subto 4.0.0 → 6.0.0

package/README.md

@@ -14,3 +14,30 @@ subto scan <url> # request a scan
 ```
 
 This package is a production CLI; it intentionally omits development instructions.
+
+Advanced features
+-----------------
+
+- `subto upload [dir]` — upload your project directory to the built-in AI analyzer. The command samples files from the target directory, respecting a `.subtoignore` file (one pattern per line, `#` for comments). For safety the uploader always ignores `.env` files. The uploader limits total files and bytes to avoid extremely large uploads; see CLI flags `--max-files` and `--max-bytes`.
+
+- `subto scan upload [dir]` — upload a directory to the server and request a scan. This command respects `.subtoignore` and always ignores `.env`. It uploads sampled file snippets (small files fully, larger files head only) and returns an `uploadId` and `scanId` you can use with the AI chat or to fetch scan status.
+
+- `subto upload [dir]` — run a local-only AI analysis on the sampled files (does not send files to the server). Useful when you want quick on-device feedback without uploading.
+
+`.subtoignore` format
+- One pattern per line.
+- Lines starting with `#` are comments.
+- Patterns may be folder names (e.g. `node_modules`), file globs/partials (e.g. `*.lock`), or specific files (`secret.txt`). The uploader uses simple matching: exact token, prefix, contains `/token`, or endsWith token. Examples:
+
+```
+# ignore node modules and build artifacts
+node_modules
+dist
+*.lock
+# ignore specific file
+secret.txt
+```
+
+- AI provider: The CLI prefers `OPENAI_API_KEY` / `AI_API_KEY` for OpenAI calls; if not present it will fall back to `OPENROUTER_API_KEY`. To pick a specific model set `AI_MODEL` (example: `openai/gpt-oss-120b:free` or `gpt-4o-mini`).
+
+Security note: Do not commit secrets. If sensitive keys are accidentally present, rotate them immediately. The `subto upload` tool attempts to avoid printing secret values; it will report their presence and recommend remediation.

package/dist/package/README.md

@@ -40,7 +40,7 @@ Commands
 {
   "url": "https://example.com",
   "source": "cli",
-  "client": { "name": "subto-cli", "version": "4.0.0" }
+  "client": { "name": "subto-cli", "version": "5.0.0" }
 }
 ```
 
@@ -98,11 +98,11 @@ Download
 After publishing or packing, a distributable tarball will be available under `./dist/` e.g.:
 
 ```
-./dist/subto-4.0.0.tgz
+./dist/subto-5.0.0.tgz
 ```
 
 You can download that file directly and install locally with:
 
 ```bash
-npm install -g ./dist/subto-4.0.0.tgz
+npm install -g ./dist/subto-5.0.0.tgz
 ```

package/dist/package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one';
-const CLIENT_META = { name: 'subto-cli', version: '4.0.0' };
+const CLIENT_META = { name: 'subto-cli', version: '5.0.0' };
 
 function configFilePath() { return CONFIG_PATH; }
 
@@ -91,7 +91,7 @@ function printScanSummary(obj) {
 
 async function run(argv) {
   const program = new Command();
-  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '4.0.0');
+  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '5.0.0');
 
   program.command('login').description('Store your API key in ~/.subto/config.json').action(async () => {
     try {

package/index.js

@@ -11,7 +11,22 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one';
-const CLIENT_META = { name: 'subto-cli', version: '4.0.0' };
+const CLIENT_META = { name: 'subto-cli', version: '5.0.0' };
+const cp = require('child_process');
+
+// Load local CLI .env if present (safe, optional)
+try {
+  const dotenvPath = path.join(__dirname, '.env');
+  const fsSync = require('fs');
+  if (fsSync.existsSync(dotenvPath)) {
+    try {
+      const dotenv = require('dotenv');
+      dotenv.config({ path: dotenvPath });
+    } catch (e) {
+      // dotenv not installed in this environment; ignore silently
+    }
+  }
+} catch (e) { /* non-fatal */ }
 
 function configFilePath() { return CONFIG_PATH; }
 
@@ -77,6 +92,18 @@ async function postScan(url, apiKey) {
   return { status: res.status, headers: res.headers, body: data };
 }
 
+function extractScanIdFromHtml(html) {
+  if (!html || typeof html !== 'string') return null;
+  // common patterns: /scan/ID or scanId="..." or data-scan-id="..."
+  const m1 = html.match(/\/scan\/(?:id\/)?([a-zA-Z0-9_-]{8,})/i);
+  if (m1 && m1[1]) return m1[1];
+  const m2 = html.match(/scanId["'\s:=]+([a-zA-Z0-9_-]{8,})/i);
+  if (m2 && m2[1]) return m2[1];
+  const m3 = html.match(/data-scan-id["'\s=:\>]+([a-zA-Z0-9_-]{8,})/i);
+  if (m3 && m3[1]) return m3[1];
+  return null;
+}
+
 function printScanSummary(obj) {
   if (!obj || typeof obj !== 'object') { console.log(obj); return; }
   console.log(chalk.bold('Scan result:'));
@@ -89,12 +116,12 @@ function printScanSummary(obj) {
   if (keys.length) console.log(chalk.dim('  Additional keys: ' + keys.join(', ')));
 }
 
