agentaudit 3.10.10 → 3.12.0

package/cli.mjs

@@ -5,7 +5,7 @@
  * Usage: agentaudit <command> [options]
  *
  * Commands:
- *   discover              Find MCP servers in AI editors
+ *   discover              Find MCP servers across all AI tools
  *   scan <url> [url...]   Quick static scan (regex)
  *   audit <url> [url...]  Deep LLM-powered security audit
  *   lookup <name>         Look up package in registry
@@ -17,6 +17,7 @@
  *   model [name|reset]    Configure LLM provider + model
  *   setup                 Log in to agentaudit.dev (for report uploads)
  *   status                Show current config + auth status
+ *   profile               Your profile — rank, points, audit stats
  *   help [command]        Show help
  *
  * Flags: --json, --quiet, --no-color, --no-upload, --model, --export, --debug
@@ -554,7 +555,7 @@ function banner() {
     const ptsStr = `${fmtNum(cache.total_points)}pts`;
     const auditsStr = `${fmtNum(cache.total_reports)} audits`;
     const profile = [cache.agent_name, rankStr, ptsStr, auditsStr].filter(Boolean).join(' \u00b7 ');
-    console.log(`  ${c.bold}${c.cyan}\u26e8 AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}  ${c.dim}\u2502${c.reset}  ${profile}`);
+    console.log(`  ${c.bold}${c.cyan}\u25c6 AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}  ${c.dim}\u2502${c.reset}  ${profile}`);
   } else {
     console.log(`  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}`);
     console.log(`  ${c.dim}Security scanner for AI packages${c.reset}`);
@@ -575,10 +576,14 @@ function elapsed(startMs) {
 }
 
 function riskBadge(score) {
-  if (score === 0) return `${c.bgGreen}${c.bold}${c.white} SAFE ${c.reset}`;
-  if (score <= 10) return `${c.bgGreen}${c.white} LOW ${c.reset}`;
-  if (score <= 30) return `${c.bgYellow}${c.bold} CAUTION ${c.reset}`;
-  return `${c.bgRed}${c.bold}${c.white} UNSAFE ${c.reset}`;
+  const badge = score === 0 ? `${c.bgGreen}${c.bold}${c.white} SAFE ${c.reset}`
+    : score <= 10 ? `${c.bgGreen}${c.white} LOW ${c.reset}`
+    : score <= 30 ? `${c.bgYellow}${c.bold} CAUTION ${c.reset}`
+    : `${c.bgRed}${c.bold}${c.white} UNSAFE ${c.reset}`;
+  const filled = Math.min(Math.round(score / 20), 5);
+  const gaugeColor = score <= 10 ? c.green : score <= 30 ? c.yellow : c.red;
+  const gauge = `${gaugeColor}${'▰'.repeat(filled)}${c.dim}${'▱'.repeat(5 - filled)}${c.reset}`;
+  return `${badge} ${gauge}  ${score}/100`;
 }
 
 function severityColor(sev) {
@@ -695,6 +700,47 @@ function sparkline(values) {
   }).join('');
 }
 
+// ─── Section Header ─────────── labeled divider
+function sectionHeader(title, width = 60) {
+  const dashAfter = Math.max(3, width - 5 - title.length);
+  return `  ${c.dim}───${c.reset} ${c.bold}${title}${c.reset} ${c.dim}${'─'.repeat(dashAfter)}${c.reset}`;
+}
+
+// █████░░░░░░░░░░░░░░ coverage bar
+function coverageBar(filled, total, width = 20) {
+  if (total === 0) return `${c.dim}${'░'.repeat(width)}${c.reset}  0/0`;
+  const barFilled = Math.max(filled > 0 ? 1 : 0, Math.round((filled / total) * width));
+  const barEmpty = width - barFilled;
+  const pct = Math.round((filled / total) * 100);
+  const color = pct >= 80 ? c.green : pct >= 50 ? c.yellow : c.red;
+  return `${color}${'█'.repeat(barFilled)}${c.dim}${'░'.repeat(barEmpty)}${c.reset}  ${filled}/${total} (${pct}%)`;
+}
+
+// Severity histogram for findings
+function severityHistogram(findings) {
+  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const f of findings) {
+    const sev = (f.severity || '').toLowerCase();
+    if (counts[sev] !== undefined) counts[sev]++;
+  }
+  const max = Math.max(...Object.values(counts), 1);
+  const lines = [];
+  for (const sev of ['critical', 'high', 'medium', 'low']) {
+    const count = counts[sev];
+    if (count === 0) continue;
+    const barLen = Math.max(1, Math.round((count / max) * 24));
+    const sc = severityColor(sev);
+    const label = sev.toUpperCase().padEnd(10);
+    lines.push(`  ${sc}${label}${c.reset} ${sc}${'█'.repeat(barLen)}${c.reset}${' '.repeat(24 - barLen)}  ${count}`);
+  }
+  return lines;
+}
+
+// ▰▰▰▱ step progress indicator
+function stepProgress(current, total) {
+  return `${c.cyan}${'▰'.repeat(current)}${c.dim}${'▱'.repeat(total - current)}${c.reset}`;
+}
+
 function fmtNum(n) {
   if (n == null) return '0';
   return n.toLocaleString('en-US');
@@ -709,7 +755,7 @@ function dashboardBanner() {
   const ver = getVersion();
   return [
     `  ${BOX.tl}${c.dim}${BOX.h.repeat(35)}${c.reset}${BOX.tr}`,
-    `  ${BOX.v}  ${c.bold}${c.cyan}⛨  AgentAudit${c.reset}  ${c.dim}v${ver}${c.reset}${' '.repeat(Math.max(0, 19 - ver.length))}${BOX.v}`,
+    `  ${BOX.v}  ${c.bold}${c.cyan}◆  AgentAudit${c.reset}  ${c.dim}v${ver}${c.reset}${' '.repeat(Math.max(0, 19 - ver.length))}${BOX.v}`,
     `  ${BOX.v}  ${c.dim}Security Registry for AI Agents${c.reset}  ${BOX.v}`,
     `  ${BOX.bl}${c.dim}${BOX.h.repeat(35)}${c.reset}${BOX.br}`,
   ];
@@ -1120,31 +1166,38 @@ function printScanResult(url, info, files, findings, registryData, duration) {
     console.log(`${icons.pipe}  ${c.dim}(no tools or prompts detected)${c.reset}`);
   }
   
-  // Findings
+  // Findings with severity stripe
   if (findings.length > 0) {
-    console.log(`${icons.pipe}`);
-    console.log(`${icons.pipe}  ${c.bold}Findings (${findings.length})${c.reset}  ${c.dim}static analysis — may include false positives${c.reset}`);
-    for (let i = 0; i < findings.length; i++) {
-      const f = findings[i];
-      const isLast = i === findings.length - 1;
-      const branch = isLast ? icons.treeLast : icons.tree;
-      const pipeOrSpace = isLast ? '   ' : `${icons.pipe}  `;
+    console.log();
+    console.log(sectionHeader(`Findings (${findings.length})`));
+    console.log(`  ${c.dim}static analysis — may include false positives${c.reset}`);
+    console.log();
+    for (const f of findings) {
       const sc = severityColor(f.severity);
-      console.log(`${branch}  ${severityIcon(f.severity)} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
-      console.log(`${pipeOrSpace}   ${c.dim}${f.file}:${f.line}${c.reset}  ${c.dim}${f.snippet || ''}${c.reset}`);
+      console.log(`  ${sc}┃${c.reset} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset}  ${c.bold}${f.title}${c.reset}`);
+      console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.file}:${f.line}${c.reset}  ${c.dim}${f.snippet || ''}${c.reset}`);
+    }
+
+    // Severity histogram
+    const histLines = severityHistogram(findings);
+    if (histLines.length > 1) {
+      console.log();
+      console.log(sectionHeader('Severity'));
+      for (const line of histLines) console.log(line);
     }
   }
-  
+
   // Registry status
-  console.log(`${icons.pipe}`);
+  console.log();
+  console.log(sectionHeader('Registry'));
   if (registryData) {
     const rd = registryData;
     const riskScore = rd.risk_score ?? rd.latest_risk_score ?? 0;
-    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${riskBadge(riskScore)} Risk ${riskScore}  ${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
+    console.log(`  ${riskBadge(riskScore)}  ${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
   } else {
-    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${c.dim}not audited yet${c.reset}`);
+    console.log(`  ${c.dim}not audited yet${c.reset}`);
   }
-  
+
   console.log();
 }
 
@@ -1153,27 +1206,23 @@ function printSummary(results) {
   const safe = results.filter(r => r.findings.length === 0).length;
   const withFindings = total - safe;
   const totalFindings = results.reduce((sum, r) => sum + r.findings.length, 0);
-  
-  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-  console.log(`  ${c.bold}Summary${c.reset}  ${total} packages scanned`);
+  const allFindings = results.flatMap(r => r.findings);
+
+  console.log(sectionHeader(`Summary — ${total} packages scanned`));
   console.log();
   if (safe > 0) console.log(`  ${icons.safe}  ${c.green}${safe} clean${c.reset}`);
   if (withFindings > 0) console.log(`  ${icons.caution}  ${c.yellow}${withFindings} with findings${c.reset} (${totalFindings} total)`);
-  
-  // Breakdown by severity
-  const bySev = {};
-  results.forEach(r => r.findings.forEach(f => {
-    bySev[f.severity] = (bySev[f.severity] || 0) + 1;
-  }));
-  if (Object.keys(bySev).length > 0) {
+  console.log();
+  console.log(`  ${coverageBar(safe, total)}`);
+
+  // Severity histogram
+  const histLines = severityHistogram(allFindings);
+  if (histLines.length > 0) {
     console.log();
-    for (const sev of ['critical', 'high', 'medium', 'low']) {
-      if (bySev[sev]) {
-        console.log(`    ${severityIcon(sev)} ${bySev[sev]}× ${severityColor(sev)}${sev}${c.reset}`);
-      }
-    }
+    console.log(sectionHeader('Severity'));
+    for (const line of histLines) console.log(line);
   }
-  
+
   console.log();
 }
 
@@ -1230,48 +1279,290 @@ async function scanRepo(url) {
 
 // ── Discover local MCP configs ──────────────────────────
 
+/**
+ * Minimal YAML parser — extracts MCP server list entries from
+ * Continue.dev (mcpServers: list) and Goose (extensions: list).
+ * Zero dependencies. Only handles the subset of YAML used by these tools.
+ */
+function parseSimpleYaml(text, rootKey) {
+  const result = { mcpServers: {} };
+  const lines = text.split('\n');
+  let inSection = false;
+  let currentName = null;
+  let currentServer = {};
+  let collectingArgs = false;
+  let argsIndent = -1;
+
+  for (const line of lines) {
+    const trimmed = line.trimEnd();
+    if (trimmed === '' || /^\s*#/.test(trimmed)) continue;
+    const indent = line.search(/\S/);
+
+    if (indent === 0 && trimmed === rootKey + ':') { inSection = true; continue; }
+    if (indent === 0 && inSection && /^\w/.test(trimmed)) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      break;
+    }
+    if (!inSection) continue;
+
+    const nameMatch = trimmed.match(/^\s*-\s+name:\s*(.+)/);
+    if (nameMatch) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      currentName = nameMatch[1].replace(/^["']|["']$/g, '');
+      currentServer = {};
+      collectingArgs = false;
+      continue;
+    }
+
+    if (collectingArgs && indent > argsIndent) {
+      const argVal = trimmed.match(/^\s*-\s+(.+)/);
+      if (argVal) {
+        if (!currentServer.args) currentServer.args = [];
+        currentServer.args.push(argVal[1].replace(/^["']|["']$/g, ''));
+        continue;
+      }
+    }
+    if (collectingArgs && indent <= argsIndent) collectingArgs = false;
+    if (!currentName) continue;
+
+    const kvMatch = trimmed.match(/^\s+(command|cmd|type|url):\s*(.+)/);
+    if (kvMatch) {
+      collectingArgs = false;
+      const key = kvMatch[1] === 'cmd' ? 'command' : kvMatch[1];
+      currentServer[key] = kvMatch[2].replace(/^["']|["']$/g, '');
+      continue;
+    }
+
+    const argsMatch = trimmed.match(/^\s+(args):\s*(.*)/);
+    if (argsMatch) {
+      const inlineArr = argsMatch[2].match(/^\[(.+)\]$/);
+      if (inlineArr) {
+        currentServer.args = inlineArr[1].split(',').map(s => s.trim().replace(/^["']|["']$/g, ''));
+        collectingArgs = false;
+      } else {
+        collectingArgs = true;
+        argsIndent = indent;
+        currentServer.args = [];
+      }
+      continue;
+    }
+  }
+  if (currentName) result.mcpServers[currentName] = currentServer;
+  return result;
+}
+
+/**
+ * Minimal TOML parser — extracts [mcp_servers.xxx] sections
+ * from OpenAI Codex CLI config. Zero dependencies.
+ */
+function parseSimpleToml(text) {
+  const result = { mcpServers: {} };
+  const lines = text.split('\n');
+  let currentName = null;
+  let currentServer = {};
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === '' || trimmed.startsWith('#')) continue;
+
+    const sectionMatch = trimmed.match(/^\[mcp_servers\.(.+)\]$/);
+    if (sectionMatch) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      currentName = sectionMatch[1];
+      currentServer = {};
+      continue;
+    }
+    if (trimmed.startsWith('[') && !trimmed.startsWith('[mcp_servers.')) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      currentName = null;
+      continue;
+    }
+    if (!currentName) continue;
+
+    const strMatch = trimmed.match(/^(command|url)\s*=\s*"(.+?)"/);
+    if (strMatch) { currentServer[strMatch[1]] = strMatch[2]; continue; }
+
+    const argsMatch = trimmed.match(/^args\s*=\s*\[(.+)\]/);
+    if (argsMatch) {
+      currentServer.args = argsMatch[1].split(',').map(s => s.trim().replace(/^["']|["']$/g, ''));
+      continue;
+    }
+
+    const boolMatch = trimmed.match(/^enabled\s*=\s*(true|false)/);
+    if (boolMatch && boolMatch[1] === 'false') currentServer.disabled = true;
+  }
+  if (currentName) result.mcpServers[currentName] = currentServer;
+  return result;
+}
+
+/**
+ * Comprehensive MCP config discovery across all major AI editors & tools.
+ *
+ * Supports: Claude Desktop, Claude Code, Cursor, Windsurf, VS Code,
+ * Cline, Roo Code, Amazon Q, Gemini CLI, Zed, Continue.dev, Goose,
+ * OpenAI Codex CLI, Visual Studio — global + project-level configs.
+ */
 function findMcpConfigs() {
   const home = process.env.HOME || process.env.USERPROFILE || '';
   const platform = process.platform;
-  
-  // All known MCP config locations
+  const cwd = process.cwd();
+  const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
+
+  // Platform-specific app data directory
+  // macOS: ~/Library/Application Support, Windows: ~/AppData/Roaming, Linux: ~/.config
+  const appData = platform === 'darwin'
+    ? path.join(home, 'Library', 'Application Support')
