agentaudit 3.12.8 → 3.12.10

package/README.md

@@ -6,12 +6,12 @@
 
 # 🛡️ AgentAudit
 
-**Security scanner for AI packages — MCP server + CLI**
+**Security scanner for AI agent packages — CLI + MCP server**
 
 Scan MCP servers, AI skills, and packages for vulnerabilities, prompt injection,
 and supply chain attacks. Powered by regex static analysis and deep LLM audits.
 
-[![AgentAudit](https://www.agentaudit.dev/api/badge/agentaudit-mcp)](https://www.agentaudit.dev/skills/agentaudit-mcp)
+[![AgentAudit](https://www.agentaudit.dev/api/badge/agentaudit-mcp)](https://www.agentaudit.dev/packages/agentaudit-mcp)
 [![npm version](https://img.shields.io/npm/v/agentaudit?style=for-the-badge&color=CB3837&logo=npm)](https://www.npmjs.com/package/agentaudit)
 [![Trust Registry](https://img.shields.io/badge/Trust_Registry-Live-00C853?style=for-the-badge)](https://agentaudit.dev)
 [![License](https://img.shields.io/badge/License-AGPL_3.0-F9A825?style=for-the-badge)](LICENSE)
@@ -77,7 +77,7 @@ agentaudit lookup fastmcp
 
 **Example output:**
 ```
-  ⛨ AgentAudit v3.10.4  │  my-scanner #3 · 280pts · 19 audits
+  ⛨ AgentAudit v3.12.9  │  my-scanner #3 · 280pts · 19 audits
 
   Discovering MCP servers in your AI editors...
 
@@ -227,7 +227,7 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
 | Command | Alias | Description |
 |---------|-------|-------------|
 | `agentaudit model` | — | Interactive LLM provider + model configuration |
-| `agentaudit setup` | — | Register agent + configure API key for registry uploads |
+| `agentaudit setup` | `login` | Sign in with GitHub OAuth or paste API key manually |
 | `agentaudit status` | `whoami` | Show current config, API keys, and personal stats |
 
 ### Global Flags
@@ -481,7 +481,7 @@ agentaudit search fastmcp --json    # Machine-readable search results
 
 AgentAudit stores credentials in `~/.config/agentaudit/credentials.json` (or `$XDG_CONFIG_HOME/agentaudit/credentials.json`).
 
-Run `agentaudit setup` to configure interactively, or set via environment:
+Run `agentaudit setup` to sign in with GitHub or paste an API key, or set via environment:
 
 ```bash
 export AGENTAUDIT_API_KEY=asf_your_key_here
@@ -595,10 +595,10 @@ It checks standard config file locations for Claude Desktop, Cursor, VS Code, an
 | | Project | Description |
 |---|---------|-------------|
 | 🌐 | [agentaudit.dev](https://agentaudit.dev) | Trust Registry -- browse packages, findings, leaderboard |
-| 🛡️ | [agentaudit-skill](https://github.com/starbuck100/agentaudit-skill) | Agent Skill -- pre-install security gate for Claude Code, Cursor, Windsurf |
-| ⚡ | [agentaudit-github-action](https://github.com/ecap0-ai/agentaudit-github-action) | GitHub Action -- CI/CD security scanning |
-| 📚 | [agentaudit-mcp](https://github.com/ecap0-ai/agentaudit-mcp) | This repo -- CLI + MCP server source |
-| 🐛 | [Report Issues](https://github.com/ecap0-ai/agentaudit-mcp/issues) | Bug reports and feature requests |
+| 🛡️ | [agentaudit-skill](https://github.com/agentaudit-dev/agentaudit-skill) | Agent Skill -- pre-install security gate for Claude Code, Cursor, Windsurf |
+| ⚡ | [agentaudit-github-action](https://github.com/agentaudit-dev/agentaudit-github-action) | GitHub Action -- CI/CD security scanning |
+| 📚 | [agentaudit-cli](https://github.com/agentaudit-dev/agentaudit-cli) | This repo -- CLI + MCP server source |
+| 🐛 | [Report Issues](https://github.com/agentaudit-dev/agentaudit-cli/issues) | Bug reports and feature requests |
 
 ---
 
@@ -612,6 +612,6 @@ It checks standard config file locations for Claude Desktop, Cursor, VS Code, an
 
