prismor-cli 1.3.0__py3-none-any.whl

prismor/cli.py

@@ -0,0 +1,1305 @@
+"""Command-line interface for Prismor security scanning tool."""
+
+import sys
+import json
+import os
+import click
+import threading
+import time
+import subprocess
+from typing import Optional
+from . import __version__
+from .api import PrismorClient, PrismorAPIError, parse_github_repo, DEFAULT_SCAN_POLL_INTERVAL_SECONDS, DEFAULT_SCAN_MAX_WAIT_SECONDS
+from .sanitize import strip_sensitive, build_fix_prompt
+
+try:
+    from rich.console import Console
+    from rich.table import Table
+    from rich.panel import Panel
+    from rich.live import Live
+    from rich.spinner import Spinner as RichSpinner
+    from rich.text import Text
+    from rich import box
+    RICH_AVAILABLE = True
+except ImportError:
+    RICH_AVAILABLE = False
+
+console = Console() if RICH_AVAILABLE else None
+
+
+def detect_git_branch() -> Optional[str]:
+    """Auto-detect the current git branch if running inside a git repository."""
+    try:
+        result = subprocess.run(
+            ['git', 'rev-parse', '--abbrev-ref', 'HEAD'],
+            capture_output=True, text=True, timeout=5
+        )
+        if result.returncode == 0:
+            branch = result.stdout.strip()
+            if branch and branch != 'HEAD':
+                return branch
+    except Exception:
+        pass
+    return None
+
+
+def print_success(message: str):
+    click.secho(f"✓ {message}", fg="green")
+
+
+def print_error(message: str):
+    click.secho(f"✗ {message}", fg="red", err=True)
+
+
+def print_info(message: str):
+    click.secho(f"ℹ {message}", fg="blue")
+
+
+def print_warning(message: str):
+    click.secho(f"⚠ {message}", fg="yellow")
+
+
+class Spinner:
+    """Simple spinner for showing loading state."""
+
+    def __init__(self, message: str = "Processing"):
+        self.message = message
+        self.spinner_chars = "|/-\\"
+        self.spinner_index = 0
+        self.running = False
+        self.thread = None
+
+    def _spin(self):
+        while self.running:
+            char = self.spinner_chars[self.spinner_index % len(self.spinner_chars)]
+            sys.stdout.write(f"\r{char} {self.message}...")
+            sys.stdout.flush()
+            self.spinner_index += 1
+            time.sleep(0.1)
+
+    def start(self):
+        self.running = True
+        self.thread = threading.Thread(target=self._spin, daemon=True)
+        self.thread.start()
+
+    def stop(self, message: str = None):
+        self.running = False
+        if self.thread:
+            self.thread.join(timeout=0.2)
+        sys.stdout.write("\r" + " " * (len(self.message) + 15) + "\r")
+        sys.stdout.flush()
+        if message:
+            click.echo(message)
+
+
+def should_show_spinner() -> bool:
+    """Show spinners only in interactive terminals, never in CI logs."""
+    if os.environ.get("PRISMOR_NO_SPINNER", "").strip().lower() in {"1", "true", "yes", "on"}:
+        return False
+    if os.environ.get("GITHUB_ACTIONS", "").strip().lower() == "true":
+        return False
+    if os.environ.get("CI", "").strip().lower() == "true":
+        return False
+    return sys.stdout.isatty()
+
+
+# Severity display config
+_SEVERITY_COLORS = {
+    "CRITICAL": "bold red",
+    "HIGH": "red",
+    "MEDIUM": "yellow",
+    "LOW": "blue",
+    "UNKNOWN": "dim",
+}
+
+_SEVERITY_CLICK_COLORS = {
+    "CRITICAL": ("red", True),
+    "HIGH": ("red", False),
+    "MEDIUM": ("yellow", False),
+    "LOW": ("blue", False),
+    "UNKNOWN": (None, False),
+}
+
+MAX_VULN_ROWS = 5
+
+
+def _render_vuln_table_rich(vulns: list, dashboard_url: Optional[str] = None):
+    """Render a Rich vulnerability table capped at MAX_VULN_ROWS."""
+    table = Table(box=box.ROUNDED, show_header=True, header_style="bold cyan", expand=False)
+    table.add_column("Severity", min_width=10)
+    table.add_column("CVE / ID", min_width=20)
+    table.add_column("Package", min_width=18)
+    table.add_column("Installed", min_width=12)
+    table.add_column("Fixed In", min_width=12)
+
+    shown = vulns[:MAX_VULN_ROWS]
+    for v in shown:
+        sev = (v.get("Severity") or v.get("severity") or "UNKNOWN").upper()
+        style = _SEVERITY_COLORS.get(sev, "dim")
+        cve = v.get("VulnerabilityID") or v.get("id") or "—"
+        pkg = v.get("PkgName") or v.get("package") or v.get("pkg") or "—"
+        installed = v.get("InstalledVersion") or v.get("installed_version") or "—"
+        fixed = v.get("FixedVersion") or v.get("fixed_version") or "—"
+        table.add_row(
+            Text(sev, style=style),
+            cve,
+            pkg,
+            installed,
+            fixed,
+        )
+
+    console.print(table)
+
+    remaining = len(vulns) - MAX_VULN_ROWS
+    if remaining > 0:
+        msg = f"  ... and {remaining} more"
+        if dashboard_url:
+            msg += f" — view full report: {dashboard_url}"
+        click.secho(msg, fg="cyan")
+
+
+def _render_vuln_table_plain(vulns: list, dashboard_url: Optional[str] = None):
+    """Fallback plain-text vulnerability table."""
+    header = f"  {'SEVERITY':<12} {'CVE / ID':<26} {'PACKAGE':<20} {'INSTALLED':<14} {'FIXED IN'}"
+    click.echo(header)
+    click.echo("  " + "-" * 90)
+    for v in vulns[:MAX_VULN_ROWS]:
+        sev = (v.get("Severity") or v.get("severity") or "UNKNOWN").upper()
+        fg, bold = _SEVERITY_CLICK_COLORS.get(sev, (None, False))
+        cve = (v.get("VulnerabilityID") or v.get("id") or "—")[:25]
+        pkg = (v.get("PkgName") or v.get("package") or "—")[:19]
+        installed = (v.get("InstalledVersion") or v.get("installed_version") or "—")[:13]
+        fixed = (v.get("FixedVersion") or v.get("fixed_version") or "—")[:13]
+        row = f"  {sev:<12} {cve:<26} {pkg:<20} {installed:<14} {fixed}"
+        click.secho(row, fg=fg, bold=bold)
+
+    remaining = len(vulns) - MAX_VULN_ROWS
+    if remaining > 0:
+        msg = f"  ... and {remaining} more"
+        if dashboard_url:
+            msg += f" — view full report: {dashboard_url}"
+        click.secho(msg, fg="cyan")
+
+
+def render_vuln_table(vulns: list, dashboard_url: Optional[str] = None):
+    """Render vulnerability table using Rich if available, else plain text."""
