Turn the terminal viewer from a single-run reader into a project
explorer that can also drive scans, and extract the run-finding logic
both viewers were going to need into one place.

Terminal viewer (argus view terminal):
- Runs sidebar (``b``): lists the scan runs discovered next to the
  current one — newest first, each row tagged with its worst-finding
  glyph and finding count. Auto-reveals when more than one run exists.
  Selecting a run loads it in place, preserving the active filters /
  sort and resetting the (now-stale) multi-select.
- In-app scan runner (``R``): prompts for an optional scanner + path,
  runs ``argus scan`` as a subprocess streamed into an overlay, and
  reloads the freshly-written run when it finishes. Re-invokes the
  running interpreter (sys.executable -m argus) so a venv'd viewer
  scans with that venv's argus and scanners.
- Context menus now open at the cursor (clamped to stay on screen)
  instead of screen-centre.

Refactor:
- New argus.core.run_discovery owns discover_runs / list_directory /
  peek_run_stats / is_within / RESULTS_FILENAME (UI-free). The browser
  viewer's _collect_recent_scans / _list_directory / _is_within now
  delegate to it, deduping ~200 lines and guaranteeing the two
  interfaces agree on what counts as a run (incl. latest/ symlink
  de-dup). peek_run_stats distinguishes a malformed results file
  (count None) from a valid empty scan (0).

Pure logic (run discovery, row formatting, argv building, menu-offset
clamping) is unit-tested directly; the Textual widgets are exercised
via the stubbed-textual loader. +55 tests, coverage 92%. Docs and
.ai/architecture.yaml updated.

…unner

Capture the new TUI states as committed SVGs (11–14) alongside the
existing view-terminal screenshots, embed them in docs/view-terminal.md,
and extend scripts/docsite/capture_view_terminal.py to regenerate them so
they can't drift:

- 11-runs-sidebar         — runs sidebar revealed beside the findings list
- 12-scan-runner-prompt   — the "Run a scan" prompt overlay
- 13-scan-runner-output   — streamed scan output + "complete" status
- 14-context-menu-anchored — context menu opening at the cursor

The runs-sidebar / runner / anchored-menu states use a deterministic
two-run synthetic fixture (the real container scans land in separate
parents and don't exercise sibling discovery; the runner-output stream is
stubbed for a stable capture). Docsite builds clean with all four refs
resolving.

Capture the TUI's evolution from post-scan viewer into a terminal-native
control centre (scan → triage → fix → configure, and eventually what bare
`argus` launches in a TTY) as a phased epic, matching the SDK-ROADMAP
format:

- Phase 0 — explorer + scan runner (shipped this PR, #261)
- Phase 1 — vulnerability mitigation ("Fix"): Tier 1 deterministic/OSS,
  Tier 2 AI-assisted (opt-in, diff-only, reuses scn/ai.py + [ai] extra)
- Phase 2 — config editor screen (form + live validation + surfaced docs)
- Phase 3 — init wizard screen
- Phase 4 — Console home + bare-`argus` entry (TTY-gated; needs an ADR)

Documents the load-bearing backward-compat contract (bare `argus` only
goes interactive on a TTY; every subcommand and all headless/CI use is
unchanged), the screens-over-UI-free-core architecture, and the open
product decisions per phase. Linked from SDK-ROADMAP.md's in-flight
initiatives.

Make bare `argus` (interactive TTY only) open the Argus Console: a
screen-based Textual home for the whole local workflow, with a herdr-style
settings system. Builds on the runs-explorer / scan-runner foundations.

Home (console.py + console_model.py):
- ASCII wordmark + tagline (fade honours motion settings / ARGUS_NO_ANIMATION),
  a status line (config presence + latest run label / count / worst severity
  via run_discovery), and a launcher menu: Run a scan / View findings /
  Configure / Initialize / Settings / Help & docs / Quit.
- Scan reuses the in-app RunScanScreen; Configure opens argus.yml in
  $EDITOR/$VISUAL; Initialize streams `argus init`; View findings hands off
  to the existing viewer (`argus view`) and returns.

