@defai.digital/ax-cli 3.6.0 → 3.6.2

package/README.md

@@ -1,7 +1,7 @@
-# AX CLI - Enterprise-Class GLM AI CLI
+# AX CLI - Enterprise-Class CLI for GenAI coding
 
 [![npm](https://img.shields.io/npm/dt/@defai.digital/ax-cli?style=flat-square&logo=npm&label=downloads)](https://npm-stat.com/charts.html?package=%40defai.digital%2Fax-cli)
-[![Tests](https://img.shields.io/badge/tests-1036%20passing-brightgreen?style=flat-square)](https://github.com/defai-digital/ax-cli/actions/workflows/test.yml)
+[![Tests](https://img.shields.io/badge/tests-1381%20passing-brightgreen?style=flat-square)](https://github.com/defai-digital/ax-cli/actions/workflows/test.yml)
 [![Coverage](https://img.shields.io/badge/coverage-98%2B%25-brightgreen?style=flat-square)](https://github.com/defai-digital/ax-cli)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.9%2B-blue?style=flat-square&logo=typescript)](https://www.typescriptlang.org/)
 [![Node.js Version](https://img.shields.io/badge/node-%3E%3D24.0.0-blue?style=flat-square)](https://nodejs.org/)
@@ -44,7 +44,7 @@ ax-cli
   - 200K context window, 128K max output capability
   - 30% more token efficient than GLM 4.5
   - Optimized for complex code generation and refactoring
-- **🎯 Multi-Phase Task Planner** (NEW in v3.0.0): Intelligent task decomposition for complex requests
+- **🎯 Multi-Phase Task Planner**: Intelligent task decomposition for complex requests
   - Automatic complexity detection (57 keyword patterns)
   - LLM-based plan generation with phases and dependencies
   - Phase-by-phase execution with progress tracking
@@ -64,32 +64,56 @@ ax-cli
 - **✅ Production-Ready**: 98%+ test coverage, TypeScript strict mode, Zod validation
 - **🎯 Interactive & Headless**: Chat interface or one-shot commands
 - **📝 Smart Project Init**: Automatic project analysis and custom instructions
-- **🧠 Project Memory** (NEW): Intelligent context caching for z.ai GLM-4.6
+- **🧠 Project Memory**: Intelligent context caching for z.ai GLM-4.6
   - Automatic project scanning and context generation
   - z.ai implicit caching support (50% token savings on repeated context)
   - Cache statistics tracking and efficiency monitoring
-- **🏥 Health Check** (NEW): Comprehensive diagnostics with `ax-cli doctor`
+- **🏥 Health Check**: Comprehensive diagnostics with `ax-cli doctor`
   - Verify configuration, API connectivity, and dependencies
   - Detailed error messages with actionable suggestions
-- **💬 Dual-Model Mode** (NEW): Use different models for chat vs coding
+- **🎨 Smart Verbosity Control**: Multi-level output for optimal UX
+  - **Quiet mode** (default): Groups tool operations → 85% less noise
+  - **Concise mode**: One line per tool execution
+  - **Verbose mode**: Full details for debugging
+  - Press `Ctrl+O` to cycle between levels
+  - Auto-expands errors with full details
+- **💬 Dual-Model Mode**: Use different models for chat vs coding
   - Configure chat and coding models separately
   - Manual model switching with `--chat-mode` flag
   - Optimize cost and performance for different task types
-- **🌐 Web Search** (NEW in v3.4.0): Real-time internet search capabilities
-  - Integrated Tavily AI (AI-optimized search) and Brave Search
-  - Intelligent query routing based on intent detection
-  - Results caching for faster responses and reduced API costs
-  - Support for technical docs, code examples, news, and general queries
-  - Configurable search depth and freshness filters
+- **🌐 Web Search**: Real-time package search capabilities
+  - **Works out-of-the-box**: npm, PyPI, and crates.io package search (no API keys required)
+  - **Intelligent routing**: Automatically selects the best engine based on query intent
+    - JavaScript/Node.js packages → npm registry search
+    - Python packages → PyPI registry search
+    - Rust packages → crates.io registry search
+  - Results caching for faster responses (5 minute TTL)
+  - Support for package discovery, dependency research, and version information
+  - Session-based context for iterative package exploration
 - **🔄 Auto-Update**: Built-in update checker and installer
-- **🔒 Enterprise Security** (NEW in v3.6.0): Optional hardening features for enterprise deployments
-  - **Automatic API Key Encryption**: AES-256-GCM encryption at rest (transparent migration)
-  - **Optional Command Whitelist**: Restrict bash commands to safe list (disabled by default)
-  - **Optional SSRF Protection**: Validate MCP transport URLs (disabled by default)
-  - **Optional Error Sanitization**: Remove sensitive data from error messages (disabled by default)
-  - **117 security tests** with 98%+ coverage
-  - **User-friendly defaults**: Full functionality for 95% of users, opt-in hardening for enterprise
-- **📊 Advanced Code Analysis** (NEW in v2.4.0): Professional-grade static analysis tools
+- **🔒 Enterprise-Grade Security**: **FREE & Open Source**
+  - **Command Injection Protection**: CVSS 9.8 CRITICAL fix - Safe command execution with whitelisting
+  - **Path Traversal Hardening**: CVSS 8.6 HIGH fix - Prevent unauthorized file system access
+  - **SSRF Attack Prevention**: CVSS 7.5 HIGH fix - Validate MCP transport URLs and block private IPs
+  - **Input Sanitization**: CVSS 7.0 HIGH fix - Comprehensive input validation and sanitization
+  - **Error Sanitization**: CVSS 6.5 MEDIUM fix - Prevent sensitive data leakage in error messages
+  - **API Key Encryption**: AES-256-GCM encryption at rest with automatic migration
+  - **Memory Leak Fixes**: Process pool management for long-running operations
+  - **Security Audit Logging**: Basic JSON logging with 30-day retention
+  - **Rate Limiting**: Token bucket algorithm to prevent API abuse (100 req/min)
+  - **1381+ tests passing** with **98.29% coverage** - Production-ready security
+  - **User-friendly defaults**: Full functionality with enterprise-grade security for everyone
+- **🏢 Enterprise Features**: Advanced capabilities for teams and compliance
+  - **Compliance Report Generation**: SOC2, HIPAA, PCI-DSS automated reporting
+  - **Advanced Audit Logging**: Tamper-proof encrypted logs with hash chains and extended retention (1+ years)
+  - **Real-time Security Dashboards**: Monitor security events, anomalies, and compliance status
+  - **Advanced Rate Limiting**: Custom quotas per user/team/project with cost analytics and budget alerts
+  - **Team Collaboration**: Shared chat history with full-text search and multi-format export
+  - **Policy Enforcement**: Tool execution policies, approval workflows, and usage analytics
+  - **SSO/SAML Integration**: Enterprise identity provider support
+  - **Priority Support**: 24-hour SLA email support
+  - 📧 **Contact sales@defai.digital** for enterprise licensing and pricing
+- **📊 Advanced Code Analysis**: Professional-grade static analysis tools
   - **Dependency Analyzer**: Detect circular dependencies, calculate coupling metrics, identify orphan and hub files
   - **Code Smell Detector**: Find 10+ anti-patterns (long methods, large classes, duplicates, dead code, etc.)
   - **Hotspot Analyzer**: Identify frequently changing, complex code using git history analysis
@@ -134,7 +158,7 @@ AX CLI officially supports the following platforms:
 ### Prerequisites
 