+    if not vulns:
+        click.secho("  No vulnerabilities found ✓", fg="green")
+        return
+    if RICH_AVAILABLE and should_show_spinner():
+        _render_vuln_table_rich(vulns, dashboard_url)
+    else:
+        _render_vuln_table_plain(vulns, dashboard_url)
+
+
+# Sanitization + prompt-building helpers live in prismor.sanitize so the
+# local-fix path can share them without a circular import. Keep the private
+# alias for the existing call sites in this module.
+_strip_sensitive = strip_sensitive
+
+
+def format_prompt_results(results: dict, repo: str):
+    """Format results with an LLM prompt for fixing vulnerabilities."""
+    click.echo(build_fix_prompt(results, repo, mode="advise"))
+
+
+def format_scan_results(results: dict, scan_type: str, dashboard_url: Optional[str] = None):
+    """Format and display scan results."""
+    click.echo("\n" + "=" * 60)
+    click.secho(f"  Scan Results - {scan_type}", fg="cyan", bold=True)
+    click.echo("=" * 60 + "\n")
+
+    if "repository" in results:
+        click.secho("Repository:", fg="yellow", bold=True)
+        click.echo(f"  {results['repository']}\n")
+
+    if "branch" in results:
+        click.secho("Branch:", fg="yellow", bold=True)
+        click.echo(f"  {results['branch']}\n")
+
+    if "commit_sha" in results:
+        click.secho("Commit SHA:", fg="yellow", bold=True)
+        click.echo(f"  {results['commit_sha']}\n")
+
+    if "scans" in results:
+        scans = results["scans"]
+
+        # Vulnerability scan results
+        if "vulnerability" in scans:
+            vuln_scan = scans["vulnerability"]
+            click.secho("Vulnerability Scan:", fg="yellow", bold=True)
+            status_color = "green" if vuln_scan.get("status") in ["success", "completed"] else "red"
+            click.secho(f"  Status: {vuln_scan.get('status', 'unknown')}", fg=status_color)
+
+            vulns = []
+            if "scan_results" in vuln_scan:
+                scan_data = vuln_scan["scan_results"]
+                # Flat list format (legacy)
+                flat = scan_data.get("vulnerabilities")
+                if isinstance(flat, list) and flat and isinstance(flat[0], dict) and "Severity" in flat[0]:
+                    vulns = flat
+                else:
+                    # Trivy format: Results[].Vulnerabilities[]
+                    for target in scan_data.get("Results", []):
+                        vulns.extend(target.get("Vulnerabilities") or [])
+                    # Final fallback: top-level Results as flat list
+                    if not vulns:
+                        top = scan_data.get("Results", [])
+                        if isinstance(top, list) and top and "Severity" in top[0]:
+                            vulns = top
+
+            if vulns:
+                click.secho(f"  Vulnerabilities Found: {len(vulns)}", fg="red" if len(vulns) > 0 else "green")
+                click.echo()
+                render_vuln_table(vulns, dashboard_url)
+            else:
+                click.secho("  Vulnerabilities Found: 0", fg="green")
+
+            if "public_url" in vuln_scan:
+                click.echo(f"\n  Results URL: {vuln_scan['public_url']}")
+            click.echo()
+
+        # SBOM results
+        if "sbom" in scans:
+            sbom_scan = scans["sbom"]
+            click.secho("SBOM Generation:", fg="yellow", bold=True)
+            status_color = "green" if sbom_scan.get("status") in ["success", "completed"] else "red"
+            click.secho(f"  Status: {sbom_scan.get('status', 'unknown')}", fg=status_color)
+            if "sbom" in sbom_scan:
+                sbom_data = sbom_scan["sbom"]
+                if isinstance(sbom_data, list):
+                    click.echo(f"  Artifacts Found: {len(sbom_data)}")
+            if "public_url" in sbom_scan:
+                click.echo(f"  Results URL: {sbom_scan['public_url']}")
+            click.echo()
+
+        # Secret scan results
+        if "secret" in scans:
+            secret_scan = scans["secret"]
+            click.secho("Secret Detection:", fg="yellow", bold=True)
+            status_color = "green" if secret_scan.get("status") in ["success", "completed"] else "red"
+            click.secho(f"  Status: {secret_scan.get('status', 'unknown')}", fg=status_color)
+
+            if "summary" in secret_scan:
+                summary = secret_scan["summary"]
+                if isinstance(summary, dict):
+                    total = summary.get("total", 0)
+                    click.echo(f"  Total Detected: {total}")
+                    ai_triage = summary.get("ai_triage")
+                    if isinstance(ai_triage, dict) and ai_triage.get("total", 0) > 0:
+                        real = ai_triage.get("real_secrets", 0)
+                        false_pos = ai_triage.get("false_positives", 0)
+                        click.secho("  AI Triage:", fg="cyan", bold=True)
+                        if real > 0:
+                            click.secho(f"    Real Secrets: {real}", fg="red", bold=True)
+                        else:
+                            click.secho(f"    Real Secrets: {real}", fg="green")
+                        click.secho(f"    False Positives: {false_pos}", fg="bright_black")
+                        by_severity = ai_triage.get("by_severity", {})
+                        if by_severity:
+                            click.secho("    Severity Breakdown:", fg="cyan")
+                            if by_severity.get("CRITICAL", 0) > 0:
+                                click.secho(f"      CRITICAL: {by_severity['CRITICAL']}", fg="red", bold=True)
+                            if by_severity.get("HIGH", 0) > 0:
+                                click.secho(f"      HIGH: {by_severity['HIGH']}", fg="red")
+                            if by_severity.get("MEDIUM", 0) > 0:
+                                click.secho(f"      MEDIUM: {by_severity['MEDIUM']}", fg="yellow")
+                            if by_severity.get("LOW", 0) > 0:
+                                click.secho(f"      LOW: {by_severity['LOW']}", fg="blue")
+                            if by_severity.get("FALSE_POSITIVE", 0) > 0:
+                                click.secho(f"      FALSE POSITIVE: {by_severity['FALSE_POSITIVE']}", fg="bright_black")
+                    else:
+                        for key, value in summary.items():
+                            if key not in ("total", "ai_triage"):
+                                click.echo(f"  {key}: {value}")
+                else:
+                    click.echo(f"  Summary: {summary}")
+
+            if "public_url" in secret_scan:
+                click.echo(f"  Results URL: {secret_scan['public_url']}")
+            click.echo()
+
+    if "scanned_at" in results:
+        click.secho("Scanned At:", fg="yellow", bold=True)
+        click.echo(f"  {results['scanned_at']}\n")
+
+    click.echo("=" * 60 + "\n")
+
+
+def _watch_scan(client: PrismorClient, job_id: str):
+    """Poll scan status with a live spinner until done, then return status_data."""
