
+    recursive: true,
+    ...process.platform === "win32" ? {} : { mode: 448 }
+  });
 }
 function normalizeCredentials(raw) {
   if (raw.api_key && typeof raw.api_key === "string") {
@@ -128,7 +132,10 @@ import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2, chmod
 import { homedir as homedir2 } from "os";
 import { join as join2 } from "path";
 async function ensureDir2() {
-  await mkdir2(fuzziDir(), { recursive: true, mode: 448 });
+  await mkdir2(fuzziDir(), {
+    recursive: true,
+    ...process.platform === "win32" ? {} : { mode: 448 }
+  });
 }
 async function loadConfig() {
   for (const path of [CONFIG_PATH, LEGACY_CONFIG_PATH]) {
@@ -219,10 +226,40 @@ var init_logger = __esm({
   }
 });
 
+// src/lib/api-utils.ts
+function errorText(value) {
+  if (value == null) return "";
+  if (typeof value === "string") return value;
+  if (Array.isArray(value)) return value.map(errorText).filter(Boolean).join("; ");
+  if (typeof value === "object") {
+    const o = value;
+    if (typeof o.detail === "string") return o.detail;
+    if (Array.isArray(o.detail)) return o.detail.map(errorText).join("; ");
+    if (typeof o.message === "string") return o.message;
+    if (typeof o.error === "string") return o.error;
+    try {
+      return JSON.stringify(value);
+    } catch {
+      return String(value);
+    }
+  }
+  return String(value);
+}
+function asList(data) {
+  if (!data) return [];
+  if (Array.isArray(data)) return data;
+  return data.results ?? data.data ?? [];
+}
+var init_api_utils = __esm({
+  "src/lib/api-utils.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/api-client.ts
 function mapErrorMessage(status, body) {
-  const code = body.code?.toLowerCase();
-  const msg = body.error || body.message || "";
+  const code = typeof body.code === "string" ? body.code.toLowerCase() : "";
+  const msg = errorText(body.error ?? body.message ?? body.detail);
   if (status === 401) {
     if (code === "key_revoked" || msg.toLowerCase().includes("revoked")) {
       return "API key has been revoked. Please log in again.";
@@ -230,7 +267,7 @@ function mapErrorMessage(status, body) {
     if (code === "key_expired" || msg.toLowerCase().includes("expired")) {
       return `API key has expired. Generate a new one at ${SETTINGS_API_KEYS_URL}`;
     }
-    return `Invalid API key. Generate a new one at ${SETTINGS_API_KEYS_URL}`;
+    return msg || `Invalid API key. Generate a new one at ${SETTINGS_API_KEYS_URL}`;
   }
   if (status === 403 && (code === "ssrf" || msg.toLowerCase().includes("private ip"))) {
     return "This URL is not allowed (private IP address detected). Please scan a public-facing URL.";
@@ -262,6 +299,7 @@ var init_api_client = __esm({
     init_credentials();
     init_logger();
     init_brand();
+    init_api_utils();
     ApiError = class extends Error {
       constructor(message, status, code, body, exitCode) {
         super(message);
@@ -334,7 +372,7 @@ var init_api_client = __esm({
             message = `Rate limit exceeded. Retry after ${seconds} seconds.`;
           }
           if (res.status >= 500) {
-            message = `Scan failed: ${errBody.error || errBody.message || res.statusText}`;
+            message = `Request failed: ${errorText(errBody.error ?? errBody.message ?? errBody.detail) || res.statusText}`;
           }
           throw new ApiError(message, res.status, errBody.code, data, 2);
         }
@@ -398,7 +436,8 @@ function getCapabilities() {
   const cols = stdout.columns ?? 80;
   const term = process.env.TERM ?? "";
   const colorterm = process.env.COLORTERM ?? "";
-  const trueColor = colorterm.includes("truecolor") || colorterm.includes("24bit") || term.includes("truecolor") || !!process.env.FORCE_COLOR && process.env.FORCE_COLOR !== "0";
+  const onWindows = process.platform === "win32";
+  const trueColor = colorterm.includes("truecolor") || colorterm.includes("24bit") || term.includes("truecolor") || !!process.env.FORCE_COLOR && process.env.FORCE_COLOR !== "0" || onWindows && stdout.isTTY === true || !!process.env.WT_SESSION || !!process.env.TERM_PROGRAM;
   cached = {
     width: Math.max(60, cols),
     trueColor,
@@ -524,10 +563,10 @@ var init_strings = __esm({
 });
 
 // src/terminal/width.ts
-import { stdout as stdout2 } from "process";
+import { stdout as stdout3 } from "process";
 function terminalWidth() {
   resetCapabilities();
-  return Math.max(64, (stdout2.columns ?? 80) - 2);
+  return Math.max(64, (stdout3.columns ?? 80) - 2);
 }
 function contentWidth() {
   return terminalWidth() - 4;
@@ -697,14 +736,41 @@ init_brand();
 init_logger();
 import { randomBytes } from "crypto";
 import { createServer } from "http";
-import { exec } from "child_process";
+
+// src/lib/platform.ts
+import { spawn } from "child_process";
+import { stdout as stdout2, stderr } from "process";
+function configurePlatform() {
+  if (process.platform !== "win32") return;
+  try {
+    if (stdout2.isTTY) enableWindowsVtMode(stdout2);
+    if (stderr.isTTY) enableWindowsVtMode(stderr);
+  } catch {
+  }
+}
+function enableWindowsVtMode(stream) {
+  const handle = stream._handle;
+  if (!handle?.setMode || handle.mode == null) return;
+  handle.setMode(handle.mode | 4);
+}
 function openBrowser(url) {
   const platform = process.platform;
-  const cmd2 = platform === "darwin" ? `open ${JSON.stringify(url)}` : platform === "win32" ? `start "" ${JSON.stringify(url)}` : `xdg-open ${JSON.stringify(url)}`;
-  exec(cmd2, (err) => {
-    if (err) log.warn("could not open browser automatically", err.message);
-  });
+  if (platform === "win32") {
+    spawn("cmd", ["/c", "start", "", url], {
+      detached: true,
+      stdio: "ignore",
+      windowsHide: true
+    }).unref();
+    return;
+  }
+  if (platform === "darwin") {
+    spawn("open", [url], { detached: true, stdio: "ignore" }).unref();
+    return;
+  }
+  spawn("xdg-open", [url], { detached: true, stdio: "ignore" }).unref();
 }
+
+// src/lib/browser-auth.ts
 function apiOrigin(apiUrl) {
   return apiUrl.replace(/\/api\/?$/, "") || APP_ORIGIN;
 }
@@ -718,6 +784,58 @@ async function openCliAuthPage() {
 
 // src/commands/auth.ts
 init_brand();
+
+// src/terminal/interactive.ts
+init_theme();
+import { select, search } from "@inquirer/prompts";
+var pauseHook = null;
+var resumeHook = null;
+function setReadlineHooks(pause, resume) {
+  pauseHook = pause;
+  resumeHook = resume;
+}
+async function runInteractive(fn) {
+  return withReadlinePaused(fn);
+}
+async function withReadlinePaused(fn) {
+  pauseHook?.();
+  try {
+    return await fn();
+  } finally {
+    resumeHook?.();
+  }
+}
+async function pickFromList(message, items) {
+  if (!items.length) return null;
+  try {
+    return await withReadlinePaused(() => select({ message, choices: items }));
+  } catch {
+    return null;
+  }
+}
+async function searchPalette(message, choices) {
+  try {
+    return await withReadlinePaused(
+      () => search({
+        message,
+        source: async (input5) => {
+          if (!input5) return choices;
+          const q = input5.toLowerCase();
+          return choices.filter(
+            (c) => c.value.toLowerCase().includes(q) || String(c.description ?? "").toLowerCase().includes(q)
+          );
+        }
+      })
+    );
+  } catch {
+    return null;
+  }
+}
+function formatChoice(name, description) {
+  return `${accent(name)}${muted(" \u2014 " + description)}`;
+}
+
+// src/commands/auth.ts
 async function runAssistedBrowserLogin() {
   await openCliAuthPage();
   console.log("");
@@ -753,15 +871,17 @@ async function runApiKeyLogin(opts = {}) {
         2
       );
     }
-    apiKey = await password({
-      message: "Paste your API key (fz_live_...):",
-      mask: "\u2022",
-      validate: (v) => {
-        if (!v.trim()) return "API key is required";
-        if (!isValidApiKeyFormat(v)) return "Key must start with fz_live_";
-        return true;
-      }
-    });
+    apiKey = await runInteractive(
+      () => password({
+        message: "Paste your API key (fz_live_...):",
+        mask: "\u2022",
+        validate: (v) => {
+          if (!v.trim()) return "API key is required";
+          if (!isValidApiKeyFormat(v)) return "Key must start with fz_live_";
+          return true;
+        }
+      })
+    );
   }
   apiKey = apiKey.trim();
