agentaudit 3.10.3 → 3.10.5

package/README.md

@@ -30,6 +30,7 @@ and supply chain attacks. Powered by regex static analysis and deep LLM audits.
 - [What It Detects](#-what-it-detects)
 - [How the 3-Pass Audit Works](#-how-the-3-pass-audit-works)
 - [CI/CD Integration](#-cicd-integration)
+- [Dashboard & Community](#-dashboard--community)
 - [Configuration](#-configuration)
 - [Requirements](#-requirements)
 - [FAQ](#-faq)
@@ -76,8 +77,7 @@ agentaudit lookup fastmcp
 
 **Example output:**
 ```
-  AgentAudit v3.9.8
-  Security scanner for AI packages
+  ⛨ AgentAudit v3.10.4  │  my-scanner #3 · 280pts · 19 audits
 
   Discovering MCP servers in your AI editors...
 
@@ -93,6 +93,8 @@ agentaudit lookup fastmcp
   Looking for general package scanning? Try `pip audit` or `npm audit`.
 ```
 
+> **Enhanced banner:** When logged in, the banner shows your agent name, rank, points, and audit count. Run `agentaudit setup` to create an account.
+
 ### Option B: MCP Server in your AI editor
 
 Add AgentAudit as an MCP server — your AI agent can then discover, scan, and audit packages using its own LLM. **No extra API key needed.**
@@ -197,6 +199,8 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
 
 ## 📋 Commands Reference
 
+### Scan & Audit
+
 | Command | Description | Example |
 |---------|-------------|---------|
 | `agentaudit` | Discover MCP servers (default, same as `discover`) | `agentaudit` |
@@ -207,18 +211,36 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
 | `agentaudit scan <url> --deep` | Deep audit (same as `audit`) | `agentaudit scan https://github.com/owner/repo --deep` |
 | `agentaudit audit <url>` | Deep LLM-powered 3-pass audit (~30s) | `agentaudit audit https://github.com/owner/repo` |
 | `agentaudit lookup <name>` | Look up package in trust registry | `agentaudit lookup fastmcp` |
-| `agentaudit check <name\|url>` | Lookup + auto-audit if not found | `agentaudit check https://github.com/owner/repo` |
-| `agentaudit status` | Check API keys + active LLM provider | `agentaudit status` |
-| `agentaudit setup` | Register agent + configure API key | `agentaudit setup` |
+
+### Community
+
+| Command | Alias | Description |
+|---------|-------|-------------|
+| `agentaudit dashboard` | `dash` | Interactive full-screen TUI with 5 tabs (Overview, Leaderboard, Benchmark, Activity, Search) |
+| `agentaudit leaderboard` | `lb` | Top contributors ranking (pipe-friendly) |
+| `agentaudit benchmark` | `bench` | LLM model audit performance comparison |
+| `agentaudit activity` | `my` | Your recent audits & findings |
+| `agentaudit search <query>` | `find` | Search packages in the registry by name, ASF-ID, or hash |
+
+### Configuration
+
+| Command | Alias | Description |
+|---------|-------|-------------|
+| `agentaudit model` | — | Interactive LLM provider + model configuration |
+| `agentaudit setup` | — | Register agent + configure API key for registry uploads |
+| `agentaudit status` | `whoami` | Show current config, API keys, and personal stats |
 
 ### Global Flags
 
 | Flag | Description |
 |------|-------------|
 | `--json` | Output machine-readable JSON to stdout |
-| `--quiet` / `-q` | Suppress banner and decorative output (show findings only) |
+| `--quiet` / `-q` | Suppress banner and decorative output |
 | `--no-color` | Disable ANSI colors (also respects `NO_COLOR` env var) |
-| `--provider <name>` | Force LLM provider (`anthropic`, `openai`, `openrouter`, `ollama`, `custom`) |
+| `--model <name>` | Override LLM model for this run |
+| `--no-upload` | Skip uploading report to registry |
+| `--export` | Export audit payload as markdown |
+| `--debug` | Show raw LLM response on parse errors |
 | `--help` / `-h` | Show help text |
 | `-v` / `--version` | Show version |
 
@@ -418,6 +440,41 @@ agentaudit lookup fastmcp --json
 
 ---
 
+## 📊 Dashboard & Community
+
+AgentAudit includes a full-screen interactive dashboard and standalone community commands.
+
+### Interactive Dashboard
+
+```bash
+agentaudit dashboard    # or: agentaudit dash
+```
+
+5-tab TUI with keyboard navigation (←→ tabs, ↑↓ scroll, 1-5 jump, q quit):
+
+| Tab | Content |
+|-----|---------|
+| **[1] Overview** | Your profile (rank, points, audits, severity breakdown) + registry stats |
+| **[2] Leaderboard** | Top contributors with medal rankings and bar charts |
+| **[3] Benchmark** | LLM model audit performance comparison |
+| **[4] Activity** | Your recent audits and findings |
+| **[5] Search** | Interactive package search (type to search, Enter to submit) |
+
+### Standalone Commands
+
+All community commands work without the dashboard (pipe-friendly, supports `--json`):
+
+```bash
+agentaudit leaderboard              # Top contributors
+agentaudit leaderboard --tab monthly --json   # Monthly rankings as JSON
+agentaudit benchmark                # Model comparison
+agentaudit activity                 # Your recent audits & findings
+agentaudit search fastmcp           # Search registry by name/ASF-ID
+agentaudit search fastmcp --json    # Machine-readable search results
+```
+
+---
+
 ## ⚙️ Configuration
 
 ### Credentials
@@ -430,23 +487,34 @@ Run `agentaudit setup` to configure interactively, or set via environment:
 export AGENTAUDIT_API_KEY=asf_your_key_here
 ```
 
-### Environment Variables
+### LLM Providers (13 supported)
+
+AgentAudit supports 13 LLM providers for deep audits. Set one API key — the CLI auto-detects it. Use `agentaudit model` to choose provider + model interactively, or `agentaudit status` to check your setup.