-function printFullReport(data) {
+async function printFullReport(data) {
   const scan = (data && data.results) ? data.results : data;
   if (!scan || typeof scan !== 'object') { console.log(JSON.stringify(data, null, 2)); return; }
 
   const lh = scan.lighthouse || scan.lhr || (scan.results && scan.results.lighthouse) || null;
-  const vt = scan.virustotal || (scan.results && scan.results.virustotal) || null;
+  // VirusTotal reporting removed from API responses; omit vt variable.
   const timings = scan.timings || scan.coreWebVitals || (scan.results && scan.results.timings) || null;
 
   console.log(chalk.bold.underline('\nOverview'));
@@ -154,29 +181,218 @@ function printFullReport(data) {
     console.log('  No issues reported');
   }
 
-  // Malware / VirusTotal
-  if (vt) {
-    console.log(chalk.bold.underline('\nMalware Scan (VirusTotal)'));
-    if (vt.scanDate) console.log('  Scan Date:', vt.scanDate);
-    console.log('  Harmless:', vt.harmless ?? vt.undetected ?? '--');
-    console.log('  Malicious:', vt.malicious ?? '--');
-    console.log('  Suspicious:', vt.suspicious ?? '--');
-    if (vt.resultUrl) console.log('  View Full VirusTotal Report:', vt.resultUrl.replace('https://www.virustotal.com/gui/url/','https://www.virustotal.com/gui/url/'));
-  }
+  // Malware reporting via VirusTotal has been disabled in API responses.
 
   // Video link
   if (scan.videoUrl || scan.videoPath || scan.hasVideo) {
     const vurl = scan.videoUrl || ((scan.videoPath) ? `${process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE}/video/${scan.scanId || scan.id}` : null);
-    if (vurl) console.log(chalk.bold('\nSession video:'), chalk.cyan(vurl));
+    if (vurl) {
+      // attempt to HEAD the video URL to detect expiry / 404
+      let note = '';
+      try {
+        const fetchFn = global.fetch;
+        if (typeof fetchFn === 'function') {
+          const head = await fetchFn(vurl, { method: 'HEAD' });
+          if (head && head.status === 404) note = ' (not found / expired)';
+        }
+      } catch (e) { /* ignore network errors */ }
+      console.log(chalk.bold('\nSession video:'), chalk.cyan(vurl) + (note ? chalk.red(note) : ''));
+      console.log(chalk.dim('  Note: session videos are short-lived (≈1 day) and may return 404 after expiry.'));
+    }
   }
 