 **Protect your AI stack. Scan before you trust.**
 
-[Trust Registry](https://agentaudit.dev) · [Leaderboard](https://agentaudit.dev/leaderboard) · [Report Issues](https://github.com/ecap0-ai/agentaudit-mcp/issues)
+[Trust Registry](https://agentaudit.dev) · [Leaderboard](https://agentaudit.dev/leaderboard) · [Report Issues](https://github.com/agentaudit-dev/agentaudit-cli/issues)
 
 </div>

package/cli.mjs

@@ -21,7 +21,7 @@
  *   profile               Your profile — rank, points, audit stats
  *   help [command]        Show help
  *
- * Flags: --json, --quiet, --no-color, --no-upload, --model, --export, --debug
+ * Flags: --json, --quiet, --no-color, --no-upload, --model, --export, --format, --debug
  */
 
 import fs from 'fs';
@@ -656,9 +656,14 @@ async function loginCommand() {
 
   // Try to auto-open browser
   try {
-    const openCmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
     const { exec } = await import('child_process');
-    exec(`${openCmd} "${verifyUrl}"`);
+    if (process.platform === 'darwin') {
+      exec(`open "${verifyUrl}"`);
+    } else if (process.platform === 'win32') {
+      exec(`start "" "${verifyUrl}"`);
+    } else {
+      exec(`xdg-open "${verifyUrl}"`);
+    }
     console.log(`  ${c.dim}(Browser should open automatically)${c.reset}`);
   } catch {}
 
@@ -2980,7 +2985,120 @@ function enrichFindings(report, files, pkgInfo) {
   return report;
 }
 
+// ── SARIF 2.1.0 output ────────────────────────────────
+
+function toSarif(reports) {
+  if (!reports || (Array.isArray(reports) && reports.length === 0)) {
+    reports = [];
+  }
+  const version = getVersion();
+  const LEVEL_MAP = { critical: 'error', high: 'error', medium: 'warning', low: 'note', info: 'note' };
+  const SCORE_MAP = { critical: '9.5', high: '8.0', medium: '5.5', low: '2.0', info: '0.5' };
+  const rules = [];
+  const results = [];
+  const ruleIndex = new Map();
+
+  for (const report of (Array.isArray(reports) ? reports : [reports]).filter(Boolean)) {
+    for (const f of (report.findings || [])) {
+      const ruleId = f.pattern_id || f.id || 'UNKNOWN';
+      const sev = (f.severity || 'medium').toLowerCase();
+
+      if (!ruleIndex.has(ruleId)) {
+        ruleIndex.set(ruleId, rules.length);
+        const tags = ['security'];
+        if (f.cwe_id) tags.push(f.cwe_id.toLowerCase());
+        if (f.category) tags.push(f.category);
+        rules.push({
+          id: ruleId,
+          shortDescription: { text: f.title || ruleId },
+          fullDescription: { text: f.description || f.title || '' },
+          helpUri: f.cwe_id
+            ? `https://cwe.mitre.org/data/definitions/${f.cwe_id.replace('CWE-', '')}.html`
+            : `https://agentaudit.dev`,
+          defaultConfiguration: { level: LEVEL_MAP[sev] || 'warning' },
+          properties: { 'security-severity': SCORE_MAP[sev] || '5.5', tags },
+        });
+      }
+
+      const result = {
+        ruleId,
+        ruleIndex: ruleIndex.get(ruleId),
+        level: LEVEL_MAP[sev] || 'warning',
+        message: { text: [f.title, f.description].filter(Boolean).join(': ') },
+        locations: [],
+      };
+
+      const filePath = f.file || f.file_path;
+      const lineNum = f.line || f.line_start;
+      if (filePath) {
+        const loc = {
+          physicalLocation: {
+            artifactLocation: { uri: filePath, uriBaseId: '%SRCROOT%' },
+          },
+        };
+        if (lineNum) {
+          loc.physicalLocation.region = { startLine: lineNum };
+        }
+        const snippet = f.content || f.snippet || f.code_snippet;
+        if (snippet) {
+          loc.physicalLocation.region = loc.physicalLocation.region || {};
+          loc.physicalLocation.region.snippet = { text: snippet };
+        }
+        result.locations.push(loc);
+      }
+
+      if (f.remediation) {
+        result.fixes = [{ description: { text: f.remediation } }];
+      }
+
+      if (f.by_design) {
+        result.suppressions = [{ kind: 'inSource', justification: 'Marked as by-design' }];
+      }
+
+      if (filePath && lineNum) {
+        const hash = crypto.createHash('sha256')
+          .update(`${ruleId}:${filePath}:${lineNum}`)
+          .digest('hex').slice(0, 16);
+        result.partialFingerprints = { primaryLocationLineHash: hash };
+      } else {
+        // Fallback fingerprint from rule + title for findings without file/line
+        const hash = crypto.createHash('sha256')
+          .update(`${ruleId}:${f.title || ''}`)
+          .digest('hex').slice(0, 16);
+        result.partialFingerprints = { primaryLocationLineHash: hash };
+      }
+
+      results.push(result);
+    }
+  }
+
+  return {
+    version: '2.1.0',
+    $schema: 'https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'AgentAudit',
+          semanticVersion: version,
+          informationUri: 'https://agentaudit.dev',
+          rules,
+        },
+      },
+      results,
+    }],
+  };
+}
+
 async function auditRepo(url) {
+  // In quiet mode (SARIF/JSON), redirect all progress output to stderr
+  // so stdout only contains clean machine-readable data
+  const _origConsoleLog = console.log;
+  const _origStdoutWrite = process.stdout.write;
+  if (quietMode) {
+    console.log = console.error;
+    process.stdout.write = process.stderr.write.bind(process.stderr);
+  }
+  try {
   const start = Date.now();
 