+    : platform === 'win32'
+    ? path.join(home, 'AppData', 'Roaming')
+    : xdgConfig;
+
+  // Each candidate: { name, path, format: 'json'|'yaml'|'toml', key: top-level key }
   const candidates = [
-    // Claude Desktop
-    { name: 'Claude Desktop', path: path.join(home, '.claude', 'mcp.json') },
-    { name: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') },
-    { name: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') },
-    { name: 'Claude Desktop', path: path.join(home, '.config', 'claude', 'claude_desktop_config.json') },
-    // Cursor
-    { name: 'Cursor', path: path.join(home, '.cursor', 'mcp.json') },
-    // Windsurf / Codeium
-    { name: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json') },
-    // VS Code
-    { name: 'VS Code', path: path.join(home, '.vscode', 'mcp.json') },
-    // Continue.dev
-    { name: 'Continue', path: path.join(home, '.continue', 'config.json') },
+    // ── Claude Desktop ──
+    ...(platform === 'darwin' ? [{ name: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Claude Desktop', path: path.join(xdgConfig, 'Claude', 'claude_desktop_config.json'), format: 'json', key: 'mcpServers' }] : []),
+
+    // ── Claude Code ──
+    { name: 'Claude Code', path: path.join(home, '.claude.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Claude Code', path: path.join(home, '.claude', 'mcp.json'), format: 'json', key: 'mcpServers' },
+
+    // ── Cursor (global) ──
+    { name: 'Cursor', path: path.join(home, '.cursor', 'mcp.json'), format: 'json', key: 'mcpServers' },
+
+    // ── Windsurf / Codeium ──
+    { name: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json'), format: 'json', key: 'mcpServers' },
+
+    // ── VS Code (global mcp.json — uses 'servers' key) ──
+    ...(platform === 'darwin' ? [{ name: 'VS Code', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'mcp.json'), format: 'json', key: 'servers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'VS Code', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'mcp.json'), format: 'json', key: 'servers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'VS Code', path: path.join(xdgConfig, 'Code', 'User', 'mcp.json'), format: 'json', key: 'servers' }] : []),
+
+    // ── VS Code settings.json (mcp.servers nested key) ──
+    ...(platform === 'darwin' ? [{ name: 'VS Code (settings)', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'settings.json'), format: 'json', key: 'mcp.servers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'VS Code (settings)', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'settings.json'), format: 'json', key: 'mcp.servers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'VS Code (settings)', path: path.join(xdgConfig, 'Code', 'User', 'settings.json'), format: 'json', key: 'mcp.servers' }] : []),
+
+    // ── Cline (VS Code extension) ──
+    ...(platform === 'darwin' ? [{ name: 'Cline', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'Cline', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Cline', path: path.join(xdgConfig, 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+
+    // ── Roo Code (VS Code extension) ──
+    ...(platform === 'darwin' ? [{ name: 'Roo Code', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'Roo Code', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Roo Code', path: path.join(xdgConfig, 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+
+    // ── Amazon Q Developer ──
+    { name: 'Amazon Q', path: path.join(home, '.aws', 'amazonq', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Amazon Q (IDE)', path: path.join(home, '.aws', 'amazonq', 'default.json'), format: 'json', key: 'mcpServers' },
+
+    // ── Gemini CLI ──
+    { name: 'Gemini CLI', path: path.join(home, '.gemini', 'settings.json'), format: 'json', key: 'mcpServers' },
+
+    // ── Zed (macOS + Linux only, uses 'context_servers' key) ──
+    ...(platform === 'darwin' ? [{ name: 'Zed', path: path.join(home, '.zed', 'settings.json'), format: 'json', key: 'context_servers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Zed', path: path.join(xdgConfig, 'zed', 'settings.json'), format: 'json', key: 'context_servers' }] : []),
+
+    // ── Continue.dev ──
+    { name: 'Continue', path: path.join(home, '.continue', 'config.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Continue', path: path.join(home, '.continue', 'config.yaml'), format: 'yaml', key: 'mcpServers' },
+
+    // ── Goose (Block/Square) ──
+    { name: 'Goose', path: path.join(xdgConfig, 'goose', 'config.yaml'), format: 'yaml', key: 'extensions' },
+
+    // ── OpenAI Codex CLI ──
+    { name: 'Codex CLI', path: path.join(home, '.codex', 'config.toml'), format: 'toml', key: 'mcp_servers' },
+
+    // ── Visual Studio (Windows only) ──
+    ...(platform === 'win32' ? [{ name: 'Visual Studio', path: path.join(home, '.mcp.json'), format: 'json', key: 'mcpServers' }] : []),
+
+    // ── Project-level configs (cwd) ──
+    { name: 'Claude Code (project)', path: path.join(cwd, '.mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Cursor (project)', path: path.join(cwd, '.cursor', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'VS Code (project)', path: path.join(cwd, '.vscode', 'mcp.json'), format: 'json', key: 'servers' },
+    { name: 'Roo Code (project)', path: path.join(cwd, '.roo', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Amazon Q (project)', path: path.join(cwd, '.amazonq', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Gemini CLI (project)', path: path.join(cwd, '.gemini', 'settings.json'), format: 'json', key: 'mcpServers' },
+    ...(platform !== 'win32' ? [{ name: 'Zed (project)', path: path.join(cwd, '.zed', 'settings.json'), format: 'json', key: 'context_servers' }] : []),
+    { name: 'Codex CLI (project)', path: path.join(cwd, '.codex', 'config.toml'), format: 'toml', key: 'mcp_servers' },
   ];
-  
-  // Also check AGENTAUDIT_TEST_CONFIG env for testing
+
+  // Test config override
   if (process.env.AGENTAUDIT_TEST_CONFIG) {
-    candidates.push({ name: 'Test Config', path: process.env.AGENTAUDIT_TEST_CONFIG });
+    candidates.push({ name: 'Test Config', path: process.env.AGENTAUDIT_TEST_CONFIG, format: 'json', key: 'mcpServers' });
   }
-  
-  // Also scan workspace .cursor/mcp.json, .vscode/mcp.json in cwd
-  const cwd = process.cwd();
-  candidates.push(
-    { name: 'Cursor (project)', path: path.join(cwd, '.cursor', 'mcp.json') },
-    { name: 'VS Code (project)', path: path.join(cwd, '.vscode', 'mcp.json') },
-  );
-  
+
+  // Continue.dev mcpServers drop-in directory (individual JSON files)
+  const continueDropIn = path.join(home, '.continue', 'mcpServers');
+  try {
+    if (fs.existsSync(continueDropIn)) {
+      for (const f of fs.readdirSync(continueDropIn)) {
+        if (f.endsWith('.json')) {
+          candidates.push({ name: 'Continue (drop-in)', path: path.join(continueDropIn, f), format: 'json', key: 'mcpServers' });
+        }
+      }
+    }
+  } catch {}
+
+  // Project-level Continue.dev drop-ins
+  const cwdContinueDropIn = path.join(cwd, '.continue', 'mcpServers');
+  try {
+    if (fs.existsSync(cwdContinueDropIn)) {
+      for (const f of fs.readdirSync(cwdContinueDropIn)) {
+        if (f.endsWith('.json')) {
+          candidates.push({ name: 'Continue (project drop-in)', path: path.join(cwdContinueDropIn, f), format: 'json', key: 'mcpServers' });
+        }
+      }
+    }
+  } catch {}
+
   const found = [];
+  const seenPaths = new Set();
+
   for (const c of candidates) {
-    if (fs.existsSync(c.path)) {
-      try {
-        const content = JSON.parse(fs.readFileSync(c.path, 'utf8'));
-        found.push({ ...c, content });
-      } catch {}
-    }
+    const resolved = path.resolve(c.path);
+    if (seenPaths.has(resolved)) continue;
+    if (!fs.existsSync(c.path)) continue;
+    seenPaths.add(resolved);
+
+    try {
+      const raw = fs.readFileSync(c.path, 'utf8');
+      let content;
+
+      if (c.format === 'yaml') {
+        content = parseSimpleYaml(raw, c.key);
+      } else if (c.format === 'toml') {
+        content = parseSimpleToml(raw);
+      } else {
+        content = JSON.parse(raw);
+        // Normalize different JSON key structures to mcpServers
+        if (c.key === 'mcp.servers' && content.mcp?.servers) {
+          content = { mcpServers: content.mcp.servers };
+        } else if (c.key === 'context_servers' && content.context_servers) {
+          // Zed: normalize nested { command: { path, args } } → { command, args }
+          const normalized = {};
+          for (const [name, cfg] of Object.entries(content.context_servers)) {
+            if (cfg.command && typeof cfg.command === 'object') {
+              normalized[name] = { command: cfg.command.path || cfg.command.command, args: cfg.command.args || [], env: cfg.command.env || {} };
+            } else {
+              normalized[name] = cfg;
+            }
+          }
+          content = { mcpServers: normalized };
+        } else if (c.key === 'servers' && content.servers && !content.mcpServers) {
+          content = { mcpServers: content.servers };
+        }
+      }
+
+      // Only include configs that actually have servers
+      const servers = content?.mcpServers || content?.servers || {};
+      if (Object.keys(servers).length > 0) {
+        found.push({ name: c.name, path: c.path, content });
+      }
+    } catch {}
   }
+
   return found;
 }
 
@@ -1450,7 +1741,7 @@ async function discoverCommand(options = {}) {
   const interactiveAudit = options.audit || false;
   
   if (!jsonMode) {
-    console.log(`  ${c.bold}Discovering MCP servers in your AI editors...${c.reset}`);
+    console.log(`  ${c.bold}Discovering MCP servers across all AI tools...${c.reset}`);
     console.log();
   }
   
@@ -1458,13 +1749,16 @@ async function discoverCommand(options = {}) {
   
   if (configs.length === 0) {
     console.log(`  ${c.yellow}No MCP configurations found.${c.reset}`);
-    console.log(`  ${c.dim}Searched: Claude Desktop, Cursor, Windsurf, VS Code${c.reset}`);
+    console.log(`  ${c.dim}Searched 15+ tools: Claude Desktop, Claude Code, Cursor, Windsurf, VS Code,${c.reset}`);
+    console.log(`  ${c.dim}Cline, Roo Code, Amazon Q, Gemini CLI, Zed, Continue.dev, Goose, Codex CLI${c.reset}`);
     console.log();
-    console.log(`  ${c.dim}MCP config locations:${c.reset}`);
-    console.log(`  ${c.dim}  Claude:   ~/.claude/mcp.json${c.reset}`);
-    console.log(`  ${c.dim}  Cursor:   ~/.cursor/mcp.json${c.reset}`);
-    console.log(`  ${c.dim}  Windsurf: ~/.codeium/windsurf/mcp_config.json${c.reset}`);
-    console.log(`  ${c.dim}  VS Code:  ~/.vscode/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}Common MCP config locations:${c.reset}`);
+    console.log(`  ${c.dim}  Claude Desktop:  ~/Library/Application Support/Claude/claude_desktop_config.json${c.reset}`);
+    console.log(`  ${c.dim}  Claude Code:     ~/.claude.json${c.reset}`);
+    console.log(`  ${c.dim}  Cursor:          ~/.cursor/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}  Windsurf:        ~/.codeium/windsurf/mcp_config.json${c.reset}`);
+    console.log(`  ${c.dim}  VS Code:         (platform)/Code/User/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}  Project-level:   .mcp.json / .cursor/mcp.json / .vscode/mcp.json${c.reset}`);
     console.log();
     return;
   }
@@ -1527,7 +1821,7 @@ async function discoverCommand(options = {}) {
         const riskScore = regData.risk_score ?? regData.latest_risk_score ?? 0;
         const hasOfficial = regData.has_official_audit;
         console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
-        console.log(`${pipe}  ${riskBadge(riskScore)} Risk ${riskScore}  ${hasOfficial ? `${c.green}✔ official${c.reset}  ` : ''}${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
+        console.log(`${pipe}  ${riskBadge(riskScore)}  ${hasOfficial ? `${c.green}✔ official${c.reset}  ` : ''}${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
         if (resolvedUrl) allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: true, regData });
       } else {
         unauditedServers++;
@@ -1550,11 +1844,14 @@ async function discoverCommand(options = {}) {
   }
   
   // Summary
-  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-  console.log(`  ${c.bold}Summary${c.reset}  ${totalServers} server${totalServers !== 1 ? 's' : ''} across ${configs.length} config${configs.length !== 1 ? 's' : ''}`);
+  console.log(sectionHeader(`Summary — ${totalServers} server${totalServers !== 1 ? 's' : ''} across ${configs.length} config${configs.length !== 1 ? 's' : ''}`));
   console.log();
   if (auditedServers > 0) console.log(`  ${icons.safe}  ${c.green}${auditedServers} audited${c.reset}`);
   if (unauditedServers > 0) console.log(`  ${icons.caution}  ${c.yellow}${unauditedServers} not audited${c.reset}`);
+  if (totalServers > 0) {
+    console.log();
+    console.log(`  ${coverageBar(auditedServers, totalServers)}`);
+  }
   console.log();
   
   // --scan: automatically scan all servers with resolved source URLs (git-cloneable only)
@@ -1570,8 +1867,8 @@ async function discoverCommand(options = {}) {
     });
     const skipped = allServersWithUrls.filter(s => s.sourceUrl && !isCloneable(s.sourceUrl));
     if (dedupedTargets.length > 0) {
-      console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-      console.log(`  ${c.bold}${icons.scan}  Auto-scanning ${dedupedTargets.length} server${dedupedTargets.length !== 1 ? 's' : ''}...${c.reset}`);
+      console.log(sectionHeader(`Auto-scanning ${dedupedTargets.length} server${dedupedTargets.length !== 1 ? 's' : ''}`));
+      console.log(`  ${c.bold}${icons.scan}  Starting scans...${c.reset}`);
       if (skipped.length > 0) {
         console.log(`  ${c.dim}(${skipped.length} skipped — no cloneable source URL)${c.reset}`);
       }
@@ -1585,8 +1882,7 @@ async function discoverCommand(options = {}) {
       
       if (scanResults.length > 1) {
         // Print combined scan summary
-        console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-        console.log(`  ${c.bold}Scan Summary${c.reset}  ${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} scanned`);
+        console.log(sectionHeader(`Scan Summary — ${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} scanned`));
         console.log();
         
         let totalFindings = 0;
@@ -1695,7 +1991,7 @@ async function auditRepo(url) {
   console.log();
   
   // Step 1: Clone
-  process.stdout.write(`  ${c.dim}[1/4]${c.reset} Cloning repository...`);
+  process.stdout.write(`  ${stepProgress(1, 4)} Cloning repository...`);
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
   const repoPath = path.join(tmpDir, 'repo');
   try {
@@ -1710,12 +2006,12 @@ async function auditRepo(url) {
   }
   
   // Step 2: Collect files
-  process.stdout.write(`  ${c.dim}[2/4]${c.reset} Collecting source files...`);
+  process.stdout.write(`  ${stepProgress(2, 4)} Collecting source files...`);
   const files = collectFiles(repoPath);
   console.log(` ${c.green}${files.length} files${c.reset}`);
   
   // Step 3: Build audit payload
-  process.stdout.write(`  ${c.dim}[3/4]${c.reset} Preparing audit payload...`);
+  process.stdout.write(`  ${stepProgress(3, 4)} Preparing audit payload...`);
   const auditPrompt = loadAuditPrompt();
   
   let codeBlock = '';
@@ -1788,7 +2084,7 @@ async function auditRepo(url) {
   
   // We have an API key — run LLM audit
   const modelLabel = modelOverride ? `${activeProvider} → ${activeLlm.model}` : activeProvider;
-  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${modelLabel})${c.reset}...`);
+  process.stdout.write(`  ${stepProgress(4, 4)} Running LLM analysis ${c.dim}(${modelLabel})${c.reset}...`);
 
   const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
   const userMessage = [
@@ -2002,17 +2298,26 @@ async function auditRepo(url) {
   // Display results
   console.log();
   const riskScore = report.risk_score || 0;
-  console.log(`  ${riskBadge(riskScore)} Risk ${riskScore}/100  ${c.bold}${report.result || 'unknown'}${c.reset}`);
+  console.log(sectionHeader('Result'));
+  console.log(`  ${riskBadge(riskScore)}`);
   console.log();
-  
+
   if (report.findings && report.findings.length > 0) {
-    console.log(`  ${c.bold}Findings (${report.findings.length})${c.reset}`);
+    console.log(sectionHeader(`Findings (${report.findings.length})`));
     console.log();
     for (const f of report.findings) {
       const sc = severityColor(f.severity);
-      console.log(`  ${severityIcon(f.severity)} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
-      if (f.file) console.log(`    ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
-      if (f.description) console.log(`    ${c.dim}${f.description.slice(0, 120)}${c.reset}`);
+      console.log(`  ${sc}┃${c.reset} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset}  ${c.bold}${f.title}${c.reset}`);
+      if (f.file) console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
+      if (f.description) console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.description.slice(0, 120)}${c.reset}`);
+      console.log();
+    }
+
+    // Severity histogram
+    const histLines = severityHistogram(report.findings);
+    if (histLines.length > 1) {
+      console.log(sectionHeader('Severity'));
+      for (const line of histLines) console.log(line);
       console.log();
     }
   } else {
@@ -2247,7 +2552,7 @@ function renderLeaderboardTab(data, width, opts = {}) {
   }
 
   const maxPts = leaderboard[0]?.total_points || 1;
-  const medals = ['🥇', '🥈', '🥉'];
+  const medals = [`${c.yellow}★${c.reset}`, `${c.cyan}★${c.reset}`, `${c.magenta}★${c.reset}`];
 
   for (let i = 0; i < leaderboard.length; i++) {
     const entry = leaderboard[i];
@@ -2651,7 +2956,7 @@ async function leaderboardCommand(args) {
   }
 
   const maxPts = data[0]?.total_points || 1;
-  const medals = ['🥇', '🥈', '🥉'];
+  const medals = [`${c.yellow}★${c.reset}`, `${c.cyan}★${c.reset}`, `${c.magenta}★${c.reset}`];
   const barW = 24;
 
   for (let i = 0; i < data.length; i++) {
@@ -2997,7 +3302,9 @@ async function main() {
     discover: [
       `${c.bold}agentaudit discover${c.reset} [options]`,
       ``,
-      `Find MCP servers configured in your AI editors (Cursor, Claude Desktop, VS Code, Windsurf).`,
+      `Find MCP servers across 15+ AI tools (Claude Desktop, Claude Code, Cursor, VS Code,`,
+      `Windsurf, Cline, Roo Code, Amazon Q, Gemini CLI, Zed, Continue.dev, Goose, Codex CLI).`,
+      `Checks global + project-level configs on macOS, Windows, and Linux.`,
       ``,
       `${c.bold}Options:${c.reset}`,
       `  --quick, -s    Auto-scan all discovered servers (regex-based)`,
@@ -3185,6 +3492,21 @@ async function main() {
       `  agentaudit find fastmcp`,
     ],
     find: null, // alias → search
+    profile: [
+      `${c.bold}agentaudit profile${c.reset}`,
+      ``,
+      `Show your AgentAudit profile — rank, points, audit stats,`,
+      `and a link to your public profile on agentaudit.dev.`,
+      ``,
+      `Requires being logged in (run ${c.cyan}agentaudit setup${c.reset} first).`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --json          Machine-readable JSON output`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit profile`,
+      `  agentaudit profile --json`,
+    ],
   };
 
   // Show subcommand help: `agentaudit help <cmd>` or `agentaudit <cmd> --help`
@@ -3247,6 +3569,7 @@ async function main() {
     console.log(`    ${c.cyan}model${c.reset}                 Configure LLM provider + model`);
     console.log(`    ${c.cyan}setup${c.reset}                 Log in to agentaudit.dev (for report uploads)`);
     console.log(`    ${c.cyan}status${c.reset}                Show current config + auth status`);
+    console.log(`    ${c.cyan}profile${c.reset}               Your profile — rank, points, audit stats`);
     console.log();
     console.log(`  ${c.bold}FLAGS${c.reset}`);
     console.log(`    ${c.dim}--json             Machine-readable JSON output${c.reset}`);
@@ -3405,6 +3728,103 @@ async function main() {
     return;
   }
 
+  if (command === 'profile') {
+    const creds = loadCredentials();
+    if (!creds) {
+      console.log(`  ${c.yellow}Not logged in.${c.reset}`);
+      console.log(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to link your API key.${c.reset}`);
+      console.log();
+      return;
+    }
+
+    const agentName = creds.agent_name || 'unknown';
+    console.log(`  ${c.bold}Profile${c.reset}  ${c.cyan}${agentName}${c.reset}`);
+    console.log();
+
+    try {
+      process.stdout.write(`  ${c.dim}Fetching profile data...${c.reset}`);
+      const [agentRes, lbRes] = await Promise.all([
+        fetch(`${REGISTRY_URL}/api/agents/${encodeURIComponent(agentName)}`, {
+          headers: { 'Authorization': `Bearer ${creds.api_key}` },
+          signal: AbortSignal.timeout(10_000),
+        }).then(r => r.ok ? r.json() : null),
+        fetch(`${REGISTRY_URL}/api/leaderboard?limit=100`, {
+          signal: AbortSignal.timeout(10_000),
+        }).then(r => r.ok ? r.json() : null),
+      ]);
+      process.stdout.write('\r\x1b[K');
+
+      if (!agentRes) {
+        console.log(`  ${c.yellow}Could not fetch profile data.${c.reset}`);
+        console.log(`  ${c.dim}Your account may not have submitted any audits yet.${c.reset}`);
+        console.log();
+        console.log(`  ${c.dim}Web profile: ${c.cyan}${REGISTRY_URL}/profile${c.reset}`);
+        console.log();
+        return;
+      }
+
+      let rank = null;
+      if (Array.isArray(lbRes)) {
+        const idx = lbRes.findIndex(e => e.agent_name === agentName);
+        if (idx >= 0) rank = idx + 1;
+      }
+
+      // Update cache
+      saveProfileCache({
+        agent_name: agentName,
+        rank,
+        total_points: agentRes.total_points || 0,
+        total_reports: agentRes.total_reports || 0,
+      });
+
+      if (jsonMode) {
+        console.log(JSON.stringify({
+          agent_name: agentName,
+          rank: rank ? { position: rank, total: lbRes?.length || 0 } : null,
+          total_points: agentRes.total_points || 0,
+          total_reports: agentRes.total_reports || 0,
+          total_findings_submitted: agentRes.total_findings_submitted || 0,
+          total_findings_confirmed: agentRes.total_findings_confirmed || 0,
+          profile_url: `${REGISTRY_URL}/profile`,
+        }, null, 2));
+        return;
+      }
+
+      const boxW = 44;
+      const rankStr = rank ? `#${rank} of ${lbRes.length}` : '—';
+      const pts = agentRes.total_points || 0;
+      const audits = agentRes.total_reports || 0;
+      const findingsSubmitted = agentRes.total_findings_submitted || 0;
+      const findingsConfirmed = agentRes.total_findings_confirmed || 0;
+      const ptsBar = renderBar(pts, Math.max(pts, 1000), boxW - 16);
+
+      const contentLines = [
+        '',
+        `${c.bold}${c.cyan}${agentName}${c.reset}${' '.repeat(Math.max(1, boxW - 6 - agentName.length - rankStr.length))}${c.bold}${rankStr}${c.reset}`,
+        '',
+        `Points      ${c.bold}${padLeft(fmtNum(pts), 8)}${c.reset}`,
+        `Audits      ${c.bold}${padLeft(fmtNum(audits), 8)}${c.reset}`,
+        `Findings    ${c.bold}${padLeft(fmtNum(findingsSubmitted), 8)}${c.reset}  ${c.dim}(${fmtNum(findingsConfirmed)} confirmed)${c.reset}`,
+        '',
+        ptsBar,
+        '',
+        `${c.dim}${REGISTRY_URL}/profile${c.reset}`,
+        `${c.dim}Key: ${creds.api_key.slice(0, 12)}...${c.reset}`,
+        '',
+      ];
+      const boxLines = drawBox('Profile', contentLines, boxW + 4);
+      for (const line of boxLines) console.log(line);
+      console.log();
+    } catch (err) {
+      process.stdout.write('\r\x1b[K');
+      console.log(`  ${c.yellow}Failed to fetch profile: ${err.message}${c.reset}`);
+      console.log();
+      console.log(`  ${c.dim}Web profile: ${c.cyan}${REGISTRY_URL}/profile${c.reset}`);
+      console.log();
+    }
+    return;
+  }
+
   if (command === 'model') {
     const newModel = targets.filter(t => !t.startsWith('--'))[0];
     const config = loadLlmConfig();