+
+| Variable | Provider | Default Model |
+|----------|----------|---------------|
+| `ANTHROPIC_API_KEY` | Anthropic (Claude) | `claude-sonnet-4-20250514` |
+| `GEMINI_API_KEY` | Google (Gemini) | `gemini-2.5-flash` |
+| `OPENAI_API_KEY` | OpenAI (GPT-4o) | `gpt-4o` |
+| `DEEPSEEK_API_KEY` | DeepSeek | `deepseek-chat` |
+| `MISTRAL_API_KEY` | Mistral | `mistral-large-latest` |
+| `GROQ_API_KEY` | Groq | `llama-3.3-70b-versatile` |
+| `XAI_API_KEY` | xAI (Grok) | `grok-3` |
+| `TOGETHER_API_KEY` | Together AI | `Llama-3.3-70B-Instruct-Turbo` |
+| `FIREWORKS_API_KEY` | Fireworks AI | `llama-v3p3-70b-instruct` |
+| `CEREBRAS_API_KEY` | Cerebras | `llama-3.3-70b` |
+| `ZAI_API_KEY` | Zhipu AI (GLM) | `glm-4.7` |
+| `OPENROUTER_API_KEY` | OpenRouter | `anthropic/claude-sonnet-4` |
+
+### Other Environment Variables
 
 | Variable | Description |
 |----------|-------------|
-| `AGENTAUDIT_API_KEY` | API key for registry access |
-| `ANTHROPIC_API_KEY` | Anthropic API key for deep audits (Claude) -- recommended |
-| `OPENAI_API_KEY` | OpenAI API key for deep audits (GPT-4o) |
-| `OPENROUTER_API_KEY` | OpenRouter API key (access 200+ models) |
-| `OPENROUTER_MODEL` | Model to use via OpenRouter (default: `anthropic/claude-sonnet-4`) |
-| `OLLAMA_MODEL` | Ollama model name for local audits (e.g. `llama3.1`, `qwen2.5-coder`) |
-| `OLLAMA_HOST` | Ollama server URL (default: `http://localhost:11434`) |
-| `LLM_API_URL` | Any OpenAI-compatible API endpoint (e.g. LM Studio, vLLM, Together, Groq) |
-| `LLM_API_KEY` | API key for custom endpoint (optional if no auth needed) |
-| `LLM_MODEL` | Model name for custom endpoint |
+| `AGENTAUDIT_API_KEY` | API key for registry uploads (or use `agentaudit setup`) |
+| `AGENTAUDIT_MODEL` | Override LLM model (same as `--model` flag) |
 | `NO_COLOR` | Disable ANSI colors ([no-color.org](https://no-color.org)) |
 
-> **Provider priority:** Anthropic > OpenAI > OpenRouter > Custom > Ollama. Override with `--provider=ollama` etc.
+> **Provider priority:** Set `preferred_provider` via `agentaudit model`, or the CLI picks the first available key. Override per-run with `--model <name>`.
 
 ---
 
@@ -477,49 +545,26 @@ Or use without installing: `npx agentaudit`
 
 ### Setting up your LLM key for deep audits
 
-The `audit` command supports **any LLM provider**. Set one of these environment variables:
-
-```bash
-# Linux / macOS
-export ANTHROPIC_API_KEY=sk-ant-...       # Recommended (Claude Sonnet)
-export OPENAI_API_KEY=sk-...              # Alternative (GPT-4o)
-export OPENROUTER_API_KEY=sk-or-...       # 200+ models via OpenRouter
-
-# Windows (PowerShell)
-$env:ANTHROPIC_API_KEY = "sk-ant-..."
-$env:OPENAI_API_KEY = "sk-..."
-$env:OPENROUTER_API_KEY = "sk-or-..."
-
-# Windows (CMD)
-set ANTHROPIC_API_KEY=sk-ant-...
-set OPENAI_API_KEY=sk-...
-set OPENROUTER_API_KEY=sk-or-...
-```
-
-**Provider priority:** Anthropic > OpenAI > OpenRouter > Custom > Ollama. Override with `--provider=<name>`.
-
-**OpenRouter model selection:** By default uses `anthropic/claude-sonnet-4`. Override with:
-```bash
-export OPENROUTER_MODEL=google/gemini-2.5-pro    # or any model on openrouter.ai
-```
+The `audit` command supports **13 LLM providers**. Set one API key and AgentAudit auto-detects it:
 
-**Local with Ollama (free, no API key):**
 ```bash
-export OLLAMA_MODEL=llama3.1          # or qwen2.5-coder, deepseek-r1, etc.
-agentaudit audit https://github.com/owner/repo
+# Set any one of these (Anthropic recommended)
+export ANTHROPIC_API_KEY=sk-ant-...
+export OPENAI_API_KEY=sk-...
+export GEMINI_API_KEY=...
+export DEEPSEEK_API_KEY=...
+# ... or any of the 13 supported providers (see Configuration section)
 ```
-> Note: Local models produce lower quality audits than Claude/GPT-4o. Use for quick checks, not production security audits.
 
-**Any OpenAI-compatible API:**
+**Interactive setup:**
 ```bash
-export LLM_API_URL=http://localhost:1234/v1     # LM Studio, vLLM, etc.