   // AI assistant hint
-  console.log(chalk.dim('\nTo inspect full JSON output, run with --json')); 
+  console.log(chalk.dim('\nTo inspect full JSON output, run with --json'));
+  console.log(chalk.dim('Start the built-in assistant with `--chat` to ask questions interactively.'));
+
+  // Helpful interactive links (browser-based) — point to server-side chat and video endpoints
+  try {
+    const base = (process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE).replace(/\/$/, '');
+    const id = scan.scanId || scan.id;
+    if (id) {
+      console.log(chalk.bold.underline('\nInteractive Links'));
+      console.log('  AI Chat:', chalk.cyan(`${base}/aichat/${id}`));
+      console.log('  Session Video:', chalk.cyan(`${base}/video/${id}`));
+      console.log(chalk.dim('  You can also open the local assistant with `--chat`'));    
+    }
+  } catch (e) { /* no-op if env malformed */ }
+}
+
+function copyToClipboard(text){
+  try{
+    if (process.platform === 'darwin'){
+      const p = cp.spawnSync('pbcopy');
+      p.stdin && p.stdin.end(String(text));
+      return true;
+    }
+    if (process.platform === 'win32'){
+      const p = cp.spawnSync('clip'); p.stdin && p.stdin.end(String(text)); return true;
+    }
+  }catch(e){}
+  return false;
+}
+
+async function callOpenAI(prompt){
+  // Test hook: when SUBTO_LOCAL_AI=1, return a canned local response
+  if (process.env.SUBTO_LOCAL_AI === '1') {
+    return 'LOCAL_AI: sample analysis (dry-run) — 1 issue: Example secret detected; Recommendation: rotate.';
+  }
+  // Prefer OpenAI env vars, but also accept OpenRouter key from env or local config for compatibility.
+  const openaiKey = process.env.OPENAI_API_KEY || process.env.AI_API_KEY;
+  let openrouterKey = process.env.OPENROUTER_API_KEY;
+  let configuredModel = process.env.AI_MODEL || process.env.OPENROUTER_MODEL || null;
+  try {
+    const cfg = await readConfig();
+    if (cfg) {
+      if (!openrouterKey && cfg.openrouterKey) openrouterKey = cfg.openrouterKey;
+      if (!configuredModel && cfg.openrouterModel) configuredModel = cfg.openrouterModel;
+      if (!configuredModel && cfg.aiModel) configuredModel = cfg.aiModel;
+    }
+  } catch (e) { /* ignore config read errors */ }
+  const fetchFn = global.fetch;
+  if(typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
+
+  // If OpenAI key present, call OpenAI API; otherwise, if OpenRouter key present, call OpenRouter endpoint.
+  if (openaiKey) {
+    const model = process.env.AI_MODEL || process.env.OPENAI_MODEL || 'gpt-4o-mini';
+    const body = {
+      model,
+      messages: [
+        { role: 'system', content: 'You are an assistant that answers questions using only the provided scan data. If the answer is not contained in the scan data, say you don\'t know. Keep answers concise and reference fields when useful.' },
+        { role: 'user', content: prompt }
+      ],
+      temperature: 0.2,
+      max_tokens: 800
+    };
+    const res = await fetchFn('https://api.openai.com/v1/chat/completions', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${openaiKey}` }, body: JSON.stringify(body) });
+    if (!res.ok) {
+      // Avoid including response bodies in errors to prevent accidental leakage of sensitive data
+      throw new Error(`OpenAI API error ${res.status}: ${res.statusText || 'request failed'}`);
+    }
+    const j = await res.json();
+    const msg = j && j.choices && j.choices[0] && (j.choices[0].message && j.choices[0].message.content || j.choices[0].text);
+    return String(msg || '').trim();
+  }
+
+  if (openrouterKey) {
+    // Use OpenRouter chat completions endpoint
+    const model = configuredModel || 'openai/gpt-oss-120b:free';
+    const body = {
+      model,
+      messages: [
+        { role: 'system', content: 'You are an assistant that answers questions using only the provided scan data. If the answer is not contained in the scan data, say you don\'t know. Keep answers concise and reference fields when useful.' },
+        { role: 'user', content: prompt }
+      ],
+      temperature: 0.2,
+      max_tokens: 800
+    };
+    const res = await fetchFn('https://openrouter.ai/api/v1/chat/completions', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${openrouterKey}` }, body: JSON.stringify(body) });
+    if (!res.ok) {
+      // Avoid including response bodies in errors to prevent accidental leakage of sensitive data
+      throw new Error(`OpenRouter API error ${res.status}: ${res.statusText || 'request failed'}`);
+    }
+    const j = await res.json();
+    // OpenRouter responses mimic OpenAI shape (choices[0].message.content)
+    const msg = j && j.choices && j.choices[0] && (j.choices[0].message && j.choices[0].message.content || j.choices[0].text);
+    return String(msg || '').trim();
+  }
+
+  throw new Error('No AI API key configured in environment (set OPENAI_API_KEY, AI_API_KEY, or OPENROUTER_API_KEY)');
+}
+
+function summarizeScanForPrompt(scan){
+  if(!scan || typeof scan !== 'object') return 'No scan data available.';
+  const parts = [];
+  parts.push(`URL: ${scan.url || scan.results && scan.results.url || 'unknown'}`);
+  parts.push(`ScanId: ${scan.scanId || scan.id || (scan.results && scan.results.scanId) || 'unknown'}`);
+  if(scan.status) parts.push(`Status: ${scan.status}`);
+  const lh = scan.lighthouse || scan.lhr || (scan.results && scan.results.lighthouse);
+  if(lh) {
+    const perf = lh.performance ?? lh.performanceScore ?? (lh.categories && lh.categories.performance && Math.round((lh.categories.performance.score||0)*100));
+    if(perf!=null) parts.push(`Performance: ${perf}`);
+  }
+  const vitals = scan.timings || scan.coreWebVitals || (scan.results && scan.results.timings);
+  if(vitals) {
+    const fcp = vitals.firstContentfulPaint || vitals.fcp; if(fcp!=null) parts.push(`FCP: ${fcp}`);
+    const lcp = vitals.largestContentfulPaint || vitals.lcp; if(lcp!=null) parts.push(`LCP: ${lcp}`);
+    const cls = vitals.cumulativeLayoutShift || vitals.cls; if(cls!=null) parts.push(`CLS: ${cls}`);
+  }
+  const issues = scan.issues || (scan.results && scan.results.issues) || [];
+  if(Array.isArray(issues) && issues.length) parts.push(`Issues: ${issues.slice(0,10).map(i=>i.title||i.message||i.rule||i.id).join('; ')}`);
+  if(scan.videoUrl || scan.videoPath) parts.push(`Video: ${scan.videoUrl || `${process.env.SUBTO_API_BASE_URL||DEFAULT_API_BASE}/video/${scan.scanId||scan.id}`}`);
+  return parts.join('\n');
+}
+
+async function answerFromScan(scan, question){
+  const q = String(question||'').trim();
+  if(!scan) return 'No scan data available.';
+  // If an external AI key is configured, prefer it for richer answers
+  const aiKey = process.env.OPENAI_API_KEY || process.env.AI_API_KEY;
+  if(aiKey) {
+    const summary = summarizeScanForPrompt(scan);
+    const prompt = `Scan summary:\n${summary}\n\nQuestion: ${q}\nAnswer concisely, referencing the scan when relevant.`;
+    try {
+      const out = await callOpenAI(prompt);
+      return out || 'No answer.';
+    } catch (e) {
+      // fall back to local heuristic on API errors
+      // sanitize any bearer tokens that might appear in error messages
+      const raw = e && e.message ? String(e.message) : String(e);
+      const safe = raw.replace(/(Bearer\s+)([^\s]+)/ig, '$1[REDACTED]');
+      console.error('AI request failed:', safe);
+    }
+  }
+
+  // Local heuristic fallback
+  const lq = q.toLowerCase();
+  if(lq.includes('video')||lq.includes('record')){
+    const url = scan.videoUrl || (scan.videoPath? `${process.env.SUBTO_API_BASE_URL||DEFAULT_API_BASE}/video/${scan.scanId||scan.id}` : null);
+    return url? `Session video: ${url}` : 'No session video available for this scan.';
+  }
+  if(lq.includes('issues')||lq.includes('problem')){
+    const issues = scan.issues || (scan.results && scan.results.issues) || [];
+    if(!issues.length) return 'No issues recorded.';
+    return issues.slice(0,10).map((it,i)=> `${i+1}. ${it.title||it.message||it.rule||JSON.stringify(it).slice(0,80)}`).join('\n');
+  }
+  if(lq.includes('performance')||lq.includes('lighthouse')||lq.includes('score')){
+    const lh = scan.lighthouse || scan.lhr || (scan.results && scan.results.lighthouse);
+    if(!lh) return 'No Lighthouse data available.';
+    const cats = lh.categories || {};
+    return Object.keys(cats).map(k=> `${k}: ${Math.round((cats[k].score||0)*100)}%`).join('\n');
+  }
+  const parts = [];
+  if(scan.overview && scan.overview.title) parts.push(`Title: ${scan.overview.title}`);
+  if(scan.results && scan.results.lighthouse && scan.results.lighthouse.categories){
+    const cat = scan.results.lighthouse.categories.performance || scan.results.lighthouse.categories.performance;
+    if(cat && cat.score!=null) parts.push(`Lighthouse performance: ${Math.round(cat.score*100)}%`);
+  }
+  if(scan.issues && scan.issues.length) parts.push(`${scan.issues.length} issues detected.`);
+  return parts.length? parts.join(' — ') : 'Scan complete.';
+}
+
+async function startChatREPL(scanData){
+  if(!process.stdin.isTTY){ console.log(chalk.yellow('Interactive chat not available in non-interactive terminal.')); return; }
+  console.log(chalk.cyan('\nStarting interactive assistant. Type `exit` or Ctrl-D to quit.'));
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: 'AI> ' });
+  rl.prompt();
+  rl.on('line', async (line)=>{
+    const t = line.trim();
+    if(!t){ rl.prompt(); return; }
+    if(['exit','quit'].includes(t.toLowerCase())){ rl.close(); return; }
+    try {
+      const ans = await answerFromScan(scanData, t);
+      console.log(chalk.green('\nAssistant:'), ans.replace(/\n/g,'\n'));
+    } catch (e) {
+      console.error(chalk.red('Assistant error:'), e && e.message ? e.message : String(e));
+    }
+    rl.prompt();
+  }).on('close', ()=>{ console.log(chalk.dim('Assistant closed.')); });
 }
 
