@pellux/goodvibes-agent 0.1.69 → 0.1.71

package/src/input/commands/operator-runtime.ts

@@ -1,25 +1,11 @@
 import type { CommandRegistry } from '../command-registry.ts';
 import type { ProfileData } from '@pellux/goodvibes-sdk/platform/profiles';
-import type { ReplaySnapshotInput } from '@/runtime/index.ts';
 import { logger } from '@pellux/goodvibes-sdk/platform/utils';
-import { registerOperatorPanelCommand } from './operator-panel-runtime.ts';
-import { requireProfileManager, requireReplayEngine } from './runtime-services.ts';
+import { requireProfileManager } from './runtime-services.ts';
 import { summarizeError } from '@pellux/goodvibes-sdk/platform/utils';
 import { requireYesFlag, stripYesFlag } from './confirmation.ts';
 
-function printOpsMutationBlocked(print: (text: string) => void, target: string): void {
-  print([
-    `[Ops] ${target} mutation is blocked in GoodVibes Agent.`,
-    '  policy: Agent does not control copied local task/agent lifecycle from the operator surface.',
-    '  normal work: continue in the main conversation.',
-    '  build/fix/review: use /delegate <task> for explicit GoodVibes TUI handoff.',
-    '  result: no local task or agent state was changed.',
-  ].join('\n'));
-}
-
 export function registerOperatorRuntimeCommands(registry: CommandRegistry): void {
-  registerOperatorPanelCommand(registry);
-
   registry.register({
     name: 'settings',
     aliases: ['cfg-ui'],
@@ -249,134 +235,4 @@ export function registerOperatorRuntimeCommands(registry: CommandRegistry): void
       );
     },
   });
-
-  registry.register({
-    name: 'ops',
-    description: 'Operator runtime status: view Agent posture without local task/agent lifecycle mutations',
-    usage: '[view]',
-    argsHint: '[view]',
-    handler(args, ctx) {
-      const sub = args[0];
-
-      if (sub === 'view' || sub === undefined) {
-        if (ctx.openOpsPanel) ctx.openOpsPanel();
-        else ctx.print('Operator runtime status panel is not available. Enable the operator-control-plane feature flag.');
-        return;
-      }
-
-      if (sub === 'task') {
-        printOpsMutationBlocked(ctx.print, 'Task');
-        return;
-      }
-
-      if (sub === 'agent') {
-        printOpsMutationBlocked(ctx.print, 'Agent');
-        return;
-      }
-
-      ctx.print(
-        'Usage: /ops <subcommand>\n'
-        + '  /ops view                              — open the Ops Control panel (Ctrl+O)\n'
-        + '  task/agent lifecycle commands are blocked in Agent; use /delegate for explicit build handoff'
-      );
-    },
-  });
-
-  registry.register({
-    name: 'forensics',
-    aliases: ['foren'],
-    description: 'Failure Forensics: view, inspect, and export auto-classified failure reports',
-    usage: '[latest | show <id> | export <id>]',
-    argsHint: '[latest|show|export]',
-    handler(args, ctx) {
-      const sub = args[0];
-      if (sub === undefined || sub === 'view') {
-        if (ctx.openForensicsPanel) ctx.openForensicsPanel();
-        else ctx.print('Forensics panel is not available.');
-        return;
-      }
-      if (sub === 'latest') {
-        if (!ctx.extensions.forensicsRegistry) {
-          ctx.print('[Forensics] Registry not active.');
-          return;
-        }
-        const report = ctx.extensions.forensicsRegistry.latest();
-        if (!report) {
-          ctx.print('[Forensics] No failure reports recorded this session.');
-          return;
-        }
-        const lines: string[] = [
-          `[Forensics] Latest failure report (id: ${report.id})`,
-          `  Time:           ${new Date(report.generatedAt).toISOString()}`,
-          `  Classification: ${report.classification}`,
-          `  Summary:        ${report.summary}`,
-        ];
-        if (report.errorMessage) lines.push(`  Error:          ${report.errorMessage}`);
-        if (report.stopReason) lines.push(`  Stop reason:    ${report.stopReason}`);
-        if (report.taskId) lines.push(`  Task ID:        ${report.taskId}`);
-        if (report.turnId) lines.push(`  Turn ID:        ${report.turnId}`);
-        if (report.causalChain.length > 0) {
-          lines.push('  Causal chain:');
-          for (const entry of report.causalChain) {
-            const marker = entry.isRootCause ? '  ● ' : '  · ';
-            lines.push(`  ${marker}${entry.description}`);
-          }
-        }
-        if (report.jumpLinks.length > 0) {
-          lines.push('  Jump links:');
-          for (const link of report.jumpLinks) {
-            lines.push(`    [${link.kind}] ${link.label} → ${link.target}${link.args ? ` (${link.args})` : ''}`);
-          }
-        }
-        lines.push(`  Use "/forensics show ${report.id}" for full JSON.`);
-        ctx.print(lines.join('\n'));
-        return;
-      }
-      if (sub === 'show') {
-        const id = args[1];
-        if (!id) {
-          ctx.print('Usage: /forensics show <id>');
-          return;
-        }
-        if (!ctx.extensions.forensicsRegistry) {
-          ctx.print('[Forensics] Registry not active.');
-          return;
-        }
-        const json = ctx.extensions.forensicsRegistry.exportAsJson(id);
-        if (!json) {
-          ctx.print(`[Forensics] No report found with id "${id}". Use /forensics latest to see the most recent.`);
-          return;
-        }
-        ctx.print(json);
-        return;
-      }
-      if (sub === 'export') {
-        const id = args[1];
-        if (!id) {
-          ctx.print('Usage: /forensics export <id>');
-          return;
-        }
-        if (!ctx.extensions.forensicsRegistry) {
-          ctx.print('[Forensics] Registry not active.');
-          return;
-        }
-        const json = ctx.extensions.forensicsRegistry.exportBundleAsJson(id, {
-          replaySnapshot: requireReplayEngine(ctx).getSnapshot() as ReplaySnapshotInput,
-        });
-        if (!json) {
-          ctx.print(`[Forensics] No report found with id "${id}".`);
-          return;
-        }
-        ctx.print(`[Forensics] Incident bundle ${id}:\n${json}`);
-        return;
-      }
-      ctx.print(
-        'Usage: /forensics <subcommand>\n'
-        + '  /forensics             — open the Forensics panel\n'
-        + '  /forensics latest      — print the most recent failure report summary\n'
-        + '  /forensics show <id>   — show full JSON for a specific report\n'
-        + '  /forensics export <id> — export incident bundle JSON to the conversation'
-      );
-    },
-  });
 }

package/src/input/commands/platform-access-runtime.ts

@@ -1,33 +1,12 @@
 import { mkdirSync, readFileSync, writeFileSync } from 'node:fs';
-import { dirname, resolve } from 'node:path';
+import { dirname } from 'node:path';
 import type { CommandRegistry } from '../command-registry.ts';
-import { VERSION } from '../../version.ts';
 import { listBuiltinSubscriptionProviders } from '@pellux/goodvibes-sdk/platform/config';
 import { handleLocalAuthCommand } from './local-auth-runtime.ts';
 import { buildAuthInspectionSnapshot, inspectProviderAuth } from '@/runtime/index.ts';
-import { requireProfileManager, requireSecretsManager, requireServiceRegistry, requireShellPaths, requireSubscriptionManager } from './runtime-services.ts';
+import { requireSecretsManager, requireServiceRegistry, requireShellPaths, requireSubscriptionManager } from './runtime-services.ts';
 import { requireYesFlag, stripYesFlag } from './confirmation.ts';
 
-interface InstallBundle {
-  readonly version: 1;
-  readonly exportedAt: number;
-  readonly appVersion: string;
-  readonly workingDirectory: string;
-  readonly homeDirectory: string;
-  readonly profileCount: number;
-  readonly secretKeyCount: number;
-  readonly setupLinks: readonly string[];
-}
-
-interface UpdateBundle {
-  readonly version: 1;
-  readonly exportedAt: number;
-  readonly appVersion: string;
-  readonly updateChannel: 'stable' | 'preview';
-  readonly subscriptionProviders: readonly string[];
-  readonly notes: readonly string[];
-}
-
 interface AuthReviewBundle {
   readonly version: 1;
   readonly exportedAt: number;
@@ -51,32 +30,6 @@ function authServiceSecretPrefix(target: AuthServiceLoginTarget): string {
   return target === 'runtime' ? 'RUNTIME' : 'LISTENER';
 }
 
-function buildSetupLink(surface: string, target?: string): string {
-  const params = target ? `?target=${encodeURIComponent(target)}` : '';
-  return `goodvibes://open/${surface}${params}`;
-}
-
-function inspectInstallBundle(bundle: InstallBundle): string {
-  return [
-    'Install Bundle Review',
-    `  appVersion: ${bundle.appVersion}`,
-    `  workingDirectory: ${bundle.workingDirectory}`,
-    `  profileCount: ${bundle.profileCount}`,
-    `  secretKeys: ${bundle.secretKeyCount}`,
-    `  setupLinks: ${bundle.setupLinks.length}`,
-  ].join('\n');
-}
-
-function inspectUpdateBundle(bundle: UpdateBundle): string {
-  return [
-    'Update Bundle Review',
-    `  appVersion: ${bundle.appVersion}`,
-    `  updateChannel: ${bundle.updateChannel}`,
-    `  subscriptionProviders: ${bundle.subscriptionProviders.length}`,
-    `  notes: ${bundle.notes.length}`,
-  ].join('\n');
-}
-
 function inspectAuthBundle(bundle: AuthReviewBundle): string {
   return [
     'Auth Review Bundle',
@@ -157,152 +110,6 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
     },
   });
 
-  registry.register({
-    name: 'install',
-    description: 'Review install posture and export portable install bundles',
-    usage: '[review|bundle export <path> --yes|bundle inspect <path>]',
-    async handler(args, ctx) {
-      const parsed = stripYesFlag(args);
-      const commandArgs = [...parsed.rest];
-      const shellPaths = requireShellPaths(ctx);
-      const sub = commandArgs[0] ?? 'review';
-      if (sub === 'review') {
-        const profiles = requireProfileManager(ctx).list();
-        const secretKeys = await requireSecretsManager(ctx).list();
-        ctx.print([
-          'Install Review',
-          `  version: ${VERSION}`,
-          `  profiles: ${profiles.length}`,
-          `  secret keys: ${secretKeys.length}`,
-          `  setup links: 4`,
-        ].join('\n'));
-        return;
-      }
-      if (sub === 'bundle') {
-        const mode = commandArgs[1];
-        const pathArg = commandArgs[2];
-        if ((mode === 'export' || mode === 'inspect') && !pathArg) {
-          ctx.print(`Usage: /install bundle ${mode} <path>${mode === 'export' ? ' --yes' : ''}`);
-          return;
-        }
-        const targetPath = shellPaths.resolveWorkspacePath(pathArg!);
-        if (mode === 'export') {
-          if (!parsed.yes) {
-            requireYesFlag(ctx, `export install bundle to ${pathArg}`, '/install bundle export <path> --yes');
-            return;
-          }
-          const profiles = requireProfileManager(ctx).list();
-          const secretKeys = await requireSecretsManager(ctx).list();
-          const bundle: InstallBundle = {
-            version: 1,
-            exportedAt: Date.now(),
-            appVersion: VERSION,
-            workingDirectory: shellPaths.workingDirectory,
-            homeDirectory: shellPaths.homeDirectory,
-            profileCount: profiles.length,
-            secretKeyCount: secretKeys.length,
-            setupLinks: [
-              buildSetupLink('cockpit'),
-              buildSetupLink('security'),
-              buildSetupLink('remote'),
-              buildSetupLink('knowledge'),
-            ],
-          };
-          mkdirSync(dirname(targetPath), { recursive: true });
-          writeFileSync(targetPath, JSON.stringify(bundle, null, 2) + '\n', 'utf-8');
-          ctx.print(`Install bundle exported to ${targetPath}`);
-          return;
-        }
-        if (mode === 'inspect') {
-          const bundle = JSON.parse(readFileSync(targetPath, 'utf-8')) as InstallBundle;
-          ctx.print(inspectInstallBundle(bundle));
-          return;
-        }
-      }
-      ctx.print('Usage: /install [review|bundle export <path> --yes|bundle inspect <path>]');
-    },
-  });
-
-  registry.register({
-    name: 'update',
-    aliases: ['upgrade'],
-    description: 'Review update posture, choose release channel guidance, and package portable update bundles',
-    usage: '[review|channel <stable|preview> --yes|bundle export <path> --yes|bundle inspect <path>]',
-    handler(args, ctx) {
-      const parsed = stripYesFlag(args);
-      const commandArgs = [...parsed.rest];
-      const shellPaths = requireShellPaths(ctx);
-      const sub = commandArgs[0] ?? 'review';
-      const subscriptions = requireSubscriptionManager(ctx);
-      const serviceRegistry = requireServiceRegistry(ctx);
-      const secretsManager = requireSecretsManager(ctx);
-      const builtinProviders = listBuiltinSubscriptionProviders().map((entry) => entry.provider);
-      const activeSubscriptions = subscriptions.list().map((entry) => entry.provider);
-      if (sub === 'review') {
-        const channel = ctx.platform.configManager.get('release.channel');
-        ctx.print([
-          'Update Review',
-          `  version: ${VERSION}`,
-          `  channel: ${channel}`,
-          `  built-in subscription providers: ${builtinProviders.length}${builtinProviders.length > 0 ? ` (${builtinProviders.join(', ')})` : ''}`,
-          `  active subscriptions: ${activeSubscriptions.length}${activeSubscriptions.length > 0 ? ` (${activeSubscriptions.join(', ')})` : ''}`,
-          '  use /update channel <stable|preview> --yes to change release posture',
-        ].join('\n'));
-        return;
-      }
-      if (sub === 'channel') {
-        const channel = commandArgs[1];
-        if (channel !== 'stable' && channel !== 'preview') {
-          ctx.print('Usage: /update channel <stable|preview> --yes');
-          return;
-        }
-        if (!parsed.yes) {
-          requireYesFlag(ctx, `set update channel to ${channel}`, '/update channel <stable|preview> --yes');
-          return;
-        }
-        ctx.platform.configManager.setDynamic('release.channel', channel);
-        ctx.print(`Update channel set to ${channel}.`);
-        return;
-      }
-      if (sub === 'bundle') {
-        const mode = commandArgs[1];
-        const pathArg = commandArgs[2];
-        if ((mode === 'export' || mode === 'inspect') && !pathArg) {
-          ctx.print(`Usage: /update bundle ${mode} <path>${mode === 'export' ? ' --yes' : ''}`);
-          return;
-        }
-        const targetPath = shellPaths.resolveWorkspacePath(pathArg!);
-        if (mode === 'export') {
-          if (!parsed.yes) {
-            requireYesFlag(ctx, `export update bundle to ${pathArg}`, '/update bundle export <path> --yes');
-            return;
-          }
-          const bundle: UpdateBundle = {
-            version: 1,
-            exportedAt: Date.now(),
-            appVersion: VERSION,
-            updateChannel: ctx.platform.configManager.get('release.channel') as 'stable' | 'preview',
-            subscriptionProviders: [...new Set([...builtinProviders, ...activeSubscriptions])],
-            notes: [
-              'Preview channel is recommended only when operator review is enabled.',
-              'OAuth-backed provider subscriptions survive channel changes and continue to apply to supported provider surfaces.',
-            ],
-          };
-          mkdirSync(dirname(targetPath), { recursive: true });
-          writeFileSync(targetPath, JSON.stringify(bundle, null, 2) + '\n', 'utf-8');
-          ctx.print(`Update bundle exported to ${targetPath}`);
-          return;
-        }
-        if (mode === 'inspect') {
-          const bundle = JSON.parse(readFileSync(targetPath, 'utf-8')) as UpdateBundle;
-          ctx.print(inspectUpdateBundle(bundle));
-          return;
-        }
-      }
-      ctx.print('Usage: /update [review|channel <stable|preview> --yes|bundle export <path> --yes|bundle inspect <path>]');
-    },
-  });
-
   registry.register({
     name: 'auth',
     description: 'Review auth posture and exchange session login tokens with local services',

package/src/input/commands/product-runtime.ts

@@ -129,120 +129,4 @@ export function registerProductRuntimeCommands(registry: CommandRegistry): void
       ctx.print('Usage: /trust [review|bundle export <path> --yes|bundle inspect <path>]');
     },
   });
-  registry.register({
-    name: 'bridge',
-    description: 'Review self-hosted bridge and remote worker flows',
-    usage: '[status|pools|worker <id>|review <artifactId>|export <artifactId> [path] --yes|import <path> --yes]',
-    async handler(args, ctx) {
-      const parsed = stripYesFlag(args);
-      const commandArgs = [...parsed.rest];
-      const shellPaths = requireShellPaths(ctx);
-      if (!ctx.ops.remoteRuntime) {
-        ctx.print('Remote worker registry is not available in this runtime.');
-        return;
-      }
-      const remoteRegistry = ctx.ops.remoteRuntime;
-      const sub = commandArgs[0] ?? 'status';
-      if (sub === 'status') {
-        const remote = requireReadModels(ctx).remote.getSnapshot();
-        ctx.print([
-          'Bridge Status',
-          `  remote pools: ${remote.pools.length}`,
-          `  worker contracts: ${remote.contracts.length}`,
-          `  review artifacts: ${remote.artifacts.length}`,
-        ].join('\n'));
-        return;
-      }
-      if (sub === 'pools') {
-        const pools = remoteRegistry.listPools();
-        ctx.print(pools.length > 0
-          ? ['Bridge Pools', ...pools.map((pool) => `  ${pool.id}  workers=${pool.runnerIds.length}  trust=${pool.trustClass}`)].join('\n')
-          : 'Bridge Pools\n  No worker pools registered yet.');
-        return;
-      }
-      if (sub === 'assign') {
-        const poolId = commandArgs[1];
-        const runnerId = commandArgs[2];
-        if (!poolId || !runnerId) {
-          ctx.print('Usage: /bridge assign <pool> <worker> --yes');
-          return;
-        }
-        ctx.print([
-          'Bridge worker assignment is read-only in GoodVibes Agent.',
-          `  requested: /bridge assign ${poolId} ${runnerId}`,
-          '  policy: Agent reviews remote bridge state but does not mutate worker topology',
-          '  next: inspect /bridge pools or delegate explicit build/fix/review work to GoodVibes TUI',
-        ].join('\n'));
-        return;
-      }
-      if (sub === 'runner' || sub === 'worker') {
-        const runnerId = commandArgs[1];
-        if (!runnerId) {
-          ctx.print('Usage: /bridge worker <id>');
-          return;
-        }
-        const contract = remoteRegistry.getContract(runnerId);
-        if (!contract) {
-          ctx.print(`Unknown worker contract: ${runnerId}`);
-          return;
-        }
-        ctx.print([
-          `Bridge Worker ${runnerId}`,
-          `  template: ${contract.template}`,
-          `  trustClass: ${contract.trustClass}`,
-          `  transport: ${contract.sourceTransport}/${contract.transport.state}`,
-          `  tools: ${contract.capabilityCeiling.allowedTools.join(', ') || '(none)'}`,
-          `  pool: ${contract.poolId ?? '(unassigned)'}`,
-        ].join('\n'));
-        return;
-      }
-      if (sub === 'review') {
-        const artifactId = commandArgs[1];
-        if (!artifactId) {
-          ctx.print('Usage: /bridge review <artifactId>');
-          return;
-        }
-        const summary = remoteRegistry.buildReviewSummary(artifactId);
-        ctx.print(summary ?? `Unknown remote artifact: ${artifactId}`);
-        return;
-      }
-      if (sub === 'export') {
-        const artifactId = commandArgs[1];
-        if (!artifactId) {
-          ctx.print('Usage: /bridge export <artifactId> [path] --yes');
-          return;
-        }
-        if (!parsed.yes) {
-          requireYesFlag(ctx, `export bridge artifact ${artifactId}`, '/bridge export <artifactId> [path] --yes');
-          return;
-        }
-        const exported = await remoteRegistry.exportArtifact(
-          artifactId,
-          commandArgs[2] ? shellPaths.resolveWorkspacePath(commandArgs[2]) : undefined,
-        );
-        if (!exported) {
-          ctx.print(`Unknown remote artifact: ${artifactId}`);
-          return;
-        }
-        ctx.print(`Exported remote bridge artifact to ${exported.path}`);
-        return;
-      }
-      if (sub === 'import') {
-        const pathArg = commandArgs[1];
-        if (!pathArg) {
-          ctx.print('Usage: /bridge import <path> --yes');
-          return;
-        }
-        if (!parsed.yes) {
-          requireYesFlag(ctx, `import bridge artifact from ${pathArg}`, '/bridge import <path> --yes');
-          return;
-        }
-        const artifact = await remoteRegistry.importArtifact(shellPaths.resolveWorkspacePath(pathArg));
-        ctx.print(`Imported remote bridge artifact ${artifact.id} for worker ${artifact.runnerId}.`);
-        return;
-      }
-      ctx.print('Usage: /bridge [status|pools|worker <id>|review <artifactId>|export <artifactId> [path] --yes|import <path> --yes]');
-    },
-  });
-
 }

package/src/input/commands/security-runtime.ts

@@ -0,0 +1,88 @@
+import type { CommandRegistry } from '../command-registry.ts';
+import { buildMcpAttackPathReview } from '@/runtime/index.ts';
+import { listBuiltinSubscriptionProviders } from '@pellux/goodvibes-sdk/platform/config';
+import { requireReadModels, requireSubscriptionManager, requireTokenAuditor } from './runtime-services.ts';
+
+export function registerSecurityRuntimeCommands(registry: CommandRegistry): void {
+  registry.register({
+    name: 'security',
+    aliases: [],
+    description: 'Inspect security posture, attack paths, and review state',
+    usage: '[review | attack-paths | tokens]',
+    handler(args, ctx) {
+      if (args.length === 0) {
+        if (ctx.openSecurityPanel) {
+          ctx.openSecurityPanel();
+          return;
+        }
+        ctx.print('Security panel is not available in this runtime.');
+        return;
+      }
+
+      const subcommand = args[0]?.toLowerCase() ?? 'review';
+      const audit = requireTokenAuditor(ctx).auditAll(Date.now());
+      const securitySnapshot = requireReadModels(ctx).security.getSnapshot();
+      const policySnapshot = ctx.extensions.policyRuntimeState?.getSnapshot();
+      if (!policySnapshot) {
+        ctx.print('Policy runtime state is not available in this runtime.');
+        return;
+      }
+      const attackPaths = buildMcpAttackPathReview({
+        servers: securitySnapshot.mcpServers,
+        recentDecisions: securitySnapshot.recentMcpDecisions,
+      });
+
+      if (subcommand === 'tokens') {
+        if (audit.results.length === 0) {
+          ctx.print('No registered API tokens are currently under audit.');
+          return;
+        }
+        ctx.print([
+          `Token Audit (${audit.results.length})`,
+          ...audit.results.map((result) => (
+            `  ${result.label}  policy=${result.scope.policyId}  scope=${result.scope.outcome}  rotation=${result.rotation.outcome}  blocked=${result.blocked ? 'yes' : 'no'}`
+          )),
+        ].join('\n'));
+        return;
+      }
+
+      if (subcommand === 'attack-paths') {
+        if (attackPaths.findings.length === 0) {
+          ctx.print('No MCP attack-path findings are currently active.');
+          return;
+        }
+        ctx.print([
+          'MCP Attack-Path Review',
+          `  summary: ${attackPaths.summary}`,
+          ...attackPaths.findings.slice(0, 12).map((finding) => (
+            `  ${finding.severity.toUpperCase()} ${finding.serverName}  ${finding.route}\n    ${finding.reason}`
+          )),
+        ].join('\n'));
+        return;
+      }
+
+      const plugins = ctx.extensions.pluginManager?.list() ?? [];
+      const subscriptions = requireSubscriptionManager(ctx);
+      const builtinProviders = listBuiltinSubscriptionProviders();
+      ctx.print([
+        'Security Review',
+        `  tokens: ${audit.results.length}`,
+        `  blocked tokens: ${audit.blocked.length}`,
+        `  scope violations: ${audit.scopeViolations.length}`,
+        `  rotation overdue: ${audit.rotationOverdue.length}`,
+        `  rotation warnings: ${audit.rotationWarnings.length}`,
+        `  built-in subscription providers: ${builtinProviders.length}`,
+        `  active subscriptions: ${subscriptions.list().length}`,
+        `  pending subscriptions: ${subscriptions.listPending().length}`,
+        `  policy lint findings: ${policySnapshot.lintFindings.length}`,
+        `  policy preflight: ${policySnapshot.lastPreflightReview?.status ?? 'n/a'}`,
+        `  mcp servers: ${securitySnapshot.mcpServers.length}`,
+        `  mcp quarantined: ${securitySnapshot.mcpServers.filter((server) => server.schemaFreshness === 'quarantined').length}`,
+        `  mcp elevated: ${securitySnapshot.mcpServers.filter((server) => server.trustMode === 'allow-all').length}`,
+        `  mcp attack-path findings: ${attackPaths.findings.length}`,
+        `  quarantined plugins: ${plugins.filter((plugin) => plugin.quarantined).length}`,
+        `  untrusted plugins: ${plugins.filter((plugin) => plugin.trustTier === 'untrusted').length}`,
+      ].join('\n'));
+    },
+  });
+}