-export LLM_MODEL=my-model
-agentaudit audit https://github.com/owner/repo
+agentaudit model     # 2-step menu: pick provider → pick model
+agentaudit status    # check which keys are set + current config
 ```
 
-**Check your setup:**
+**Override per-run:**
 ```bash
-agentaudit status    # validates all configured API keys
+agentaudit audit https://github.com/owner/repo --model gpt-4o
 ```
 
 **Troubleshooting:** If you see `API error: Incorrect API key`, double-check your key is valid and has credits. Use `--debug` to see the full API response.

package/cli.mjs

@@ -12,6 +12,8 @@
  *   dashboard             Interactive full-screen dashboard
  *   leaderboard           Top contributors ranking
  *   benchmark             LLM model performance comparison
+ *   activity              Your recent audits & findings
+ *   search <query>        Search packages in registry
  *   model [name|reset]    Configure LLM provider + model
  *   setup                 Log in to agentaudit.dev (for report uploads)
  *   status                Show current config + auth status
@@ -145,6 +147,7 @@ const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
 const USER_CRED_DIR = path.join(xdgConfig, 'agentaudit');
 const USER_CRED_FILE = path.join(USER_CRED_DIR, 'credentials.json');
 const SKILL_CRED_FILE = path.join(SKILL_DIR, 'config', 'credentials.json');
+const PROFILE_CACHE_FILE = path.join(USER_CRED_DIR, 'profile-cache.json');
 
 function loadCredentials() {
   for (const f of [SKILL_CRED_FILE, USER_CRED_FILE]) {
@@ -227,6 +230,29 @@ function saveCredentials(data) {
   } catch {}
 }
 
+function loadProfileCache() {
+  try {
+    if (!fs.existsSync(PROFILE_CACHE_FILE)) return null;
+    const data = JSON.parse(fs.readFileSync(PROFILE_CACHE_FILE, 'utf8'));
+    // TTL: 10 minutes
+    if (data.fetched_at && Date.now() - data.fetched_at < 10 * 60 * 1000) return data;
+    return null; // expired
+  } catch { return null; }
+}
+
+function saveProfileCache(data) {
+  try {
+    fs.mkdirSync(USER_CRED_DIR, { recursive: true });
+    fs.writeFileSync(PROFILE_CACHE_FILE, JSON.stringify({
+      agent_name: data.agent_name,
+      rank: data.rank,
+      total_points: data.total_points,
+      total_reports: data.total_reports,
+      fetched_at: Date.now(),
+    }, null, 2), { mode: 0o600 });
+  } catch {}
+}
+
 function askQuestion(question) {
   const rl = createInterface({ input: process.stdin, output: process.stdout });
   return new Promise(resolve => rl.question(question, answer => { rl.close(); resolve(answer.trim()); }));
@@ -527,8 +553,17 @@ function getVersion() {
 function banner() {
   if (quietMode || jsonMode) return;
   console.log();
-  console.log(`  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}`);
-  console.log(`  ${c.dim}Security scanner for AI packages${c.reset}`);
+  const cache = loadProfileCache();
+  if (cache) {
+    const rankStr = cache.rank != null ? `#${cache.rank}` : '';
+    const ptsStr = `${fmtNum(cache.total_points)}pts`;
+    const auditsStr = `${fmtNum(cache.total_reports)} audits`;
+    const profile = [cache.agent_name, rankStr, ptsStr, auditsStr].filter(Boolean).join(' \u00b7 ');
+    console.log(`  ${c.bold}${c.cyan}\u26e8 AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}  ${c.dim}\u2502${c.reset}  ${profile}`);
+  } else {
+    console.log(`  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}`);
+    console.log(`  ${c.dim}Security scanner for AI packages${c.reset}`);
+  }
   console.log();
 }
 
@@ -1761,8 +1796,9 @@ async function auditRepo(url) {
     `After analysis, respond with ONLY a valid JSON object. No markdown fences, no explanation, no text before or after. Just the raw JSON:`,
     `{ "skill_slug": "${slug}", "source_url": "${url}", "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
     `  "risk_score": <0-100>, "result": "<safe|caution|unsafe>", "max_severity": "<none|low|medium|high|critical>",`,
-    `  "findings_count": <n>, "findings": [{ "id": "...", "title": "...", "severity": "...", "category": "...",`,
-    `  "description": "...", "file": "...", "line": <n>, "remediation": "...", "confidence": "...", "is_by_design": false }] }`,
+    `  "findings_count": <n>, "findings": [{ "pattern_id": "CMD_INJECT_001", "title": "...", "severity": "...", "category": "...",`,
+    `  "cwe_id": "CWE-78", "description": "...", "file": "...", "line": <n>, "content": "...", "remediation": "...",`,
+    `  "confidence": "high|medium|low", "by_design": false, "score_impact": -15 }] }`,
     ``,
     `## Source Code`,
     codeBlock,
@@ -1930,6 +1966,10 @@ async function auditRepo(url) {
     return null;
   }
   
+  // Add scan metadata for benchmarking
+  report.audit_duration_ms = Date.now() - start;
+  report.files_scanned = files.length;
+
   // Display results
   console.log();
   const riskScore = report.risk_score || 0;
@@ -1973,7 +2013,12 @@ async function auditRepo(url) {
         console.log(` ${c.green}done${c.reset}`);
         console.log(`  ${c.dim}Report: ${REGISTRY_URL}/skills/${slug}${c.reset}`);
       } else {
+        let errBody = '';
+        try { errBody = await res.text(); } catch {}
         console.log(` ${c.yellow}failed (HTTP ${res.status})${c.reset}`);
+        if (errBody && process.argv.includes('--debug')) {
+          console.log(`  ${c.dim}Server: ${errBody.slice(0, 300)}${c.reset}`);
+        }
       }
     } catch (err) {
       console.log(` ${c.yellow}failed${c.reset}`);
@@ -2078,6 +2123,20 @@ async function fetchDashboardData() {
     fetches.push(Promise.resolve(null));
   }
   const [stats, leaderboard, benchmark, agent] = await Promise.all(fetches);
+  // Update profile cache if we have agent data
+  if (agent && creds) {
+    let rank = null;
+    if (Array.isArray(leaderboard)) {
+      const idx = leaderboard.findIndex(e => e.agent_name === creds.agent_name);
+      if (idx >= 0) rank = idx + 1;
+    }
+    saveProfileCache({
+      agent_name: creds.agent_name,
+      rank,
+      total_points: agent.total_points || 0,
+      total_reports: agent.total_reports || 0,
+    });
+  }
   return { stats, leaderboard, benchmark, agent, creds };
 }
 
@@ -2173,7 +2232,7 @@ function renderLeaderboardTab(data, width, opts = {}) {
     const pts = padLeft(`${fmtNum(entry.total_points || 0)} pts`, 12);
     const audits = padLeft(`${fmtNum(entry.total_reports || 0)} audits`, 12);
     const extra = entry.monthly_reports != null ? padLeft(`${fmtNum(entry.monthly_reports)} this mo`, 12) : '';
-    lines.push(`${prefix}${padRight(nameStr, maxNameW + (isMe ? 14 : 0))}  ${bar}  ${pts}  ${audits}${extra}`);
+    lines.push(`${prefix}${padRight(nameStr, maxNameW)}  ${bar}  ${pts}  ${audits}${extra}`);
 
     // Separator after top 3
     if (i === 2 && leaderboard.length > 3) {
@@ -2204,20 +2263,27 @@ function renderBenchmarkTab(data, width) {
   lines.push('');
 
   // Header
-  const nameW = 26;
-  const hdr = `  ${padRight(`${c.bold}Model${c.reset}`, nameW + 9)}  ${padRight('Audits', 8)}  ${padRight('Risk', 8)}  ${padRight('Detection', 16)}  Severity`;
+  const nameW = 28;
+  const hdr = `  ${padRight(`${c.bold}Model${c.reset}`, nameW + 9)}  ${padRight('Audits', 7)} ${padRight('Risk', 5)} ${padRight('Detection', 16)}  Severity`;
   lines.push(hdr);
-  lines.push(`  ${c.dim}${'─'.repeat(Math.min(width - 4, 80))}${c.reset}`);
+  lines.push(`  ${c.dim}${'─'.repeat(Math.min(width - 4, 86))}${c.reset}`);
 
   for (const m of benchmark.models) {
     const name = (m.audit_model || 'unknown').slice(0, nameW - 2);
-    const audits = padLeft(fmtNum(m.total_audits), 6);
+    const audits = padLeft(fmtNum(m.total_audits), 5);
     const riskVal = parseFloat(m.avg_risk_score) || 0;
     const riskColor = riskVal <= 20 ? c.green : riskVal <= 40 ? c.yellow : c.red;
     const risk = `${riskColor}${padLeft(String(Math.round(riskVal)), 3)}${c.reset}`;
     const detection = renderGauge(m.detection_rate || 0, 100, 10);
-    const dots = severityDots(m.severity_breakdown);
-    lines.push(`  ${padRight(name, nameW)}  ${audits}   ${risk}   ${detection}  ${dots}`);
+    // Severity as compact text instead of dots
+    const sev = m.severity_breakdown || {};
+    const sevParts = [];
+    if (sev.critical) sevParts.push(`${c.red}${sev.critical}C${c.reset}`);
+    if (sev.high) sevParts.push(`${c.red}${sev.high}H${c.reset}`);
+    if (sev.medium) sevParts.push(`${c.yellow}${sev.medium}M${c.reset}`);
+    if (sev.low) sevParts.push(`${c.blue}${sev.low}L${c.reset}`);
+    const sevStr = sevParts.length > 0 ? sevParts.join(' ') : `${c.dim}—${c.reset}`;
+    lines.push(`  ${padRight(name, nameW)} ${audits}  ${risk}  ${detection}  ${sevStr}`);
   }
 
   // Vulnerability landscape
@@ -2249,6 +2315,274 @@ function renderBenchmarkTab(data, width) {
   return lines;
 }
 
+function timeAgo(dateStr) {
+  if (!dateStr) return '';
+  const diff = Date.now() - new Date(dateStr).getTime();
+  const mins = Math.floor(diff / 60000);
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  if (days < 30) return `${days}d ago`;
+  return `${Math.floor(days / 30)}mo ago`;
+}
+
+function renderActivityTab(data, width) {
+  const { agent, creds } = data;
+  const lines = [];
+
+  if (!creds || !agent) {
+    lines.push(`  ${c.dim}Not logged in${c.reset}`);
+    lines.push(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to see your activity${c.reset}`);
+    return lines;
+  }
+
+  // Recent Audits
+  const reports = agent.recent_reports || [];
+  const auditLines = [];
+  if (reports.length > 0) {
+    for (const r of reports.slice(0, 10)) {
+      const time = padRight(timeAgo(r.created_at), 8);
+      const name = padRight((r.skill_slug || r.package_name || '').slice(0, 20), 20);
+      const score = r.risk_score ?? r.latest_risk_score ?? 0;
+      let status;
+      if (score === 0) status = `${c.green}safe${c.reset}   `;
+      else if (score <= 30) status = `${c.yellow}caution${c.reset}`;
+      else status = `${c.red}unsafe${c.reset} `;
+      const findCount = r.finding_count != null ? `${r.finding_count} findings` : '';
+      const model = r.audit_model ? `${c.dim}${(r.audit_model || '').slice(0, 14)}${c.reset}` : '';
+      auditLines.push(`${c.dim}${time}${c.reset}  ${name}  ${status}  ${padRight(findCount, 12)} ${model}`);
+    }
+  } else {
+    auditLines.push(`${c.dim}No audits yet — run ${c.cyan}agentaudit audit <url>${c.dim} to get started${c.reset}`);
+  }
+  lines.push(...drawBox('Recent Audits', auditLines, Math.min(width - 4, 72)));
+  lines.push('');
+
+  // Recent Findings
+  const findings = agent.recent_findings || [];
+  const findingLines = [];
+  if (findings.length > 0) {
+    for (const f of findings.slice(0, 10)) {
+      const asfId = padRight(f.asf_id || f.id || '', 16);
+      const sev = severityIcon(f.severity);
+      const sevLabel = padRight(f.severity || '', 9);
+      const title = (f.title || f.pattern_id || '').slice(0, 40);
+      findingLines.push(`${asfId} ${sev} ${sevLabel} ${title}`);
+    }
+  } else {
+    findingLines.push(`${c.dim}No findings yet${c.reset}`);
+  }
+  lines.push(...drawBox('Recent Findings', findingLines, Math.min(width - 4, 72)));
+
+  return lines;
+}
+
+async function activityCommand(args) {
+  const creds = loadCredentials();
+
+  if (!creds?.agent_name || creds.agent_name === 'env') {
+    if (jsonMode) {
+      console.log(JSON.stringify({ error: 'not_logged_in' }));
+    } else {
+      banner();
+      console.log(`  ${c.yellow}Not logged in${c.reset}`);
+      console.log(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to create an account${c.reset}`);
+    }
+    return;
+  }
+
+  if (!quietMode && !jsonMode) {
+    banner();
+    process.stdout.write(`  ${c.dim}Loading activity...${c.reset}`);
+  }
+
+  let agentData;
+  try {
+    const res = await fetch(`${REGISTRY_URL}/api/agents/${encodeURIComponent(creds.agent_name)}`, {
+      headers: { 'Authorization': `Bearer ${creds.api_key}` },
+      signal: AbortSignal.timeout(15_000),
+    });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    agentData = await res.json();
+  } catch (err) {
+    if (!jsonMode) {
+      process.stdout.write('\r\x1b[2K');
+      console.log(`  ${c.red}Failed to load activity: ${err.message}${c.reset}`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+
+  if (jsonMode) {
+    console.log(JSON.stringify(agentData, null, 2));
+    return;
+  }
+
+  process.stdout.write('\r\x1b[2K');
+
+  // Update profile cache
+  try {
+    const lbRes = await fetch(`${REGISTRY_URL}/api/leaderboard?limit=100`, { signal: AbortSignal.timeout(10_000) }).then(r => r.ok ? r.json() : null);
+    let rank = null;
+    if (Array.isArray(lbRes)) {
+      const idx = lbRes.findIndex(e => e.agent_name === creds.agent_name);
+      if (idx >= 0) rank = idx + 1;
+    }
+    saveProfileCache({
+      agent_name: creds.agent_name,
+      rank,
+      total_points: agentData.total_points || 0,
+      total_reports: agentData.total_reports || 0,
+    });
+  } catch {}
+
+  const width = process.stdout.columns || 80;
+  const activityLines = renderActivityTab({ agent: agentData, creds }, width);
+  console.log(`  ${c.bold}Activity${c.reset}  ${c.dim}${creds.agent_name}${c.reset}`);
+  console.log();
+  for (const line of activityLines) console.log(line);
+  console.log();
+}
+
+function renderSearchResults(data, width) {
+  const lines = [];
+  const boxW = Math.min(width - 4, 72);
+
+  // Lookup API returns { reports: [], findings: [], total_matches }
+  const lookupData = Array.isArray(data) ? data[0] : data;
+  const reports = lookupData?.reports || [];
+  const findings = lookupData?.findings || [];
+  const total = lookupData?.total_matches || (reports.length + findings.length);
+
+  if (total === 0) return lines;
+
+  // Packages (from reports)
+  if (reports.length > 0) {
+    const pkgLines = [];
+    for (const r of reports.slice(0, 10)) {
+      const name = padRight((r.skill_slug || '').slice(0, 22), 22);
+      const riskScore = r.risk_score ?? 0;
+      let badge;
+      if (riskScore === 0) badge = `${c.green}SAFE${c.reset}   `;
+      else if (riskScore <= 30) badge = `${c.yellow}CAUTION${c.reset}`;
+      else badge = `${c.red}UNSAFE${c.reset} `;
+      const time = padRight(timeAgo(r.created_at), 8);
+      pkgLines.push(`${name}  ${badge}  ${c.dim}${time}${c.reset}`);
+    }
+    lines.push(...drawBox(`Packages (${reports.length})`, pkgLines, boxW));
+    lines.push('');
+  }
+
+  // Findings
+  if (findings.length > 0) {
+    const findLines = [];
+    for (const f of findings.slice(0, 10)) {
+      const asfId = padRight(f.asf_id || '', 16);
+      const sev = severityIcon(f.severity);
+      const sevLabel = padRight(f.severity || '', 9);
+      const title = (f.title || '').slice(0, 36);
+      findLines.push(`${asfId} ${sev} ${sevLabel} ${title}`);
+    }
+    lines.push(...drawBox(`Findings (${findings.length})`, findLines, boxW));
+  }
+
+  return lines;
+}
+
+function renderSearchTab(searchState, width) {
+  const { query, results, loading, error } = searchState;
+  const lines = [];
+
+  // Search input
+  lines.push(`  ${c.bold}Search:${c.reset} ${query || ''}${c.dim}\u2588${c.reset}`);
+  lines.push('');
+
+  if (loading) {
+    lines.push(`  ${c.dim}Searching...${c.reset}`);
+    return lines;