 async function run(argv) {
   const program = new Command();
-  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '4.0.0');
+  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '5.0.0');
+  program.option('--chat', 'Start local AI assistant (no command required)');
 
   program.command('login').description('Store your API key in ~/.subto/config.json').action(async () => {
     try {
@@ -194,6 +410,7 @@ async function run(argv) {
     .option('--json', 'Output raw JSON')
     .option('--wait', 'Poll for completion and show progress')
     .option('--no-wait', 'Do not poll; return immediately')
+    .option('--chat', 'Open interactive AI assistant after scan completes')
     .action(async (url, opts) => {
       if (!validateUrl(url)) { console.error(chalk.red('Invalid URL. Provide a full URL including http:// or https://')); process.exit(1); }
       const cfg = await readConfig(); if (!cfg || !cfg.apiKey) { console.error(chalk.red('Missing API key. Run:'), chalk.cyan('subto login')); process.exit(1); }
@@ -212,6 +429,33 @@ async function run(argv) {
         // - if user passed --wait -> poll
         // - if user passed --no-wait -> do not poll
         // - otherwise, poll by default when server returns a queued/started status
+        // If server returned HTML (some proxies or web routes), avoid dumping raw HTML to terminal.
+        // Try to recover a scanId from the HTML and fetch the JSON scan resource instead.
+        if (typeof resp.body === 'string' && resp.body.indexOf('<') !== -1) {
+          // attempt to extract scan id
+          const attemptId = extractScanIdFromHtml(resp.body);
+          const fetchFn = global.fetch;
+          if (attemptId && typeof fetchFn === 'function') {
+            try {
+              const base = process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE;
+              const statusUrl = new URL(`/api/v1/scan/${attemptId}`, base).toString();
+              const r2 = await fetchFn(statusUrl, { headers: { 'Authorization': `Bearer ${cfg.apiKey}`, 'Accept': 'application/json' } });
+              if (r2 && r2.ok) {
+                try { resp.body = await r2.json(); } catch (e) { /* leave as-is */ }
+              } else {
+                // replace body with minimal metadata so CLI can continue
+                resp.body = { scanId: attemptId, status: 'accepted' };
+              }
+            } catch (e) {
+              // couldn't fetch, fall through and keep original body but avoid printing HTML
+              resp.body = { status: 'unknown', note: 'Server returned HTML and scanId could not be resolved.' };
+            }
+          } else {
+            // No scan id found; replace with a safe message (do NOT print raw HTML)
+            resp.body = { status: 'unknown', note: 'Server returned HTML. Use --wait or provide the scanId to fetch structured JSON.' };
+          }
+        }
+
         const serverStatus = resp.body && resp.body.status;
         const serverIndicatesQueued = serverStatus && ['started', 'queued', 'pending', 'accepted'].includes(String(serverStatus).toLowerCase());
         const shouldPoll = (!opts.noWait) && (opts.wait || serverIndicatesQueued);
@@ -244,6 +488,9 @@ async function run(argv) {
           // Percent smoothing: last displayed percent and target from server
           let lastDisplayedPercent = 0;
           let targetPercent = 0;
+          // Track last server-provided percent to detect stalls
+          let lastServerPercent = null;
+          let lastServerChangeAt = Date.now();
           let lastPollTs = Date.now();
           const terminalStates = ['finished', 'completed', 'done', 'complete', 'success', 'succeeded'];
 
@@ -315,17 +562,28 @@ async function run(argv) {
             const spinner = spinnerFrames[spinnerIndex % spinnerFrames.length];
             spinnerIndex += 1;
 
