@rosh100yx/outlier 0.4.25 → 0.7.0

package/data/grid-factors.json

@@ -1,7 +1,20 @@
 {
   "vietnam": 681,
-  "france": 21.7,
-  "us_east": 380,
+  "india_average": 715,
+  "indonesia": 650,
+  "china": 581,
   "singapore": 408,
-  "india_average": 715
+  "japan": 470,
+  "south_korea": 415,
+  "australia": 510,
+  "us_east": 380,
+  "us_west": 210,
+  "canada": 120,
+  "brazil": 95,
+  "uk": 210,
+  "germany": 350,
+  "france": 21.7,
+  "norway": 28,
+  "sweden": 41,
+  "global_average": 450
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rosh100yx/outlier",
-  "version": "0.4.25",
+  "version": "0.7.0",
   "description": "AI Code Governance & Capability Auditing for the Terminal. Measures AI reliance, context waste, and enforces local CI/CD policies.",
   "bin": {
     "outlier": "bin/outlier.js"

package/src/capabilities.ts

@@ -1,76 +1,116 @@
 import { homedir } from 'os';
 import { join } from 'path';
-import { existsSync, readdirSync } from 'fs';
+import { existsSync, readdirSync, readFileSync } from 'fs';
+
+// Reach = what a tool can actually do to you if an agent (or a prompt injection) drives it.
+export type Reach = 'read' | 'network' | 'model' | 'data' | 'write-local' | 'write-remote' | 'deploy' | 'exec' | 'money';
+
+export interface ToolReach {
+  name: string;
+  reach: Reach;
+}
+
+export type BlastRadius = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
 
 export interface CapabilitiesStats {
-  mcps: string[];
+  mcps: ToolReach[];
   skills: string[];
+  subagents: number;
+  hooks: string[];        // lifecycle events with auto-firing hooks
   hasOrchestration: boolean;
+  blastRadius: BlastRadius;
+  blastReasons: string[]; // plain-language reasons for the score
+}
+
+// Classify an MCP/tool by name into a reach category. Keyword-based, since names vary.
+export function classifyReach(name: string): Reach {
+  const n = name.toLowerCase();
+  if (/(stripe|payment|infinity|kucoin|wallet|billing|payout)/.test(n)) return 'money';
+  if (/(shell|bash|exec|terminal|command|sandbox)/.test(n)) return 'exec';
+  if (/(cloudflare|vercel|netlify|modal|deploy|fly\.io|render|heroku|aws|gcp|azure)/.test(n)) return 'deploy';
+  if (/(github|gitlab|git|bitbucket)/.test(n)) return 'write-remote';
+  if (/(filesystem|file|fs|disk)/.test(n)) return 'write-local';
+  if (/(memory|supermemory|mem|obsidian|notion|airtable|coda|database|sql|store)/.test(n)) return 'data';
+  if (/(openrouter|ollama|openai|anthropic|llm|model|hugging)/.test(n)) return 'model';
+  if (/(exa|web|fetch|search|brave|browser|http|scrape)/.test(n)) return 'network';
+  return 'network'; // unknown tool: assume it can reach out
+}
+
+const REACH_RISK: Record<Reach, number> = {
+  read: 0, model: 1, network: 1, 'data': 2, 'write-local': 2, 'write-remote': 3, deploy: 3, exec: 4, money: 4,
+};
+
+function scoreBlast(reaches: Reach[]): { radius: BlastRadius; reasons: string[] } {
+  const reasons: string[] = [];
+  const has = (r: Reach) => reaches.includes(r);
+  if (has('money')) reasons.push('can move money');
+  if (has('exec')) reasons.push('can run shell commands');
+  if (has('deploy')) reasons.push('can deploy to production');
+  if (has('write-remote')) reasons.push('can push to your remote repos');
+  if (has('write-local')) reasons.push('can write your local files');
+  if (has('data')) reasons.push('can read/write your stored data');
+  const netCount = reaches.filter(r => r === 'network' || r === 'model').length;
+  if (netCount >= 3) reasons.push(`reaches ${netCount} external services`);
+
+  const max = reaches.reduce((m, r) => Math.max(m, REACH_RISK[r]), 0);
+  let radius: BlastRadius = 'LOW';
+  if (max >= 4) radius = 'CRITICAL';
+  else if (max >= 3) radius = 'HIGH';
+  else if (max >= 2) radius = 'MEDIUM';
+  return { radius, reasons };
+}
+
+function readJson(path: string): any {
+  try { return JSON.parse(readFileSync(path, 'utf-8')); } catch { return null; }
+}
+
+function countDir(path: string, ext = '.md'): number {
+  try { return readdirSync(path).filter(f => f.endsWith(ext)).length; } catch { return 0; }
 }
 
