@chainpatrol/cli 0.2.2 → 0.3.0

package/dist/{breakdown-PBH5NX6P.js → breakdown-BECXDJIS.js}

@@ -4,7 +4,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{chunk-6FIJ4NU4.js → chunk-B3CCMSG2.js}

@@ -7,9 +7,11 @@ import {
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
 import {
-  DateTime,
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import {
+  DateTime
+} from "./chunk-TFCNKBRC.js";
 
 // src/presets/index.ts
 var PRESETS = [

package/dist/chunk-DSOM6TZX.js

@@ -0,0 +1,150 @@
+import {
+  DateTime
+} from "./chunk-TFCNKBRC.js";
+import {
+  getValidCredentials
+} from "./chunk-EEG7T6WT.js";
+import {
+  getConfig
+} from "./chunk-U73SABXK.js";
+
+// src/lib/api-client.ts
+function parseIsoDate(value) {
+  if (!value) return void 0;
+  const dt = DateTime.fromISO(value, { zone: "utc" });
+  if (!dt.isValid) {
+    throw new Error(`Invalid ISO date: '${value}'. Use YYYY-MM-DD or full ISO 8601.`);
+  }
+  return dt.toJSDate();
+}
+var REQUEST_TIMEOUT_MS = 3e4;
+function createApiClient(options) {
+  const config = getConfig();
+  const apiUrl = options?.apiUrl ?? config.apiUrl;
+  const getToken = options?.getToken ?? (() => getValidCredentials().accessToken);
+  async function request(path, body) {
+    const token = getToken();
+    let res;
+    try {
+      res = await fetch(`${apiUrl}/api/v2${path}`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${token}`
+        },
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+      });
+    } catch (err) {
+      if (err instanceof DOMException && err.name === "TimeoutError") {
+        throw new Error(
+          "Request timed out. Check your network connection and try again."
+        );
+      }
+      if (err instanceof TypeError && err.code === "ECONNREFUSED") {
+        throw new Error(`Cannot connect to ${apiUrl}. Is the server running?`);
+      }
+      throw new Error("Network error. Check your internet connection and try again.");
+    }
+    if (!res.ok) {
+      let errorMessageFromResponse = null;
+      try {
+        const errorBody = await res.json();
+        errorMessageFromResponse = errorBody.message ?? null;
+      } catch {
+      }
+      if (res.status === 401) {
+        throw new Error(
+          errorMessageFromResponse ?? "Authentication failed. Run `chainpatrol login` to re-authenticate."
+        );
+      }
+      if (res.status === 403) {
+        throw new Error(
+          errorMessageFromResponse ?? "You don't have permission to access this resource. Check your --org slug and permissions."
+        );
+      }
+      if (res.status === 404) {
+        throw new Error(
+          errorMessageFromResponse ?? "Organization not found. Check your --org slug."
+        );
+      }
+      if (res.status === 422) {
+        throw new Error(errorMessageFromResponse ?? "Request validation failed.");
+      }
+      if (res.status >= 500) {
+        throw new Error(
+          "ChainPatrol API is temporarily unavailable. Please try again later."
+        );
+      }
+      throw new Error(
+        errorMessageFromResponse ?? `Request failed (${res.status}). Run with --json for details.`
+      );
+    }
+    return await res.json();
+  }
+  return {
+    listDetectionConfigs(slug) {
+      return request("/detection/configs/list", { slug });
+    },
+    updateDetectionConfig(input) {
+      return request("/detection/configs/update", input);
+    },
+    runDetectionConfigs(input) {
+      return request("/detection/configs/run", input);
+    },
+    validateDetectionConfigs(input) {
+      return request("/detection/configs/validate", input);
+    },
+    getDetectionDrift(input) {
+      return request("/detection/drift", {
+        ...input,
+        startDate: parseIsoDate(input.startDate),
+        endDate: parseIsoDate(input.endDate)
+      });
+    },
+    getOperationsQueuesSnapshot(input) {
+      return request(
+        "/operations/queues/snapshot",
+        input
+      );
+    },
+    getMetricsSummary(input) {
+      return request("/metrics/summary", {
+        ...input,
+        startDate: parseIsoDate(input.startDate),
+        endDate: parseIsoDate(input.endDate)
+      });
+    },
+    getMetricsFound(input) {
+      return request("/metrics/found", {
+        ...input,
+        startDate: parseIsoDate(input.startDate),
+        endDate: parseIsoDate(input.endDate)
+      });
+    },
+    getMetricsBreakdown(input) {
+      return request("/metrics/breakdown", {
+        ...input,
+        startDate: parseIsoDate(input.startDate),
+        endDate: parseIsoDate(input.endDate)
+      });
+    },
+    createReport(input) {
+      return request("/report/create", input);
+    },
+    listOrganizationReports(input) {
+      return request("/public/getOrganizationReports", {
+        slug: input.slug,
+        limit: input.limit ?? 10,
+        cursor: input.cursor,
+        status: input.status,
+        searchQuery: input.searchQuery,
+        reportedByCustomer: input.reportedByCustomer
+      });
+    }
+  };
+}
+
+export {
+  createApiClient
+};

package/dist/{setup-skill-SIWP3KFS.js → chunk-T4DYUWUD.js}

@@ -4,20 +4,85 @@ import {
 } from "./chunk-IUZB3DQW.js";
 
 // src/commands/setup-skill.ts
-import { mkdirSync, writeFileSync, existsSync, readFileSync, rmSync } from "fs";
+import { mkdirSync, writeFileSync, existsSync, readFileSync as readFileSync2, rmSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
+
+// src/lib/version.ts
+import { readFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+var PACKAGE_NAME = "@chainpatrol/cli";
+var cached;
+function getCliVersion() {
+  if (cached !== void 0) return cached;
+  cached = resolveCliVersion();
+  return cached;
+}
+function resolveCliVersion() {
+  try {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+      resolve(here, "..", "package.json"),
+      resolve(here, "..", "..", "package.json")
+    ];
+    for (const candidate of candidates) {
+      const version = tryReadVersion(candidate);
+      if (version) return version;
+    }
+  } catch {
+  }
+  return "0.0.0";
+}
+function tryReadVersion(path) {
+  try {
+    const raw = readFileSync(path, "utf-8");
+    const pkg = JSON.parse(raw);
+    if (pkg.name === PACKAGE_NAME && typeof pkg.version === "string") {
+      return pkg.version;
+    }
+  } catch {
+  }
+  return void 0;
+}
+function compareVersions(a, b) {
+  const parsed = (value) => {
+    const hyphenIndex = value.indexOf("-");
+    const main = hyphenIndex >= 0 ? value.slice(0, hyphenIndex) : value;
+    const pre = hyphenIndex >= 0 ? value.slice(hyphenIndex + 1) : "";
+    const parts = main.split(".").map((n) => Number.parseInt(n, 10) || 0);
+    while (parts.length < 3) parts.push(0);
+    return { parts, pre };
+  };
+  const va = parsed(a);
+  const vb = parsed(b);
+  for (let i = 0; i < 3; i += 1) {
+    if (va.parts[i] !== vb.parts[i]) return va.parts[i] - vb.parts[i];
+  }
+  if (va.pre === vb.pre) return 0;
+  if (va.pre === "") return 1;
+  if (vb.pre === "") return -1;
+  return va.pre < vb.pre ? -1 : 1;
+}
+
+// src/commands/setup-skill.ts
 var SKILL_DIR = join(homedir(), ".claude", "skills", "chainpatrol");
 var SKILL_FILE = join(SKILL_DIR, "SKILL.md");
-var SKILL_CONTENT = `---
+function buildSkillContent(version) {
+  return `---
 name: chainpatrol
+version: ${version}
 description: |
   ChainPatrol CLI assistant. Helps use the chainpatrol CLI tool: login via device
   code flow, check auth status, list detection configs, list reports (including
-  customer-reported ones), and run CLI commands.
+  customer-reported ones), run CLI commands, and run an organization
+  healthcheck across the detection / reviewing / blocklisting / takedown
+  pipeline.
   Use when: "chainpatrol cli", "login to chainpatrol", "check detection configs",
   "am I logged in", "list configs", "use the cli", "list reports",
-  "customer reports", "reports reported by customer", "find detection gaps".
+  "customer reports", "reports reported by customer", "find detection gaps",
+  "org healthcheck", "organization health check", "audit my org",
+  "what's wrong with org", "review org setup".
 allowed-tools:
   - Bash
   - Read
@@ -156,6 +221,22 @@ Config is stored at \`~/.chainpatrol/config.json\`:
 
 Override config dir with \`CHAINPATROL_CONFIG_DIR\` env var.
 
+## Version Checks
+
+The CLI runs two lightweight version checks alongside each command and prints
+a nudge to stderr if anything is out of date:
+
+- **Skill freshness**: compares the installed skill (\`~/.claude/skills/chainpatrol/SKILL.md\`)
+  to the version bundled with the CLI. If it's missing or older, the user is
+  asked to run \`chainpatrol setup\`.
+- **NPM freshness**: compares the running CLI version to the latest published
+  on the npm registry. The check is throttled to once per 24 hours and capped
+  at a 1.5s timeout, with the result cached at \`<configDir>/version-check.json\`.
+
+Set \`CHAINPATROL_NO_UPDATE_CHECK=1\` to silence both checks. JSON mode
+(\`--json\`) and quiet mode (\`-q\` / \`--quiet\`) also suppress the nudges so
+machine-readable output is never polluted.
+
 ## Global Flags
 
 | Flag        | Description                          |
@@ -182,7 +263,129 @@ The \`configs list\` command shows detection sources grouped by:
 - **Not Configured** \u2014 Sources available but not yet set up for the org
 
 Each config entry includes: title, status, cron schedule, and configuration parameters.
+
+## Organization HealthCheck Guide
+
+This guide explains how to look for things that may be wrong for a given org
+across the full pipeline: **detection \u2192 reviewing \u2192 blocklisting \u2192 takedowns**.
+When the user asks for a "health check", "audit", "what's wrong with org X",
+"review org X's setup", or similar, walk through each section below and surface
+findings.
+
+In each section there are things you can look for that may be wrong.
+
+### Detection
+
+#### Enable Config That May Be Turned Off for Current Threats
+
+Blocked threats exist in an asset type but the matching detection source is
+turned off. For example: lots of Twitter assets are on the blocklist, but
+detection sources like "Twitter / X User Search" or "Twitter Post Search" are
+disabled. Those should be turned on.
+
+#### Spike in Detections
+
+A spike in recent detections is worth investigating. It could be a bad config
+change, or it could be a legitimate new attack push in this area \u2014 useful
+intel to surface to the security team as a targeted spike.
+
+#### Drop in Detections
+
+A drop is also worth looking into. It may be a bad config change, or it may
+mean the config is not really relevant and can be safely turned off (not all
+default-on configs are relevant to every org).
+
+### Reviewing
+
+#### Pile Up / Backlog of Unreviewed Proposals
+
+Too many proposals waiting in review. For most organizations this is over 100
+reports, but really the threshold is relative to the average number of
+confirmed threats per week. Example: if an org only adds 5 blocked threats per
+week, then a 7-day backlog of even 10 proposals is a really big deal.
+
+#### Really Old Proposals
+
+Any proposal waiting for review longer than 14 days is a sign something has
+gone wrong. Even complex investigations rarely take longer than this. Except
+for rare cases, these should be rejected or approved to prevent a backlog
+from building.
+
+#### Spike in Auto Approved Reports
+
+If suddenly a lot of proposals in an org are being approved by automation,
+that can be a sign of a bad rule approving too much, or a break in auto
+confidences. Sometimes detection is spamming things that uniquely combine
+with a weakness of a rule \u2014 which is effectively a bad rule. In all these
+cases, notify an engineer at ChainPatrol and check any detection configs you
+adjusted recently, since those may be the cause of spam combined with a weak
+rule.
+
+### Blocklisting
+
+#### Google Safe Browsing (Coming Soon)
+
+(Needs new public API added before this works.)
+
+High error rate in Google Safe Browsing submission tracker. Each submission
+has a status. If too many are in \`CANCELLED\`, that means Google's engine
+denied our submission. Contact ChainPatrol's eng team to investigate why, and
+also take a look at the org's custom detection sources \u2014 it's possible there
+are too many false positives landing on the blocklist, indicating issues with
+detection and reviewing rules.
+
+### Takedowns
+
+#### Too Many Takedowns in ToDo
+
+Can mean a gap in automated takedowns not being implemented for some new area
+of threats. It can also mean the areas that require manual takedowns are
+being missed by the takedown team.
+
+#### Too Many Takedowns In Progress
+
+Typically means something is wrong with the submission itself. The takedown
+may need to be resubmitted, the vendor asked for more evidence, or we may
+have submitted it in the wrong place.
+
+#### Too Many Cancelled Takedowns
+
+Takedowns should rarely be cancelled. A cancelled takedown means "we will not
+do this takedown" for some reason. Cases like adding an item to the blocklist
+when it's already taken down are treated as completed, not cancelled. So even
+3 cancelled takedowns in a 7-day period is too many.
+
+#### Automated Takedowns Turned Off for Over 30 Days
+
+Automated takedowns should be on by default for nearly every organization.
+Any issue that would make you want to turn off automated takedowns should be
+resolved within 30 days.
 `;
+}
+function getBundledSkillVersion() {
+  return getCliVersion();
+}
+function getBundledSkillContent() {
+  return buildSkillContent(getCliVersion());
+}
+function readInstalledSkillVersion() {
+  if (!existsSync(SKILL_FILE)) return void 0;
+  try {
+    const raw = readFileSync2(SKILL_FILE, "utf-8");
+    return parseSkillVersion(raw);
+  } catch {
+    return void 0;
+  }
+}
+function isSkillInstalled() {
+  return existsSync(SKILL_FILE);
+}
+function parseSkillVersion(content) {
+  const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!fmMatch) return void 0;
+  const versionMatch = fmMatch[1].match(/^version:\s*(.+?)\s*$/m);
+  return versionMatch ? versionMatch[1].trim() : void 0;
+}
 var LOGO = `
    \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557
   \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557
@@ -195,10 +398,11 @@ var LOGO = `
   \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 `;
 function setupSkill(options) {
+  const skillContent = buildSkillContent(getCliVersion());
   const alreadyExists = existsSync(SKILL_FILE);
   if (alreadyExists) {
-    const existing = readFileSync(SKILL_FILE, "utf-8");
-    if (existing === SKILL_CONTENT) {
+    const existing = readFileSync2(SKILL_FILE, "utf-8");
+    if (existing === skillContent) {
       if (options.json) {
         console.log(JSON.stringify({ status: "up-to-date", path: SKILL_FILE }));
       } else {
@@ -208,7 +412,7 @@ function setupSkill(options) {
     }
   }
   mkdirSync(SKILL_DIR, { recursive: true });
-  writeFileSync(SKILL_FILE, SKILL_CONTENT, { mode: 420 });
+  writeFileSync(SKILL_FILE, skillContent, { mode: 420 });
   const completionResult = installCompletions();
   if (options.json) {
     console.log(
@@ -257,7 +461,15 @@ function uninstallSkill(options) {
     }
   }
 }
+
 export {
+  getCliVersion,
+  compareVersions,
+  getBundledSkillVersion,
+  getBundledSkillContent,
+  readInstalledSkillVersion,
+  isSkillInstalled,
+  parseSkillVersion,
   setupSkill,
   uninstallSkill
 };

package/dist/{chunk-KMILLX3U.js → chunk-TFCNKBRC.js}

@@ -1,10 +1,3 @@
-import {
-  getValidCredentials
-} from "./chunk-EEG7T6WT.js";
-import {
-  getConfig
-} from "./chunk-U73SABXK.js";
-
 // ../../node_modules/luxon/src/errors.js
 var LuxonError = class extends Error {
 };
@@ -6430,144 +6423,6 @@ function friendlyDateTime(dateTimeish) {
   }
 }
 
-// src/lib/api-client.ts
-function parseIsoDate(value) {
-  if (!value) return void 0;
-  const dt = DateTime.fromISO(value, { zone: "utc" });
-  if (!dt.isValid) {
-    throw new Error(`Invalid ISO date: '${value}'. Use YYYY-MM-DD or full ISO 8601.`);
-  }
-  return dt.toJSDate();
-}
-var REQUEST_TIMEOUT_MS = 3e4;
-function createApiClient(options) {
-  const config = getConfig();
-  const apiUrl = options?.apiUrl ?? config.apiUrl;
-  const getToken = options?.getToken ?? (() => getValidCredentials().accessToken);
-  async function request(path, body) {
-    const token = getToken();
-    let res;
-    try {
-      res = await fetch(`${apiUrl}/api/v2${path}`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${token}`
-        },
-        body: JSON.stringify(body),
-        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
-      });
-    } catch (err) {
-      if (err instanceof DOMException && err.name === "TimeoutError") {
-        throw new Error(
-          "Request timed out. Check your network connection and try again."
-        );
-      }
-      if (err instanceof TypeError && err.code === "ECONNREFUSED") {
-        throw new Error(`Cannot connect to ${apiUrl}. Is the server running?`);
-      }
-      throw new Error("Network error. Check your internet connection and try again.");
-    }
-    if (!res.ok) {
-      let errorMessageFromResponse = null;
-      try {
-        const errorBody = await res.json();
-        errorMessageFromResponse = errorBody.message ?? null;
-      } catch {
-      }
-      if (res.status === 401) {
-        throw new Error(
-          errorMessageFromResponse ?? "Authentication failed. Run `chainpatrol login` to re-authenticate."
-        );
-      }
-      if (res.status === 403) {
-        throw new Error(
-          errorMessageFromResponse ?? "You don't have permission to access this resource. Check your --org slug and permissions."
-        );
-      }
-      if (res.status === 404) {
-        throw new Error(
-          errorMessageFromResponse ?? "Organization not found. Check your --org slug."
-        );
-      }
-      if (res.status === 422) {
-        throw new Error(errorMessageFromResponse ?? "Request validation failed.");
-      }
-      if (res.status >= 500) {
-        throw new Error(
-          "ChainPatrol API is temporarily unavailable. Please try again later."
-        );
-      }
-      throw new Error(
-        errorMessageFromResponse ?? `Request failed (${res.status}). Run with --json for details.`
-      );
-    }
-    return await res.json();
-  }
-  return {
-    listDetectionConfigs(slug) {
-      return request("/detection/configs/list", { slug });
-    },
-    updateDetectionConfig(input) {
-      return request("/detection/configs/update", input);
-    },
-    runDetectionConfigs(input) {
-      return request("/detection/configs/run", input);
-    },
-    validateDetectionConfigs(input) {
-      return request("/detection/configs/validate", input);
-    },
-    getDetectionDrift(input) {
-      return request("/detection/drift", {
-        ...input,
-        startDate: parseIsoDate(input.startDate),
-        endDate: parseIsoDate(input.endDate)
-      });
-    },
-    getOperationsQueuesSnapshot(input) {
-      return request(
-        "/operations/queues/snapshot",
-        input
-      );
-    },
-    getMetricsSummary(input) {
-      return request("/metrics/summary", {
-        ...input,
-        startDate: parseIsoDate(input.startDate),
-        endDate: parseIsoDate(input.endDate)
-      });
-    },
-    getMetricsFound(input) {
-      return request("/metrics/found", {
-        ...input,
-        startDate: parseIsoDate(input.startDate),
-        endDate: parseIsoDate(input.endDate)
-      });
-    },
-    getMetricsBreakdown(input) {
-      return request("/metrics/breakdown", {
-        ...input,
-        startDate: parseIsoDate(input.startDate),
-        endDate: parseIsoDate(input.endDate)
-      });
-    },
-    createReport(input) {
-      return request("/report/create", input);
-    },
-    listOrganizationReports(input) {
-      return request("/public/getOrganizationReports", {
-        slug: input.slug,
-        limit: input.limit ?? 10,
-        cursor: input.cursor,
-        status: input.status,
-        searchQuery: input.searchQuery,
-        reportedByCustomer: input.reportedByCustomer
-      });
-    }
-  };
-}
-
 export {
-  DateTime,
-  createApiClient
+  DateTime
 };

package/dist/cli.js

@@ -7,6 +7,20 @@ import {
 import {
   resolveOutputFormat
 } from "./chunk-VFT3TD3E.js";
+import {
+  compareVersions,
+  getBundledSkillVersion,
+  getCliVersion,
+  isSkillInstalled,
+  readInstalledSkillVersion
+} from "./chunk-T4DYUWUD.js";
+import "./chunk-IUZB3DQW.js";
+import {
+  DateTime
+} from "./chunk-TFCNKBRC.js";
+import {
+  getConfigDir
+} from "./chunk-U73SABXK.js";
 
 // src/cli.tsx
 import meow from "meow";
@@ -345,6 +359,145 @@ function getTopLevelHelp() {
   ].join("\n");
 }
 
+// src/lib/version-check.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+var NPM_REGISTRY_URL = "https://registry.npmjs.org/@chainpatrol/cli/latest";
+var CHECK_FILE_NAME = "version-check.json";
+var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
+var NPM_REQUEST_TIMEOUT_MS = 1500;
+function checkSkillStatus() {
+  const bundled = getBundledSkillVersion();
+  if (!isSkillInstalled()) {
+    return { state: "missing", bundled };
+  }
+  const installed = readInstalledSkillVersion();
+  if (!installed) {
+    return { state: "outdated", installed: void 0, bundled };
+  }
+  if (compareVersions(installed, bundled) < 0) {
+    return { state: "outdated", installed, bundled };
+  }
+  return { state: "ok", installed, bundled };
+}
+function getCheckFilePath() {
+  return join(getConfigDir(), CHECK_FILE_NAME);
+}
+function readCheckCache() {
+  const path = getCheckFilePath();
+  if (!existsSync(path)) return {};
+  try {
+    return JSON.parse(readFileSync(path, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeCheckCache(cache) {
+  try {
+    mkdirSync(getConfigDir(), { recursive: true });
+    writeFileSync(getCheckFilePath(), JSON.stringify(cache, null, 2), { mode: 420 });
+  } catch {
+  }
+}
+async function fetchNpmLatestVersion(timeoutMs) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(NPM_REGISTRY_URL, {
+      signal: controller.signal,
+      headers: { accept: "application/json" }
+    });
+    if (!res.ok) return void 0;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : void 0;
+  } catch {
+    return void 0;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function checkNpmStatus(options) {
+  const current = getCliVersion();
+  if (process.env.CHAINPATROL_NO_UPDATE_CHECK === "1") {
+    return { state: "unknown", current };
+  }
+  const now = options?.now ?? DateTime.now().toUTC().toMillis();
+  const force = options?.force ?? false;
+  const timeoutMs = options?.timeoutMs ?? NPM_REQUEST_TIMEOUT_MS;
+  const cache = readCheckCache();
+  const fresh = cache.lastNpmCheckAt !== void 0 && now - cache.lastNpmCheckAt < CHECK_INTERVAL_MS;
+  let latest;
+  if (!force && fresh && cache.lastSeenLatest) {
+    latest = cache.lastSeenLatest;
+  } else {
+    latest = await fetchNpmLatestVersion(timeoutMs);
+    if (latest) {
+      writeCheckCache({ lastNpmCheckAt: now, lastSeenLatest: latest });
+    }
+  }
+  if (!latest) return { state: "unknown", current };
+  if (compareVersions(current, latest) < 0) {
+    return { state: "outdated", current, latest };
+  }
+  return { state: "ok", current, latest };
+}
+function formatSkillNudge(status) {
+  if (status.state === "missing") {
+    return [
+      "Tip: the ChainPatrol skill for Claude Code is not installed.",
+      "  Run `chainpatrol setup` to install it (one-time setup)."
+    ].join("\n");
+  }
+  if (status.state === "outdated") {
+    const from = status.installed ?? "unknown";
+    return [
+      `Tip: your installed ChainPatrol skill (${from}) is out of date (latest: ${status.bundled}).`,
+      "  Run `chainpatrol setup` to update."
+    ].join("\n");
+  }
+  return void 0;
+}
+function formatNpmNudge(status) {
+  if (status.state === "outdated") {
+    return [
+      `Tip: a new version of @chainpatrol/cli is available: ${status.latest} (you have ${status.current}).`,
+      "  Update: npm i -g @chainpatrol/cli"
+    ].join("\n");
+  }
+  return void 0;
+}
+async function runVersionChecks(options) {
+  const skill = checkSkillStatus();
+  const npm = await checkNpmStatus(options);
+  const messages = [];
+  const skillMsg = formatSkillNudge(skill);
+  if (skillMsg) messages.push(skillMsg);
+  const npmMsg = formatNpmNudge(npm);
+  if (npmMsg) messages.push(npmMsg);
+  return { skill, npm, messages };
+}
+function shouldRunVersionChecks(opts) {
+  if (opts.jsonMode || opts.quiet || opts.helpOrVersionFlag) return false;
+  if (process.env.CHAINPATROL_NO_UPDATE_CHECK === "1") return false;
+  if (!opts.command) return false;
+  const skipCommands = /* @__PURE__ */ new Set([
+    "setup",
+    "install",
+    "i",
+    "uninstall",
+    "completions",
+    "help"
+  ]);
+  return !skipCommands.has(opts.command);
+}
+function printVersionMessages(messages) {
+  if (messages.length === 0) return;
+  for (const msg of messages) {
+    console.error("");
+    console.error(msg);
+  }
+}
+
 // src/cli.tsx
 var COMMANDS = [
   "login",
@@ -389,7 +542,7 @@ var cli = meow(`
 ${getTopLevelHelp()}
 `, {
   importMeta: import.meta,
-  version: "0.1.0",
+  version: getCliVersion(),
   // Boolean flags without an explicit `default` should resolve to `undefined`
   // when not passed (rather than meow's default of `false`), so handlers can
   // distinguish "flag omitted" from "flag explicitly set to false". Flags that
@@ -533,12 +686,12 @@ function parseAttachmentUrls() {
 }
 async function handleConfigsList(org) {
   if (jsonMode) {
-    const { listConfigsJson } = await import("./list-json-GTST5CRN.js");
+    const { listConfigsJson } = await import("./list-json-GANUT7SB.js");
     await listConfigsJson({ org });
     return;
   }
   const { render } = await import("ink");
-  const { default: ConfigsList } = await import("./list-IZT5P7II.js");
+  const { default: ConfigsList } = await import("./list-56BS25X4.js");
   const { default: React } = await import("react");
   render(React.createElement(ConfigsList, { org }));
 }
@@ -564,6 +717,14 @@ function maybeShowScopedHelp() {
   }
   return false;
 }
+var helpOrVersionFlag = cli.flags.help === true || cli.flags.version === true;
+var versionChecksEnabled = shouldRunVersionChecks({
+  command,
+  jsonMode,
+  quiet,
+  helpOrVersionFlag
+});
+var versionChecksPromise = versionChecksEnabled ? runVersionChecks().catch(() => ({ messages: [] })) : null;
 async function main() {
   if (maybeShowScopedHelp()) {
     return;
@@ -625,7 +786,7 @@ async function main() {
     case "detections": {
       const org = await resolveOrg();
       if (subcommand === "healthcheck") {
-        const { runDetectionsHealthcheck } = await import("./healthcheck-URZRXICK.js");
+        const { runDetectionsHealthcheck } = await import("./healthcheck-6RHZBEVE.js");
         await runDetectionsHealthcheck({
           org,
           source: cli.flags.source,
@@ -640,7 +801,7 @@ async function main() {
         break;
       }
       if (subcommand === "validate") {
-        const { runDetectionsValidate } = await import("./validate-VQKKFNBO.js");
+        const { runDetectionsValidate } = await import("./validate-NIBVL7X5.js");
         await runDetectionsValidate({
           org,
           source: cli.flags.source,
@@ -655,7 +816,7 @@ async function main() {
         break;
       }
       if (subcommand === "drift") {
-        const { runDetectionsDrift } = await import("./drift-UDNSOP2S.js");
+        const { runDetectionsDrift } = await import("./drift-2JRZK2MC.js");
         await runDetectionsDrift({
           org,
           source: cli.flags.source,
@@ -669,7 +830,7 @@ async function main() {
         break;
       }
       if (subcommand === "run") {
-        const { runDetectionsRun } = await import("./run-V66OGZ3W.js");
+        const { runDetectionsRun } = await import("./run-JZNZSCDJ.js");
         await runDetectionsRun({
           org,
           configId: cli.flags.configId,
@@ -688,7 +849,7 @@ async function main() {
           break;
         }
         if (action === "run") {
-          const { runDetectionsRun } = await import("./run-V66OGZ3W.js");
+          const { runDetectionsRun } = await import("./run-JZNZSCDJ.js");
           await runDetectionsRun({
             org,
             configId: cli.flags.configId,
@@ -706,7 +867,7 @@ async function main() {
             throw new Error("detections configs update requires --config-id");
           }
           const configPatch = getConfigPatchFromSetFlags();
-          const { runDetectionsConfigsUpdate } = await import("./configs-update-OVEREFCP.js");
+          const { runDetectionsConfigsUpdate } = await import("./configs-update-AHI7T6S4.js");
           await runDetectionsConfigsUpdate({
             org,
             configId: cli.flags.configId,
@@ -733,7 +894,7 @@ async function main() {
     case "metrics": {
       const org = await resolveOrg();
       if (subcommand === "summary") {
-        const { runMetricsSummary } = await import("./summary-SUWVXO7Y.js");
+        const { runMetricsSummary } = await import("./summary-PA2CCZVO.js");
         await runMetricsSummary({
           org,
           from: cli.flags.from,
@@ -745,7 +906,7 @@ async function main() {
         break;
       }
       if (subcommand === "found") {
-        const { runMetricsFound } = await import("./found-SJVDAINM.js");
+        const { runMetricsFound } = await import("./found-YYYFF4FD.js");
         await runMetricsFound({
           org,
           from: cli.flags.from,
@@ -762,7 +923,7 @@ async function main() {
         if (!by || !["day", "type", "brand"].includes(by)) {
           throw new Error("metrics breakdown requires --by <day|type|brand>");
         }
-        const { runMetricsBreakdown } = await import("./breakdown-PBH5NX6P.js");
+        const { runMetricsBreakdown } = await import("./breakdown-BECXDJIS.js");
         await runMetricsBreakdown({
           org,
           by,
@@ -782,7 +943,7 @@ async function main() {
     case "reports": {
       if (subcommand === "list") {
         const org = await resolveOrg();
-        const { runReportsList } = await import("./list-V5OVJ5NG.js");
+        const { runReportsList } = await import("./list-MHEIY7LQ.js");
         await runReportsList({
           org,
           limit: cli.flags.limit,
@@ -798,7 +959,7 @@ async function main() {
       }
       if (subcommand === "create") {
         const org = await tryResolveOrg();
-        const { runReportsCreate } = await import("./create-C7H3L7TU.js");
+        const { runReportsCreate } = await import("./create-RS37JAMM.js");
         await runReportsCreate({
           org,
           title: cli.flags.title,
@@ -822,7 +983,7 @@ async function main() {
     }
     case "queues": {
       if (subcommand === "snapshot") {
-        const { runQueuesSnapshot } = await import("./snapshot-TZHS7XQX.js");
+        const { runQueuesSnapshot } = await import("./snapshot-KGMO44YB.js");
         await runQueuesSnapshot({
           org: cli.flags.org,
           all: cli.flags.all,
@@ -840,7 +1001,7 @@ async function main() {
     }
     case "presets": {
       if (subcommand === "list") {
-        const { runPresetsList } = await import("./list-3JBC4637.js");
+        const { runPresetsList } = await import("./list-M2UQCXIO.js");
         await runPresetsList({ outputFormat: cliContext.outputFormat });
         break;
       }
@@ -851,7 +1012,7 @@ async function main() {
           );
         }
         const org = await resolveOrg();
-        const { runPresetsRun } = await import("./run-MUMSMG4V.js");
+        const { runPresetsRun } = await import("./run-7NTCD7JI.js");
         await runPresetsRun({
           presetId: action,
           org,
@@ -868,12 +1029,12 @@ async function main() {
     case "setup":
     case "install":
     case "i": {
-      const { setupSkill } = await import("./setup-skill-SIWP3KFS.js");
+      const { setupSkill } = await import("./setup-skill-ZUZ5MYLI.js");
       setupSkill({ json: jsonMode });
       break;
     }
     case "uninstall": {
-      const { uninstallSkill } = await import("./setup-skill-SIWP3KFS.js");
+      const { uninstallSkill } = await import("./setup-skill-ZUZ5MYLI.js");
       uninstallSkill({ json: jsonMode });
       break;
     }
@@ -893,12 +1054,26 @@ async function main() {
     }
   }
 }
-main().catch((err) => {
+async function flushVersionChecks() {
+  if (!versionChecksPromise) return;
+  let timer;
+  const timeoutPromise = new Promise((resolve) => {
+    timer = setTimeout(() => resolve({ messages: [] }), 500);
+  });
+  try {
+    const result = await Promise.race([versionChecksPromise, timeoutPromise]);
+    printVersionMessages(result.messages);
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
+main().then(flushVersionChecks).catch(async (err) => {
   const message = err instanceof Error ? err.message : String(err);
   const exitCode = mapErrorToExitCode(err);
   if (jsonMode) {
     jsonError(message, exitCode);
   }
   console.error(message);
+  await flushVersionChecks();
   process.exit(exitCode);
 });

package/dist/{configs-update-OVEREFCP.js → configs-update-AHI7T6S4.js}

@@ -7,7 +7,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{create-C7H3L7TU.js → create-RS37JAMM.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{drift-UDNSOP2S.js → drift-2JRZK2MC.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{found-SJVDAINM.js → found-YYYFF4FD.js}

@@ -3,9 +3,11 @@ import {
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
 import {
-  DateTime,
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import {
+  DateTime
+} from "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{healthcheck-URZRXICK.js → healthcheck-6RHZBEVE.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-IZT5P7II.js → list-56BS25X4.js}

@@ -1,6 +1,7 @@
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import {
   ErrorDisplay,
   Spinner

package/dist/{list-3JBC4637.js → list-M2UQCXIO.js}

@@ -1,12 +1,13 @@
 import {
   PRESETS
-} from "./chunk-6FIJ4NU4.js";
+} from "./chunk-B3CCMSG2.js";
 import "./chunk-E2LAMILJ.js";
 import {
   printOutput,
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
-import "./chunk-KMILLX3U.js";
+import "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-V5OVJ5NG.js → list-MHEIY7LQ.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-json-GTST5CRN.js → list-json-GANUT7SB.js}

@@ -1,6 +1,7 @@
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{run-MUMSMG4V.js → run-7NTCD7JI.js}

@@ -1,13 +1,14 @@
 import {
   getPresetDefinition,
   runPreset
-} from "./chunk-6FIJ4NU4.js";
+} from "./chunk-B3CCMSG2.js";
 import {
   CliExitError,
   ExitCode
 } from "./chunk-E2LAMILJ.js";
 import "./chunk-VFT3TD3E.js";
-import "./chunk-KMILLX3U.js";
+import "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{run-V66OGZ3W.js → run-JZNZSCDJ.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/setup-skill-ZUZ5MYLI.js

@@ -0,0 +1,19 @@
+import {
+  getBundledSkillContent,
+  getBundledSkillVersion,
+  isSkillInstalled,
+  parseSkillVersion,
+  readInstalledSkillVersion,
+  setupSkill,
+  uninstallSkill
+} from "./chunk-T4DYUWUD.js";
+import "./chunk-IUZB3DQW.js";
+export {
+  getBundledSkillContent,
+  getBundledSkillVersion,
+  isSkillInstalled,
+  parseSkillVersion,
+  readInstalledSkillVersion,
+  setupSkill,
+  uninstallSkill
+};

package/dist/{snapshot-TZHS7XQX.js → snapshot-KGMO44YB.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{summary-SUWVXO7Y.js → summary-PA2CCZVO.js}

@@ -4,7 +4,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{validate-VQKKFNBO.js → validate-NIBVL7X5.js}

@@ -8,7 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-KMILLX3U.js";
+} from "./chunk-DSOM6TZX.js";
+import "./chunk-TFCNKBRC.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-U73SABXK.js";
 

package/package.json

@@ -2,7 +2,7 @@
   "name": "@chainpatrol/cli",
   "description": "The official ChainPatrol CLI — terminal interface for threat detection",
   "author": "Umar Ahmed <umar@chainpatrol.io>",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "license": "UNLICENSED",
   "homepage": "https://chainpatrol.com/docs/cli",
   "keywords": [