-            // robustly extract status string
-            let rawLabel = 'waiting';
-            if (d && d.status) {
-              if (typeof d.status === 'string') rawLabel = d.status;
-              else if (typeof d.status === 'object' && (d.status.state || d.status.name)) rawLabel = d.status.state || d.status.name;
-              else rawLabel = String(d.status);
-            }
-            const label = String(rawLabel).replace(/[_-]+/g, ' ').trim().replace(/\b\w/g, c => c.toUpperCase());
+            // concise status label to avoid dumping long stage strings
+            const normalize = s => String(s || '').toLowerCase().replace(/[_-]+/g,' ').trim();
+            const statusRaw = d && d.status ? (typeof d.status === 'string' ? d.status : (d.status.state||d.status.name||String(d.status))) : '';
+            const statusNorm = normalize(statusRaw);
+            let statusLabel = 'Waiting';
+            if (statusNorm.includes('queued') || statusNorm.includes('pending') || statusNorm.includes('accepted')) statusLabel = 'Queued';
+            else if (statusNorm.includes('start') || statusNorm.includes('running') || statusNorm.includes('in progress') || statusNorm.includes('processing') || statusNorm.includes('scanning')) statusLabel = 'In Progress';
+            else if (statusNorm && terminalStates.includes(statusNorm)) statusLabel = 'Finished';
+
+            // short stage (truncated)
+            const rawStage = d && (d.stage || d.step || d.substage) ? (d.stage || d.step || d.substage) : '';
+            const stageShort = String(rawStage).replace(/[_-]+/g,' ').trim().slice(0,24);
+            const label = stageShort ? `${statusLabel} • ${stageShort}` : statusLabel;
 
             // Update targetPercent from latest data but don't immediately drop lastDisplayedPercent
             const serverPct = computePercentFromData(d);
+            // detect server percent changes
+            if (lastServerPercent === null || serverPct !== lastServerPercent) {
+              lastServerPercent = serverPct;
+              lastServerChangeAt = Date.now();
+            }
+
             if (serverPct >= 100) {
               targetPercent = 100;
             } else if (serverPct > lastDisplayedPercent) {
@@ -334,11 +592,26 @@ async function run(argv) {
               targetPercent = Math.max(targetPercent, serverPct);
             }
 
-            // If explicit numeric progress provided and > lastDisplayed, accept it as target
-            if (d && typeof d.progress === 'number' && d.progress > lastDisplayedPercent) {
-              targetPercent = Math.max(targetPercent, Math.max(0, Math.min(100, Math.round(d.progress))));
+            // If explicit numeric progress provided, accept and trust it
+            if (d && typeof d.progress === 'number') {
+              const p = Math.max(0, Math.min(100, Math.round(d.progress)));
+              if (p > targetPercent) targetPercent = p;
+              if (p !== lastServerPercent) { lastServerPercent = p; lastServerChangeAt = Date.now(); }
             }
 
+            // Nudging: if server percent hasn't changed for a while, nudge progress slowly toward next bucket
+            try {
+              const now = Date.now();
+              const stallMs = now - lastServerChangeAt;
+              if (stallMs > 5000 && serverPct > 0 && serverPct < 100) {
+                const BUCKETS = [1,5,10,50,70,90,99,100];
+                const next = BUCKETS.find(b => b > serverPct) || 100;
+                // gently increment by 1 per render tick but do not exceed next bucket
+                const proposed = Math.min(next, lastDisplayedPercent + 1);
+                if (proposed > lastDisplayedPercent) targetPercent = Math.max(targetPercent, proposed);
+              }
+            } catch (e) { /* ignore nudging errors */ }
+
             // Smooth display: approach targetPercent gradually each tick
             if (lastDisplayedPercent < targetPercent) {
               const diff = targetPercent - lastDisplayedPercent;
@@ -370,7 +643,6 @@ async function run(argv) {
             lastPollTs = Date.now();
           }
 
-          console.log(chalk.blue('Queued scan. Polling for progress...'));
           let headerState = 'queued';
           function startSpinner(){
             if (spinnerTimer) return;
@@ -402,18 +674,9 @@ async function run(argv) {
             const nonQueueStates = ['started','running','in progress','inprogress','processing','scanning'];
             const statusStr = data && data.status ? String(data.status).toLowerCase().trim() : '';
             if (headerState === 'queued' && statusStr && !['queued','pending','accepted'].includes(statusStr)) {
+              // transition to started but keep single-line spinner (do not print extra lines)
               headerState = 'started';
-              try {
-                if (process.stdout && process.stdout.isTTY) {
-                  readline.moveCursor(process.stdout, 0, -1);
-                  readline.clearLine(process.stdout, 0);
-                  console.log(chalk.blue('Started scan.'));
-                } else {
-                  console.log(chalk.blue('Started scan.'));
-                }
-              } catch (e) {
-                console.log(chalk.blue('Started scan.'));
-              }
+              lastRender = ''; // force render refresh
             }
 
             // render progress line
@@ -441,7 +704,8 @@ async function run(argv) {
               try { readline.clearLine(process.stdout, 0); readline.cursorTo(process.stdout, 0); } catch (e) { /* ignore */ }
               console.log(chalk.green('Scan finished. Full results:'));
               if (opts && opts.json) console.log(JSON.stringify(data, null, 2));
-              else printFullReport(data);
+              else await printFullReport(data);
+              if (opts && opts.chat) await startChatREPL(data);
               return;
             }
 
@@ -453,10 +717,273 @@ async function run(argv) {
 
         // Default (no wait): pretty summary
         printScanSummary(resp.body);
+        if (opts && opts.chat) await startChatREPL(resp.body);
       } catch (err) { const msg = err && err.message ? err.message : String(err); console.error(chalk.red('Network error:'), msg); process.exit(1); }
     });
 