Settings (full Screen, herdr-style) + console_config.py (UI-free):
- Theme (built-in Textual themes + a bespoke argus-dark), accent colour,
  animations, reduced-motion, notifications. Theme/accent preview live;
  persisted to $XDG_CONFIG_HOME/argus/console.yml (pyyaml only). Settings
  is a full Screen, not a ModalScreen — live re-theming under a modal hits a
  Textual 8.x NoneType-visual render bug.

Entry point (cli._run_bare_argus):
- Opens the Console only when stdout AND stdin are a TTY; piped / CI /
  missing-[terminal] falls back to today's `--help`, so headless use is
  unchanged. `argus view` still deep-links to findings.

Pure logic (settings, model, status, argv) is unit-tested in CI without the
[terminal] extra; the Textual screens are covered via the stubbed-textual
loader and verified end-to-end with a real-Textual Pilot run. Docs:
docs/console.md + regenerable screenshots (scripts/docsite/capture_console.py);
CONSOLE-ROADMAP Phase 4 shell marked shipped; .ai/architecture.yaml updated.

…R review)

Address PR #262 review feedback:

- Theme: argus-dark now mirrors the Argus website / browser viewer brand
  (deep green-black base, primary green #84b852, lime accent #dbe64c) instead
  of the placeholder cyan. Default accent is the brand green; severity
  warning/error tokens match the browser's med/crit. Non-default accents
  still recolour the primary/accent.
- Centering: the wordmark is now a full-width, text-align:center banner in a
  fixed-width centred column, so it sits dead-centre over the menu (it was
  left-of-centre).
- Tagline: "perception is protection".
- Wordmark font: ansi_regular (clean flat blocks) replaces the heavier
  ansi_shadow.

Committed screenshots regenerated; tests + lint updated/green.

The ANSI block-letter banner relies on `█` glyphs tiling seamlessly; GitHub's
image proxy renders the committed SVG with a font that strips the rows apart,
so the wordmark looked mangled on the PR. Switch the console screenshots to
raster PNG (pixel-identical everywhere), point docs/console.md at them, and
update capture_console.py to rasterise its SVG capture to PNG (rsvg-convert /
cairosvg / qlmanage, whichever is on PATH; Pillow trims padding).

Phase 1 of the Console roadmap — let users resolve findings, not just read
them, with no AI and no new runtime deps.

Core (argus/core/remediation.py, UI-free):
- propose(finding, *, repo_root) / apply() / is_fixable() turn a dependency
  finding (package + fixed_version + purl) into a reviewable fix. Tier-1
  covers dependency version bumps for pip (requirements*.txt) and npm
  (package.json): locate the package, emit a unified diff bumping it to the
  fixed version, preserving the user's spec style (== stays pinned, >= keeps
  its operator, bare name -> >=). PEP 503 name normalization for pip;
  caret/tilde preserved for npm. Falls back to the ecosystem upgrade command
  (shown, never auto-run) when no manifest line matches.
- Diff-/command-first: nothing touches the working tree until apply(); apply
  is idempotent and refuses to write command-only remediations.

TUI (argus view terminal):
- F (shift+f) -> FixScreen: previews the proposed diff(s), applies on a/Enter,
  batch over the multi-select set. An "Apply fix" item appears in the
  right-click context menu for fixable findings. After applying, re-run the
  scan (R) to confirm.

Pure logic unit-tested in CI without the [terminal] extra; the TUI wiring is
covered via the stubbed-textual loader and verified end-to-end with a
real-Textual Pilot run. Docs + CONSOLE-ROADMAP (Phase 1 Tier-1) +
.ai/architecture.yaml updated. +35 tests.

Phase 2 of the Console roadmap. The home menu's Configure entry now opens
a form editor (ConfigScreen) instead of shelling out to $EDITOR: scanner
on/off toggles and the bounded choice settings (severity_threshold,
execution backend/pull_policy, view cve_source/open_location) are listed
with their current value and a one-line description; enter cycles a value,
s validates + writes, esc discards.