 export async function getCapabilitiesStats(repoPath: string = process.cwd(), homeDirPath: string = homedir()): Promise<CapabilitiesStats> {
-  const stats: CapabilitiesStats = {
-    mcps: [],
-    skills: [],
-    hasOrchestration: false
-  };
-
-  // Check for AGENTS.md (Orchestration Policy)
-  if (existsSync(join(repoPath, 'AGENTS.md'))) {
-    stats.hasOrchestration = true;
-  }
+  const mcpNames = new Set<string>();
 
-  // Scan local project skills
-  const projectSkillsPath = join(repoPath, '.agents', 'skills');
-  if (existsSync(projectSkillsPath)) {
-    try {
-      const skills = readdirSync(projectSkillsPath, { withFileTypes: true })
-        .filter(dirent => dirent.isDirectory())
-        .map(dirent => dirent.name);
-      stats.skills.push(...skills);
-    } catch (e) {}
+  // MCP servers — the agent's actual tool reach. Read from every place they live.
+  for (const cfg of [
+    join(homeDirPath, '.claude.json'),
+    join(homeDirPath, '.claude', 'settings.json'),
+    join(repoPath, '.mcp.json'),
+    join(repoPath, '.claude', 'settings.json'),
+  ]) {
+    const j = readJson(cfg);
+    if (j?.mcpServers) Object.keys(j.mcpServers).forEach(k => mcpNames.add(k));
   }
-
-  // Scan global skills (Gemini / Claude)
-  const geminiSkillsPath = join(homeDirPath, '.gemini', 'skills');
-  if (existsSync(geminiSkillsPath)) {
-    try {
-      const skills = readdirSync(geminiSkillsPath, { withFileTypes: true })
-        .filter(dirent => dirent.isDirectory())
-        .map(dirent => dirent.name);
-      
-      // Only add if not already added (dedupe)
-      for (const skill of skills) {
-        if (!stats.skills.includes(skill)) stats.skills.push(skill);
-      }
-    } catch (e) {}
+  // Gemini-style MCP dir
+  const geminiMcp = join(homeDirPath, '.gemini', 'antigravity-cli', 'mcp');
+  if (existsSync(geminiMcp)) {
+    try { readdirSync(geminiMcp, { withFileTypes: true }).filter(d => d.isDirectory()).forEach(d => mcpNames.add(d.name)); } catch {}
   }
 
-  // Scan MCPs from gemini config
-  const geminiMcpPath = join(homeDirPath, '.gemini', 'antigravity-cli', 'mcp');
-  if (existsSync(geminiMcpPath)) {
-    try {
-      const mcps = readdirSync(geminiMcpPath, { withFileTypes: true })
-        .filter(dirent => dirent.isDirectory())
-        .map(dirent => dirent.name);
-      stats.mcps.push(...mcps);
-    } catch (e) {}
+  const mcps: ToolReach[] = [...mcpNames].map(name => ({ name, reach: classifyReach(name) }));
+
+  // Skills
+  const skills: string[] = [];
+  for (const p of [join(repoPath, '.agents', 'skills'), join(homeDirPath, '.claude', 'skills'), join(homeDirPath, '.gemini', 'skills')]) {
+    if (existsSync(p)) {
+      try { readdirSync(p, { withFileTypes: true }).filter(d => d.isDirectory()).forEach(d => { if (!skills.includes(d.name)) skills.push(d.name); }); } catch {}
+    }
   }
 
-  // Also check Claude settings for legacy MCPs/Plugins
-  const claudeSettingsPath = join(homeDirPath, '.claude', 'settings.json');
-  if (existsSync(claudeSettingsPath)) {
-    try {
-      const claudeSettings = require(claudeSettingsPath);
-      if (claudeSettings.enabledPlugins) {
-        Object.keys(claudeSettings.enabledPlugins).forEach(plugin => {
-          if (claudeSettings.enabledPlugins[plugin] && !stats.mcps.includes(plugin)) {
-            stats.mcps.push(`plugin:${plugin}`);
-          }
-        });
-      }
-    } catch (e) {}
+  // Sub-agents (Claude Code agent definitions)
+  const subagents = countDir(join(homeDirPath, '.claude', 'agents')) + countDir(join(repoPath, '.claude', 'agents'));
+
+  // Hooks — automation that fires on the developer's behalf (a real governance surface)
+  const hooks: string[] = [];
+  for (const cfg of [join(homeDirPath, '.claude', 'settings.json'), join(repoPath, '.claude', 'settings.json')]) {
+    const j = readJson(cfg);
+    if (j?.hooks) Object.keys(j.hooks).forEach(k => { if (!hooks.includes(k)) hooks.push(k); });
   }
 
-  return stats;
+  // Orchestration policy
+  const hasOrchestration = existsSync(join(repoPath, 'AGENTS.md')) || existsSync(join(repoPath, '.mcp.json'));
+
+  const { radius, reasons } = scoreBlast(mcps.map(m => m.reach));
+
+  return { mcps, skills, subagents, hooks, hasOrchestration, blastRadius: radius, blastReasons: reasons };
 }

package/src/carbon.ts

@@ -2,6 +2,8 @@ import { homedir } from 'os';
 import { join } from 'path';
 import { readFile, access, readdir } from 'fs/promises';
 import gridFactors from '../data/grid-factors.json';
+import { energyKwhByModel } from './emissions';
+import { detectSources, provLabel, type Provenance } from './sources';
 
 export interface CarbonStats {
   totalTokens: number;
@@ -13,12 +15,15 @@ export interface CarbonStats {
   localCo2Kg: number;
   localRegion: string;
   sessions: number;
-  estUsd: number;       // estimated spend in USD
-  costIsReal: boolean;  // true if summed from the log's own cost field, false if estimated from tokens
+  estUsd: number;          // estimated spend in USD
+  costIsReal: boolean;     // true if summed from the log's own cost field, false if estimated
+  tokenProvenance: Provenance;
+  carbonProvenance: Provenance;
+  sourceLabel: string;     // e.g. "estimated · Claude Code transcripts"
 }
 
 export interface TokenLogParser {
-  parse(): Promise<{ total: number, output: number, cache: number, sessions: number, cost: number }>;
+  parse(): Promise<{ total: number, output: number, cache: number, sessions: number, cost: number, outputByModel: Record<string, number> }>;
 }
 
 export class ClaudeLogParser implements TokenLogParser {
@@ -40,6 +45,7 @@ export class ClaudeLogParser implements TokenLogParser {
       if (files.length > 0) {
         let total = 0, output = 0, cache = 0;
         const sessions = new Set<string>();
+        const outputByModel: Record<string, number> = {};
         for (const file of files) {
           let text = '';
           try { text = await readFile(join(projectDir, file), 'utf-8'); } catch { continue; }
@@ -47,7 +53,8 @@ export class ClaudeLogParser implements TokenLogParser {
             if (!line.trim()) continue;
             try {
               const d = JSON.parse(line);
-              const u = (d.message && d.message.usage) || d.usage;
+              const msg = d.message || {};
+              const u = msg.usage || d.usage;
               if (u) {
                 const inp = u.input_tokens || 0;
                 const out = u.output_tokens || 0;
@@ -56,13 +63,15 @@ export class ClaudeLogParser implements TokenLogParser {
                 total += inp + out + cr + cw;
                 output += out;
                 cache += cr;
+                const model = msg.model || 'default';
+                outputByModel[model] = (outputByModel[model] || 0) + out;
               }
               if (d.sessionId) sessions.add(d.sessionId);
             } catch {}
           }
         }
         // Standard transcripts carry no cost field; cost is estimated downstream.
-        return { total, output, cache, sessions: sessions.size, cost: 0 };
+        return { total, output, cache, sessions: sessions.size, cost: 0, outputByModel };
       }
     } catch {}
 
@@ -72,11 +81,12 @@ export class ClaudeLogParser implements TokenLogParser {
     try {
       await access(logPath);
     } catch {
-      return { total: 0, output: 0, cache: 0, sessions: 0, cost: 0 };
+      return { total: 0, output: 0, cache: 0, sessions: 0, cost: 0, outputByModel: {} };
     }
     const text = await readFile(logPath, 'utf-8');
     let total = 0, output = 0, cache = 0, cost = 0;
     const sessions = new Set<string>();
+    const outputByModel: Record<string, number> = {};
     for (const line of text.split('\n')) {
       if (!line.trim()) continue;
       try {
@@ -86,15 +96,17 @@ export class ClaudeLogParser implements TokenLogParser {
         cache += data.cache_read || 0;
         cost += data.cost_usd || 0;
         if (data.session_id) sessions.add(data.session_id);
+        const model = data.model || 'default';
+        outputByModel[model] = (outputByModel[model] || 0) + (data.output_tokens || 0);
       } catch {}
     }
-    return { total, output, cache, sessions: sessions.size, cost };
+    return { total, output, cache, sessions: sessions.size, cost, outputByModel };
   }
 }
 
 class CursorLogParser implements TokenLogParser {
   async parse() {
-    return { total: 0, output: 0, cache: 0, sessions: 0, cost: 0 };
+    return { total: 0, output: 0, cache: 0, sessions: 0, cost: 0, outputByModel: {} };
   }
 }
 
@@ -114,13 +126,14 @@ function getLocalGridFactor(): { region: string, factor: number } {
     if (tz.includes('Singapore')) return { region: 'Singapore', factor: gridFactors.singapore };
     if (tz.includes('Calcutta') || tz.includes('Kolkata') || tz.includes('Asia/Kabul')) return { region: 'India', factor: gridFactors.india_average };
   } catch (e) {}
-  return { region: 'Global Average', factor: 450 };
+  return { region: 'Global Average', factor: gridFactors.global_average };
 }
 
 export async function getCarbonStats(): Promise<CarbonStats> {
   const parsers: TokenLogParser[] = [new ClaudeLogParser(), new CursorLogParser()];
-  
+
   let totalTokens = 0, outputTokens = 0, cacheReadTokens = 0, sessions = 0, loggedCost = 0;
+  const outputByModel: Record<string, number> = {};
 
   for (const parser of parsers) {
     const stats = await parser.parse();
@@ -129,11 +142,18 @@ export async function getCarbonStats(): Promise<CarbonStats> {
     cacheReadTokens += stats.cache;
     sessions += stats.sessions;
     loggedCost += stats.cost;
+    for (const [m, out] of Object.entries(stats.outputByModel)) {
+      outputByModel[m] = (outputByModel[m] || 0) + out;
+    }
   }
 
-  const energyKwh = (outputTokens / 1_000_000) * 0.662;
+  // Model-aware energy (replaces the single flat 0.662 coefficient).
+  const energyKwh = energyKwhByModel(outputByModel);
   const localGrid = getLocalGridFactor();
 
+  // Source provenance for honest labelling in the UI.
+  const sources = detectSources();
+
   // Prefer the log's own cost field (accurate); fall back to a rough token estimate.
   const costIsReal = loggedCost > 0;
   const estUsd = costIsReal ? loggedCost : estimateUsd(outputTokens, cacheReadTokens, totalTokens);
@@ -149,6 +169,9 @@ export async function getCarbonStats(): Promise<CarbonStats> {
     localRegion: localGrid.region,
     sessions,
     estUsd,
-    costIsReal
+    costIsReal,
+    tokenProvenance: sources.tokenSource.provenance,
+    carbonProvenance: sources.carbonSource.provenance,
+    sourceLabel: provLabel(sources.tokenSource)
   };
 }

package/src/cli.ts

@@ -20,6 +20,74 @@ const ASCII_LOGO = `
 
 let finalReceipt = '';
 
+// Build a stable, machine-readable audit object. This is the contract agents,
+// swarms, and CI parse — everything the human receipt shows, as plain JSON.
+async function emitJson() {
+  const pkg = require('../package.json');
+  const [gitStats, carbon, caps] = await Promise.all([
+    getAuthorshipStats().catch(() => null),
+    getCarbonStats().catch(() => null),
+    getCapabilitiesStats().catch(() => null),
+  ]);
+
+  const aiRatio = gitStats ? gitStats.ratio : 0;
+  const cap = 0.70;
+  const writeOrDeploy = caps
+    ? caps.mcps.filter((m: any) => ['money', 'exec', 'deploy', 'write-remote', 'write-local'].includes(m.reach)).length
+    : 0;
+
+  const out = {
+    tool: 'outlier',
+    version: pkg.version,
+    repo: process.cwd().split('/').pop(),
+    generatedAt: new Date().toISOString(),
+    localFirst: true,
+    authorship: gitStats ? {
+      aiPercent: +(gitStats.ratio * 100).toFixed(1),
+      aiRatio: gitStats.ratio,
+      totalCommits: gitStats.total,
+      aiCommits: gitStats.ai,
+      nonMergePercent: +(gitStats.ratioNoMerges * 100).toFixed(1),
+      provenance: 'proxy',
+      note: 'git Co-Authored-By trailers; under-counts if the agent omits the trailer',
+    } : null,
+    cost: carbon ? {
+      totalTokens: carbon.totalTokens,
+      outputTokens: carbon.outputTokens,
+      cacheReusePercent: carbon.totalTokens ? +((carbon.cacheReadTokens / carbon.totalTokens) * 100).toFixed(1) : 0,
+      estUsd: +carbon.estUsd.toFixed(2),
+      costIsReal: carbon.costIsReal,
+      provenance: carbon.tokenProvenance,
+      source: carbon.sourceLabel,
+    } : null,
+    carbon: carbon ? {
+      energyKwh: +carbon.energyKwh.toFixed(4),
+      co2Kg: +carbon.localCo2Kg.toFixed(4),
+      region: carbon.localRegion,
+      provenance: carbon.carbonProvenance,
+      note: 'counterfactual: cloud inference runs on the provider grid, not yours',
+    } : null,
+    reach: caps ? {
+      blastRadius: caps.blastRadius,
+      reasons: caps.blastReasons,
+      toolCount: caps.mcps.length,
+      writeOrDeployCount: writeOrDeploy,
+      tools: caps.mcps,
+      subagents: caps.subagents,
+      hooks: caps.hooks,
+      skills: caps.skills.length,
+      orchestration: caps.hasOrchestration,
+    } : null,
+    policy: {
+      aiCapPercent: cap * 100,
+      status: aiRatio > cap ? 'over' : 'within',
+    },
+  };
+
+  // Only JSON on stdout — nothing else.
+  process.stdout.write(JSON.stringify(out, null, 2) + '\n');
+}
+
 async function runOnboarding() {
   console.log(pc.cyan(ASCII_LOGO));
   intro(pc.inverse(' outlier: Welcome '));
@@ -78,11 +146,18 @@ async function main() {
     action = 'status';
   }
 
+  // Agent / CI / swarm contract: --json emits a structured audit and nothing else
+  // (no logo, no spinner, no ANSI). This is how an agent perceives outlier.
+  if (process.argv.includes('--json')) {
+    await emitJson();
+    process.exit(0);
+  }
+
   console.log(pc.cyan(ASCII_LOGO));
   const pkg = require('../package.json');
   console.log(pc.dim(`  Outlier v${pkg.version} · AI Code Reliance & Telemetry Engine\n`));
-  
-  
+
+
   if (action === '--help' || action === '-h' || action === 'help') {
     console.log(pc.bold('\nWHAT OUTLIER DOES'));
     console.log(pc.dim('  Reads your local git history and AI logs — on your machine — to show'));
@@ -91,6 +166,7 @@ async function main() {
     console.log(`  ${pc.cyan('outlier')}              Run the audit (the default — same as 'status')`);
     console.log(`  ${pc.cyan('outlier status')}       Full audit: who wrote the code, what it cost, your limit`);
     console.log(`  ${pc.cyan('outlier status --save')} Save the audit to ./outlier-audit.txt`);
+    console.log(`  ${pc.cyan('outlier --json')}       Machine-readable audit (for agents, CI, swarms)`);
     console.log(`  ${pc.cyan('outlier authorship')}   Just the AI-vs-human commit breakdown`);
     console.log(`  ${pc.cyan('outlier carbon')}       Just the token spend, cache waste & carbon`);
     console.log(`  ${pc.cyan('outlier capabilities')} What tools & skills your agents can reach`);
@@ -301,12 +377,25 @@ Conservative Floor: ${color(nmPct + '%')}`,
         let cachePct = '0';
         let co2Str = '0.0kg';
         let regionStr = 'Global Average';
+        let sourceLabel = 'no local AI logs found';
+        let noData = true;
         if (carbon) {
           if (carbon.totalTokens > 0) {
             cachePct = ((carbon.cacheReadTokens / carbon.totalTokens) * 100).toFixed(1);
+            noData = false;
           }
           co2Str = `${carbon.localCo2Kg.toFixed(2)}kg CO2`;
           regionStr = carbon.localRegion;
+          sourceLabel = carbon.sourceLabel;
+        }
+
+        // One-line agent-reach summary (full detail in `outlier capabilities`).
+        let reachStr = pc.dim('run: outlier capabilities');
+        if (capabilities) {
+          const rc = capabilities.blastRadius;
+          const col = rc === 'CRITICAL' || rc === 'HIGH' ? pc.red : rc === 'MEDIUM' ? pc.yellow : pc.green;
+          const risky = capabilities.mcps.filter((m: any) => ['money','exec','deploy','write-remote','write-local'].includes(m.reach)).length;
+          reachStr = `${col(pc.bold(rc))} · ${capabilities.mcps.length} tools` + (risky ? pc.dim(`, ${risky} can write/deploy`) : '');
         }
 
         // The thermal receipt below is the single canonical output for `status`.
@@ -370,10 +459,15 @@ Conservative Floor: ${color(nmPct + '%')}`,
  ${pc.dim('│')} Tokens used      ${pc.bold(totalTokensStr)}
  ${pc.dim('│')} Est. spend       ${pc.bold(estUsdStr)}
  ${pc.dim('│')} Re-used context  ${cacheBar} ${pc.bold(cachePct + '%')}
- ${pc.dim('│')} Energy           ${pc.bold(co2Str)} ${pc.dim(`(${regionStr} grid, rough)`)}
+ ${pc.dim('│')} Energy           ${pc.bold(co2Str)} ${pc.dim(`(${regionStr} grid)`)}
+ ${pc.dim('│')} ${pc.dim(`Source: ${sourceLabel}`)}
  ${pc.dim('│')}
  ${pc.dim('│')} ${cacheVerdict} — ${cacheText.split('\n').join('\n ' + pc.dim('│') + '   ')}
  ${pc.dim('├────────────────────────────────────────────────────────')}
+ ${pc.dim('│')} ${pc.bold(pc.bgCyan(pc.black(' WHAT YOUR AGENTS CAN REACH ')))}
+ ${pc.dim('│')} Blast radius   ${reachStr}
+ ${pc.dim('│')} ${pc.dim('Full map (deploy/push/write tools): outlier capabilities')}
+ ${pc.dim('├────────────────────────────────────────────────────────')}
  ${pc.dim('│')} ${pc.bold(pc.bgYellow(pc.black(' YOUR LIMIT ')))}
  ${pc.dim('│')} AI cap   ${pc.bold('70%')} ${pc.dim('· change with: outlier policy')}
  ${pc.dim('│')} Status   ${policyStatus} ${pc.dim('·')} ${policyAction}
@@ -394,24 +488,42 @@ Conservative Floor: ${color(nmPct + '%')}`,
     }
 
   } else if (action === 'capabilities') {
-    s.start('Auditing AI surface area (MCPs, Skills, Orchestrators)...');
+    s.start('Mapping what your agents can reach...');
     try {
       const caps = await getCapabilitiesStats();
-      s.stop('Capabilities Scan Complete');
+      s.stop('Reach map complete');
+
+      const radiusColor = caps.blastRadius === 'CRITICAL' ? pc.red
+        : caps.blastRadius === 'HIGH' ? pc.red
+        : caps.blastRadius === 'MEDIUM' ? pc.yellow : pc.green;
+
+      // Group tools by reach so the risky ones stand out.
+      const order: string[] = ['money', 'exec', 'deploy', 'write-remote', 'write-local', 'data', 'network', 'model', 'read'];
+      const reachLabel: Record<string, string> = {
+        money: 'can move money', exec: 'can run shell', deploy: 'can deploy', 'write-remote': 'can push to repos',
+        'write-local': 'can write files', data: 'data stores', network: 'network', model: 'models', read: 'read-only',
+      };
+      const riskyReaches = new Set(['money', 'exec', 'deploy', 'write-remote', 'write-local']);
+      const toolLines = caps.mcps.length === 0 ? '  None detected'
+        : order.filter(r => caps.mcps.some(m => m.reach === r)).map(r => {
+            const names = caps.mcps.filter(m => m.reach === r).map(m => m.name).join(', ');
+            const tag = riskyReaches.has(r) ? pc.red(`[${reachLabel[r]}]`) : pc.dim(`[${reachLabel[r]}]`);
+            return `  ${tag} ${names}`;
+          }).join('\n');
 
       note(
-        `Orchestration Policy: ${caps.hasOrchestration ? pc.green('Detected (AGENTS.md)') : pc.yellow('None')}
+        `${pc.bold('BLAST RADIUS:')} ${radiusColor(pc.bold(caps.blastRadius))}  ${pc.dim('— if an agent or a prompt injection drives your tools')}
+${caps.blastReasons.length ? caps.blastReasons.map(r => `  ${pc.red('•')} ${r}`).join('\n') : pc.green('  • read-only — limited reach')}
 
-Active Skills (${caps.skills.length}):
-${caps.skills.length > 0 ? pc.cyan(caps.skills.map(s => `  • ${s}`).join('\n')) : '  None'}
+${pc.bold(`What your agents can reach (${caps.mcps.length} MCP tools):`)}
+${toolLines}
 
-Active MCP Servers (${caps.mcps.length}):
-${caps.mcps.length > 0 ? pc.magenta(caps.mcps.map(m => `  • ${m}`).join('\n')) : '  None'}
+${pc.bold('Automation & agents:')}
+  Hooks that fire for you: ${caps.hooks.length ? pc.yellow(caps.hooks.join(', ')) : 'none'}
+  Sub-agents: ${caps.subagents}   Skills: ${caps.skills.length}   Orchestration policy: ${caps.hasOrchestration ? pc.green('yes') : pc.yellow('no')}
 
-${pc.bold('Governance Assessment:')}
-This repository provides agents with ${caps.mcps.length} toolsets and ${caps.skills.length} skills. 
-${caps.skills.length > 5 ? pc.red('⚠ High Surface Area: Ensure strict authorship review is enabled.') : pc.green('✓ Low Surface Area: Risk contained.')}`,
-        'AI Capabilities Map'
+${pc.dim('This is your attack surface. Fewer write/deploy tools per session = smaller blast radius.')}`,
+        'Agent Reach & Blast Radius'
       );
     } catch (e: any) {
       s.stop('Audit failed');

package/src/emissions.ts

@@ -0,0 +1,69 @@
+// Offline, model-aware emissions engine.
+//
+// Local-first means NO network: no Electricity Maps / WattTime API calls. We bundle
+// the coefficients and look them up. This is the same approach CodeCarbon uses for its
+// offline tracker. Two inputs:
+//   1. per-model energy  (kWh per 1M output tokens) — output tokens dominate inference cost
+//   2. grid carbon intensity (gCO2 per kWh) for the assumed region
+//
+// All numbers are estimates with wide uncertainty (inference energy varies ~4-20x in the
+// literature). We expose the method so the UI can label provenance honestly. We never
+// claim precision we don't have.
+
+// Energy per 1M OUTPUT tokens, by model class (kWh). Anchor: the paper measured ~10 kWh
+// across 15.1M output tokens on Opus-class (~0.66). Smaller/faster models use materially
+// less. These are order-of-magnitude class estimates, not vendor figures.
+const MODEL_ENERGY_KWH_PER_M_OUTPUT: Record<string, number> = {
+  'opus':    0.66,  // large frontier (Claude Opus, GPT-4 class)
+  'sonnet':  0.30,  // mid (Claude Sonnet, GPT-4o)
+  'haiku':   0.10,  // small/fast (Claude Haiku, GPT-4o-mini)
+  'gpt-4':   0.55,
+  'gpt-4o':  0.30,
+  'gpt-5':   0.45,
+  'gemini':  0.35,  // Gemini Pro class
+  'flash':   0.10,  // Gemini Flash class
+  'local':   0.50,  // self-hosted / unknown open weights
+  'default': 0.45,  // unknown model -> conservative mid
+};
+
+// Map a raw model id (e.g. "claude-opus-4-8", "gpt-4o-mini", "gemini-2.5-flash") to a class.
+export function modelClass(modelId: string): string {
+  const m = (modelId || '').toLowerCase();
+  if (m.includes('opus')) return 'opus';
+  if (m.includes('sonnet')) return 'sonnet';
+  if (m.includes('haiku')) return 'haiku';
+  if (m.includes('flash') || m.includes('mini')) return 'haiku';
+  if (m.includes('gpt-5')) return 'gpt-5';
+  if (m.includes('gpt-4o')) return 'gpt-4o';
+  if (m.includes('gpt-4')) return 'gpt-4';
+  if (m.includes('gemini')) return 'gemini';
+  if (m.includes('llama') || m.includes('qwen') || m.includes('mistral') || m.includes('local')) return 'local';
+  return 'default';
+}
+
+export function energyKwhForModel(modelId: string, outputTokens: number): number {
+  const cls = modelClass(modelId);
+  const coeff = MODEL_ENERGY_KWH_PER_M_OUTPUT[cls] ?? 0.45;
+  return (outputTokens / 1_000_000) * coeff;
+}
+
+// Sum energy across a per-model output-token breakdown. Falls back to 'default' when the
+// model is unknown. Returns total kWh.
+export function energyKwhByModel(outputByModel: Record<string, number>): number {
+  let kwh = 0;
+  for (const [model, out] of Object.entries(outputByModel)) {
+    kwh += energyKwhForModel(model, out);
+  }
+  return kwh;
+}
+
+export interface EmissionsResult {
+  energyKwh: number;
+  co2Kg: number;
+  gridFactor: number;
+  method: string; // human-readable provenance for the UI
+}
+
+export function co2FromEnergy(energyKwh: number, gridFactorGPerKwh: number): number {
+  return (energyKwh * gridFactorGPerKwh) / 1000; // kg
+}