   // Support local directories
@@ -3278,15 +3396,52 @@ async function auditRepo(url) {
   }
 
   if (!activeLlm) {
+    // Check if user is logged in — offer remote scan as fallback
+    const _creds = loadCredentials();
+    if (_creds && process.stdin.isTTY && !process.argv.includes('--export')) {
+      console.log();
+      console.log(`  ${c.yellow}No LLM API key configured.${c.reset}`);
+      console.log();
+      // Fetch quota for display
+      let quotaLabel = '3/day free';
+      try {
+        const qr = await fetch(`${REGISTRY_URL}/api/scan`, {
+          headers: { 'Authorization': `Bearer ${_creds.api_key}` },
+          signal: AbortSignal.timeout(5_000),
+        });
+        if (qr.ok) {
+          const q = await qr.json();
+          quotaLabel = `${q.remaining}/${q.limit} free remaining`;
+        }
+      } catch {}
+      console.log(`  ${c.cyan}1${c.reset}  Use agentaudit.dev ${c.dim}(${quotaLabel})${c.reset}`);
+      console.log(`  ${c.cyan}2${c.reset}  Configure local LLM ${c.dim}(agentaudit model)${c.reset}`);
+      console.log();
+      const _choice = await askQuestion(`  Choice ${c.dim}(1/2, default: 1):${c.reset} `);
+      console.log();
+      if (_choice.trim() === '2') {
+        console.log(`  ${c.dim}Run ${c.cyan}agentaudit model${c.dim} to configure your LLM provider and API key.${c.reset}`);
+        console.log();
+        return null;
+      }
+      // Default: remote audit
+      return await remoteAudit(url);
+    }
+
+    // Not logged in or non-interactive
     console.log();
-    console.log(`  ${c.yellow}No LLM API key found.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
-    console.log();
-    console.log(`  ${c.bold}Set an API key${c.reset} (e.g. ${c.cyan}export OPENROUTER_API_KEY=sk-or-...${c.reset})`);
-    console.log(`  ${c.dim}Run "agentaudit model" to configure provider + model interactively${c.reset}`);
-    console.log();
-    console.log(`  ${c.bold}Or export for manual review:${c.reset} ${c.cyan}agentaudit audit ${url} --export${c.reset}`);
-    console.log(`  ${c.bold}Or use as MCP server${c.reset} in Cursor/Claude ${c.dim}(no extra API key needed)${c.reset}`);
-    console.log(`  ${c.dim}{ "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } }${c.reset}`);
+    if (!_creds) {
+      console.log(`  ${c.yellow}No LLM API key found.${c.reset} To run a deep audit, you need either:`);
+      console.log();
+      console.log(`  ${c.bold}1.${c.reset} An LLM API key:  ${c.cyan}agentaudit model${c.reset}`);
+      console.log(`  ${c.bold}2.${c.reset} A free account:   ${c.cyan}agentaudit login${c.reset}  ${c.dim}(3 free remote scans/day)${c.reset}`);
+    } else {
+      console.log(`  ${c.yellow}No LLM API key found.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
+      console.log();
+      console.log(`  ${c.bold}Set an API key${c.reset} (e.g. ${c.cyan}export OPENROUTER_API_KEY=sk-or-...${c.reset})`);
+      console.log(`  ${c.dim}Run "agentaudit model" to configure provider + model interactively${c.reset}`);
+      console.log(`  ${c.dim}Or use ${c.cyan}agentaudit audit ${url} --remote${c.dim} for a free server-side scan${c.reset}`);
+    }
     console.log();
     if (process.argv.includes('--export')) {
       const exportPath = path.join(process.cwd(), `audit-${slug}.md`);
@@ -3404,6 +3559,215 @@ async function auditRepo(url) {
 