+  // Upload and scan locally via server: `subto scan upload [dir]`
+  program
+    .command('scan upload [dir]')
+    .description('Upload a directory to the server and request a scan (respects .subtoignore)')
+    .option('--wait', 'Poll until analysis completes')
+    .action(async (dir, opts) => {
+      const target = dir ? path.resolve(dir) : process.cwd();
+      const cfg = await readConfig(); if (!cfg || !cfg.apiKey) { console.error(chalk.red('Missing API key. Run:'), chalk.cyan('subto login')); process.exit(1); }
+
+      // reuse uploader logic to collect & sample files (simple version)
+      async function readIgnore(root){ const ignPath = path.join(root, '.subtoignore'); try{ const txt = await fs.readFile(ignPath,'utf8'); return txt.split(/\r?\n/).map(l=>l.trim()).filter(l=>l && !l.startsWith('#')); }catch(e){ return []; } }
+      const ignoreList = (await readIgnore(target)).concat(['.env']);
+      function isIgnored(rel){ if(!rel) return false; for(const ig of ignoreList){ if(!ig) continue; if(ig===rel) return true; if(rel===ig) return true; if(rel.startsWith(ig) || rel.includes('/'+ig) || rel.endsWith(ig)) return true; } return false; }
+      const collected = []; let totalBytes = 0;
+      async function walk(dirPath, base){ const entries = await fs.readdir(dirPath, { withFileTypes: true }); for(const ent of entries){ const rel = path.relative(base, path.join(dirPath, ent.name)).replace(/\\/g,'/'); if (isIgnored(rel)) continue; const full = path.join(dirPath, ent.name); if (ent.isDirectory()) { await walk(full, base); } else if (ent.isFile()) { try { const st = await fs.stat(full); if (st.size <=0) continue; collected.push({ path: rel, full, size: st.size }); totalBytes += st.size; } catch(e){} } } }
+      await walk(target, target);
+      if (!collected.length) { console.error(chalk.yellow('No files collected for upload.')); return; }
+      // sample up to 80 smallest files with content snippets
+      const bySize = collected.slice().sort((a,b)=>a.size-b.size).slice(0,80);
+      const samples = [];
+      for(const f of bySize){ try { if (f.size <= 16*1024) { const txt = await fs.readFile(f.full,'utf8'); samples.push({ path: f.path, size: f.size, content: txt.slice(0, 12000) }); } else { const fd = await fs.open(f.full,'r'); const buf = Buffer.alloc(8192); const { bytesRead } = await fd.read(buf,0,buf.length,0); await fd.close(); samples.push({ path: f.path, size: f.size, content: buf.slice(0,bytesRead).toString('utf8') }); } } catch(e){ samples.push({ path: f.path, size: f.size, content: '' }); } }
+
+      // Send to server
+      try {
+        const base = process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE;
+        const endpoint = new URL('/api/v1/upload', base).toString();
+        const fetchFn = global.fetch; if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
+        const body = { files: samples, meta: { collected: collected.length, totalBytes } };
+        const r = await fetchFn(endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${cfg.apiKey}` }, body: JSON.stringify(body) });
+        if (!r.ok) {
+          const txt = await r.text().catch(()=>null);
+          console.error(chalk.red('Upload failed:'), r.status, txt || r.statusText);
+          try {
+            const t = String(txt || '').toLowerCase();
+            if (t.includes('openrouter') && (t.includes('429') || t.includes('too many requests') || t.includes('rate limit'))) {
+              console.error(chalk.yellow('Experiencing This To Much Upload Your Own Key At "subto upload key"'));
+            }
+          } catch (e) { /* ignore */ }
+          process.exit(1);
+        }
+        const j = await r.json(); console.log(chalk.green('Upload queued:'), j.uploadId, 'scanId:', j.scanId, 'expiresAt:', new Date(j.expiresAt).toString());
+        if (opts.wait) {
+          // Poll the scan resource until completed (reuse existing polling behavior)
+          const statusUrl = new URL(`/api/v1/scan/${j.scanId}`, base).toString();
+          const sleep = ms => new Promise(r=>setTimeout(r,ms));
+          while (true) {
+            const s = await fetchFn(statusUrl, { headers: { 'Authorization': `Bearer ${cfg.apiKey}`, 'Accept': 'application/json' } });
+            if (!s.ok) { console.error(chalk.red('Failed to fetch scan status:', s.status)); break; }
+            const data = await s.json(); if (data.status && ['completed','done','finished','success'].includes(String(data.status).toLowerCase())) { console.log(chalk.green('Scan complete.')); await printFullReport(data); break; }
+            console.log(chalk.dim('Scan status:'), data.status || 'queued', '— polling again in 4s'); await sleep(4000);
+          }
+        }
+      } catch (e) { console.error(chalk.red('Upload request error:'), e && e.message ? e.message : String(e)); process.exit(1); }
+    });
+
+  program
+    .command('chat [scanId]')
+    .description('Start the local AI assistant for a scan (optionally provide scanId)')
+    .action(async (scanId) => {
+      const cfg = await readConfig();
+      if (!cfg || !cfg.apiKey) { console.error(chalk.red('Missing API key. Run:'), chalk.cyan('subto login')); process.exit(1); }
+      let scanData = null;
+      try {
+        if (!scanId) {
+          console.log(chalk.yellow('No scanId provided. You can paste raw JSON or enter a scanId. Press Enter to cancel.'));
+          const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+          const answer = await new Promise(res => rl.question('ScanId or JSON file path: ', a => { rl.close(); res(a && a.trim()); }));
+          if (!answer) { console.log('Aborted.'); return; }
+          // if answer looks like a file, try to read JSON
+          try { if (await fs.stat(answer).then(s=>s.isFile()).catch(()=>false)) { const txt = await fs.readFile(answer,'utf8'); scanData = JSON.parse(txt); } } catch(e) { /* not a file */ }
+          if (!scanData) scanId = answer;
+        }
+
+        if (!scanData && scanId) {
+          const base = process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE;
+          const fetchFn = global.fetch;
+          if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
+          const statusUrl = new URL(`/api/v1/scan/${scanId}`, base).toString();
+          const r = await fetchFn(statusUrl, { headers: { 'Authorization': `Bearer ${cfg.apiKey}`, 'Accept': 'application/json' } });
+          if (!r.ok) { throw new Error(`Failed to fetch scan ${scanId}: ${r.status}`); }
+          scanData = await r.json();
+        }
+
+        if (!scanData) { console.error(chalk.red('No scan data available.')); return; }
+        await startChatREPL(scanData);
+      } catch (e) { console.error(chalk.red('Error starting chat:'), e && e.message ? e.message : String(e)); process.exit(1); }
+    });
+
+  // Upload project files to AI for analysis. Respects `.subtoignore` and always ignores `.env`.
+  program
+    .command('upload [dir]')
+    .description('Upload your project (or directory) to the AI assistant for analysis')
+    .option('--max-files <n>', 'Maximum number of files to include', '300')
+    .option('--max-bytes <n>', 'Maximum total bytes to include', String(5 * 1024 * 1024))
+    .action(async (dir, opts) => {
+      try {
+        const target = dir ? path.resolve(dir) : process.cwd();
+        const maxFiles = parseInt(opts.maxFiles || opts.maxFiles === 0 ? opts.maxFiles : opts.maxFiles, 10) || parseInt(opts.maxFiles || 300, 10) || 300;
+        const maxBytes = parseInt(opts.maxBytes || opts.maxBytes === 0 ? opts.maxBytes : opts.maxBytes, 10) || (5 * 1024 * 1024);
+
+        // Read .subtoignore if present
+        async function readIgnore(root){
+          const ignPath = path.join(root, '.subtoignore');
+          try { const txt = await fs.readFile(ignPath, 'utf8'); return txt.split(/\r?\n/).map(l=>l.trim()).filter(l=>l && !l.startsWith('#')); } catch(e){ return []; }
+        }
+
+        const ignoreList = (await readIgnore(target)).concat(['.env']);
+
+        // Simple matcher: skip if relative path equals or contains any ignore token
+        function isIgnored(rel){
+          if (!rel) return false;
+          for (const ig of ignoreList) {
+            if (!ig) continue;
+            if (ig === rel) return true;
+            if (rel === ig) return true;
+            if (rel.startsWith(ig) || rel.includes('/' + ig) || rel.endsWith(ig)) return true;
+          }
+          return false;
+        }
+
+        // Walk directory
+        const collected = [];
+        let totalBytes = 0;
+        async function walk(dirPath, base){
+          const entries = await fs.readdir(dirPath, { withFileTypes: true });
+          for (const ent of entries) {
+            const rel = path.relative(base, path.join(dirPath, ent.name)).replace(/\\\\/g,'/');
+            if (isIgnored(rel)) continue;
+            const full = path.join(dirPath, ent.name);
+            if (ent.isDirectory()) {
+              await walk(full, base);
+              if (collected.length >= maxFiles) return;
+            } else if (ent.isFile()) {
+              try {
+                const st = await fs.stat(full);
+                if (st.size <= 0) continue;
+                if (totalBytes + st.size > maxBytes) continue;
+                collected.push({ path: rel, full, size: st.size });
+                totalBytes += st.size;
+                if (collected.length >= maxFiles) return;
+              } catch (e) { continue; }
+            }
+          }
+        }
+
+        await walk(target, target);
+
+        if (!collected.length) { console.log(chalk.yellow('No files collected for upload (check .subtoignore or target directory).')); return; }
+
+        // Sample files (small files included fully; large files include head)
+        async function sampleFile(f) {
+          try {
+            if (f.size <= 16 * 1024) {
+              const txt = await fs.readFile(f.full, 'utf8'); return { path: f.path, size: f.size, snippet: txt };
+            }
+            const fd = await fs.open(f.full, 'r');
+            const buf = Buffer.alloc(8192);
+            const { bytesRead } = await fd.read(buf, 0, buf.length, 0);
+            await fd.close();
+            return { path: f.path, size: f.size, snippet: buf.slice(0, bytesRead).toString('utf8') };
+          } catch (e) { return { path: f.path, size: f.size, snippet: null }; }
+        }
+
+        const samples = [];
+        // choose up to 80 files to sample, preferring smaller files
+        const bySize = collected.slice().sort((a,b)=>a.size-b.size).slice(0, 80);
+        for (const f of bySize) samples.push(await sampleFile(f));
+
+        // Build prompt
+        const manifestLines = collected.slice(0, 1000).map(f => `${f.path} (${f.size} bytes)`);
+        const promptParts = [];
+        promptParts.push('You are a codebase analysis assistant.');
+        promptParts.push('The user asked: Analyze the uploaded project and provide actionable fixes, security issues, performance improvements, and a prioritized TODO list. NEVER print any secrets found in files; instead, flag their presence and recommend rotation/removal.');
+        promptParts.push('\nMANIFEST:\n' + manifestLines.join('\n'));
+        promptParts.push('\nSAMPLES:\n');
+        for (const s of samples) {