+  }
+
+  if (error) {
+    lines.push(`  ${c.red}${error}${c.reset}`);
+    return lines;
+  }
+
+  if (results) {
+    const resultLines = renderSearchResults(results, width);
+    if (resultLines.length > 0) {
+      lines.push(...resultLines);
+    } else {
+      lines.push(`  ${c.dim}No results found for "${query}"${c.reset}`);
+    }
+  } else if (!query) {
+    lines.push(`  ${c.dim}Type to search packages in the registry${c.reset}`);
+  }
+
+  lines.push('');
+  lines.push(`  ${c.dim}Type to search  \u2502  Enter=search  \u2502  Esc=clear  \u2502  Tab=switch tab${c.reset}`);
+
+  return lines;
+}
+
+async function searchCommand(args) {
+  const query = args.filter(a => !a.startsWith('--')).join(' ').trim();
+
+  if (!query) {
+    if (jsonMode) {
+      console.log(JSON.stringify({ error: 'query_required' }));
+    } else {
+      banner();
+      console.log(`  ${c.red}Error: search query required${c.reset}`);
+      console.log(`  ${c.dim}Usage: ${c.cyan}agentaudit search <query>${c.dim} \u2014 e.g. agentaudit search fastmcp${c.reset}`);
+    }
+    process.exitCode = 2;
+    return;
+  }
+
+  if (!quietMode && !jsonMode) {
+    banner();
+    process.stdout.write(`  ${c.dim}Searching "${query}"...${c.reset}`);
+  }
+
+  let data;
+  try {
+    const res = await fetch(`${REGISTRY_URL}/api/lookup?hash=${encodeURIComponent(query)}`, {
+      signal: AbortSignal.timeout(15_000),
+    });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    data = await res.json();
+  } catch (err) {
+    if (!jsonMode) {
+      process.stdout.write('\r\x1b[2K');
+      console.log(`  ${c.red}Search failed: ${err.message}${c.reset}`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+
+  if (jsonMode) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+
+  process.stdout.write('\r\x1b[2K');
+  console.log(`  ${c.bold}Search${c.reset}  ${c.dim}"${query}"${c.reset}`);
+  console.log();
+
+  const width = process.stdout.columns || 80;
+  const resultLines = renderSearchResults(data, width);
+  if (resultLines.length === 0) {
+    console.log(`  ${c.dim}No results found${c.reset}`);
+    console.log(`  ${c.dim}Tip: try ${c.cyan}agentaudit scan <repo-url>${c.dim} to audit a new package${c.reset}`);
+    console.log();
+    return;
+  }
+
+  for (const line of resultLines) console.log(line);
+  console.log();
+}
+
 async function leaderboardCommand(args) {
   const tabArg = args.find((a, i) => args[i - 1] === '--tab') || 'overall';
   const showAll = args.includes('--all');
@@ -2302,7 +2636,7 @@ async function leaderboardCommand(args) {
     const bar = renderBar(entry.total_points || 0, maxPts, barW);
     const pts = `${fmtNum(entry.total_points || 0)} pts`;
     const audits = `${fmtNum(entry.total_reports || 0)} audits`;
-    console.log(`${prefix}${padRight(nameStr, 22 + (isMe ? 14 : 0))}  ${bar}  ${padLeft(pts, 12)}  ${padLeft(audits, 10)}`);
+    console.log(`${prefix}${padRight(nameStr, 22)}  ${bar}  ${padLeft(pts, 12)}  ${padLeft(audits, 10)}`);
     if (i === 2 && data.length > 3) {
       console.log(`  ${c.dim}${'─'.repeat(74)}${c.reset}`);
     }
@@ -2356,11 +2690,19 @@ async function dashboardCommand() {
     { key: '1', label: 'Overview' },
     { key: '2', label: 'Leaderboard' },
     { key: '3', label: 'Benchmark' },
+    { key: '4', label: 'Activity' },
+    { key: '5', label: 'Search' },
   ];
   let activeTab = 0;
   let scrollOffset = 0;
   let running = true;
 
+  // Search tab state
+  let searchQuery = '';
+  let searchResults = null;
+  let searchLoading = false;
+  let searchError = null;
+
   // Enter alt screen
   process.stdout.write(term.altScreenOn + term.hideCursor);
 
@@ -2373,6 +2715,25 @@ async function dashboardCommand() {
   // Fetch data
   const data = await fetchDashboardData();
 
+  async function doSearch() {
+    if (!searchQuery.trim()) return;
+    searchLoading = true;
+    searchError = null;
+    render();
+    try {
+      const res = await fetch(`${REGISTRY_URL}/api/lookup?hash=${encodeURIComponent(searchQuery.trim())}`, {
+        signal: AbortSignal.timeout(15_000),
+      });
+      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      searchResults = await res.json();
+    } catch (err) {
+      searchError = `Search failed: ${err.message}`;
+      searchResults = null;
+    }
+    searchLoading = false;
+    if (running) render();
+  }
+
   function render() {
     const cols = process.stdout.columns || 80;
     const rows = process.stdout.rows || 24;
@@ -2392,7 +2753,7 @@ async function dashboardCommand() {
       } else {
         tabBar += `${c.dim} [${tab.key}] ${tab.label} ${c.reset}`;
       }
-      if (i < tabs.length - 1) tabBar += `${c.dim}──${c.reset}`;
+      if (i < tabs.length - 1) tabBar += `${c.dim}\u2500${c.reset}`;
     }
     output += tabBar + '\n\n';
 
@@ -2408,6 +2769,12 @@ async function dashboardCommand() {
       case 2:
         contentLines = renderBenchmarkTab(data, cols);
         break;
+      case 3:
+        contentLines = renderActivityTab(data, cols);
+        break;
+      case 4:
+        contentLines = renderSearchTab({ query: searchQuery, results: searchResults, loading: searchLoading, error: searchError }, cols);
+        break;
     }
 
     // Apply scroll
@@ -2422,7 +2789,11 @@ async function dashboardCommand() {
     // Footer
     output += '\n';
     const scrollInfo = contentLines.length > availableRows ? `  ${c.dim}[${scrollOffset + 1}-${Math.min(scrollOffset + availableRows, contentLines.length)}/${contentLines.length}]${c.reset}` : '';
-    output += `  ${c.dim}←→ tab  ↑↓ scroll  1-3 jump  q quit${c.reset}${scrollInfo}\n`;
+    const isSearchTab = activeTab === 4;
+    const footerHint = isSearchTab
+      ? `${c.dim}\u2190\u2192 tab  Enter=search  Esc=clear  q quit${c.reset}`
+      : `${c.dim}\u2190\u2192 tab  \u2191\u2193 scroll  1-5 jump  q quit${c.reset}`;
+    output += `  ${footerHint}${scrollInfo}\n`;
 
     process.stdout.write(output);
   }
@@ -2439,37 +2810,103 @@ async function dashboardCommand() {
 
   function onKeypress(key) {
     if (!running) return;
+    const isSearchTab = activeTab === 4;
 
-    // q or Ctrl+C = quit
-    if (key === 'q' || key === '\x03') {
+    // Ctrl+C always quits
+    if (key === '\x03') {
+      cleanup();
+      return;
+    }
+
+    // Search tab: route printable keys to search input
+    if (isSearchTab) {
+      // Escape: clear search
+      if (key === '\x1b' && key.length === 1) {
+        searchQuery = '';
+        searchResults = null;
+        searchError = null;
+        scrollOffset = 0;
+        render();
+        return;
+      }
+
+      // Enter: trigger search
+      if (key === '\r' || key === '\n') {
+        doSearch();
+        return;
+      }
+
+      // Backspace / Delete
+      if (key === '\x7f' || key === '\b') {
+        if (searchQuery.length > 0) {
+          searchQuery = searchQuery.slice(0, -1);
+          render();
+        }
+        return;
+      }
+
+      // Tab: switch to next tab
+      if (key === '\t') {
+        activeTab = (activeTab + 1) % tabs.length;
+        scrollOffset = 0;
+        render();
+        return;
+      }
+
+      // Arrow keys still navigate
+      if (key === '\x1b[C') { activeTab = (activeTab + 1) % tabs.length; scrollOffset = 0; render(); return; }
+      if (key === '\x1b[D') { activeTab = (activeTab - 1 + tabs.length) % tabs.length; scrollOffset = 0; render(); return; }
+      if (key === '\x1b[A') { scrollOffset = Math.max(0, scrollOffset - 1); render(); return; }
+      if (key === '\x1b[B') { scrollOffset++; render(); return; }
+
+      // q quits only if search buffer is empty
+      if (key === 'q' && searchQuery.length === 0) {
+        cleanup();
+        return;
+      }
+
+      // Printable ASCII → append to search query
+      if (key.length === 1 && key.charCodeAt(0) >= 32 && key.charCodeAt(0) <= 126) {
+        searchQuery += key;
+        render();
+        return;
+      }
+      return;
+    }
+
+    // Non-search tabs: normal keypress handling
+    // q = quit
+    if (key === 'q') {
       cleanup();
       return;
     }
 
     // Tab navigation
-    if (key === '\x1b[C' || key === '\t') { // Right arrow or Tab
+    if (key === '\x1b[C' || key === '\t') {
       activeTab = (activeTab + 1) % tabs.length;
       scrollOffset = 0;
       render();
       return;
     }
-    if (key === '\x1b[D') { // Left arrow
+    if (key === '\x1b[D') {
       activeTab = (activeTab - 1 + tabs.length) % tabs.length;
       scrollOffset = 0;
       render();
       return;
     }
 
-    // Number keys
-    if (key === '1') { activeTab = 0; scrollOffset = 0; render(); return; }
-    if (key === '2') { activeTab = 1; scrollOffset = 0; render(); return; }
-    if (key === '3') { activeTab = 2; scrollOffset = 0; render(); return; }
+    // Number keys 1-5
+    if (key >= '1' && key <= '5') {
+      const idx = parseInt(key, 10) - 1;
+      if (idx < tabs.length) { activeTab = idx; scrollOffset = 0; render(); }
+      return;
+    }
 
     // Scroll
-    if (key === '\x1b[A' || key === 'k') { scrollOffset = Math.max(0, scrollOffset - 1); render(); return; } // Up
-    if (key === '\x1b[B' || key === 'j') { scrollOffset++; render(); return; } // Down
-    if (key === '\x1b[5~') { scrollOffset = Math.max(0, scrollOffset - 10); render(); return; } // PageUp
-    if (key === '\x1b[6~') { scrollOffset += 10; render(); return; } // PageDown
+    if (key === '\x1b[A' || key === 'k') { scrollOffset = Math.max(0, scrollOffset - 1); render(); return; }
+    if (key === '\x1b[B' || key === 'j') { scrollOffset++; render(); return; }
+    if (key === '\x1b[5~') { scrollOffset = Math.max(0, scrollOffset - 10); render(); return; }
+    if (key === '\x1b[6~') { scrollOffset += 10; render(); return; }
   }
 
   // Setup input
@@ -2636,9 +3073,9 @@ async function main() {
       `Uses alternate screen buffer — your scrollback stays intact.`,
       ``,
       `${c.bold}Navigation:${c.reset}`,
-      `  ←→ / Tab      Switch between tabs`,
-      `  1-3            Jump to tab by number`,
-      `  ↑↓ / j/k       Scroll content`,
+      `  \u2190\u2192 / Tab      Switch between tabs`,