+    poll_interval = DEFAULT_SCAN_POLL_INTERVAL_SECONDS
+    max_wait = DEFAULT_SCAN_MAX_WAIT_SECONDS
+    started_at = time.time()
+
+    use_rich = RICH_AVAILABLE and should_show_spinner()
+
+    try:
+        if use_rich:
+            with Live(refresh_per_second=4, transient=True) as live:
+                while True:
+                    elapsed = int(time.time() - started_at)
+                    live.update(Text(f"  ⠸ Polling scan {job_id}... ({elapsed}s elapsed)", style="cyan"))
+                    time.sleep(poll_interval)
+                    if time.time() - started_at > max_wait:
+                        raise PrismorAPIError(f"Timed out after {max_wait}s. Check with: prismor scan-status {job_id}")
+                    status_data = client.check_scan_status(job_id)
+                    status = status_data.get("status")
+                    if status in {"completed", "success", "failed", "error"}:
+                        return status_data
+        else:
+            while True:
+                elapsed = int(time.time() - started_at)
+                print_info(f"Polling scan {job_id}... ({elapsed}s elapsed)")
+                time.sleep(poll_interval)
+                if time.time() - started_at > max_wait:
+                    raise PrismorAPIError(f"Timed out after {max_wait}s. Check with: prismor scan-status {job_id}")
+                status_data = client.check_scan_status(job_id)
+                status = status_data.get("status")
+                if status in {"completed", "success", "failed", "error"}:
+                    return status_data
+    except KeyboardInterrupt:
+        click.echo()
+        print_warning(f"Stopped watching. Scan still running in background.")
+        click.echo(f"  Check with: prismor scan-status {job_id}")
+        sys.exit(0)
+
+
+def _show_fix_success_panel(status_data: dict):
+    """Display a highlighted panel for a successful fix job."""
+    pr_url = status_data.get("pr_url", "")
+    branch = status_data.get("branch", "")
+    files = status_data.get("files_changed") or []
+    summary = status_data.get("summary", "")
+
+    if RICH_AVAILABLE and should_show_spinner():
+        lines = ["[bold green]Fix PR Ready![/bold green]"]
+        if pr_url:
+            lines.append(f"[green]{pr_url}[/green]")
+        if branch:
+            lines.append(f"Branch: {branch}")
+        if files:
+            lines.append(f"Files changed: {len(files)}")
+        if summary:
+            lines.append(f"\n{summary}")
+        console.print(Panel("\n".join(lines), border_style="green", expand=False))
+    else:
+        click.echo("\n" + "=" * 60)
+        print_success("Fix PR Ready!")
+        if pr_url:
+            click.secho(f"  PR: {pr_url}", fg="green", bold=True)
+        if branch:
+            click.echo(f"  Branch: {branch}")
+        if files:
+            click.echo(f"  Files changed: {len(files)}")
+            for f in files[:10]:
+                click.echo(f"    • {f}")
+            if len(files) > 10:
+                click.echo(f"    ... and {len(files) - 10} more")
+        if summary:
+            click.echo(f"  Summary: {summary}")
+        click.echo("=" * 60 + "\n")
+
+
+@click.group(invoke_without_command=True)
+@click.option("--repo", "scan_repo", type=str, help="Repository to scan (username/repo, GitHub URL, SSH URL, etc.)")
+@click.option("--scan", is_flag=True, help="Perform vulnerability scanning")
+@click.option("--sbom", is_flag=True, help="Generate Software Bill of Materials")
+@click.option("--detect-secret", is_flag=True, help="Detect secrets in repository")
+@click.option("--fullscan", is_flag=True, help="Perform all scan types")
+@click.option("--fix", is_flag=True, help="AI auto-fix: scan then open a PR with fixes (implies --scan if no scan flag given)")
+@click.option("--branch", type=str, help="Specific branch to scan (defaults to main/master)")
+@click.option("--json", "output_json", is_flag=True, help="Output results in JSON format")
+@click.option("--output", "-o", type=click.Path(), help="Save results to file (JSON format)")
+@click.option("--quiet", "-q", is_flag=True, help="Minimal output (only errors and final results)")
+@click.option("--action_id", type=str, help="GitHub Action Run ID associated with this scan")
+@click.option("--prompt", is_flag=True, help="Output detailed scan results with an LLM prompt for fixing vulnerabilities")
+@click.version_option(version=__version__, prog_name="prismor")
+@click.pass_context
+def cli(ctx, scan_repo: Optional[str], scan: bool, sbom: bool, detect_secret: bool,
+        fullscan: bool, fix: bool, branch: Optional[str], output_json: bool, output: Optional[str], quiet: bool, action_id: Optional[str], prompt: bool):
+    """Prismor CLI - Security scanning tool for GitHub repositories.
+
+    Examples:
+        prismor --repo username/repo --scan
+        prismor --repo username/repo --fullscan
+        prismor --repo username/repo --scan --fix
+        prismor --repo https://github.com/username/repo --detect-secret
+        prismor --repo git@github.com:username/repo.git --sbom
+        prismor --repo github.com/username/repo --fullscan --branch develop
+        prismor trigger-fix username/repo
+        prismor fix-status <job_id>
+        prismor status
+        prismor repos
+    """
+    if ctx.invoked_subcommand is None and not scan_repo:
+        click.echo(ctx.get_help())
+        return
+
+    if scan_repo:
+        if not any([scan, sbom, detect_secret, fullscan, fix]):
+            print_error("Please specify at least one scan type: --scan, --sbom, --detect-secret, --fullscan, or --fix")
+            sys.exit(1)
+
+        if fix and not any([scan, sbom, detect_secret, fullscan]):
+            scan = True
+
+        if not branch:
+            detected = detect_git_branch()
+            if detected:
+                branch = detected
+                if not quiet:
+                    print_info(f"Auto-detected branch: {branch}")
+
+        try:
+            if not quiet:
+                print_info(f"Initializing Prismor scan for: {scan_repo}")
+            client = PrismorClient()
+
+            scan_types = []
+            if fullscan:
+                scan_types.append("Full Scan (scan + SBOM + Secret Detection)")
+            else:
+                if scan:
+                    scan_types.append("scan")
+                if sbom:
+                    scan_types.append("SBOM")
+                if detect_secret:
+                    scan_types.append("Secret Detection")
+
+            if not quiet:
+                print_info(f"Scan type: {', '.join(scan_types)}")
+                if scan or fullscan:
+                    print_info("Starting scan... (typical scans finish in 30-90s; large repos may take several minutes)")
+                else:
+                    print_info("Starting scan...")
+
+            spinner = None
+            if not quiet and not output_json and not output and should_show_spinner():
+                spinner = Spinner("Scanning repository")
+                spinner.start()
+
+            try:
+                results = client.scan(
+                    repo=scan_repo,
+                    scan=scan,
+                    sbom=sbom,
+                    detect_secret=detect_secret,
+                    fullscan=fullscan,
+                    branch=branch,
+                    action_id=action_id
+                )
+                if spinner:
+                    spinner.stop()
+            except Exception as e:
+                if spinner:
+                    spinner.stop()
+                raise e
+
+            # Detect silent-success responses. The server returns 200 even when the
+            # scanner couldn't fetch the repo (bad branch, no access, repo not connected).
+            # Heuristic: if commit_sha is missing AND every scan type came back with
+            # zero findings AND no Trivy "Results" array, the scanner never examined
+            # real code. Fail loudly instead of letting users mistake it for a clean scan.
+            if isinstance(results, dict):
+                no_commit = not (results.get("commit_sha") or "").strip()
+                scans_dict = results.get("scans") or {}
+                vuln_sr = (scans_dict.get("vulnerability") or {}).get("scan_results") or {}
+                no_vuln_targets = not (isinstance(vuln_sr, dict) and vuln_sr.get("Results"))
+                secret_sr = (scans_dict.get("secret") or {}).get("scan_results")
+                no_secrets = not secret_sr
+                sbom_sr = (scans_dict.get("sbom") or {}).get("scan_results") or {}
+                no_artifacts = not (isinstance(sbom_sr, dict) and sbom_sr.get("artifacts"))
+                if no_commit and no_vuln_targets and no_secrets and no_artifacts:
+                    branch_label = results.get("branch") or branch or "default"
+                    print_error(
+                        f"Scan returned no results for {scan_repo} (branch: {branch_label}). "
+                        "The branch may not exist, the repository may not be connected to your "
+                        "account, or Prismor may not have access. Verify with: prismor repos"
+                    )
+                    sys.exit(2)
+
+            results = _strip_sensitive(results)
+
+            if output:
+                try:
+                    with open(output, 'w') as f:
+                        json.dump(results, f, indent=2)
+                    if not quiet:
+                        print_success(f"Results saved to: {output}")
+                except Exception as e:
+                    print_error(f"Failed to save results to file: {str(e)}")
+                    sys.exit(1)
+
+            # AI auto-fix: trigger after scan completes
+            if fix and not output_json and not output:
+                if not quiet:
+                    click.echo()
+                    print_info("Triggering AI auto-fix...")
+                fix_spinner = None
+                if not quiet and should_show_spinner():
+                    fix_spinner = Spinner("Starting auto-fix")
+                    fix_spinner.start()
+                try:
+                    fix_result = client.trigger_autofix(scan_repo, branch=branch)
+                    if fix_spinner:
+                        fix_spinner.stop()
+                except Exception as e:
+                    if fix_spinner:
+                        fix_spinner.stop()
+                    print_error(f"Auto-fix failed to start: {str(e)}")
+                    fix_result = None
+
+                if fix_result and fix_result.get("ok"):
+                    fix_job_id = fix_result.get("job_id", "")
+                    if not quiet:
+                        print_success("Auto-fix job started!")
+                        click.secho(f"  Job ID: {fix_job_id}", fg="yellow", bold=True)
+                        click.echo(f"  Track progress: prismor fix-status {fix_job_id} --watch")
+
+            # Output results
+            if output_json or output:
+                if not output:
+                    click.echo(json.dumps(results, indent=2))
+            elif prompt:
+                format_prompt_results(results, scan_repo)
+            else:
+                if not quiet:
+                    print_success("Scan completed successfully!")
+
+                # Fetch dashboard URL for the "view more" link
+                dashboard_url = None
+                if not quiet:
+                    try:
+                        repo_name = parse_github_repo(scan_repo)
+                        repo_info = client.get_repository_by_name(repo_name)
+                        if repo_info.get("success") and "repository" in repo_info:
+                            repo_id = repo_info["repository"]["id"]
+                            dashboard_url = f"{client.base_url}/repositories/{repo_id}"
+                    except Exception:
+                        pass
+
+                format_scan_results(results, ', '.join(scan_types), dashboard_url=dashboard_url)
+
+                if dashboard_url and not quiet:
+                    click.secho(f"  View full analysis: {dashboard_url}", fg="cyan")
+                    click.echo()
+
+        except PrismorAPIError as e:
+            print_error(str(e))
+            sys.exit(1)
+        except Exception as e:
+            print_error(f"Unexpected error: {str(e)}")
+            sys.exit(1)
+
+
+@cli.command()
+def version():
+    """Display the version of Prismor CLI."""
+    click.echo(f"Prismor CLI v{__version__}")
+
+
+@cli.command()
+def config():
+    """Display current configuration."""
+    click.echo("\n" + "=" * 60)
+    click.secho("  Prismor CLI Configuration", fg="cyan", bold=True)
+    click.echo("=" * 60 + "\n")
+
+    api_key = os.environ.get("PRISMOR_API_KEY")
+    if api_key:
+        masked_key = f"{api_key[:4]}...{api_key[-4:]}" if len(api_key) > 8 else "***"
+        print_success(f"PRISMOR_API_KEY: {masked_key}")
+    else:
+        print_error("PRISMOR_API_KEY: Not set")
+        click.echo("\nPlease specify your API key. You can generate one for free at:")
+        click.secho("  https://www.prismor.dev/cli", fg="cyan", underline=True)
+        click.echo("\nTo set your API key, run:")
+        click.echo("  export PRISMOR_API_KEY=your_api_key")
+
+    click.echo("=" * 60 + "\n")
+
+
+@cli.group()
+def org():
+    """Manage which organization your scans and fixes belong to."""
+    pass
+
+
+@org.command("list")
+def org_list():
+    """List the organizations you belong to (★ = active)."""
+    from prismor import cli_config
+    try:
+        client = PrismorClient()
+        data = client.list_orgs()
+        orgs = data.get("orgs", [])
+        active = cli_config.active_org_id() or data.get("activeOrgId")
+        if not orgs:
+            print_error("You're not a member of any organization.")
+            return
+        click.echo("")
+        for o in orgs:
+            mark = "★" if o.get("id") == active else " "
+            click.secho(f"  {mark} {o.get('name')}", fg="cyan" if mark == "★" else None, bold=mark == "★", nl=False)
+            click.echo(f"  ({o.get('slug')}) · {str(o.get('role','')).lower()}")
+        click.echo("\n  Switch with: prismor org switch <slug>\n")
+    except Exception as e:
+        print_error(f"Could not list organizations: {e}")
+
+
+@org.command("switch")
+@click.argument("slug_or_id")
+def org_switch(slug_or_id: str):
+    """Set the active organization (scans/fixes will be attributed to it)."""
+    from prismor import cli_config
+    try:
+        client = PrismorClient()
+        orgs = client.list_orgs().get("orgs", [])
+        match = next((o for o in orgs if o.get("slug") == slug_or_id or o.get("id") == slug_or_id), None)
+        if not match:
+            print_error(f"You're not a member of '{slug_or_id}'. Run `prismor org list` to see your orgs.")
+            return
+        cli_config.set_active_org(match)
+        print_success(f"Active organization: {match.get('name')} ({match.get('slug')})")
+    except Exception as e:
+        print_error(f"Could not switch organization: {e}")
+
+
+@org.command("current")
+def org_current():
+    """Show the active organization."""
+    from prismor import cli_config
+    active = cli_config.active_org()
+    if active:
+        click.echo(f"\n  Active organization: {active.get('name')} ({active.get('slug')})\n")
+    else:
+        click.echo("\n  No active organization set — using your API key's default org.")
+        click.echo("  Set one with: prismor org switch <slug>\n")
+
+
+@cli.group()
+def policy():
+    """Manage your organization's security policy as code (pull / apply / show)."""
+    pass
+
+
+@policy.command("show")
+def policy_show():
+    """Print the active org policy (version + YAML)."""
+    try:
+        data = PrismorClient().get_org_policy()
+        p = data.get("policy", {})
+        click.echo("")
+        click.secho(f"  Org policy · v{p.get('version', 0)}" + (f" · {p.get('name')}" if p.get('name') else " · (default — everything observes)"), fg="cyan", bold=True)
+        if not data.get("signingConfigured", True):
+            click.secho("  ⚠ Policy signing not configured — devices will reject remote policy.", fg="yellow")
+        click.echo("")
+        click.echo(p.get("yaml", ""))
+    except Exception as e:
+        print_error(f"Could not fetch policy: {e}")
+
+
+@policy.command("pull")
+@click.option("-o", "--output", "output", default=None, help="Write the policy YAML to this file (default: stdout).")
+def policy_pull(output):
+    """Fetch the active org policy YAML (for version control / editing)."""
+    try:
+        data = PrismorClient().get_org_policy()
+        yaml_text = data.get("policy", {}).get("yaml", "")
+        if output:
+            with open(output, "w") as f:
+                f.write(yaml_text)
+            print_success(f"Wrote org policy (v{data.get('policy', {}).get('version', 0)}) to {output}")
+        else:
+            click.echo(yaml_text, nl=False)
+    except Exception as e:
+        print_error(f"Could not pull policy: {e}")
+
+
+@policy.command("lint")
+@click.argument("file", type=click.Path(exists=True))
+def policy_lint(file):
+    """Validate a policy YAML file against the floor (no changes made)."""
+    try:
+        with open(file) as f:
+            yaml_text = f.read()
+        PrismorClient().apply_org_policy(yaml_text, dry_run=True)
+        print_success("Policy is valid (parses + honors the non-weakening floor).")
+    except PrismorAPIError as e:
+        print_error(f"Policy is invalid:\n{e}")
+    except Exception as e:
+        print_error(f"Could not lint policy: {e}")
+
+
+@policy.command("apply")
+@click.argument("file", type=click.Path(exists=True))
+@click.option("--dry-run", is_flag=True, help="Validate only; don't publish.")
+@click.option("--yes", is_flag=True, help="Skip the confirmation prompt.")
+def policy_apply(file, dry_run, yes):
+    """Publish a policy YAML file to the org (signed; devices apply within ~30s)."""
+    try:
+        with open(file) as f:
+            yaml_text = f.read()
+        if dry_run:
+            PrismorClient().apply_org_policy(yaml_text, dry_run=True)
+            print_success("Valid — would publish cleanly. Re-run without --dry-run to apply.")
+            return
+        if not yes:
+            click.secho("  This publishes the org policy to EVERY enrolled device (~30s).", fg="yellow")
+            if not click.confirm("  Continue?", default=False):
+                click.echo("  Aborted.")
+                return
+        res = PrismorClient().apply_org_policy(yaml_text, dry_run=False)
+        print_success(f"Published org policy v{res.get('version')}. Enrolled devices apply it within ~30s.")
+        if not res.get("signingConfigured", True):
+            click.secho("  ⚠ Policy signing not configured — devices will reject it until set.", fg="yellow")
+    except PrismorAPIError as e:
+        print_error(f"Could not apply policy:\n{e}")
+    except Exception as e:
+        print_error(f"Could not apply policy: {e}")
+
+
+@cli.command()
+def devices():
+    """List enrolled devices in your active organization."""
+    try:
+        data = PrismorClient().list_devices()
+        rows = data.get("devices", [])
+        click.echo("")
+        click.secho(f"  Devices ({len(rows)})", fg="cyan", bold=True)
+        click.echo("")
+        if not rows:
+            click.echo("  No devices enrolled. Enroll one with: immunity enroll <token>\n")
+            return
+        for d in rows:
+            status = d.get("status", "active")
+            color = "green" if status == "active" else "red"
+            click.secho(f"  {d.get('label')}", bold=True, nl=False)
+            click.echo(f"  · {d.get('platform') or 'unknown'} · {d.get('owner')} · ", nl=False)
+            click.secho(status, fg=color, nl=False)
+            click.echo(f" · policy v{d.get('appliedPolicyVersion') if d.get('appliedPolicyVersion') is not None else '-'}")
+        click.echo("")
+    except Exception as e:
+        print_error(f"Could not list devices: {e}")
+
+
+@cli.command()
+def members():
+    """List members of your active organization and their roles."""
+    try:
+        data = PrismorClient().list_members()
+        rows = data.get("members", [])
+        click.echo("")
+        click.secho(f"  Members ({len(rows)})", fg="cyan", bold=True)
+        click.echo("")
+        for mbr in rows:
+            click.secho(f"  {mbr.get('name') or mbr.get('email')}", bold=True, nl=False)
+            click.echo(f"  ({mbr.get('email')}) · {str(mbr.get('role', '')).lower()}")
+        click.echo("")
+    except Exception as e:
+        print_error(f"Could not list members: {e}")
+
+
+@cli.command()
+def repos():
+    """List your connected repositories."""
+    try:
+        client = PrismorClient()
+        spinner = Spinner("Loading repositories") if should_show_spinner() else None
+        if spinner:
+            spinner.start()
+        try:
+            repos_data = client.get_repositories()
+            if spinner:
+                spinner.stop()
+        except Exception as e:
+            if spinner:
+                spinner.stop()
+            raise e
+
+        click.echo("\n" + "=" * 60)
+        click.secho("  Your Repositories", fg="cyan", bold=True)
+        click.echo("=" * 60 + "\n")
+
+        user_info = repos_data.get("user", {})
+        if user_info:
+            click.secho(f"User: {user_info.get('name', 'Unknown')} ({user_info.get('email', 'No email')})", fg="yellow")
+            click.echo()
+
+        repositories = repos_data.get("repositories", [])
+        if repositories:
+            for repo in repositories:
+                click.secho(f"• {repo.get('name', 'Unknown')}", fg="green")
+                click.echo(f"  URL: {repo.get('htmlUrl', 'No URL')}")
+                click.echo(f"  Owner: {repo.get('githubOwner', 'Unknown')}")
+                click.echo()
+        else:
+            print_warning("No repositories found. Connect repositories through the web interface.")
+
+        click.echo("=" * 60 + "\n")
+
+    except PrismorAPIError as e:
+        print_error(str(e))
+        sys.exit(1)
+    except Exception as e:
+        print_error(f"Unexpected error: {str(e)}")
+        sys.exit(1)
+
+
+@cli.command()
+@click.argument("repo", type=str)
+@click.option("--branch", type=str, help="Specific branch to scan (defaults to main)")
+@click.option("--token", type=str, help="GitHub token (or set GITHUB_TOKEN env var)")
+@click.option("--json", "output_json", is_flag=True, help="Output results in JSON format")
+def start_scan(repo: str, branch: Optional[str], token: Optional[str], output_json: bool):
+    """Start a vulnerability scan and return a job_id for status checking.
+
+    REPO is the repository to scan (username/repo, GitHub URL, SSH URL, etc.)
+
+    Examples:
+        prismor start-scan username/repo
+        prismor start-scan https://github.com/username/repo --branch develop
+        prismor start-scan username/repo --token ghp_xxxxx
+        prismor start-scan username/repo --json
+    """
+    if not branch:
+        detected = detect_git_branch()
+        if detected:
+            branch = detected
+            print_info(f"Auto-detected branch: {branch}")
+
+    try:
+        client = PrismorClient()
+        print_info(f"Starting vulnerability scan for: {repo}")
+        if branch:
+            print_info(f"Branch: {branch}")
+
+        spinner = Spinner("Starting scan") if should_show_spinner() else None
+        if spinner:
+            spinner.start()
+        try:
+            result = client.start_vulnerability_scan(repo, branch, token)
+            if spinner:
+                spinner.stop()
+        except Exception as e:
+            if spinner:
+                spinner.stop()
+            raise e
+
+        if output_json:
+            click.echo(json.dumps(result, indent=2))
+        else:
+            click.echo("\n" + "=" * 60)
+            click.secho("  Scan Started", fg="cyan", bold=True)
+            click.echo("=" * 60 + "\n")
+
+            job_id = result.get("job_id")
+            if job_id:
+                print_success("Scan started successfully!")
+                click.echo()
+                click.secho(f"Job ID: {job_id}", fg="yellow", bold=True)
+                click.echo()
+                click.secho("Repository:", fg="yellow", bold=True)
+                click.echo(f"  {result.get('repository', repo)}")
+                click.echo()
+                if "branch" in result:
+                    click.secho("Branch:", fg="yellow", bold=True)
+                    click.echo(f"  {result['branch']}")
+                    click.echo()
+                click.secho("Status:", fg="yellow", bold=True)
+                click.echo(f"  {result.get('status', 'accepted')}")
+                click.echo()
+                click.secho("Next Steps:", fg="cyan", bold=True)
+                click.echo(f"  Check scan status with:")
+                click.secho(f"    prismor scan-status {job_id} --watch", fg="green", bold=True)
+                click.echo()
+            else:
+                print_error("Failed to get job_id from response")
+                click.echo(json.dumps(result, indent=2))
+
+            click.echo("=" * 60 + "\n")
+
+    except PrismorAPIError as e:
+        print_error(str(e))
+        sys.exit(1)
+    except Exception as e:
+        print_error(f"Unexpected error: {str(e)}")
+        sys.exit(1)
+
+
+@cli.command()
+@click.argument("job_id", type=str)
+@click.option("--watch", is_flag=True, help="Poll until the scan completes (up to 30 min)")
+@click.option("--json", "output_json", is_flag=True, help="Output results in JSON format")
+@click.option("--prompt", is_flag=True, help="Output detailed scan results with an LLM prompt for fixing vulnerabilities")
+def scan_status(job_id: str, watch: bool, output_json: bool, prompt: bool):
+    """Check the status of a vulnerability scan job.
+
+    JOB_ID is the job ID returned when starting a scan.
+
+    Examples:
+        prismor scan-status a724a4663cda4bf087ad171683cb726d
+        prismor scan-status a724a4663cda4bf087ad171683cb726d --watch
+        prismor scan-status 50cbe253e5634227b81fe744c2a0b3e7 --json
+    """
+    try:
+        client = PrismorClient()
+
+        if watch:
+            print_info(f"Watching scan {job_id} (Ctrl+C to stop)...")
+            status_data = _watch_scan(client, job_id)
+        else:
+            print_info(f"Checking scan status for job: {job_id}")
+            spinner = Spinner("Checking status") if should_show_spinner() else None
+            if spinner:
+                spinner.start()
+            try:
+                status_data = client.check_scan_status(job_id)
+                if spinner:
+                    spinner.stop()
+            except Exception as e:
+                if spinner:
+                    spinner.stop()
+                raise e
+
+        status_data = _strip_sensitive(status_data)
+
+        if output_json:
+            click.echo(json.dumps(status_data, indent=2))
+            return
+
+        if prompt and status_data.get("status") in {"completed", "success"}:
+            repo_name = status_data.get("repository", "Unknown Repository")
+            format_prompt_results(status_data.get("results", status_data), repo_name)
+            return
+
+        click.echo("\n" + "=" * 60)
+        click.secho("  Scan Status", fg="cyan", bold=True)
+        click.echo("=" * 60 + "\n")
+
+        click.secho(f"Job ID: {status_data.get('job_id', job_id)}", fg="yellow", bold=True)
+        click.echo()
+
+        status = status_data.get("status", "unknown")
+        if status in {"completed", "success"}:
+            print_success(f"Status: {status}")
+            click.echo()
+
+            if "repository" in status_data:
+                click.secho("Repository:", fg="yellow", bold=True)
+                click.echo(f"  {status_data['repository']}")
+                click.echo()
+
+            if "branch" in status_data:
+                click.secho("Branch:", fg="yellow", bold=True)
+                click.echo(f"  {status_data['branch']}")
+                click.echo()
+
+            if "duration" in status_data:
+                click.secho("Duration:", fg="yellow", bold=True)
+                click.echo(f"  {status_data['duration']:.2f} seconds")
+                click.echo()
+
+            if "public_url" in status_data:
+                click.secho("Results URL:", fg="yellow", bold=True)
+                click.secho(f"  {status_data['public_url']}", fg="green")
+                click.echo()
+
+            if "presigned_url" in status_data:
+                click.secho("Presigned URL (expires in 1 hour):", fg="yellow", bold=True)
+                click.secho(f"  {status_data['presigned_url']}", fg="blue")
+                click.echo()
+
+            if "summary" in status_data:
+                summary = status_data["summary"]
+                click.secho("Vulnerability Summary:", fg="yellow", bold=True)
+                click.echo(f"  Total Vulnerabilities: {summary.get('total_vulnerabilities', 0)}")
+                click.echo(f"  Total Targets Scanned: {summary.get('total_targets', 0)}")
+                click.echo()
+                severity_breakdown = summary.get('severity_breakdown', {})
+                if severity_breakdown:
+                    click.secho("  Severity Breakdown:", fg="yellow")
+                    if severity_breakdown.get('CRITICAL', 0) > 0:
+                        click.secho(f"    CRITICAL: {severity_breakdown['CRITICAL']}", fg="red", bold=True)
+                    if severity_breakdown.get('HIGH', 0) > 0:
+                        click.secho(f"    HIGH: {severity_breakdown['HIGH']}", fg="red")
+                    if severity_breakdown.get('MEDIUM', 0) > 0:
+                        click.secho(f"    MEDIUM: {severity_breakdown['MEDIUM']}", fg="yellow")
+                    if severity_breakdown.get('LOW', 0) > 0:
+                        click.secho(f"    LOW: {severity_breakdown['LOW']}", fg="blue")
+                    if severity_breakdown.get('UNKNOWN', 0) > 0:
+                        click.secho(f"    UNKNOWN: {severity_breakdown['UNKNOWN']}", fg="white")
+                    click.echo()
+
+            if "scan_date" in status_data:
+                click.secho("Scan Date:", fg="yellow", bold=True)
+                click.echo(f"  {status_data['scan_date']}")
+                click.echo()
+
+        elif status == "running":
+            print_info(f"Status: {status}")
+            if "message" in status_data:
+                click.echo(f"  {status_data['message']}")
+            click.echo()
+            click.echo("  The scan is still in progress.")
+            click.echo(f"  Watch it live with: prismor scan-status {job_id} --watch")
+            click.echo()
+
+        elif status == "failed":
+            print_error(f"Status: {status}")
+            if "error" in status_data:
+                click.echo(f"  Error: {status_data['error']}")
+            click.echo()
+        else:
+            click.secho(f"Status: {status}", fg="yellow")
+            click.echo()
+
+        click.echo("=" * 60 + "\n")
+
+    except PrismorAPIError as e:
+        print_error(str(e))
+        sys.exit(1)
+    except Exception as e:
+        print_error(f"Unexpected error: {str(e)}")
+        sys.exit(1)
+
+
+@cli.command()
+def status():
+    """Check your account status and GitHub integration."""
+    try:
+        client = PrismorClient()
+        spinner = Spinner("Checking account status") if should_show_spinner() else None
+        if spinner:
+            spinner.start()
+        try:
+            auth_data = client.authenticate()
+            if spinner:
+                spinner.stop()
+        except Exception as e:
+            if spinner:
+                spinner.stop()
+            raise e
+
+        click.echo("\n" + "=" * 60)
+        click.secho("  Account Status", fg="cyan", bold=True)
+        click.echo("=" * 60 + "\n")
+
+        user_info = auth_data.get("user", {})
+        if user_info:
+            repositories = user_info.get("repositories", [])
+            click.secho(f"Connected Repositories: {len(repositories)}", fg="green")
+            if repositories:
+                click.echo("\nRepository List:")
+                for repo in repositories:
+                    click.echo(f"  • {repo.get('name', 'Unknown')} ({repo.get('htmlUrl', 'No URL')})")
+            else:
+                print_warning("No repositories connected.")
+                click.echo("\nTo connect repositories:")
+                click.echo("  1. Visit https://prismor.dev/dashboard")
+                click.echo("  2. Connect your GitHub account")
+                click.echo("  3. Select repositories to scan")
+        else:
+            print_error("Failed to retrieve account information.")
+
+        click.echo("\n" + "=" * 60 + "\n")
+
+    except PrismorAPIError as e:
+        print_error(str(e))
+        sys.exit(1)
+    except Exception as e:
+        print_error(f"Unexpected error: {str(e)}")
+        sys.exit(1)
+
+
+@cli.command("trigger-fix")
+@click.argument("repo", type=str)
+@click.option("--branch", type=str, help="Base branch to apply fixes on (defaults to main)")
+@click.option("--instruction", type=str, help="Custom fix instruction for the AI agent")
+@click.option("--json", "output_json", is_flag=True, help="Output results in JSON format")
+def trigger_fix(repo: str, branch: Optional[str], instruction: Optional[str], output_json: bool):
+    """Trigger AI auto-fix for a repository without running a scan first.
+
+    REPO is the repository to fix (username/repo, GitHub URL, etc.)
+
+    Examples:
+        prismor trigger-fix username/repo
+        prismor trigger-fix https://github.com/username/repo --branch develop
+        prismor trigger-fix username/repo --instruction "Update lodash to 4.17.21"
+        prismor trigger-fix username/repo --json
+    """
+    if not branch:
+        detected = detect_git_branch()
+        if detected:
+            branch = detected
+            print_info(f"Auto-detected branch: {branch}")
+
+    try:
+        client = PrismorClient()
+        print_info(f"Triggering auto-fix for: {repo}")
+
+        spinner = Spinner("Starting auto-fix") if should_show_spinner() else None
+        if spinner:
+            spinner.start()
+        try:
+            result = client.trigger_autofix(repo, branch=branch, instruction=instruction)
+            if spinner:
+                spinner.stop()
+        except Exception as e:
+            if spinner:
+                spinner.stop()
+            raise e
+
+        if output_json:
+            click.echo(json.dumps(result, indent=2))
+        else:
+            click.echo("\n" + "=" * 60)
+            click.secho("  Auto-Fix Triggered", fg="cyan", bold=True)
+            click.echo("=" * 60 + "\n")
+
+            if result.get("ok"):
+                print_success("Auto-fix job started successfully!")
+                click.echo()
+                job_id = result.get("job_id", "")
+                click.secho(f"Job ID: {job_id}", fg="yellow", bold=True)
+                click.echo()
+                click.secho("Next Steps:", fg="cyan", bold=True)
+                click.echo("  Watch for the PR with:")
+                click.secho(f"    prismor fix-status {job_id} --watch", fg="green", bold=True)
+            else:
+                print_error(f"Failed: {result.get('error', 'Unknown error')}")
+
+            click.echo("\n" + "=" * 60 + "\n")
+
+    except PrismorAPIError as e:
+        print_error(str(e))
+        sys.exit(1)
+    except Exception as e:
+        print_error(f"Unexpected error: {str(e)}")
+        sys.exit(1)
+
+
+@cli.command("fix-status")
+@click.argument("job_id", type=str)
+@click.option("--watch", is_flag=True, help="Poll until the fix completes (up to 30 min)")
+@click.option("--wait", is_flag=True, hidden=True, help="Alias for --watch (deprecated)")
+@click.option("--json", "output_json", is_flag=True, help="Output results in JSON format")
+def fix_status(job_id: str, watch: bool, wait: bool, output_json: bool):
+    """Check the status of an AI auto-fix job.
+
+    JOB_ID is the job ID returned by 'trigger-fix' or '--fix'.
+
+    Examples:
+        prismor fix-status agent_cli_1234567890_abc123
+        prismor fix-status agent_cli_1234567890_abc123 --watch
+        prismor fix-status agent_cli_1234567890_abc123 --json
+    """
+    polling = watch or wait  # support legacy --wait flag
+
+    try:
+        client = PrismorClient()
+        print_info(f"Checking fix status for job: {job_id}")
+
+        max_wait = 1800
+        poll_interval = 10
+        started_at = time.time()
+        use_rich = RICH_AVAILABLE and should_show_spinner()
+
+        while True:
+            spinner = Spinner("Checking status") if (should_show_spinner() and not use_rich) else None
+            if spinner:
+                spinner.start()
+            try:
+                status_data = client.check_fix_status(job_id)
+                if spinner:
+                    spinner.stop()
+            except Exception as e:
+                if spinner:
+                    spinner.stop()
+                raise e
+
+            status = status_data.get("status", "unknown")
+            done = status in {"success", "failed", "validation_failed"}
+
+            if output_json:
+                click.echo(json.dumps(status_data, indent=2))
+                if not polling or done:
+                    break
+                time.sleep(poll_interval)
+                continue
+
+            if status == "processing" and polling and (time.time() - started_at) < max_wait:
+                elapsed = int(time.time() - started_at)
+                if use_rich:
+                    # Print a single live line then sleep — simple approach without Live context loop
+                    sys.stdout.write(f"\r  ⠸ Waiting for AI fix... ({elapsed}s elapsed)  ")
+                    sys.stdout.flush()
+                else:
+                    print_info(f"Still processing... ({elapsed}s elapsed). Checking again in {poll_interval}s")
+                try:
+                    time.sleep(poll_interval)
+                except KeyboardInterrupt:
+                    click.echo()
+                    print_warning("Stopped watching. Fix still running in background.")
+                    click.echo(f"  Check with: prismor fix-status {job_id}")
+                    sys.exit(0)
+                continue
+
+            # Clear any inline progress line before printing the result
+            if use_rich and polling:
+                sys.stdout.write("\r" + " " * 60 + "\r")
+                sys.stdout.flush()
+
+            if status == "success":
+                _show_fix_success_panel(status_data)
+            else:
+                click.echo("\n" + "=" * 60)
+                click.secho("  Auto-Fix Status", fg="cyan", bold=True)
+                click.echo("=" * 60 + "\n")
+                click.secho(f"Job ID: {job_id}", fg="yellow", bold=True)
+                click.echo()
+
+                if status in {"failed", "validation_failed"}:
+                    print_error(f"Status: {status}")
+                    click.echo()
+                    if status_data.get("error"):
+                        click.echo(f"  Error: {status_data['error']}")
+                        click.echo()
+                    if status_data.get("retry_count"):
+                        click.echo(f"  Retries: {status_data['retry_count']}")
+                        click.echo()
+                else:
+                    click.secho(f"Status: {status}", fg="yellow")
+                    click.echo()
+                    if not polling:
+                        click.echo(f"  The fix is still in progress.")
+                        click.echo(f"  Watch it with: prismor fix-status {job_id} --watch")
+                        click.echo()
+
+                click.echo("=" * 60 + "\n")
+
+            break
+
+    except PrismorAPIError as e:
+        print_error(str(e))
+        sys.exit(1)
+    except Exception as e:
+        print_error(f"Unexpected error: {str(e)}")
+        sys.exit(1)
+
+
+# Register the local AI auto-fix command. Defined in its own module so the
+# agent-runner logic stays isolated; imported here at the bottom so all of this
+# module's console helpers exist before fix_local's deferred import resolves them.
+from .local_fix import fix_local  # noqa: E402
+cli.add_command(fix_local)
+
+
+def main():
+    """Entry point for the CLI."""
+    cli()
+
+
+if __name__ == "__main__":
+    main()