   if (!isValidApiKeyFormat(apiKey)) {
@@ -1062,7 +1182,12 @@ function createProgress(label, stream = false) {
       }
     };
   }
-  let spinner = ora({ text: label, color: "cyan", discardStdin: false }).start();
+  let spinner = ora({
+    text: label,
+    color: "cyan",
+    discardStdin: false,
+    isEnabled: getCapabilities().interactive
+  }).start();
   return {
     update(message) {
       if (spinner) spinner.text = message;
@@ -1087,6 +1212,17 @@ function createProgress(label, stream = false) {
     }
   };
 }
+async function withSpinner(label, fn) {
+  const p = createProgress(label);
+  try {
+    const result = await fn();
+    p.stop();
+    return result;
+  } catch (e) {
+    p.fail();
+    throw e;
+  }
+}
 
 // src/commands/scan.ts
 init_strings();
@@ -1186,6 +1322,7 @@ async function runScanCommand(client, opts) {
 }
 
 // src/commands/scans.ts
+init_api_utils();
 async function runScansListCommand(client, format = "table", filters) {
   const params = new URLSearchParams({ page: "1", page_size: String(filters?.limit || 20) });
   if (filters?.status) params.set("status", filters.status);
@@ -1193,7 +1330,7 @@ async function runScansListCommand(client, format = "table", filters) {
   const data = await client.get(
     `/scans?${params.toString()}`
   );
-  return renderScansList(data.results || [], format);
+  return renderScansList(asList(data), format);
 }
 async function runScanGetCommand(client, scanId, format = "table") {
   const detail = await client.get(`/scan/${scanId}`);
@@ -1405,25 +1542,34 @@ import { stdin as input3, stdout as output, cwd as cwd3 } from "process";
 // src/lib/assets.ts
 import { readFile as readFile4 } from "fs/promises";
 import { dirname, join as join4 } from "path";
-import { fileURLToPath } from "url";
+import { fileURLToPath, pathToFileURL } from "url";
 import { existsSync as existsSync2 } from "fs";
+import { createRequire } from "module";
 function assetsDir() {
   const here = dirname(fileURLToPath(import.meta.url));
   const candidates = [
     join4(here, "..", "assets"),
-    // dist/lib → dist/../assets = package/assets
+    // dist/index.js or dist/lib → package/assets
     join4(here, "..", "..", "assets"),
     // src/lib → package/assets
     join4(here, "assets")
-    // bundled flat fallback
   ];
+  try {
+    const req = createRequire(import.meta.url);
+    const pkgRoot = dirname(req.resolve("fuzzi-cli/package.json"));
+    candidates.unshift(join4(pkgRoot, "assets"));
+  } catch {
+  }
   for (const p of candidates) {
     if (existsSync2(join4(p, "changelog.json"))) return p;
   }
   return candidates[0];
 }
+function assetPath(name) {
+  return join4(assetsDir(), name);
+}
 async function readAsset(name) {
-  return readFile4(join4(assetsDir(), name), "utf8");
+  return readFile4(assetPath(name), "utf8");
 }
 
 // src/shell/home-screen.ts
@@ -1453,6 +1599,10 @@ init_width();
 function visibleLen(s) {
   return s.replace(/\x1b\[[0-9;]*m/g, "").length;
 }
+function padCell(content, width) {
+  const inner = width - 2;
+  return " " + padEndVisible(content, inner) + " ";
+}
 function topBanner(title, width = contentWidth()) {
   const inner = ` ${title} `;
   const dashes = Math.max(0, width - 2 - visibleLen(inner));
@@ -1480,7 +1630,7 @@ function tripleColumnPanel(cols, totalWidth = contentWidth()) {
   const maxRows = Math.max(...cols.map((c) => c.lines.length), 1);
   const body = [top];
   for (let i = 0; i < maxRows; i++) {
-    const cells = cols.map((c, idx) => padEndVisible(c.lines[i] ?? "", widths[idx]));
+    const cells = cols.map((c, idx) => padCell(c.lines[i] ?? "", widths[idx]));
     body.push(
       border("\u2502") + cells[0] + border("\u2502") + cells[1] + border("\u2502") + cells[2] + border("\u2502")
     );
@@ -1498,7 +1648,7 @@ function singlePanel(title, lines, width = contentWidth()) {
   const dashes = Math.max(0, inner - visibleLen(prefix));
   const top = border(`\u250C${prefix}${"\u2500".repeat(dashes)}\u2510`);
   const bottom = border(`\u2514${"\u2500".repeat(inner)}\u2518`);
-  const body = lines.map((l) => border("\u2502") + padEndVisible(l, inner) + border("\u2502"));