Edits go through config_editor.py — a UI-free, textual-free module so it's
covered in CI without the [terminal] extra. Write-back is comment-preserving:
set_value walks the file indentation-aware to the matched key: value line and
rewrites only its value, keeping key, indentation, and any trailing inline
comment. This resolves the roadmap's open YAML write-back decision in favour
of targeted line edits over a ruamel.yaml round-trip — no new dependency, at
the cost of only editing settings already present in the file. Before saving,
the result is re-validated against argus.core.schema.validate_config and
refused on any error-level issue.

When no argus.yml exists, Configure nudges toward Initialize and falls back
to $EDITOR/$VISUAL so a file can still be created by hand.

feat(console): form editor for argus.yml (Configure screen)

Phase 3 of the Console roadmap. The home menu's Initialize entry now opens
an in-app wizard (InitScreen) instead of shelling out to `argus init`: it
detects the project, shows what it found plus a tool-readiness line, lists
the proposed scanners as toggles, and writes argus.yml. `w` writes; `r`
writes and hands straight to the Phase-0 scan runner for the first scan;
`esc` cancels. An existing argus.yml requires a confirming second keypress
before it's overwritten — mirroring `argus init`'s --force guard, never a
silent clobber.

The wizard reimplements no detection logic. init_wizard.py is a UI-free,
textual-free frontend over the pure functions in argus.init
(detect_project, generate_config, _extract_enabled_scanners,
_check_local_readiness): build_plan returns an InitPlan (detected
categories, proposed scanners, generated YAML, readiness) and write_config
enforces the overwrite guard. Scanner toggles reuse the Phase-2
config_editor over the generated YAML, so toggling and the
comment-preserving write share one implementation.

The signal-to-label map moves to argus.init.SIGNAL_LABELS so the CLI
summary and the wizard render identical names. With Init now in-app, the
_HANDOFF_INIT sentinel and its subprocess hand-off in launch() are removed.

feat(console): in-app init wizard (Initialize screen)

Adds Part II to the Console roadmap — the eight phases that take the
Console from "exists" to best-in-class for security tooling, since almost
every scanner (trivy/grype/semgrep/snyk/osv-scanner/gitleaks) is
non-interactive:

- Phase 5  Modern navigation essentials (command palette, fuzzy filter,
           OSC 8 hyperlinks, OSC 52 clipboard)
- Phase 6  Live vulnerability intelligence (EPSS + CISA KEV + OSV/GHSA
           enrichment, risk re-ranking) — the headline
- Phase 7  Triage at scale (bulk suppress + OpenVEX writeback + audit trail)
- Phase 8  Visual analytics (textual-plotext trend/scanner/severity charts)
- Phase 9  Inline graphics (Kitty/Sixel via textual-image, ASCII fallback)
- Phase 10 AI triage assistant (reuse argus/scn/ai.py, Ollama default,
           no key required) — foundation
- Phase 11 Console on the web (textual serve, localhost + token gated) — ADR
- Phase 12 Reachability-aware prioritization (heuristic first cut; true
           call-graph reachability stays roadmap-only research)

Each phase keeps the Part I split (logic in UI-free argus/core/, thin
screens) and every network/AI feature is opt-in and offline-degrading so
the default argus experience needs no key, daemon, or egress. Build order
and sequencing documented.

Three issues surfaced test-driving the Console's Configure screen:

1. Long keys ran into the value column — `reporting · severity_threshold`
   (30 chars) overflowed the fixed `:<26` label width and rendered as
   "severity_thresholdcritical". Column widths are now sized to the widest
   label/value (new UI-free `config_editor.row_display`), so nothing
   collides regardless of key length.

2. Bounded-choice (enum) settings cycled one value per Enter press. They
   now open a `_ChoiceScreen` dropdown picker listing the allowed values
   (current one marked), so the user selects directly. Enum rows carry a
   ▾ affordance; on/off toggles still flip in place on Enter.

3. After a change, the OptionList is rebuilt via recompose but was never
   re-focused, so arrow keys and Enter silently died until a mouse click.
   `_restore_cursor` now re-focuses the rebuilt list — fixed on the
   Configure, Settings, and Init screens (all shared the pattern).

- row_display is UI-free + unit-tested (alignment, no-overlap regression,
  ▾ affordance); the picker + focus wiring follow the existing modal
  pattern. 302 terminal-viewer tests green.

Two issues from test-driving:

1. Bare `argus` → "View findings" flickered straight back to the home
   screen. The terminal loader's `locate_results` only looked for
   `argus-results/argus-results.json`, but `argus scan` writes to a
   timestamped subdir (`argus-results/<ts>/`) and maintains a `latest`
   symlink — so the file was never found, `load_summary` raised, and the
   findings app exited on mount. `locate_results` now resolves a directory
   the same way the browser viewer does: direct drop → `latest/` →
   newest discovered run (via `discover_runs`). A file path and a direct
   `argus-results.json` still win, and `None` resolves against the
   conventional `./argus-results` home.

2. The browser **Report** nav link now opens in a new tab
   (`target="_blank"`, with a ↗ hint). The report is a standalone print
   document, so opening it in place forced a Back press to return to the
   triage view.

Regression tests cover latest-symlink, newest-run, no-symlink, and
direct-drop-wins resolution.

… (O)

When the findings viewer can't resolve a scan in the launch directory it
now opens a filesystem picker instead of exiting (which read as the
"View findings flickers back to the Console home" report). The same
picker is available on demand via `O` (shift+o) to traverse to another
project's results or an archived folder without relaunching — it
re-roots the runs sidebar at the opened scan.

- argus/viewers/terminal/results_picker.py — UI-free row formatting +
  id encode/decode over run_discovery.list_directory (dirs + results
  files only; scan dirs flagged with a finding-count peek). Fully tested.
- ResultsPickerScreen — navigates one level at a time (backspace = up),
  loads a scan-bearing dir / results file on select.
- BrowseApp: extracted `_try_load` (one loader shared by on_mount, the
  runs sidebar, the scan runner, and the picker); on_mount routes the
  no-scan case to `_prompt_for_results`; `_switch_run(..., update_root=)`
  re-roots discovery when opening from elsewhere; `O` keybind +
  command-palette entry + help.

`O` is capital (lowercase `o` is "open last export"), matching the
capital-for-major-action convention (R / F / S / D). Docs + .ai updated.

Surface "can I scan right now, and with what?" before the user hits a
wall like "Docker isn't running" (which is what prompted this). The home
gets a single go/no-go chip — ● ready / ▲ warning / ✖ blocked — with a
short headline; press `d` to expand it into the full breakdown.

Three checks (argus.core.system_status, UI-free, injectable probes):
- Docker daemon — running / installed-but-stopped / absent. Only
  *blocking* when the effective execution.backend needs it with no local
  fallback (so a stopped Docker on an all-local setup is a warning, not a
  hard stop; backend: docker with Docker down is blocking).
- Local tools — how many common scanners are runnable as local binaries.
- Scanner images — best-effort: cached Argus image digests vs published
  release digests (genuine vs rebuilt/overridden), skipped when Docker is
  off.

- compute_status() is pure over injected probes → fully unit-tested
  without Docker or installed tools; the three subprocess probes are the
  only un-covered edges. Computed in a background worker so the home
  paints instantly; SystemStatusScreen renders the detail + remediation.
- `d` keybind on the home; docs + .ai updated.

Settings → Theme now opens a dropdown of all themes instead of cycling one
step per Enter: arrow up/down to see each theme applied live, Enter to keep
it, Esc to revert to the one you started on.

- ThemePickerScreen (a full Screen, not a ModalScreen — applying a theme
  under a ModalScreen hits the Textual 8.x NoneType-visual bug, the same
  reason SettingsScreen is a full screen): highlighting a theme previews it
  via app.apply_theme(); Enter dismisses keeping it, Esc restores the
  original.
- ConsoleSettings.with_value(key, value) — UI-free setter for a *specific*
  value (vs advance()'s cycle), normalized so an out-of-range theme snaps
  to the default.
- SettingsScreen routes the Theme row to the picker; accent + toggles keep
  their cycle-on-Enter behaviour.
- Tests: with_value (set / invalid-snaps / unknown-key / immutability) +
  ThemePickerScreen (preview applies live, Enter keeps, Esc reverts).
  Docs + .ai updated.

Three spots left the TUI "in the dark" during brief synchronous work.
Each now gives immediate feedback instead of a frozen screen:

- Initialize — `build_plan` (a filesystem walk) ran on the UI thread
  before the wizard opened. It now runs in a worker behind an immediate
  "Detecting project…" toast, so the home stays live; the wizard opens
  when detection finishes (_open_init → worker → _show_init).
- Run switching — selecting a run (sidebar / picker / post-scan reload)
  loaded the results + rebuilt the table synchronously. It now shows the
  DataTable's built-in spinner (loading = True) while the load runs in a
  worker, applying the rows back on the UI thread (_switch_run →
  _finish_switch) so the spinner actually animates.
- Scan — RunScanScreen now prints "⏳ Starting argus scan…" immediately,
  before the subprocess produces its first line, so the pane isn't blank
  during spawn + scanner startup.

Test fixtures run the workers synchronously (run_worker / call_from_thread
stubs) so the existing state assertions still hold; production runs them
threaded.

…eport

The README predated the whole interactive-surface + reporting work and
undersold it: the Console/TUI was described as a "findings explorer", the
browser viewer was one bullet, the formal PDF report wasn't mentioned, and
there were no product screenshots (plus a duplicated TUI bullet and a stale
scanner list).

Rewrite around a Find it → Triage it → Prove it story:
- A screenshot showcase up top (Console home · browser dashboard · PDF
  report), all relative paths so they render on GitHub.
- "Triage it" section for the Console (in-app scan/fix/triage, EPSS/KEV
  intel, OpenVEX suppress, AI explain, runs sidebar + filesystem picker,
  command palette, system-readiness chip, theme picker) and the browser
  viewer (charts, risk column, light/dark).
- "Prove it" section for the one-click PDF report + cosign provenance +
  signed OpenVEX attestations.
- Refreshed scanner table (adds gosec, MUMPS, supply-chain, dependency
  review, SCN compliance, linters), de-duped Features, tightened GHES /
  config / MCP into scannable sections.

No content claims beyond what ships today; version pins unchanged (release-it
manages them).

The browser UI was renamed from `argus serve` to `argus view browser`, but
the old name lingered — most visibly in the "No scan loaded" splash ("Point
argus serve at a results directory…"), plus template/JS/CSS comments, two
console.warn prefixes, and the docs troubleshooting (which still referenced
the removed `serve` command + a non-existent `[serve]` extra).

Swept argus/viewers/browser/ to the current command name and corrected the
two stale troubleshooting entries in docs/view-browser.md. Text/comment only;
no behaviour change.

… sections

The hero tagline is now three in-page links jumping to the matching
sections, via explicit <a id> anchors (robust against GitHub's emoji/em-dash
slug munging on the "✦ … —" headers).

The bold README refresh dropped the AICaC adoption badge. The AICaC
workflow has update-badge: true, so it then tried to regenerate + push the
badge back to the branch and failed at the push (checkout uses
persist-credentials: false → no push creds → git exit 128). Restoring the
badge means the action finds it up to date and never attempts the push.

The architecture-map modal renders a scanner's `purpose` field. MUMPS's was
~6.3k chars (every rule M001–M219, all config knobs, FP analysis, validation
corpora, parser pin, phase roadmap) — an unreadable wall versus 15–110 chars
for every other scanner. Cut it to a one-liner in the same voice as gosec
(what it covers + a few example sink categories), matching the rest of the
map. The full rule list + config still live in docs/scanners.md and
argus/scanners/mumps/, which is where that depth belongs.