+          promptParts.push(`--- FILE: ${s.path} (${s.size} bytes) ---\n` + (s.snippet ? s.snippet.slice(0, 12000) : '[binary or unreadable]'));
+        }
+        promptParts.push('\nProvide a concise prioritized list of suggested fixes (max 12 items), and mark any potential secrets or sensitive config entries found.');
+
+        const prompt = promptParts.join('\n\n');
+
+        console.log(chalk.dim(`Collected ${collected.length} files, ${Math.round(totalBytes/1024)} KB total. Sending summary to AI...`));
+        const answer = await callOpenAI(prompt);
+        console.log(chalk.bold('\nAI Analysis:'));
+        console.log(answer);
+        console.log(chalk.dim('\nNote: sensitive values are not printed; rotate any exposed keys if they were stored in the repo.'));
+      } catch (e) {
+        console.error(chalk.red('Upload failed:'), e && e.message ? e.message : String(e));
+        process.exit(1);
+      }
+    });
+
+  // Store a local OpenRouter key + model for client-side AI calls (kept in ~/.subto)
+  program
+    .command('upload key')
+    .description('Store a local OpenRouter API key and model for analysis (kept locally only)')
+    .action(async () => {
+      try {
+        const key = await promptHidden('OpenRouter API key: ');
+        if (!key || !key.trim()) { console.log('Aborted.'); return; }
+        // Ask for preferred model
+        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+        const model = await new Promise(res => rl.question('Model (e.g. openai/gpt-oss-120b:free): ', a => { rl.close(); res(a && a.trim()); }));
+        const chosenModel = model && model.length ? model : 'openai/gpt-oss-120b:free';
+
+        // Try to validate model exists (best-effort). If validation fails, ask user to confirm saving.
+        let validated = false;
+        const fetchFn = global.fetch;
+        if (typeof fetchFn === 'function') {
+          try {
+            const res = await fetchFn('https://openrouter.ai/api/v1/models', { headers: { 'Authorization': `Bearer ${key}` } });
+            if (res && res.ok) {
+              const jd = await res.json().catch(()=>null);
+              const modelsList = jd && (jd.models || jd.data || jd) ;
+              const names = Array.isArray(modelsList) ? modelsList.map(m => m.id || m.name || m.model || m.modelId).filter(Boolean) : [];
+              if (names.length && names.includes(chosenModel)) validated = true;
+            }
+          } catch (e) { /* ignore network errors */ }
+        }
+
+        if (!validated) {
+          const rl2 = readline.createInterface({ input: process.stdin, output: process.stdout });
+          const answer = await new Promise(res => rl2.question('Could not verify model with OpenRouter. Save anyway? (y/N): ', a => { rl2.close(); res(a && a.trim().toLowerCase()); }));
+          if (answer !== 'y' && answer !== 'yes') { console.log('Aborted.'); return; }
+        }
+
+        const cfg = await readConfig() || {};
+        cfg.openrouterKey = key.trim();
+        cfg.openrouterModel = chosenModel;
+        await writeConfig(cfg);
+        console.log(chalk.green('OpenRouter key and model saved to'), chalk.cyan(configFilePath()));
+      } catch (e) { console.error(chalk.red('Failed to save key:'), e && e.message ? e.message : String(e)); process.exit(1); }
+    });
+
   if (!argv || argv.length === 0) { program.help(); return; }
+  // Support global `--chat` flag when used without a subcommand (e.g. `subto --chat`)
+  const rawArgs = Array.isArray(argv) ? argv.slice() : [];
+  const chatFlagOnly = rawArgs.includes('--chat') && !rawArgs.some(a => ['scan','login','chat'].includes(a));
+  if (chatFlagOnly) {
+    // emulate the `chat` command action
+    const cfg = await readConfig();
+    if (!cfg || !cfg.apiKey) { console.error(chalk.red('Missing API key. Run:'), chalk.cyan('subto login')); process.exit(1); }
+    // prompt for scanId or JSON path
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise(res => rl.question('ScanId or JSON file path (blank to cancel): ', a => { rl.close(); res(a && a.trim()); }));
+    if (!answer) { console.log('Aborted.'); return; }
+    let scanData = null;
+    try { if (await fs.stat(answer).then(s=>s.isFile()).catch(()=>false)) { const txt = await fs.readFile(answer,'utf8'); scanData = JSON.parse(txt); } } catch(e) {}
+    try {
+      if (!scanData) {
+        const base = process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE; const fetchFn = global.fetch;
+        if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
+        const statusUrl = new URL(`/api/v1/scan/${answer}`, base).toString();
+        const r = await fetchFn(statusUrl, { headers: { 'Authorization': `Bearer ${cfg.apiKey}`, 'Accept': 'application/json' } });
+        if (!r.ok) throw new Error(`Failed to fetch scan ${answer}: ${r.status}`);
+        scanData = await r.json();
+      }
+      await startChatREPL(scanData);
+      return;
+    } catch (e) { console.error(chalk.red('Error starting chat:'), e && e.message ? e.message : String(e)); process.exit(1); }
+  }
+
   await program.parseAsync(argv, { from: 'user' });
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "subto",
-  "version": "4.0.0",
+  "version": "6.0.0",
   "description": "Subto CLI — thin wrapper around the Subto.One API",
   "bin": {
     "subto": "bin/subto.js"
@@ -29,10 +29,12 @@
   },
   "scripts": {
     "prepublishOnly": "node ./scripts/prepublish-check.js",
-    "postinstall": "node ./scripts/fix-node-domexception.js"
+    "postinstall": "node ./scripts/fix-node-domexception.js",
+    "test:smoke": "bash test/smoke_cli_test.sh"
   },
   "dependencies": {
     "commander": "^11.0.0",
     "chalk": "^5.3.0"
   }
+  
 }