 - Node.js 24.0.0 or higher
-- npm or bun package manager
+- npm package manager
 
 ### Global Installation (Recommended)
 
@@ -148,20 +172,37 @@ npm install -g @defai.digital/ax-cli
 
 ### Quick Setup
 
+The recommended way to configure AX CLI is using the interactive setup wizard:
+
 ```bash
-# Set your API key (for cloud providers)
-export YOUR_API_KEY=your_api_key_here
+# Run the setup wizard (recommended)
+ax-cli setup
+
+# This will:
+# 1. Guide you through provider selection (Z.AI, OpenAI, Anthropic, Ollama, etc.)
+# 2. Securely encrypt and store your API key (AES-256-GCM encryption)
+# 3. Configure default model and settings
+# 4. Validate your configuration
+```
 
-# Or configure in settings
-ax-cli  # Will prompt for API key on first run
+**Alternative: Environment Variable Override**
+
+For CI/CD pipelines or temporary overrides, you can set an environment variable:
+
+```bash
+# Override API key temporarily (not recommended for daily use)
+export YOUR_API_KEY=your_api_key_here
+ax-cli
 ```
 
+**⚠️ Security Note**: API keys are automatically encrypted in config files using AES-256-GCM encryption. **Do not manually edit `~/.ax-cli/config.json`** - always use `ax-cli setup` to update your API key securely.
+
 ### Configuration Files
 
-- **User Settings**: `~/.ax-cli/config.json`
-- **Project Settings**: `.ax-cli/settings.json`
-- **Custom Instructions**: `.ax-cli/CUSTOM.md`
-- **Project Memory**: `.ax-cli/memory.json` (auto-generated)
+- **User Settings**: `~/.ax-cli/config.json` (API keys are encrypted)
+- **Project Settings**: `.ax-cli/settings.json` (project-specific overrides)
+- **Custom Instructions**: `.ax-cli/CUSTOM.md` (AI behavior customization)
+- **Project Memory**: `.ax-cli/memory.json` (auto-generated context cache)
 
 [Configuration Guide →](docs/configuration.md)
 
@@ -193,7 +234,7 @@ ax-cli -c
 /commit-and-push   # AI-powered git commit
 /exit              # Exit application
 
-# Multi-Phase Planner commands (NEW in v3.0.0):
+# Multi-Phase Planner commands:
 /plans             # List all execution plans
 /plan              # Show current plan details
 /phases            # Show phase progress
@@ -209,7 +250,7 @@ AX CLI supports powerful keyboard shortcuts for enhanced productivity:
 
 | Shortcut | Action | Description |
 |----------|--------|-------------|
-| **Ctrl+O** | Toggle verbose mode | Default: concise single-line output. Verbose: full details, diffs, file contents |
+| **Ctrl+O** | Cycle verbosity | Quiet (grouped) → Concise (per-tool) → Verbose (full details) → Quiet |
 | **Ctrl+B** | Background mode | Move running command to background, or toggle "always background" mode |
 | **Ctrl+K** | Quick actions | Open quick actions menu |
 | **Shift+Tab** | Auto-edit mode | Toggle automatic approval for all operations |
@@ -218,6 +259,11 @@ AX CLI supports powerful keyboard shortcuts for enhanced productivity:
 | **Ctrl+A/E** | Cursor | Move to line start/end |
 | **Ctrl+W** | Delete word | Delete word before cursor |
 
+**Verbosity Levels** (Ctrl+O to cycle):
+- **Quiet** (default): Groups operations → `⏺ Working on app.ts (3 edits, 5 reads) ✓ 2.3s`
+- **Concise**: One line per tool → `⏺ Read (app.ts) ✓ 22 lines`
+- **Verbose**: Full details → Shows args, outputs, diffs, timings
+
 ### 🔄 Background Tasks
 
 Run long-running commands in the background (like Claude Code's Ctrl+B):
@@ -250,7 +296,7 @@ ax-cli -p "write tests for utils/" --max-tool-rounds 50
 ax-cli -p "refactor" --model glm-4.6
 ```
 
-### 🔌 VSCode Integration (NEW!)
+### 🔌 VSCode Integration
 
 AX CLI integrates seamlessly with Visual Studio Code via tasks and keyboard shortcuts:
 
@@ -366,17 +412,43 @@ ax-cli usage reset
 
 ## 📋 Working with Large Content
 
-When working with large amounts of text (logs, code files, documentation), use **file-based workflows** instead of pasting directly into the terminal.
+AX CLI has **intelligent paste handling** that automatically manages large text inputs for better readability.
 
-### ⚠️ Terminal Paste Limitations
+### 📝 Smart Paste Auto-Collapse
 
-**Avoid pasting large content directly** into the interactive terminal:
+When you paste **20+ lines** of text, AX CLI automatically collapses it:
 
-- ❌ **DON'T**: Paste large code files, logs, or documents (>2000 characters)
-- ⚠️ Some terminals may have paste limitations
-- ⚠️ Character counter shows visual warning: Gray (0-999) → Cyan (1000-1599) → Yellow (1600-1999) → **Red (2000+)**
+- ✅ **Automatic Detection**: Pastes with 20+ lines are auto-collapsed
+- ✅ **Clean Display**: Shows `[Pasted text #1 +89 lines]` instead of cluttering the UI
+- ✅ **Full Submission**: Complete text is still sent to the AI (not just the placeholder)
+- ✅ **Review Anytime**: Press **Ctrl+P** on a collapsed block to expand/collapse
 
-### ✅ Recommended Approaches
+**Example:**
+```bash
+# Paste a 100-line error log
+# → Shows: [Pasted text #1 +100 lines]
+# → AI receives: Full 100 lines
+
+# Position cursor on placeholder and press Ctrl+P to review
+# → Expands to show all 100 lines
+```
+
+**Configure in `~/.ax-cli/config.json`:**
+```json
+{
+  "paste": {
+    "autoCollapse": true,        // Enable/disable (default: true)
+    "collapseThreshold": 20      // Min lines to collapse (default: 20)
+  }
+}
+```
+
+### ⚠️ Character Counter Warning
+
+The character counter shows visual warnings for very large single inputs:
+- Gray (0-999) → Cyan (1000-1599) → Yellow (1600-1999) → **Red (2000+)**
+
+### ✅ Alternative Approaches for Extremely Large Content
 
 **Option 1: File Reference (Interactive Mode)**
 ```bash
@@ -418,7 +490,7 @@ The interactive terminal shows a character counter `[count/2000]` with color-cod
 | **Yellow** | 1600-1999 | ⚠️ Consider using files |
 | **Red** | 2000+ | ❌ Use file-based workflow |
 
-## 🏥 Health Check & Diagnostics (NEW)
+## 🏥 Health Check & Diagnostics
 
 Run comprehensive diagnostics to verify your AX CLI configuration:
 
@@ -442,13 +514,15 @@ The `doctor` command checks:
 - ✓ MCP server configuration
 - ✓ Dependencies (ripgrep, git)
 
-## 💬 Dual-Model Mode (NEW)
+## 💬 Dual-Model Mode
 
 Use different models for chat vs coding tasks to optimize performance and cost:
 
 ### Configuration
 
-Add to `~/.ax-cli/config.json` or `.ax-cli/settings.json`:
+**Option 1: Project Settings** (recommended for project-specific preferences)
+
+Add to `.ax-cli/settings.json` in your project directory:
 
 ```json
 {
@@ -460,6 +534,8 @@ Add to `~/.ax-cli/config.json` or `.ax-cli/settings.json`:
 }
 ```
 
+**Option 2: Environment Variables** (for temporary or CI/CD use)
+
 ### Usage
 
 ```bash
@@ -489,72 +565,68 @@ ax-cli --chat-mode
 - ⚡ **Better performance**: Match model capability to task complexity
 - 🎯 **Manual control**: You decide when to use each model
 
-## 🌐 Web Search (NEW)
+## 🌐 Web Search
 
-Search the internet for real-time information, documentation, code examples, and current events.
+Search package registries for JavaScript, Python, and Rust packages with intelligent language detection and cross-registry comparison.
 
 ### ✨ Works Out of the Box!
 
-**npm package search is enabled by default** (no API key required). For enhanced web search capabilities, optionally configure Tavily AI or Brave Search.
+**Package search is enabled by default** (no API key required):
+- **npm** - JavaScript/Node.js packages from npmjs.com
+- **PyPI** - Python packages from pypi.org
+- **crates.io** - Rust packages from crates.io
 
 ### Quick Setup
 
-**Option 1: Use npm Search Only** (Default - No Setup Required)
-- npm package search works immediately
-- Perfect for JavaScript/TypeScript development
+**No setup required!** Package search works immediately:
+- **npm** - JavaScript/Node.js packages work immediately
+- **PyPI** - Python packages work immediately
+- **crates.io** - Rust packages work immediately
+- Perfect for package discovery and dependency management
 - No API keys needed
 
-**Option 2: Add Enhanced Web Search** (Optional)
-1. **Get API Keys** (choose one or both):
-   - **Tavily AI** (recommended): https://tavily.com/
-     - Free tier: 1,000 searches/month
-     - Best for: AI-optimized general search, technical queries
-   - **Brave Search**: https://brave.com/search/api/
-     - Free tier: 2,000 searches/month
-     - Best for: News, current events, privacy-focused
-
-2. **Configure API Keys**:
-
-```bash
-# Add to ~/.bashrc, ~/.zshrc, or .env (OPTIONAL)
-export TAVILY_API_KEY="your_tavily_api_key"
-export BRAVE_API_KEY="your_brave_api_key"
-```
-
 ### Usage
 
 ```bash
 # The AI will automatically use web search when needed
 ax-cli
 
-> "Find a React state management library"  # Uses npm search
-> "Search for axios npm package"           # Uses npm search
-> "What are the latest TypeScript features?" # Uses Tavily/Brave (if configured)
-> "Latest security news"                   # Uses Brave (if configured)
+> "Find a React state management library"     # Uses npm search
+> "Search for axios npm package"              # Uses npm search
+> "Find a Python data analysis library"       # Uses PyPI search
+> "Search for tokio rust crate"               # Uses crates.io search
 ```
 
 ### How It Works
 
-- **Intelligent Routing**: Automatically selects the best search engine based on query type
-  - **Package queries** → npm search (always available, no API key)
-  - **Technical queries** → Tavily (if configured) or npm fallback
-  - **News queries** → Brave (if configured) or npm fallback
-  - **General queries** → Tavily (if configured) or npm fallback
+- **Intelligent Routing**: Automatically selects the best search engine based on query type and language detection
+  - **JavaScript/Node.js packages** → npm registry search (always available, no API key)
+  - **Python packages** → PyPI registry search (always available, no API key)
+  - **Rust packages** → crates.io registry search (always available, no API key)
+  - **General/technical queries** → package search fallback
+
+- **Language Detection**: Automatically detects programming language from keywords
+  - Python keywords (pip, django, flask, pandas) → PyPI
+  - Rust keywords (cargo, crate, tokio, serde) → crates.io
+  - npm/package keywords → npm registry
+  - Multiple engines may be used in parallel for best results
 
-- **Automatic Caching**: Results cached for 5 minutes to reduce API costs
+- **Automatic Caching**: Results cached for 5 minutes for faster subsequent queries
 
-- **LLM Integration**: The AI decides when to search based on:
-  - Real-time information needs
-  - Documentation lookups
-  - Current events
-  - Questions beyond training data
+- **LLM Integration**: The AI automatically uses package search for:
+  - Package discovery and dependency management
+  - Version compatibility checks
+  - Alternative package recommendations
+  - Package documentation and usage information
 
 ### Features
 
-- **Search Depth**: `basic` (faster) or `advanced` (comprehensive)
-- **Freshness Filters**: `day`, `week`, `month`, or `year`
-- **AI Summaries**: Automatic answer generation from search results
+- **Multi-Registry Package Search**: Search across npm, PyPI, and crates.io simultaneously
+  - Package metadata, descriptions, and download statistics
+  - Version information and release dates
+  - No API keys or setup required
 - **Source Attribution**: All results include URLs and sources
+- **Parallel Search**: Multiple engines searched concurrently for comprehensive results
 
 ### Manual Usage
 
@@ -562,36 +634,253 @@ While the AI uses web search automatically, you can also request it explicitly:
 
 ```bash
 # In interactive mode
-> "search the web for Next.js 14 server actions tutorial"
+> "search npm for a markdown parser library"
+> "search PyPI for a web scraping package"
+> "search crates.io for async runtime"
 
 # Headless mode
-ax-cli -p "search for latest Node.js LTS security updates"
+ax-cli -p "search for react-query npm package"
+ax-cli -p "find a Python FastAPI alternative"
 ```
 
-### Costs (Optional - Free Tier Available)
+### Web Search Session
+
+AX CLI maintains intelligent search context across your conversation, enabling natural follow-up questions and iterative refinement:
 
-Both services offer generous free tiers:
+**Session Continuity:**
+- Package search results are preserved in conversation context
+- Ask follow-up questions about packages without re-searching
+- Reference previous search results naturally
+- Session context includes package URLs, metadata, versions, and download stats
 
-| Service | Free Tier | Paid Tier |
-|---------|-----------|-----------|
-| Tavily AI | 1,000/month | $120/month (10K searches) |
-| Brave Search | 2,000/month | $3/1,000 queries |
-| **Combined** | **~3,000/month FREE** | **~$150/month (20K total)** |
+**Example Session:**
 
-**Recommendation**: Start with free tiers (sufficient for most users). Only upgrade if you exceed limits.
+```bash
+ax-cli
+
+# Initial package search
+> "search npm for a state management library"
+🔍 Searching npm registry...
+Found 5 packages:
+
+1. **zustand** (2.5M weekly downloads)
+   Small, fast and scalable state-management
+   Latest: v4.4.7 | Size: 1.2KB gzipped
+
+2. **redux** (8.1M weekly downloads)
+   Predictable state container for JavaScript apps
+   Latest: v5.0.0 | Size: 6.2KB (core only)
+
+3. **mobx** (1.2M weekly downloads)
+   Simple, scalable state management
+   Latest: v6.12.0 | Size: 16KB
+   ...
+
+# Natural follow-up (uses cached context from npm search)
+> "which one has the smallest bundle size?"
+Based on the npm search results:
+- ✅ zustand: 1.2KB (gzipped) - Smallest
+- jotai: 2.9KB (gzipped)
+- redux: 6.2KB (core only)
+- mobx: 16KB
+
+# Version and compatibility check
+> "what's the latest version of zustand and does it support React 18?"
+Package: zustand v4.4.7 (latest)
+✅ Full React 18 support with concurrent features
+✅ TypeScript 5.0+ support
+📅 Last published: 2 weeks ago
+
+# Installation guide
+> "show me how to install and use zustand"
+Installation:
+npm install zustand
+
+Basic usage:
+[Provides code example from npm documentation]
+```
+
+**Context-Aware Features:**
+
+1. **Result Caching**: Package search results stay in memory for the session
+   - 5-minute cache for identical queries
+   - Instant responses for follow-up questions about packages
+   - No repeated API calls to registries
+
+2. **Multi-Turn Package Refinement**:
+   ```bash
+   > "search npm for a react table library"
+   Found: tanstack-table, react-table, ag-grid-react, mui-x-data-grid
+
+   > "which ones have TypeScript support?"
+   All 4 packages support TypeScript:
+   - @tanstack/react-table: Full TS rewrite
+   - react-table (deprecated, use @tanstack)
+   - ag-grid-react: TypeScript included
+   - @mui/x-data-grid: Full TS support
+
+   > "which has the best documentation?"
+   Based on npm stats and GitHub stars:
+   - @tanstack/react-table: Excellent docs, 24K stars
+
+   > "install that one"
+   npm install @tanstack/react-table
+   ```
+
+3. **Cross-Registry Context**:
+   ```bash
+   > "search for data validation libraries"
+   Searching npm, PyPI, and crates.io...
+
+   npm: zod, yup, joi, ajv
+   PyPI: pydantic, marshmallow, cerberus
+   crates.io: serde, validator
+
+   > "compare the JavaScript and Python options"
+   **JavaScript (npm):**
+   - zod: 3.5M/week, TypeScript-first, 30KB
+   - yup: 5.2M/week, Schema builder, 45KB
+
+   **Python (PyPI):**
+   - pydantic: 50M/month, Type hints, fast
+   - marshmallow: 8M/month, Schema validation
+
+   > "which is fastest?"
+   - JavaScript: zod (TypeScript inference, zero-cost)
+   - Python: pydantic (uses Rust core, 20x faster than marshmallow)
+   ```
+
+4. **Package Comparison Tables**:
+   ```bash
+   > "search npm for http client libraries"
+   Found: axios, node-fetch, got, ky, superagent
+
+   > "create a comparison table"
+
+   | Package     | Weekly DLs | Size    | Last Update | Browser | Node |
+   |-------------|------------|---------|-------------|---------|------|
+   | axios       | 48M        | 11.5KB  | 2 weeks ago | ✅      | ✅   |
+   | node-fetch  | 35M        | 4.5KB   | 3 months    | ❌      | ✅   |
+   | got         | 23M        | 15KB    | 1 week ago  | ❌      | ✅   |
+   | ky          | 1.2M       | 12KB    | 2 weeks ago | ✅      | ✅   |
+
+   > "which is best for Node.js backend with retry logic?"
+   Recommendation: **got**
+   - Built-in retry with exponential backoff
+   - HTTP/2 support
+   - Request cancellation
+   - Promise & stream support
+   ```
+
+**Session Management:**
+
+- **Session Duration**: Active for entire interactive session
+- **History Integration**: Search results included in `--continue` sessions
+- **Memory Commands**:
+  ```bash
+  /clear    # Clears search context and conversation
+  /exit     # Ends session (context lost)
+  ```
+- **Persistent Context**: Use with `--continue` to maintain search context across sessions
+
+**Best Practices:**
+
+1. **Start Broad, Refine Iteratively**:
+   ```bash
+   > "search npm for testing libraries"
+   Found: jest, vitest, mocha, jasmine, playwright, cypress
+
+   > "focus on those for integration testing"
+   Integration testing: playwright, cypress, vitest (has browser mode)
+
+   > "which has TypeScript support?"
+   All 3 have TypeScript:
+   - playwright: Native TS
+   - cypress: Full TS support
+   - vitest: Native TS (Vite-powered)
+
+   > "show setup for playwright"
+   npm install -D @playwright/test
+   [Provides example config and test]
+   ```
+
+2. **Leverage Context for Framework Comparisons**:
+   ```bash
+   > "search npm for react vue svelte packages"
+   Found core packages with download stats:
+   - react: 22M/week
+   - vue: 5.1M/week
+   - svelte: 850K/week
+
+   > "compare their package ecosystems"
+   **React:** 180K+ packages
+   **Vue:** 45K+ packages
+   **Svelte:** 8K+ packages
+
+   > "which has better TypeScript support?"
+   All have excellent TS support:
+   - React: @types/react (20M/week)
+   - Vue: Built-in TS (Vue 3+)
+   - Svelte: svelte-check + TypeScript plugin
+   ```
+
+3. **Version Compatibility Checks**:
+   ```bash
+   > "search npm for next auth package"
+   Found: next-auth (8M/week, v4.24.5)
+
+   > "does it work with Next.js 15?"
+   ⚠️  Compatibility:
+   - next-auth v4: Next.js 12-14
+   - For Next.js 15: Use NextAuth.js v5 (beta)
+
+   > "show me the v5 package"
+   Package: next-auth@beta (v5.0.0-beta.4)
+   ✅ Next.js 15 compatible
+   [Installation and migration guide]
+   ```
+
+4. **Combine Search with Development Tasks**:
+   ```bash
+   > "search npm for a markdown parser library"
+   Found: marked, remark, markdown-it, showdown
+
+   > "which is fastest and most secure?"
+   Recommendation: **marked**
+   - 13M/week downloads
+   - Fast (built-in sanitization)
+   - Active maintenance
+
+   > "install marked and show me basic usage"
+   Installing: npm install marked
+   [Generates code example with marked usage]
+
+   > "add it to my project"
+   [Creates/updates relevant files with implementation]
+   ```
+
+**Performance Tips:**
+
+- **First search**: 1-3 seconds (registry API call)
+- **Follow-up questions**: Instant (uses cached package data)
+- **Cache duration**: 5 minutes per query
+- **Parallel searches**: Multiple registries searched concurrently for cross-language queries
+- **Offline work**: Use `--continue` to preserve search context across sessions
 
 ### Troubleshooting
 
-**"No search engines configured"**
-- Set at least one API key (TAVILY_API_KEY or BRAVE_API_KEY)
+**No results found**
+- Package registries (npm, PyPI, crates.io) are always available
+- Try refining your search query
+- Check your internet connection
 
 **Rate limit errors**
-- Check your usage at provider dashboards
+- Package registry searches are rate-limited by the registry providers
 - Results are cached to minimize API calls
 
 **Slow searches**
-- Use `basic` search depth (default)
-- Results are cached after first search
+- Results are cached after first search (5 minute TTL)
+- Subsequent identical queries will be instant
 
 ## 🔌 MCP (Model Context Protocol)
 
@@ -610,7 +899,7 @@ ax-cli mcp remove linear
 
 [MCP Integration Guide →](docs/mcp.md)
 
-## 🧠 Project Memory (NEW)
+## 🧠 Project Memory
 
 Project Memory enables intelligent context caching for z.ai GLM-4.6, reducing token costs and improving response consistency:
 
@@ -729,8 +1018,9 @@ AX CLI implements enterprise-grade architecture with:
 
 - **Single Source of Truth (SSOT)** type system via `@ax-cli/schemas`
 - **TypeScript strict mode** with Zod runtime validation
-- **98%+ test coverage** (562 tests)
+- **98%+ test coverage** (1381 tests passing)
 - **Modular design** with clean separation of concerns
+- **Enterprise security** with AES-256-GCM encryption for sensitive data
 
 [Architecture Documentation →](docs/architecture.md)
 
@@ -749,6 +1039,61 @@ AX CLI implements enterprise-grade architecture with:
 
 ## 📋 Changelog
 
+### v3.6.1 (2025-11-22)
+
+**🔧 Improvements:**
+- **Web Search Simplification**: Removed Tavily AI dependency, focusing entirely on package registries
+  - Streamlined to npm, PyPI, and crates.io package search only
+  - No API keys required for web search functionality
+  - Reduced dependencies and simplified architecture
+- **Documentation Overhaul**: Completely updated web search documentation
+  - 200+ lines updated with package-focused examples
+  - 15+ new realistic examples showing npm, PyPI, and crates.io workflows
+  - Comprehensive session examples for package discovery and comparison
+  - Best practices for cross-registry searches and version compatibility checks
+- **Smart Paste Auto-Collapse**: Intelligent handling of large text inputs
+  - Automatic collapse of 20+ line pastes for better readability
+  - Press Ctrl+P to expand/collapse pasted content
+  - Configurable threshold in `~/.ax-cli/config.json`
+  - Full content still sent to AI (not just the placeholder)
+
+**✅ Quality:**
+- All 1,381 tests passing with 98.29% coverage
+- Zero breaking changes
+- Cleaner codebase with reduced complexity
+
+### v3.6.0 (2025-11-22)
+
+**🔒 Enterprise-Grade Security (FREE & Open Source):**
+- **API Key Encryption**: AES-256-GCM encryption for API keys at rest
+- **Command Injection Protection**: CVSS 9.8 CRITICAL fix with command whitelisting
+- **Path Traversal Hardening**: CVSS 8.6 HIGH fix preventing unauthorized file access
+- **SSRF Attack Prevention**: CVSS 7.5 HIGH fix for MCP transport URL validation
+- **Input Sanitization**: CVSS 7.0 HIGH fix for comprehensive input validation
+- **Error Sanitization**: CVSS 6.5 MEDIUM fix preventing credential leakage
+- **Security Audit Logging**: Basic JSON logging with 30-day retention
+- **Rate Limiting**: Token bucket algorithm to prevent API abuse
+- **Memory Leak Fixes**: Process pool management for long-running operations
+
+**✅ Test Quality:**
+- **1381+ tests passing** (up from 1,038) with 98.29% coverage
+- All security modules fully tested and validated
+- Production-ready security implementation
+
+**🏢 Enterprise Features (Available):**
+- Advanced audit logging with compliance reports (SOC2, HIPAA, PCI-DSS)
+- Team collaboration with shared chat history
+- Policy enforcement and approval workflows
+- Extended audit log retention (1+ years)
+- SSO/SAML integration support
+- Priority 24-hour SLA support
+- Contact sales@defai.digital for enterprise licensing
+
+**🔧 Configuration Improvements:**
+- New `ax-cli setup` wizard for secure API key configuration
+- Automatic migration of plain-text API keys to encrypted format
+- Environment variable override support for CI/CD workflows
+
 ### v3.5.3 (2025-11-22)
 
 **Bug Fixes - Test Quality & Reliability:**
@@ -790,7 +1135,7 @@ AX CLI implements enterprise-grade architecture with:
 - Multi-phase task planner with automatic complexity detection
 - Enhanced MCP integration with production-ready templates
 - Project memory system with intelligent context caching
-- Web search capabilities with Tavily AI and Brave Search
+- Web search capabilities with npm, PyPI, and crates.io package registries
 - Advanced code analysis tools (dependency, security, metrics)
 
 ## 📄 License
@@ -804,5 +1149,5 @@ Built with **AutomatosX** multi-agent orchestration to achieve enterprise-class
 ---
 
 <p align="center">
-  Made with ❤️ by <a href="https://github.com/defai-digital">DefAI Digital</a>
+  Made with ❤️ by <a href="https://github.com/defai-digital">DEFAI Digital</a>
 </p>