+  const body = lines.map((l) => border("\u2502") + padCell(l, inner + 2) + border("\u2502"));
   return [top, ...body, bottom].join("\n");
 }
 function tipPanel(text, width = contentWidth()) {
@@ -1507,9 +1657,9 @@ function tipPanel(text, width = contentWidth()) {
   const dashes = Math.max(0, inner - visibleLen(prefix));
   const top = border(`\u250C${prefix}${"\u2500".repeat(dashes)}\u2510`);
   const bottom = border(`\u2514${"\u2500".repeat(inner)}\u2518`);
-  return [top, border("\u2502") + padEndVisible(text, inner) + border("\u2502"), bottom].join("\n");
+  return [top, border("\u2502") + padCell(text, inner + 2) + border("\u2502"), bottom].join("\n");
 }
-function besideMark(mark, text, markCol = 14, gap = 2) {
+function besideMark(mark, text, markCol = 18, gap = 3) {
   const rows = Math.max(mark.length, text.length);
   const out = [];
   for (let i = 0; i < rows; i++) {
@@ -1701,47 +1851,17 @@ function emptyState(title, hint, action) {
 
 // src/commands/keys.ts
 init_brand();
-
-// src/terminal/interactive.ts
-init_theme();
-import { select, search } from "@inquirer/prompts";
-async function pickFromList(message, items) {
-  if (!items.length) return null;
-  try {
-    return await select({ message, choices: items });
-  } catch {
-    return null;
-  }
-}
-async function searchPalette(message, choices) {
-  try {
-    return await search({
-      message,
-      source: async (input5) => {
-        if (!input5) return choices;
-        const q = input5.toLowerCase();
-        return choices.filter((c) => c.value.includes(q) || c.description?.includes(q));
-      }
-    });
-  } catch {
-    return null;
-  }
-}
-function formatChoice(name, description) {
-  return `${accent(name)}${muted(" \u2014 " + description)}`;
-}
-
-// src/commands/keys.ts
+init_api_utils();
 async function runKeysListCommand(client) {
   const data = await client.get("/keys");
-  const keys = data.results || [];
+  const keys = asList(data);
   if (!keys.length) {
     return emptyState("No API keys", `Create one at ${SETTINGS_API_KEYS_URL}`, "[n] new key in this view");
   }
   const rows = keys.map((k) => [
     k.name,
     k.prefix,
-    k.scopes?.join(", ") || muted("\u2014"),
+    k.scopes && Array.isArray(k.scopes) ? k.scopes.join(", ") : muted("\u2014"),
     k.revoked ? muted("Revoked") : k.active ? success("Active") : muted("Inactive"),
     k.last_used_at ? new Date(k.last_used_at).toLocaleDateString() : muted("Never")
   ]);
@@ -1753,13 +1873,16 @@ async function runKeyRevoke(client, keyId) {
 }
 async function pickKeyForRevoke(client) {
   const data = await client.get("/keys");
-  const active = (data.results || []).filter((k) => !k.revoked && k.active);
+  const active = asList(data).filter((k) => !k.revoked && k.active);
   return pickFromList(
     "Select a key to revoke",
     active.map((k) => ({ name: `${k.name} (${k.prefix})`, value: k.id }))
   );
 }
 
+// src/shell/slash-commands.ts
+init_api_utils();
+
 // src/shell/help-screen.ts
 init_layout();
 init_theme();
@@ -1843,7 +1966,10 @@ async function loadHistory() {
 async function appendHistory(line) {
   const trimmed = line.trim();
   if (!trimmed || trimmed.startsWith("#")) return;
-  await mkdir3(fuzziDir(), { recursive: true, mode: 448 });
+  await mkdir3(fuzziDir(), {
+    recursive: true,
+    ...process.platform === "win32" ? {} : { mode: 448 }
+  });
   await appendFile(HISTORY_PATH, trimmed + "\n", "utf8");
 }
 
@@ -1901,6 +2027,135 @@ function normalizeScanUrl(url) {
   if (!/^https?:\/\//i.test(u)) return `https://${u}`;
   return u;
 }
+var SPINNER_LABELS = {
+  "/scan": "Scanning target...",
+  "/status": "Loading account status...",
+  "/scans": "Loading scans...",
+  "/keys": "Loading API keys...",
+  "/config": "Updating configuration...",
+  "/compare": "Comparing scans...",
+  "/whatif": "Running simulation...",
+  "/report": "Fetching report...",
+  "/auth": "Signing in...",
+  "/auth-key": "Validating API key...",
+  "/login": "Signing in...",
+  "/changelog": "Loading changelog...",
+  "/history": "Loading history...",
+  "/palette": "Opening command palette...",
+  "/commands": "Opening command palette..."
