@chainpatrol/cli 0.4.1 → 0.6.0

package/CHANGELOG.md

@@ -1,5 +1,36 @@
 # @chainpatrol/cli
 
+## 0.6.0
+
+### Minor Changes
+
+- 575b671: Add `chainpatrol orgs list` — lists organizations accessible to the caller along with each org's subscription status and active/automated service flags (reporting, reviewing, protection, takedowns, detection, dark web monitoring). Filter flags compose with AND and are applied server-side:
+
+  - `--subscription-status <list>` — comma-separated `PROSPECT`, `TRIAL`, `ACTIVE`, `INTEGRATION` (`INACTIVE` is intentionally not reachable through this filter)
+  - `--service-active <list>` / `--service-inactive <list>` — services that must be active / inactive
+  - `--service-automated <list>` / `--service-manual <list>` — services whose automation must be on / off (`reporting`, `reviewing`, `protection`, `takedowns`)
+  - `--query <text>` — partial name match
+
+  Use cases: "which ACTIVE customers have takedowns enabled but automation off", "which prospects don't have detection turned on yet". The bundled CLI skill gets a new `orgs list` section under the `queues snapshot` heading.
+
+## 0.5.0
+
+### Minor Changes
+
+- f8d9454: Add five new healthchecks covering the takedown pipeline and asset liveness, expanding the runnable surface for `chainpatrol healthchecks run`:
+
+  - **`takedowns.todo-volume`** — counts takedowns sitting in TODO. Default warn=50, fail=100. Catches automation gaps on new threat surfaces or manual-filing capacity issues.
+  - **`takedowns.in-progress-volume`** — counts takedowns currently IN*PROGRESS regardless of age. Default warn=30, fail=75. Complements `takedowns.stale-in-progress` (age-based) by catching submission-format / vendor-side issues \_before* items go stale.
+  - **`takedowns.cancelled-count`** — counts transitions into CANCELLED from the `TakedownEvent` log over a rolling window. Default 7d / warn=3 / fail=10. Replaces the placeholder `takedowns.cancelled-rate` registry entry. Uses the event log rather than `Takedown.updatedAt` so the cancellation date is correct even if the takedown has since been edited.
+  - **`takedowns.automation-off`** — flags orgs with takedown service enabled but `isAutomatedTakedownsActive` off for too long. Default warn=30d, fail=60d. Age is derived from the most recent `SERVICES_AUTOMATED_TAKEDOWNS_UPDATED` `OrganizationEvent`, falling back to `Organization.updatedAt`. Orgs with takedown service entirely disabled are skipped.
+  - **`assets.dead-asset-spike`** — compares `DETECTED_AS_DEAD` events in the current window against the prior baseline rate; warns on a multiplier exceeding the threshold (default 24h vs 7d, ×2 warn / ×4 fail) once the current count clears the `minSpikeCount` floor. Catches liveness-checker regressions after platform changes.
+
+  The bundled CLI skill gets a rewritten **Takedowns** section covering all four takedown checks and a new top-level **Assets** section covering `dead-asset-spike` plus guidance on the still-unimplemented `assets.dead-but-alive` / `assets.alive-but-marked-dead` (which require live HTTP probes and are not a fit for synchronous healthchecks).
+
+  The public `HealthcheckResult.category` enum gains `"assets"`. `observed` and `threshold` records now also accept booleans and null (for fields like `automatedTakedownsActive` and the nullable `ratio` on the spike check).
+
+  `HealthcheckResult` also gains an `appUrl` field (string or null) that deep-links to the relevant filtered admin page in the web app. For example, `takedowns.stale-in-progress` returns `https://app.chainpatrol.io/admin/<slug>/takedowns?takedownStatus=IN_PROGRESS&sortBy=oldest` and `reviewing.backlog` returns `https://app.chainpatrol.io/admin/<slug>/review?excludeWatchlisted=true`. The CLI prints `View in app: <url>` after each result. Checks without a sensible filtered view (`detections.silent-configs`, `assets.dead-asset-spike`) return `null`. The base URL respects `BETTER_AUTH_URL` and falls back to `https://app.chainpatrol.io`.
+
 ## 0.4.1
 
 ### Patch Changes

package/dist/{breakdown-EBSACUST.js → breakdown-AX6QNTQH.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{chunk-PIYOWGBZ.js → chunk-AGXMZFUU.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";

package/dist/{chunk-MXUZR2BV.js → chunk-LLWKCA3H.js}

@@ -147,6 +147,9 @@ function createApiClient(options) {
     },
     runHealthcheck(endpoint, input) {
       return request(endpoint, input);
+    },
+    getUserOrgs(input) {
+      return request("/user/orgs", input);
     }
   };
 }

package/dist/{chunk-F4GU6AII.js → chunk-XOXQPUR6.js}

@@ -82,7 +82,9 @@ description: |
   "am I logged in", "list configs", "use the cli", "list reports",
   "customer reports", "reports reported by customer", "find detection gaps",
   "org healthcheck", "organization health check", "audit my org",
-  "what's wrong with org", "review org setup".
+  "what's wrong with org", "review org setup", "list orgs", "list organizations",
+  "orgs with takedowns off", "automation off across orgs",
+  "which customers have X enabled", "service toggles by org".
 allowed-tools:
   - Bash
   - Read
@@ -321,10 +323,13 @@ chainpatrol --json healthchecks run reviewing.backlog --org <slug>
 chainpatrol --json healthchecks run --all --org <slug>
 \`\`\`
 
-Each implemented check has a stable id of the form \`category.name\`, e.g.
-\`detections.silent-configs\`, \`reviewing.backlog\`,
+Each implemented check has a stable id of the form \`category.name\`. Implemented
+ids today: \`detections.silent-configs\`, \`reviewing.backlog\`,
 \`reviewing.old-proposals\`, \`reviewing.watchlist-backlog\`,
-\`reviewing.watchlist-old\`, \`takedowns.stale-in-progress\`.
+\`reviewing.watchlist-old\`, \`takedowns.todo-volume\`,
+\`takedowns.in-progress-volume\`, \`takedowns.stale-in-progress\`,
+\`takedowns.cancelled-count\`, \`takedowns.automation-off\`,
+\`assets.dead-asset-spike\`.
 
 ### Pending proposals: "Needs Review" vs "Watchlisted"
 
@@ -344,6 +349,15 @@ grade them with separate checks:
   severity is **capped at warn** so they never block on the same SLA as
   Needs Review. When reporting findings, treat these as lower-priority.
 
+Each healthcheck result includes an \`appUrl\` field (string or null) that
+deep-links to the relevant filtered admin page in the web app \u2014 e.g. the
+takedowns page filtered to IN_PROGRESS for \`takedowns.stale-in-progress\`,
+or the review page filtered to oldest pending for \`reviewing.old-proposals\`.
+**When reporting a non-OK healthcheck to the user, always surface the
+\`appUrl\` so they can jump straight to the right view.** Some checks
+(\`detections.silent-configs\`, \`assets.dead-asset-spike\`) emit \`null\`
+because no filterable list page exists for that signal yet.
+
 Implemented checks today:
 
 - **detections.silent-configs** \u2014 equivalent to \`detections healthcheck\`,
@@ -358,8 +372,27 @@ Implemented checks today:
 - **reviewing.watchlist-old** \u2014 counts watchlisted pending proposals older
   than the warn-age threshold (default 30 days) and lists the oldest.
   Severity capped at warn.
+- **takedowns.todo-volume** \u2014 counts takedowns in TODO (default warn=50,
+  fail=100). Pile-ups here usually mean an automation gap on a new threat
+  surface, or manual-filing capacity issues.
+- **takedowns.in-progress-volume** \u2014 counts takedowns currently IN_PROGRESS
+  regardless of age (default warn=30, fail=75). Complements
+  \`stale-in-progress\` \u2014 a high count signals vendor-side or
+  submission-format problems even before items go stale.
 - **takedowns.stale-in-progress** \u2014 counts takedowns sitting in IN_PROGRESS
   past the staleness threshold (default 7 days) and lists the oldest.
+- **takedowns.cancelled-count** \u2014 counts CANCELLED transitions from the
+  TakedownEvent log over a rolling window (default 7d, warn=3, fail=10).
+  Cancellations should be rare; a spike usually means a proposal-funnel
+  quality problem or misuse of the CANCELLED status.
+- **takedowns.automation-off** \u2014 flags orgs with takedown service enabled
+  but \`isAutomatedTakedownsActive\` off for too long (default warn=30d,
+  fail=60d). Skipped for orgs with takedown service entirely disabled.
+- **assets.dead-asset-spike** \u2014 compares DEAD-detection events in the
+  current window against the prior baseline rate; warns on a multiplier
+  exceeding the threshold (default 24h vs 7d, \xD72 warn / \xD74 fail) once the
+  current count clears the \`minSpikeCount\` floor. Catches liveness-checker
+  regressions after platform changes.
 
 The following checks are listed by \`healthchecks list\` (\`implemented: false\`)
 but **not yet implemented on the backend** \u2014 when the agent surfaces them in
@@ -373,8 +406,11 @@ a healthcheck report, mark them explicitly as "manual check, no API yet":
   human approvers in the review history. Use \`metrics breakdown\` as a proxy.
 - **blocklisting.gsb-cancelled-rate** \u2014 Google Safe Browsing submission state
   is not yet exposed in the public API.
-- **takedowns.todo-volume** / **takedowns.cancelled-rate** /
-  **takedowns.automation-off** \u2014 the underlying read paths are not yet exposed.
+- **assets.dead-but-alive** / **assets.alive-but-marked-dead** \u2014 require live
+  HTTP probes against asset URLs, which is not a synchronous-healthcheck
+  shape. Until a dedicated probe command exists, sample a handful manually
+  from \`assets list --status DEAD\` (or ALIVE) and verify in a browser. Notify
+  ChainPatrol engineering if the liveness checker looks miscalibrated.
 
 When the user asks to "run a healthcheck on org X", the canonical command is:
 
@@ -409,6 +445,51 @@ Guide. Key signals in the response:
 
 Use \`--all\` to snapshot every org you have access to instead of a single slug.
 
+### \`orgs list\` \u2014 List organizations with subscription status and service toggles
+
+Returns every organization the caller can see, with each org's
+subscription status (\`PROSPECT\`, \`TRIAL\`, \`ACTIVE\`, \`INTEGRATION\`) and
+which services are active and automated. Use it to answer questions like
+"which customers have takedowns enabled but automation off?" or "which
+prospects don't have detection turned on yet?" \u2014 filters compose with AND
+and are applied server-side, so one call returns the final list.
+
+\`\`\`bash
+chainpatrol --json orgs list \\
+  --subscription-status ACTIVE \\
+  --service-active takedowns \\
+  --service-manual takedowns
+\`\`\`
+
+Filter flags (all optional, all comma-separated lists):
+
+- \`--query <text>\` partial name match (substring, case-insensitive)
+- \`--subscription-status <list>\` one or more of \`PROSPECT\`, \`TRIAL\`,
+  \`ACTIVE\`, \`INTEGRATION\`. \`INACTIVE\` is intentionally not reachable
+  through this filter \u2014 \`orgs list\` only ever returns live customers.
+- \`--service-active <list>\` services that must be active
+- \`--service-inactive <list>\` services that must be inactive
+- \`--service-automated <list>\` services whose automation must be ON
+  (\`reporting\`, \`reviewing\`, \`protection\`, \`takedowns\` \u2014 the four
+  with an automation toggle)
+- \`--service-manual <list>\` services whose automation must be OFF
+  (same four)
+
+Service names: \`reporting\`, \`reviewing\`, \`protection\`, \`takedowns\`,
+\`detection\`, \`darkWebMonitoring\`.
+
+Customers see only orgs they're a member of. Staff/superuser sessions see
+every matching org. The response is the same in both cases; visibility is
+enforced server-side.
+
+#### Use case: finding service configuration gaps across the customer base
+
+When the user asks something like "which customers are paying us but don't
+have takedowns automated yet?" or "any orgs running detection without
+takedowns?", reach for \`orgs list\` \u2014 it's the only command that exposes
+service flags across multiple orgs in one call. Run it in \`--json\` mode
+and summarize patterns by service or by subscription tier.
+
 ### \`metrics summary | found | breakdown\` \u2014 Org metrics for spike/drop analysis
 
 \`\`\`bash
@@ -775,19 +856,23 @@ exposed in the public API, this remains a manual / engineering-team check.
 
 ### Takedowns
 
+The takedown pipeline has three stages \u2014 TODO (queued, not yet filed),
+IN_PROGRESS (filed, waiting on vendor / customer / refile), and a terminal
+state (COMPLETED or CANCELLED). Healthchecks cover pile-ups at each stage,
+plus quality/configuration issues.
+
 #### Too Many Takedowns in ToDo
 
 Can mean a gap in automated takedowns not being implemented for some new area
 of threats. It can also mean the areas that require manual takedowns are
 being missed by the takedown team.
 
-**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
-in \`healthchecks list\` as \`takedowns.todo-volume\` with
-\`implemented: false\` (needs a per-org throughput baseline). As an interim
-signal, \`chainpatrol --json queues snapshot --org <slug>\` returns
-\`takedownQueue.totalOpen\` and breakdowns by status; a persistently large
-ToDo bucket relative to the org's typical takedown rate (use
-\`metrics summary\` for that baseline) is the finding.
+**Run via CLI:** **Implemented as \`healthchecks run takedowns.todo-volume\`.**
+Counts takedowns sitting in TODO (default warn=50, fail=100). For raw
+breakdowns by type, cross-reference with
+\`chainpatrol --json metrics breakdown --org <slug> --by assetType\` \u2014
+items piled up on a specific platform usually point at an automation
+gap there.
 
 #### Too Many Takedowns In Progress
 
@@ -795,12 +880,16 @@ Typically means something is wrong with the submission itself. The takedown
 may need to be resubmitted, the vendor asked for more evidence, or we may
 have submitted it in the wrong place.
 
-**Run via CLI:** **Implemented as \`healthchecks run takedowns.stale-in-progress\`.**
-The endpoint counts takedowns sitting in IN_PROGRESS past the staleness
-threshold (default 7 days) and lists the oldest offenders in \`findings\`.
-\`queues snapshot\` (\`takedownQueue.staleInProgress\`) still works as a raw
-view. Any non-zero value is worth investigating; a growing number across
-snapshots strongly suggests a vendor-side or submission-format problem.
+**Run via CLI:** Two checks, complementary:
+
+- **\`healthchecks run takedowns.in-progress-volume\`** \u2014 counts all
+  IN_PROGRESS takedowns regardless of age (default warn=30, fail=75).
+  Catches a vendor-side or submission-format problem before items go
+  stale.
+- **\`healthchecks run takedowns.stale-in-progress\`** \u2014 counts IN_PROGRESS
+  takedowns past a staleness threshold (default 7 days), lists the oldest
+  offenders. Any non-zero value is worth investigating; a growing count
+  across snapshots strongly suggests vendor-side or format issues.
 
 #### Too Many Cancelled Takedowns
 
@@ -809,14 +898,13 @@ do this takedown" for some reason. Cases like adding an item to the blocklist
 when it's already taken down are treated as completed, not cancelled. So even
 3 cancelled takedowns in a 7-day period is too many.
 
-**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
-in \`healthchecks list\` as \`takedowns.cancelled-rate\` with
-\`implemented: false\` (public API does not yet expose CANCELLED takedown
-counts over a rolling window). As an interim signal, use
-\`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
-and compare \`takedownsFiled\` vs \`takedownsCompleted\` for a sudden
-divergence \u2014 a widening gap with no In-Progress growth often shows up as
-cancellations.
+**Run via CLI:** **Implemented as \`healthchecks run takedowns.cancelled-count\`.**
+Counts transitions into the CANCELLED status from the TakedownEvent log
+within the lookback window (default 7 days, warn=3, fail=10). The check
+uses the event log rather than \`Takedown.updatedAt\` so it correctly
+attributes the cancellation date even if the takedown has since been
+edited. A spike usually means a quality problem in the proposal funnel
+or the CANCELLED status being used as a catch-all.
 
 #### Automated Takedowns Turned Off for Over 30 Days
 
@@ -824,12 +912,56 @@ Automated takedowns should be on by default for nearly every organization.
 Any issue that would make you want to turn off automated takedowns should be
 resolved within 30 days.
 
-**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
-in \`healthchecks list\` as \`takedowns.automation-off\` with
-\`implemented: false\` (public API does not yet expose automated-takedown
-enablement state). Check this manually with the org's takedown automation
-settings; the CLI's role here is mostly to highlight stale state in
-\`queues snapshot\` so you know to ask.
+**Run via CLI:** **Implemented as \`healthchecks run takedowns.automation-off\`.**
+Checks \`Organization.isAutomatedTakedownsActive\` and derives the
+off-duration from the most recent \`SERVICES_AUTOMATED_TAKEDOWNS_UPDATED\`
+entry in \`OrganizationEvent\` (default warn 30 days, fail 60 days). Orgs
+with takedown service entirely disabled (\`isTakedownsActive=0\`) are
+skipped \u2014 automation being off is implied in that case.
+
+### Assets
+
+Healthchecks on the asset model \u2014 specifically asset liveness state, which
+the takedown team depends on for follow-up.
+
+#### Spike in Recently Dead Assets
+
+A sudden spike in DEAD detections can be a good signal (takedowns or platform
+moderation working) but it can also mean the liveness checker is
+misclassifying assets after a platform change, captcha rollout, or anti-bot
+update. If many assets become dead at once, sample a few manually.
+
+**Run via CLI:** **Implemented as \`healthchecks run assets.dead-asset-spike\`.**
+Compares \`DETECTED_AS_DEAD\` events in the current window (default 24h)
+against the baseline rate from the prior \`baselineDays\` (default 7d).
+Severity fires only when the current count clears \`minSpikeCount\` (default
+10) AND exceeds the multiplier (default warn \xD72, fail \xD74). The
+\`minSpikeCount\` floor suppresses noise on orgs with near-zero baseline
+activity. When this fires, pull a sample of recent DEAD assets, verify a
+few in a browser, and notify ChainPatrol engineering if the sample is
+clearly still live.
+
+#### Assets Marked Dead but Still Online / Assets Not Marked Dead Even Though They Are Down
+
+These two opposite failure modes are **not implemented as healthchecks**
+(listed as \`assets.dead-but-alive\` and \`assets.alive-but-marked-dead\` with
+\`implemented: false\`). Both require live HTTP probes against asset URLs,
+which is not a synchronous-healthcheck shape.
+
+Until a dedicated probe command exists:
+
+- For "marked dead but still alive": sample a handful of recently-DEAD
+  assets, open them in a browser, and watch for any that load. Common
+  causes: bot protection, geo-blocking, rate limits, or liveness logic
+  that does not handle the asset type correctly.
+- For "alive but marked dead": after a known takedown event, sample
+  assets that *should* be dead but are still marked alive. Common causes:
+  cached responses, soft-404 pages, parked-domain redirects, platform
+  suspension pages still returning 200.
+
+In both cases, if liveness looks miscalibrated for a class of assets,
+notify ChainPatrol engineering \u2014 the checker likely needs a tuning pass for
+that platform.
 `;
 }
 function getBundledSkillVersion() {

package/dist/cli.js

@@ -13,7 +13,7 @@ import {
   getCliVersion,
   isSkillInstalled,
   readInstalledSkillVersion
-} from "./chunk-F4GU6AII.js";
+} from "./chunk-XOXQPUR6.js";
 import "./chunk-IUZB3DQW.js";
 import {
   DateTime
@@ -281,6 +281,31 @@ var HELP = {
       "--window-hours <n>    Hours used for staleness windows"
     ]
   },
+  orgs: {
+    description: "List organizations accessible to you with subscription status and service toggles.",
+    usage: "chainpatrol orgs list [filters]",
+    examples: [
+      "chainpatrol orgs list",
+      "chainpatrol orgs list --subscription-status ACTIVE --service-active takedowns --service-manual takedowns"
+    ]
+  },
+  "orgs list": {
+    description: "List organizations with their subscription status and per-service active/automated flags. All filters compose with AND.",
+    usage: "chainpatrol orgs list [filters]",
+    options: [
+      "--query <text>             Partial name match (substring, case-insensitive)",
+      "--subscription-status <l>  Comma-separated list (PROSPECT,TRIAL,ACTIVE,INTEGRATION)",
+      "--service-active <l>       Comma-separated services that must be active",
+      "--service-inactive <l>     Comma-separated services that must be inactive",
+      "--service-automated <l>    Services whose automation must be ON (reporting,reviewing,protection,takedowns)",
+      "--service-manual <l>       Services whose automation must be OFF (reporting,reviewing,protection,takedowns)"
+    ],
+    examples: [
+      "chainpatrol orgs list --subscription-status ACTIVE",
+      "chainpatrol orgs list --service-active takedowns --service-manual takedowns",
+      "chainpatrol --json orgs list --subscription-status ACTIVE,TRIAL --service-active detection"
+    ]
+  },
   healthchecks: {
     description: "Run organization healthchecks via the public API. Use `list` to see every available check (including planned ones not yet implemented on the backend) and `run` to execute one or all implemented checks.",
     usage: "chainpatrol healthchecks <list|run <id>|run --all>",
@@ -369,6 +394,7 @@ function getTopLevelHelp() {
     "    metrics       Query organization metrics and breakdowns",
     "    reports       Create and list reports from terminal",
     "    queues        Snapshot operations review/takedown queues",
+    "    orgs          List organizations and filter by status/services",
     "    presets       Run saved workflows for common jobs",
     "    setup         Install Claude Code skill and shell completions",
     "    uninstall     Remove Claude Code skill and shell completions",
@@ -538,6 +564,7 @@ var COMMANDS = [
   "metrics",
   "reports",
   "queues",
+  "orgs",
   "presets",
   "setup",
   "uninstall",
@@ -614,6 +641,12 @@ ${getTopLevelHelp()}
     contactInfo: { type: "string" },
     externalSubmissionLink: { type: "string" },
     payloadFile: { type: "string" },
+    subscriptionStatus: { type: "string" },
+    serviceActive: { type: "string" },
+    serviceInactive: { type: "string" },
+    serviceAutomated: { type: "string" },
+    serviceManual: { type: "string" },
+    query: { type: "string" },
     help: { type: "boolean", shortFlag: "h" },
     version: { type: "boolean", shortFlag: "V" },
     quiet: { type: "boolean", default: false, shortFlag: "q" },
@@ -717,12 +750,12 @@ function parseAttachmentUrls() {
 }
 async function handleConfigsList(org) {
   if (jsonMode) {
-    const { listConfigsJson } = await import("./list-json-WTMYLZGY.js");
+    const { listConfigsJson } = await import("./list-json-LEKCCWQU.js");
     await listConfigsJson({ org });
     return;
   }
   const { render } = await import("ink");
-  const { default: ConfigsList } = await import("./list-GEMCFDD5.js");
+  const { default: ConfigsList } = await import("./list-5ENZAOFL.js");
   const { default: React } = await import("react");
   render(React.createElement(ConfigsList, { org }));
 }
@@ -820,7 +853,7 @@ async function main() {
     case "detections": {
       const org = await resolveOrg();
       if (subcommand === "healthcheck") {
-        const { runDetectionsHealthcheck } = await import("./healthcheck-KAONRGSS.js");
+        const { runDetectionsHealthcheck } = await import("./healthcheck-AQUXVKAO.js");
         await runDetectionsHealthcheck({
           org,
           source: cli.flags.source,
@@ -835,7 +868,7 @@ async function main() {
         break;
       }
       if (subcommand === "validate") {
-        const { runDetectionsValidate } = await import("./validate-BJFEKI2N.js");
+        const { runDetectionsValidate } = await import("./validate-27RUCN7R.js");
         await runDetectionsValidate({
           org,
           source: cli.flags.source,
@@ -850,7 +883,7 @@ async function main() {
         break;
       }
       if (subcommand === "drift") {
-        const { runDetectionsDrift } = await import("./drift-DZ6A7JL5.js");
+        const { runDetectionsDrift } = await import("./drift-VOKQJ36G.js");
         await runDetectionsDrift({
           org,
           source: cli.flags.source,
@@ -864,7 +897,7 @@ async function main() {
         break;
       }
       if (subcommand === "run") {
-        const { runDetectionsRun } = await import("./run-43CC5AXR.js");
+        const { runDetectionsRun } = await import("./run-OT2X46GT.js");
         await runDetectionsRun({
           org,
           configId: cli.flags.configId,
@@ -883,7 +916,7 @@ async function main() {
           break;
         }
         if (action === "run") {
-          const { runDetectionsRun } = await import("./run-43CC5AXR.js");
+          const { runDetectionsRun } = await import("./run-OT2X46GT.js");
           await runDetectionsRun({
             org,
             configId: cli.flags.configId,
@@ -901,7 +934,7 @@ async function main() {
             throw new Error("detections configs update requires --config-id");
           }
           const configPatch = getConfigPatchFromSetFlags();
-          const { runDetectionsConfigsUpdate } = await import("./configs-update-RPN32YTL.js");
+          const { runDetectionsConfigsUpdate } = await import("./configs-update-VROBC2HI.js");
           await runDetectionsConfigsUpdate({
             org,
             configId: cli.flags.configId,
@@ -928,7 +961,7 @@ async function main() {
     case "metrics": {
       const org = await resolveOrg();
       if (subcommand === "summary") {
-        const { runMetricsSummary } = await import("./summary-6NCA7PDP.js");
+        const { runMetricsSummary } = await import("./summary-JOCABBCO.js");
         await runMetricsSummary({
           org,
           from: cli.flags.from,
@@ -940,7 +973,7 @@ async function main() {
         break;
       }
       if (subcommand === "found") {
-        const { runMetricsFound } = await import("./found-AOPBSLRD.js");
+        const { runMetricsFound } = await import("./found-A5HRTJCJ.js");
         await runMetricsFound({
           org,
           from: cli.flags.from,
@@ -957,7 +990,7 @@ async function main() {
         if (!by || !["day", "type", "brand"].includes(by)) {
           throw new Error("metrics breakdown requires --by <day|type|brand>");
         }
-        const { runMetricsBreakdown } = await import("./breakdown-EBSACUST.js");
+        const { runMetricsBreakdown } = await import("./breakdown-AX6QNTQH.js");
         await runMetricsBreakdown({
           org,
           by,
@@ -977,7 +1010,7 @@ async function main() {
     case "reports": {
       if (subcommand === "list") {
         const org = await resolveOrg();
-        const { runReportsList } = await import("./list-MWDFCHMJ.js");
+        const { runReportsList } = await import("./list-CVFXTKNX.js");
         await runReportsList({
           org,
           limit: cli.flags.limit,
@@ -993,7 +1026,7 @@ async function main() {
       }
       if (subcommand === "create") {
         const org = await tryResolveOrg();
-        const { runReportsCreate } = await import("./create-QP3M7EZM.js");
+        const { runReportsCreate } = await import("./create-XTCUNT2C.js");
         await runReportsCreate({
           org,
           title: cli.flags.title,
@@ -1017,7 +1050,7 @@ async function main() {
     }
     case "queues": {
       if (subcommand === "snapshot") {
-        const { runQueuesSnapshot } = await import("./snapshot-E3TPZOKT.js");
+        const { runQueuesSnapshot } = await import("./snapshot-4QR4I67P.js");
         await runQueuesSnapshot({
           org: cli.flags.org,
           all: cli.flags.all,
@@ -1033,9 +1066,29 @@ async function main() {
         subcommand ? `Unknown subcommand: queues ${subcommand}${hint ? `. Did you mean "queues ${hint}"?` : ""}` : "Usage: chainpatrol queues snapshot [--org <slug>|--all]"
       );
     }
+    case "orgs": {
+      if (subcommand === "list") {
+        const { runOrgsList } = await import("./list-CGRHTFAS.js");
+        await runOrgsList({
+          query: cli.flags.query,
+          subscriptionStatus: cli.flags.subscriptionStatus,
+          serviceActive: cli.flags.serviceActive,
+          serviceInactive: cli.flags.serviceInactive,
+          serviceAutomated: cli.flags.serviceAutomated,
+          serviceManual: cli.flags.serviceManual,
+          json: jsonMode,
+          outputFormat: cliContext.outputFormat
+        });
+        break;
+      }
+      const hint = subcommand ? suggest(subcommand, ["list"]) : null;
+      throw new Error(
+        subcommand ? `Unknown subcommand: orgs ${subcommand}${hint ? `. Did you mean "orgs ${hint}"?` : ""}` : "Usage: chainpatrol orgs list [--subscription-status <list>] [--service-active <list>] [--service-automated <list>] ..."
+      );
+    }
     case "healthchecks": {
       if (subcommand === "list") {
-        const { runHealthchecksList } = await import("./list-UW63DIKX.js");
+        const { runHealthchecksList } = await import("./list-PLZ67PNY.js");
         await runHealthchecksList({
           json: jsonMode,
           outputFormat: cliContext.outputFormat
@@ -1049,7 +1102,7 @@ async function main() {
           thresholds.minResults = cli.flags.minResults;
         if (cli.flags.lookbackHours !== void 0)
           thresholds.lookbackHours = cli.flags.lookbackHours;
-        const { runHealthchecksRun } = await import("./run-7THXM7GF.js");
+        const { runHealthchecksRun } = await import("./run-MS5SA5YL.js");
         await runHealthchecksRun({
           org,
           id: action,
@@ -1067,7 +1120,7 @@ async function main() {
     }
     case "presets": {
       if (subcommand === "list") {
-        const { runPresetsList } = await import("./list-LN6NOZIJ.js");
+        const { runPresetsList } = await import("./list-EYRN5JYC.js");
         await runPresetsList({ outputFormat: cliContext.outputFormat });
         break;
       }
@@ -1078,7 +1131,7 @@ async function main() {
           );
         }
         const org = await resolveOrg();
-        const { runPresetsRun } = await import("./run-MH5RYPWA.js");
+        const { runPresetsRun } = await import("./run-YHDUUP66.js");
         await runPresetsRun({
           presetId: action,
           org,
@@ -1095,12 +1148,12 @@ async function main() {
     case "setup":
     case "install":
     case "i": {
-      const { setupSkill } = await import("./setup-skill-2SEVH3M6.js");
+      const { setupSkill } = await import("./setup-skill-BTR2IZ4E.js");
       setupSkill({ json: jsonMode });
       break;
     }
     case "uninstall": {
-      const { uninstallSkill } = await import("./setup-skill-2SEVH3M6.js");
+      const { uninstallSkill } = await import("./setup-skill-BTR2IZ4E.js");
       uninstallSkill({ json: jsonMode });
       break;
     }

package/dist/{configs-update-RPN32YTL.js → configs-update-VROBC2HI.js}

@@ -7,7 +7,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{create-QP3M7EZM.js → create-XTCUNT2C.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{drift-DZ6A7JL5.js → drift-VOKQJ36G.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{found-AOPBSLRD.js → found-A5HRTJCJ.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import {
   DateTime

package/dist/{healthcheck-KAONRGSS.js → healthcheck-AQUXVKAO.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-GEMCFDD5.js → list-5ENZAOFL.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-JCMWDZYY.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import {
   AuthCorruptedError,
   AuthExpiredError,

package/dist/list-CGRHTFAS.js

@@ -0,0 +1,182 @@
+import {
+  CliExitError,
+  ExitCode
+} from "./chunk-E2LAMILJ.js";
+import {
+  printOutput,
+  toCsvRows
+} from "./chunk-VFT3TD3E.js";
+import {
+  createApiClient
+} from "./chunk-LLWKCA3H.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/orgs/list.ts
+var VALID_SUBSCRIPTION_STATUSES = /* @__PURE__ */ new Set([
+  "PROSPECT",
+  "TRIAL",
+  "ACTIVE",
+  "INTEGRATION"
+]);
+var DUAL_SERVICES = ["reporting", "reviewing", "protection", "takedowns"];
+var SINGLE_SERVICES = ["detection", "darkWebMonitoring"];
+var ALL_SERVICES = [...DUAL_SERVICES, ...SINGLE_SERVICES];
+function splitCsv(value) {
+  if (!value) return [];
+  return value.split(",").map((part) => part.trim()).filter(Boolean);
+}
+function parseSubscriptionStatuses(raw) {
+  const parts = splitCsv(raw);
+  if (parts.length === 0) return void 0;
+  const result = [];
+  for (const part of parts) {
+    const upper = part.toUpperCase();
+    if (!VALID_SUBSCRIPTION_STATUSES.has(upper)) {
+      throw new CliExitError(
+        `Unknown subscription status: '${part}'. Valid values: ${Array.from(VALID_SUBSCRIPTION_STATUSES).join(", ")}.`,
+        ExitCode.USAGE
+      );
+    }
+    result.push(upper);
+  }
+  return result;
+}
+function parseServiceList(raw, flagName) {
+  const parts = splitCsv(raw);
+  const result = [];
+  for (const part of parts) {
+    if (!ALL_SERVICES.includes(part)) {
+      throw new CliExitError(
+        `Unknown service '${part}' in --${flagName}. Valid services: ${ALL_SERVICES.join(", ")}.`,
+        ExitCode.USAGE
+      );
+    }
+    result.push(part);
+  }
+  return result;
+}
+function requireDualService(service, flagName) {
+  if (!DUAL_SERVICES.includes(service)) {
+    throw new CliExitError(
+      `Service '${service}' does not have an automation toggle and can't be used with --${flagName}. Use --service-active / --service-inactive instead.`,
+      ExitCode.USAGE
+    );
+  }
+  return service;
+}
+function buildServicesFilter(options) {
+  const filters = {};
+  const activeSetBy = /* @__PURE__ */ new Map();
+  const automatedSetBy = /* @__PURE__ */ new Map();
+  function setActive(service, active, flagName) {
+    const previous = activeSetBy.get(service);
+    if (previous && previous !== flagName) {
+      throw new CliExitError(
+        `Conflicting flags for service '${service}': --${previous} and --${flagName} can't both be passed.`,
+        ExitCode.USAGE
+      );
+    }
+    activeSetBy.set(service, flagName);
+    const existing = filters[service] ?? {};
+    filters[service] = { ...existing, active };
+  }
+  function setAutomated(service, automated, flagName) {
+    const previous = automatedSetBy.get(service);
+    if (previous && previous !== flagName) {
+      throw new CliExitError(
+        `Conflicting flags for service '${service}': --${previous} and --${flagName} can't both be passed.`,
+        ExitCode.USAGE
+      );
+    }
+    automatedSetBy.set(service, flagName);
+    const existing = filters[service] ?? {};
+    filters[service] = { ...existing, automated };
+  }
+  for (const service of parseServiceList(options.serviceActive, "service-active")) {
+    setActive(service, true, "service-active");
+  }
+  for (const service of parseServiceList(options.serviceInactive, "service-inactive")) {
+    setActive(service, false, "service-inactive");
+  }
+  for (const service of parseServiceList(options.serviceAutomated, "service-automated")) {
+    setAutomated(
+      requireDualService(service, "service-automated"),
+      true,
+      "service-automated"
+    );
+  }
+  for (const service of parseServiceList(options.serviceManual, "service-manual")) {
+    setAutomated(requireDualService(service, "service-manual"), false, "service-manual");
+  }
+  return Object.keys(filters).length > 0 ? filters : void 0;
+}
+function summarizeServices(org) {
+  const parts = [];
+  for (const service of DUAL_SERVICES) {
+    const entry = org.services[service];
+    if (!entry.active) continue;
+    parts.push(`${service}=${entry.automated ? "auto" : "manual"}`);
+  }
+  for (const service of SINGLE_SERVICES) {
+    if (org.services[service].active) parts.push(service);
+  }
+  return parts.length > 0 ? parts.join(" ") : "(no services enabled)";
+}
+async function runOrgsList(options) {
+  const client = options.apiClient ?? createApiClient();
+  const outputFormat = options.outputFormat ?? (options.json ? "json" : "human");
+  const input = {
+    query: options.query ?? "",
+    subscriptionStatus: parseSubscriptionStatuses(options.subscriptionStatus),
+    services: buildServicesFilter(options)
+  };
+  const result = await client.getUserOrgs(input);
+  const organizations = result.organizations;
+  printOutput({
+    outputFormat,
+    json: result,
+    markdown: [
+      `# Organizations (${organizations.length})`,
+      "",
+      ...organizations.map(
+        (org) => `- \`${org.slug}\` \u2014 ${org.name} \u2014 ${org.subscriptionStatus} \u2014 ${summarizeServices(org)}`
+      )
+    ].join("\n"),
+    csv: toCsvRows(
+      organizations.map((org) => ({
+        slug: org.slug,
+        name: org.name,
+        subscriptionStatus: org.subscriptionStatus,
+        reportingActive: org.services.reporting.active,
+        reportingAutomated: org.services.reporting.automated,
+        reviewingActive: org.services.reviewing.active,
+        reviewingAutomated: org.services.reviewing.automated,
+        protectionActive: org.services.protection.active,
+        protectionAutomated: org.services.protection.automated,
+        takedownsActive: org.services.takedowns.active,
+        takedownsAutomated: org.services.takedowns.automated,
+        detectionActive: org.services.detection.active,
+        darkWebMonitoringActive: org.services.darkWebMonitoring.active
+      }))
+    ),
+    human: () => {
+      if (organizations.length === 0) {
+        console.log("No organizations matched the filter.");
+        return;
+      }
+      console.log(`Found ${organizations.length} organization(s):`);
+      const slugWidth = Math.max(...organizations.map((org) => org.slug.length), 4);
+      const nameWidth = Math.max(...organizations.map((org) => org.name.length), 4);
+      for (const org of organizations) {
+        console.log(
+          `  ${org.slug.padEnd(slugWidth)}  ${org.name.padEnd(nameWidth)}  ${org.subscriptionStatus.padEnd(11)}  ${summarizeServices(org)}`
+        );
+      }
+    }
+  });
+}
+export {
+  runOrgsList
+};

package/dist/{list-MWDFCHMJ.js → list-CVFXTKNX.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-LN6NOZIJ.js → list-EYRN5JYC.js}

@@ -1,12 +1,12 @@
 import {
   PRESETS
-} from "./chunk-PIYOWGBZ.js";
+} from "./chunk-AGXMZFUU.js";
 import "./chunk-E2LAMILJ.js";
 import {
   printOutput,
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
-import "./chunk-MXUZR2BV.js";
+import "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-UW63DIKX.js → list-PLZ67PNY.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-json-WTMYLZGY.js → list-json-LEKCCWQU.js}

@@ -1,6 +1,6 @@
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{run-7THXM7GF.js → run-MS5SA5YL.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
@@ -27,7 +27,12 @@ function buildPayload(entry, org, thresholds) {
     "failThreshold",
     "warnAgeHours",
     "failAgeHours",
-    "staleThresholdHours"
+    "staleThresholdHours",
+    "windowHours",
+    "baselineDays",
+    "warnMultiplier",
+    "failMultiplier",
+    "minSpikeCount"
   ]);
   for (const [key, value] of Object.entries(thresholds)) {
     if (allowedKeys.has(key)) {
@@ -150,6 +155,9 @@ async function runHealthchecksRun(options) {
         if (entry.result.suggestedAction) {
           lines.push(`- Suggested action: ${entry.result.suggestedAction}`);
         }
+        if (entry.result.appUrl) {
+          lines.push(`- View in app: ${entry.result.appUrl}`);
+        }
         return lines.join("\n");
       }),
       ...errors.map((entry) => `## ${entry.entry.id} \u2014 ERROR
@@ -194,6 +202,10 @@ async function runHealthchecksRun(options) {
           console.log(`Suggested action for ${entry.result.id}:`);
           console.log(`  ${entry.result.suggestedAction}`);
         }
+        if (entry.result.appUrl) {
+          console.log("");
+          console.log(`View in app: ${entry.result.appUrl}`);
+        }
       }
     }
   });

package/dist/{run-43CC5AXR.js → run-OT2X46GT.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{run-MH5RYPWA.js → run-YHDUUP66.js}

@@ -1,13 +1,13 @@
 import {
   getPresetDefinition,
   runPreset
-} from "./chunk-PIYOWGBZ.js";
+} from "./chunk-AGXMZFUU.js";
 import {
   CliExitError,
   ExitCode
 } from "./chunk-E2LAMILJ.js";
 import "./chunk-VFT3TD3E.js";
-import "./chunk-MXUZR2BV.js";
+import "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{setup-skill-2SEVH3M6.js → setup-skill-BTR2IZ4E.js}

@@ -6,7 +6,7 @@ import {
   readInstalledSkillVersion,
   setupSkill,
   uninstallSkill
-} from "./chunk-F4GU6AII.js";
+} from "./chunk-XOXQPUR6.js";
 import "./chunk-IUZB3DQW.js";
 export {
   getBundledSkillContent,

package/dist/{snapshot-E3TPZOKT.js → snapshot-4QR4I67P.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{summary-6NCA7PDP.js → summary-JOCABBCO.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{validate-BJFEKI2N.js → validate-27RUCN7R.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-MXUZR2BV.js";
+} from "./chunk-LLWKCA3H.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/package.json

@@ -2,7 +2,7 @@
   "name": "@chainpatrol/cli",
   "description": "The official ChainPatrol CLI — terminal interface for threat detection",
   "author": "Umar Ahmed <umar@chainpatrol.io>",
-  "version": "0.4.1",
+  "version": "0.6.0",
   "license": "UNLICENSED",
   "homepage": "https://chainpatrol.com/docs/cli",
   "keywords": [