   console.log();
   return report;
+
+  } finally {
+    console.log = _origConsoleLog;
+    process.stdout.write = _origStdoutWrite;
+  }
+}
+
+// ── Remote Audit (server-side free scan via SSE) ────────
+
+async function remoteAudit(url) {
+  // 1. Check credentials
+  const creds = loadCredentials();
+  if (!creds) {
+    console.log();
+    console.log(`  ${c.red}Not logged in.${c.reset} Remote scans require an agentaudit.dev account.`);
+    console.log(`  ${c.dim}Run ${c.cyan}agentaudit login${c.dim} to sign in (free).${c.reset}`);
+    console.log();
+    return null;
+  }
+
+  const authHeaders = { 'Authorization': `Bearer ${creds.api_key}`, 'Content-Type': 'application/json' };
+
+  // 2. Check quota
+  if (!quietMode) {
+    try {
+      const quotaRes = await fetch(`${REGISTRY_URL}/api/scan`, {
+        headers: authHeaders,
+        signal: AbortSignal.timeout(10_000),
+      });
+      if (quotaRes.ok) {
+        const quota = await quotaRes.json();
+        if (quota.remaining <= 0) {
+          console.log();
+          console.log(`  ${c.red}Rate limit reached${c.reset} — 0 of ${quota.limit} free remote scans remaining.`);
+          console.log(`  ${c.dim}Configure a local LLM for unlimited scans: ${c.cyan}agentaudit model${c.reset}`);
+          console.log();
+          return null;
+        }
+        console.log(`  ${c.dim}Remote scans: ${quota.remaining} of ${quota.limit} remaining today${c.reset}`);
+      }
+    } catch {
+      // Quota check failed — continue, the POST will catch it
+    }
+  }
+
+  // 3. Start SSE stream
+  if (!quietMode) {
+    console.log();
+    console.log(sectionHeader('Remote Audit'));
+    console.log(`  ${c.dim}Server: ${REGISTRY_URL}  •  Model: Gemini 2.5 Flash${c.reset}`);
+    console.log();
+  }
+
+  const startTime = Date.now();
+  let report = null;
+
+  try {
+    const res = await fetch(`${REGISTRY_URL}/api/scan`, {
+      method: 'POST',
+      headers: authHeaders,
+      body: JSON.stringify({ url }),
+      signal: AbortSignal.timeout(90_000),
+    });
+
+    if (!res.ok) {
+      let errBody;
+      try { errBody = await res.json(); } catch { errBody = { error: `HTTP ${res.status}` }; }
+      console.log(`  ${c.red}${errBody.message || errBody.error || `Server error (${res.status})`}${c.reset}`);
+      console.log();
+      return null;
+    }
+
+    // 4. Parse SSE stream
+    const reader = res.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = '';
+    const findings = [];
+    let currentStep = '';
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+
+      const parts = buffer.split('\n\n');
+      buffer = parts.pop(); // keep incomplete chunk
+
+      for (const part of parts) {
+        const eventMatch = part.match(/^event:\s*(.+)/m);
+        const dataMatch = part.match(/^data:\s*(.+)/m);
+        if (!eventMatch || !dataMatch) continue;
+
+        const event = eventMatch[1].trim();
+        let data;
+        try { data = JSON.parse(dataMatch[1]); } catch { continue; }
+
+        switch (event) {
+          case 'step': {
+            if (quietMode) break;
+            const icon = data.status === 'done' ? `${c.green}✔${c.reset}` : `${c.cyan}◌${c.reset}`;
+            const detail = data.detail ? ` ${c.dim}(${data.detail})${c.reset}` : '';
+            // Clear previous line if updating same step
+            if (currentStep && data.status === 'done') {
+              process.stdout.write(`\r\x1b[K`);
+            }
+            if (data.status === 'done') {
+              console.log(`  ${icon} ${data.label}${detail}`);
+              currentStep = '';
+            } else {
+              process.stdout.write(`\r  ${icon} ${data.label}${detail}`);
+              currentStep = data.label;
+            }
+            break;
+          }
+
+          case 'finding': {
+            findings.push(data);
+            break;
+          }
+
+          case 'cached': {
+            if (!quietMode) {
+              console.log(`  ${c.cyan}ℹ${c.reset} Using cached result from ${c.bold}${data.scanned_ago}${c.reset}`);
+            }
+            break;
+          }
+
+          case 'result': {
+            report = {
+              cached: data.cached,
+              result: data.result,
+              risk_score: data.risk_score,
+              trust_score: data.trust_score,
+              findings_count: data.findings_count,
+              max_severity: data.max_severity,
+              slug: data.slug,
+              url: data.url,
+              findings: findings,
+              audit_model: 'google/gemini-2.5-flash',
+              audit_provider: 'agentaudit.dev',
+              source_url: url,
+              skill_slug: data.slug,
+              audit_duration_ms: Date.now() - startTime,
+            };
+            break;
+          }
+
+          case 'error': {
+            if (currentStep) {
+              process.stdout.write(`\r\x1b[K`);
+              currentStep = '';
+            }
+            console.log(`  ${c.red}${data.message || 'Server error'}${c.reset}`);
+            break;
+          }
+
+          case 'done':
+            break;
+        }
+      }
+    }
+  } catch (err) {
+    if (err.name === 'TimeoutError' || err.name === 'AbortError') {
+      console.log(`  ${c.red}Timeout — server took too long to respond.${c.reset}`);
+    } else {
+      console.log(`  ${c.red}Connection error: ${err.message}${c.reset}`);
+    }
+    console.log();
+    return null;
+  }
+
+  if (!report) {
+    console.log(`  ${c.red}No result received from server.${c.reset}`);
+    console.log();
+    return null;
+  }
+
+  // 5. Display results
+  if (!quietMode) {
+    console.log();
+    console.log(sectionHeader('Result'));
+    console.log(`  ${riskBadge(report.risk_score || 0)}`);
+    console.log();
+
+    if (findings.length > 0) {
+      console.log(sectionHeader(`Findings (${findings.length})`));
+      console.log();
+      for (const f of findings) {
+        const sc = severityColor(f.severity);
+        console.log(`  ${sc}┃${c.reset} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset}  ${c.bold}${f.title}${c.reset}`);
+        if (f.file) console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
+        console.log();
+      }
+    } else {
+      console.log(`  ${c.green}No findings — package looks clean.${c.reset}`);
+      console.log();
+    }
+
+    console.log(`  ${c.dim}Report: ${REGISTRY_URL}/packages/${report.slug}${c.reset}`);
+    console.log(`  ${c.dim}Duration: ${elapsed(startTime)}${c.reset}`);
+    console.log();
+  }
+
+  // JSON output
+  if (jsonMode && !quietMode) {
+    console.log(JSON.stringify(report, null, 2));
+  }
+
+  return report;
 }
 
 // ── Check command ───────────────────────────────────────
@@ -4281,16 +4645,32 @@ async function main() {
   jsonMode = rawArgs.includes('--json');
   quietMode = rawArgs.includes('--quiet') || rawArgs.includes('-q');
   // --no-color already handled at top level for `c` object
-  
-  // Strip global flags from args (including --model <value>)
-  const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color', '--no-upload']);
+
+  // Strip global flags from args (including --model <value>, --format <value>)
+  const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color', '--no-upload', '--remote']);
   let args = rawArgs.filter(a => !globalFlags.has(a));
   // Remove --model <value> and --models <value> pairs
   const modelIdx = args.indexOf('--model');
   if (modelIdx !== -1) args.splice(modelIdx, 2);
   const modelsIdx = args.indexOf('--models');
   if (modelsIdx !== -1) args.splice(modelsIdx, 2);
-  
+  // Remove --format <value> pair
+  const formatIdx = args.indexOf('--format');
+  const formatFlag = formatIdx !== -1 ? args.splice(formatIdx, 2)[1] : null;
+  // --json is alias for --format json
+  const outputFormat = formatFlag || (jsonMode ? 'json' : null);
+  // Validate --format value
+  if (outputFormat && !['json', 'sarif'].includes(outputFormat)) {
+    console.error(`  ${c.red}Unknown format: ${outputFormat}${c.reset}`);
+    console.error(`  ${c.dim}Supported formats: json, sarif${c.reset}`);
+    process.exitCode = 2; return;
+  }
+  // SARIF mode: suppress console output so only clean JSON goes to stdout
+  if (outputFormat === 'sarif') { quietMode = true; jsonMode = true; }
+
+  // --remote: use server-side scan instead of local LLM
+  const remoteFlag = rawArgs.includes('--remote');
+
   // Detect per-command --help BEFORE stripping (e.g. `agentaudit model --help`)
   const wantsHelp = args.includes('--help') || args.includes('-h');
   // Strip --help/-h from args for routing
@@ -4326,29 +4706,37 @@ async function main() {
       `(command injection, eval, hardcoded secrets, path traversal, etc.)`,
       ``,
       `${c.bold}Options:${c.reset}`,
-      `  --deep         Run deep LLM audit instead (same as \`agentaudit audit\`)`,
+      `  --deep             Run deep LLM audit instead (same as \`agentaudit audit\`)`,
+      `  --remote           Use agentaudit.dev server for --deep (no LLM key needed)`,
+      `  --format sarif      Output results as SARIF 2.1.0 (for GitHub Code Scanning)`,
       ``,
       `${c.bold}Examples:${c.reset}`,
       `  agentaudit scan https://github.com/owner/repo`,
       `  agentaudit scan https://github.com/a/b https://github.com/c/d`,
       `  agentaudit scan https://github.com/owner/repo --deep`,
+      `  agentaudit scan https://github.com/owner/repo --deep --remote`,
+      `  agentaudit scan https://github.com/owner/repo --format sarif > results.sarif`,
     ],
     audit: [
       `${c.bold}agentaudit audit${c.reset} <url> [url...] [options]`,
       ``,
-      `Deep LLM-powered 3-pass security audit (~30s). Requires an LLM API key.`,
+      `Deep LLM-powered 3-pass security audit (~30s).`,
       ``,
       `${c.bold}Options:${c.reset}`,
+      `  --remote           Use agentaudit.dev server (no LLM key needed, 3/day free)`,
       `  --model <name>     Override LLM model for this run`,
       `  --models <a,b,c>   Multi-model audit (parallel calls, consensus comparison)`,
       `  --no-upload        Skip uploading report to registry`,
       `  --export           Export audit payload as markdown (for manual LLM review)`,
+      `  --format sarif      Output results as SARIF 2.1.0 (for GitHub Code Scanning)`,
       `  --debug            Show raw LLM response on parse errors`,
       ``,
       `${c.bold}Examples:${c.reset}`,
       `  agentaudit audit https://github.com/owner/repo`,
+      `  agentaudit audit https://github.com/owner/repo --remote`,
       `  agentaudit audit https://github.com/owner/repo --model gpt-4o`,
       `  agentaudit audit https://github.com/owner/repo --models gemini-2.5-flash,claude-sonnet-4-20250514`,
+      `  agentaudit audit https://github.com/owner/repo --format sarif > results.sarif`,
       `  agentaudit audit https://github.com/owner/repo --export`,
     ],
     lookup: [
@@ -4790,6 +5178,20 @@ async function main() {
     if (creds) {
       console.log(`  Account     ${c.bold}${creds.agent_name}${c.reset}  ${c.green}✔ logged in${c.reset}`);
       console.log(`  ${c.dim}            Key: ${creds.api_key.slice(0, 12)}...${c.reset}`);
+      // Remote scan quota
+      try {
+        const quotaRes = await fetch(`${REGISTRY_URL}/api/scan`, {
+          headers: { 'Authorization': `Bearer ${creds.api_key}` },
+          signal: AbortSignal.timeout(5_000),
+        });
+        if (quotaRes.ok) {
+          const quota = await quotaRes.json();
+          const resetLabel = quota.resets_in_ms
+            ? ` ${c.dim}(resets in ${Math.ceil(quota.resets_in_ms / 3600000)}h)${c.reset}`
+            : '';
+          console.log(`  Remote      ${c.bold}${quota.remaining}${c.reset} of ${quota.limit} free scans remaining${resetLabel}`);
+        }
+      } catch {}
     } else {
       console.log(`  Account     ${c.yellow}not configured${c.reset}  ${c.dim}— run ${c.cyan}agentaudit setup${c.dim} to create one${c.reset}`);
     }
@@ -5274,12 +5676,23 @@ async function main() {
       return;
     }
     
-    // --deep redirects to audit flow
+    // --deep redirects to audit flow (--remote supported)
     if (deepFlag) {
+      const auditFn = remoteFlag ? remoteAudit : auditRepo;
       let hasFindings = false;
+      const allReports = [];
       for (const url of urls) {
-        const report = await auditRepo(url);
-        if (report?.findings?.length > 0) hasFindings = true;
+        const report = await auditFn(url);
+        if (Array.isArray(report)) {
+          allReports.push(...report.filter(Boolean));
+          if (report.some(r => r?.findings?.length > 0)) hasFindings = true;
+        } else if (report) {
+          allReports.push(report);
+          if (report.findings?.length > 0) hasFindings = true;
+        }
+      }
+      if (outputFormat === 'sarif') {
+        console.log(JSON.stringify(toSarif(allReports), null, 2));
       }
       process.exitCode = hasFindings ? 1 : 0;
       return;
@@ -5293,7 +5706,12 @@ async function main() {
       else hadErrors = true;
     }
     
-    if (jsonMode) {
+    if (outputFormat === 'sarif') {
+      const sarif = toSarif(results.map(r => ({
+        findings: (r.findings || []).map(f => ({ ...f, pattern_id: f.id })),
+      })));
+      console.log(JSON.stringify(sarif, null, 2));
+    } else if (jsonMode || outputFormat === 'json') {
       const jsonOut = results.map(r => ({
         slug: r.slug,
         url: r.url,
@@ -5327,17 +5745,44 @@ async function main() {
       process.exitCode = 2;
       return;
     }
-    
+
+    // --remote: use server-side scan
+    if (remoteFlag) {
+      let hasFindings = false;
+      const allReports = [];
+      for (const url of urls) {
+        const result = await remoteAudit(url);
+        if (result) {
+          allReports.push(result);
+          if (result.findings?.length > 0) hasFindings = true;
+        }
+      }
+      if (outputFormat === 'sarif') {
+        console.log(JSON.stringify(toSarif(allReports), null, 2));
+      }
+      process.exitCode = hasFindings ? 1 : 0;
+      return;
+    }
+
     let hasFindings = false;
+    const allReports = [];
     for (const url of urls) {
       const result = await auditRepo(url);
       // Multi-model returns array, single-model returns object
       if (Array.isArray(result)) {
+        allReports.push(...result.filter(Boolean));
         if (result.some(r => r?.findings?.length > 0)) hasFindings = true;
-      } else if (result?.findings?.length > 0) {
-        hasFindings = true;
+      } else if (result) {
+        allReports.push(result);
+        if (result.findings?.length > 0) hasFindings = true;
       }
     }
+
+    if (outputFormat === 'sarif') {
+      const sarif = toSarif(allReports);
+      console.log(JSON.stringify(sarif, null, 2));
+    }
+
     process.exitCode = hasFindings ? 1 : 0;
     return;
   }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agentaudit",
-  "version": "3.12.8",
-  "description": "Security scanner for AI packages — MCP server + CLI",
+  "version": "3.12.10",
+  "description": "Security scanner for AI agent packages — CLI + MCP server",
   "type": "module",
   "bin": {
     "agentaudit": "cli.mjs"
@@ -39,7 +39,7 @@
   "license": "AGPL-3.0",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/agentaudit-dev/agentaudit-mcp.git"
+    "url": "git+https://github.com/agentaudit-dev/agentaudit-cli.git"
   },
   "homepage": "https://agentaudit.dev",
   "engines": {