+};
+function spinnerLabel(cmd2) {
+  return SPINNER_LABELS[cmd2.toLowerCase()] ?? null;
+}
+async function executeSlashCommand(cmd2, arg, ctx) {
+  switch (cmd2.toLowerCase()) {
+    case "/help":
+      ctx.sink.write(renderHelpScreen());
+      break;
+    case "/palette":
+    case "/commands": {
+      const picked = await openCommandPalette();
+      if (picked) return dispatchSlashCommand(picked, ctx);
+      break;
+    }
+    case "/clear":
+      return { redraw: true };
+    case "/history": {
+      const hist = await loadHistory();
+      ctx.sink.write(renderHistoryScreen(hist));
+      break;
+    }
+    case "/scan": {
+      if (!arg) {
+        ctx.sink.write(error("Usage: /scan <url>"));
+        break;
+      }
+      const client = await getAuthenticatedClient();
+      const progress = createStreamProgress(ctx.sink);
+      const result = await runScanCommand(client, {
+        url: normalizeScanUrl(arg),
+        wait: true,
+        onProgress: progress.update,
+        streamProgress: true
+      });
+      progress.stop();
+      ctx.sink.write(result.output);
+      break;
+    }
+    case "/status": {
+      const client = await getAuthenticatedClient();
+      const status = await runStatusCommand(client);
+      const rate = await runRateLimitStatus(client);
+      ctx.sink.write(rate ? `${status}
+
+${muted("Rate limit")}  ${rate}` : status);
+      break;
+    }
+    case "/scans":
+      await runScansInteractive(ctx);
+      break;
+    case "/keys":
+      await runKeysInteractive(ctx);
+      break;
+    case "/config": {
+      if (!arg.includes("=")) {
+        ctx.sink.write(error("Usage: /config key=value"));
+        break;
+      }
+      const [k, ...vParts] = arg.split("=");
+      ctx.sink.write(await runConfigSet(k.trim(), vParts.join("=").trim()));
+      break;
+    }
+    case "/changelog": {
+      const raw = await readAsset("changelog.json");
+      ctx.sink.write(renderChangelog(JSON.parse(raw)));
+      break;
+    }
+    case "/compare": {
+      const [a, b] = arg.split(/\s+/);
+      if (!a || !b) {
+        ctx.sink.write(error("Usage: /compare <scan-a> <scan-b>"));
+        break;
+      }
+      const { runCompareCommand: runCompareCommand2 } = await Promise.resolve().then(() => (init_compare(), compare_exports));
+      ctx.sink.write(await runCompareCommand2(a, b, "table"));
+      break;
+    }
+    case "/whatif": {
+      if (!arg) {
+        ctx.sink.write(error("Usage: /whatif <scan-id>"));
+        break;
+      }
+      const { runWhatIfCommand: runWhatIfCommand2 } = await Promise.resolve().then(() => (init_whatif(), whatif_exports));
+      ctx.sink.write(await runWhatIfCommand2(arg, {}, "table"));
+      break;
+    }
+    case "/report": {
+      if (!arg) {
+        ctx.sink.write(error("Usage: /report <scan-id>"));
+        break;
+      }
+      const { runReportCommand: runReportCommand2 } = await Promise.resolve().then(() => (init_report(), report_exports));
+      const client = await getAuthenticatedClient();
+      ctx.sink.write(await runReportCommand2(client, arg, "json"));
+      break;
+    }
+    case "/login":
+    case "/auth": {
+      const result = await runAssistedBrowserLogin();
+      ctx.sink.write(result.message);
+      return { profile: result.profile, redraw: true };
+    }
+    case "/auth-key": {
+      ctx.sink.write(await runApiKeyLogin({ interactive: true }));
+      const client = await getAuthenticatedClient();
+      return { profile: await client.get("/me"), redraw: true };
+    }
+    default:
+      ctx.sink.write(errorBox(`Unknown command: ${cmd2}`, "Type /help"));
+  }
+  return {};
+}
 async function dispatchSlashCommand(line, ctx) {
   const trimmed = line.trim();
   if (!trimmed) return {};
@@ -1922,112 +2177,11 @@ ${accent("/help")} lists everything`
     return {};
   }
   try {
-    switch (cmd2.toLowerCase()) {
-      case "/help":
-        ctx.sink.write(renderHelpScreen());
-        break;
-      case "/palette":
-      case "/commands": {
-        const picked = await openCommandPalette();
-        if (picked) return dispatchSlashCommand(picked, ctx);
-        break;
-      }
-      case "/clear":
-        return { redraw: true };
-      case "/history": {
-        const hist = await loadHistory();
-        ctx.sink.write(renderHistoryScreen(hist));
-        break;
-      }
-      case "/scan": {
-        if (!arg) {
-          ctx.sink.write(error("Usage: /scan <url>"));
-          break;
-        }
-        const client = await getAuthenticatedClient();
-        const progress = createStreamProgress(ctx.sink);
-        const result = await runScanCommand(client, {
-          url: normalizeScanUrl(arg),
-          wait: true,
-          onProgress: progress.update,
-          streamProgress: true
-        });
-        progress.stop();
-        ctx.sink.write(result.output);
-        break;
-      }
-      case "/status": {
-        const client = await getAuthenticatedClient();
-        const status = await runStatusCommand(client);
-        const rate = await runRateLimitStatus(client);
-        ctx.sink.write(rate ? `${status}
-
-${muted("Rate limit")}  ${rate}` : status);
-        break;
-      }
-      case "/scans":
-        await runScansInteractive(ctx);
-        break;
-      case "/keys":
-        await runKeysInteractive(ctx);
-        break;
-      case "/config": {
-        if (!arg.includes("=")) {
-          ctx.sink.write(error("Usage: /config key=value"));
-          break;
-        }
-        const [k, ...vParts] = arg.split("=");
-        ctx.sink.write(await runConfigSet(k.trim(), vParts.join("=").trim()));
-        break;
-      }
-      case "/changelog": {
-        const raw = await readAsset("changelog.json");
-        ctx.sink.write(renderChangelog(JSON.parse(raw)));
-        break;
-      }
-      case "/compare": {
-        const [a, b] = arg.split(/\s+/);
-        if (!a || !b) {
-          ctx.sink.write(error("Usage: /compare <scan-a> <scan-b>"));
-          break;
-        }
-        const { runCompareCommand: runCompareCommand2 } = await Promise.resolve().then(() => (init_compare(), compare_exports));
-        ctx.sink.write(await runCompareCommand2(a, b, "table"));
-        break;
-      }
-      case "/whatif": {
-        if (!arg) {
-          ctx.sink.write(error("Usage: /whatif <scan-id>"));
-          break;
-        }
-        const { runWhatIfCommand: runWhatIfCommand2 } = await Promise.resolve().then(() => (init_whatif(), whatif_exports));
-        ctx.sink.write(await runWhatIfCommand2(arg, {}, "table"));
-        break;
-      }
-      case "/report": {
-        if (!arg) {
-          ctx.sink.write(error("Usage: /report <scan-id>"));
-          break;
-        }
-        const { runReportCommand: runReportCommand2 } = await Promise.resolve().then(() => (init_report(), report_exports));
-        const client = await getAuthenticatedClient();
-        ctx.sink.write(await runReportCommand2(client, arg, "json"));
-        break;
-      }
-      case "/login":
-      case "/auth": {
-        const result = await runAssistedBrowserLogin();
-        ctx.sink.write(result.message);
-        return { profile: result.profile, redraw: true };
-      }
-      case "/auth-key": {
-        ctx.sink.write(await runApiKeyLogin({ interactive: true }));
-        const client = await getAuthenticatedClient();
-        return { profile: await client.get("/me"), redraw: true };
-      }
-      default:
-        ctx.sink.write(errorBox(`Unknown command: ${cmd2}`, "Type /help"));
+    const label = spinnerLabel(cmd2);
+    if (label) {
+      return await withSpinner(label, () => executeSlashCommand(cmd2, arg, ctx));
     }
+    return await executeSlashCommand(cmd2, arg, ctx);
   } catch (e) {
     ctx.sink.error(formatApiError(e));
   }
@@ -2052,7 +2206,7 @@ async function runScansInteractive(ctx) {
   while (true) {
     const list = await runScansListCommand(client, "table", { limit: 20 });
     const data = await client.get("/scans?page=1&page_size=20");
-    const scans = data.results || [];
+    const scans = asList(data);
     if (!scans.length) {
       ctx.sink.write(emptyState("No scans yet", "Run /scan <url> to create your first scan", "/scan https://example.com"));
       return;
@@ -2069,10 +2223,12 @@ async function runScansInteractive(ctx) {
     if (!scanId) return;
     const detail = await client.get(`/scan/${scanId}`);
     ctx.sink.write(renderScanResult(detail, "table"));
-    const cont = await input2({
-      message: muted("Enter = back to list  \xB7  q = exit"),
-      default: ""
-    }).catch(() => "q");
+    const cont = await runInteractive(
+      () => input2({
+        message: muted("Enter = back to list  \xB7  q = exit"),
+        default: ""
+      })
+    ).catch(() => "q");
     if (cont.toLowerCase() === "q") return;
   }
 }
@@ -2080,14 +2236,16 @@ async function runKeysInteractive(ctx) {
   const client = await getAuthenticatedClient();
   ctx.sink.write(await runKeysListCommand(client));
   ctx.sink.write(muted("\nActions: [r] revoke  [n] new key  [Enter] back"));
-  const action = await input2({ message: "Action", default: "" }).catch(() => "");
+  const action = await runInteractive(() => input2({ message: "Action", default: "" })).catch(() => "");
   if (action.toLowerCase() === "r") {
     const keyId = await pickKeyForRevoke(client);
     if (!keyId) return;
-    const ok = await confirm2({ message: "Revoke this API key?", default: false }).catch(() => false);
+    const ok = await runInteractive(
+      () => confirm2({ message: "Revoke this API key?", default: false })
+    ).catch(() => false);
     if (ok) ctx.sink.write(successBox(await runKeyRevoke(client, keyId)));
   } else if (action.toLowerCase() === "n") {
-    const name = await promptNewKeyName();
+    const name = await runInteractive(() => promptNewKeyName());
     const created = await client.post("/keys", { name });
     ctx.sink.write(success(`Created: ${created.name} (${created.prefix})`));
     ctx.sink.write(accent("Save this key \u2014 it won't be shown again:"));
@@ -2139,6 +2297,13 @@ async function runPromptLoop(initialProfile) {
     rl.close();
     process.exit(0);
   });
+  setReadlineHooks(
+    () => rl.pause(),
+    () => {
+      process.stdout.write("\n");
+      rl.resume();
+    }
+  );
   const prompt = () => process.stdout.write(accent("> "));
   prompt();
   for await (const line of rl) {
@@ -2176,15 +2341,32 @@ init_theme();
 init_credentials();
 init_api_client();
 init_logger();
+function profileFromCredentials(creds) {
+  return {
+    id: "local",
+    email: creds.email || "user@local",
+    full_name: creds.full_name || null,
+    role: "analyst",
+    organization: "\u2014",
+    key_expires_at: creds.key_expires_at ?? null,
+    key_prefix: creds.key_prefix ?? null
+  };
+}
 async function tryGetProfile() {
+  const creds = await loadCredentials();
+  if (!creds?.api_key) return null;
   try {
-    const creds = await loadCredentials();
-    if (!creds?.api_key) return null;
-    const client = await getAuthenticatedClient();
-    return await client.get("/me");
+    const client = await FuzziApiClient.create();
+    const profile = await client.get("/me");
+    return profile;
   } catch (e) {
-    log.debug("profile bootstrap failed", e);
-    return null;
+    if (e instanceof ApiError && e.status === 401) {
+      log.debug("stored credentials invalid, clearing");
+      await clearCredentials();
+      return null;
+    }
+    log.debug("profile bootstrap failed, using cached credentials", e);
+    return profileFromCredentials(creds);
   }
 }
 
@@ -2226,6 +2408,7 @@ async function runInteractiveMode() {
 }
 
 // src/index.ts
+configurePlatform();
 async function main(argv) {
   if (argv.length <= 2) {
     await runInteractiveMode();