+      `  1-5            Jump to tab by number`,
+      `  \u2191\u2193 / j/k       Scroll content`,
       `  PgUp/PgDn     Scroll fast`,
       `  q / Ctrl+C    Quit`,
       ``,
@@ -2646,6 +3083,8 @@ async function main() {
       `  [1] Overview    Your profile + registry stats`,
       `  [2] Leaderboard Top contributors ranking`,
       `  [3] Benchmark   LLM model performance comparison`,
+      `  [4] Activity    Your recent audits & findings`,
+      `  [5] Search      Search packages (interactive input)`,
       ``,
       `${c.bold}Aliases:${c.reset} dashboard, dash`,
     ],
@@ -2684,6 +3123,41 @@ async function main() {
       `  agentaudit benchmark --json`,
     ],
     bench: null, // alias → benchmark
+    activity: [
+      `${c.bold}agentaudit activity${c.reset} [options]`,
+      ``,
+      `Show your recent audits and findings from the AgentAudit registry.`,
+      `Requires being logged in (run ${c.cyan}agentaudit setup${c.reset} first).`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --json          Machine-readable JSON output`,
+      ``,
+      `${c.bold}Aliases:${c.reset} activity, my`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit activity`,
+      `  agentaudit activity --json`,
+      `  agentaudit my`,
+    ],
+    my: null, // alias → activity
+    search: [
+      `${c.bold}agentaudit search${c.reset} <query> [options]`,
+      ``,
+      `Search for packages in the AgentAudit registry by name, ASF-ID, or hash.`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --json          Machine-readable JSON output`,
+      ``,
+      `${c.bold}Aliases:${c.reset} search, find`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit search fastmcp`,
+      `  agentaudit search mcp-server`,
+      `  agentaudit search ASF-2025-0001`,
+      `  agentaudit search fastmcp --json`,
+      `  agentaudit find fastmcp`,
+    ],
+    find: null, // alias → search
   };
 
   // Show subcommand help: `agentaudit help <cmd>` or `agentaudit <cmd> --help`
@@ -2691,7 +3165,7 @@ async function main() {
     let helpLines = subcommandHelp[cmd];
     if (helpLines === null) {
       // alias redirect
-      const aliases = { check: 'lookup', dash: 'dashboard', lb: 'leaderboard', bench: 'benchmark' };
+      const aliases = { check: 'lookup', dash: 'dashboard', lb: 'leaderboard', bench: 'benchmark', my: 'activity', find: 'search' };
       helpLines = subcommandHelp[aliases[cmd] || cmd];
     }
     if (!helpLines) {
@@ -2739,6 +3213,8 @@ async function main() {
     console.log(`    ${c.cyan}dashboard${c.reset}             Interactive dashboard (full-screen)`);
     console.log(`    ${c.cyan}leaderboard${c.reset}           Top contributors ranking`);
     console.log(`    ${c.cyan}benchmark${c.reset}             LLM model performance comparison`);
+    console.log(`    ${c.cyan}activity${c.reset}              Your recent audits & findings`);
+    console.log(`    ${c.cyan}search${c.reset} <query>        Search packages in registry`);
     console.log();
     console.log(`  ${c.bold}CONFIGURATION${c.reset}`);
     console.log(`    ${c.cyan}model${c.reset}                 Configure LLM provider + model`);
@@ -2784,6 +3260,14 @@ async function main() {
     await benchmarkCommand(targets);
     return;
   }
+  if (command === 'activity' || command === 'my') {
+    await activityCommand(targets);
+    return;
+  }
+  if (command === 'search' || command === 'find') {
+    await searchCommand(targets);
+    return;
+  }
 
   banner();
 
@@ -2859,13 +3343,20 @@ async function main() {
           fetch(`${REGISTRY_URL}/api/leaderboard?limit=100`, { signal: AbortSignal.timeout(10_000) }).then(r => r.ok ? r.json() : null),
         ]);
         if (agentRes) {
-          console.log(`  ${c.bold}Profile${c.reset}`);
-          let rank = '-';
+          let rank = null;
           if (Array.isArray(lbRes)) {
             const idx = lbRes.findIndex(e => e.agent_name === creds.agent_name);
-            if (idx >= 0) rank = `#${idx + 1} of ${lbRes.length}`;
+            if (idx >= 0) rank = idx + 1;
           }
-          console.log(`    Rank        ${c.bold}${rank}${c.reset}`);
+          // Update profile cache
+          saveProfileCache({
+            agent_name: creds.agent_name,
+            rank,
+            total_points: agentRes.total_points || 0,
+            total_reports: agentRes.total_reports || 0,
+          });
+          console.log(`  ${c.bold}Profile${c.reset}`);
+          console.log(`    Rank        ${c.bold}${rank ? `#${rank} of ${lbRes.length}` : '-'}${c.reset}`);
           console.log(`    Points      ${c.bold}${fmtNum(agentRes.total_points || 0)}${c.reset}`);
           console.log(`    Audits      ${c.bold}${fmtNum(agentRes.total_reports || 0)}${c.reset}`);
           console.log(`    Findings    ${c.bold}${fmtNum(agentRes.total_findings_submitted || 0)}${c.reset} ${c.dim}(${fmtNum(agentRes.total_findings_confirmed || 0)} confirmed)${c.reset}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.10.3",
+  "version": "3.10.5",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {