npm - agentaudit - Versions diffs - 3.10.1 → 3.10.3 - Mend

agentaudit 3.10.1 → 3.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/cli.mjs +916 -48
package/package.json +1 -1

package/cli.mjs CHANGED Viewed

@@ -1,16 +1,23 @@
 #!/usr/bin/env node
 /**
  * AgentAudit CLI — Security scanner for AI packages
- *
- * Usage:
- *   agentaudit                                     Discover local MCP servers
- *   agentaudit discover [--quick|--deep]            Find MCP servers in AI editors
- *   agentaudit scan <repo-url> [--deep]             Quick scan (or deep audit with --deep)
- *   agentaudit audit <repo-url>                     Deep LLM-powered security audit
- *   agentaudit lookup <name>                        Look up package in registry
- *   agentaudit setup                                Register + configure API key
- *
- * Global flags: --json, --quiet, --no-color, --no-upload
+ *
+ * Usage: agentaudit <command> [options]
+ *
+ * Commands:
+ *   discover              Find MCP servers in AI editors
+ *   scan <url> [url...]   Quick static scan (regex)
+ *   audit <url> [url...]  Deep LLM-powered security audit
+ *   lookup <name>         Look up package in registry
+ *   dashboard             Interactive full-screen dashboard
+ *   leaderboard           Top contributors ranking
+ *   benchmark             LLM model performance comparison
+ *   model [name|reset]    Configure LLM provider + model
+ *   setup                 Log in to agentaudit.dev (for report uploads)
+ *   status                Show current config + auth status
+ *   help [command]        Show help
+ *
+ * Flags: --json, --quiet, --no-color, --no-upload, --model, --export, --debug
  */
 import fs from 'fs';
@@ -413,12 +420,13 @@ async function registerAgent(agentName) {
 }
 async function setupCommand() {
-  console.log(`  ${c.bold}Setup${c.reset}`);
+  console.log(`  ${c.bold}AgentAudit Login${c.reset}`);
+  console.log(`  ${c.dim}Create an account to upload audit reports to agentaudit.dev${c.reset}`);
   console.log();
   const existing = loadCredentials();
   if (existing) {
-    console.log(`  ${icons.safe}  Already configured as ${c.bold}${existing.agent_name}${c.reset}`);
+    console.log(`  ${icons.safe}  Already logged in as ${c.bold}${existing.agent_name}${c.reset}`);
     console.log(`  ${c.dim}Key: ${existing.api_key.slice(0, 8)}...${c.reset}`);
     console.log();
     const answer = await askQuestion(`  Reconfigure? ${c.dim}(y/N)${c.reset} `);
@@ -563,6 +571,120 @@ function severityIcon(sev) {
   }
 }
+// ── TUI Rendering Helpers ───────────────────────────────
+const term = {
+  clearScreen: '\x1b[2J\x1b[H',
+  hideCursor: '\x1b[?25l',
+  showCursor: '\x1b[?25h',
+  altScreenOn: '\x1b[?1049h',
+  altScreenOff: '\x1b[?1049l',
+  moveTo: (r, col) => `\x1b[${r};${col}H`,
+  clearLine: '\x1b[2K',
+  underline: '\x1b[4m',
+  noUnderline: '\x1b[24m',
+};
+const BOX = { tl: '╭', tr: '╮', bl: '╰', br: '╯', h: '─', v: '│', lt: '├', rt: '┤', tt: '┬', bt: '┴', x: '┼' };
+// Strip ANSI escape codes for length calculations
+function stripAnsi(str) {
+  return str.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, '');
+}
+function visLen(str) {
+  return stripAnsi(str).length;
+}
+function padRight(str, len) {
+  const diff = len - visLen(str);
+  return diff > 0 ? str + ' '.repeat(diff) : str;
+}
+function padLeft(str, len) {
+  const diff = len - visLen(str);
+  return diff > 0 ? ' '.repeat(diff) + str : str;
+}
+function drawBox(title, contentLines, width) {
+  const inner = width - 4; // 2 for "│ " + 2 for " │"
+  const lines = [];
+  const titleStr = title ? ` ${title} ` : '';
+  const titleLen = visLen(titleStr);
+  const topDash = BOX.h.repeat(Math.max(1, inner + 2 - titleLen));
+  lines.push(`  ${BOX.tl}${c.dim}─${c.reset}${c.bold}${titleStr}${c.reset}${c.dim}${topDash}${c.reset}${BOX.tr}`);
+  for (const line of contentLines) {
+    lines.push(`  ${BOX.v} ${padRight(line, inner + 1)}${BOX.v}`);
+  }
+  lines.push(`  ${BOX.bl}${c.dim}${BOX.h.repeat(inner + 2)}${c.reset}${BOX.br}`);
+  return lines;
+}
+// ████████░░░░ proportional bar
+function renderBar(value, maxValue, maxWidth) {
+  if (maxValue <= 0 || value <= 0) return c.dim + '░'.repeat(maxWidth) + c.reset;
+  const filled = Math.min(Math.round((value / maxValue) * maxWidth), maxWidth);
+  const empty = maxWidth - filled;
+  return c.cyan + '█'.repeat(filled) + c.dim + '░'.repeat(empty) + c.reset;
+}
+// [████████░░] 89%
+function renderGauge(value, max, width) {
+  const pct = max > 0 ? Math.round((value / max) * 100) : 0;
+  const inner = width - 2; // subtract brackets
+  const filled = Math.min(Math.round((pct / 100) * inner), inner);
+  const empty = inner - filled;
+  const color = pct >= 80 ? c.green : pct >= 50 ? c.yellow : c.red;
+  return `[${color}${'█'.repeat(filled)}${c.dim}${'░'.repeat(empty)}${c.reset}] ${pct}%`;
+}
+// ●●●○○ colored severity dots
+function severityDots(breakdown) {
+  const parts = [];
+  const critical = breakdown?.critical || 0;
+  const high = breakdown?.high || 0;
+  const medium = breakdown?.medium || 0;
+  const low = breakdown?.low || 0;
+  for (let i = 0; i < Math.min(critical, 3); i++) parts.push(`${c.red}●${c.reset}`);
+  for (let i = 0; i < Math.min(high, 3); i++) parts.push(`${c.red}●${c.reset}`);
+  for (let i = 0; i < Math.min(medium, 2); i++) parts.push(`${c.yellow}●${c.reset}`);
+  for (let i = 0; i < Math.min(low, 2); i++) parts.push(`${c.blue}●${c.reset}`);
+  // fill remaining with empty dots up to 5
+  while (parts.length < 5) parts.push(`${c.dim}○${c.reset}`);
+  return parts.slice(0, 5).join('');
+}
+// ▁▂▃▅▇█▆▃ mini sparkline
+function sparkline(values) {
+  const chars = '▁▂▃▄▅▆▇█';
+  if (!values || values.length === 0) return '';
+  const max = Math.max(...values, 1);
+  return values.map(v => {
+    const idx = Math.min(Math.round((v / max) * (chars.length - 1)), chars.length - 1);
+    return chars[idx];
+  }).join('');
+}
+function fmtNum(n) {
+  if (n == null) return '0';
+  return n.toLocaleString('en-US');
+}
+function fmtPct(n) {
+  if (n == null) return '0%';
+  return Math.round(n) + '%';
+}
+function dashboardBanner() {
+  const ver = getVersion();
+  return [
+    `  ${BOX.tl}${c.dim}${BOX.h.repeat(35)}${c.reset}${BOX.tr}`,
+    `  ${BOX.v}  ${c.bold}${c.cyan}⛨  AgentAudit${c.reset}  ${c.dim}v${ver}${c.reset}${' '.repeat(Math.max(0, 19 - ver.length))}${BOX.v}`,
+    `  ${BOX.v}  ${c.dim}Security Registry for AI Agents${c.reset}  ${BOX.v}`,
+    `  ${BOX.bl}${c.dim}${BOX.h.repeat(35)}${c.reset}${BOX.br}`,
+  ];
+}
 // ── File Collection (same logic as MCP server) ──────────
 function formatApiError(error, provider, statusCode) {
@@ -1936,6 +2058,443 @@ async function checkPackage(name) {
   return data;
 }
+// ── Dashboard / Leaderboard / Benchmark Commands ────────
+async function fetchDashboardData() {
+  const creds = loadCredentials();
+  const fetches = [
+    fetch(`${REGISTRY_URL}/api/stats`, { signal: AbortSignal.timeout(15_000) }).then(r => r.ok ? r.json() : null).catch(() => null),
+    fetch(`${REGISTRY_URL}/api/leaderboard?limit=50`, { signal: AbortSignal.timeout(15_000) }).then(r => r.ok ? r.json() : null).catch(() => null),
+    fetch(`${REGISTRY_URL}/api/benchmark`, { signal: AbortSignal.timeout(15_000) }).then(r => r.ok ? r.json() : null).catch(() => null),
+  ];
+  if (creds?.agent_name && creds.agent_name !== 'env') {
+    fetches.push(
+      fetch(`${REGISTRY_URL}/api/agents/${encodeURIComponent(creds.agent_name)}`, {
+        headers: { 'Authorization': `Bearer ${creds.api_key}` },
+        signal: AbortSignal.timeout(15_000),
+      }).then(r => r.ok ? r.json() : null).catch(() => null)
+    );
+  } else {
+    fetches.push(Promise.resolve(null));
+  }
+  const [stats, leaderboard, benchmark, agent] = await Promise.all(fetches);
+  return { stats, leaderboard, benchmark, agent, creds };
+}
+function renderOverviewTab(data, width) {
+  const { stats, agent, leaderboard, creds } = data;
+  const lines = [];
+  const halfW = Math.min(Math.floor((width - 6) / 2), 40);
+  // Profile box
+  const profileLines = [];
+  if (agent && creds) {
+    // Find rank
+    let rank = '-';
+    if (leaderboard && Array.isArray(leaderboard)) {
+      const idx = leaderboard.findIndex(e => e.agent_name === creds.agent_name);
+      if (idx >= 0) rank = `#${idx + 1} of ${leaderboard.length}`;
+    }
+    profileLines.push(`${c.bold}${creds.agent_name}${c.reset}${' '.repeat(Math.max(1, halfW - 14 - visLen(creds.agent_name) - visLen(rank)))}${c.dim}${rank}${c.reset}`);
+    profileLines.push(`Points     ${c.bold}${fmtNum(agent.total_points)}${c.reset}`);
+    profileLines.push(`Audits     ${c.bold}${fmtNum(agent.total_reports)}${c.reset}`);
+    profileLines.push(`Findings   ${c.bold}${fmtNum(agent.total_findings_submitted)}${c.reset} ${c.dim}(${fmtNum(agent.total_findings_confirmed)} confirmed)${c.reset}`);
+    const sev = agent.severity_breakdown || {};
+    profileLines.push('');
+    const sevParts = [];
+    if (sev.critical) sevParts.push(`${c.red}${sev.critical} crit${c.reset}`);
+    if (sev.high) sevParts.push(`${c.red}${sev.high} high${c.reset}`);
+    if (sev.medium) sevParts.push(`${c.yellow}${sev.medium} med${c.reset}`);
+    if (sev.low) sevParts.push(`${c.blue}${sev.low} low${c.reset}`);
+    profileLines.push(sevParts.join('  ') || `${c.dim}no findings yet${c.reset}`);
+  } else {
+    profileLines.push(`${c.dim}Not logged in${c.reset}`);
+    profileLines.push(`${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to create account${c.reset}`);
+  }
+  // Registry box
+  const regLines = [];
+  if (stats) {
+    regLines.push(`Packages Audited    ${c.bold}${fmtNum(stats.skills_audited)}${c.reset}`);
+    regLines.push(`Total Findings      ${c.bold}${fmtNum(stats.total_findings)}${c.reset}`);
+    regLines.push(`Total Reports       ${c.bold}${fmtNum(stats.total_reports)}${c.reset}`);
+    regLines.push(`Contributors        ${c.bold}${fmtNum(stats.reporters)}${c.reset}`);
+    regLines.push(`Avg Trust Score     ${c.bold}${stats.avg_trust_score || 0}${c.reset}`);
+    regLines.push('');
+    const parts = [];
+    if (stats.safe_packages) parts.push(`${c.green}●${fmtNum(stats.safe_packages)} safe${c.reset}`);
+    if (stats.caution_packages) parts.push(`${c.yellow}●${fmtNum(stats.caution_packages)} caution${c.reset}`);
+    if (stats.unsafe_packages) parts.push(`${c.red}●${fmtNum(stats.unsafe_packages)} unsafe${c.reset}`);
+    regLines.push(parts.join('  ') || `${c.dim}no packages yet${c.reset}`);
+  } else {
+    regLines.push(`${c.dim}Could not load registry stats${c.reset}`);
+  }
+  const boxW = halfW + 4;
+  const profileBox = drawBox('Your Profile', profileLines, boxW);
+  const registryBox = drawBox('Registry', regLines, boxW);
+  // Side by side if wide enough, stacked otherwise
+  if (width >= boxW * 2 + 4) {
+    const maxLen = Math.max(profileBox.length, registryBox.length);
+    while (profileBox.length < maxLen) profileBox.push(`  ${BOX.v} ${' '.repeat(halfW + 1)}${BOX.v}`);
+    while (registryBox.length < maxLen) registryBox.push(`  ${BOX.v} ${' '.repeat(halfW + 1)}${BOX.v}`);
+    for (let i = 0; i < maxLen; i++) {
+      lines.push(profileBox[i] + '  ' + registryBox[i].trimStart());
+    }
+  } else {
+    lines.push(...profileBox, '', ...registryBox);
+  }
+  return lines;
+}
+function renderLeaderboardTab(data, width, opts = {}) {
+  const { leaderboard, creds } = data;
+  const lines = [];
+  const maxNameW = 20;
+  const barW = Math.min(Math.max(10, width - 70), 30);
+  if (!leaderboard || !Array.isArray(leaderboard) || leaderboard.length === 0) {
+    lines.push(`  ${c.dim}No leaderboard data available${c.reset}`);
+    return lines;
+  }
+  const maxPts = leaderboard[0]?.total_points || 1;
+  const medals = ['🥇', '🥈', '🥉'];
+  for (let i = 0; i < leaderboard.length; i++) {
+    const entry = leaderboard[i];
+    const name = (entry.agent_name || '').slice(0, maxNameW);
+    const isMe = creds && entry.agent_name === creds.agent_name;
+    const prefix = i < 3 ? ` ${medals[i]} ` : `  ${c.dim}#${String(i + 1).padStart(2)}${c.reset} `;
+    const nameStr = isMe ? `${c.green}${c.bold}${name}${c.reset}` : name;
+    const bar = renderBar(entry.total_points || 0, maxPts, barW);
+    const pts = padLeft(`${fmtNum(entry.total_points || 0)} pts`, 12);
+    const audits = padLeft(`${fmtNum(entry.total_reports || 0)} audits`, 12);
+    const extra = entry.monthly_reports != null ? padLeft(`${fmtNum(entry.monthly_reports)} this mo`, 12) : '';
+    lines.push(`${prefix}${padRight(nameStr, maxNameW + (isMe ? 14 : 0))}  ${bar}  ${pts}  ${audits}${extra}`);
+    // Separator after top 3
+    if (i === 2 && leaderboard.length > 3) {
+      lines.push(`  ${c.dim}${'─'.repeat(Math.min(width - 4, 76))}${c.reset}`);
+    }
+  }
+  // Highlight current user if not in top list
+  if (creds && !leaderboard.find(e => e.agent_name === creds.agent_name)) {
+    lines.push('');
+    lines.push(`  ${c.dim}← you are not on this leaderboard yet${c.reset}`);
+  }
+  return lines;
+}
+function renderBenchmarkTab(data, width) {
+  const { benchmark } = data;
+  const lines = [];
+  if (!benchmark || !benchmark.models || benchmark.models.length === 0) {
+    lines.push(`  ${c.dim}No benchmark data available${c.reset}`);
+    return lines;
+  }
+  const overview = benchmark.overview || {};
+  lines.push(`  ${c.bold}${fmtNum(benchmark.models.length)}${c.reset} models ${c.dim}│${c.reset} ${c.bold}${fmtNum(overview.total_reports || 0)}${c.reset} audits ${c.dim}│${c.reset} ${c.bold}${fmtNum(overview.total_findings || 0)}${c.reset} findings`);
+  lines.push('');
+  // Header
+  const nameW = 26;
+  const hdr = `  ${padRight(`${c.bold}Model${c.reset}`, nameW + 9)}  ${padRight('Audits', 8)}  ${padRight('Risk', 8)}  ${padRight('Detection', 16)}  Severity`;
+  lines.push(hdr);
+  lines.push(`  ${c.dim}${'─'.repeat(Math.min(width - 4, 80))}${c.reset}`);
+  for (const m of benchmark.models) {
+    const name = (m.audit_model || 'unknown').slice(0, nameW - 2);
+    const audits = padLeft(fmtNum(m.total_audits), 6);
+    const riskVal = parseFloat(m.avg_risk_score) || 0;
+    const riskColor = riskVal <= 20 ? c.green : riskVal <= 40 ? c.yellow : c.red;
+    const risk = `${riskColor}${padLeft(String(Math.round(riskVal)), 3)}${c.reset}`;
+    const detection = renderGauge(m.detection_rate || 0, 100, 10);
+    const dots = severityDots(m.severity_breakdown);
+    lines.push(`  ${padRight(name, nameW)}  ${audits}   ${risk}   ${detection}  ${dots}`);
+  }
+  // Vulnerability landscape
+  const cats = benchmark.global_categories;
+  if (cats && cats.length > 0) {
+    lines.push('');
+    const catTotal = cats.reduce((sum, cat) => sum + (cat.count || 0), 0) || 1;
+    const catW = Math.min(width - 8, 56);
+    const catLines = [];
+    for (const cat of cats.slice(0, 6)) {
+      const pct = Math.round((cat.count / catTotal) * 100);
+      const barFill = Math.round((cat.count / catTotal) * (catW - 30));
+      catLines.push(`${padRight(cat.category || 'Other', 22)} ${c.cyan}${'█'.repeat(Math.max(1, barFill))}${c.dim}${'░'.repeat(Math.max(0, catW - 30 - barFill))}${c.reset}  ${padLeft(fmtPct(pct), 4)}`);
+    }
+    lines.push(...drawBox('Vulnerability Landscape', catLines, catW + 4));
+  }
+  // Cross-model findings
+  const cross = benchmark.cross_model_findings;
+  if (cross && cross.length > 0) {
+    lines.push('');
+    lines.push(`  ${c.bold}Cross-Model Findings${c.reset} ${c.dim}(confirmed by multiple models)${c.reset}`);
+    for (const cf of cross.slice(0, 5)) {
+      const models = (cf.models || []).slice(0, 3).join(', ');
+      lines.push(`  ${c.dim}•${c.reset} ${cf.title || cf.pattern_id}  ${c.dim}[${cf.model_count} models: ${models}]${c.reset}`);
+    }
+  }
+  return lines;
+}
+async function leaderboardCommand(args) {
+  const tabArg = args.find((a, i) => args[i - 1] === '--tab') || 'overall';
+  const showAll = args.includes('--all');
+  const limit = showAll ? 200 : 20;
+  if (!quietMode && !jsonMode) {
+    banner();
+    process.stdout.write(`  ${c.dim}Loading leaderboard...${c.reset}`);
+  }
+  let data;
+  try {
+    const url = `${REGISTRY_URL}/api/leaderboard?tab=${encodeURIComponent(tabArg)}&limit=${limit}`;
+    const res = await fetch(url, { signal: AbortSignal.timeout(15_000) });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    data = await res.json();
+  } catch (err) {
+    if (!jsonMode) {
+      process.stdout.write('\r\x1b[2K');
+      console.log(`  ${c.red}Failed to load leaderboard: ${err.message}${c.reset}`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  if (jsonMode) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+  process.stdout.write('\r\x1b[2K');
+  const creds = loadCredentials();
+  console.log(`  ${c.bold}Leaderboard${c.reset}  ${c.dim}${tabArg}${c.reset}`);
+  console.log();
+  if (!Array.isArray(data) || data.length === 0) {
+    console.log(`  ${c.dim}No data available${c.reset}`);
+    return;
+  }
+  const maxPts = data[0]?.total_points || 1;
+  const medals = ['🥇', '🥈', '🥉'];
+  const barW = 24;
+  for (let i = 0; i < data.length; i++) {
+    const entry = data[i];
+    const name = (entry.agent_name || '').slice(0, 20);
+    const isMe = creds && entry.agent_name === creds.agent_name;
+    const prefix = i < 3 ? ` ${medals[i]} ` : `  #${String(i + 1).padStart(2)}  `;
+    const nameStr = isMe ? `${c.green}${c.bold}${name}${c.reset}` : name;
+    const bar = renderBar(entry.total_points || 0, maxPts, barW);
+    const pts = `${fmtNum(entry.total_points || 0)} pts`;
+    const audits = `${fmtNum(entry.total_reports || 0)} audits`;
+    console.log(`${prefix}${padRight(nameStr, 22 + (isMe ? 14 : 0))}  ${bar}  ${padLeft(pts, 12)}  ${padLeft(audits, 10)}`);
+    if (i === 2 && data.length > 3) {
+      console.log(`  ${c.dim}${'─'.repeat(74)}${c.reset}`);
+    }
+  }
+  console.log();
+}
+async function benchmarkCommand(args) {
+  if (!quietMode && !jsonMode) {
+    banner();
+    process.stdout.write(`  ${c.dim}Loading benchmark data...${c.reset}`);
+  }
+  let data;
+  try {
+    const res = await fetch(`${REGISTRY_URL}/api/benchmark`, { signal: AbortSignal.timeout(15_000) });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    data = await res.json();
+  } catch (err) {
+    if (!jsonMode) {
+      process.stdout.write('\r\x1b[2K');
+      console.log(`  ${c.red}Failed to load benchmark: ${err.message}${c.reset}`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  if (jsonMode) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+  process.stdout.write('\r\x1b[2K');
+  const width = process.stdout.columns || 80;
+  const benchLines = renderBenchmarkTab({ benchmark: data }, width);
+  console.log(`  ${c.bold}Model Benchmark${c.reset} ${c.dim}— LLM Audit Performance${c.reset}`);
+  console.log();
+  for (const line of benchLines) console.log(line);
+  console.log();
+}
+async function dashboardCommand() {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    console.log(`${c.red}Error: dashboard requires an interactive terminal${c.reset}`);
+    console.log(`${c.dim}Tip: use ${c.cyan}agentaudit leaderboard${c.dim} or ${c.cyan}agentaudit benchmark${c.dim} for non-interactive output${c.reset}`);
+    process.exitCode = 1;
+    return;
+  }
+  const tabs = [
+    { key: '1', label: 'Overview' },
+    { key: '2', label: 'Leaderboard' },
+    { key: '3', label: 'Benchmark' },
+  ];
+  let activeTab = 0;
+  let scrollOffset = 0;
+  let running = true;
+  // Enter alt screen
+  process.stdout.write(term.altScreenOn + term.hideCursor);
+  // Loading screen
+  process.stdout.write(term.clearScreen);
+  const bannerLines = dashboardBanner();
+  for (const line of bannerLines) process.stdout.write(line + '\n');
+  process.stdout.write(`\n  ${c.dim}Loading data...${c.reset}\n`);
+  // Fetch data
+  const data = await fetchDashboardData();
+  function render() {
+    const cols = process.stdout.columns || 80;
+    const rows = process.stdout.rows || 24;
+    let output = term.clearScreen;
+    // Banner
+    const bLines = dashboardBanner();
+    for (const line of bLines) output += line + '\n';
+    output += '\n';
+    // Tab bar
+    let tabBar = '  ';
+    for (let i = 0; i < tabs.length; i++) {
+      const tab = tabs[i];
+      if (i === activeTab) {
+        tabBar += `${c.bold}${c.cyan}${term.underline} [${tab.key}] ${tab.label} ${term.noUnderline}${c.reset}`;
+      } else {
+        tabBar += `${c.dim} [${tab.key}] ${tab.label} ${c.reset}`;
+      }
+      if (i < tabs.length - 1) tabBar += `${c.dim}──${c.reset}`;
+    }
+    output += tabBar + '\n\n';
+    // Tab content
+    let contentLines = [];
+    switch (activeTab) {
+      case 0:
+        contentLines = renderOverviewTab(data, cols);
+        break;
+      case 1:
+        contentLines = renderLeaderboardTab(data, cols);
+        break;
+      case 2:
+        contentLines = renderBenchmarkTab(data, cols);
+        break;
+    }
+    // Apply scroll
+    const availableRows = rows - 10; // header + tab bar + footer
+    const maxScroll = Math.max(0, contentLines.length - availableRows);
+    scrollOffset = Math.min(scrollOffset, maxScroll);
+    scrollOffset = Math.max(0, scrollOffset);
+    const visible = contentLines.slice(scrollOffset, scrollOffset + availableRows);
+    for (const line of visible) output += line + '\n';
+    // Footer
+    output += '\n';
+    const scrollInfo = contentLines.length > availableRows ? `  ${c.dim}[${scrollOffset + 1}-${Math.min(scrollOffset + availableRows, contentLines.length)}/${contentLines.length}]${c.reset}` : '';
+    output += `  ${c.dim}←→ tab  ↑↓ scroll  1-3 jump  q quit${c.reset}${scrollInfo}\n`;
+    process.stdout.write(output);
+  }
+  function cleanup() {
+    if (!running) return;
+    running = false;
+    process.stdout.write(term.showCursor + term.altScreenOff);
+    try { process.stdin.setRawMode(false); } catch {}
+    process.stdin.pause();
+    process.stdin.removeListener('data', onKeypress);
+    process.stdout.removeListener('resize', render);
+  }
+  function onKeypress(key) {
+    if (!running) return;
+    // q or Ctrl+C = quit
+    if (key === 'q' || key === '\x03') {
+      cleanup();
+      return;
+    }
+    // Tab navigation
+    if (key === '\x1b[C' || key === '\t') { // Right arrow or Tab
+      activeTab = (activeTab + 1) % tabs.length;
+      scrollOffset = 0;
+      render();
+      return;
+    }
+    if (key === '\x1b[D') { // Left arrow
+      activeTab = (activeTab - 1 + tabs.length) % tabs.length;
+      scrollOffset = 0;
+      render();
+      return;
+    }
+    // Number keys
+    if (key === '1') { activeTab = 0; scrollOffset = 0; render(); return; }
+    if (key === '2') { activeTab = 1; scrollOffset = 0; render(); return; }
+    if (key === '3') { activeTab = 2; scrollOffset = 0; render(); return; }
+    // Scroll
+    if (key === '\x1b[A' || key === 'k') { scrollOffset = Math.max(0, scrollOffset - 1); render(); return; } // Up
+    if (key === '\x1b[B' || key === 'j') { scrollOffset++; render(); return; } // Down
+    if (key === '\x1b[5~') { scrollOffset = Math.max(0, scrollOffset - 10); render(); return; } // PageUp
+    if (key === '\x1b[6~') { scrollOffset += 10; render(); return; } // PageDown
+  }
+  // Setup input
+  process.stdin.setRawMode(true);
+  process.stdin.resume();
+  process.stdin.setEncoding('utf8');
+  process.stdin.on('data', onKeypress);
+  process.stdout.on('resize', render);
+  // Graceful cleanup
+  process.on('exit', cleanup);
+  process.on('SIGINT', () => { cleanup(); process.exit(0); });
+  process.on('SIGTERM', () => { cleanup(); process.exit(0); });
+  // Initial render
+  render();
+  // Keep alive until user quits
+  await new Promise(resolve => {
+    const check = setInterval(() => {
+      if (!running) { clearInterval(check); resolve(); }
+    }, 100);
+  });
+}
 // ── Main ────────────────────────────────────────────────
 async function main() {
@@ -1959,53 +2518,251 @@ async function main() {
   const modelIdx = args.indexOf('--model');
   if (modelIdx !== -1) args.splice(modelIdx, 2);
+  // Detect per-command --help BEFORE stripping (e.g. `agentaudit model --help`)
+  const wantsHelp = args.includes('--help') || args.includes('-h');
+  // Strip --help/-h from args for routing
+  args = args.filter(a => a !== '--help' && a !== '-h');
   if (args[0] === '-v' || args[0] === '--version') {
     console.log(`agentaudit ${getVersion()}`);
     process.exitCode = 0; return;
   }
-  if (args[0] === '--help' || args[0] === '-h') {
+  // Subcommand help definitions
+  const subcommandHelp = {
+    discover: [
+      `${c.bold}agentaudit discover${c.reset} [options]`,
+      ``,
+      `Find MCP servers configured in your AI editors (Cursor, Claude Desktop, VS Code, Windsurf).`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --quick, -s    Auto-scan all discovered servers (regex-based)`,
+      `  --deep, -a     Interactively select servers for deep LLM audit`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit discover`,
+      `  agentaudit discover --quick`,
+      `  agentaudit discover --deep`,
+    ],
+    scan: [
+      `${c.bold}agentaudit scan${c.reset} <url> [url...] [options]`,
+      ``,
+      `Quick regex-based static security scan (~2s). Checks for 15+ patterns`,
+      `(command injection, eval, hardcoded secrets, path traversal, etc.)`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --deep         Run deep LLM audit instead (same as \`agentaudit audit\`)`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit scan https://github.com/owner/repo`,
+      `  agentaudit scan https://github.com/a/b https://github.com/c/d`,
+      `  agentaudit scan https://github.com/owner/repo --deep`,
+    ],
+    audit: [
+      `${c.bold}agentaudit audit${c.reset} <url> [url...] [options]`,
+      ``,
+      `Deep LLM-powered 3-pass security audit (~30s). Requires an LLM API key.`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --model <name>   Override LLM model for this run`,
+      `  --no-upload      Skip uploading report to registry`,
+      `  --export         Export audit payload as markdown (for manual LLM review)`,
+      `  --debug          Show raw LLM response on parse errors`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit audit https://github.com/owner/repo`,
+      `  agentaudit audit https://github.com/owner/repo --no-upload`,
+      `  agentaudit audit https://github.com/owner/repo --model gpt-4o`,
+      `  agentaudit audit https://github.com/owner/repo --export`,
+    ],
+    lookup: [
+      `${c.bold}agentaudit lookup${c.reset} <name> [options]`,
+      ``,
+      `Look up a package in the AgentAudit registry. Shows trust score,`,
+      `findings, confidence level, and audit history.`,
+      ``,
+      `${c.bold}Aliases:${c.reset} lookup, check`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit lookup fastmcp`,
+      `  agentaudit lookup @anthropic/mcp-server-filesystem --json`,
+      `  agentaudit check fastmcp`,
+    ],
+    check: null, // alias → lookup
+    model: [
+      `${c.bold}agentaudit model${c.reset} [name|reset]`,
+      ``,
+      `Configure LLM provider and model. Interactive two-step menu when`,
+      `called without arguments: choose provider, then choose model.`,
+      ``,
+      `${c.bold}Usage:${c.reset}`,
+      `  agentaudit model              Interactive provider + model menu`,
+      `  agentaudit model <name>       Set model directly (keeps current provider)`,
+      `  agentaudit model reset        Reset provider + model to defaults`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit model`,
+      `  agentaudit model gpt-4o`,
+      `  agentaudit model qwen/qwen3-coder`,
+      `  agentaudit model reset`,
+    ],
+    setup: [
+      `${c.bold}agentaudit setup${c.reset}`,
+      ``,
+      `Log in to agentaudit.dev — create an account or enter an existing API key.`,
+      `This enables uploading audit reports to the public registry.`,
+      ``,
+      `${c.bold}Note:${c.reset} This is NOT for LLM/provider configuration. Use ${c.cyan}agentaudit model${c.reset} for that.`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit setup`,
+    ],
+    status: [
+      `${c.bold}agentaudit status${c.reset}`,
+      ``,
+      `Show current configuration: active LLM provider, model, account`,
+      `status, and which API keys are available.`,
+      ``,
+      `${c.bold}Aliases:${c.reset} status, whoami`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit status`,
+      `  agentaudit status --json`,
+    ],
+    dashboard: [
+      `${c.bold}agentaudit dashboard${c.reset}`,
+      ``,
+      `Interactive full-screen dashboard with stats, leaderboard, and benchmark.`,
+      `Uses alternate screen buffer — your scrollback stays intact.`,
+      ``,
+      `${c.bold}Navigation:${c.reset}`,
+      `  ←→ / Tab      Switch between tabs`,
+      `  1-3            Jump to tab by number`,
+      `  ↑↓ / j/k       Scroll content`,
+      `  PgUp/PgDn     Scroll fast`,
+      `  q / Ctrl+C    Quit`,
+      ``,
+      `${c.bold}Tabs:${c.reset}`,
+      `  [1] Overview    Your profile + registry stats`,
+      `  [2] Leaderboard Top contributors ranking`,
+      `  [3] Benchmark   LLM model performance comparison`,
+      ``,
+      `${c.bold}Aliases:${c.reset} dashboard, dash`,
+    ],
+    dash: null, // alias → dashboard
+    leaderboard: [
+      `${c.bold}agentaudit leaderboard${c.reset} [options]`,
+      ``,
+      `Show top contributors ranking. Pipe-friendly output (no alt-screen).`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --tab <name>   Category: overall (default), monthly, reviewers, verifiers, streaks`,
+      `  --all           Show all entries (default: top 20)`,
+      `  --json          Machine-readable JSON output`,
+      ``,
+      `${c.bold}Aliases:${c.reset} leaderboard, lb`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit leaderboard`,
+      `  agentaudit leaderboard --tab monthly`,
+      `  agentaudit leaderboard --all --json`,
+    ],
+    lb: null, // alias → leaderboard
+    benchmark: [
+      `${c.bold}agentaudit benchmark${c.reset} [options]`,
+      ``,
+      `Compare LLM model performance across security audits.`,
+      `Shows detection rates, severity breakdown, and vulnerability landscape.`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --json          Machine-readable JSON output`,
+      ``,
+      `${c.bold}Aliases:${c.reset} benchmark, bench`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit benchmark`,
+      `  agentaudit benchmark --json`,
+    ],
+    bench: null, // alias → benchmark
+  };
+  // Show subcommand help: `agentaudit help <cmd>` or `agentaudit <cmd> --help`
+  function showSubcommandHelp(cmd) {
+    let helpLines = subcommandHelp[cmd];
+    if (helpLines === null) {
+      // alias redirect
+      const aliases = { check: 'lookup', dash: 'dashboard', lb: 'leaderboard', bench: 'benchmark' };
+      helpLines = subcommandHelp[aliases[cmd] || cmd];
+    }
+    if (!helpLines) {
+      console.log(`  ${c.red}No help available for "${cmd}"${c.reset}`);
+      console.log(`  ${c.dim}Run ${c.cyan}agentaudit help${c.dim} for available commands${c.reset}`);
+      return;
+    }
+    banner();
+    for (const line of helpLines) console.log(`  ${line}`);
+    console.log();
+  }
+  // Handle: `agentaudit <cmd> --help` (wantsHelp + has a command)
+  if (wantsHelp && args[0] && args[0] !== '--help' && args[0] !== '-h') {
+    const cmd = args[0];
+    if (subcommandHelp[cmd] !== undefined) {
+      showSubcommandHelp(cmd);
+      process.exitCode = 0; return;
+    }
+  }
+  // Handle: `agentaudit help [cmd]`
+  if (args[0] === 'help') {
+    const helpCmd = args[1];
+    if (helpCmd && subcommandHelp[helpCmd] !== undefined) {
+      showSubcommandHelp(helpCmd);
+      process.exitCode = 0; return;
+    }
+    // No subcommand or unknown → show main help
+    wantsHelp || (args[0] = '--help'); // fall through to main help
+  }
+  if (args[0] === '--help' || args[0] === '-h' || args[0] === 'help' || (wantsHelp && args.length === 0)) {
     banner();
-    console.log(`  ${c.bold}Commands:${c.reset}`);
+    console.log(`  ${c.bold}USAGE${c.reset}`);
+    console.log(`    agentaudit <command> [options]`);
     console.log();
-    console.log(`    ${c.cyan}agentaudit${c.reset}                                   Discover MCP servers (same as discover)`);
-    console.log(`    ${c.cyan}agentaudit discover${c.reset}                          Find MCP servers in your AI editors (Cursor, Claude, VS Code, Windsurf)`);
-    console.log(`    ${c.cyan}agentaudit discover --quick${c.reset}                  Discover + auto-scan all servers`);
-    console.log(`    ${c.cyan}agentaudit discover --deep${c.reset}                   Discover + select servers to deep-audit`);
-    console.log(`    ${c.cyan}agentaudit scan${c.reset} <url> [url...]               Quick static scan (regex, local)`);
-    console.log(`    ${c.cyan}agentaudit scan${c.reset} <url> ${c.dim}--deep${c.reset}                Deep audit (same as audit)`);
-    console.log(`    ${c.cyan}agentaudit audit${c.reset} <url> [url...]              Deep LLM-powered security audit`);
-    console.log(`    ${c.cyan}agentaudit lookup${c.reset} <name>                     Look up package in registry`);
-    console.log(`    ${c.cyan}agentaudit model${c.reset}                             Configure LLM provider + model interactively`);
-    console.log(`    ${c.cyan}agentaudit model${c.reset} <name>                     Set model directly (e.g. gpt-4o)`);
-    console.log(`    ${c.cyan}agentaudit setup${c.reset}                             Create account / enter API key (for report uploads)`);
+    console.log(`  ${c.bold}SCAN & AUDIT${c.reset}`);
+    console.log(`    ${c.cyan}discover${c.reset}              Find MCP servers in your AI editors`);
+    console.log(`    ${c.cyan}scan${c.reset} <url> [url...]   Quick static scan (regex, ~2s)`);
+    console.log(`    ${c.cyan}audit${c.reset} <url> [url...]  Deep LLM-powered security audit (~30s)`);
+    console.log(`    ${c.cyan}lookup${c.reset} <name>         Look up package in registry`);
     console.log();
-    console.log(`  ${c.bold}Global flags:${c.reset}`);
-    console.log(`    ${c.dim}--json           Output JSON to stdout (machine-readable)${c.reset}`);
-    console.log(`    ${c.dim}--quiet          Suppress banner and tree visualization${c.reset}`);
-    console.log(`    ${c.dim}--no-color       Disable ANSI colors (also: NO_COLOR env)${c.reset}`);
-    console.log(`    ${c.dim}--model <name>   Override LLM model for this run${c.reset}`);
-    console.log(`    ${c.dim}--no-upload      Skip uploading report to registry${c.reset}`);
+    console.log(`  ${c.bold}COMMUNITY${c.reset}`);
+    console.log(`    ${c.cyan}dashboard${c.reset}             Interactive dashboard (full-screen)`);
+    console.log(`    ${c.cyan}leaderboard${c.reset}           Top contributors ranking`);
+    console.log(`    ${c.cyan}benchmark${c.reset}             LLM model performance comparison`);
     console.log();
-    console.log(`  ${c.bold}Quick Scan${c.reset} vs ${c.bold}Deep Audit${c.reset}:`);
-    console.log(`    ${c.dim}scan  = fast regex-based static analysis (~2s)${c.reset}`);
-    console.log(`    ${c.dim}audit = deep LLM analysis with 3-pass methodology (~30s)${c.reset}`);
+    console.log(`  ${c.bold}CONFIGURATION${c.reset}`);
+    console.log(`    ${c.cyan}model${c.reset}                 Configure LLM provider + model`);
+    console.log(`    ${c.cyan}setup${c.reset}                 Log in to agentaudit.dev (for report uploads)`);
+    console.log(`    ${c.cyan}status${c.reset}                Show current config + auth status`);
     console.log();
-    console.log(`  ${c.bold}Exit codes:${c.reset}`);
-    console.log(`    ${c.dim}0 = clean / success    1 = findings detected    2 = error${c.reset}`);
+    console.log(`  ${c.bold}FLAGS${c.reset}`);
+    console.log(`    ${c.dim}--json             Machine-readable JSON output${c.reset}`);
+    console.log(`    ${c.dim}--quiet            Suppress banner${c.reset}`);
+    console.log(`    ${c.dim}--no-color         Disable ANSI colors (also: NO_COLOR env)${c.reset}`);
+    console.log(`    ${c.dim}--model <name>     Override LLM model for this run${c.reset}`);
+    console.log(`    ${c.dim}--no-upload        Skip uploading report to registry${c.reset}`);
+    console.log(`    ${c.dim}--export           Export audit payload as markdown${c.reset}`);
+    console.log(`    ${c.dim}--debug            Show raw LLM response on parse errors${c.reset}`);
     console.log();
-    console.log(`  ${c.bold}Examples:${c.reset}`);
-    console.log(`    agentaudit`);
+    console.log(`  ${c.bold}EXAMPLES${c.reset}`);
     console.log(`    agentaudit discover --quick`);
     console.log(`    agentaudit scan https://github.com/owner/repo`);
     console.log(`    agentaudit audit https://github.com/owner/repo`);
     console.log(`    agentaudit lookup fastmcp --json`);
     console.log();
-    console.log(`  ${c.bold}For deep audits,${c.reset} set an LLM API key (e.g. ${c.cyan}export OPENROUTER_API_KEY=sk-or-...${c.reset})`);
-    console.log(`  ${c.dim}Run "agentaudit model" to configure provider + model interactively${c.reset}`);
-    console.log();
-    console.log(`  ${c.bold}Or use as MCP server${c.reset} in Cursor/Claude ${c.dim}(no extra API key needed):${c.reset}`);
-    console.log(`  ${c.dim}{ "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } }${c.reset}`);
+    console.log(`  ${c.bold}LEARN MORE${c.reset}`);
+    console.log(`    ${c.dim}agentaudit help <command>${c.reset}     Help for a specific command`);
+    console.log(`    ${c.dim}https://agentaudit.dev${c.reset}        Documentation`);
     console.log();
     process.exitCode = 0; return;
   }
@@ -2013,14 +2770,123 @@ async function main() {
   // Default no-arg → discover
   const command = args.length === 0 ? 'discover' : args[0];
   const targets = args.slice(1);
+  // Dashboard/Leaderboard/Benchmark — before banner() since dashboard uses alt-screen
+  if (command === 'dashboard' || command === 'dash') {
+    await dashboardCommand();
+    return;
+  }
+  if (command === 'leaderboard' || command === 'lb') {
+    await leaderboardCommand(targets);
+    return;
+  }
+  if (command === 'benchmark' || command === 'bench') {
+    await benchmarkCommand(targets);
+    return;
+  }
   banner();
   if (command === 'setup') {
     await setupCommand();
     return;
   }
+  if (command === 'status' || command === 'whoami') {
+    // ── Status / diagnostic overview ──
+    const config = loadLlmConfig();
+    const creds = loadCredentials();
+    const resolved = resolveProvider();
+    console.log(`  ${c.bold}Status${c.reset}`);
+    console.log();
+    // Provider + Model
+    const prefProvider = config?.preferred_provider;
+    const prefModel = config?.llm_model;
+    if (prefProvider && resolved) {
+      console.log(`  Provider    ${c.bold}${resolved.name}${c.reset}  ${c.dim}(${resolved.key})${c.reset}  ${c.green}✔${c.reset}`);
+    } else if (resolved) {
+      console.log(`  Provider    ${c.bold}${resolved.name}${c.reset}  ${c.dim}(auto-detected via ${resolved.key})${c.reset}  ${c.green}✔${c.reset}`);
+    } else {
+      console.log(`  Provider    ${c.yellow}none${c.reset}  ${c.dim}— set an API key or run ${c.cyan}agentaudit model${c.dim}${c.reset}`);
+    }
+    if (prefModel) {
+      console.log(`  Model       ${c.bold}${prefModel}${c.reset}  ${c.dim}(custom)${c.reset}`);
+    } else if (resolved) {
+      console.log(`  Model       ${c.dim}${resolved.model} (provider default)${c.reset}`);
+    } else {
+      console.log(`  Model       ${c.dim}—${c.reset}`);
+    }
+    console.log();
+    // Account / auth
+    if (creds) {
+      console.log(`  Account     ${c.bold}${creds.agent_name}${c.reset}  ${c.green}✔ logged in${c.reset}`);
+      console.log(`  ${c.dim}            Key: ${creds.api_key.slice(0, 12)}...${c.reset}`);
+    } else {
+      console.log(`  Account     ${c.yellow}not configured${c.reset}  ${c.dim}— run ${c.cyan}agentaudit setup${c.dim} to create one${c.reset}`);
+    }
+    console.log();
+    // All provider keys
+    const seen = new Set();
+    const keyLines = [];
+    for (const p of LLM_PROVIDERS) {
+      if (seen.has(p.provider)) continue;
+      seen.add(p.provider);
+      const keys = LLM_PROVIDERS.filter(x => x.provider === p.provider);
+      const hasKey = keys.some(x => process.env[x.key]);
+      keyLines.push({ name: p.name, key: p.key, hasKey });
+    }
+    console.log(`  ${c.bold}API Keys${c.reset}`);
+    for (const k of keyLines) {
+      const icon = k.hasKey ? `${c.green}✔${c.reset}` : `${c.dim}✗${c.reset}`;
+      const label = k.hasKey ? k.name : `${c.dim}${k.name}${c.reset}`;
+      console.log(`    ${icon}  ${label}  ${c.dim}${k.key}${c.reset}`);
+    }
+    console.log();
+    // Personal stats (from registry, silently skip on error)
+    if (creds?.agent_name && creds.agent_name !== 'env') {
+      try {
+        const [agentRes, lbRes] = await Promise.all([
+          fetch(`${REGISTRY_URL}/api/agents/${encodeURIComponent(creds.agent_name)}`, {
+            headers: { 'Authorization': `Bearer ${creds.api_key}` },
+            signal: AbortSignal.timeout(10_000),
+          }).then(r => r.ok ? r.json() : null),
+          fetch(`${REGISTRY_URL}/api/leaderboard?limit=100`, { signal: AbortSignal.timeout(10_000) }).then(r => r.ok ? r.json() : null),
+        ]);
+        if (agentRes) {
+          console.log(`  ${c.bold}Profile${c.reset}`);
+          let rank = '-';
+          if (Array.isArray(lbRes)) {
+            const idx = lbRes.findIndex(e => e.agent_name === creds.agent_name);
+            if (idx >= 0) rank = `#${idx + 1} of ${lbRes.length}`;
+          }
+          console.log(`    Rank        ${c.bold}${rank}${c.reset}`);
+          console.log(`    Points      ${c.bold}${fmtNum(agentRes.total_points || 0)}${c.reset}`);
+          console.log(`    Audits      ${c.bold}${fmtNum(agentRes.total_reports || 0)}${c.reset}`);
+          console.log(`    Findings    ${c.bold}${fmtNum(agentRes.total_findings_submitted || 0)}${c.reset} ${c.dim}(${fmtNum(agentRes.total_findings_confirmed || 0)} confirmed)${c.reset}`);
+          console.log();
+        }
+      } catch {}
+    }
+    // JSON mode
+    if (jsonMode) {
+      const status = {
+        version: getVersion(),
+        provider: resolved ? { name: resolved.name, provider: resolved.provider, key: resolved.key, model: prefModel || resolved.model } : null,
+        account: creds ? { agent_name: creds.agent_name, has_key: true } : null,
+        api_keys: keyLines.reduce((acc, k) => { acc[k.key] = k.hasKey; return acc; }, {}),
+      };
+      console.log(JSON.stringify(status, null, 2));
+    }
+    return;
+  }
   if (command === 'model') {
     const newModel = targets.filter(t => !t.startsWith('--'))[0];
     const config = loadLlmConfig();
@@ -2195,6 +3061,7 @@ async function main() {
     const names = targets.filter(t => !t.startsWith('--'));
     if (names.length === 0) {
       console.log(`  ${c.red}Error: package name required${c.reset}`);
+      console.log(`  ${c.dim}Usage: ${c.cyan}agentaudit lookup <name>${c.dim} — e.g. agentaudit lookup fastmcp${c.reset}`);
       process.exitCode = 2;
       return;
     }
@@ -2207,7 +3074,6 @@ async function main() {
       console.log(JSON.stringify(results.length === 1 ? (results[0] || { error: 'not_found' }) : results, null, 2));
     }
     process.exitCode = 0; return;
-    return;
   }
   if (command === 'scan') {
@@ -2269,6 +3135,8 @@ async function main() {
     const urls = targets.filter(t => !t.startsWith('--'));
     if (urls.length === 0) {
       console.log(`  ${c.red}Error: at least one repository URL required${c.reset}`);
+      console.log(`  ${c.dim}Usage: ${c.cyan}agentaudit audit <url>${c.dim} — e.g. agentaudit audit https://github.com/owner/repo${c.reset}`);
+      console.log(`  ${c.dim}Tip: use ${c.cyan}agentaudit discover --deep${c.dim} to find & audit locally installed MCP servers${c.reset}`);
       process.exitCode = 2;
       return;
     }
@@ -2283,7 +3151,7 @@ async function main() {
   }
   console.log(`  ${c.red}Unknown command: ${command}${c.reset}`);
-  console.log(`  ${c.dim}Run agentaudit --help for usage${c.reset}`);
+  console.log(`  ${c.dim}Run ${c.cyan}agentaudit help${c.dim} for available commands${c.reset}`);
   process.exitCode = 2;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.10.1",
+  "version": "3.10.3",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {